What Is the NCA? Saudi Arabia's Cybersecurity Authority

Hisham Mir
May 24, 2026
10 min read

If you run a business in Saudi Arabia, the rules on cybersecurity changed at the start of 2026 and the change now reaches far more companies than before. The body behind those rules is the National Cybersecurity Authority, almost always referred to simply as the NCA.

The NCA is Saudi Arabia's national cybersecurity regulator: the single government authority responsible for setting, issuing, and enforcing cybersecurity requirements across the Kingdom. Established by Royal Order in 2017 and linked directly to the King, it produces the frameworks that government bodies, critical infrastructure operators, and now the wider private sector are required to follow.

For years, those mandatory requirements applied mainly to government entities and operators of Critical National Infrastructure. That is no longer the case. With the release of NCNICC-1:2025, the NCA extended binding cybersecurity obligations to non-CNI private sector companies for the first time, which means a large share of businesses operating in the Kingdom are now in scope, many without realising it.

This guide explains what the NCA is and why it was created, the full stack of frameworks it enforces, exactly who must comply, what it means when a security provider is NCA-registered, how the NCA differs from SAMA, and what happens if you are non-compliant. It is the starting point for understanding cybersecurity regulation in Saudi Arabia.

  1. What the NCA Is and Why It Was Created
  2. What the NCA Regulates — The Full Framework Stack
  3. Who Must Comply With NCA Requirements?
  4. What Does NCA Registration Mean?
  5. NCA vs SAMA — What's the Difference?
  6. What Happens If You're Non-Compliant?
  7. How SecurityWall Helps Saudi Organisations Meet NCA Requirements

What the NCA Is and Why It Was Created

The National Cybersecurity Authority was established by Royal Order in 2017 as the government entity in charge of cybersecurity in the Kingdom of Saudi Arabia, and the national reference on all of its affairs. It is linked directly to the King, which gives it unusual authority for a regulator: it sits above individual ministries and sectors rather than within any one of them.

Its creation was a direct response to two pressures. The first was the sharp rise in cyber threats against Saudi government systems and critical infrastructure through the 2010s. The second was Vision 2030, the Kingdom's economic transformation programme, which depends on digital infrastructure, a growing private sector, and international trust in Saudi Arabia's digital economy. A secure and trusted cyberspace is treated as a foundation for that transformation, not an afterthought to it.

The NCA holds both a regulatory and an operational mandate. On the regulatory side, it develops the national cybersecurity strategy and issues the frameworks, controls, and guidelines that organisations must implement. On the operational side, it monitors threats, coordinates national incident response, and oversees the cybersecurity sector, including the registration of cybersecurity service providers through its national portal. In short, the NCA writes the rules, enforces them, and helps run the national defences.

What the NCA Regulates — The Full Framework Stack

The NCA does not enforce a single rulebook. It issues a stack of frameworks, each aimed at a different type of organisation or technology. Understanding which ones apply to you is the first step in any Saudi compliance programme and the most common point of confusion, because the frameworks overlap and have been updated at different times.

The NCA Framework Stack: Which Framework Applies to You

Framework | What It Covers | Who It Applies To
ECC-2:2024 (Essential Cybersecurity Controls) | The foundational baseline of cybersecurity controls; updated from ECC-1:2018 | Government entities and their affiliates, plus private operators of Critical National Infrastructure
CSCC-1:2019 (Critical Systems Cybersecurity Controls) | Stricter controls for national critical systems; an extension of the ECC | Operators of Critical National Infrastructure (CNI)
NCNICC-1:2025 (Non-CNI Private Sector Controls) | The first binding baseline for ordinary private companies; tiered by size | Private sector entities not classed as CNI: small, medium, and large
CCC-2:2024 (Cloud Cybersecurity Controls) | Controls for cloud environments; updated from CCC-1:2020 | Cloud service providers and cloud customers (tenants) in the Kingdom
PDPL (Personal Data Protection Law) | Saudi Arabia's data protection law; operates alongside the NCA frameworks | Any organisation processing personal data; enforced by SDAIA, not the NCA

The headline change for most businesses is the NCNICC‑1:2025 row — it is the framework that brings ordinary private companies into mandatory scope for the first time.

ECC 2:2024 — Essential Cybersecurity Controls

The ECC is the NCA's foundational framework, first issued as ECC-1:2018 and updated to ECC-2:2024. It sets the minimum cybersecurity requirements across domains such as governance, defence, resilience, third-party security, and operational technology. Its mandatory scope is government entities (including their affiliates, with extraterritorial reach) and private sector entities that own, operate, or host Critical National Infrastructure. The 2024 update streamlined the controls, strengthened Saudization requirements for cybersecurity roles, and moved data-localisation responsibilities to the National Data Management Office. The NCA strongly encourages all other organisations to adopt the ECC as good practice, but for the non-CNI private sector the binding obligation now comes from a different framework.

CSCC 1:2019 — Critical Systems Cybersecurity Controls

The CSCC is an extension of the ECC that applies tighter controls to national critical systems: the systems whose failure or compromise would have serious consequences for the Kingdom. It is the framework that operators of Critical National Infrastructure in sectors such as energy, water, finance, and telecommunications must meet on top of the ECC baseline.

NCNICC 1:2025 — Private Companies Now in Scope

This is the most consequential recent development. NCNICC-1:2025, the Cybersecurity Controls for Non-CNI Private Sector Entities, is the first NCA framework written specifically for ordinary private companies that are not critical infrastructure operators. It is binding regulation, not guidance, and it applies on a tiered basis according to organisation size and revenue, with separate expectations for large entities and for small and medium enterprises. It mandates concrete technical controls (multi-factor authentication, encryption, and backups among them), and the NCA can assess compliance through self-assessment, audits by NCA-approved third parties, and direct inspection. If your company operates in Saudi Arabia and is not already covered by the ECC as a CNI operator, this is very likely the framework that now applies to you.

CCC 2:2024 — Cloud Cybersecurity Controls

The CCC governs cloud computing, covering both cloud service providers and the organisations that consume cloud services. Updated from CCC-1:2020 to CCC-2:2024, with changes reflecting the shift in data-localisation responsibilities, it sits as an extension of the ECC for any organisation whose systems or data live in the cloud.

PDPL — Data Protection, Alongside the NCA

The Personal Data Protection Law is Saudi Arabia's data protection regime. It is worth knowing in this context because it is often grouped with NCA compliance, but it is enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), not the NCA. Cybersecurity controls and data protection obligations run in parallel: meeting NCA controls does not by itself satisfy the PDPL, and vice versa.

Who Must Comply With NCA Requirements?

The simplest way to find your obligations is to identify which category your organisation falls into.

  • Government entities: Ministries, authorities, public establishments, and their affiliated companies (inside and outside the Kingdom) must implement the ECC. This was the NCA's original mandatory population.
  • Critical National Infrastructure operators: Private or public organisations running systems whose compromise would threaten national interests must meet both the ECC and the stricter CSCC. This covers sectors such as energy, finance, healthcare, water, and telecommunications.
  • The wider private sector: This is the new and widely under-recognised category. Under NCNICC-1:2025, private companies that are not CNI operators now have a binding cybersecurity baseline for the first time, applied on a tiered basis by size. Technology companies, SaaS providers, e-commerce platforms, manufacturers, and professional services firms operating in the Kingdom are squarely in scope.
  • Cybersecurity service providers: Firms that sell cybersecurity services in Saudi Arabia are themselves subject to NCA oversight and registration requirements, which matters a great deal when you are choosing who to hire (covered next).

Not Sure Which Frameworks Apply to You?

Most companies discover that they are in scope for NCNICC-1:2025, or for the ECC as a supplier to a CNI operator, without realising it. SecurityWall's NCA compliance team can confirm exactly which frameworks apply to your organisation and what readiness looks like.

What Does NCA Registration Mean?

Cybersecurity in Saudi Arabia is not only regulated on the buyer side. The NCA also oversees the providers who sell cybersecurity services in the Kingdom, including through registration and authorisation processes administered via its national cybersecurity portal. When a provider is described as NCA-registered, it means they are a recognised participant in that regulated ecosystem rather than an unvetted vendor.

For organisations buying security services, this matters for two practical reasons. First, frameworks like NCNICC-1:2025 contemplate compliance being assessed through audits by NCA-approved third parties, so the standing of the firm you engage affects how your evidence is received. Second, working with a provider that operates inside the NCA's regulated framework reduces the risk of buying assessments or testing that will not hold up to regulatory scrutiny.

SecurityWall is NCA-registered, which means Saudi organisations engaging us are working with a provider recognised within the Kingdom's regulated cybersecurity ecosystem, not an offshore vendor unfamiliar with local requirements.

NCA vs SAMA — What's the Difference?

This is the single most common source of confusion for financial-sector companies, and getting it wrong is expensive. The NCA and SAMA are different regulators with different remits, and financial companies typically have to satisfy both.

Two Different Regulators: NCA vs SAMA

Dimension | NCA | SAMA
What it is | National cybersecurity regulator | Saudi Central Bank (financial regulator)
Sector scope | All sectors across the Kingdom | Financial sector only
Key framework | ECC, CSCC, NCNICC, CCC | SAMA Cyber Security Framework (CSF)
Typical entities | Government, CNI, private companies | Banks, insurers, fintech, finance companies
A fintech or bank must... | Comply with applicable NCA controls | ALSO comply with the SAMA CSF

Financial-sector companies generally fall under both regimes at once: NCA frameworks for national cybersecurity, and the SAMA CSF for financial-sector supervision.

In short: the NCA is the national cybersecurity authority for every sector, while SAMA, the Saudi Central Bank, regulates cybersecurity within the financial sector through its own Cyber Security Framework. A bank, insurer, payment company, or fintech does not choose between them; it is supervised by both. If you operate in financial services, our SAMA cybersecurity guide and our overview of SAMA cybersecurity compliance explain that side of the picture, and a combined NCA and SAMA programme is usually the most efficient route to covering both.

What Happens If You're Non-Compliant?

The NCA backs its frameworks with real oversight. Compliance can be assessed through self-assessment submissions, audits by NCA-approved third parties, and direct inspection, so non-compliance is something the regulator can and does identify rather than a theoretical risk.

The consequences fall into a few categories. There is direct regulatory exposure: organisations found non-compliant can face regulatory action and may be required to remediate under supervision. There is commercial exposure: failing to meet the relevant controls can make a company ineligible for government contracts and for work with CNI operators, who must ensure their own supply chains are compliant. There is operational exposure: regulators can impose restrictions where serious gaps are found. And there is reputational exposure, which in a market built on Vision 2030's digital-trust agenda can be the most damaging of all. For cybersecurity service providers specifically, failing to maintain NCA registration removes the ability to operate as a recognised provider at all.

The practical takeaway is that NCA compliance is no longer a box-ticking exercise for government bodies. With NCNICC-1:2025 in force, it is a baseline business requirement, and the cost of discovering you are non-compliant during a tender, an audit, or a customer's due diligence is far higher than the cost of getting ready in advance.

How SecurityWall Helps Saudi Organisations Meet NCA Requirements

SecurityWall is an NCA-registered cybersecurity firm supporting organisations across Saudi Arabia through every stage of NCA compliance: from working out which frameworks apply, to readiness and remediation, to the offensive testing the controls require. Our team holds OSCP, OSWE, CREST, CISM, and CISSP credentials and works to the Kingdom's regulatory requirements rather than generic international templates.

Confirming Your Scope and Frameworks

  • Identifying which NCA frameworks apply to your organisation: ECC, CSCC, NCNICC-1:2025, or CCC
  • Clarifying overlap with SAMA for financial-sector clients, and with the PDPL for data obligations
  • A clear answer on where you stand before you commit budget to remediation

ECC and NCNICC Gap Assessments

  • Structured gap assessment against the applicable controls, mapped domain by domain
  • A prioritised remediation roadmap with realistic timelines
  • Evidence guidance aligned to how the NCA and NCA-approved auditors evaluate compliance

Penetration Testing and Red Teaming

NCA-Registered, Locally Grounded

  • Recognised within the Kingdom's regulated cybersecurity ecosystem
  • Familiar with NCA expectations, documentation standards, and the assessment process
  • A single provider for NCA readiness, testing, and ongoing compliance support

NCA Compliance Services

Find Out Which NCA Frameworks Apply to Your Business.

An NCA-registered team to confirm your scope across ECC, NCNICC-1:2025, CSCC, and CCC, run your gap assessment, and handle the penetration testing the controls require. Built for Saudi organisations, aligned to NCA expectations.

NCA-registered · OSCP, OSWE, CREST, CISM, and CISSP-certified team

Frequently Asked Questions

What is the NCA in Saudi Arabia?

The NCA is the National Cybersecurity Authority, Saudi Arabia's national cybersecurity regulator, established by Royal Order in 2017 and linked directly to the King. It sets and enforces the cybersecurity frameworks that government bodies, critical infrastructure operators, and private companies in the Kingdom must follow.

What frameworks does the NCA enforce?

The main ones are the Essential Cybersecurity Controls (ECC-2:2024), the Critical Systems Cybersecurity Controls (CSCC-1:2019), the Non-CNI Private Sector Controls (NCNICC-1:2025), and the Cloud Cybersecurity Controls (CCC-2:2024). The Personal Data Protection Law (PDPL) sits alongside these but is enforced by SDAIA, not the NCA.

Does the NCA apply to private companies?

Yes, and this is recent. Until NCNICC-1:2025, mandatory NCA controls applied mainly to government and critical infrastructure. NCNICC-1:2025 introduced a binding cybersecurity baseline for non-CNI private sector companies for the first time, applied on a tiered basis according to organisation size.

What is the difference between the NCA and SAMA?

The NCA is the national cybersecurity regulator for all sectors. SAMA is the Saudi Central Bank and regulates cybersecurity within the financial sector through its own Cyber Security Framework. Financial companies such as banks and fintechs must comply with both regimes.

What does it mean that SecurityWall is NCA-registered?

It means SecurityWall is recognised within the Kingdom's regulated cybersecurity ecosystem rather than being an unvetted vendor. Because frameworks like NCNICC-1:2025 contemplate assessment by NCA-approved third parties, the standing of the provider you engage affects how your compliance work is received.

What happens if my company is not NCA-compliant?

The NCA can assess compliance through self-assessment, NCA-approved third-party audits, and inspection. Non-compliance can lead to regulatory action, ineligibility for government and CNI-related contracts, operational restrictions, and reputational damage. The cost of being caught non-compliant during a tender or audit is typically far higher than preparing in advance.

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.