Cybersecurity Controls 2025: Companies Obliged to Saudize Cybersecurity Leadership and Separate It from IT

In a strategic move aimed at strengthening the Kingdom's digital economy, the National Cybersecurity Authority issued the 2025 edition of its "Cybersecurity Controls for Private Sector Entities Not Operating Critical Infrastructure". The document sets out a precise regulatory framework that binds large, medium and small companies to strict security standards, in order to ensure business continuity and protect national gains from escalating digital threats.
The context of digital transformation and Vision 2030
This crucial step aligns with the goals of Saudi Vision 2030, which aims to increase the private sector's contribution to GDP to 65% and raise the share of small and medium-sized enterprises (SMEs) to 35%. In light of the Kingdom's rapid digital transformation, cyberspace has become a vital arena requiring a secure "digital fence." These regulations are part of the Kingdom's ongoing efforts to strengthen its position as a global leader in cybersecurity indicators, aiming to create a safe investment environment that attracts capital and protects the data of both investors and beneficiaries.
A precise classification of facilities and obligations
The new regulations adopt a precise methodology, classifying the targeted establishments into two main categories according to their size (headcount and annual revenue):
- The first category (large entities): These are entities with more than 250 employees or annual revenues exceeding 200 million riyals. The Authority has mandated that they implement a comprehensive package consisting of 65 core controls distributed across 22 sub-components, to cover all potential gaps in their complex infrastructure.
- The second category (small and medium-sized enterprises): This includes establishments with between 6 and 249 employees, or revenues between 3 million and 200 million riyals. A lighter set of 26 core controls has been allocated to them, focused on protecting core operations without burdening them with excessive operating costs.
Cybersecurity governance and leadership localization
Perhaps the most significant aspect of the document is its explicit focus on strengthening digital sovereignty through Saudization. The regulations mandate that large organizations establish an independent cybersecurity management unit directly reporting to the organization's head, ensuring its complete independence from the IT department and preventing conflicts of interest. Crucially, the document emphasizes that this unit and its supervisory staff must be full-time, highly qualified Saudi nationals.
This approach not only enhances national security, but is also expected to have a significant positive impact on the local labor market by creating thousands of quality job opportunities for national cadres specializing in cybersecurity, thus supporting the pillar of a “thriving economy” within the national vision.
Strengthening technical defenses and data protection
On the technical level, the authority imposed strict precautionary measures, including:
- Identity management: Mandatory multi-factor authentication (MFA) for remote logins and email access.
- Email protection: Publishing and enforcing the Sender Policy Framework (SPF) and DMARC records for the organization's domains to counter phishing and sender impersonation.
- Business continuity: Periodic backups of sensitive systems and testing of their recovery capabilities are necessary to counter ransomware attacks.
- Third-party security: Incorporating cybersecurity requirements into contracts with suppliers and cloud service providers, with an emphasis on data classification and segregation of technical environments in the cloud.
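The email-protection control above says only that SPF and DMARC must be activated; in practice the question an assessor asks is whether the published records are actually enforcing. The following Python checker is an added example written for this page, not code from the NCA document, and the pass/weak/fail thresholds it applies (SPF must end in `-all`, DMARC must be `p=reject` at `pct=100`, at most 10 DNS-lookup terms) are the editor's baseline drawn from RFC 7208 and RFC 7489, not thresholds stated by the Authority. The TXT records are constructed samples so the check runs offline; the `txt_lookup` callable is an assumed hook where a real resolver would go.

```python
"""Grade a domain's SPF and DMARC TXT records against an enforcing baseline.

Added example; thresholds are the editor's (RFC 7208 / RFC 7489 based), not the
NCA's. DNS data is injected via a lookup callable so the script runs offline.
"""

# Terms that cost a DNS lookup under RFC 7208 (limit of 10 per evaluation).
_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample TXT records (assumption: these are not real domains' data).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 a mx ~all", "some-verification=abc"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:d@weak.example"],
    "none.example": [],
}


def sample_lookup(name):
    """Stand-in for a DNS TXT query; returns the constructed records above."""
    return SAMPLE_TXT.get(name, [])


def spf_status(txt_records):
    """Return (status, issues) for the SPF records published at a domain."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "fail", ["no SPF record"]
    if len(spf) > 1:
        return "fail", ["multiple SPF records (invalid per RFC 7208)"]
    issues, lookups, all_qual = [], 0, None
    for term in spf[0].split()[1:]:
        # Strip qualifier, then cut at ':', '=' or '/' to get the mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in _LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qual = term[0] if term[0] in "+-~?" else "+"
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
        return "fail", issues
    if all_qual is None:
        issues.append("no 'all' mechanism; unlisted senders get a neutral result")
        return "fail", issues
    if all_qual == "-":
        return "pass", issues
    if all_qual == "~":
        issues.append("~all (softfail) is not rejected by many receivers; use -all")
        return "weak", issues
    issues.append(f"{all_qual}all effectively authorises any sender")
    return "fail", issues


def dmarc_status(txt_records):
    """Return (status, issues) for the record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "fail", ["no DMARC record at _dmarc.<domain>"]
    if len(dmarc) > 1:
        return "fail", ["multiple DMARC records (receivers ignore all of them)"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", ["missing or invalid p= tag"]
    issues = []
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports are not being collected")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
        return "fail", issues
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} leaves {100 - int(pct)}% of failing mail unenforced")
        return "weak", issues
    if policy == "quarantine":
        issues.append("p=quarantine delivers spoofed mail to spam; p=reject is the target")
        return "weak", issues
    return "pass", issues


def assess(domain, txt_lookup=sample_lookup):
    """Combine SPF and DMARC grades for one domain into a single finding."""
    spf, spf_issues = spf_status(txt_lookup(domain))
    dmarc, dmarc_issues = dmarc_status(txt_lookup(f"_dmarc.{domain}"))
    return {"domain": domain, "spf": spf, "dmarc": dmarc, "issues": spf_issues + dmarc_issues}


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "none.example"):
        print(assess(d))
```

To run it against live domains, replace `sample_lookup` with a function that performs a TXT query (for example with dnspython's `dns.resolver.resolve(name, "TXT")`) and returns the record strings; the grading logic does not change. Note that the lookup-count check only inspects the top-level record; a full evaluator must also follow `include:` and `redirect=` targets, which is where real-world records most often exceed the limit.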
In conclusion, the National Cybersecurity Authority confirmed that these controls represent the minimum required, reserving the right to impose additional controls on any entity when needed, while continuing to assess compliance to ensure a safe and sustainable Saudi digital environment.



