Cybersecurity authorities approve mandatory regulations for the private sector in Saudi Arabia

In a strategic move aimed at strengthening the digital infrastructure in Saudi Arabia, the National Cybersecurity Authority approved the adoption of the "Cybersecurity Controls" document, directed at private sector entities, specifically those that do not operate critical infrastructure. This decision aims to solidify digital security standards and ensure a minimum level of protection for information and technological assets against escalating threats.

The context of digital transformation and Vision 2030

The issuance of these regulations coincides with the Kingdom's rapid digital transformation, a key component of Saudi Vision 2030. As the private sector increasingly relies on modern technologies and cloud services, the need for a regulatory framework to ensure the confidentiality, security, and availability of information has become paramount. The Kingdom, which has achieved high global rankings in the Global Cybersecurity Index, is working to close any gaps that could be exploited by internal or external cyber threats, thereby enhancing the attractiveness of its business environment for both foreign and domestic investment.

Classification of establishments: precise standards of responsibility

The authority took into account the differences in the sizes and capabilities of establishments in its regulations, as the targeted entities were divided into two main categories to ensure effective and realistic implementation:

  • The first category (large entities): These are establishments with more than 250 full-time employees or annual revenues exceeding 200 million Saudi Riyals. Due to the complexity of their operations, comprehensive controls have been developed for them, comprising 3 main components, 22 sub-components, and 65 mandatory controls.
  • The second category (small and medium-sized enterprises): This includes entities with between 3 and 249 employees, or revenues between 3 million and 200 million riyals. Requirements tailored to their size have been established, comprising one main component, 13 sub-components, and 26 mandatory criteria.

The three pillars: people, procedures, and technology

The new controls are based on a holistic philosophy that covers all aspects of cybersecurity, divided into three main pillars:

  1. The people axis: This treats the human element as the first line of defense, obligating entities to train employees, raise their security awareness, and appoint qualified officials responsible for protecting data.
  2. The procedures axis: This covers documented regulatory policies, risk management plans, and clear mechanisms for handling data leak incidents so that business continuity is preserved.
  3. The technology axis: This involves adopting the technical solutions needed to protect networks and systems, and ensuring appropriate encryption for sensitive data.

Compliance and certification mechanism

To ensure compliance, the Authority has established a clear path to obtaining "Certification," with applications being evaluated within a maximum of 90 working days. The regulations require certified entities to maintain the standards throughout the certification period and to immediately disclose any material changes or cybersecurity incidents. This regulation represents a significant step forward, aiming to create a secure and reliable cybersecurity environment that supports economic growth and protects the rights of consumers and private sector partners.
