Cybersecurity Controls 2025 for the Private Sector and Localization of Leadership

In a strategic move aimed at strengthening the Kingdom’s digital economy, the National Cybersecurity Authority issued the “Cybersecurity Controls for Private Sector Entities Not with Critical Infrastructure” document for 2025. This document sets out a detailed regulatory framework that binds large, medium and small companies to strict security standards, to ensure business continuity and protect national assets from escalating global cyber threats.

The context of digital transformation and global standing

This step reinforces the Kingdom of Saudi Arabia's leading position in the global cybersecurity index, as a secure cyberspace is a cornerstone for the success of digital transformation projects. With the accelerating pace of technology adoption in the business sector, cyberattacks have become an existential threat to the sustainability of companies, necessitating regulatory intervention to enhance preparedness, especially given the private sector's pivotal role in achieving the goals of Vision 2030, which aims to increase its contribution to the GDP to 65%.

Classification of facilities and determination of responsibilities

The new controls target two main categories, defined precisely to balance entity size against security requirements:

  • The first category (large entities): These are entities with more than 250 employees or annual revenues exceeding 200 million riyals. The Authority has mandated that they implement 65 basic controls covering all potential vulnerabilities.
  • The second category (small and medium-sized entities): This includes establishments with between 6 and 249 employees, or revenues between 3 million and 200 million riyals, for which 26 basic controls have been allocated, focusing on protecting core operations.

Cybersecurity governance and leadership localization

Perhaps the most notable aspect of the document is the radical change in the structure of cybersecurity departments. The regulations require large entities to establish an independent cybersecurity administrative unit reporting directly to the head of the entity and fully separated from the information technology department, in order to prevent conflicts of interest and ensure neutrality in risk assessment.

In the context of strengthening digital sovereignty, the document stressed the need to “Saudize” the position of cybersecurity officer, stipulating that the leadership of this department and its supervisory staff be full-time, qualified Saudi citizens, thus opening up broad prospects for employing national talent in this vital sector.

Strengthening technical defenses and data protection

On the technical level, the authority imposed strict policies including:

  • Mandatory use of multi-factor authentication (MFA) for remote login and email.
  • Activation of email protection protocols (SPF, DMARC) to counter phishing messages.
  • Periodic backups of sensitive systems, with recovery tests to confirm they can be restored after a ransomware attack.
  • Inclusion of cybersecurity requirements in contracts with suppliers and cloud service providers, to ensure that data is not leaked through third parties.
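
As an added example (not part of the original article or of the Authority's document), the following Python script shows the check an entity would run to confirm that the SPF and DMARC control above is actually in force: it parses the two TXT records and reports whether the policy enforces anything or merely monitors. The domain names and records below are constructed samples; in a real check the records would be fetched via DNS from the domain itself (SPF) and from `_dmarc.<domain>` (DMARC).

```python
import re

# Constructed sample records (not real domains or real DNS data).
SAMPLE_RECORDS = {
    "example-strong.test": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-strong.test; pct=100",
    },
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mail-provider.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-missing.test": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc TXT record published
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value.

    Returns None when the record is absent or does not start with v=DMARC1.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism: '-', '~', '?' or '+'.

    Returns None when the record is absent, is not SPF, or has no 'all' term.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # no qualifier means '+' (pass)
    return None


def evaluate_domain(spf, dmarc):
    """Judge whether SPF/DMARC for one domain reject spoofed mail.

    'enforcing' is True only when DMARC is p=quarantine or p=reject at pct=100.
    'findings' lists every weakness worth reporting to the entity.
    """
    findings = []

    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: no valid record or no 'all' mechanism")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises any sender")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral and proves nothing")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; only useful if DMARC enforces")

    tags = parse_dmarc(dmarc)
    enforcing = False
    if tags is None:
        findings.append("DMARC: no valid record")
    else:
        policy = tags.get("p", "").lower()
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 0
            findings.append("DMARC: pct value is not a number")
        enforcing = policy in ("quarantine", "reject") and pct == 100
        if policy == "none":
            findings.append("DMARC: p=none only monitors, spoofed mail is delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or unknown policy tag 'p'")
        elif pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so no aggregate reports are received")

    return {"enforcing": enforcing, "findings": findings}


def audit_samples(records=SAMPLE_RECORDS):
    """Evaluate every domain in the sample set; returns domain -> result."""
    return {domain: evaluate_domain(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, result in audit_samples().items():
        status = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{domain}: {status}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

The design choice worth noting is that a published record is not the same as an enforced one: `p=none` and a `pct` below 100 both leave spoofed mail deliverable, so the script treats only `p=quarantine` or `p=reject` at full coverage as satisfying the control, and it flags a softfail SPF record because on its own it does not cause rejection.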

This integrated system aims to create a safe and reliable investment environment that supports the growth of the digital economy and reduces potential losses resulting from cybercrimes.
