Regulatory Enhancements: ECC-2 and Enforcement Authority
In December 2024, the NCA released the second iteration of the Essential Cybersecurity Controls (ECC-2), refining the previous ECC-1:2018 framework. Key updates include:
- Expanded Scope: ECC-2 clarifies its applicability to Saudi governmental entities operating both domestically and internationally, reflecting the Kingdom’s growing global engagements.
- Data Localization Shift: The responsibility for data localization requirements has transitioned from the NCA to the National Data Management Office (NDMO) under the Saudi Data and Artificial Intelligence Authority (SDAIA), centralizing oversight of data governance.
- Workforce Nationalization: A significant change mandates that all cybersecurity roles within organizations be occupied by qualified Saudi nationals, aligning with broader Saudization efforts.
- Streamlined Controls: The number of controls has been reduced from 114 to 108, enhancing clarity and efficiency in implementation.
Complementing ECC-2, the National Cybersecurity Authority Regulations 2024 grant the NCA explicit enforcement powers, including:
- Licensing Requirements: Entities must obtain appropriate licenses to engage in cybersecurity activities, with violations subject to penalties.
- Inspection Authority: The NCA can conduct inspections, seize evidence, and investigate non-compliance.
- Penalties: Non-compliance may result in fines up to SAR 25 million, license suspensions, or public disclosure of violations.
Strategic Initiatives: CyberIC and MSOC Licensing
To bolster national cybersecurity capabilities, the NCA has launched two key programs:
CyberIC Program
The CyberIC initiative aims to develop the cybersecurity sector by:
- Training and Development: Targeting 13,000 beneficiaries, including specialists, leaders, and students, through specialized programs and cyber exercises.
- Startup Support: Assisting over 60 national companies, fostering innovation and entrepreneurship in cybersecurity.
- Collaboration: Partnering with international universities and the Saudi Information Technology Company (SITE) to deliver advanced training.
MSOC Licensing
In March 2025, the NCA announced the licensing of Tier 1 Managed Security Operations Center (MSOC) providers, including SITE, Sirar by stc, Haboob, Cyberani by Aramco Digital, TCC, and SAMI-AEC. These providers are authorized to offer comprehensive MSOC services to all entities, including government and private sectors managing Critical National Infrastructures (CNIs). This initiative aims to elevate the quality of cybersecurity services and ensure robust protection for national assets.