NCA scopeVerified 26 June 2026

Does NCA cybersecurity apply to my company?

Until 2026, most private companies in Saudi Arabia could assume NCA’s controls were "for critical infrastructure, not us." That’s no longer true. With NCNICC-1:2025 (in force from January 2026), the National Cybersecurity Authority extended a mandatory baseline to every private-sector entity in the Kingdom — not just Critical National Infrastructure.^[S1]

The 60-second answer

Which bucket are you in?

Critical National Infrastructure (CNI) → full ECC-2:2024 + CCC-2:2024 + DCC-1:2022. Highest bar.
Large private entity (250+ staff OR revenue > SAR 200M) → NCNICC-1:2025 Category A: 65 essential controls across Governance, Cyber Defense, Third-party & Cloud.
SME (6–249 staff OR revenue SAR 3M–200M) → NCNICC-1:2025 Category B: reduced control set.
Micro (< 6 staff and < SAR 3M) → typically below the NCNICC size thresholds — but PDPL still applies to any personal data you process.
Handle personal data? → PDPL applies regardless of size, and enforcement is active (fines to SAR 5M).

Not sure which apply to you? → Take the 2-minute "Am I compliant?" check.

The two questions that decide it

1. Are you Critical National Infrastructure?

If a regulator has designated your systems as CNI (energy, finance, health, telecom, government-adjacent), you sit under the full NCA stack — ECC-2:2024 (4 domains, ~110 controls), CCC-2:2024 for cloud, and DCC-1:2022 for data.^[S2]

2. If not CNI — what size are you?

NCNICC-1:2025 sorts non-CNI private entities into Category A (large: 250+ FTE or revenue over SAR 200M) and Category B (SME: 6–249 FTE or revenue SAR 3M–200M). Category A implements the full 65-control set; Category B a lighter profile. Both are mandatory.^[S1]

What the controls actually cover

NCNICC is organized into three components — Governance, Cybersecurity Defense, and Third-party & Cloud Computing Cybersecurity — with practical requirements like periodic risk assessments, endpoint protection, data classification, backup management, incident response procedures, and employee awareness training.^[S3]

How this stacks with PDPL

NCA controls and PDPL are separate, parallel obligations. NCA governs cybersecurity; PDPL (SDAIA) governs personal data. A typical SaaS company processing Saudi personal data now answers to both at once — NCNICC for security posture, PDPL for data handling and cross-border transfer. Neither exempts the other.

This page is a regulatory reference, not legal advice. Designation as CNI and your exact control tier depend on facts specific to your organization — verify with the primary NCA documents and qualified counsel before acting. Last verified 26 June 2026.