Gulf News

Saudi Arabia: "Cyber" requires companies to "Saudize" security officials and separate their departments from "Technology" – urgent

The National Cybersecurity Authority has issued the document "Cybersecurity Controls for Private Sector Entities Without Sensitive Infrastructure" for 2025, establishing a precise regulatory framework that requires large, medium and small companies to comply with strict security standards, in order to ensure business continuity and protect the national economy from escalating threats.

The step is in line with the objectives of the Kingdom's Vision 2030, which aims to raise the private sector's contribution to gross domestic product to 65% and the share of small and medium enterprises to 35%, gains that require a secure digital perimeter to protect them from cyber risks.

Classification of entities

The new controls target two main categories, classified by entity size. The first category, "large entities", covers entities with more than 250 employees or annual revenues exceeding 200 million riyals; the Authority requires them to implement a comprehensive set of controls.

The second category, "small and medium-sized entities", covers entities with between 6 and 249 employees, or revenues between 3 million and 200 million riyals. These have been assigned specific controls commensurate with the size of their business and the nature of the risks they face.

For the large category, the document sets the regulatory burden at 65 main controls distributed across 22 subdomains under three main domains, so that potential gaps in the technical infrastructure of these large entities are covered.

Small and medium-sized entities are held to a minimum requirement of 26 main controls within 13 subdomains, with the primary focus on the domain of strengthening cyber defenses, so that their core operations are protected without overburdening them.

The controls are built on three main domains that form the overall protection structure: cybersecurity governance, strengthening cyber defenses, and cybersecurity related to third parties and cloud computing.

Governance controls

On governance, the controls require large entities to establish an independent cybersecurity unit reporting directly to the head of the entity, fully separated from the information technology department, to prevent any conflict of interest that could weaken the security function.

The document also stresses that this unit and its supervisory positions must be headed by full-time, highly qualified Saudi citizens, in order to strengthen digital sovereignty and localize expertise in this sensitive sector.

On strengthening defenses, the Authority requires all categories to apply strict identity and access management policies, including mandatory multi-factor authentication (MFA) for remote logins and e-mail access.

The technical requirements also make e-mail protection mandatory, through widely used standards such as SPF and DMARC, to prevent sender spoofing and counter phishing messages, which are often the first entry point for an intrusion.
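Enabling SPF and DMARC is only useful if the published records actually enforce anything: an SPF record ending in "+all" authorises every sender, and a DMARC record with "p=none" merely reports. The following Python is an added example, not part of the article or of the Authority's document; it parses two constructed sets of TXT records (the domain names and addresses are hypothetical) and reports the settings a practitioner would flag before calling a domain compliant. In production the records would be fetched from DNS for the domain and its `_dmarc` subdomain; here they are embedded so the script runs offline.

```python
"""Check SPF and DMARC TXT records against a minimal enforcement bar.

Added example with constructed records; domains, IPs and addresses are
hypothetical. Real records would be looked up at <domain> and _dmarc.<domain>.
"""
import re

# SPF mechanisms that each consume one of the ten DNS lookups allowed per
# evaluation (RFC 7208, section 4.6.4); "redirect" counts as well.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the SPF terms, the qualifier of the 'all' term and the lookup
    count, or None if the text is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = {"terms": [], "all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"                      # "+" is the default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            parsed["all"] = qualifier
        elif name in LOOKUP_MECHANISMS:
            parsed["lookups"] += 1
        parsed["terms"].append((qualifier, term))
    return parsed


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the text is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no record, so receivers cannot reject forged sender IPs")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or '+all' terminator authorises any sender IP")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral and adds no protection")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 lookup mechanisms; evaluation yields permerror")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no record, so SPF/DKIM failures are not enforced")
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append("DMARC: p=%s does not enforce; use quarantine or reject" % (policy or "none"))
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append("DMARC: pct=%s applies the policy to only part of the mail" % pct)
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


# Constructed sample records for two hypothetical domains: one that has
# "activated" both protocols without enforcing, and one hardened properly.
SAMPLE_DNS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
}


def assess_sample(domain):
    """Assess one of the constructed domains above."""
    rec = SAMPLE_DNS[domain]
    return assess(rec.get("spf"), rec.get("dmarc"))


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(name, assess_sample(name) or ["OK"])
```

Both sample domains "have SPF and DMARC", but only the hardened one passes: the weak record's "+all" and "p=none" are the two settings most often left in place after a monitoring-only rollout and are worth checking explicitly during a compliance review.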

The controls also require entities to take periodic backups of sensitive systems and to test that they can be restored, so that business does not stop if the entity is hit by a ransomware attack or a digital disaster.

On security related to third parties, the document requires entities to include cybersecurity requirements in their contracts with suppliers and cloud service providers, so that data is not leaked through a third party that may be the weakest link.

The controls also call for data to be classified before it is hosted in the cloud, for the entity's technical environment to be separated from those of other tenants in the cloud, and for data to be returned in a usable form when the contract ends.

The Authority confirmed that these controls represent the minimum required to reduce cyber risk, noted its right to impose additional controls on any entity where the security need arises, and said it will continuously evaluate the extent of compliance.
