Cybersecurity Controls 2025: Localizing Leadership and Separating Departments

In a strategic move aimed at strengthening the Kingdom’s digital economy, the National Cybersecurity Authority issued the “Cybersecurity Controls for Private Sector Entities Not in Critical Infrastructure” document for 2025. This document sets out a precise and binding regulatory framework for large, medium and small companies, imposing strict security standards to ensure business continuity and protect national assets from escalating global digital threats.

The context of digital transformation and the importance of the decision

This regulatory move comes at a time when Saudi Arabia is experiencing a massive technological boom as part of its Vision 2030 goals, which aim to increase the private sector's contribution to GDP to 65% and raise the share of small and medium-sized enterprises (SMEs) to 35%. With the increasing reliance on digital solutions, the frequency of cyberattacks has risen globally, making cybersecurity a fundamental pillar of economic stability, not merely a technological option. These regulations aim to create a secure investment environment that enhances investor confidence and protects the sensitive data of both companies and customers.

A precise classification of facilities and responsibilities

In its new document, the Authority classifies the target entities by establishment size (headcount and annual revenue), so that the controls are commensurate with the risk exposure and the resources available to each category:

  • The first category (large entities): This includes entities with more than 250 employees or annual revenues exceeding 200 million riyals. This category is required to implement 65 core controls distributed across 22 sub-components covering all security and technical aspects.
  • The second category (small and medium-sized enterprises): This includes establishments with between 6 and 249 employees, or revenues between 3 million and 200 million riyals. A simplified package was allocated to them, comprising 26 core controls within 13 sub-components, with a focus on protecting core operations.

Governance: Localizing leadership and separating powers

The document brought about a fundamental change in the administrative structure of large companies, mandating the establishment of an independent cybersecurity management unit reporting directly to the head of the organization, thus ensuring its complete separation from the information technology (IT) department. This separation aims to prevent conflicts of interest and guarantee the impartiality of security oversight.

In the context of strengthening digital sovereignty, the regulations stressed the need to “Saudize” leadership positions in these units, stipulating that the leadership of the cybersecurity department and its supervisory staff must be full-time Saudi citizens with the necessary competence, which contributes to localizing knowledge and expertise in this vital sector.

Strengthening technological defenses and supply chains

The regulations also cover the finer technical detail. They mandate identity-management policies, most notably multi-factor authentication (MFA) for remote access and for email, and they require domains to publish the DNS-based email authentication standards SPF and DMARC to counter phishing and domain impersonation. A practitioner's caveat: DMARC checks that the visible From domain aligns with the domain authenticated by SPF or DKIM, but it only causes spoofed mail to be quarantined or rejected once its policy tag is set to p=quarantine or p=reject; a p=none record merely generates reports.
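An added example, not part of the NCA document or of any vendor's tooling: a small linter for the SPF and DMARC TXT records the controls require, run on constructed records for the documentation domains example.com / example.net and the reserved range 203.0.113.0/24. It flags the settings that quietly defeat the control (a "+all" or missing "all" term, more than ten DNS-lookup terms, a monitor-only DMARC policy, partial pct enforcement). Fetching live records is left as an assumption; in production you would resolve the TXT records first (for instance with dnspython's dns.resolver.resolve(name, "TXT")) and feed the strings into the same functions.

```python
"""Lint SPF (RFC 7208) and DMARC (RFC 7489) TXT records for weaknesses that let forged mail through.

Added example: the records below are constructed for illustration, not real domains.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


# Mechanisms defined by RFC 7208. These five mechanisms and the redirect= modifier
# each cost a DNS lookup, and receivers abort with permerror above ten of them.
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
SPF_LOOKUP_LIMIT = 10

DMARC_POLICIES = {"none", "quarantine", "reject"}
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def lint_spf(record: str) -> list[Finding]:
    """Return the weaknesses in an SPF record, in the order they are found."""
    findings: list[Finding] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1; receivers ignore it")]
    lookups = 0
    all_qualifier = None
    has_redirect = False
    for raw in terms[1:]:
        head = raw.split(":", 1)[0].split("/", 1)[0]
        if "=" in head:  # modifier such as redirect= or exp=, not a mechanism
            if head.split("=", 1)[0].lower() == "redirect":
                lookups += 1
                has_redirect = True
            continue
        qualifier, term = ("+", raw)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mech not in SPF_MECHANISMS:
            findings.append(Finding("SPF", "high", f"unknown term {raw!r}: receivers return permerror and apply no policy"))
            continue
        if mech in SPF_LOOKUP_TERMS:
            lookups += 1
        if mech == "ptr":
            findings.append(Finding("SPF", "low", "ptr mechanism is deprecated and slow; replace with ip4/ip6 or include"))
        if mech == "all" and all_qualifier is None:
            all_qualifier = qualifier
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("SPF", "high", f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}: receivers return permerror"))
    if all_qualifier is None and not has_redirect:
        findings.append(Finding("SPF", "high", "no 'all' term: unlisted senders get a neutral result instead of failing"))
    elif all_qualifier == "+":
        findings.append(Finding("SPF", "high", "+all authorizes every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("SPF", "medium", "?all is neutral: forged mail is neither passed nor failed"))
    elif all_qualifier == "~":
        findings.append(Finding("SPF", "low", "~all is softfail; blocking then depends on the DMARC policy"))
    return findings


def lint_dmarc(record: str) -> list[Finding]:
    """Return the weaknesses in a DMARC record, in the order they are found."""
    findings: list[Finding] = []
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return [Finding("DMARC", "high", "record must begin with v=DMARC1; receivers ignore it otherwise")]
    tags: dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            findings.append(Finding("DMARC", "medium", f"malformed tag {part!r}"))
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy is None:
        findings.append(Finding("DMARC", "high", "required p= tag missing: record is invalid and no policy applies"))
    elif policy not in DMARC_POLICIES:
        findings.append(Finding("DMARC", "high", f"unknown policy p={policy!r}"))
    elif policy == "none":
        findings.append(Finding("DMARC", "medium", "p=none only monitors: mail failing SPF/DKIM alignment is still delivered"))
    sub = tags.get("sp")
    if sub is not None and sub not in DMARC_POLICIES:
        findings.append(Finding("DMARC", "high", f"unknown subdomain policy sp={sub!r}"))
    elif sub is not None and policy in DMARC_POLICIES and DMARC_RANK[sub] < DMARC_RANK[policy]:
        findings.append(Finding("DMARC", "medium", f"sp={sub} is weaker than p={policy}: subdomains can be spoofed"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(Finding("DMARC", "medium", f"malformed pct={pct!r}"))
    elif int(pct) < 100 and policy in {"quarantine", "reject"}:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: the policy is applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address: aggregate reports are never received, so abuse goes unseen"))
    return findings


# Constructed records (documentation domains and address space, not real deployments).
WEAK_SPF = "v=spf1 include:_spf.example.net ptr +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, rec, lint in (("weak SPF", WEAK_SPF, lint_spf), ("strong SPF", STRONG_SPF, lint_spf),
                             ("weak DMARC", WEAK_DMARC, lint_dmarc), ("strong DMARC", STRONG_DMARC, lint_dmarc)):
        print(f"{label}: {rec}")
        for f in lint(rec) or [Finding(label, "ok", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

The two linters are deliberately independent: an SPF record ending in "-all" is not enough on its own, because DMARC is what tells receivers to act on the alignment result, and a DMARC record at p=reject is hollow if the SPF record behind it ends in "+all".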

On third-party cybersecurity, the document obliges companies to write security requirements into their contracts with suppliers and cloud service providers, to classify data before hosting it in the cloud, and to ensure that the entity's environment is isolated from other tenants of the same provider, so that the supply chain does not become a backdoor for breaches.

Naqa News

Naqa News is an editor who provides reliable news content and works to follow the most important local and international events and present them to the reader in a simple and clear style.