Cybersecurity Controls 2025: Obligating companies to Saudize their workforce and separate departments

In a strategic move aimed at enhancing the Kingdom’s digital resilience, the National Cybersecurity Authority issued the “Cybersecurity Controls for Private Sector Entities Not with Critical Infrastructure” document for 2025. This document sets out a precise regulatory framework that binds large, medium-sized and small companies to strict security standards, to ensure business continuity and protect the national economy from escalating threats in cyberspace.
The context of digital transformation and Vision 2030
These decisive measures align with the goals of Saudi Vision 2030, which aims to increase the private sector's contribution to GDP to 65% and raise the share of small and medium-sized enterprises (SMEs) to 35%. With the Kingdom's rapid digital transformation and its advanced global rankings in cybersecurity indicators, establishing a robust digital infrastructure has become essential to safeguarding its significant economic gains. These regulations are part of the Kingdom's efforts to solidify its position as a regional and international digital powerhouse, thereby bolstering investor confidence in the Saudi digital environment.
Classification of facilities and specified criteria
The new controls target two main categories, defined so as to balance facility size against security requirements:
- The first category (large entities): This includes companies with more than 250 employees or annual revenues exceeding 200 million riyals. This category is subject to 65 core controls distributed across 22 sub-components to address all potential gaps in its complex infrastructure.
- The second category (small and medium-sized enterprises): This includes establishments with between 6 and 249 employees, or revenues between 3 million and 200 million riyals. It has been allocated 26 core regulations within 13 sub-components, focusing on protecting core operations without overburdening them with excessive regulatory requirements.
Governance: Separation of departments and Saudization of leadership positions
In a fundamental shift in corporate structure, regulations now require large organizations to establish an independent cybersecurity management unit that reports directly to the organization's CEO. This complete separation from the IT department aims to prevent conflicts of interest, as merging the two often prioritizes operational speed over security.
The document also emphasized a strategic national dimension, stipulating that the leadership of this department and its supervisory staff must be full-time Saudi citizens. This step aims to strengthen digital sovereignty and localize expertise in this sensitive sector, ensuring the presence of qualified national personnel capable of managing cyber crises and protecting national data.
Strengthening technical defenses and data protection
On the technical level, the authority imposed strict policies including:
- Identity management: Mandatory use of multi-factor authentication (MFA) for remote access and email.
- Email protection: Enable the standard email authentication protocols SPF and DMARC to prevent domain impersonation and counter phishing messages.
- Backup: Perform periodic backups of sensitive systems and test their restorability to counter ransomware attacks.
- Third-party security: Include cybersecurity requirements in contracts with suppliers and cloud service providers, and classify data before hosting it in the cloud.
The authority confirmed that these controls represent the minimum required, reserving its right to impose additional controls on any entity when needed, and it will continue to assess the extent of compliance to ensure a safe and stable work environment.