Saudi Arabia
Government Structure
Do they designate a lead cyber security agency within the government? The National Cybersecurity Authority (NCA).
Is oversight provided on a centralized or sectoral basis? Centralized. The NCA oversees compliance with national requirements. See Essential Cybersecurity Controls (ECC) 2018, pg. 6.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? N/A
How do they designate within these sectors? N/A
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. The ECC of 2018 "set the minimum cybersecurity requirements for information and technology assets in organizations." ECC 2018, pg. 8.
Does it take a risk-based approach? Yes. Per Control 1-5-1, "risk management methodology and procedures must be defined." ECC 2018, pg. 15.
Do the security measures enable the use of international standards? Unclear. The Introduction of the Essential Cybersecurity Controls of 2018 explains that the controls were developed "after conducting a comprehensive study of multiple national and international cybersecurity frameworks and standards." ECC 2018, pg. 7.
Are security measures NIST CSF compatible? (Possible to comply through this approach?) Unclear. Documents only reference that Saudi Arabia developed its standards "based on industry leading practices." The controls address many of the areas within the five main Framework Core Functions of the NIST CSF, but compatibility is not specified. ECC 2018, pg. 8.
Do they include prescriptive or technology-based security measures? Yes. Per Control 1-3-3, cybersecurity policies "must be supported by technical security standards." ECC 2018, pg. 15.
Incident Reporting
Are there mandatory incident reporting requirements? Yes. Per Control 2-13-1, requirements for cybersecurity incidents and threat management must be "defined, documented and approved." These plans must include response plans and escalation procedures, classifications, reporting requirements, incident notifications, and threat intelligence feeds (2-13-3). ECC 2018, pg. 24.
Are there clear thresholds above which an incident should be reported? Unclear. The thresholds may be set in the required plans mentioned above, but each plan will be unique to the agency or organization designing and implementing it. The proposed CRF requires that LSPs "report major incidents with appropriate details to CITC." Control 4.9.2, draft CRF for the ICT Sector, pg. 37.
How do they determine the timeline within which an incident must be reported? As with the answer above, these timelines will be unique to each plan.
Threat Information Sharing
Have they established a national threat information sharing entity? No. There is no center or entity that is specifically designed for national threat information sharing.
Does this entity share information out to industry, as well as receiving information? Unclear based on available information.
Is threat information sharing mandatory for any private sector entity? The Essential Cybersecurity Controls require that organizations include cybersecurity incident reporting to the NCA. See ECC, pg. 24. Entities in the ICT Sector are required to provide compliance reporting, as well as information and documentation, upon request from the CITC. See Control Draft CRF for the ICT Sector, pg. 4.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? No. Such requirements are not outlined in the ECC or the new draft ICT regulations.
Are there requirements to cede control of facilities in an emergency situation? No. Such requirements are not outlined in the ECC or the new draft ICT regulations.
Are there requirements to provide source code or other decryption capabilities? No. Such requirements are not outlined in the ECC or the new draft ICT regulations.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No. Such requirements are not outlined in the ECC or the new draft ICT regulations.
Are there requirements to localize data? No. Such requirements are not outlined in the ECC or the new draft ICT regulations.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. An individual may be subject to a fine between 500,000-5 million riyals for committing various cyber crimes. Anti-Cyber Crime Law, Royal Decree No. M/17.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. An individual may be subject to between 1-10 years for committing various cyber crimes. Anti-Cyber Crime Law, Royal Decree No. M/17.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Essential Cybersecurity Controls (ECC – 1: 2018) was published in 2018. The Cybersecurity Framework for the ICT Sector was published on May 29, 2019.