Saudi Arabia's National Cybersecurity Authority (NCA) has quietly completed one of the most expansive regulatory moves in the Gulf's digital economy. With the issuance of the Cybersecurity Controls for Non-Critical Private Sector Organizations (NCNICC-1:2025) — finalized on 27 March 2026 according to a legal analysis by CMS — the Kingdom has extended legally mandatory cybersecurity obligations to essentially every private company operating on its soil, not just banks, telecoms, and other designated critical national infrastructure (CNI).
For a decade, the NCA's flagship instruments — the Essential Cybersecurity Controls (ECC), first issued as ECC-1:2018 and updated to ECC-2:2024 — bound government entities and CNI operators. NCNICC-1:2025 closes the gap, capturing the long tail of private firms that the ECC never formally reached. It is, in regulatory ambition, comparable to the EU bringing mid-market companies into the NIS2 Directive's perimeter.
What the framework actually requires
NCNICC-1:2025 sorts firms into two tiers. Category A — large entities with more than 250 employees or annual revenue above SAR 200 million — must implement the full set: three main components, 22 sub-components, and 65 essential controls, including multi-factor authentication, encryption, logging, and independent audit. Category B — small and medium-sized firms with 6 to 249 employees or revenue between SAR 3 million and SAR 200 million — face a streamlined regime of 26 controls, some recommended rather than strictly mandatory, per the CMS summary of the published text.
The substantive controls are unremarkable in the best sense: they track the NCA's own framework architecture and align with NIST CSF and ISO/IEC 27001. This is not exotic regulation. It is the floor that most security professionals would recommend regardless of any mandate.
The strong case for the mandate
It is worth stating the case for NCNICC plainly, because it is genuine. Cyber risk is a classic negative externality: a breached SME is rarely just its own problem — it becomes a foothold into supply chains, a node in a botnet, or a leak of customers' data that the firm itself never has to fully internalize. Voluntary adoption of baseline hygiene has been weak worldwide. Saudi Arabia is also a uniquely high-value target; it sits atop the UN's Global Cybersecurity Index as a tier-one nation precisely because it has invested heavily and been attacked heavily. A national floor that forces every firm to turn on MFA and keep logs is a defensible, even admirable, public-good intervention. The Kingdom's broader National Cybersecurity Strategy, built on six pillars (Unify, Manage, Assure, Defend, Partner, Build), has coincided with real market growth: cybersecurity spending reached SAR 13.3 billion ($3.55 billion) in 2023, up 10.8 percent year-on-year, with the private sector supplying 69 percent of that investment and a workforce of 19,600 specialists.
Where proportionality starts to fray
The concern is not the controls. It is the breadth, the burden curve, and the surrounding posture.
First, the SME burden is real and front-loaded. Category B's 26 controls are lighter on paper, but a 10-person firm has no security team to interpret them. The cost of compliance for the smallest captured firms — those near the SAR 3 million revenue line — is non-trivial relative to margins, and the framework's technical controls (centralized logging, encryption key management) carry procurement and deployment cycles of months. A mandate that is rational for a 240-person fintech can be a deadweight tax on a regional logistics shop. Proportionate regulation would tier far more aggressively at the bottom, lean on safe harbors for firms that adopt recognized managed-security services, and publish a realistic grace period — which, as of early June 2026, the NCA has not clearly specified.
Second, scope without a sunset clause invites mission creep. NCNICC folds the entire private economy under a single security regulator's standing authority to "assess compliance and update requirements as needed." That is a lot of discretionary reach. The risk is not the 2026 control set; it is the 2028 one, added without the friction that a narrower mandate would impose.
Third, and most importantly for the open internet, cybersecurity authority and content control are converging in the Gulf. In the same window that NCNICC took effect, Meta restricted over 100 Facebook and Instagram accounts belonging to NGOs and researchers from reaching Saudi and UAE audiences — many at the explicit request of the Saudi government, per a 20 May 2026 statement from ALQST and Access Now. That is a separate legal track from NCNICC. But it is the same state apparatus, and it underscores why a maximalist reading of "national cybersecurity" should worry anyone who cares about speech. Security frameworks that are technically sound can still be deployed inside a governance environment where "protecting the network" and "controlling the network" blur.
The proportionate path
None of this argues for abandoning a national baseline. It argues for keeping the cybersecurity mandate narrow, technical, and bounded — MFA and logging, not a standing license over the digital private sector — and for institutional firewalls that keep the NCA's defensive remit from sliding into content governance. Saudi Arabia has built genuine cyber capability. The test now is whether it regulates the externality without taxing the entrepreneur or absorbing the regulator into the censor.