A genuine technical achievement
On June 18, 2026, Saudi Arabia's National Cybersecurity Authority (NCA) announced that the Kingdom had been classified Tier 1 — "Role-modelling" — in the International Telecommunication Union's Global Cybersecurity Index (GCI) 2026, marking its third consecutive year at the top of the ranking (NCA; Arab News). The GCI, published by the ITU — the UN's specialized agency for information and communication technology — scores nearly every UN member state across five pillars: legal measures, technical measures, organizational measures, capacity development, and cooperation (ITU). "Role-modelling" is the index's highest tier, reserved for governments the ITU judges to have both comprehensive cybercrime statutes and the institutional capacity — CERTs, incident-response coordination, workforce pipelines — to actually enforce them.
That is a real accomplishment, and it deserves to be credited as one before any critique follows. Building durable cyber-defense capacity is unglamorous, expensive, multi-year institutional work: standing up a national CERT, harmonizing incident-reporting obligations across critical-infrastructure sectors, training a cybersecurity workforce, negotiating cooperation agreements with allied CERTs abroad. The NCA, established in 2017 as the Kingdom's specialized cybersecurity regulator, has done that work in partnership with the Saudi Information Technology Company (SITE), and the fact that Saudi Arabia has now held the ITU's top tier for three straight assessment cycles suggests the investment has been sustained rather than performative (NCA). For a country whose Vision 2030 economic diversification plan depends on attracting cloud infrastructure, fintech, and data-center investment, a credible cyber-resilience track record is a legitimate competitive asset — not just a PR line.
The same legal toolkit, a different use
The trouble is that "cybersecurity" in Saudi Arabia's legal architecture is not narrowly scoped to malware, ransomware, and infrastructure attacks — it doubles as the statutory basis for content control that has nothing to do with technical threat mitigation. Since April 30, 2026, Meta has rendered the Facebook accounts of the Gulf-focused NGOs ALQST for Human Rights and Democratic Diwan, along with Saudi researcher Abdullah Alaoudh and human rights defender Yahya Assiri, "unavailable" specifically inside Saudi Arabia — a form of geo-blocking carried out at the Saudi government's request. Meta's own transparency disclosures show more than 100 Facebook pages and Instagram accounts have been restricted across Saudi Arabia and the UAE since March 2026, with the underlying legal requests citing cybercrime statutes (ALQST/Access Now joint statement). Twelve organizations, including Access Now, EFF, and the Gulf Centre for Human Rights, have jointly called the restrictions "arbitrary, discriminatory, and a direct violation of the right to freedom of expression."
This is not a coincidence of timing — it is a design feature. The ITU's "Legal Measures" pillar rewards countries for having broad, enforceable cybercrime law on the books; it does not audit how that law is subsequently applied. Saudi Arabia's 2007 Anti-Cyber Crime Law and its successors give the state wide latitude to characterize speech — including reporting on "regional geopolitical conflicts and security developments" — as a cybercrime matter, and platforms complying with a government legal request have no meaningful way to distinguish a good-faith infrastructure-security demand from a political silencing order. The NCA's technical mandate (protecting networks, coordinating incident response, setting the Essential Cybersecurity Controls that critical-infrastructure operators must follow) is legitimate and largely uncontroversial. The use of adjacent "cybercrime" statutes to compel platforms to geo-block human rights researchers is a separate function entirely, and conflating the two — crediting a government's cyber-defense capacity while it simultaneously wields "cybersecurity" law against dissidents — is precisely the kind of category error that gives proportionate regulation a bad name.
Why the distinction matters for policy design
For other governments watching Saudi Arabia's GCI result as a model — and Gulf peers, in particular, study each other's regulatory architecture closely — the lesson to take is not "broad cybercrime law plus strong institutions equals a Tier 1 score." It is that technical capacity and legal scope are two different variables, and only one of them should be broad. A well-resourced CERT, mandatory breach reporting for critical infrastructure, and cross-border incident-response cooperation are all pro-innovation moves: they reduce the tail risk that keeps foreign cloud and fintech investors up at night, and they impose real costs only on attackers. Statutes broad enough to let "cybercrime" swallow ordinary political and human-rights speech impose costs on legitimate platforms, researchers, and the country's own reputation as a place to build — the opposite of what Vision 2030 is supposed to attract.
A genuinely proportionate cybersecurity framework would firewall the two: keep the NCA's technical mandate intact and internationally respected, while narrowing cybercrime statutes so platform-compliance requests tied to content and speech require a distinct, judicially reviewable legal basis rather than riding on the same law that authorizes incident-response coordination. Until that separation exists, Saudi Arabia's ITU ranking will keep measuring something real — but it will not be the whole story of what the Kingdom's cybersecurity law is being used for.