Cybersecurity in Saudi Arabia: NCA Mandates, the $3.5 Billion Market, and Critical Infrastructure Protection
An in-depth analysis of Saudi Arabia's cybersecurity landscape, from the National Cybersecurity Authority's regulatory mandates and the Kingdom's $3.5 billion cybersecurity market to critical infrastructure protection strategies.
Saudi Arabia faces a cybersecurity environment of extraordinary complexity and consequence. As one of the world’s largest oil producers, a major financial center, and a country undergoing massive digital transformation, the Kingdom presents a uniquely attractive target for state-sponsored hackers, cybercriminal organizations, and hacktivists. The digitization of government services, the deployment of smart city infrastructure, and the expansion of e-commerce and digital payments have created a vast and growing attack surface that must be defended around the clock.
The stakes are not theoretical. Saudi Arabia has experienced some of the most significant cyberattacks in history, including the 2012 Shamoon attack that destroyed data on 35,000 computers at Saudi Aramco, one of the most destructive cyberattacks against a single company ever recorded. Subsequent attacks targeting government agencies, financial institutions, and critical infrastructure have reinforced the message that cybersecurity is not merely a technology issue but a national security imperative.
In response, Saudi Arabia has built one of the most comprehensive national cybersecurity programs in the Middle East, anchored by the National Cybersecurity Authority (NCA) and supported by a growing domestic cybersecurity industry. The Kingdom’s cybersecurity market has reached approximately $3.5 billion annually, driven by government mandates, private sector demand, and a growing awareness that digital transformation without security is a recipe for disaster.
The National Cybersecurity Authority
The NCA, established by royal decree in 2017, serves as Saudi Arabia’s national authority responsible for cybersecurity. The agency reports directly to the King, reflecting the strategic importance of cybersecurity to the Kingdom’s leadership. This direct reporting line gives the NCA the authority and visibility needed to enforce its mandates across all government agencies and critical infrastructure operators.
Mandate and Scope
The NCA’s mandate encompasses the full spectrum of cybersecurity activities, from policy development and regulation to incident response and international cooperation. The agency is responsible for setting national cybersecurity standards, monitoring compliance, conducting cybersecurity assessments, and leading the Kingdom’s response to major cyber incidents.
The NCA’s authority extends beyond government to include critical infrastructure operators in sectors such as energy, telecommunications, finance, healthcare, water, and transportation. Private sector companies in these sectors must comply with NCA regulations, submit to periodic assessments, and report cybersecurity incidents within specified timeframes.
Essential Cybersecurity Controls
The NCA’s Essential Cybersecurity Controls (ECC) represent the foundation of Saudi Arabia’s regulatory approach to cybersecurity. The ECC framework, first published in 2018 and updated regularly since, establishes minimum security requirements that all government agencies and critical infrastructure operators must implement.
The ECC comprises five main domains: cybersecurity governance, cybersecurity defense, cybersecurity resilience, third-party cybersecurity, and cloud computing and hosting cybersecurity. Within these domains, the framework defines 114 specific controls covering areas including access management, network security, application security, data protection, incident management, and business continuity.
Compliance with the ECC is not optional. Government agencies must achieve full compliance and are subject to periodic assessments by NCA-authorized auditors. Critical infrastructure operators face similar requirements, with non-compliance potentially resulting in penalties, operational restrictions, or management accountability measures.
Sector-Specific Controls
Beyond the general ECC framework, the NCA has developed sector-specific cybersecurity controls for industries with unique risk profiles.
The Critical Systems Cybersecurity Controls (CSCC) apply to operational technology (OT) systems that control physical infrastructure such as power plants, water treatment facilities, and industrial processes. These controls address the unique challenges of securing OT environments, where legacy systems, safety requirements, and the convergence of IT and OT networks complicate defense.
The Cloud Cybersecurity Controls (CCC) establish requirements for the use of cloud computing services by government agencies and regulated entities. The controls address data classification, data residency, access management, and incident response in cloud environments, ensuring that the migration to cloud services does not compromise the security of sensitive data.
The Data Cybersecurity Controls (DCC) focus specifically on the protection of data throughout its lifecycle, from creation and storage to processing and destruction. These controls are particularly relevant given the massive data generation associated with smart city deployments, IoT networks, and AI applications.
National Cybersecurity Assessment
The NCA conducts the National Cybersecurity Assessment on an annual basis, evaluating the cybersecurity maturity of government agencies and critical infrastructure operators against the ECC framework and relevant sector-specific controls. The assessment uses a standardized methodology that assigns maturity levels ranging from initial (ad hoc, reactive security measures) to optimized (proactive, continuously improving security operations).
Results from the most recent assessment show steady improvement in cybersecurity maturity across government agencies, with the average maturity score increasing from 2.1 out of 5 in 2020 to 3.4 in 2025. Critical infrastructure operators have shown similar improvement, though the starting point and rate of progress vary significantly across sectors. The energy and financial sectors lead in cybersecurity maturity, while healthcare and water sectors continue to face challenges related to legacy systems and limited cybersecurity budgets.
The $3.5 Billion Cybersecurity Market
Saudi Arabia’s cybersecurity market has grown at a compound annual growth rate of approximately 18 percent over the past five years, reaching an estimated $3.5 billion in 2025. This makes it the largest cybersecurity market in the Middle East and one of the fastest growing globally.
Demand Drivers
Several factors drive the strong growth in cybersecurity spending. The NCA’s regulatory mandates create a baseline of demand as organizations invest to achieve compliance. The rapid pace of digital transformation increases the attack surface and creates new security requirements. The evolving threat landscape, with increasingly sophisticated and persistent attackers, requires continuous investment in defensive capabilities.
Vision 2030’s megaprojects, including NEOM, the Red Sea Project, and Riyadh Expo 2030, each have significant cybersecurity requirements. These projects deploy cutting-edge technology in environments where a security breach could have physical safety implications, creating demand for advanced security solutions and specialized cybersecurity expertise.
The growth of e-commerce and digital payments has also driven cybersecurity investment, as merchants, payment processors, and financial institutions invest in fraud prevention, data protection, and compliance with Payment Card Industry Data Security Standard (PCI DSS) requirements.
Market Composition
The cybersecurity market in Saudi Arabia encompasses several segments. Security products, including firewalls, endpoint protection, security information and event management (SIEM) systems, and identity management solutions, account for approximately 40 percent of the market. Security services, including managed security services, consulting, assessment, and incident response, account for another 40 percent. The remaining 20 percent covers cybersecurity training, education, and workforce development.
International cybersecurity vendors dominate the products segment, with companies like Palo Alto Networks, CrowdStrike, Fortinet, and IBM maintaining significant market share. However, Saudi cybersecurity companies are gaining ground, particularly in services and in solutions tailored to the Kingdom’s specific regulatory and operational requirements.
Domestic Cybersecurity Companies
The growth of the cybersecurity market has spawned a vibrant domestic industry. Saudi cybersecurity companies compete across multiple segments, often leveraging their understanding of local regulations, Arabic language capabilities, and cultural context as competitive advantages.
SITE (Saudi Information Technology Company), a subsidiary of SAMI, provides cybersecurity solutions for government and defense clients. The company’s portfolio includes secure communications systems, classified network infrastructure, and cybersecurity operations center (CSOC) services.
Elm, a PIF-owned technology company, provides identity management and verification services that underpin the security of government digital platforms. The company’s identity verification technology is used by Absher, Nafath, and other government services to prevent unauthorized access and identity fraud.
Several cybersecurity startups have emerged from Saudi Arabia’s growing technology ecosystem, focusing on areas including cloud security, IoT security, AI-powered threat detection, and cybersecurity training. These companies benefit from supportive government policies, access to venture capital, and a large domestic market with strong demand for cybersecurity solutions.
Critical Infrastructure Protection
The protection of critical infrastructure is the highest priority of Saudi Arabia’s cybersecurity program. The Kingdom’s economy depends on the uninterrupted operation of oil and gas production, electricity generation and distribution, water desalination and distribution, and telecommunications networks. A successful cyberattack against any of these systems could have devastating economic and humanitarian consequences.
Energy Sector
Saudi Aramco, the world’s largest oil company, operates the most extensive cybersecurity program in the Saudi private sector. The 2012 Shamoon attack served as a catalyst for massive investment in cybersecurity, transforming Aramco from a victim into a model for industrial cybersecurity.
Aramco’s cybersecurity program encompasses both IT systems (corporate networks, business applications, and data centers) and OT systems (industrial control systems, SCADA networks, and safety instrumented systems). The company operates multiple cybersecurity operations centers that monitor its global infrastructure around the clock, employing hundreds of cybersecurity specialists.
The separation of IT and OT networks is a fundamental principle of Aramco’s security architecture. Industrial control systems that manage oil production, refining, and distribution are isolated from corporate networks through multiple layers of security controls, including network segmentation, data diodes that allow information to flow in only one direction, and dedicated monitoring systems for OT-specific threats.
Aramco also participates in international cybersecurity information sharing initiatives, contributing threat intelligence and receiving early warnings of attacks targeting the energy sector. This collaborative approach reflects the recognition that cybersecurity threats are global in nature and cannot be addressed by any single organization in isolation.
Financial Sector
The Saudi Central Bank (SAMA) has established a comprehensive cybersecurity framework for the financial sector that complements the NCA’s national framework with sector-specific requirements. SAMA’s Cybersecurity Framework, first issued in 2017 and regularly updated, establishes detailed security requirements for banks, insurance companies, payment processors, and fintech firms.
The framework requires financial institutions to establish dedicated cybersecurity functions, conduct regular penetration testing and vulnerability assessments, implement robust incident response plans, and maintain cybersecurity awareness programs for employees. SAMA conducts periodic assessments of financial institutions’ cybersecurity posture and can impose corrective actions on institutions that fail to meet requirements.
The financial sector also operates a sector-specific Computer Emergency Response Team (CERT) that coordinates incident response and threat intelligence sharing among financial institutions. This capability enables rapid coordination when threats target multiple financial institutions simultaneously, as occurred during several coordinated phishing campaigns in recent years.
Telecommunications
The telecommunications sector’s cybersecurity is overseen by both the NCA and the Communications, Space, and Technology Commission (CST). Telecommunications networks are both critical infrastructure in their own right and the connectivity layer on which other critical infrastructure depends, giving their security a multiplier effect on national resilience.
The three mobile operators, stc, Mobily, and Zain, each maintain substantial cybersecurity operations, including security operations centers, threat intelligence teams, and incident response capabilities. The operators are required to implement specific security measures for their 5G networks, reflecting the expanded attack surface and the critical applications that 5G enables.
The CST has also established requirements for the security of IoT devices deployed on telecommunications networks, recognizing that insecure IoT devices can be compromised and used as platforms for attacks against other targets. These requirements include minimum security standards for device manufacturers, secure boot mechanisms, encrypted communications, and automatic security update capabilities.
Water and Desalination
Saudi Arabia depends on desalination for approximately 70 percent of its potable water supply, making the security of desalination plants a matter of national survival. The Saline Water Conversion Corporation (SWCC), which operates the Kingdom’s major desalination facilities, has implemented cybersecurity programs that protect both the IT systems used for business operations and the industrial control systems that manage the desalination process.
The convergence of IT and OT in modern desalination plants creates particular security challenges. Modern plants use networked sensors, automated control systems, and data analytics platforms that improve operational efficiency but also create potential entry points for cyberattacks. SWCC’s cybersecurity strategy emphasizes defense in depth, with multiple layers of security controls protecting critical systems from both external attacks and insider threats.
Cyber Threat Landscape
Saudi Arabia faces a diverse and sophisticated threat landscape that includes state-sponsored advanced persistent threats (APTs), organized cybercrime groups, hacktivists, and opportunistic attackers.
State-Sponsored Threats
The Kingdom has been targeted by state-sponsored hacking groups attributed to several nations. These groups pursue objectives including espionage, intellectual property theft, and the disruption of critical infrastructure. The Shamoon attacks, attributed to Iranian-linked groups, demonstrated the potential for destructive cyber operations against Saudi targets.
The NCA monitors state-sponsored threats through its national threat intelligence center, which combines technical monitoring with open-source intelligence and information sharing with allied nations’ cybersecurity agencies. The center produces regular threat assessments that are distributed to government agencies and critical infrastructure operators, enabling them to prioritize their defenses against the most likely and impactful threats.
Cybercrime
As Saudi Arabia’s digital economy has grown, so has its attractiveness as a target for cybercriminal organizations. Phishing attacks targeting Saudi individuals and businesses have increased significantly, with attackers impersonating government services, banks, and delivery companies to steal credentials and financial information.
Ransomware attacks against Saudi businesses have also increased, with small and medium enterprises being particularly vulnerable due to limited cybersecurity resources. The NCA has published guidance for organizations on preventing and responding to ransomware attacks, and SAMA has issued specific guidance for financial institutions.
Business email compromise (BEC) attacks, where attackers impersonate executives or business partners to fraudulently redirect payments, have cost Saudi businesses hundreds of millions of riyals. The international nature of these attacks, often originating from outside the Kingdom, creates jurisdictional challenges for law enforcement.
Workforce Development
The cybersecurity workforce shortage is one of the most significant challenges facing Saudi Arabia’s cybersecurity program. The Kingdom needs an estimated 40,000 cybersecurity professionals by 2030 to meet the demands of government agencies, critical infrastructure operators, and private sector organizations. Current estimates place the existing workforce at approximately 18,000, leaving a substantial gap to fill.
Education and Training
Saudi universities have responded to the workforce need by establishing cybersecurity degree programs. King Saud University, King Fahd University of Petroleum and Minerals, Princess Nourah bint Abdulrahman University, and several other institutions now offer bachelor’s and master’s programs in cybersecurity. Several universities have also obtained accreditation from international cybersecurity education bodies, ensuring their programs meet global standards.
The NCA operates the Saudi Cybersecurity Academy, which provides specialized training for cybersecurity professionals across government and critical infrastructure. The academy offers courses in areas including penetration testing, incident response, malware analysis, and security architecture, delivered by a combination of NCA staff and international cybersecurity experts.
Certifications and Competitions
Professional certifications play an important role in validating cybersecurity expertise. The NCA has partnered with international certification bodies including ISC2, ISACA, and SANS to offer certification programs within the Kingdom. The number of Saudi professionals holding internationally recognized cybersecurity certifications has grown by more than 200 percent over the past five years.
Cybersecurity competitions, including capture-the-flag events and national cyber exercises, serve as both talent identification and development tools. The NCA’s annual cybersecurity competition attracts thousands of participants from universities, government agencies, and the private sector, identifying talented individuals for accelerated career development.
Saudization Targets
The NCA has established Saudization targets for cybersecurity positions across government and regulated sectors, requiring that an increasing percentage of cybersecurity professionals be Saudi nationals. These targets are supported by training programs, career development pathways, and salary guidelines that make cybersecurity careers attractive to Saudi graduates.
The Saudization push in cybersecurity serves multiple objectives. It reduces dependence on foreign nationals for security-sensitive positions, builds domestic expertise that strengthens the Kingdom’s long-term cybersecurity capability, and creates high-value jobs that support economic diversification.
Future Outlook
Saudi Arabia’s cybersecurity landscape will continue to evolve as the Kingdom’s digital transformation deepens and the threat landscape shifts. Several trends will shape the future of cybersecurity in the Kingdom.
The adoption of artificial intelligence in both offensive and defensive cybersecurity operations will accelerate. AI-powered threat detection systems will become essential for managing the volume and velocity of attacks, while attackers will use AI to develop more sophisticated and adaptive attack techniques. The cybersecurity arms race between attackers and defenders will increasingly be fought with AI tools on both sides.
The security of operational technology environments will receive increased attention as more industrial systems become connected. The convergence of IT and OT creates efficiencies but also new vulnerabilities that traditional IT security tools are not designed to address. Purpose-built OT security solutions and specialized expertise will be in high demand.
Cloud security will become the dominant concern for many organizations as cloud adoption accelerates. The shared responsibility model of cloud security, where providers and customers each bear responsibility for different aspects of security, requires new skills and governance approaches that many organizations are still developing.
Quantum computing, while still years from practical impact, is already influencing cybersecurity planning. The prospect of quantum computers breaking current encryption algorithms has prompted SAMA and the NCA to begin evaluating quantum-resistant cryptographic standards for eventual deployment across government and financial systems.
Saudi Arabia’s cybersecurity journey mirrors its broader transformation: ambitious in scope, rapid in execution, and driven by the recognition that in a digital world, security is not a luxury but a prerequisite for progress. The Kingdom’s investment in cybersecurity infrastructure, regulation, workforce development, and technology positions it well to defend against the threats of today while preparing for the challenges of tomorrow.