{"id":14493,"date":"2026-05-18T16:15:54","date_gmt":"2026-05-18T10:45:54","guid":{"rendered":"https:\/\/threatcop.com\/blog\/?p=14493"},"modified":"2026-06-18T12:24:21","modified_gmt":"2026-06-18T06:54:21","slug":"saudi-arabia-government-cybersecurity-frameworks","status":"publish","type":"post","link":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/","title":{"rendered":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?"},"content":{"rendered":"\n<!-- Key Takeaways Section | Threatcop Brand Style -->\n\n<style>\n.threatcop-summary {\n    border: 1px solid #2f80ed;\n    background-color: #f2f7ff;\n    padding: 20px 24px;\n    border-radius: 6px;\n    margin: 30px 0;\n}\n.threatcop-summary h3 {\n    margin-top: 0;\n    color: #2f80ed;\n    font-size: 20px;\n}\n.threatcop-summary ul {\n    padding-left: 20px;\n    margin: 10px 0 0;\n}\n.threatcop-summary li {\n    margin-bottom: 8px;\n    line-height: 1.5;\n}\n<\/style>\n\n<div class=\"threatcop-summary\">\n    <h3>Key Takeaways<\/h3>\n    <ul>\n        <li>Cybersecurity behaviour change platforms focus on measurable risk reduction, not training completion.<\/li>\n        <li>Modern tools track behavioural metrics such as phishing reporting, click rates, and risk trends over time.<\/li>\n        <li>Effective platforms combine simulations, adaptive learning, and human risk scoring into one ecosystem.<\/li>\n        <li>Multi-channel simulations covering email, vishing, messaging apps, and QR attacks reflect real attacker methods.<\/li>\n        <li>Security leaders should prioritise audit-ready analytics that demonstrate ROI and behavioural improvement to boards.<\/li>\n    <\/ul>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The National Cybersecurity Authority (NCA) issues Saudi Arabia&#8217;s Key Digital Security Frameworks, such as the Essential Cybersecurity Controls (ECC), Cloud Cybersecurity Controls (CCC), Critical Systems Cybersecurity Controls (CSCC), Operational Technology Cybersecurity Controls (OTCC), Data Cybersecurity Controls (DCC), and Telework Cybersecurity Controls (TCC).<\/p><div id=\"ez-toc-container\" class=\"ez-toc-v2_0_84 ez-toc-wrap-center counter-hierarchy ez-toc-counter ez-toc-light-blue ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of Contents<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #414141;color:#414141\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #414141;color:#414141\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#The_NCA_Framework\" >The NCA Framework\u00a0<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Critical_Systems_Cybersecurity_Controls_CSCC\" >Critical Systems Cybersecurity Controls (CSCC)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Inspect_cloud_security_controls_CCC\" >Inspect cloud security controls (CCC)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#The_Knowledge_of_Operating_Technology_Cybersecurity_Controls_OTCC\" >The Knowledge of Operating Technology Cybersecurity Controls (OTCC)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Data_Cybersecurity_Controls_DCC\" >Data Cybersecurity Controls (DCC)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Telework_Cyber_Security_Controls_TCC\" >Telework Cyber Security Controls (TCC)<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#The_SAMA_Layer_for_Financial_Institutions\" >The SAMA Layer for Financial Institutions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Best_practices_in_Saudi_Arabia_for_Cybersecurity_Measures_adopted_by_Organizations\" >Best practices in Saudi Arabia for Cybersecurity Measures adopted by Organizations<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#Conclusion\" >Conclusion<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#FAQs\" >FAQs<\/a><\/li><\/ul><\/nav><\/div>\n\n\n\n\n<p class=\"wp-block-paragraph\">Saudi Arabia&#8217;s cybersecurity has grown quickly. The Kingdom has developed one of the most structured regulatory regimes in the Middle East, and the deployment of such extensive digital infrastructure in government, finance, healthcare, energy, etc., is creating a need for it. Vision 2030 and the extent of digital infrastructure being implemented across sectors, such as government, finance, healthcare, and energy, are driving the need for such a structured regulatory environment in the Kingdom. For all organizations working here, it is no longer an option not to understand the landscape.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Initiatives to protect national security are underway at the National Cybersecurity Authority, where it all begins.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In 2017, the King of Saudi Arabia issued a Royal Decree establishing the Saudi Arabian National Cybersecurity Authority (NCA) as the Kingdom&#8217;s main authority responsible for cybersecurity policy, the issuance of cybersecurity frameworks, and compliance monitoring. The NCA had been providing guidelines for years, and organizations were supposed to abide by those guidelines. Enforcement of these was not strict, and there were no clear penalties for <a href=\"https:\/\/threatcop.com\/blog\/cybersecurity-governance-risk-and-compliance-guide\/\">non-compliance<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_NCA_Framework\"><\/span><strong>The NCA Framework\u00a0<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The NCA Regulations 2024 granted the NCA formal enforcement powers. It is now authorized to carry out inspections, insist on documentation, take evidence, and impose penalties. The fines range up to SAR 25,000,000. Licenses are subject to suspension. Violation of any rules may be broadcast. Those who adopted the NCA&#8217;s guidelines as recommendations face a new calculation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But there&#8217;s also a misunderstanding to be cleared up. Many teams think the only way to be cybersecure in Saudi Arabia is to meet the ECC. It does not. The NCA is building a connected family of frameworks to address each risk environment. Part of the growing focus of inspectors is on acknowledging ECC as the whole picture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A set of security controls deemed to be fundamental to the security of the system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Imagine ECC as a base. It must be met by all levels of government, critical infrastructure operators, and all essential service providers within the Kingdom. This framework was also updated in October 2024 to ECC-2:2024, which removed 4 control points and restructured the framework from 5 domains to 4 (28 subdomains). The four pillars remain unchanged: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, and Third-Party and Cloud Security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An interesting change in the 2024 edition was the introduction of cybersecurity Saudization. The Saudi government has placed a Saudi-Australian in all cybersecurity roles. The earlier version only applied this requirement to senior positions. This is a wide scope that has grown significantly. ECC sets the floor. All else will be built upon that.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Critical_Systems_Cybersecurity_Controls_CSCC\"><\/span><strong>Critical Systems Cybersecurity Controls (CSCC)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If compromised, some systems don&#8217;t just impact a business. They impact the nations. Systems in this category include energy grids, water systems, financial market infrastructure, and defense-adjacent systems. CSCC applies to those environments and requires network segmentation, ID, and real-time monitoring on a scale beyond the ECC baseline. Organizations in this space have two obligations: they must be simultaneously ECC and CSCC.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Inspect_cloud_security_controls_CCC\"><\/span><strong>Inspect cloud security controls (CCC)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Adoption of cloud technology has been rapid in Saudi Arabia, across both the public and private sectors. CCC steps up to combat that reality. It applies to any organization that runs workloads in the cloud, whether private or hybrid, as well as to cloud service providers. It has four domains and 24 subdomains. In 2024, a revision moved the responsibility for data localization to the National Data Management Office, and CCC was updated accordingly. Where workloads run in the cloud, and organizations use only ECC, there is a compliance gap that they don&#8217;t justify.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_Knowledge_of_Operating_Technology_Cybersecurity_Controls_OTCC\"><\/span><strong>The Knowledge of Operating Technology Cybersecurity Controls (OTCC)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Security solutions for industrial systems cannot be implemented to the same degree as those in office IT. OTCC includes operational technology in the energy, manufacturing, utilities, and water industries, as well as industrial control systems and SCADA applications. The controls center on separating OT networks from corporate IT, controlling and limiting remote access to industrial systems, and keeping systems running even under attack. This framework is highly significant given the shape of the Kingdom&#8217;s energy sector.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Data_Cybersecurity_Controls_DCC\"><\/span><strong>Data Cybersecurity Controls (DCC)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">DCC is responsible for all aspects of data encryption, access control, data classification, audit processes, and data retention throughout the data lifecycle. The NCA coordinator coordinates with the NDO on localization needs. For healthcare, financial, and government services organizations, their DCC obligations add to any other frameworks that may apply in their environments.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Telework_Cyber_Security_Controls_TCC\"><\/span><strong>Telework Cyber Security Controls (TCC)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Hybrid work is no longer temporary; it&#8217;s the new normal. From VPN standards and endpoint security to secure file transfer and remote access management, TCC addresses the risks posed by employees working beyond the office perimeter. For the organizations having teams distributed across the Kingdom, this is not an option.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">&nbsp;In 2026, the scope of the expansion was changed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In January 2026, NCA&#8217;s NCNICC-1:2025 was adopted, mandating NCA coverage for all private-sector companies across the Kingdom, regardless of infrastructure type. Before this, numerous non-governmental and non-critical-sector organizations believed the frameworks were primarily for government and critical sectors. Now this no longer holds. All businesses in Saudi Arabia are now subject to minimum cybersecurity requirements.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"The_SAMA_Layer_for_Financial_Institutions\"><\/span><strong>The SAMA Layer for Financial Institutions<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are additional obligations for banks, insurance companies, and financial institutions regulated by the Saudi Arabian Monetary Authority. In many respects, the SAMA Cybersecurity Framework is prescriptive; it is not a replacement for the NCA baseline and should be adhered to in addition to it. For institutions with critical financial infrastructure, they may have to operate under ECC, CSCC, DCC, and SAMA at the same time and need to own this coordinated compliance work, not just the coordinated compliance efforts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1662\" height=\"996\" src=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Screenshot-2026-05-18-at-4.02.37-PM.png\" alt=\"cybersecurity in saudi arabia\" class=\"wp-image-14496\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Best_practices_in_Saudi_Arabia_for_Cybersecurity_Measures_adopted_by_Organizations\"><\/span><strong>Best practices in Saudi Arabia for Cybersecurity Measures adopted by Organizations<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Get Your NCA Frameworks Right.<\/strong> ECC is the baseline for every organization, but it is just the starting point. Add CCC for multi-cloud environments, OTCC for OT facilities, and TCC for hybrid workforces.<\/li>\n\n\n\n<li><strong>Do a Gap Analysis.<\/strong> Run a formal assessment owned by business units, not just IT. When NCA inspectors arrive, you need to show compliance, not just claim it.<\/li>\n\n\n\n<li><strong>Your People Are Your Biggest Risk.<\/strong> Frameworks govern technology and processes, but cannot change <a href=\"https:\/\/threatcop.com\/blog\/how-to-reduce-human-error-in-cybersecurity\/\">human behavior<\/a>. Technical controls can fix a misconfigured server. They cannot stop an employee from clicking a phishing link.<\/li>\n\n\n\n<li><strong>Close the Human Gap with Threatcop.<\/strong> Threatcop&#8217;s TSAT runs simulations of phishing, smishing, vishing, ransomware, and scams. Each employee gets a personal risk score and targeted training, with a full audit trail ready for inspectors.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/threatcop.com\/tdmarc\">TDMARC<\/a> solution enforces DMARC compliance and flags email spoofing in real time, directly supporting ECC and DCC requirements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get the frameworks right, close the gaps, and invest in your people. That is what inspection-ready cybersecurity looks like.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cybersecurity compliance in Saudi Arabia is now essential, with National Cybersecurity Authority regulations covering infrastructure, cloud, data governance, and HR. With stricter enforcement and updated regulations effective from December 2024, organizations must address both technical and human risks.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By combining TSAT and TDMARC,<a href=\"https:\/\/threatcop.com\/?utm_source=chatgpt.com\"> Threatcop<\/a> helps Middle Eastern organizations build measurable, audit-ready human-layer security and support their NCA compliance journey.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs\"><\/span>FAQs<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n<style>#sp-ea-14497 .spcollapsing { height: 0; overflow: hidden; transition-property: height;transition-duration: 300ms;}#sp-ea-14497.sp-easy-accordion>.sp-ea-single {margin-bottom: 10px; border: 1px solid #e2e2e2; }#sp-ea-14497.sp-easy-accordion>.sp-ea-single>.ea-header a {color: #444;}#sp-ea-14497.sp-easy-accordion>.sp-ea-single>.sp-collapse>.ea-body {background: #fff; color: #444;}#sp-ea-14497.sp-easy-accordion>.sp-ea-single {background: #eee;}#sp-ea-14497.sp-easy-accordion>.sp-ea-single>.ea-header a .ea-expand-icon { float: left; color: #444;font-size: 16px;}<\/style><div id=\"sp_easy_accordion-1779100769\"><div id=\"sp-ea-14497\" class=\"sp-ea-one sp-easy-accordion\" data-ea-active=\"ea-click\" data-ea-mode=\"vertical\" data-preloader=\"\" data-scroll-active-item=\"\" data-offset-to-scroll=\"0\"><div class=\"ea-card ea-expand sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-144970\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse144970\" aria-controls=\"collapse144970\" href=\"#\" aria-expanded=\"true\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-minus\"><\/i> What are the stakeholders of the NCA's cybersecurity framework in Saudi Arabia?<\/a><\/h3><div class=\"sp-collapse spcollapse collapsed show\" id=\"collapse144970\" data-parent=\"#sp-ea-14497\" role=\"region\" aria-labelledby=\"ea-header-144970\"> <div class=\"ea-body\"><p><span style=\"font-weight: 400;color: #000000\">As of now, it applies to all the organizations of the Kingdom and will be activated starting from 2026. Under the new NCNICC-1:2025 framework, all private-sector companies are required to comply with NCA, not just government organizations and critical infrastructure operators.<\/span><\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-144971\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse144971\" aria-controls=\"collapse144971\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> What differences are there between ECC and the other NCA frameworks?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse144971\" data-parent=\"#sp-ea-14497\" role=\"region\" aria-labelledby=\"ea-header-144971\"> <div class=\"ea-body\"><p><span style=\"font-weight: 400;color: #000000\">The ECC must be met as a minimum standard by all in-scope organizations. Additional layers of functionality (not intended to replace ECC) add further levels to the ECC; these include CSCC, CCC, OTCC, DCC, and TCC.<\/span><\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-144972\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse144972\" aria-controls=\"collapse144972\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> What will be the effects if a person does not adhere to the NCA regulations in Saudi Arabia?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse144972\" data-parent=\"#sp-ea-14497\" role=\"region\" aria-labelledby=\"ea-header-144972\"> <div class=\"ea-body\"><p><span style=\"font-weight: 400;color: #000000\">Fines of up to SAR 25 million, suspension and\/or revocation of the license, and publication of the violation are provided for under the NCA Regulations 2024.<\/span><\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-144973\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse144973\" aria-controls=\"collapse144973\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> What role do the courses in Cyber Security play in helping to achieve NCA compliance?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse144973\" data-parent=\"#sp-ea-14497\" role=\"region\" aria-labelledby=\"ea-header-144973\"> <div class=\"ea-body\"><p><span style=\"font-weight: 400;color: #000000\">One of the major compliance components of the NCA framework is through the people element. This is the list of key topics that NCA inspections will look for regarding human-layer security investments, and the evidence of these investments will be documented.<\/span><\/p><\/div><\/div><\/div><div class=\"ea-card sp-ea-single\"><h3 class=\"ea-header\"><a class=\"collapsed\" id=\"ea-header-144974\" role=\"button\" data-sptoggle=\"spcollapse\" data-sptarget=\"#collapse144974\" aria-controls=\"collapse144974\" href=\"#\" aria-expanded=\"false\" tabindex=\"0\"><i aria-hidden=\"true\" role=\"presentation\" class=\"ea-expand-icon eap-icon-ea-expand-plus\"><\/i> Is the SAMA Cybersecurity Framework an alternative to banks' compliance with NCA?<\/a><\/h3><div class=\"sp-collapse spcollapse \" id=\"collapse144974\" data-parent=\"#sp-ea-14497\" role=\"region\" aria-labelledby=\"ea-header-144974\"> <div class=\"ea-body\"><p><span style=\"font-weight: 400;color: #000000\">No. Both of the frameworks would have to be followed by financial institutions. In other respects, SAMA is more prescriptive, allowing for obligations to be multi-faceted, that is, obligations under SAMA and ECC, SAMA and CSCC, SAMA and DCC, etc.<\/span><\/p><\/div><\/div><\/div><\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways Cybersecurity behaviour change platforms focus on measurable risk reduction, not training completion. Modern tools track behavioural metrics such as phishing reporting, click rates, and risk trends over time. Effective platforms combine simulations, adaptive learning, and human risk scoring into one ecosystem. Multi-channel simulations covering email, vishing, messaging apps, and QR attacks reflect real [&hellip;]<\/p>\n","protected":false},"author":23,"featured_media":14500,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,47,1],"tags":[],"class_list":["post-14493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-awareness","category-miscellaneous","category-people-security-insights"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What Are the Key Government Frameworks for Digital Security in Saudi Arabia?<\/title>\n<meta name=\"description\" content=\"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?\" \/>\n<meta property=\"og:description\" content=\"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/\" \/>\n<meta property=\"og:site_name\" content=\"Threatcop\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-18T10:45:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-18T06:54:21+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1080\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Purva Puri\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatcop\" \/>\n<meta name=\"twitter:site\" content=\"@threatcop\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Purva Puri\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/\"},\"author\":{\"name\":\"Purva Puri\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/37ec6d4f17ad36fb23e04a52c48f323f\"},\"headline\":\"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?\",\"datePublished\":\"2026-05-18T10:45:54+00:00\",\"dateModified\":\"2026-06-18T06:54:21+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/\"},\"wordCount\":1291,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Blog-Banners-Threatcop-Product-Marketing-1.jpg\",\"articleSection\":[\"Cybersecurity Awareness\",\"Miscellaneous\",\"People Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/\",\"name\":\"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Blog-Banners-Threatcop-Product-Marketing-1.jpg\",\"datePublished\":\"2026-05-18T10:45:54+00:00\",\"dateModified\":\"2026-06-18T06:54:21+00:00\",\"description\":\"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#primaryimage\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Blog-Banners-Threatcop-Product-Marketing-1.jpg\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Blog-Banners-Threatcop-Product-Marketing-1.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"phishing incident response\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/saudi-arabia-government-cybersecurity-frameworks\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"name\":\"Threatcop\",\"description\":\"Cybersecurity Blogs, News, Updates, and Articles\",\"publisher\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#organization\",\"name\":\"Threatcop\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/threatcop-logo-black-1.png\",\"width\":432,\"height\":102,\"caption\":\"Threatcop\"},\"image\":{\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/people\\\/Threatcop\\\/100083109892339\\\/\",\"https:\\\/\\\/x.com\\\/threatcop\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/threatcop\\\/\",\"https:\\\/\\\/www.instagram.com\\\/threatcop_official\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/#\\\/schema\\\/person\\\/37ec6d4f17ad36fb23e04a52c48f323f\",\"name\":\"Purva Puri\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/avatar_user_23_1774006881.png\",\"url\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/avatar_user_23_1774006881.png\",\"contentUrl\":\"https:\\\/\\\/threatcop.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/avatar_user_23_1774006881.png\",\"caption\":\"Purva Puri\"},\"description\":\"Purva is a Technical Content Strategist at Threatcop with an MBA in Business Analytics, specializing in SEO-driven content and technical editing across IT and digital domains, and is the author of the book From a Daughter\u2019s Eye.\",\"sameAs\":[\"https:\\\/\\\/threatcop.com\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/purva-puri\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?","description":"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/","og_locale":"en_US","og_type":"article","og_title":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?","og_description":"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.","og_url":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/","og_site_name":"Threatcop","article_publisher":"https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","article_published_time":"2026-05-18T10:45:54+00:00","article_modified_time":"2026-06-18T06:54:21+00:00","og_image":[{"width":1920,"height":1080,"url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg","type":"image\/jpeg"}],"author":"Purva Puri","twitter_card":"summary_large_image","twitter_creator":"@threatcop","twitter_site":"@threatcop","twitter_misc":{"Written by":"Purva Puri","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#article","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/"},"author":{"name":"Purva Puri","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/37ec6d4f17ad36fb23e04a52c48f323f"},"headline":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?","datePublished":"2026-05-18T10:45:54+00:00","dateModified":"2026-06-18T06:54:21+00:00","mainEntityOfPage":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/"},"wordCount":1291,"commentCount":0,"publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"image":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg","articleSection":["Cybersecurity Awareness","Miscellaneous","People Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/","url":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/","name":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?","isPartOf":{"@id":"https:\/\/threatcop.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#primaryimage"},"image":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#primaryimage"},"thumbnailUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg","datePublished":"2026-05-18T10:45:54+00:00","dateModified":"2026-06-18T06:54:21+00:00","description":"Explore Saudi Arabia government cybersecurity frameworks, including NCA ECC, SAMA CSF, CCC, and compliance standards shaping national cyber resilience.","breadcrumb":{"@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#primaryimage","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/05\/Blog-Banners-Threatcop-Product-Marketing-1.jpg","width":1920,"height":1080,"caption":"phishing incident response"},{"@type":"BreadcrumbList","@id":"https:\/\/threatcop.com\/blog\/saudi-arabia-government-cybersecurity-frameworks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/threatcop.com\/blog\/"},{"@type":"ListItem","position":2,"name":"What Are the Key Government Frameworks for Digital Security in Saudi Arabia?"}]},{"@type":"WebSite","@id":"https:\/\/threatcop.com\/blog\/#website","url":"https:\/\/threatcop.com\/blog\/","name":"Threatcop","description":"Cybersecurity Blogs, News, Updates, and Articles","publisher":{"@id":"https:\/\/threatcop.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/threatcop.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/threatcop.com\/blog\/#organization","name":"Threatcop","url":"https:\/\/threatcop.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/06\/threatcop-logo-black-1.png","width":432,"height":102,"caption":"Threatcop"},"image":{"@id":"https:\/\/threatcop.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/people\/Threatcop\/100083109892339\/","https:\/\/x.com\/threatcop","https:\/\/www.linkedin.com\/company\/threatcop\/","https:\/\/www.instagram.com\/threatcop_official\/"]},{"@type":"Person","@id":"https:\/\/threatcop.com\/blog\/#\/schema\/person\/37ec6d4f17ad36fb23e04a52c48f323f","name":"Purva Puri","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/03\/avatar_user_23_1774006881.png","url":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/03\/avatar_user_23_1774006881.png","contentUrl":"https:\/\/threatcop.com\/blog\/wp-content\/uploads\/2026\/03\/avatar_user_23_1774006881.png","caption":"Purva Puri"},"description":"Purva is a Technical Content Strategist at Threatcop with an MBA in Business Analytics, specializing in SEO-driven content and technical editing across IT and digital domains, and is the author of the book From a Daughter\u2019s Eye.","sameAs":["https:\/\/threatcop.com\/","https:\/\/www.linkedin.com\/in\/purva-puri\/"]}]}},"_links":{"self":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/14493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/comments?post=14493"}],"version-history":[{"count":2,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/14493\/revisions"}],"predecessor-version":[{"id":14498,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/posts\/14493\/revisions\/14498"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media\/14500"}],"wp:attachment":[{"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/media?parent=14493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/categories?post=14493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threatcop.com\/blog\/wp-json\/wp\/v2\/tags?post=14493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}