Cybersecurity in the Kingdom

This section highlights the Kingdom’s efforts to provide a safe environment for data and digital operations through a secure environment, developing, implementing and supervising the strategy of national cybersecurity. You will also understand the basic controls and policies highlighted in the Basic Cybersecurity Controls Handbook, and the national programs and initiatives including the Saudi Federation for Cybersecurity and the launch of the National Academy of Cybersecurity launched by the Ministry of Communications and Information Technology.

With the significant acceleration of digital transformation, the rates of cyber attacks and the risks of data breaches have increased, making the Kingdom keener to provide a secure environment for data and digital operations through a robust security system. Here comes the role of the National Cybersecurity Authority in developing, implementing, and supervising strategies.

National Cybersecurity Strategy


The National Cybersecurity Strategy was developed to reflect the strategic ambition of the Kingdom in a manner that is balanced between security, trust, and growth. It is created to achieve the concept of (a safe and reliable Saudi cyberspace that enables growth and prosperity)
It also includes six main concepts:

  1. Integration
  2. Regulation
  3. Assurance
  4. Defense
  5. Cooperation
  6. Construction

The national strategy aims to:

  • Integrated cybersecurity governance at a national level
  • Effective management of cyber risks at the national level
  • Protecting cyberspace
  • Strengthening national capabilities in defense against cyber threats
  • Strengthening partnerships and cooperation in Cybersecurity
  • Building national human capabilities and developing the cybersecurity industry in the Kingdom

Controls and policies

Basic Cybersecurity Controls

In order to reduce the cyber risks on the information and technology assets of the entities at the internal or external level, the authority has worked on 114 basic cybersecurity officers divided into five main components:

  • Cyber Security Governance
  • Enhancing Cybersecurity
  • Cybersecurity resilience
  • Third-party Cybersecurity and cloud computing
  • Cybersecurity for industrial control systems

Control details can be found in the Basic Cybersecurity Controls Handbook.

Sensitive systems controls

Sensitive systems controls aim to support basic cybersecurity controls. It provides the minimum cybersecurity requirements for sensitive systems based on best practices and standards to meet current security needs and raise the readiness of entities within the scope of these controls to protect their sensitive systems and prevent unauthorized access to them.

The cybersecurity controls for sensitive systems consist of:

  • 32 main controls.
  • 73 subsidiary controls.

It is divided into four main components:

  • Cyber Security Governance
  • Enhancing Cybersecurity
  • Cybersecurity resilience
  • Cybersecurity related to external parties and cloud computing

Control details can be found in the Sensitive Systems Cybersecurity Controls Handbook.

Cloud computing controls

Cloud computing controls come as an extension and complement to the basic cybersecurity controls and aim to define the cybersecurity requirements for cloud computing from service providers' and subscribers' perspectives to raise security and reduce cyber risks on all services and subscribers.

Cloud computing controls consist of:

  • 37 main controls
  • 96 subsidiary controls for service providers.
  • 18 main controls and 26 subsidiary controls for subscribers.

It is divided into four main components:

  • Cyber Security Governance
  • Enhancing Cybersecurity
  • Cybersecurity resilience
  • Cybersecurity related to external parties

You can see details of controls in the Cloud Computing Controls Guide.

Cybersecurity controls to work remotely

According to the various preventive precautions taken by the Kingdom's government to confront Coronavirus, national authorities' reliance is increasing regarding means of information and communication technology through cyberspace. This procedure enabled workers and employees to perform their work remotely without the need to come to the workplace, so a list of cybersecurity controls for remote work has been launched:

  • Cybersecurity awareness
  • Managing Entry Identities and Authorities
  • Protection of systems and information processing equipment
  • Network security management
  • Encryption
  • Monitoring Cybersecurity and managing incidents

You can view the details of the controls through the Cybersecurity Controls Handbook for Remote Work.

Cybersecurity Legislation

Anti-Cyber Crime Law

The Anti-Cyber Crime Law aims at preventing cybercrimes by identifying such crimes and defining their punishments. The objective is to ensure information security, protection of public interest, morals, protection of rights of the legitimate use of computers and information networks, and protection of the national economy.

National programs and initiatives

The indicative Center for Cybersecurity

In order to raise awareness of Cybersecurity and avoid cyber risks and reduce their effects, the National Cyber Security Guidance Center has been launched to work on issuing alerts about the latest and most serious gaps, and it also works on launching awareness campaigns and programs and cooperates with other guidance centers.

Saudi Federation for CyberSecurity

For the sake of local professional capabilities in Cybersecurity, software development, and drones, the Saudi Federation for Cybersecurity was launched under the Saudi Olympic Committee's umbrella. To provide activities and programs that contribute to increasing community awareness of Cybersecurity, programming, drones, and support and encourage young people to become professionals in this field.

National Academy of Cybersecurity

An initiative launched by the Ministry of Communications and Information Technology in cooperation with the Human Resources Development Fund (Hadaf) to raise the level of national digital capabilities in various fields of modern technology to keep pace with digital transformation requirements. It includes several paths:

  • Analyzing artificial intelligence data
  • Cloud Computing
  • Web and application development
  • Games design and development
  • Executive Programs

Hasseen Initiative

The Hasseen initiative was launched to enhance Cybersecurity at the national level, and it is concerned with protecting emails from spoofing and unauthorized use. It works to empower entities to:

  • Knowing the level of implementation of the Hasseen initiative for the entity
  • Create domain name records
  • Survey of domain name registries
  • Raising awareness among national authorities of the importance of activating domain name documentation and methods of implementing it.

Cybersecurity Regulation

Related Links