Cybersecurity is now a global priority, crucial for safeguarding technologies, practices, and devices. Governments worldwide, including in the Middle East, have enacted regulations to enhance cybersecurity. In Saudi Arabia, the National Cybersecurity Authority (NCA) leads these efforts, issuing guidelines and frameworks. Historically, the NCA lacked clear authority to take action in respect of non-compliance. The December 2024 National Cybersecurity Authority Regulations have addressed this gap. In this article we provide an overview of key developments.
National Cybersecurity Authority Regulations 2024
The Regulations establish a regulatory framework that encompasses all NCA-issued frameworks, controls, policies, governance mechanisms, standards, and more (collectively referred to as "Standards"). Non-compliance with these Standards, where applicable, can now result in substantial fines and/or the revocation of licences.
Key Provisions of the Regulations
The Regulations, effective upon publication in Umm al Qura (the Official Gazette), mark a significant step for the NCA, granting it the authority to enforce compliance with its Standards and superseding any conflicting regulations. The Regulations cover violations, compliance requirements, consequences of violations, inspection and investigation procedures, and reporting protections, as summarised below.
Violations and Compliance Requirements
The Regulations specify several violations related to cybersecurity activities. Most notably, these include practising activities regulated by the NCA without obtaining a licence from the NCA, making available cybersecurity-related devices, programs or tools without the necessary licences or permits (and, potentially, even using the same), and general non-compliance with the Standards. Other violations include:
The scope of these violations is extensive, requiring adherence to a wide array of requirements, which can be challenging to navigate. Sufficient awareness of the Standards, and commensurate compliance, is imperative for entities subject to the NCA’s requirements and, particularly, for those operating in the cybersecurity space.
Inspection and Investigation Procedures
To ensure adherence to the Standards, the NCA Governor will appoint inspectors to monitor and inspect cybersecurity activities, including sites, systems, and documents. These inspectors can seize items, make copies, and collect evidence. As such, it is imperative to retain comprehensive records of cybersecurity activities with clear audit trails. Detected violations are referred to a specialized committee for further action, including potential legal proceedings. Inspectors can refer suspected cybersecurity crimes to appropriate authorities, summon individuals for investigation, and retain seized items until a final decision is made.
Penalties and Disciplinary Actions
In the event of a violation, the NCA will form a committee to determine the appropriate penalty based on the nature, recurrence, severity, and circumstances of the violation. Penalties may include warnings, temporary or permanent licence suspension, service suspension, or fines up to SAR 25,000,000 (approx. 6,660,000 USD). The committee can also publish the decision at the violator's expense, impacting their reputation. Violators must remedy the violation and deposit any gains into the state treasury.
Decisions can be appealed to the Administrative Court within 60 days of notice or if the NCA fails to meet the decision-making time frames outlined in the Regulations.
What’s next?
This legislative framework underscores Saudi Arabia's commitment to enhancing its cybersecurity resilience, ensuring the protection of its critical infrastructure and data in an increasingly digital world. Entities subject to NCA requirements need to familiarise themselves with the Standards and, where applicable, ensure compliance.
The NCA is mandated to submit a comprehensive report on the implementation of the Regulations after a four-year period, detailing observations and proposing any necessary amendments.
For further information on Saudi Arabia’s cybersecurity regulatory regime and how it may affect your business, please get in touch with Simon Shooter or Nikita Manro.