NCNICC-1:2025 — National Cybersecurity Industrial Controls
The first mandatory cybersecurity framework for ALL private sector organizations in Saudi Arabia. 65 controls across two categories — no organization is exempt.
What is NCNICC?
The National Cybersecurity Industrial Controls for Critical Systems (NCNICC-1:2025) extends cybersecurity requirements beyond government to every private sector organization in Saudi Arabia. Issued by the NCA, it introduces Category A (critical) and Category B (standard) classifications with tailored control sets for each.
Who must comply?
- ALL private sector organizations in Saudi Arabia
- Category A: Organizations handling critical systems or sensitive data
- Category B: All other private sector entities
- No exemptions — compliance is mandatory for every private sector entity
The two compliance categories
Category A — Critical
Full 65 controls. Organizations operating critical systems, handling large volumes of personal data, or providing services to government entities. Higher scrutiny, more frequent assessments.
Category B — Standard
Subset of controls. All other private sector organizations. Foundational cybersecurity requirements. Annual self-assessment required.
Key control areas
How CYDER automates NCNICC compliance
Category B pre-configured
Zero-to-SOC comes with NCNICC Category B compliance pre-configured. Auto-evidence collection from day one.
Category A full mapping
Complete control mapping for Category A organizations. Dashboard shows real-time compliance status across all 65 controls.
Automated self-assessment
Generate the required annual self-assessment report automatically with evidence from platform operations.