Jul 16, 2025

Khalifa Al Shehhi
Introduction
As Saudi Arabia accelerates its transformation under Vision 2030, digitalization has become a cornerstone of national development. With the rapid adoption of emerging technologies such as cloud computing, AI, IoT, and Industry 4.0 systems, the threat landscape has evolved significantly, placing unprecedented pressure on the cybersecurity readiness of critical national infrastructures.
To address these growing risks, the National Cybersecurity Authority (NCA) of the Kingdom of Saudi Arabia was established as the central authority for developing and enforcing cybersecurity regulations. In 2018, the NCA introduced the Essential Cybersecurity Controls (ECC–1:2018) to establish a baseline security standard for organizations. However, due to the unique nature and heightened risk profile of national critical systems, a more advanced and focused framework was needed.
This led to the creation of the Critical Systems Cybersecurity Controls (CSCC–1:2019), a specialized set of cybersecurity controls designed to protect vital systems whose compromise could result in severe economic, security, or societal consequences at the national level.
Organizations identified as operating or owning critical systems are legally required to comply with the CSCC, making it a national mandate backed by royal decrees and subject to audit and enforcement by the NCA.
What Are Critical Systems?
In the context of national security and public service continuity, not all systems are created equal. Some systems, by their nature, carry a strategic importance whose compromise could ripple through government operations, economic stability, and even public safety. The NCA defines these as Critical Systems.
Definition of Critical Systems
According to the CSCC, a critical system is:
"Any system or network whose failure, unauthorized change to its operation, unauthorized access to it, or the data stored or processed by it, may result in negative impact on the organization's business and service availability, or cause economic, financial, security, or social impacts at the national level."
Identification Criteria
Organizations are required to classify their systems as "critical" if any of the following conditions apply:
| # | Criteria |
|---|---|
| 1 | Negative impact on national security |
| 2 | Negative impact on the Kingdom's reputation or public image |
| 3 | Potential for significant financial losses (> 0.01% of GDP) |
| 4 | Disruption to services for a large population (> 5% of the population) |
| 5 | Potential loss of lives |
| 6 | Unauthorized disclosure of Top Secret or Secret data |
| 7 | Impact on the operations of one or more vital sectors |
Organizations must perform a self-assessment against these criteria to determine which of their systems are considered "critical" and therefore subject to the CSCC.
Components of Critical Systems
The CSCC emphasizes that critical systems are more than just software applications or databases. Their scope includes technical and human elements:
| Component Type | Examples |
|---|---|
| Network Devices | Routers, switches, gateways, firewalls, IDS/IPS, APT protection |
| Data Infrastructure | Databases, storage assets, middleware, encryption devices |
| Host and Application Systems | Servers, operating systems, and applications |
| End-User Assets | Critical peripherals such as printers, scanners |
| People | Users with sensitive access, technical staff, operators, and service providers |
| Documentation | Supporting documents related to critical system components |
By considering this holistic view, organizations are encouraged to assess not just infrastructure but also privileged roles and supporting workflows that contribute to the critical system environment.
Scope and Applicability
The Critical Systems Cybersecurity Controls (CSCC) are not advisory — they are mandatory controls applicable to any organization that owns or operates systems deemed “critical” by the criteria outlined in the previous section.
These controls serve as a national standard for cybersecurity in critical sectors and are applicable regardless of the organization’s type or geography.
Who Must Comply?
The CSCC applies to a broad range of organizations:
Government entities inside and outside KSA (e.g., ministries, authorities, embassies)
Private companies and their subsidiaries (especially those in regulated or high-risk sectors)
Operators of national infrastructure and digital services
In the CSCC, all these entities are collectively referred to as “Organizations.”
Examples of Applicability
| Scenario | Compliance Required? |
|---|---|
| A government ministry operating a national identity database | Yes |
| A private telco managing nationwide 5G network infrastructure | Yes |
| A hospital with life-critical IoT and electronic patient systems | Yes |
| A logistics company managing warehouse inventory software | Only if the criteria are met |
| An embassy with diplomatic systems connected to Saudi servers | Yes |
CSCC Statement of Applicability
Each organization is responsible for:
Assessing their systems against the CSCC criteria.
Applying controls based on the risk and impact.
Justifying applicability for specific controls (e.g., cloud hosting, remote access).
For example:
Subdomain 4-2 (Cloud Computing and Hosting Cybersecurity) is only applicable if the organization uses or plans to use cloud services.
CSCC vs. ECC Applicability
| Criteria | ECC – 1:2018 | CSCC – 1:2019 |
|---|---|---|
| General cybersecurity requirements | All organizations | All organizations |
| Critical system focus | Not explicitly scoped | Explicitly scoped for national-level criticality |
| Mandatory for compliance | Yes (baseline) | Yes (for critical systems) |
| Extension required? | N/A | Must be built upon existing ECC compliance |
In short, compliance with ECC is a prerequisite for CSCC. The CSCC builds upon the ECC, introducing stricter, more frequent, and targeted controls for critical systems.
The Four CSCC Domains
| Domain No. | Name | Primary Focus |
|---|---|---|
| 1 | Cybersecurity Governance | Strategy, risk management, HR, policies, project controls |
| 2 | Cybersecurity Defense | Asset security, access, patching, encryption, and monitoring |
| 3 | Cybersecurity Resilience | Disaster recovery, business continuity |
| 4 | Third-Party and Cloud Cybersecurity | Outsourcing, vendor risk, and cloud hosting policies |
Relationship with ECC
CSCC uses ECC as its foundation.
Some subdomains are new, while others are enhanced versions of ECC controls.
Appendix A in the document maps out which ECC subdomains are extended by CSCC.
Breakdown of CSCC Domains and Key Controls
5.1 Cybersecurity Governance
This domain focuses on strategic alignment, risk management, IT governance, auditing, and human resource policies to ensure critical systems are operated under rigorous and well-defined cybersecurity oversight.
Key Subdomains and Controls
| Subdomain | Control Highlights |
|---|---|
| 1-1 Cybersecurity Strategy | Strategy must explicitly prioritize critical systems; align plans and projects with regulations |
| 1-2 Cybersecurity Risk Management | Conduct annual risk assessments on critical systems; maintain and review a risk register monthly |
| 1-3 IT Project Management | Apply cybersecurity controls in asset changes and project plans; conduct stress tests; secure APIs and source code, and ensure secure migration to production |
| 1-4 Cybersecurity Review & Audit | Internal review annually; independent audit (by a team outside the cybersecurity function) every 3 years |
| 1-5 Cybersecurity in HR | Vetting of all personnel working on critical systems; preferential use of experienced Saudi nationals in technical roles |
Objective Summary
The governance domain ensures:
Cybersecurity is embedded in the strategic vision
Projects, HR, and IT changes support cybersecurity-by-design
Organizations have a repeatable process for assessing risks and maintaining compliance
Accountability through internal and independent audits
5.2 Cybersecurity Defense
This is the most extensive domain in the CSCC. It addresses the technical, procedural, and operational controls necessary to prevent, detect, and respond to cyber threats targeting critical systems.
Key Subdomains and Controls
| Subdomain | Control Highlights |
|---|---|
| 2-1 Asset Management | Maintain an annual inventory of critical assets; assign owners responsible for lifecycle management |
| 2-2 Identity & Access Management | Prohibit remote access from outside KSA; enforce MFA for all users; no direct database access for users |
| 2-3 Information System Protection | Allowlisting, endpoint protection, monthly patching, and secure configurations |
| 2-4 Network Security | Segregation, firewall reviews, no internet connectivity unless justified, and DDoS/APT protections |
| 2-5 Mobile Device Security | No access to critical systems from mobile devices unless pre-approved; enforce full-disk encryption |
| 2-6 Data Protection | Use masking, scrambling, and DLP tools; prohibit use of critical data in non-production environments |
| 2-7 Cryptography | Encrypt data in transit and at rest; use NCA-approved algorithms |
| 2-8 Backup & Recovery | Daily backups recommended; secure backup transfer and access; perform DR tests every 3 months |
| 2-9 Vulnerability Management | Scan at least monthly; patch monthly or quarterly depending on exposure |
| 2-10 Penetration Testing | Internal and external systems are tested every 6 months; qualified teams must perform the tests |
| 2-11 Event Logging & Monitoring | 24/7 monitoring of alerts; behavior analysis, file integrity monitoring, and 18-month log retention |
| 2-12 Web Application Security | Apply OWASP Top 10 protections, secure session handling, and a 3-tier architecture |
| 2-13 Application Security | Internal apps must use HTTPS, secure session management, and documented security requirements |
Defense Domain Summary
This domain enforces zero-trust principles, resilience by design, and proactive defense through:
Restricted access and network segregation
Strict asset and configuration controls
Enforced cryptographic standards
Continuous monitoring, logging, and testing
Together, these controls form the technical backbone of CSCC’s cybersecurity defense strategy.
5.3 Cybersecurity Resilience
This domain ensures that organizations can withstand, recover from, and minimize disruption caused by cyber incidents that target critical systems. It emphasizes embedding cyber resilience into business continuity management (BCM).
Key Subdomain and Controls
| Subdomain | Control Highlights |
|---|---|
| 3-1 Cybersecurity Resilience Aspects of BCM | Integrate critical systems into DR plans; establish Disaster Recovery (DR) Centers; test recovery plans annually |
Resilience Domain Summary
The focus here is on operational continuity, not just technical protection. By integrating DR planning into cybersecurity, CSCC ensures:
Preparedness for worst-case scenarios
Regular validation of recovery processes
Alignment between IT and business continuity plans
Rapid response to minimize national-level service disruptions
In essence, this domain connects cybersecurity with crisis management, ensuring that critical infrastructure remains operational, even under attack.
5.4 Third-Party and Cloud Cybersecurity
This domain addresses one of the most critical attack surfaces today: the supply chain. It ensures that stringent cybersecurity requirements and localization mandates govern outsourcing, managed services, and cloud hosting of critical systems.
Key Subdomains and Controls
| Subdomain | Control Highlights |
|---|---|
| 4-1 Third-Party Cybersecurity | Vet vendors and service providers; mandate use of Saudi companies for critical systems support |
| 4-2 Cloud Computing Security | Hosting must be done within KSA or by government-approved Saudi cloud providers; must follow NCA's Cloud Cybersecurity Controls (CCC) |
Third-Party & Cloud Domain Summary
This domain reflects a national security priority — to prevent foreign or untrusted entities from having privileged access to Saudi Arabia’s critical infrastructure. It ensures:
Vendor cybersecurity hygiene
Data sovereignty and localization
Alignment with NCA’s CCC framework for cloud deployments
Reduced supply chain risk exposure
This is especially important, as cyberattacks increasingly target third parties to infiltrate core systems, making vendor due diligence and cloud governance essential pillars of national defense.
Key Differences from ECC
While the Essential Cybersecurity Controls (ECC–1:2018) laid the groundwork for general organizational cybersecurity, the Critical Systems Cybersecurity Controls (CSCC–1:2019) represent a specialized extension focused exclusively on national-level critical systems.
ECC vs. CSCC: What is the Difference?
| Aspect | ECC – 1:2018 | CSCC – 1:2019 |
|---|---|---|
| Purpose | Baseline controls for general cybersecurity | Specialized controls for protecting critical systems |
| Applicability | All government and private sector organizations | Only organizations with national-impacting systems |
| Depth of Control | Standard-level | Advanced controls with more frequency and granularity |
| Scope | Broad organizational cybersecurity posture | Focused on IT/OT components, data, networks, and people |
| Legal Weight | Mandatory by Royal Decree | Mandatory by additional Royal Decrees and Articles |
| Compliance Requirement | Compliance with ECC is a prerequisite to CSCC | Cannot comply with CSCC unless ECC is fully implemented |
| Third Party & Cloud | Broad outsourcing controls | Requires local (Saudi) providers, compliance with CCC |
New or Enhanced Elements in CSCC
More Frequent Requirements
e.g., Monthly risk register reviews, Quarterly DR testing, 6-monthly pen tests
Stricter Access & Hosting Policies
No remote access from outside KSA
Cloud must be Saudi-hosted and CCC-compliant
Greater Operational Integration
CSCC requires cybersecurity integration in project management, HR, and business continuity
Vendor Nationality Mandates
Outsourced support for critical systems must come from Saudi-based companies only.
Physical & Logical Segmentation
Mandates network isolation, allowlisting, and secure APIs.
Strategic Significance
While ECC focuses on minimum baseline compliance, CSCC emphasizes national resilience. The latter introduces defense-grade protections and systematic reviews, aligning KSA's critical infrastructure with global best practices (e.g., NIST 800-53 High, ISO 27001+ operational hardening).
Compliance and Enforcement
The Critical Systems Cybersecurity Controls (CSCC) are not optional. They are legally mandated by multiple Royal Decrees and must be implemented by all organizations operating critical systems in Saudi Arabia.
Legal Backing
CSCC enforcement is grounded in the following:
Royal Decree No. 57231 (10/11/1439H): Requires all government organizations to enhance their cybersecurity and comply with the NCA's controls.
Royal Decree No. 7732 (12/2/1440H): Reinforces that cybersecurity responsibility remains with each organization, despite NCA oversight.
NCA Mandate – Article 10, Item 3: Empowers NCA to enforce, monitor, and assess compliance for critical systems.
Implementation Requirements
Organizations must follow this 3-phase compliance cycle:
| Phase | Requirement |
|---|---|
| 1. Identification | Identify all critical systems using CSCC's defined criteria |
| 2. Implementation | Apply all applicable controls, conduct risk assessments, and mitigate any compliance gaps |
| 3. Continuous Monitoring | Ensure ongoing compliance, track control effectiveness, and maintain evidence |
Methods of Compliance Assessment
The NCA may evaluate compliance via:
Self-Assessments: Internal assessments are submitted to NCA regularly
On-site Audits: Direct inspections by NCA or appointed third parties
Evidence-based Reviews: Examination of risk registers, DR plans, logs, audit trails, etc.
Control Validation: Penetration testing, vulnerability scans, and technical configuration reviews
Failure to Comply: Risks
| Risk Area | Impact |
|---|---|
| Legal Sanctions | Government penalties or revocation of operational licenses for non-compliance |
| Operational Disruption | Audit failures may lead to shutdowns of critical systems until the necessary controls are implemented |
| National Security Risk | Exposure of Top Secret or critical infrastructure data could result in significant reputational harm |
| Supply Chain Impact | Vendors and partners may lose eligibility for national projects if CSCC is not observed |
NCA’s Role
Beyond enforcing compliance, NCA also:
Publishes updates to CSCC periodically
Provides guidance and clarification during implementation
Coordinates with ministries and regulators for cross-sector enforcement
Strategic Implications for Organizations
The CSCC is more than just a checklist; it is a strategic mandate that organizations must embed into their governance models, technical architecture, and vendor ecosystems to remain resilient and compliant.
Why CSCC Matters for Business and IT Leaders
| Stakeholder | What CSCC Demands |
|---|---|
| CISOs / CIOs | Prioritize risk-driven security investments, enforce controls across IT/OT and cloud environments |
| Risk Officers | Maintain updated risk registers, DR plans, and regular audit-ready documentation |
| IT Project Managers | Apply security at every stage: planning, development, deployment, and decommissioning |
| HR & Procurement | Vet staff and vendors, enforce localization rules, and track role-based access |
| Legal / Compliance | Understand jurisdictional mandates, audit readiness, and third-party contractual obligations |
Benefits of CSCC Compliance
Reduced Risk Exposure: Early detection and mitigation of technical and operational vulnerabilities
Audit Readiness: Structured logs, test results, and reviews for NCA audits
National Project Eligibility: Compliance boosts eligibility for sensitive government tenders
Improved Trust: Demonstrates accountability to regulators, clients, and the public
Operational Resilience: Stronger ability to recover from ransomware, DDoS, and supply chain attacks
How to Operationalize CSCC
To effectively adopt CSCC, organizations should:
Map CSCC to Internal Assets
→ Build a control matrix and assign owners for each control set.
Establish Governance Committees
→ Align cybersecurity, risk, compliance, and IT under a unified framework.
Use Security Automation Platforms
→ Leverage tools for access management, monitoring, vulnerability scanning, and documentation.
Train Internal Staff
→ Conduct awareness programs for engineering, ops, development, and vendor management teams.
Run Internal Audits and Red Teaming
→ Validate implementation quality beyond policy checkboxes.
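As an added example (not code from the article or from the NCA), the script below turns two of the steps above into something a team can run: it applies the seven identification criteria from the "Identification Criteria" section to decide which systems are in CSCC scope, and it builds a small control matrix with named owners and checks each periodic control's last evidence against the review cadence the article lists (monthly risk register review, quarterly DR tests, 6-monthly penetration tests, and so on). The thresholds and cadences come from the article; the data model, function names, owner labels and sample dates are assumptions constructed for this example.

```python
"""CSCC self-assessment helper (added example; data model and samples are assumptions)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Identification criteria thresholds, expressed as fractions
GDP_LOSS_THRESHOLD = 0.0001      # "> 0.01% of GDP"
POPULATION_THRESHOLD = 0.05      # "> 5% of the population"


@dataclass
class SystemProfile:
    """Self-assessment inputs for one system (assumed field names)."""
    name: str
    national_security_impact: bool = False
    reputation_impact: bool = False
    potential_loss_fraction_of_gdp: float = 0.0
    affected_population_fraction: float = 0.0
    potential_loss_of_life: bool = False
    handles_secret_data: bool = False
    vital_sector_impact: bool = False


def criteria_met(s: SystemProfile) -> list:
    """Return the labels of the identification criteria (1-7) the system triggers."""
    checks = [
        ("1 national security", s.national_security_impact),
        ("2 reputation or public image", s.reputation_impact),
        ("3 financial loss > 0.01% GDP", s.potential_loss_fraction_of_gdp > GDP_LOSS_THRESHOLD),
        ("4 disruption > 5% of population", s.affected_population_fraction > POPULATION_THRESHOLD),
        ("5 potential loss of lives", s.potential_loss_of_life),
        ("6 Top Secret/Secret data", s.handles_secret_data),
        ("7 vital sector operations", s.vital_sector_impact),
    ]
    return [label for label, hit in checks if hit]


def is_critical(s: SystemProfile) -> bool:
    """Any single criterion is enough to put a system in CSCC scope."""
    return bool(criteria_met(s))


# Maximum days between repetitions of the periodic controls named in the article.
CADENCE_DAYS = {
    "1-2 risk register review": 30,      # monthly
    "1-4 internal review": 365,          # annually
    "1-4 independent audit": 3 * 365,    # every 3 years
    "2-3 patching": 30,                  # monthly
    "2-8 DR test": 90,                   # every 3 months
    "2-9 vulnerability scan": 30,        # at least monthly
    "2-10 penetration test": 182,        # every 6 months
    "3-1 recovery plan test": 365,       # annually
}


@dataclass
class ControlRecord:
    """One row of the control matrix: the control, its owner and the latest evidence."""
    control: str                         # key into CADENCE_DAYS
    owner: str                           # accountable owner the matrix assigns
    last_performed: Optional[date]       # None means no evidence on file
    evidence: str = ""                   # artefact an auditor would ask for


def assess_control(rec: ControlRecord, today: date) -> tuple:
    """Return (status, days_overdue); status is 'compliant', 'overdue' or 'no-evidence'."""
    if rec.control not in CADENCE_DAYS:
        raise ValueError(f"unknown control {rec.control!r}")
    if rec.last_performed is None:
        return "no-evidence", 0
    age_days = (today - rec.last_performed).days
    overdue = age_days - CADENCE_DAYS[rec.control]
    return ("overdue", overdue) if overdue > 0 else ("compliant", 0)


def assess_matrix(system: SystemProfile, records: list, today: date) -> dict:
    """Assess a system's control matrix; systems outside CSCC scope get no findings."""
    if not is_critical(system):
        return {"system": system.name, "in_scope": False, "findings": []}
    findings = []
    for rec in records:
        status, days = assess_control(rec, today)
        if status != "compliant":
            findings.append((rec.control, rec.owner, status, days))
    return {"system": system.name, "in_scope": True, "findings": findings}


# Constructed sample data: hypothetical systems, owners and dates, not records of any organisation.
TODAY = date(2025, 7, 16)
HOSPITAL = SystemProfile("patient monitoring platform", potential_loss_of_life=True)
WAREHOUSE = SystemProfile("warehouse inventory", potential_loss_fraction_of_gdp=0.000001)
HOSPITAL_RECORDS = [
    ControlRecord("1-2 risk register review", "risk.officer", date(2025, 7, 1), "RR-2025-07"),
    ControlRecord("2-10 penetration test", "appsec.lead", date(2025, 1, 10), "PT-2025-01 report"),
    ControlRecord("2-8 DR test", "infra.lead", None),
]

if __name__ == "__main__":
    for system in (HOSPITAL, WAREHOUSE):
        print(system.name, "-> criteria met:", criteria_met(system) or "none (out of scope)")
    result = assess_matrix(HOSPITAL, HOSPITAL_RECORDS, TODAY)
    for control, owner, status, days in result["findings"]:
        print(f"{control}: {status} (owner {owner}, {days} days overdue)")
```

Run as a script it reports the warehouse system as out of scope, and for the hospital system flags the penetration test as 5 days past its 6-month cadence and the DR test as having no evidence at all; the "no-evidence" state is kept separate from "overdue" because an auditor treats a missing artefact differently from a late one.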
Global Alignment
While designed for the Kingdom of Saudi Arabia, the CSCC echoes international standards such as:
| Global Standard | CSCC Parallel |
|---|---|
| NIST SP 800-53 (High) | System hardening, logging, privileged access, and backup testing |
| ISO/IEC 27001 | Governance, risk treatment, and control validation |
| SANS Top 20 / CIS | Technical control depth, especially for asset protection and vulnerability management |
What This Means for Cyber Leaders
As Saudi Arabia advances with its Vision 2030 agenda, cybersecurity is no longer a technical function; it has become a national imperative. The Critical Systems Cybersecurity Controls (CSCC–1:2019), issued by the National Cybersecurity Authority (NCA), represent a bold and necessary leap toward protecting the Kingdom's most vital systems from a rapidly evolving threat landscape.
Designed to complement the Essential Cybersecurity Controls (ECC), the CSCC introduces advanced, risk-based controls tailored for environments where failure or compromise is not an option. Whether it is power grids, telecom infrastructure, government databases, or financial platforms, these controls demand a higher standard of preparedness, governance, and resilience.
Organizations entrusted with operating critical systems must see CSCC compliance not as a burden, but as a strategic opportunity, one that ensures continuity, builds trust, and opens doors to national-level collaborations and projects.
As the NCA continues to refine and enforce these controls, the organizations that embrace CSCC today will be better positioned to thrive in a secure, sovereign digital future.