Saudi Arabia's regulatory landscape for cybersecurity and data protection has matured quickly. For the majority of organisations, three frameworks matter most: the NCA Essential Cybersecurity Controls (ECC), the SAMA Cyber Security Framework, and the Personal Data Protection Law (PDPL).
NCA Essential Cybersecurity Controls (ECC)
The ECC is the National Cybersecurity Authority's baseline set of controls for protecting an organisation's information and technology assets, spanning governance, defence, resilience and third-party risk. The practical starting point is a gap assessment against the ECC domains, then prioritising the gaps that carry the most risk.
SAMA Cyber Security Framework
Entities regulated by the Saudi Central Bank (SAMA) must align to the SAMA Cyber Security Framework, which sets expectations for cyber governance, risk management and resilience appropriate to the sensitivity of financial data. It overlaps substantially with the ECC, so a single well-designed control programme can address both.
Personal Data Protection Law (PDPL)
The PDPL governs how personal data is collected, processed, stored and shared in the Kingdom. Compliance is as much about process and accountability — knowing what personal data you hold, why, and on what basis — as it is about technical controls.
A practical, risk-led approach
Trying to satisfy every requirement at once is the most common way programmes stall. A risk-led sequence works better:
- Assess — map your current controls and data flows against the relevant framework.
- Prioritise — rank gaps by risk, not by checklist order.
- Remediate — close the highest-risk gaps first.
- Monitor — put detection and reporting in place so you can demonstrate ongoing compliance.
Key takeaways
- ECC, SAMA and PDPL overlap — one control programme can satisfy several requirements.
- Start with a gap assessment and a prioritised roadmap.
- Accountability and process matter as much as technology.
Our cybersecurity services follow exactly this sequence — assessment, prioritised roadmap, implementation and ongoing support.