15 March 2024

The Saudi National Cybersecurity Authority Publishes New Regime for the Regulation of Cybersecurity Service Providers

To The Point
(3 min read)

The Saudi National Cybersecurity Authority (NCA) has introduced a new framework regulating the provision of managed security operation centre (MSOC) services in the Kingdom. This development restricts the ability of organisations to provide cybersecurity services lawfully on a cross-border basis from outside the Kingdom. Instead, such organisations must be established in the Kingdom, operate from within it and process data locally. This is likely to significantly impact and reshape the way cybersecurity services are deployed in the Kingdom.

In a move indicative of its rapid development, the National Cybersecurity Authority (NCA) of Saudi Arabia has introduced a new regulatory framework to bolster the country's cybersecurity regulatory landscape. The NCA is tasked with responsibility for enhancing the nation's cyber resilience, and already administers a complex array of standards, policies, and guidelines.  
 
The latest amendments introduced by the NCA come in the form of a framework and an accompanying policy that regulate managed security operation centre (MSOC) services. The policy specifically applies to government ministries, authorities and establishments, as well as private sector organisations that own, operate or host Critical National Infrastructure (CNI), in addition to any other organisations specifically identified by the NCA. By contrast, the framework is of broader application and will apply to all entities that provide MSOC services.

MSOC services encompass the detection and monitoring of cyber threats, offering recommendations for their remediation, and implementing solutions to counteract identified cyber threats. Common examples of MSOC services include continuous threat monitoring and detection, threat analysis and investigation, and threat containment. Given the broad scope of these defined terms, they are likely to encapsulate a wide range of cyber risk detection and threat monitoring operations and services, many of which have traditionally been offered to customers in the Kingdom, in the private sector at least, on a cross-border basis. Those arrangements will no longer be permissible under the new regime.

Key features under the new regime include that:

  • all organisations that wish to provide MSOC services to customers in the Kingdom must first obtain a licence from the NCA;
  • there are two tiers of licence: Tier 1, which entitles the holder to provide MSOC services to government entities or entities which are classed as operating "National Critical Infrastructure" (as that term is defined in the associated NCA Essential Cybersecurity Controls), and Tier 2, which entitles the holder to provide MSOC services to all other entities;
  • to qualify for a Tier 1 licence, organisations must, amongst other requirements:
    • satisfy the Saudi ownership percentage stipulated by the NCA; and
    • have their regional HQ in the Kingdom (i.e., in accordance with Project Saudi HQ);
  • to qualify for a Tier 2 licence, the applicant must be a Saudi incorporated legal entity;
  • holders of Tier 1 and Tier 2 licences are required to:
    • hire a minimum number of NCA-licensed MSOC analysts (or cybersecurity professionals), each of whom, it would appear, must be a Saudi national. While not yet confirmed, we anticipate that this may apply in addition to the generally applicable Saudisation requirements;
    • provide their services from within the Kingdom;
    • ensure that their facilities and the data they process remain within the Kingdom;
    • notify the NCA of any and all changes to their ownership; and
    • integrate with the national security operation, to support more coordinated and routine data sharing among the regulated industry participants, increasing the overall resilience of the digital ecosystem in the Kingdom; and
  • holders of Tier 1 and Tier 2 licences are only entitled to sub-contract services provided certain mandatory criteria are met.

This development means that organisations previously offering cybersecurity services from overseas into the Kingdom will no longer be able to do so lawfully, a move that is likely to significantly reshape the cybersecurity sector in the Kingdom at both a strategic and operational level.

We understand that the NCA is now accepting licensing applications. Notwithstanding the grace period for implementing the Framework, it is recommended that interested parties act swiftly to review their existing operations and to take action to bring them into compliance.
