The National Cybersecurity Authority (NCA) is the national entity in charge of cybersecurity in the Kingdom of Saudi Arabia and serves as the national authority and reference on its affairs, as per its Statute approved by virtue of Royal Order No. 6801, dated 31/10/2017. NCA aims to improve the cybersecurity posture of the Kingdom in order to safeguard its vital interests, national security, critical infrastructures, high-priority sectors, and government services and activities. NCA's mandate includes, but is not limited to, setting cybersecurity policies, governance rules, frameworks, rules, standards, and directives; communicating the same to relevant agencies; monitoring compliance therewith; and updating them. In addition, NCA's mandate includes licensing individuals and non-government agencies to engage in cybersecurity activities and operations specified by NCA, as well as stimulating the growth of the cybersecurity sector in the Kingdom and encouraging innovation and investment therein.
In its endeavor to ensure the provision of cybersecurity services, products, and solutions with the highest efficiency, effectiveness, and reliability in the Kingdom, in order to contribute to enhancing national cybersecurity and improving the services provided to national entities, and due to the importance of regulating the cybersecurity market in the Kingdom to create a stimulating environment that enhances the growth of the cybersecurity sector, NCA has issued this Framework to regulate the licensing process for providing cybersecurity services, products, and solutions in the Kingdom, outlining responsibilities and obligations of the licensee when providing any type of service, in addition to limiting the provision of such services only to qualified entities.
The terms used in this Framework shall have the same meanings as stated in the table below, unless the context requires otherwise:
This Framework aims to regulate the provision of cybersecurity services and products in the Kingdom through a regulatory framework that defines the responsibilities and obligations of the licensee, contributing to promoting the efficiency and quality of such services, products, and solutions during their delivery to various entities. The objectives that this Framework is seeking to realize are:
This Framework applies to any entity that provides or intends to provide cybersecurity-related services, products, or solutions to entities across the Kingdom. This includes direct contracting with such entities, as well as indirect engagement through collaboration with a licensed entity. This excludes the licensing for Managed Security Operations Center (MSOC) services, as licensing such service is regulated by the Regulatory Framework for Licensing Managed Security Operations Center (MSOC) Services.
Based on the classification of cybersecurity services and products in the Kingdom, license domains have been divided into (5) main domains, comprising (25) subdomains, covering various services, products, and solutions. Figure (1) illustrates main domains and subdomains for classifying cybersecurity services, products, and solutions in the Kingdom. Appendix (1) includes a list of all cybersecurity services, products, and solutions according to NCA classification.
**Please look at the attached for the figures**
Based on licensing domains under Section (5), specifically the 25 subdomains, NCA will issue 4 license types, which are based on 2 categories and 2 tiers, as specified below:
7.1 NCA Mandates & Operations as the National Authority in Charge of Cybersecurity in the Kingdom
To fulfill its mandates as per its Statute issued under Royal Order No. 6801, dated 31/10/2017, aimed at fostering the cybersecurity posture of the Kingdom in order to safeguard its vital interests and national security, NCA provides a number of critical cybersecurity services centrally and directly to national entities (especially government and private sector entities that own, operate, or host national critical infrastructure). Such services include conducting assessments of compliance with controls, standards, frameworks, and other regulatory requirements issued by NCA, cybersecurity risk assessments, cybersecurity technical assessments, as well as responding to cybersecurity incidents, among others. Figure (4) illustrates how such services are provided through HASEEN, where NCA executes its mandates through service requests assigned to the HASEEN operator, who in turn carries out such mandates in coordination with national entities (public, private, and others).
7.2 Mechanism for Providing Services, Products and Solutions under Specialized License Category, excluding Cybersecurity Incident Response & Investigation Services
To fulfill their cybersecurity responsibilities, national entities have to take measures to enhance cybersecurity readiness at both the entity and internal operational process levels, ensuring full and continuous compliance with NCA cybersecurity policies, governance mechanisms, frameworks, standards, controls, and guidelines. This includes, for example, conducting preparatory and indicative assessments prior to NCA official assessment via HASEEN, or assessments conducted before launch of e-services, including compliance assessments, technical assessments, or cybersecurity risk assessments, among others. If needed, national entities (public, private, and others) can contract with a licensee under Specialized License Category as per the associated Tier to deliver such services. The licensee shall provide NCA with all documents, information, and data related to services provided, as well as deliverables and results of executing the services, through HASEEN according to the approved forms. All licensees must inform HASEEN of all activities carried out before, during, and after provision of the service. Figure (5) illustrates how these services are rendered.
In case any national entity (public, private, or other) suspects or detects a cybersecurity incident, it must report such incident immediately via HASEEN or NCA official channels such as the number (936). The cybersecurity incident will be classified and prioritized (Triage Process) through HASEEN, followed by directions to complete the necessary procedures as follows:
A. If the cybersecurity incident is classified under Level I, II, or III, HASEEN will promptly respond to the entity's cybersecurity incident.
B. If the cybersecurity incident is classified under Level IV or V, the MSOC licensee will provide the necessary support to handle the incident according to license requirements, and the national entity may seek any licensee to provide incident response services when needed, who in turn shall deliver the services. In such case, the licensee shall enter into an agreement with the HASEEN operator and proceed as per HASEEN methodology. The licensee shall also provide NCA with all related documents, information, and data, as well as the outputs of HASEEN services as per the applicable forms. All licensees must inform HASEEN of all activities carried out before, during, and after provision of the service. NCA reserves, at its discretion, the right to respond directly to a Level IV or V cybersecurity incident as appropriate.
8.2.1 General Obligations
The licensee shall always adhere to the provisions in this Framework and the decisions, regulations, frameworks, controls, instructions, directions, circulars and the like issued by NCA. The licensee is obliged to:
8.2.1.1 Adhering to the enforced laws, regulations, and instructions in the Kingdom of Saudi Arabia.
8.2.1.2 Starting to provide licensed services within (3) months as a maximum from the date of license issuance, unless NCA decides otherwise.
8.2.1.3 Adhering to localization requirements, keeping all relevant information and data created before, during, or after service provision within the Kingdom, and not storing or copying them outside the Kingdom.
8.2.1.4 Implementing the licensed services and providing services to national entities (public, private, or others) from within the Kingdom.
8.2.1.5 Ensuring that service-related data is processed and stored within the Kingdom, with no access permitted from outside the Kingdom.
8.2.1.6 Adhering to HASEEN service provision methods, and providing NCA with all relevant documents, information, and data, as well as service outputs through HASEEN within the specified timeframe.
8.2.1.7 Complying with all responsibilities and obligations when providing services to national entities, according to NCA instructions.
8.2.1.8 Implementing the security and cybersecurity recommendations or requirements shared by NCA, including cyber alerts, threat detection rules, and indicators of compromise. Furthermore, providing NCA with the results according to the requirements and the specified period.
8.2.1.9 Providing NCA with periodic reports - as decided by NCA - and any other information NCA requests, and to adhere to the deadlines, methods, and templates prescribed for this. Reports may include, but are not limited to, cybersecurity assessments conducted, cybersecurity incidents addressed, beneficiaries, etc.
8.2.1.10 Refraining from publishing any data related to cybersecurity and any related information gathered by the licensee while providing services to national entities (public, private or others) in the Kingdom before obtaining written approval from NCA.
8.2.1.11 Refraining from publishing and/or sharing any data related to national entities (public, private or others) served by the licensee, whether individually or after aggregating that data or information, with any party for any justification or purpose, including government or private entities, inside and outside the Kingdom before obtaining written approval from NCA.
8.2.1.12 Stating in its contracts related to this Framework the provisions that address cases of license expiration, non-renewal, or cancellation.
8.2.1.13 Implementing the necessary procedures in the event of the expiration or termination of the contractual relationship with national entities (public, private or others) in accordance with NCA decisions.
8.2.1.14 When the services of a cloud service provider (CSP) are needed, a CSP licensed by the relevant authority in the Kingdom shall be contracted before utilizing the services.
8.2.1.15 Informing NCA immediately of any change in information or data related to the license application, and/or upon discovery of any submitted information that is inaccurate or contrary to the facts reported to NCA, indicating the reasons for the inaccurate or incorrect submission and the reason for the change.
8.2.1.16 Informing NCA immediately of any actual or potential risk, threat, or breach detected by the licensee at the national entity (public, private or others).
8.2.1.17 Informing NCA immediately of any legal or regulatory action against the licensee that may impact providing services, regardless of the regulatory body or jurisdiction, and whether it is from inside or outside the Kingdom.
8.2.1.18 Submitting financial statements audited by an independent licensed auditor in accordance with the laws of the Kingdom, showing revenues from providing cybersecurity services, products, or solutions for each fiscal year throughout the license period.
8.2.1.19 Fully cooperating with NCA when exercising its regulatory and supervisory authority on the licensee and making available all its possible resources to implement any oversight and inspection requirements from NCA, including audits, verifications, cybersecurity assessments and any other requirements on their business and systems, whatever they may be.
8.2.1.20 Providing NCA with all documents, data, information and reports that prove their compliance with NCA’s requirements and regulations, including, but not limited to, the following:
8.2.1.20.1 Financial performance information for cybersecurity activities, including revenues and their sources, capital, technology investments, infrastructure investments, and training and development expenses.
8.2.1.20.2 Information about the cybersecurity services provided, the beneficiaries of the services, their numbers and names, the type of services provided to them, and meetings and interactions with them, etc.
8.2.1.20.3 Information about the licensee's employees involved in providing services within Specialized License Category, and other services as deemed necessary by NCA, including the number of employees, their CVs and qualifications, etc.
8.2.1.20.4 Information about the technical requirements imposed on the licensee, technology tools and subscriptions, any IT infrastructure related to implementing cybersecurity services by the licensed entity, etc.
8.2.1.20.5 Any evidence, document, or proof required by NCA for the purpose of verifying the compliance of the licensee with the provisions outlined in this Framework, other documents issued by NCA, and other relevant entities.
8.2.1.21 Adhering to local content and localization percentages for jobs, as determined by NCA and relevant authorities.
8.2.1.22 Complying with the decisions issued by NCA in any disputes that may arise with beneficiaries regarding the services provided under the license.
8.2.1.23 Fully and continually applying all cybersecurity controls issued by NCA that apply to the licensee; including but not limited to, Essential Cybersecurity Controls (ECC), Critical Systems Cybersecurity Controls (CSCC), and Data Cybersecurity Controls (DCC); and submitting annual documentation of compliance with the controls approved by NCA.
8.2.1.24 Notifying NCA immediately if any change occurs in the ownership of the licensed entity in any way.
8.2.1.25 Obtaining NCA's prior written approval before taking any action that would result in a change in the ownership of the licensed entity in any way.
8.2.2 Special Obligations
8.2.2.1 Obligations on Providing Cybersecurity Compliance Assessment, Cybersecurity Risk Assessment, and Cybersecurity Technical Assessment Services
8.2.2.1.1 The licensee shall conduct assessments according to a specific and systematic mechanism that includes developing a comprehensive final report for the assessments of various types in accordance with HASEEN methodologies and frameworks, and submit the same through HASEEN in the format specified by NCA within the specified timeframe.
8.2.2.1.2 The licensee must follow clear methodologies for conducting compliance assessments, which should include criteria for acceptable evidence and standards that determine the entity’s performance being assessed in such category; NCA reserves the right to specify the evaluation mechanism, its methodology, and its contents, as well as to make any amendments or remove any of its elements.
8.2.2.1.3 The licensee shall conduct assessments through qualified and experienced Saudi personnel holding academic qualifications and certifications in cybersecurity or related fields, and must be seasoned in assessments, as specified by NCA.
8.2.2.1.4 The licensee shall maintain accurate and complete records of the assessments provided to beneficiaries for a period of five (5) years from the date those services were rendered; such records should include, but are not limited to, the service provision date, name of the beneficiary, details of personnel involved in delivering the service, detailed assessment results, and any third parties involved in providing any part of the assessment services.
8.2.2.2 Obligations on Providing Bug Bounty Programs
8.2.2.2.1 Limiting participation in bug bounty programs to citizens and residents of the Kingdom who meet the necessary requirements.
8.2.2.2.2 The scope of the programs must be limited to assets that are not likely to affect national security, and to public-facing assets, excluding operational systems and social engineering.
8.2.2.2.3 Bug bounty program platforms must have the following features: (1) Statistics and real-time tracking of activities on the platform, e.g. average resolution time, number of rewards paid, and number of vulnerabilities detected. (2) The ability of participating entities to select the participating researchers. (3) The ability to generate reports and data for entities.
8.2.2.2.4 Verifying the identities of platform users and maintaining platform records for at least five (5) years.
8.2.2.2.5 Granting NCA the right to directly access information and data of the bug bounty program platforms.
8.2.2.2.6 Obtaining approval and signing an NDA between researchers and platform participant entities before providing the service.
8.2.2.2.7 Privacy policies on bug bounty program platforms must adhere to National Data Governance Policies issued by the relevant authority, the Personal Data Protection Law and relevant regulations applicable in the Kingdom.
8.2.2.3 Obligations on Providing Cybersecurity Incident Response & Investigation Services (Only licensed within Tier I under Specialized License Category “Specialized - 1”)
8.2.2.3.1 The licensee shall establish a clear Service Level Agreement (SLA) with national entities (public, private, or others).
8.2.2.3.2 The licensee shall employ (full-time) cybersecurity incident response specialists who are Saudi citizens, as specified by NCA.
8.2.2.3.3 The licensee shall provide cybersecurity incident response and investigation services through qualified and experienced Saudi personnel holding academic qualifications and certifications in cybersecurity or related fields, and must be seasoned in incident response and investigation, as specified by NCA.
8.2.2.3.4 The licensee shall maintain accurate and complete records of cybersecurity incidents responded to and investigated for a period of twenty five (25) years from the date those services were rendered; such records should include, but are not limited to, the service provision date, name of the beneficiary, details of incident responders involved in delivering the service, and any third parties involved in providing any part of incident response services.
8.2.2.3.5 The licensee shall retain accurate and complete copies of digital evidence related to cybersecurity incidents they responded to and investigated for a minimum of ten (10) years from the date of providing those services. This includes, but is not limited to, system logs, digital copies of hard drives, RAM, and other data. The licensee shall ensure that these copies remain undamaged, unaltered, and untampered with during collection and storage. This information shall not be destroyed before being handed over to the National Cybersecurity Authority.
8.2.2.3.6 The licensee shall conduct an analysis and provide actionable measures to the entity affected by the cybersecurity incident. The licensee is also responsible for reviewing the incident and providing lessons learned to the affected entity after completion.
8.2.2.3.7 The licensee shall follow a systematic mechanism for providing incident response services that includes preparing a comprehensive final report detailing the incident, according to NCA methodologies and models, and submit such report in the format specified by NCA; NCA reserves the right to specify the incident response mechanism, its methodology, and its contents, as well as to make any amendments or remove any of its elements.
8.2.2.3.8 The licensee must operate according to the Mechanism for Providing Cybersecurity Incident Response & Investigation Services outlined in Section (7.3).
9. Provisions of Licenses under General License Category
9.1 Requirements for Obtaining a License under General License Category
Any entity seeking a Tier I or Tier II license to provide any cybersecurity services, products, or solutions under General License Category outlined in Section (6) shall meet the requirements for obtaining, renewing, and maintaining the license, as detailed in the table below:
**Please look at the attached for the table**
**Please look at the attached for the Appendices**
Last update: 16 February 2026