Cybersecurity Services for Saudi Arabia Businesses — Remote Delivery from Dubai

Saudi Arabia’s cybersecurity regulatory environment is among the most demanding in the GCC. The SAMA Cyber Resilience Framework, NCA Essential Cybersecurity Controls, and Saudi PDPL collectively impose mandatory security requirements on thousands of Saudi private and public sector organisations. UAE-based cybersecurity firms — operating from Dubai — are well-positioned to serve Saudi clients remotely, combining GCC regulatory expertise, Arabic language capability, and time zone alignment with cost-effective delivery models. This post explains the Saudi regulatory landscape and how remote delivery from Dubai works in practice.

Saudi Arabia Cybersecurity Regulatory Overview

Saudi Arabia operates three primary cybersecurity regulatory frameworks, each targeting different sectors and types of organisation. Understanding which frameworks apply to your Saudi business is the starting point for any compliance programme.

SAMA Cyber Resilience Framework (CRF)

The Saudi Central Bank (SAMA) issued the Cyber Resilience Framework for all SAMA-licensed entities: commercial banks, insurance companies, finance companies, and payment service providers operating in Saudi Arabia.

The SAMA CRF is structured across five domains:

  1. Governance: Cybersecurity strategy, board-level oversight, CISO appointment, and policy framework
  2. Identify: Asset inventory, risk management, and third-party risk
  3. Protect: Access control, secure configuration, encryption, and security awareness
  4. Detect: Continuous monitoring, threat intelligence, and anomaly detection
  5. Respond and Recover: Incident response, business continuity, and regulatory reporting

SAMA-regulated entities must complete an annual self-assessment against the CRF and submit results to SAMA. Independent assessments are required for higher-risk entities. Non-compliance can result in remediation requirements, operational restrictions, and regulatory sanctions.

NCA ECC — Essential Cybersecurity Controls

The National Cybersecurity Authority (NCA) of Saudi Arabia issued the Essential Cybersecurity Controls (ECC) as the baseline cybersecurity framework for government entities and organisations in critical sectors including energy, water, transport, telecommunications, and financial services.

Key facts about NCA ECC:

  • 114 controls across five domains: Cybersecurity Governance, Cybersecurity Defence, Third-Party and Cloud Computing Cybersecurity, Industrial Control Systems Cybersecurity, and Compliance
  • Mandatory for all Saudi government entities (federal and local) and private sector organisations in critical sectors
  • Annual audit required; NCA may conduct independent assessments of critical sector entities
  • Aligns closely with ISO 27001 — approximately 70% control overlap, making ISO 27001 a strong foundation for NCA ECC compliance

Saudi PDPL — Personal Data Protection Law

Saudi Arabia’s Personal Data Protection Law (PDPL), issued by Royal Decree M/19 and enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), applies to any organisation processing personal data of Saudi residents.

Key PDPL obligations:

  • Consent requirement: Personal data processing requires explicit or implicit consent based on the processing purpose
  • Data localisation: Default requirement to store personal data of Saudi residents within Saudi Arabia (with exceptions for specific cross-border transfers)
  • Breach notification: Notify SDAIA within 72 hours of becoming aware of a breach; notify affected individuals without undue delay
  • Data subject rights: Access, correction, deletion, and portability rights for Saudi residents
  • Penalties: Up to SAR 5 million for violations; up to SAR 10 million for repeat violations; imprisonment possible for egregious cases

Remote Delivery Model from Dubai — How It Works

UAE-based cybersecurity firms can deliver the full spectrum of services to Saudi clients remotely. Here is how each service type is delivered:

ISO 27001 and Compliance Consulting

All documentation work, gap assessments, policy development, risk assessments, and audit preparation can be conducted entirely remotely via video conference, secure file sharing, and collaborative documentation platforms. Initial kickoff and any physical office walkthroughs can be conducted during a 1–2 day on-site visit if required. The remaining 80–90% of a compliance engagement is remote.

VAPT (Vulnerability Assessment and Penetration Testing)

External VAPT is inherently remote — the penetration tester assesses internet-facing systems from their location, which can be Dubai, London, or anywhere. Internal VAPT for Saudi clients is conducted via a secure VPN tunnel or a jump server provisioned inside the Saudi network. All major Saudi regulators (SAMA, NCA) accept remote VAPT evidence when properly scoped and documented.

Managed SOC

Security monitoring is delivered from Dubai-based analyst teams monitoring Saudi client environments via secure SIEM connectivity. Log data, security telemetry, and alert feeds are transmitted over encrypted channels. Data residency for Saudi PDPL compliance is addressed through Saudi-region cloud tenants (AWS Riyadh, Azure UAE/KSA) where required.

Training and Awareness

Security awareness training, tabletop exercises, and board-level cybersecurity briefings are delivered via virtual platforms. Arabic-language training materials are available for Saudi workforce delivery.

Why UAE-Based Firms Serve Saudi Clients Well

Several structural factors make Dubai-based cybersecurity firms effective partners for Saudi organisations:

  • GCC regulatory fluency: UAE consultants operate within the same regulatory tradition as Saudi Arabia — SAMA CRF, NCA ECC, and Saudi PDPL all share structural similarities with CBUAE CSF, NESA IAS, and UAE PDPL. A UAE-experienced consultant navigates Saudi frameworks quickly.
  • Time zone alignment: UAE (GST, UTC+4) and Saudi Arabia (AST, UTC+3) are one hour apart. Same-day meeting scheduling, real-time incident response collaboration, and shared business culture remove the friction that characterises offshore delivery from Europe or the US.
  • Arabic language capability: UAE cybersecurity firms with Arabic-speaking consultants can deliver reports, present to Saudi boards, and communicate with Saudi regulators in Arabic — a significant advantage for government and semi-government engagements.
  • Regional threat intelligence: GCC-specific threat intelligence — relevant to Gulf energy sector targeting, Arabic-language phishing campaigns, and regional APT activity — is a natural competency of UAE-based security teams.
  • Proximity for occasional on-site work: Dubai to Riyadh is a 2-hour direct flight. When physical presence is required (data centre walkthrough, physical penetration test, board presentation), a Dubai-based team can be on-site same day or next day.

Cost of Cybersecurity Services for Saudi Businesses

| Service | Cost (SAR) | Cost (AED) | Timeline |
| --- | --- | --- | --- |
| SAMA CRF Gap Assessment | SAR 30,000–70,000 | AED 30,000–70,000 | 2–4 weeks |
| NCA ECC Gap Assessment | SAR 40,000–90,000 | AED 40,000–90,000 | 3–5 weeks |
| ISO 27001 (SME, full programme) | SAR 80,000–200,000 | AED 80,000–200,000 | 8–14 months |
| External VAPT | SAR 15,000–50,000 | AED 15,000–50,000 | 1–3 weeks |
| Internal VAPT (via VPN) | SAR 25,000–80,000 | AED 25,000–80,000 | 2–4 weeks |
| Managed SOC (entry-level) | SAR 8,000–15,000/month | AED 8,000–15,000/month | Ongoing |
| Saudi PDPL Compliance Programme | SAR 25,000–70,000 | AED 25,000–70,000 | 4–8 weeks |

Frequently Asked Questions

Do Saudi businesses need a local cybersecurity provider or can a UAE firm serve them?

UAE-licensed cybersecurity consulting firms can serve Saudi clients directly without a Saudi entity, particularly for consulting, assessment, and remote managed services. For services requiring NCA or SAMA accreditation (e.g., being listed as an approved SAMA assessor), a Saudi entity or local partnership may be required. Most advisory and VAPT work does not have this restriction.

Does SAMA require annual VAPT?

The SAMA CRF Protect domain requires regular vulnerability assessments and penetration testing. Most SAMA-regulated entities conduct annual external VAPT as a minimum, with internal VAPT and application testing for higher-risk entities. SAMA does not prescribe a specific frequency but expects entities to demonstrate active testing as part of their annual self-assessment evidence.

What language are Saudi PDPL compliance documents prepared in?

Saudi PDPL compliance documentation (privacy notices, data processing agreements, DPA policies) should be prepared in Arabic for Saudi resident-facing communications. Internal policies and technical documentation can be in English. UAE firms with Arabic-language capability can deliver bilingual compliance documentation.

Is Saudi Arabia covered by UAE cybersecurity laws?

No. Saudi Arabia and the UAE are separate jurisdictions with separate cybersecurity laws. UAE PDPL, NESA IAS, and CBUAE CSF apply in the UAE. SAMA CRF, NCA ECC, and Saudi PDPL apply in Saudi Arabia. GCC harmonisation efforts exist (via GCC Secretariat) but compliance must be managed per-country.

Need cybersecurity services for your Saudi Arabia business? eShield IT delivers cybersecurity services for Saudi Arabia remotely from Dubai: SAMA CRF, NCA ECC, Saudi PDPL, ISO 27001, and VAPT. Get a free consultation.