Saudi Arabia’s National Cybersecurity Authority (NCA) has released a public consultation draft – on Istitlaa Platform of its proposed Draft National Framework for Cybersecurity Information Sharing and Incident Response (NFCISIR – 1:2026).
The draft framework is significant because it would introduce extensive cybersecurity reporting, information-sharing, and incident response obligations for a broad range of organisations operating in the Kingdom.
Key proposals include:
- Mandatory reporting of actual and potential cybersecurity incidents and threats to the NCA
- 24/7 communication channels with the NCA and compliance with NCA-issued alerts and directives
- Prescribed incident response, investigation, evidence preservation, and reporting requirements
- Tight response timelines for NCA requests — in some cases as short as 1–2 hours
- Restrictions on sharing cybersecurity operations and incident response information with third parties without prior NCA approval
- Detailed post-incident reporting obligations, including root cause analysis, indicators of compromise, remediation actions, affected systems and data, and estimated financial impact
The proposed framework would apply broadly across public and private sector organisations, including critical infrastructure operators, cloud providers, managed security service providers, cybersecurity service providers, and IT/OT vendors.
Companies and groups with operations, infrastructure, customers, or service provider relationships in Saudi Arabia should begin assessing whether their incident response procedures, escalation processes, contractual arrangements, and reporting capabilities could meet the proposed requirements and timelines.
The consultation is another indication of Saudi Arabia’s continued focus on strengthening national cyber resilience and enhancing coordinated cyber incident response across the Kingdom.
Consultation will be open from 10 June 2026, through 10 July 2026.
If you would like to discuss the potential implications of the draft framework for your organisation, please feel free to reach out to Christine Khoury.
Christine Khoury
Christine is a commercial lawyer with over 15 years' experience advising domestic and international clients across the GCC, with a particular focus on the TMT sector. She is recognised by Chambers and Legal 500 as a leading TMT lawyer and was named a Next Generation Partner in 2026. Christine's practice focuses on data protection, cybersecurity, AI regulation, and technology transactions.