Saudi Arabia’s National Cybersecurity Authority (NCA) has released its proposed Draft National Framework for Cybersecurity Information Sharing and Incident Response (NFCISIR – 1:2026) for public consultation on the Istitlaa Platform.
The draft framework is significant because it would introduce extensive cybersecurity reporting, information-sharing, and incident response obligations for a broad range of organisations operating in the Kingdom.
Key proposals include:
- Mandatory reporting of actual and potential cybersecurity incidents and threats to the NCA
- 24/7 communication channels with the NCA and compliance with NCA-issued alerts and directives
- Prescribed incident response, investigation, evidence preservation, and reporting requirements
- Tight response timelines for NCA requests — in some cases as short as 1–2 hours
- Restrictions on sharing cybersecurity operations and incident response information with third parties without prior NCA approval
- Detailed post-incident reporting obligations, including root cause analysis, indicators of compromise, remediation actions, affected systems and data, and estimated financial impact
The proposed framework would apply broadly across public and private sector organisations, including critical infrastructure operators, cloud providers, managed security service providers, cybersecurity service providers, and IT/OT vendors.
Companies and groups with operations, infrastructure, customers, or service provider relationships in Saudi Arabia should begin assessing whether their incident response procedures, escalation processes, contractual arrangements, and reporting capabilities could meet the proposed requirements and timelines.
The consultation is another indication of Saudi Arabia’s continued focus on strengthening national cyber resilience and enhancing coordinated cyber incident response across the Kingdom.
The consultation will be open from 10 June 2026 through 10 July 2026.
If you would like to discuss the potential implications of the draft framework for your organisation, please feel free to reach out to Christine Khoury.
About the author(s)
Christine is a commercial lawyer with over 15 years' experience advising domestic and international clients across the GCC, with a particular focus on the TMT sector. She is recognised by Chambers and Legal 500 as a leading TMT lawyer and was named a Next Generation Partner in 2026.
Christine's practice focuses on data protection, cybersecurity, AI regulation, and technology transactions.

