Saudi Compliance Frameworks: Sourced From the Regulators, Not From Blogs
Most Saudi compliance content is copied between consultancy decks and vendor pages, and a surprising amount of it is wrong in ways that matter: controls cited against the wrong domains, documents that do not exist, and precise-sounding figures the regulator never published. Every guide below was built from the regulator's own document. Where the regulator states no figure, we say so rather than inventing one.
Cloud Cybersecurity Controls
CCC-2:2024 deleted the in-Kingdom hosting mandate. 4 domains, 24 subdomains, separate Provider (P) and Tenant (T) control sets.
Read the guide →Essential Cybersecurity Controls
It is 108 main controls, not the 114 almost everyone still quotes. That figure is ECC-1:2018.
Read the guide →Critical Systems Cybersecurity Controls
Where the NCA put its real numbers: 6-month pen tests, 3-month access reviews, 18-month log retention. ECC compliance is a prerequisite.
Read the guide →Operational Technology Cybersecurity Controls
ECC-1's deleted ICS domain moved here. 47 controls, 122 subcontrols — and 92 of them sit in Cybersecurity Defense alone.
Read the guide →Building a SOC to NCA Expectations
Logging is ECC 2-12 and incident management is 2-13 — not 2-10/2-11, which is the error repeated across the market.
Read the guide →SAMA Cyber Security Framework
There is no SAMA "Cloud Rulebook" and no Tier 1–4 RTO/RPO grid. The cloud pre-approval is real, though — CSF 3.4.3.4(a)(2).
Read the guide →ZATCA Phase 2 E-Invoicing Integration
The self-billing invoice type code is 0100001. The 0211000 circulating online decodes to self-billed = 0, and it needs ZATCA's prior approval anyway.
Read the guide →Personal Data Protection Law
PDPL grants exactly five rights in Article 4. There is no right to object and no right to restriction — those are GDPR imports.
Read the guide →Aramco Third Party Cybersecurity Standard
92 controls, TPC-1 to TPC-92. Includes a diff of the retired 2020 issue (86 controls) against the current 2022 issue.
Read the guide →How we work with these frameworks
We design and operate infrastructure — data centre, network, security, hosting — to these controls, including an in-Kingdom region in Dammam powered by Google Cloud. No vendor can make you "fully compliant": several controls are structurally yours alone and cannot be carried by a provider. What we can do is build the infrastructure and produce the evidence an assessor actually asks for.
