Cybersecurity Regulations in the GCC

DFSA Cyber Risk Management Guidelines

The DFSA Cyber Risk Management Guidelines provide best practices for firms to establish a robust cyber risk management framework and strengthen system security, reliability, resiliency, and recoverability. These guidelines are principle-based and encourage firms to implement a framework consistent with the G7 Fundamental Elements of Cybersecurity for the Financial Sector. The DFSA will consider these guidelines in future risk assessments.

SCA Guidelines for Regulation of Virtual Assets and Virtual Asset Service Providers

The SCA Guidelines provide a regulatory framework for Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) in the UAE, excluding financial free zones. Issued under Cabinet Resolution No. (111) of 2022, these guidelines detail licensing requirements, operational standards, and obligations for entities dealing with VAs as investment instruments, aiming to ensure market integrity and investor protection.

Cloud Cybersecurity Controls (CCC-2: 2024)

The Cloud Cybersecurity Controls (CCC-2: 2024) framework, issued by the NCA of Saudi Arabia, outlines cybersecurity controls for cloud services. It aims to establish a baseline for cloud security practices within the Kingdom, updating the previous version (CCC-1: 2020) to reflect current cybersecurity requirements and industry updates. The Arabic version of the document is the binding version.

Cloud Cybersecurity Controls Implementation Guide for CSPs

This document, the "Cloud Cybersecurity Controls Implementation Guide for CSPs (GCCC-CSP)", provides guidance to Cloud Service Providers (CSPs) on implementing cybersecurity controls. It outlines a structure of cybersecurity domains and subdomains, offering implementation guidance to enhance the security posture of CSPs operating within Saudi Arabia.

Cloud Cybersecurity Controls Implementation Guide for CSTs

This document, titled "Cloud Cybersecurity Controls Implementation Guide for CSTs (GCCC-CST)," provides guidance on implementing cloud cybersecurity controls for cloud service tenants in Saudi Arabia. It outlines objectives, scope, and applicability, covering various cybersecurity domains and their structure to ensure a secure cloud environment. The guide aims to help tenants understand and implement necessary security measures.

Essential Cybersecurity Controls (ECC-2: 2024)

The Essential Cybersecurity Controls (ECC-2: 2024) framework, issued by the National Cybersecurity Authority (NCA) of Saudi Arabia, provides a set of cybersecurity controls. It aims to protect organizations from cyber threats and ensure compliance with national cybersecurity standards. The Arabic version of the document is the binding language.

Operational Technology Cybersecurity Controls (OTCC-1: 2022)

The Operational Technology Cybersecurity Controls (OTCC-1: 2022) framework, issued by the National Cybersecurity Authority (NCA) in Saudi Arabia, establishes cybersecurity controls for Industrial Control Systems (ICS). It aims to address the increasing cyber threats targeting these systems and provides a structured approach to implementing and monitoring cybersecurity measures within the Kingdom.

SAMA Cyber Security Framework

The SAMA Cyber Security Framework provides guidance and controls for regulated entities in Saudi Arabia to establish robust cyber security governance, infrastructure, and detective/preventive controls. It aims to ensure that the Saudi Arabian Banking, Insurance, and Financing Companies sectors can effectively manage and withstand cyber security threats through a common approach and maturity assessment.

Telework Cybersecurity Controls (TCC-1: 2021)

The Telework Cybersecurity Controls (TCC-1: 2021) framework, issued by the NCA in Saudi Arabia, establishes cybersecurity requirements for telework systems to mitigate increasing threats and cyber risks associated with remote work environments. It aims to promote economic development and productivity by enabling secure telework practices in accordance with Saudi Arabian laws. The Arabic version of the document is the binding version.

Critical Systems Cybersecurity Controls (CSCC-1: 2019)

The Critical Systems Cybersecurity Controls (CSCC-1: 2019) framework, issued by the NCA of Saudi Arabia, outlines cybersecurity controls for critical systems. It provides a structure for establishing and maintaining cybersecurity governance, defense, and resilience, including third-party and cloud computing considerations. The framework aims to protect critical infrastructure and sensitive data within the Kingdom.

Critical Systems Cybersecurity Controls Implementation Guidelines

This document provides guidelines for implementing cybersecurity controls for critical systems in Saudi Arabia. It outlines general guidelines and specific controls related to cybersecurity governance, risk management, and resilience. The document aims to help organizations protect their critical systems from cyber threats and ensure business continuity.

Data Cybersecurity Controls (DCC-1: 2022)

The Data Cybersecurity Controls (DCC-1: 2022) framework, issued by the NCA in Saudi Arabia, establishes cybersecurity controls for data protection. It outlines requirements for cybersecurity governance, defense, and third-party/cloud computing cybersecurity. The framework aims to safeguard data assets in accordance with Saudi Arabian laws and regulations.

Guide to Essential Cybersecurity Controls (ECC) Implementation

This document, issued by the National Cybersecurity Authority (NCA) of Saudi Arabia, provides guidance for organizations on implementing the Essential Cybersecurity Controls (ECC). It serves as an illustrative model to help organizations meet ECC requirements, while emphasizing the need to consider their unique environments. The document outlines the ECC domains and structure to aid in implementation.

Operational Technology Cybersecurity Controls Implementation Guide

This document, titled "Operational Technology Cybersecurity Controls Implementation Guide," provides guidance on implementing cybersecurity controls for Operational Technology (OT) environments. It outlines general guidelines and specific controls related to cybersecurity governance. The document is intended for public use and aims to improve OT cybersecurity posture.

Bahrain National Cybersecurity Strategy 2025–2028

The Bahrain National Cybersecurity Strategy 2025-2028 outlines the Kingdom's approach to strengthening its cybersecurity landscape. It aims to support national development and enhance global competitiveness by addressing cybersecurity threats and promoting digital transformation. The strategy focuses on building cyber resilience, governance, collaboration, awareness, workforce development, research, and innovation.

CBB Rulebook Vol. 6 — Crypto-Asset Module (CRA) 2024

The CBB Rulebook Vol. 6, Crypto-Asset Module (CRA) 2024, outlines the regulatory framework for crypto-asset services in Bahrain. It covers licensing requirements, minimum capital, business standards, technology governance, cybersecurity, risk management, and reporting obligations for entities engaged in crypto-asset activities. The module aims to ensure the stability and integrity of the crypto-asset market and protect consumers.

CBB Rulebook Vol. 6 — Stablecoin Issuance and Offering Module 2024

The Central Bank of Bahrain's (CBB) Volume 6, Stablecoin Issuance and Offering Module (SIO) outlines the regulatory framework for stablecoin offerings within Bahrain's capital markets. It covers licensing, financial resource requirements, business standards, reserve asset management, and technology governance. The module aims to ensure the stability and security of stablecoins offered in Bahrain and protect consumers.

Bahrain NCSC National Cybersecurity Risk Management Framework 2023

The Bahrain National Cybersecurity Risk Management Framework (NCSC-RMF-0001) by the National Cybersecurity Center (NCSC) provides a structured approach to managing information security risks across the nation. It outlines a comprehensive methodology for risk assessment, treatment, monitoring, and governance, aiming to enhance cybersecurity posture. The framework serves as the authoritative reference for risk management in Bahrain.

CBB Rulebook Vol. 4 — Cyber Security Risk Management Module

This Central Bank of Bahrain (CBB) regulation outlines requirements for cyber security risk management for investment firms. It mandates a robust framework to manage cyber security risks and vulnerabilities, including a cyber security strategy, policy, and risk management approach. The regulation aims to ensure the protection of financial institutions and their customers from cyber threats.

FINAL IoT Adoption Policy Executive Summary EN

Qatar's IoT Adoption Policy aims to promote the widespread, secure, and sustainable deployment of IoT technologies across all sectors. It focuses on public-private collaboration, responsible innovation, interoperability, and long-term sustainability. The policy provides strategic guidance to accelerate IoT adoption and enable digital transformation.

CBK Cybersecurity Framework for the Kuwaiti Banking Sector 2020

The CBK Cybersecurity Framework for the Kuwaiti Banking Sector 2020 outlines requirements for regulated entities to improve their cyber resilience and manage cyber risks. It aims to protect information and financial assets, promote cooperation, and standardize information sharing within the banking sector. The framework is intended to guide the banking sector in effectively managing imminent cyber risks.

CBK E-Payment Services Chapter 2 — Circulars for Electronic Payment

This CBK regulation compiles circulars related to electronic payment services in Kuwait. It addresses various aspects of electronic payments, including fraud reporting, fee structures, payment links, BNPL services, cybersecurity, AML/CFT, and the use of POS devices. The regulation aims to provide guidance and controls for electronic payment service providers and related entities.

Kuwait National Cybersecurity Strategy 2017–2020

The Kuwait National Cybersecurity Strategy 2017-2020, issued by CITRA, outlines Kuwait's approach to cybersecurity, acknowledging the increasing cyber risks and threats facing the country. It aims to promote the security of national critical infrastructure and information, reduce cyber risks, and ensure a reliable and secure cyber environment for the government, private sector, and individuals.