Saudi OTCC

Saudi OTCC-1:2022 — Operational Technology Cybersecurity Controls

RegulationSaudi Arabia

OTCC-1:2022 is a mandatory cybersecurity regulation for operational technology environments in Saudi Arabia. Issued by the NCA, it defines 47 main controls and 122 sub-controls across 4 domains covering OT governance, asset protection, vulnerability management, and incident response. Non-compliance carries fines up to SAR 25 million.

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 NERC CIP MITRE ATT&CK ICS CISA CPGs NIST CSF 2.0 NIST 800-53 NIST 800-171 CIS Controls CSA CCM CSA CAIQ

Main Controls

122

Sub-Controls

SAR 25M

Max Fine

Mandatory

For CNI

Who Needs to Comply

Critical National Infrastructure

Energy and utilities operators in Saudi Arabia
Water and wastewater treatment facilities
Manufacturing and industrial process plants
Transportation and logistics operators with OT systems

Public & Private Sector

All organisations operating OT/ICS systems deemed critical by NCA
Government entities with industrial control systems
Foreign companies operating OT infrastructure in Saudi Arabia
Managed OT security service providers serving Saudi CNI

Key Compliance Areas

Domain 1

OT Governance & Compliance

OT cybersecurity strategy, organisational structure, roles and responsibilities, and periodic compliance reviews aligned with NCA requirements.

Domain 2

OT Asset Management & Protection

OT asset inventory, network segmentation, secure remote access, and access control specifically designed for operational technology environments.

Domain 3

OT Risk & Vulnerability Management

OT-specific risk assessments, vulnerability scanning, and patch management adapted for operational continuity and safety requirements.

Domain 4

OT Incident Response & Continuity

OT incident detection and response procedures, disaster recovery for OT systems, and mandatory NCA incident reporting.

How Orizon Helps

Scope Determination

Identify all OT assets and systems within NCA regulatory scope and determine applicable OTCC controls.

Gap Assessment

Evaluate current OT security posture against all 122 sub-controls and document gaps.

OT Governance Framework

Establish OT cybersecurity policies, roles, reporting structures, and NCA compliance processes.

Technical Controls Deployment

Implement network segmentation, access controls, monitoring, and secure remote access for OT environments.

NCA Compliance Documentation

Prepare comprehensive evidence and documentation for NCA audit and compliance review.

Periodic Review & Reporting

Ongoing compliance monitoring, periodic reassessment, and mandatory NCA reporting obligations.

Official Sources

Assess Your Compliance

Expert guidance for your Saudi OTCC compliance journey.

Get Started