Issued by the Communications & Information Technology Commission (CITC) in June 2020, the Cybersecurity Regulatory Framework (CRF) aims to increase the cybersecurity maturity of Service Providers in the Information and Telecommunications Technology and Postal Sector.

Who does it apply to?

The CITC’s CRF framework mainly applies to organizations who are licensed or registered by the CITC and those subject to it as the regulator of the ICT and Postal Sector in the Kingdom of Saudi Arabia.
That said, it is mainly targeting organizations that are not classified as Critical National Infrastructure (NCI). Those organizations that are classified as NCIs should comply with the Essential Cybersecurity Controls (ECC) issued by the Saudi National Cybersecurity Authority (NCA).

What is its purpose?

The CRF provides requirements for better management of cybersecurity risks through a consistent approach and in line with the international best practices and Saudi cybersecurity regulations.

How long does it take to implement the CRF in an organization?

It depends on the size of the organization, the field in which it operates, the number of employees, the state of the current policies implemented, and the number and type of ICT components within its infrastructure. Some organizations can roll out the CRF in a few weeks, others may require months or years. If you are interested in implementing the Cybersecurity Regulatory Framework in your organization, contact us to schedule a gap analysis audit and get a better assessment of the lead time and the costs.

Clients and Partners