NCA Penetration Testing Requirements in Saudi Arabia
If you are reading this, you are probably close to a decision: your organisation needs penetration testing for NCA compliance, and you need to know exactly what the regulator expects, what your report has to contain, and who is actually allowed to do the testing in Saudi Arabia. This guide answers all three. If you are still at the stage of asking what the NCA in Saudi Arabia is, start with our guide on that question first.
The short version is that yes, the NCA requires penetration testing; it is a specific control within the NCA Essential Cybersecurity Controls. But meeting the requirement is not just about running a test; it is about scoping it correctly, documenting it the way an NCA assessor expects, and using a provider that is registered with the NCA, which has been a regulatory requirement in the Kingdom since 2022. Get any of those wrong and you have spent money on a test that does not satisfy the auditor.
Always confirm a penetration testing provider is NCA-registered before engaging them. SecurityWall is NCA-registered — ask us for our registration details and verify them with the NCA directly.
Below: where penetration testing sits in the NCA ECC, how it stacks with SAMA for financial institutions, what "NCA-registered tester" really means for you as a buyer, what the test must cover, what the report must contain to be accepted, and how often you need to do it. If you want the wider framework context first, see our NCA ECC requirements guide.
- Does the NCA Require Penetration Testing?
- Where Penetration Testing Sits in NCA ECC
- Financial Sector: SAMA and NCA Together
- What an NCA-Registered Tester Means for Buyers
- What the Test Must Cover for NCA Compliance
- What the Report Must Contain to Be Accepted
- How Often Must You Test?
- SecurityWall's NCA-Registered Testing in Saudi Arabia
Does the NCA Require Penetration Testing?
Yes. The NCA's Essential Cybersecurity Controls include a dedicated penetration testing requirement, and for in-scope organisations it is mandatory, not optional. The ECC requires that organisations conduct penetration testing on their systems and that the cybersecurity requirements for penetration testing are defined, applied, and reviewed periodically.
In plain terms: if you are a government entity or a Critical National Infrastructure operator subject to the ECC, penetration testing is part of your compliance baseline. If you are a non-CNI private company under NCNICC-1:2025, testing and vulnerability management feature there too. And if you are a financial institution, you face the requirement from both the NCA and SAMA at once.
Where Penetration Testing Sits in NCA ECC
This is where most write-ups get it wrong, so it is worth being precise. In the ECC, penetration testing is a subdomain within Domain 2, Cybersecurity Defence (the technical-controls domain), not within the Cybersecurity Resilience domain. It sits alongside the other defensive controls such as vulnerability management, network security, and event logging and monitoring.
The confusion is understandable, because penetration testing clearly supports resilience: finding and fixing weaknesses before an attacker does is exactly how you become more resilient. But the explicit control that obliges you to test lives in the Defence domain, and the ECC expects that the requirements for penetration testing are documented, applied to your systems, and reviewed periodically. A provider who does not know which domain the requirement sits in is a provider who has not read the framework; that is a useful filter when you are choosing one. For the full domain-by-domain breakdown, see our ECC 2:2024 requirements guide, and to check your own readiness, the interactive ECC checklist.
Financial Sector: SAMA and NCA Together
If you are a bank, fintech, payment company, or other SAMA-regulated entity, penetration testing is required by two regulators simultaneously. The NCA requires it under the ECC's Cybersecurity Defence domain, and SAMA requires it within its Cyber Security Operations and Technology domain as evidence that your technical controls actually work, distinct from a simple vulnerability scan and tied to SAMA's maturity expectations.
The efficient approach is one engagement scoped to satisfy both, with reporting formatted for both supervisory and assessment review, extended into intelligence-led red teaming where SAMA expects it. We cover this in depth in the NCA and SAMA dual compliance guide and the SAMA penetration testing guide. The key point for buyers: do not commission two separate tests when one, scoped properly from the start, can serve both regulators.
What an NCA-Registered Tester Means for Buyers
This is the part most organisations do not know, and it directly affects who you can hire.
Since 1 August 2022, registration with the NCA has been a regulatory requirement for any entity that provides cybersecurity services, solutions, or products in the Kingdom. The NCA launched its service provider registration platform in 2022, and registration is not a marketing badge; it is a compliance prerequisite for operating as a cybersecurity provider in Saudi Arabia. You can read the requirement on the NCA's own registration and licensing page.
For you as a buyer, this has two consequences:
- Using a non-registered provider is itself a risk. If your penetration test is delivered by a firm that is not NCA-registered, you have engaged a provider operating outside the Kingdom's regulatory requirement, which is precisely the kind of third-party and supplier-management gap the ECC and your auditors scrutinise.
- Buying from an NCA-registered firm is the defensible choice. It signals to your assessors that you used a compliant vendor, and it removes a question you do not want raised during an assessment.
SecurityWall is an NCA-registered cybersecurity provider. Before engaging any tester, including us, you can and should verify their registration through the NCA. When you speak with our team, we provide our NCA registration details so you can confirm them directly.
What the Test Must Cover for NCA Compliance
The ECC expects testing that reflects your actual attack surface, not a token scan of one system. A credible NCA penetration test scope typically includes:
- External network and perimeter: Internet-facing infrastructure and exposed services
- Internal network: What an attacker can reach after gaining a foothold, including lateral movement and privilege escalation
- Web applications: Your customer-facing and internal applications, tested against recognised methodology
- APIs: Increasingly the largest real attack surface, and frequently under-tested
- Cloud configuration: Where your systems are hosted in the cloud, aligned to the relevant cloud controls
- Network segmentation: Validation that segmentation actually holds
The scope should be driven by your environment and the systems the ECC deems in scope, agreed in rules of engagement before testing begins. A provider who proposes an identical scope for every client regardless of architecture is selling a product, not assessing your risk.
What the Report Must Contain to Be Accepted
This is where many tests fail their real purpose. A penetration test only satisfies the NCA if the report demonstrates the work and the outcomes in a form an assessor accepts. At minimum it should contain:
- Scope and rules of engagement: What was tested, when, and under what authorisation
- Methodology: The recognised approach followed, so the work is repeatable and defensible
- Executive summary: Risk stated in business terms for leadership and assessors
- Detailed findings with severity ratings: Each issue rated consistently, with the evidence to support it
- Proof and reproduction steps: Enough that findings can be validated, not just asserted
- Remediation guidance: Specific, actionable fixes, not generic advice
- Retest and verification: Confirmation that findings were remediated, which is what closes the loop for an auditor
That last point matters more than buyers expect: a report full of findings with no evidence of remediation and retesting leaves the control open. The deliverable an assessor wants to see is findings and the proof they were fixed.
How Often Must You Test?
The ECC requires that penetration testing is conducted and that its requirements are reviewed periodically, rather than naming a single fixed interval for every organisation. In practice, the defensible cadence that satisfies NCA assessors and aligns with how the framework is applied is:
- At least annually, as a baseline for in-scope systems
- After significant change: major releases, new infrastructure, architectural changes, or significant configuration changes
- In line with risk: higher-exposure systems warrant more frequent testing
For SAMA-regulated entities, testing should be regular and structured enough to demonstrate maturity, not a one-off. The safe operating assumption is annual testing plus testing after material change, with retesting of findings in between.
SecurityWall's NCA-Registered Testing in Saudi Arabia
SecurityWall is an NCA-registered cybersecurity firm delivering penetration testing for NCA and SAMA compliance across Saudi Arabia. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials, and we scope, test, and report to what the regulators actually expect, not a generic template.
NCA-Registered and Verifiable
- A registered cybersecurity service provider in the Kingdom, as the NCA requires
- Registration details provided on request so you can verify them with the NCA
- Testing scoped to the ECC's Cybersecurity Defence requirements
Scoped to Your Environment
- Penetration testing across external, internal, web, API, and cloud attack surfaces
- Rules of engagement agreed before testing, scope driven by your architecture
- Red teaming where SAMA's intelligence-led expectations apply
Reports Auditors Accept
- Clear methodology, severity-rated findings, and reproduction evidence
- Business-level executive summaries for leadership and assessors
- Retesting included, so findings are demonstrably closed
One Engagement for Both Regulators
- A single test scoped to satisfy both the NCA and SAMA where both apply
- Aligned to our NCA and SAMA compliance work
- Mobile-heavy estate? Add mobile application penetration testing
Related reading:
- NCA ECC 2:2024 Requirements: Every Control Domain Explained
- NCA ECC Compliance Checklist (Interactive)
- NCA and SAMA Dual Compliance for Banks and Fintech
- SAMA Penetration Testing Guide
- What Is the NCA? Saudi Arabia's Cybersecurity Authority
- NCNICC-1:2025: Every Saudi Private Company Now in Scope
Frequently Asked Questions
Does the NCA require penetration testing?
Yes. Penetration testing is a mandatory control within the NCA's Essential Cybersecurity Controls for in-scope organisations. It sits within the Cybersecurity Defence domain, and the ECC requires that penetration testing is conducted and its requirements reviewed periodically.
Which ECC domain covers penetration testing?
Domain 2, Cybersecurity Defence, the technical-controls domain. Penetration testing is a subdomain there, alongside vulnerability management, network security, and monitoring. It is commonly assumed to fall under the Resilience domain, but the explicit control sits in Cybersecurity Defence.
Does my penetration testing provider need to be NCA-registered?
Any entity providing cybersecurity services in Saudi Arabia has been required to register with the NCA since 1 August 2022. Using an NCA-registered provider is the defensible choice and avoids raising a supplier-compliance question during your assessment. You can verify a provider's registration with the NCA directly.
What must an NCA penetration test report contain?
Scope and rules of engagement, methodology, an executive summary, detailed findings with severity ratings, reproduction evidence, specific remediation guidance, and retesting that confirms findings were fixed. A report without remediation and retest evidence leaves the control open.
How often do Saudi organisations need penetration testing?
The ECC requires periodic testing rather than a single fixed interval. The defensible cadence is at least annually, plus testing after any significant change, with higher-risk systems tested more often. SAMA-regulated entities should test regularly enough to demonstrate maturity.
Can one penetration test cover both NCA and SAMA?
Yes, if scoped to both from the start. The NCA requires testing under its Defence domain and SAMA under its Operations and Technology domain, so a single engagement designed against both, with appropriately formatted reporting, can serve both reviews.