Follow Okaz channel on WhatsApp

In a major developmental step aimed at enhancing digital sovereignty and protecting sensitive infrastructure in the Kingdom, the National Cybersecurity Authority has officially begun implementing a package of strict new regulatory rules, including the 'Rules for Controlling and Investigating Cybersecurity Violations' and the 'Rules for Regulating Whistleblowing.'

The new decisions, which came into effect immediately upon publication, carried surprises ranging from granting inspectors broad 'surprise' powers to access networks, to offering generous financial rewards for whistleblowers, amid stern warnings against 'malicious reports' or using illegal means to hack.

Cybersecurity Inspector: Broad Powers and Immediate Suspension

Under the new regulation, inspectors authorized by the Authority now have firm powers to supervise and inspect the premises and technical and operational systems of institutions and individuals, and for that purpose they have:

Immediate entry and seizure: The right to enter premises, direct access to networks and software, access to data and backups, examination and seizure in case of suspicion.

Immediate system suspension: In urgent and necessary cases threatening the Kingdom's digital security, the Governor of the Authority (or his delegate) has the legal authority to issue an immediate decision to suspend or stop the activities or networks under violation.

Prohibition of tampering: The system imposes full commitment from all parties to absolute cooperation, and completely prohibits refraining from providing records or tampering with and destroying them, with absolute confidentiality imposed on investigations.

Financial Rewards for Whistleblowers

On the other hand, the Authority opened the door for individuals to contribute to protecting the digital space through an official and confidential reporting platform, announcing encouraging financial rewards assessed by a special committee based on the severity of the violation and the importance of the report.

The reward controls came to set a specific financial ceiling:

Reward value: The system set the reward at no more than 50,000 Saudi riyals, or equivalent to (1%) of the value of the collected financial fine.

Strict eligibility condition: The Authority stipulated that the report must be submitted through 'legal means,' as the right to the reward is completely forfeited (and may fall under legal liability) if the report involves illegal practices such as 'unauthorized access' or 'hacking' into the systems of the reported entity to prove the violation.

Exclusion of relatives and employees: The system completely prohibits giving the reward to Authority employees or their relatives up to the fourth degree, or if the disclosure of the violation results from the person's original job duties.

Firmness against 'Malicious Reports'

In a legal move to protect institutions and companies from settling scores or misusing the system, the rules stressed that the Authority will take strict legal action against anyone proven to have submitted a 'malicious report,' including referring them directly to judicial authorities to apply penalties against them.

Through this integrated regulatory environment, which relies on electronic and modern technical means in all its activations, the Kingdom seeks to build a safe and compliant cyber society that balances decisive deterrence of violators and smart incentives for those who preserve the nation's digital security.