Are You Compliant? IT/OT Requirements for MENA Manufacturers

23.09.2025 5 min.

MENA manufacturing: which cyber rules apply – and what to do about them

Short answer: No, not every manufacturer must follow every cyber rule. What applies depends on where you operate, what personal data you hold, and whether you’re critical or supplying government/regulated customers. Use the guide below as a practical map.

When compliance is mandatory

You handle personal data (HR, contractors, visitors, customers) → The country’s personal data protection law applies: the UAE, KSA, Bahrain and Oman each have a PDPL, and Qatar has its Personal Data Privacy Protection Law. UAE free zones such as DIFC and ADGM run their own data-protection regimes, so check which one actually covers your legal entity.

You are government, critical infrastructure, or a supplier to them → National cyber baselines usually apply (mandatory controls, exercises, evidence). Examples: UAE Information Assurance (IA), KSA NCA Essential Cybersecurity Controls (ECC), Qatar National Information Assurance (NIA).

When it’s contractual/expected

Even if you’re not “critical,” large customers and insurers often flow down national baselines in contracts (e.g., “align to UAE IA / KSA ECC, run drills, keep logs”). This is common for plant operators and Tier-1/2 suppliers across the Gulf.

Country-by-country

United Arab Emirates (UAE)

What it is

  • UAE IA Regulation – national baseline for cyber controls (governance, assets, access, monitoring, incident response, drills).
  • UAE PDPL – data-protection law (what you collect, why, how you secure it, when to notify, cross-border rules).

What a plant must do

  • Keep one asset inventory (IT + OT) and name your critical lines/systems.
  • Enforce risk-based access (admin/vendor actions via a controlled, recorded gateway).
  • Log and monitor at network chokepoints and remote access.
  • Run and evidence exercises: at least one tabletop and one hands-on exercise a year, with minutes and timelines kept.
  • For personal data: publish a short privacy notice, keep records of processing, log breaches, and have a notification plan.

Tricky bit, made simple – “show us proof”. Audits expect evidence, not assurances: policies, asset inventories, drill minutes, screenshots and log extracts, ideally in both Arabic and English.

Saudi Arabia (KSA)

What it is

  • NCA ECC – national baseline for enterprises (current version ECC-2:2024).
  • NCA OT Cybersecurity Controls (OTCC-1:2022) – extra rules for plants/ICS (segmentation, remote access, vendor oversight).
  • KSA PDPL – national data-protection law (with implementing regs).

What a plant must do

  • Map your program to ECC domains and track gaps.
  • Apply OTCC in the plant: zones and conduits, brokered and recorded vendor access, and patch windows or documented compensating controls where a device cannot be patched.
  • Under PDPL: keep a privacy notice, respect data-subject rights, follow cross-border rules.

Tricky bit, made simple – “is OT really in scope?” Yes. OTCC extends ECC specifically to industrial control systems. Start with one pilot cell: segment it, force all vendor work through a recorded gateway, and log every crossing of the cell boundary so the conduit rules can be evidenced.

Qatar

What it is

  • NIA Standard – Qatar’s framework for controls and certification scoping.
  • Personal Data Privacy Protection Law (Law No. 13 of 2016) – national privacy rules.

What a plant must do

  • Use NIA as your control map (governance, assets, access, monitoring, third parties).
  • For personal data: keep a notice, secure it, be ready for audits.
  • Keep AR/EN evidence for controls and exercises.

Tricky bit, made simple — “do we need certification?” Many private firms use NIA voluntarily because agencies and major customers reference it. Build once → smoother vendor reviews.

Bahrain

What it is

  • PDPL (Law No. 30 of 2018) – privacy law, implemented through ministerial decisions.

What a plant must do

  • Keep a short privacy notice and records of processing for HR/contractor data.
  • Be ready for access/erasure requests and transfer controls.
  • Expect checks for documented compliance (policies, logs, breach handling).

Tricky bit, made simple – “do we register?” Some processing activities require notification to, or prior authorisation from, the authority before they start. Legal/HR can submit the filing; keep copies in your audit pack.

Oman

What it is

  • PDPL (Royal Decree 6/2022) + Executive Regulations (Ministerial Decision 34/2024) – consent-first, DPO required, tight cross-border transfer conditions, and an external audit of personal-data compliance expected.

What a plant must do

  • Appoint a DPO; keep a privacy policy and breach plan.
  • Many cross-border transfers need explicit consent and checks.
  • Prepare for external audit of PDPL compliance.

Tricky bit, made simple – “this sounds heavy”. The 2024 Executive Regulations came with a one-year transition period, and that has since ended, so do not plan on leniency. Start with HR: notices, consent where needed, a request inbox, and a basic breach workflow, then expand to contractor and visitor data.

What every MENA plant should keep “on file”

  • One inventory for IT + OT (hardware, software/firmware, accounts, vendors).
  • Access evidence: admin/vendor sessions through a controlled, recorded gateway with approvals.
  • Monitoring evidence: sample logs from remote access, firewalls, historians, jump hosts.
  • Drill evidence: one tabletop (leaders) + one hands-on (engineers) per year—minutes, timelines, screenshots.
  • Privacy pack: notices, records of processing, breach plan, and cross-border decisions.

FAQ

Do we need different programs for each country? No. Build one control set (e.g., IEC 62443 for OT plus your chosen IT framework) and map it to the UAE, KSA and Qatar requirements. Audits care that you do the basics and keep evidence.

What if we can’t patch a PLC quickly? Use compensating controls and document them: network allow-listing at the cell boundary (only the historian and the recorded jump host may reach the PLC’s protocol ports), brokered remote access, and monitoring with alerts on anything that crosses the boundary outside the allow-list. Record the risk, the temporary controls and the planned patch date in your risk register; auditors generally accept a documented risk acceptance backed by compensating controls, not an undocumented gap.
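As an added example (not from the original article, and not a tool published by any of the regulators named here), the following Python check turns the compensating controls above, and the zones-and-conduits / recorded-gateway point in the KSA OTCC section, into something you can run over firewall logs and file as monitoring evidence. Everything in it is constructed for the example: the cell subnet, PLC and jump-host addresses, the approved conduits, the change window, and the log lines, whose key=value layout is a simplified form modelled on Linux netfilter log output. It flags two things an unpatched PLC needs watching for: any host outside the approved conduits reaching a PLC protocol port, and engineering-port access from the jump host outside the approved change window.

```python
"""Cell-boundary allow-list check for an unpatched PLC (constructed example).

All addresses, ports, the change window and the sample log lines below are
assumptions made for this example; they are not from the original article.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# --- Inventory of the pilot cell (constructed) ---
CELL_NET = ip_network("10.20.5.0/24")  # OT cell behind the cell firewall
PLC_PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP"}
ENGINEERING_PORTS = {102}  # program download/online change = a change event

# --- Approved conduits through the cell boundary: (src, dst, dport) ---
# The historian may poll Modbus at any time; only the recorded jump host may
# reach the engineering port, and only inside an approved change window.
ALLOWED_FLOWS = {
    ("10.20.3.10", "10.20.5.50", 502),  # historian (IDMZ) -> PLC
    ("10.20.3.20", "10.20.5.50", 102),  # recorded jump host -> PLC engineering
}
# Approved vendor maintenance window (constructed), tied to a change ticket.
CHANGE_WINDOW = (
    datetime(2025, 9, 23, 8, 0, tzinfo=timezone.utc),
    datetime(2025, 9, 23, 12, 0, tzinfo=timezone.utc),
)

# Simplified netfilter-style line: "<iso-timestamp> <host> ... SRC= DST= ... PROTO= ... DPT="
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that are not flow records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dpt"))


def check_flow(ts, src, dst, dport):
    """Return a reason string if the flow violates the conduit policy, else None."""
    if ip_address(dst) not in CELL_NET or dport not in PLC_PROTOCOL_PORTS:
        return None  # not traffic to a PLC protocol port in this cell; out of scope here
    if (src, dst, dport) not in ALLOWED_FLOWS:
        return f"{PLC_PROTOCOL_PORTS[dport]} from unapproved source"
    if dport in ENGINEERING_PORTS:
        when = datetime.fromisoformat(ts)  # timestamps carry an explicit UTC offset
        if not (CHANGE_WINDOW[0] <= when <= CHANGE_WINDOW[1]):
            return "engineering access outside approved change window"
    return None


def scan(lines):
    """Run every parseable flow record through the policy; return the findings in log order."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        reason = check_flow(ts, src, dst, dport)
        if reason:
            findings.append(Finding(ts, src, dst, dport, reason))
    return findings


# Constructed sample log from the cell firewall (not real traffic).
SAMPLE_LOG = [
    "2025-09-23T09:15:02+00:00 CELL-FW IN=eth1 OUT=eth0 SRC=10.20.3.10 DST=10.20.5.50 PROTO=TCP SPT=51234 DPT=502",
    "2025-09-23T09:16:40+00:00 CELL-FW IN=eth1 OUT=eth0 SRC=10.20.3.20 DST=10.20.5.50 PROTO=TCP SPT=40001 DPT=102",
    "2025-09-23T10:30:00+00:00 CELL-FW IN=eth1 OUT=eth0 SRC=10.1.8.77 DST=10.20.5.50 PROTO=TCP SPT=55555 DPT=502",
    "2025-09-23T10:31:00+00:00 CELL-FW IN=eth1 OUT=eth0 SRC=10.1.8.77 DST=10.20.5.50 PROTO=TCP SPT=55556 DPT=443",
    "2025-09-23T14:02:11+00:00 CELL-FW IN=eth1 OUT=eth0 SRC=10.20.3.20 DST=10.20.5.50 PROTO=TCP SPT=40002 DPT=102",
    "2025-09-23T14:05:00+00:00 CELL-FW link state change on eth1",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
```

Two design points worth noting. The allow-list is keyed on (source, destination, port) rather than on subnets, which is what a conduit definition under IEC 62443 / OTCC actually is; a vendor laptop that has wandered onto the office LAN (10.1.8.77 above) is caught even though the firewall may have let the packet through. Second, the engineering port is tied to a change window, so the same jump host that is legitimate at 09:16 becomes a finding at 14:02; that finding, plus the change ticket for the window, is exactly the evidence an auditor asks for when a PLC stays unpatched.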

Do we need red teaming? Only when you’re ready. Start with tabletop and hands-on drills. In KSA finance, red teaming follows SAMA practices; for most factories, do it after the basics are in place.