Saudi Aramco is raising the bar with SACS-210 — a major update focused on advanced controls, tighter NCA alignment, and stronger operational governance. Official details will follow from Aramco. But preparation starts now.
Existing certifications remain valid until renewal. A 6-month transition window ends 26 August 2026.
4S is offering a free readiness gap review and discounted transition support for existing clients.
SACS-210 is the upcoming evolution of Aramco’s third-party cybersecurity standard. It reflects a stronger alignment with the NIST Cybersecurity Framework, related NIST 800 guidance, national cybersecurity regulations in Saudi Arabia, and broader governance expectations used across critical industries.
SACS-210 will introduce critical changes in areas like:
The companies that move early will have more time to assess controls, organise evidence, fix weak areas, and plan audits properly.
4S helps vendors understand what is changing, what it means for their classification, and what they should do now.
Guidance
At the centre of the model are 33 general controls that apply to all third parties. On top of that, suppliers are grouped into six classifications, with added requirements based on the services they provide and the operational exposure they create.
This is important for buyers because it means compliance is no longer a broad, generic exercise. It is more specific. More scoped. More dependent on how your company actually interacts with Aramco environments, systems, data, and operations.
More Information at: aramco.com cybersecurity
All third parties are expected to meet a baseline set of mandatory requirements. This gives Aramco a stronger common floor across the supplier ecosystem. For vendors, that means the basics will matter even more: governance, asset visibility, access control, secure operations, evidence, and readiness to show that controls are active and maintained.
A dedicated OT section:
One of the biggest updates is the addition of a dedicated OT-focused section. This includes five OT controls and places more weight on areas such as security awareness, training, secure-by-design principles, and certification expectations for OT vendors.
| Area | SACS-002 Position | SACS-210 Direction |
|---|---|---|
| Framework basis | Current supplier standard aligned with NIST, NCA ECC, and ISO/IEC 27001 | Stronger alignment to NIST-based structure and national regulatory expectations |
| Supplier structure | General requirements plus additional requirements based on classification | Clearer six-classification model with more explicit scoping |
| General controls | Broad supplier baseline under current standard | 33 mandatory controls for all third parties |
| OT coverage | OT concerns may be addressed indirectly depending on service scope | Dedicated OT section with its own controls |
| Readiness model | Often approached as certification preparation close to audit | Better approached as transition planning, classification review, and staged remediation |
| Business impact | Mandatory for Aramco supplier status today | Will shape renewal readiness, audit workload, and supplier competitiveness going forward |
| Cross-ecosystem value | Mainly Aramco-driven | New certificates may also help suppliers needing alignment for Aramco and SABIC |
Your SACS-210 transition is easier to manage when each step is clear, sequenced, and timed properly.
Review your current certificate, expiry date, supplier scope, and likely classification.
Identify where the new structure may affect your controls, scope, evidence, and renewal planning.
Fix the highest-risk gaps first, assign ownership, and build a practical readiness plan.
Validate controls, organise documentation, and reduce friction before audit and submission.
Use the grace period properly and avoid last-minute delays before 26 August 2026.
A six-month grace period sounds generous until you factor in internal approvals, remediation work, evidence gathering, audit preparation, and scheduling.
The earlier your team starts, the more choices you keep.
Why
The threat environment is moving faster than supplier compliance cycles used to. CrowdStrike’s 2026 Global Threat Report says AI-enabled attacks rose 89% year over year, average breakout time fell to 29 minutes, and adversaries are increasingly abusing trusted identities, SaaS platforms, cloud environments, and even AI systems themselves.
For companies serving critical sectors, this changes the risk picture. Third-party cyber controls are no longer only about policy and procurement. They are about continuity, data trust, operational resilience, audit defensibility, and keeping supplier access open when customer expectations get tougher.
Readiness
If Aramco business matters to your company, renewal delays and failed readiness are commercial problems, not just IT problems. Early preparation helps protect approved supplier status and reduces disruption to ongoing opportunities.
A rushed compliance project usually costs more. Teams duplicate effort. Evidence is incomplete. Controls are patched in late. Early planning lets you fix the right issues once, in the right order.
The strongest readiness programs make day-to-day operations safer and more efficient. Better asset visibility, cleaner access management, stronger monitoring, clearer incident handling, and more disciplined change control all support the business after the audit is over.
Whether you’re a general vendor, infrastructure provider, data processor, or software supplier — you’re in scope. Let us help you:
We’re offering early advisory and pre-launch readiness support for companies who want to stay ahead of the standard — and avoid delays once it goes live.
We’ve helped dozens of suppliers reach and retain certification. Learn more about our SACS-002 services.
You’ll get notified as soon as official requirements are published — and priority access to 4S advisory and compliance planning.
Already certified under SACS-002? We’ll review your current controls and highlight what may need attention before your next renewal.
Used by suppliers preparing for Aramco CCC / CCC+ and SABIC CyberTrust
Support
4S has supported leading regional and global suppliers in achieving cybersecurity compliance under SABIC, Aramco, and national mandates. We combine technical depth with industrial expertise — helping you secure your place in critical supply chains and maintain long-term resilience.
We work across supplier cybersecurity, industrial environments, and Saudi-aligned frameworks. That helps us turn requirements into practical actions, not generic advice.
Suppliers are not starting from a blank page. They have renewals, customer deadlines, limited internal resources, and operational commitments. Our approach is built around that reality.
Many vendors serve mixed environments. We understand that a software supplier, a managed service provider, and an OT contractor do not face the same risks or evidence expectations.
Our work helps management answer the important questions early: What changes? What will it cost? What needs fixing first? What can wait? What is the risk if we do nothing now?