The references NORA builds on: global frameworks, Saudi government business capabilities, and national controls for technology, data, and security.
- The organisational framework for digital government work.
- Core standards for digital transformation.
- Benchmarks against several countries with advanced national EA practices.
- Federal Enterprise Architecture Framework, second version (FEAF V2.0).
- The Open Group Architecture Framework, tenth version (TOGAF 10).

| Domain | References cited by the guideline |
|---|---|
| Business Architecture | APQC business-capability framework, plus a reference list of business capabilities drawn from multiple Saudi government entities. |
| Beneficiary Experience Architecture | Centralised beneficiary policy, the service-lab establishment document (World Government Summit, UAE), the U.S. Federal Customer Experience system, the GSA Customer Experience Excellence handbook, and beneficiary-experience practices observed across Saudi government entities. |
| Application Architecture | DGA regulations on comprehensive government platforms, the guide for defining platforms, products, and digital services, a review of national solutions such as those from the National Center for Government Resource Systems, and a reference list of application components drawn from Saudi entities. |
| Data Architecture | SDAIA policies and controls on data management and governance, the national data governance policies document from the National Data Management Office, the data management and governance controls including personal data protection, and national initiatives such as the National Data Bank. |
| Technology Architecture | DGA cloud computing adoption guide for government entities (09/08/2023), the risk management and business continuity controls, and the Risk and Business Continuity Management guideline for digital government. |
| Security Architecture | ISO/IEC 27001:2022 for information security management, NIST SP 800-207 for Zero Trust Architecture, and the National Cybersecurity Authority controls (Essential, Sensitive Systems, Data, Cloud Computing, Telework, Social Media Accounts of Entities, and Operational Systems). |

| Step | Description |
|---|---|
| Inventory and assess | List the national and international standards adopted per domain, with the type of obligation (mandatory or optional) and the issuing body. |
| Engage stakeholders | Bring business and technology stakeholders together with domain owners to review the list and close gaps before approval. |
| Approve the list | Derive an approved EA standards list, document and code it, and tie every item to one of the six domains. |
| Periodic review | Review the list on a regular cycle and refresh it in step with business shifts and regulations issued by the DGA and other regulators. |

- Consistent design, implementation, and compliance with national regulations.
- Higher integration and interoperability across systems via shared interfaces and protocols.
- Lower exposure to data breaches and technical gaps once cybersecurity controls are enforced.
- Less duplication and complexity, with a direct effect on running costs and spend efficiency.
- Stronger EA governance through checklists and periodic audits.