GRC · NCA Regulations · Compliance
Quick Answer
NCA ECC (Essential Cybersecurity Controls) is the mandatory cybersecurity baseline issued by Saudi Arabia's National Cybersecurity Authority for government entities and Critical National Infrastructure (CNI) operators. The current version, ECC-2:2024, organizes requirements into 4 domains, 28 subdomains, and 110 controls — streamlined from ECC-1:2018's 5 domains, 29 subdomains, and 114 controls.
The update also introduces a Saudization requirement for cybersecurity staffing and shifts data-localization authority to the National Data Management Office (NDMO) at SDAIA. ECC sits alongside sector overlays — SAMA CSF for banks, CST CRF for ICT licensees — and the newer NCNICC-1:2025, which extends NCA's reach to the general private sector.
If you operate in or sell into Saudi Arabia's government or critical-infrastructure sectors, NCA ECC is not optional reading — it is the control set your organization will be measured against. This guide covers what it is, what changed in the 2024 update, who must comply, and how it fits alongside the Kingdom's other cybersecurity regulations.
The National Cybersecurity Authority (NCA) is Saudi Arabia's national cybersecurity regulator, established in 2017 by royal decree and reporting directly to the highest levels of government. NCA holds both regulatory and operational mandates: it sets binding cybersecurity requirements, and it also coordinates national-level cyber defense and incident response. Its stated purpose is to protect the Kingdom's critical infrastructure, priority sectors, and government services — work that sits directly inside the national security and digital-economy goals of Vision 2030.
Since its founding, NCA has moved from establishing itself as a regulator to actively supervising a maturing compliance ecosystem. Early cycles of ECC assessment gave NCA visibility into where Saudi organizations were consistently under-prepared — a pattern that directly informed the scope and structure of the 2024 update. NCA also maintains close working relationships with sector regulators such as SAMA and CST, which is why the various Saudi cybersecurity frameworks share a recognizable governance/defense/resilience vocabulary rather than each inventing its own.
NCA has issued a family of control frameworks over the past several years, each targeting a different slice of the Saudi economy. ECC is the first and most foundational of these — the baseline that everything else builds on.
NCA did not revise ECC on a fixed schedule out of habit — the 2024 update reflects several years of real assessment data, an evolving threat landscape, and closer alignment with globally recognized standards such as ISO 27001, NIST CSF, and ISF's Standard of Good Practice. Three drivers stand out:
The Essential Cybersecurity Controls (ECC) is NCA's flagship mandatory framework. It defines the minimum set of cybersecurity requirements that in-scope organizations must implement, sustain, and demonstrate — covering governance, technical defense, operational resilience, and third-party risk. ECC does not ask organizations to pick and choose; it is a baseline, meaning every applicable control needs an owner, an implementation state, and evidence.
The original version, ECC-1:2018, was structured around 5 domains, 29 subdomains, and 114 controls. It has since been superseded by ECC-2:2024, a revised and streamlined edition that reflects several years of assessment experience, evolving threats, and lessons NCA absorbed from supervising the first cycle of compliance.
ECC-2:2024 is not a cosmetic refresh. It reorganizes the framework for clarity and shifts responsibility for one entire control area to a different regulator.
| Aspect | ECC-1:2018 | ECC-2:2024 |
|---|---|---|
| Domains | 5 | 4 |
| Subdomains | 29 | 28 |
| Controls | 114 | 110 |
| Data localization | Addressed within ECC controls | Authority moved to NDMO (SDAIA) |
| Cybersecurity staffing | Not explicitly mandated | Full-time, qualified Saudi nationals required |
| Framing | Original baseline | Streamlined for efficiency and clarity |
Two changes deserve particular attention. First, data localization — previously addressed inside ECC itself — is now the responsibility of the National Data Management Office (NDMO) at the Saudi Data and Artificial Intelligence Authority (SDAIA). Organizations still need to comply with data-residency rules; they now find that guidance in NDMO's own regulatory documents rather than in ECC. Second, ECC-2:2024 introduces a workforce localization requirement: cybersecurity roles inside scoped organizations must be filled by full-time, qualified Saudi professionals — a meaningful shift for organizations that previously relied on outsourced, part-time, or expatriate-only security staffing models.
ECC-2:2024 groups its 110 controls into four domains. Defense is by far the largest, reflecting where most day-to-day technical control activity lives.
Strategy, policies, roles and responsibilities, risk management, legal and regulatory compliance, and organization-wide cybersecurity awareness. This domain is the foundation everything else is built on — auditors typically start here.
The largest domain by far, covering asset management, identity and access management, network security, cryptography, application security, endpoint protection, email security, and vulnerability management — including the requirement for regular security testing.
Integrates cybersecurity requirements into business continuity management — backup strategy, disaster recovery, and incident response capability, so that a security event does not become an operational outage.
Vendor risk management, outsourcing controls, and cloud-specific security requirements — recognizing that a growing share of Saudi organizations' attack surface now sits with suppliers and cloud providers rather than on-premises.
ECC's scope of application covers two groups: government entities in the Kingdom — ministries, authorities, and their subsidiaries or affiliates — and private-sector organizations that own, operate, or host Critical National Infrastructure (CNI), such as energy, telecom, finance, healthcare, and transport operators designated by NCA. If your organization is a private-sector company that is not CNI, ECC does not directly apply to you — but you are very likely in scope of NCNICC-1:2025, NCA's newer framework built specifically for the general private sector.
ECC has also become the dominant procurement driver for security services in the Saudi market. It mandates regular security testing as part of the Defense domain, which is why penetration testing and vulnerability management engagements are so consistently tied to ECC audit cycles — see our penetration testing and GRC services for how this typically plays out in practice.
One of the most operationally significant changes in ECC-2:2024 is the requirement that cybersecurity roles within scoped organizations be staffed by full-time, qualified Saudi national professionals. This is a workforce localization requirement layered on top of the technical controls — it does not replace them. Organizations that previously ran security functions through outsourced SOC contracts, offshore analysts, or part-time consultants need to reassess their staffing model against this requirement as part of their ECC-2:2024 transition plan.
ECC compliance is not a one-time certificate. NCA assesses organizations through a combination of self-assessment against the published control set and periodic NCA-led audits and reviews, with maturity typically scored per control or subdomain rather than as a single pass/fail outcome. Because assessments are recurring, the practical risk of falling behind is not a single event — it shows up as adverse audit findings, gaps that widen with each assessment cycle, and reduced eligibility for government and CNI-related contracts that require demonstrated ECC alignment. A platform like ComplyOS is built to keep evidence, ownership, and control status current between assessment cycles rather than reconstructed from scratch each time.
ECC is best understood as the national baseline, with sector regulators layering additional, sector-specific requirements on top for the industries they oversee:
A CNI-designated bank, for example, may need to demonstrate alignment with both ECC and SAMA CSF at the same time — the two frameworks are complementary rather than redundant, but they do require coordinated evidence management.
GHS Perspective
Most of the ECC-2:2024 gap assessments we run surface the same pattern: governance documentation is usually in reasonable shape, but Defense-domain evidence — vulnerability management cadence, access reviews, and network segmentation — lags behind. Organizations that treat ECC as a continuous operating discipline, not an annual audit scramble, consistently score higher and spend less remediating findings under pressure.
For organizations transitioning from ECC-1:2018 or building an ECC program from scratch, a practical sequence looks like this:
Most organizations complete an initial ECC-2:2024 transition over 6 to 12 months, with governance and Third-Party/Cloud domain work typically finishing first and Defense-domain remediation — particularly vulnerability management and network segmentation — taking the longest to mature. Treating ECC as an ongoing operating discipline rather than a project with an end date is what separates organizations that maintain their maturity scores from those that regress between audit cycles.
GHS maps your current controls against ECC-2:2024's four domains, identifies your highest-priority gaps, and delivers a phased remediation roadmap aligned to your next NCA audit cycle.