Gray Hat Security (GHS) logo

GRC · NCA Regulations · Compliance

NCA Essential Cybersecurity Controls (ECC-2:2024): The Complete Guide

July 7, 2026 · 11 min read · GHS Security Team NCA ECC GRC Saudi Compliance

Quick Answer

NCA ECC (Essential Cybersecurity Controls) is the mandatory cybersecurity baseline issued by Saudi Arabia's National Cybersecurity Authority for government entities and Critical National Infrastructure (CNI) operators. The current version, ECC-2:2024, organizes requirements into 4 domains, 28 subdomains, and 110 controls — streamlined from ECC-1:2018's 5 domains, 29 subdomains, and 114 controls.

The update also introduces a Saudization requirement for cybersecurity staffing and shifts data-localization authority to the National Data Management Office (NDMO) at SDAIA. ECC sits alongside sector overlays — SAMA CSF for banks, CST CRF for ICT licensees — and the newer NCNICC-1:2025, which extends NCA's reach to the general private sector.