Saudi Arabia's Essential Cybersecurity Controls — the national cyber baseline for the Kingdom.
Government entities, CNI operators, and many regulated private-sector entities.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
114 main controls across 5 domains (Cybersecurity Governance / Defence / Resilience / Third-Party / Industrial Control).
Mandatory annual self-assessment and periodic NCA audits.
Incident reporting to NCA.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
ECC-2:2024 control crosswalk with live evidence.
Annual self-assessment data pack and external audit support.
Multi-regulator overlay for entities subject to ECC + OTCC + SAMA.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
ECC self-assessment package.
External audit pack.
These frameworks share substantial control overlap with NCA ECC. Customers running one assessment typically satisfy the others with the same evidence base.
Middle East
Saudi Arabia's Operational Technology Cybersecurity Controls for industrial control systems in critical sectors.
Middle East
SAMA's Cybersecurity Framework for Saudi banks, insurers, and fintech.
Middle East
The UAE's national information assurance baseline applicable to CII operators and government entities.
Cross-jurisdictional
The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.