Compliance & Regulations/Middle East/NCA ECC

Critical Infrastructure · Kingdom of Saudi Arabia — public sector, CNI operators, mixed obligations for private sector

Saudi NCA ECC

Saudi Arabia's Essential Cybersecurity Controls — the national cyber baseline for the Kingdom.

Regulator

Saudi National Cybersecurity Authority (NCA)

Jurisdiction

Kingdom of Saudi Arabia — public sector, CNI operators, mixed obligations for private sector

Status

Active — ECC-2:2024 latest revision.

In force since

Active

Regulator's source

Who it applies to

Government entities, CNI operators, and many regulated private-sector entities.

Audit / certification status

Continuous evidence pipeline available; audit support included for all customers.

What it requires

What NCA ECC actually requires.

These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.

114 main controls across 5 domains (Cybersecurity Governance / Defence / Resilience / Third-Party / Industrial Control).

Mandatory annual self-assessment and periodic NCA audits.

Incident reporting to NCA.

How Safeguard maps to it

Pre-mapped controls. Continuous evidence.

Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.

ECC-2:2024 control crosswalk with live evidence.

Annual self-assessment data pack and external audit support.

Multi-regulator overlay for entities subject to ECC + OTCC + SAMA.

Evidence we produce

Artifacts your auditor accepts.

Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.

ECC self-assessment package.

External audit pack.

Related frameworks

One evidence base. Many regulators.

These frameworks share substantial control overlap with NCA ECC. Customers running one assessment typically satisfy the others with the same evidence base.

Saudi NCA OTCC

Middle East

Saudi Arabia's Operational Technology Cybersecurity Controls for industrial control systems in critical sectors.

Open

SAMA Cybersecurity Framework

Middle East

SAMA's Cybersecurity Framework for Saudi banks, insurers, and fintech.

Open

UAE NESA / SIA

Middle East

The UAE's national information assurance baseline applicable to CII operators and government entities.

Open

ISO/IEC 27001:2022

Cross-jurisdictional

The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.

Open

Ready for NCA ECC?

Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.

Back to the framework map