NCA ECC Compliance Checklist 2026 (Free Template)

A free NCA ECC compliance checklist for 2026 — every domain, sub-control and evidence requirement Saudi government and CNI operators need, downloadable.

GRC Vantage Team · 2026-04-08 · 6 min read

The National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC-1:2018) are the baseline cybersecurity standard every Saudi government entity and critical national infrastructure (CNI) operator is measured against. NCA has since published a revised edition, ECC-2:2024; the sub-control numbering in this checklist follows ECC-1:2018, so confirm with your assessor which edition your submission is measured against. Unlike SAMA CSF, which is principle-led and maturity-scored, NCA ECC is closer to a structured compliance check: each sub-control is rated implemented, partially implemented or not implemented, and the rating has to be backed by evidence. That makes a clean checklist particularly useful: the question per sub-control is narrow, and the team needs an organised way to answer it.

This post is the structured NCA ECC compliance checklist for 2026, organised by the framework's five domains. A downloadable working copy is available at the end.

How to use this checklist

For each line item:

  1. Mark the current state — compliant, partially compliant, or non-compliant.
  2. Identify the owner (named individual, not a function).
  3. Note the evidence reference.
  4. Record the date the assessment was made.
  5. Identify the gap and the action required to close it.

The NCA assessment process collects evidence against each sub-control. A working checklist updated in real time produces the submission almost as a by-product; one filled in retrospectively is the source of most submission delays.

Domain 1 — Cybersecurity Governance

The Governance domain establishes the management foundation.

1-1 Cybersecurity strategy. Documented cybersecurity strategy approved at the highest level (typically the CEO or equivalent), aligned to the organisation's overall strategy and to national cybersecurity priorities.

1-2 Cybersecurity management. Defined cybersecurity function with named leadership reporting independently of the IT function. Documented roles and responsibilities. Resourcing appropriate to risk.

1-3 Cybersecurity policies and procedures. Documented cybersecurity policy approved at appropriate level, communicated to all relevant staff, supported by sub-policies. Defined review cadence (annual minimum).

1-4 Cybersecurity roles and responsibilities. Documented roles and responsibilities for cybersecurity. Job descriptions reflect the responsibilities.

1-5 Cybersecurity risk management. Documented risk management approach covering identification, analysis, evaluation and treatment. Risk register maintained.

1-6 Cybersecurity in IT projects. Documented requirement to consider cybersecurity in IT projects from the design phase.

1-7 Compliance with cybersecurity laws and regulations. Documented identification of applicable laws and regulations. Tracking of compliance.

1-8 Periodic cybersecurity review and audit. Documented internal audit programme covering cybersecurity. Findings tracked to closure.

1-9 Cybersecurity in human resources. Cybersecurity considerations in joiners-movers-leavers. Background screening commensurate with role. Acceptable use agreements.

1-10 Cybersecurity awareness and training. Documented awareness programme with role-based training, completion tracking and refresher cadence.

Domain 2 — Cybersecurity Defence

This is the largest domain by control count and covers the day-to-day technical controls.

Asset management (2-1)

Asset inventory covering hardware, software, systems and data. Owners assigned. Classification applied. Updated as assets change. Secure disposal of media at end of life.

Identity and access management (2-2)

User access management lifecycle (joiners-movers-leavers) with documented SLAs. Authentication strength appropriate to data classification — multi-factor authentication mandatory for administrative and remote access. Privileged access management with least privilege, time-bounded sessions where appropriate, monitoring of privileged actions. Periodic access review (typically quarterly for privileged, annually for general).

Information system and information processing facilities protection (2-3)

System hardening to documented standards. Anti-malware controls in place. Patch management with documented SLAs by criticality. Configuration management.

Email protection (2-4)

Email gateway protections in place: anti-spam, anti-phishing, attachment scanning, link inspection. SPF, DKIM and DMARC published for every sending domain, with DMARC at an enforcing policy (quarantine or reject) rather than monitor-only p=none, and aggregate reports reviewed. User reporting mechanism for suspected phishing.
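The weak settings an assessor looks for in the published records are mechanical to check. The script below is an added example, not code from the original post or from GRC Vantage: it parses SPF, DMARC and DKIM TXT records and reports the findings that usually turn a 2-4 "compliant" into "partially compliant" (a pass-all or softfail SPF, more than the ten DNS lookups RFC 7208 allows, DMARC p=none or partial pct, no rua address, subdomains left at sp=none, a DKIM key in t=y test mode or with an empty p= tag). The domain names and key material are constructed; in use you would fetch the records with a DNS lookup and feed them to assess().

```python
import re

# Constructed sample records for the example (not real domains or keys).
SAMPLE_RECORDS = {
    "example.gov.sa": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 ~all",
    "_dmarc.example.gov.sa": "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example.gov.sa",
    "sel1._domainkey.example.gov.sa": "v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDexamplekeymaterial",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record):
    """Split a 'k=v; k=v' tag-value record (DMARC, DKIM) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means none found)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        if t.startswith("redirect="):
            lookups += 1  # redirect= costs a lookup like include:
            continue
        qualifier = "+"
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        mech = re.split(r"[:/]", t, maxsplit=1)[0]
        if mech in LOOKUP_MECHANISMS:
            lookups += 1
        if mech == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and unreliable")
        if mech == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as the domain")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once DMARC reports confirm all senders are listed")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag, receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("DMARC: pct= is not a number")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to evidence enforcement")
    if tags.get("sp", policy) == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def check_dkim(record):
    """Return a list of weaknesses in a DKIM selector record."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: v= tag present but not DKIM1")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag, key is revoked and signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y testing flag set, receivers may ignore verification failures")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"DKIM: unknown key type k={tags['k']}")
    return findings


def assess(records):
    """Map each record name to its findings, choosing the checker from the name's shape."""
    results = {}
    for name, record in records.items():
        if name.startswith("_dmarc."):
            results[name] = check_dmarc(record)
        elif "._domainkey." in name:
            results[name] = check_dkim(record)
        else:
            results[name] = check_spf(record)
    return results


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_RECORDS).items():
        print(name, "->", findings or ["ok"])
```

Run it against a fresh dig of each record and attach the output to the 2-4 evidence line; the same output a month later, with p=none gone and the softfail tightened, is the remediation evidence.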

Networks security management (2-5)

Documented network architecture with appropriate segmentation between corporate, production, management and (where applicable) industrial networks. Firewall rule reviews. Wireless network security. Remote access security (VPN with MFA, defined access controls, session monitoring).

Mobile devices security (2-6)

Mobile device management for organisation-owned devices. Defined controls for personal devices accessing corporate data (BYOD policy where applicable). Encryption at rest. Remote wipe capability.

Data and information protection (2-7)

Data classification scheme. Controls applied per classification. Data loss prevention controls where appropriate. Encryption of sensitive data at rest and in transit.

Cryptography (2-8)

Documented cryptographic standards. Approved algorithms. Key management process. Key inventory.

Backup and recovery management (2-9)

Documented backup approach for critical data. Regular backup execution. Off-site backup retention. Periodic restoration testing. RPO defined per system criticality.

Vulnerabilities management (2-10)

Vulnerability scanning on a defined cadence, covering the full asset inventory. Documented patch SLAs by vulnerability criticality (ECC leaves the windows to the organisation; 24h for critical, 7d for high and 30d for medium are common targets). Evidence of compliance with the SLAs, meaning per-finding detection and remediation dates, not just scan reports.
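The SLA evidence is a calculation over the scanner's export, so it is worth automating rather than assembling by hand before a submission. The script below is an added example, not code from the original post or from GRC Vantage. It applies the windows quoted above to a constructed list of findings (a 90-day window for low severity is an assumption of the example; ECC does not fix any of these numbers) and reports, per severity, how many findings were closed inside the window, how many were closed late, which are still open but within their window, and which are overdue. Open findings inside their window are left out of the percentage; overdue ones count against it.

```python
from datetime import datetime, timedelta

# Patch windows by severity. ECC leaves the values to the organisation; the first three
# are the common targets quoted in the text, the low-severity window is assumed here.
SLA = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),
}

# Constructed scanner export for the example (not real findings). remediated=None means still open.
FINDINGS = [
    {"id": "V-001", "severity": "critical", "detected": "2026-03-01T09:00", "remediated": "2026-03-01T20:00"},
    {"id": "V-002", "severity": "critical", "detected": "2026-03-02T09:00", "remediated": "2026-03-04T10:00"},
    {"id": "V-003", "severity": "high", "detected": "2026-03-10T09:00", "remediated": "2026-03-15T09:00"},
    {"id": "V-004", "severity": "high", "detected": "2026-03-28T09:00", "remediated": None},
    {"id": "V-005", "severity": "medium", "detected": "2026-02-20T09:00", "remediated": None},
    {"id": "V-006", "severity": "medium", "detected": "2026-03-30T09:00", "remediated": None},
]

# Assessment date for the example run.
REPORT_DATE = datetime(2026, 4, 1, 9, 0)


def classify(finding, now):
    """Return 'met' or 'breached' for closed findings, 'open' or 'overdue' for open ones."""
    detected = datetime.fromisoformat(finding["detected"])
    deadline = detected + SLA[finding["severity"]]
    if finding["remediated"] is not None:
        fixed = datetime.fromisoformat(finding["remediated"])
        return "met" if fixed <= deadline else "breached"
    return "open" if now <= deadline else "overdue"


def sla_report(findings, now):
    """Per-severity counts and compliance percentage.

    compliance_pct = met / (met + breached + overdue); findings still inside their
    window are reported but not yet counted either way.
    """
    report = {}
    for f in findings:
        sev = report.setdefault(
            f["severity"],
            {"met": 0, "breached": 0, "open": 0, "overdue": [], "compliance_pct": None},
        )
        status = classify(f, now)
        if status == "overdue":
            sev["overdue"].append(f["id"])
        else:
            sev[status] += 1
    for sev in report.values():
        measured = sev["met"] + sev["breached"] + len(sev["overdue"])
        sev["compliance_pct"] = round(100 * sev["met"] / measured, 1) if measured else None
    return report


def demo_report():
    """The report for the constructed findings at REPORT_DATE."""
    return sla_report(FINDINGS, REPORT_DATE)


if __name__ == "__main__":
    for severity, row in demo_report().items():
        print(severity, row)
```

The overdue list is the part an assessor will read first: each ID on it needs either a remediation date or a documented risk acceptance by the time of submission.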

Penetration testing (2-11)

External penetration testing on defined cadence. Findings tracked to closure with documented remediation evidence.

Cybersecurity event logs and monitoring management (2-12)

Centralised log collection from in-scope systems. Log retention of at least 12 months, as the control requires. Integrity protection on logs, so that an attacker who compromises a source system cannot silently edit or delete its history. Security monitoring with defined use cases. SIEM in place. Documented alert response SLAs.
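"Integrity protection on logs" is usually evidenced by a collector feature, but the mechanism is simple enough to show, and showing it makes clear what the feature does and does not protect against. The block below is an added example, not code from the original post or from GRC Vantage: it seals a sequence of constructed log lines with an HMAC hash chain, where each tag covers the line and the previous tag, and then verifies the chain. Editing, deleting or reordering any line breaks verification at that point. Truncating the tail does not, unless the most recent tag is anchored somewhere the attacker cannot reach, which is why verify() accepts an expected tail tag. The key is a constructed placeholder.

```python
import hashlib
import hmac

# Constructed key and log lines for the example. In a real deployment the key lives on
# the collector (or an HSM), never on the host that writes the logs.
KEY = b"constructed-demo-key-do-not-use"
GENESIS = b"\x00" * 32

SAMPLE_LOGS = [
    "2026-03-01T09:00:01Z host=app01 user=j.alotaibi action=login result=success",
    "2026-03-01T09:00:07Z host=app01 user=j.alotaibi action=sudo cmd=/bin/bash result=success",
    "2026-03-01T09:02:13Z host=app01 user=root action=useradd name=svc-backup result=success",
    "2026-03-01T09:02:40Z host=app01 user=root action=logout",
]


def seal(lines, key):
    """Return [(line, tag_hex), ...] where tag = HMAC-SHA256(key, previous_tag || line)."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key, expected_tail=None):
    """Return -1 if the chain is intact, else the index of the first entry that fails.

    An edited, deleted or reordered entry fails at its own position. If expected_tail
    (the hex tag last seen by the collector) is given, a truncated chain fails at
    len(sealed), the position where the missing entries should start.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if expected_tail is not None and not hmac.compare_digest(prev, bytes.fromhex(expected_tail)):
        return len(sealed)
    return -1


if __name__ == "__main__":
    chain = seal(SAMPLE_LOGS, KEY)
    print("intact:", verify(chain, KEY))
    tampered = list(chain)
    tampered[2] = (tampered[2][0].replace("useradd", "ls"), tampered[2][1])
    print("edited entry fails at:", verify(tampered, KEY))
    print("truncated, no anchor:", verify(chain[:-1], KEY))
    print("truncated, anchored tail:", verify(chain[:-1], KEY, expected_tail=chain[-1][1]))
```

The two truncation results are the point for the checklist: a hash chain alone is not enough, and the evidence for this sub-control should show where the latest tag (or the signed batch digest in your SIEM's terms) is stored independently of the source.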

Cybersecurity incident and threat management (2-13)

Documented incident response plan with severity classification, escalation paths and runbooks. Incident detection capability. Notification process to NCA and other relevant authorities. Post-incident review.

Physical security (2-14)

Physical security controls for facilities housing in-scope systems. Access control to data centres and equipment rooms. Environmental controls. CCTV and monitoring.

Web application security (2-15)

Documented secure web application standards. OWASP Top 10 considered. Web application firewall where appropriate. Security testing before production deployment.

Domain 3 — Cybersecurity Resilience

NCA ECC folds cybersecurity resilience directly into the core framework, unlike many international standards.

3-1 Cybersecurity in business continuity management. Cybersecurity requirements embedded in the BCM lifecycle. Cyber scenarios considered in business impact analysis. Recovery plans cover cyber scenarios. Exercises include cyber scenarios.

Domain 4 — Third-Party and Cloud Computing Cybersecurity

4-1 Third-party cybersecurity. Documented third-party cybersecurity programme. Due diligence at onboarding. Contractual cybersecurity requirements. Ongoing monitoring. Termination controls.

4-2 Cloud computing and hosting cybersecurity. Cybersecurity requirements applied to cloud arrangements. For in-scope entities using cloud, the NCA Cloud Cybersecurity Controls (CCC) apply in addition to ECC and impose more detailed requirements.

Domain 5 — Industrial Control Systems Cybersecurity

For entities operating industrial control systems — utilities, energy, manufacturing, certain transport operators — domain 5 applies. Entities with significant OT estates should also consider the NCA Operational Technology Cybersecurity Controls (OTCC), which add depth on top of ECC.

5-1 ICS cybersecurity. Documented ICS cybersecurity strategy. Network segmentation between corporate IT and OT environments. Vendor support controls. Hardening of ICS components. Monitoring of ICS environments. Documented incident response procedures specific to ICS.

Frameworks that often apply alongside ECC

Many in-scope entities are subject to additional NCA frameworks based on the data they handle and the systems they operate:

  • CSCC — Critical Systems Cybersecurity Controls, for systems classified as critical national systems.
  • CCC — Cloud Cybersecurity Controls, for cloud arrangements.
  • OTCC — Operational Technology Cybersecurity Controls, for OT/ICS estates.
  • DCC — Data Cybersecurity Controls.
  • TCC — Telework Cybersecurity Controls.

A complete compliance posture for a Saudi government entity or CNI operator usually includes ECC plus one or more of these supplementary frameworks. The checklist above covers ECC as the baseline; the supplementary frameworks are documented separately.

Get the downloadable checklist

The full checklist — formatted as a working spreadsheet with state, owner, evidence reference and target date columns — is available on request. Contact us to receive a copy.

For the wider regulatory context, read our NCA frameworks guide and our deep-dive NCA ECC compliance guide. To see the same checklist running as a live, audit-trailed control library inside a unified GRC platform — with evidence collected once and presented in NCA submission format — read about GRC Vantage's compliance module, supported from our offices in Riyadh and Dammam.

GRC Vantage Team
Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.