NCA ECC vs SAMA CSF: Saudi Arabia's Two Cybersecurity Frameworks Compared
The definitive comparison of NCA ECC and SAMA CSF — who must comply, control counts, assessment models, the 40% overlap, and how to satisfy both with unified evidence.
Saudi Arabia operates two mandatory cybersecurity frameworks that address overlapping but distinct slices of the national economy. The essential difference is structural: SAMA CSF uses a five-level maturity model in which organisations demonstrate progressive capability, while NCA ECC uses a binary compliant/non-compliant assessment per control. Both operate on annual cycles. Neither replaces the other, and for a significant category of organisations — particularly financial entities with critical infrastructure designations — both are simultaneously mandatory.
Issuing Bodies and Regulatory Authority
NCA ECC — formally the Essential Cybersecurity Controls, first published as ECC-1:2018 — is issued and enforced by the National Cybersecurity Authority (NCA), the independent government body responsible for national cybersecurity strategy, regulation, and oversight across Saudi Arabia. The NCA has authority over government entities and operators of critical national infrastructure regardless of their sector.
SAMA CSF — the Cyber Security Framework — is issued and enforced by the Saudi Central Bank (SAMA). SAMA's supervisory mandate is sector-specific: it regulates banks, insurance companies, fintechs, payment service providers, and exchange houses operating in the Kingdom. The CSF sits within SAMA's broader prudential and operational risk supervision regime, meaning non-compliance carries direct supervisory consequences including potential licence implications.
The two bodies have separate enforcement regimes, separate submission processes, and separate inspection mechanisms. An organisation cannot satisfy one body by referencing its compliance with the other.
Who Must Comply
NCA ECC applies to Saudi government agencies, operators of critical national infrastructure (CNI), and any entity that holds or processes sensitive national data. CNI designation spans multiple sectors — energy, water, telecommunications, transport, financial infrastructure, health, and others — and is determined by the NCA on the basis of systemic impact criteria rather than sector classification alone.
SAMA CSF applies to the supervised financial sector: licensed banks, insurance companies and intermediaries, fintechs operating under SAMA licences, payment service providers, and exchange houses. SAMA-regulated entities are required to self-assess annually and submit results through SAMA's supervisory channels.
The category that demands the most attention is the intersection: organisations that are both SAMA-regulated and CNI-designated must satisfy both frameworks in full. A large Saudi bank that is also classified as part of the financial critical infrastructure — which describes virtually every systemically important domestic bank — operates under dual mandatory obligations. Treating those obligations independently, with separate evidence sets and separate assessment teams, is technically compliant but operationally wasteful.
Control Architecture
The two frameworks differ materially in scale and structure.
NCA ECC is organised across four domains: Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, and Third-party and Cloud Cybersecurity. Within those domains, the framework defines 108 main controls and 232 sub-controls. The sub-control is the unit of assessment: each one is evaluated individually as compliant, partially compliant, or non-compliant, and evidence must be produced to support the determination.
SAMA CSF is broader in control count. Its four domains — Cybersecurity Leadership and Governance, Cybersecurity Risk Management and Compliance, Cybersecurity Operations and Technology, and Third-party and Cloud Cybersecurity — contain 250 controls in aggregate. The domain labels are deliberately similar to ECC's, which reflects a degree of intentional alignment; the assessment methodology, however, is fundamentally different.
Assessment Model
The assessment models represent the sharpest practical distinction between the two frameworks.
Under NCA ECC, each sub-control is assessed as Compliant, Partially Compliant, or Non-compliant. The process is an annual self-assessment, with the NCA retaining the right to review and challenge submissions. The binary character of the assessment means that evidence either demonstrates a functioning control or it does not — there is no credit for intent or partial implementation beyond the partial compliance rating, and the NCA's expectation is that organisations move to full compliance on a defined remediation timeline.
Under SAMA CSF, each control is scored on a five-level maturity scale: Level 0 (Non-existent) through Level 5 (Optimised). The annual self-assessment assigns a maturity level to each control based on a defined capability description for each level. Beyond the self-assessment, SAMA conducts periodic supervisory inspections — in-person and documentation-based examinations that validate self-reported scores. Organisations are expected to demonstrate continuous improvement across assessment cycles, and SAMA maintains supervisory memory of previous scores.
The 40% Overlap
Approximately 40% of controls map across both frameworks, representing the common cybersecurity foundations that any serious programme must address regardless of which regulator is watching. The overlap is concentrated in the disciplines that sit at the core of operational security: access management, cryptography, vulnerability management, security monitoring, incident response, network security architecture, business continuity, and third-party risk management.
For organisations subject to both frameworks, this overlap has a direct operational implication. A penetration test report, an access management policy, an incident response exercise record, or a third-party risk assessment can serve as evidence for controls in both ECC and CSF simultaneously — provided the evidence is mapped correctly and the documentation standards meet both frameworks' requirements. Organisations that treat the two frameworks as wholly separate programmes collect the same evidence twice, maintain two separate gap registers, and run two separate assessment cycles. That duplication is not a regulatory requirement; it is an artefact of organisational structure and the absence of a unified mapping.
NCA Supplementary Frameworks
ECC is the baseline, not the ceiling of NCA obligations. Two supplementary frameworks sit above it and apply to specific circumstances.
NCA CSCC (Cloud Cybersecurity Controls) applies to any ECC-obligated organisation that uses cloud computing services. It adds cloud-specific controls covering shared responsibility, data residency, provider assurance, and incident coordination — areas where ECC's general controls require more granular implementation guidance for cloud environments.
NCA CCC (Critical Systems Cybersecurity Controls) applies to systems classified as nationally critical within an organisation's technology estate. Both CSCC and CCC are additive: an organisation subject to ECC, CSCC, and CCC must satisfy all three. There is no substitution. SAMA-regulated entities that are also CNI-designated and use cloud services therefore operate under ECC, CSCC, and SAMA CSF as a minimum — with CCC applying if specific systems within their estate carry a national criticality classification.
PDPL Intersection
The Personal Data Protection Law (PDPL), enforced by the Saudi Data and Artificial Intelligence Authority (SDAIA), operates as a third regulatory dimension alongside both cybersecurity frameworks. This is a point of recurring confusion: achieving ECC compliance or CSF maturity Level 3 does not imply PDPL compliance. The frameworks address cybersecurity controls; PDPL addresses data subject rights, consent, retention, and cross-border transfer obligations that extend well beyond the perimeter of a cybersecurity programme.
The natural integration layer is NCA DCC (Data Cybersecurity Controls), which addresses the data-specific cybersecurity requirements that neither ECC nor CSF covers with sufficient granularity. DCC should be treated as the bridge between an organisation's cybersecurity programme and its PDPL obligations — providing the technical controls framework that supports PDPL's operational requirements for data protection, breach notification, and secure processing.
The Bottom Line: Four Organisation Scenarios
The compliance obligation depends on the organisation's regulatory and infrastructure classification:
A SAMA-regulated bank or insurer will almost certainly be subject to both SAMA CSF and NCA ECC. Systemically important banks are effectively always CNI-designated, making dual compliance mandatory rather than optional.
A fintech operating under a SAMA licence without a CNI designation faces SAMA CSF as the primary framework. NCA ECC applies only if a CNI designation is subsequently assigned. Fintechs should nonetheless monitor their infrastructure footprint — growth that creates systemic dependency can trigger CNI designation.
A government entity or CNI operator outside the financial sector faces NCA ECC as the primary framework, with CSCC or CCC applying where relevant. SAMA CSF is not applicable unless the entity also holds a SAMA licence.
A financial entity with a formal CNI designation — the category that includes the Kingdom's major banks — faces both frameworks as mandatory obligations with no derogation available.
The practical implication across all four scenarios is the same: a unified GRC platform with pre-built cross-mapping between ECC and CSF controls enables evidence collected once to satisfy both frameworks simultaneously. Control overlaps are addressed in a single evidence collection exercise; gaps are identified in a single register; and assessment outputs are mapped to the correct framework format for each submission. The regulatory obligations do not simplify — but the operational burden of meeting them does not need to be additive.
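The unified evidence approach described above (and in the section on the 40% overlap) can be made concrete with a small register that attaches each evidence item once to a common control, then derives the ECC determination (Compliant, Partially Compliant, Non-compliant) and carries the assessor-assigned SAMA CSF maturity level (0 to 5) for the same control, producing a single gap register and an evidence-reuse map. This is an added illustration, not code from the article or from GRC Vantage. All control identifiers, evidence items and maturity levels are constructed placeholders, not the frameworks' real control numbering, and the plausibility rule for CSF levels (a claimed level of 3 or more with incomplete evidence is flagged) is an assumption made for the example.

```python
"""Unified evidence register for an organisation assessed under both NCA ECC
and SAMA CSF.  Control identifiers, evidence items and maturity levels below
are constructed for illustration; they are not the frameworks' real numbering."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Evidence:
    evidence_id: str
    kind: str         # e.g. "pentest-report", "access-policy"
    effective: bool   # reviewer's judgement: does it show a functioning control?


@dataclass(frozen=True)
class CommonControl:
    name: str
    ecc_subcontrols: Tuple[str, ...]   # empty when the control exists only in CSF
    csf_controls: Tuple[str, ...]      # empty when the control exists only in ECC
    required_kinds: Tuple[str, ...]    # evidence kinds that together show the control works


# Constructed catalogue (hypothetical IDs): two overlapping controls, one ECC-only, one CSF-only.
CATALOGUE = [
    CommonControl("Vulnerability management", ("ECC-VM-1", "ECC-VM-2"),
                  ("CSF-VM-1",), ("pentest-report", "scan-schedule")),
    CommonControl("Access management", ("ECC-AM-1",),
                  ("CSF-AM-1", "CSF-AM-2"), ("access-policy", "access-review-record")),
    CommonControl("National data classification", ("ECC-DC-1",), (), ("classification-policy",)),
    CommonControl("Board cyber reporting", (), ("CSF-BR-1",), ("board-pack",)),
]


def covered_kinds(control: CommonControl, evidence: List[Evidence]) -> List[str]:
    """Required evidence kinds for which at least one effective item is attached."""
    return [k for k in control.required_kinds
            if any(e.kind == k and e.effective for e in evidence)]


def ecc_status(control: CommonControl, evidence: List[Evidence]) -> Optional[str]:
    """ECC determination: all required kinds present -> Compliant, none -> Non-compliant,
    anything in between -> Partially Compliant.  None when the control is CSF-only."""
    if not control.ecc_subcontrols:
        return None
    n = len(covered_kinds(control, evidence))
    if n == len(control.required_kinds):
        return "Compliant"
    return "Non-compliant" if n == 0 else "Partially Compliant"


def csf_finding(control: CommonControl, evidence: List[Evidence],
                claimed_level: int) -> Optional[Tuple[int, Optional[str]]]:
    """CSF maturity is assessor-assigned (0..5); the register only checks plausibility.
    Assumed rule for this example: level 3 or above with incomplete evidence is flagged."""
    if not control.csf_controls:
        return None
    if not 0 <= claimed_level <= 5:
        raise ValueError(f"maturity level out of range: {claimed_level}")
    complete = len(covered_kinds(control, evidence)) == len(control.required_kinds)
    flag = None if complete or claimed_level < 3 else "claimed level not supported by evidence"
    return claimed_level, flag


def assess(catalogue, evidence_by_control: Dict[str, List[Evidence]],
           claimed_levels: Dict[str, int]) -> Dict[str, object]:
    """Collect evidence once per common control and emit both frameworks' views,
    a single gap register, and a map of which frameworks each evidence item serves."""
    ecc, csf, gaps, reuse = {}, {}, [], {}
    for c in catalogue:
        ev = evidence_by_control.get(c.name, [])
        status = ecc_status(c, ev)
        for sid in c.ecc_subcontrols:
            ecc[sid] = status
        finding = csf_finding(c, ev, claimed_levels.get(c.name, 0))
        for cid in c.csf_controls:
            csf[cid] = finding
        missing = [k for k in c.required_kinds if k not in covered_kinds(c, ev)]
        if missing:
            gaps.append({"control": c.name, "missing": missing,
                         "affects": list(c.ecc_subcontrols + c.csf_controls)})
        frameworks = [f for f, ids in (("ECC", c.ecc_subcontrols), ("CSF", c.csf_controls)) if ids]
        for e in ev:
            reuse.setdefault(e.evidence_id, set()).update(frameworks)
    return {"ecc": ecc, "csf": csf, "gaps": gaps, "reuse": reuse}


# Constructed evidence set: attached once per common control, never once per framework.
EVIDENCE = {
    "Vulnerability management": [Evidence("EV-1", "pentest-report", True),
                                 Evidence("EV-2", "scan-schedule", True)],
    "Access management": [Evidence("EV-3", "access-policy", True)],   # review record missing
    "Board cyber reporting": [Evidence("EV-4", "board-pack", True)],
}
CLAIMED_LEVELS = {"Vulnerability management": 3, "Access management": 4,
                  "Board cyber reporting": 2}

if __name__ == "__main__":
    result = assess(CATALOGUE, EVIDENCE, CLAIMED_LEVELS)
    for fw in ("ecc", "csf"):
        print(fw.upper(), result[fw])
    print("GAPS", result["gaps"])
    print("REUSE", {k: sorted(v) for k, v in result["reuse"].items()})
```

Running the block shows the single penetration test report (EV-1) credited to both ECC sub-controls and the CSF control, the incomplete access-management evidence appearing once in the gap register while affecting three control identifiers across both frameworks, and a claimed maturity level 4 flagged for review because the supporting evidence is incomplete. The point is that the mapping layer, not the evidence, is what differs between the two submissions.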

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.