NCA Frameworks: A Complete Guide for Saudi Organisations

A practitioner's guide to every NCA framework — ECC, CSCC, CCC, OTCC, DCC and TCC — for Saudi government, critical infrastructure and regulated enterprises.

GRC Vantage Team · 2026-04-08 · 12 min read

The National Cybersecurity Authority (NCA) is the regulatory body responsible for cybersecurity at the national level in Saudi Arabia. Established by Royal Order in 2017, the NCA is now the issuing authority for a growing family of cybersecurity frameworks that govern government entities, critical national infrastructure operators, and a significant share of the private sector. Most teams know the Essential Cybersecurity Controls (ECC), but the NCA family is much wider — and the other frameworks are exactly the ones inspectors are increasingly focused on.

This guide walks through every NCA framework, who they apply to, how they relate to each other, and how to build a connected NCA-aligned cybersecurity programme. It is written for CISOs, GRC managers and compliance officers in Saudi government bodies, critical infrastructure operators, healthcare providers, energy companies, telecoms, regulated enterprises and any organisation that finds itself in scope of the NCA mandate.

Why the NCA matters

Saudi Arabia's cybersecurity strategy is anchored in Vision 2030 and the parallel modernisation of government services, payments, healthcare, energy and digital infrastructure. The NCA sits at the centre of that strategy with two principal roles: setting the national cybersecurity policy and frameworks, and supervising compliance across in-scope organisations.

For a CISO, the practical implication is that the NCA is now the single most important cybersecurity regulator in Saudi Arabia outside the financial sector. Even financial institutions regulated by SAMA find themselves in scope of NCA requirements where their systems are classified as critical national infrastructure or where they host in cloud environments covered by NCA Cloud Controls.

A common mistake is to treat "NCA compliance" as if it means "ECC compliance". It doesn't. Just as SAMA issues a family of frameworks rather than one document, the NCA has built up a connected family of control sets that interlock. Reducing the conversation to ECC misses CSCC, CCC, OTCC, DCC and TCC — every one of which can be in scope depending on what your organisation does.

What the NCA framework family covers

The NCA framework family currently consists of six core control sets:

  1. Essential Cybersecurity Controls (ECC) — the baseline cybersecurity standard
  2. Critical Systems Cybersecurity Controls (CSCC) — additional controls for systems classified as critical
  3. Cloud Cybersecurity Controls (CCC) — controls for cloud service providers and cloud tenants
  4. Operational Technology Cybersecurity Controls (OTCC) — controls for industrial control systems and OT
  5. Data Cybersecurity Controls (DCC) — controls focused on data protection and lifecycle
  6. Telework Cybersecurity Controls (TCC) — controls for remote and hybrid working

On top of these, the NCA issues sector-specific guidelines and directives — and the Saudi Cybersecurity Higher Committee provides national-level direction that the NCA operationalises. The framework family is regularly extended; new control sets and updated versions are published periodically and inspected entities are expected to keep current.

1. NCA Essential Cybersecurity Controls (ECC)

The Essential Cybersecurity Controls are the cornerstone of the NCA framework family. ECC defines the minimum cybersecurity controls expected of every organisation in scope: government entities, critical national infrastructure operators, and a wide range of private-sector organisations that touch sensitive systems or data.

ECC is structured around five main domains, each broken down into subdomains and individual controls. The five main domains are:

  • Cybersecurity Governance — strategy, policies, roles, risk management, awareness, human resources security, third parties, project security, compliance and review
  • Cybersecurity Defence — asset management, identity and access management, information system and processing facilities protection, email protection, networks security, mobile device security, data and information protection, cryptography, backup and recovery, vulnerability management, penetration testing, cybersecurity event logs and monitoring, cybersecurity incident management, physical security and web application security
  • Cybersecurity Resilience — business continuity aspects of cybersecurity
  • Third-Party and Cloud Computing Cybersecurity — supplier and cloud provider controls
  • Industrial Control Systems Cybersecurity — high-level OT expectations (extended in OTCC for OT-heavy environments)

Each control is written as a clear, testable statement, and entities are expected to demonstrate evidence of implementation. ECC's design philosophy is practical and outcome-oriented — it does not specify a particular technology, but it does specify the security outcomes the organisation must be able to demonstrate.

The clear value of ECC for any Saudi organisation is that it gives the board and the executive a single, regulator-recognised baseline to work against. Once that baseline is in place, layering CSCC, CCC, OTCC, DCC or TCC on top becomes a much more contained exercise.

GRC Vantage's compliance module ships with the full ECC control library and a pre-built mapping to ISO 27001, NIST CSF and SAMA CSF, so a single control update flows to every framework view your team runs.

2. NCA Critical Systems Cybersecurity Controls (CSCC)

Some systems are too important to be governed by a baseline alone. The Critical Systems Cybersecurity Controls (CSCC) are a layered control set that applies to systems formally classified as critical under the NCA's classification methodology — typically systems whose disruption would cause significant impact to national security, public safety, the economy or essential services.

CSCC inherits the ECC structure but adds higher-assurance controls in the areas that matter most for critical systems:

  • Stricter identity and access controls, including privileged access management
  • Tighter network segmentation and traffic inspection
  • Enhanced monitoring and log retention
  • Stronger cryptography requirements and key management
  • Higher-frequency vulnerability scans, penetration testing and red-team exercises
  • More demanding incident detection and response timelines
  • Enhanced supply-chain assurance for critical system components

The classification of a system as critical is the trigger that brings CSCC into scope. Many organisations operate a small number of systems that fall under CSCC (their core production environment, payment switches, control rooms, citizen-facing portals) while the rest of their estate sits under ECC alone. The connected GRC pattern is to tag each system with its classification and let the platform automatically apply the right control set.

3. NCA Cloud Cybersecurity Controls (CCC)

The Cloud Cybersecurity Controls are one of the most distinctive parts of the NCA family because they explicitly recognise that cloud security is a shared responsibility. CCC defines two distinct control sets:

For Cloud Service Providers (CSPs) operating in Saudi Arabia: governance, certification, infrastructure security, segmentation between tenants, customer data protection, incident notification, audit rights and exit assistance.

For Cloud Tenants consuming cloud services: cloud strategy and policy, classification of data going to cloud, due diligence on the provider, configuration baselines, identity federation, encryption and key management, monitoring, and exit and portability.

CCC is the framework that has had the biggest impact on the cloud-adoption conversation in Saudi Arabia. It clarifies what providers must offer and what tenants must do, and it is closely tied to data classification and residency expectations. For organisations handling sensitive or critical data, CCC effectively requires that data either stay inside Saudi Arabia or move to a provider with NCA-recognised controls and a Saudi-region presence.

For CISOs running cloud-first or cloud-heavy architectures, CCC is the framework you must own. For CISOs running on-premise or hybrid estates, CCC still applies the moment you adopt a SaaS service that processes regulated data — which most organisations do without realising it.

4. NCA Operational Technology Cybersecurity Controls (OTCC)

The Operational Technology Cybersecurity Controls cover the cybersecurity of industrial control systems (ICS) and operational technology (OT) environments — the systems that run power generation, water treatment, oil and gas pipelines, refineries, manufacturing lines, building management and similar physical processes.

OTCC recognises that OT environments are not the same as IT environments. The control set borrows the structural language of ECC but adapts it to the realities of OT:

  • Asset inventories that include PLCs, RTUs, HMIs, historians and engineering workstations
  • Network architecture controls aligned to the Purdue Model and IEC 62443
  • Tighter change management for control system firmware and logic
  • Specific patching and vulnerability management approaches that respect availability constraints
  • Physical and environmental controls for control rooms and field cabinets
  • Incident response procedures that include safety implications, not just data confidentiality
  • Supplier and integrator security expectations

For energy companies, utilities, large manufacturers and any organisation operating an OT estate, OTCC is the framework that demands the most cross-discipline collaboration — between IT cybersecurity, OT engineering, plant operations and safety. The control library has to be implemented in a way that does not compromise the availability and safety of the physical process, which is a different conversation from securing a typical IT environment.

5. NCA Data Cybersecurity Controls (DCC)

The Data Cybersecurity Controls are focused on the data lifecycle — classification, protection, retention, transfer, sharing and disposal. Where ECC and CSCC focus primarily on systems and infrastructure, DCC focuses on the data itself, regardless of where it lives.

DCC's controls cluster around several themes:

  • A formal data classification scheme aligned to NCA expectations
  • Clear ownership of data assets across the organisation
  • Encryption of data at rest and in transit, with documented key management
  • Controls on data sharing across organisations and across borders
  • Data leakage prevention and monitoring
  • Secure disposal of media and equipment containing data
  • Privacy-aligned controls that complement PDPL requirements

DCC sits closely alongside the Personal Data Protection Law (PDPL), which is the broader Saudi privacy regulation. PDPL sets the legal expectations for handling personal data; DCC sets the cybersecurity controls that operationalise those expectations. A mature programme treats them together — one set of data classifications, one set of controls, two regulator-facing views.

GRC Vantage's compliance module supports DCC and PDPL together, with a unified data classification and control library so that privacy and cybersecurity teams work from the same source of truth.

6. NCA Telework Cybersecurity Controls (TCC)

The Telework Cybersecurity Controls were issued in response to the rapid normalisation of remote and hybrid working. TCC applies to any organisation in NCA scope that allows staff to work from outside the corporate network — which, in practice, is almost everyone.

TCC's controls cover:

  • Telework policy and acceptable-use rules
  • Endpoint security for laptops and mobile devices used for telework
  • Secure remote access technologies (VPN, ZTNA, MDM)
  • Authentication strength for remote sessions, including MFA
  • Data protection on telework devices
  • Monitoring of remote sessions
  • Awareness and training for telework users

TCC is one of the lighter NCA frameworks in terms of control count, but it is also one of the easiest to fail an inspection on, because it touches every employee with a laptop. A documented and tested telework programme — with clear policy, enforced device controls and visible monitoring — is the minimum any inspector will expect to see.

How the NCA frameworks fit together

The six frameworks are designed to layer, not to compete. ECC is the floor; the other frameworks are walls and ceiling.

A typical Saudi enterprise might have:

  • ECC as the baseline across the whole estate
  • CSCC layered on top of the systems classified as critical
  • CCC layered on top of every cloud-hosted workload, applying the tenant control set, or both the tenant and the provider control sets where the organisation also acts as a cloud service provider
  • OTCC layered on top of any OT or ICS environment
  • DCC running across all systems that handle classified or personal data
  • TCC running across the telework population

The trap is to treat each framework as a separate workstream with its own spreadsheet, its own owner and its own evidence store. The result is duplicated work, conflicting evidence, and inspection findings driven by mismatches between frameworks rather than by genuine control gaps.

The connected approach is to maintain one control library in your GRC platform, where each control statement is tagged with every NCA framework it satisfies (and every other framework — ISO 27001, SAMA CSF, NIST — alongside). When the platform runs an ECC self-assessment, it pulls evidence from the same controls that satisfy CSCC, CCC and DCC. When it produces a board report, the report shows status against every framework from the same underlying data. This is what GRC Vantage was built to deliver.
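As an added example (not GRC Vantage's code, nor anything published by the NCA), here is a small Python model of the connected pattern described in section 2 and in the paragraph above: each system carries its classification attributes, every control in a single library is tagged with each framework it satisfies, and an assessment for any one framework reuses the same evidence. The control ids, statements and evidence file names are constructed placeholders, not real NCA control references.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    critical: bool = False        # classified critical under the NCA methodology
    cloud_hosted: bool = False    # hosted on a CSP or consumed as SaaS
    ot: bool = False              # ICS / OT environment
    regulated_data: bool = False  # holds classified or personal data
    telework_access: bool = False # reached by staff from outside the network

# Which system attribute switches on which layered framework (ECC is always on).
LAYERS = (("critical", "CSCC"), ("cloud_hosted", "CCC"), ("ot", "OTCC"),
          ("regulated_data", "DCC"), ("telework_access", "TCC"))

def applicable_frameworks(system: System) -> frozenset[str]:
    """ECC is the floor for every in-scope system; the rest layer on by attribute."""
    return frozenset({"ECC"} | {fw for attr, fw in LAYERS if getattr(system, attr)})

@dataclass(frozen=True)
class Control:
    control_id: str               # constructed placeholder, not a real NCA reference
    statement: str
    satisfies: frozenset[str]     # every framework this single control is tagged against
    evidence: tuple[str, ...] = ()  # evidence artefacts attached once, reused everywhere

# Constructed sample library: ids, statements and file names are illustrative only.
LIBRARY = (
    Control("CTRL-01", "MFA enforced for remote and privileged sessions",
            frozenset({"ECC", "CSCC", "TCC", "ISO27001"}), ("mfa-policy.pdf",)),
    Control("CTRL-02", "Data at rest encrypted with documented key management",
            frozenset({"ECC", "CSCC", "CCC", "DCC"}), ("kms-config.json",)),
    Control("CTRL-03", "Privileged access brokered through a PAM vault",
            frozenset({"CSCC"})),
    Control("CTRL-04", "Exit and portability plan agreed with the cloud provider",
            frozenset({"CCC"})),
    Control("CTRL-05", "Controller firmware and logic changes go through change control",
            frozenset({"OTCC"})),
)

def controls_in_scope(system: System, library=LIBRARY) -> list[Control]:
    """A control is in scope if it is tagged with any framework that applies."""
    scope = applicable_frameworks(system)
    return [c for c in library if c.satisfies & scope]

def assessment(system: System, library=LIBRARY) -> dict[str, tuple[int, int]]:
    """Per applicable framework: (evidenced controls, controls in scope).
    One evidenced control counts towards every framework it is tagged with."""
    result = {}
    for fw in sorted(applicable_frameworks(system)):
        in_scope = [c for c in library if fw in c.satisfies]
        result[fw] = (sum(1 for c in in_scope if c.evidence), len(in_scope))
    return result

def gaps(system: System, library=LIBRARY) -> dict[str, list[str]]:
    """Controls in scope with no evidence attached, grouped by framework."""
    return {fw: missing for fw in sorted(applicable_frameworks(system))
            if (missing := [c.control_id for c in library
                            if fw in c.satisfies and not c.evidence])}
```

Tagging a new system (for example a cloud-hosted payment switch classified as critical) immediately yields its framework stack, the controls it must evidence, and the per-framework gap list from one set of data.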


How NCA and SAMA fit together

For Saudi banks, the NCA framework family does not replace SAMA. The two regulators have overlapping but distinct mandates:

  • SAMA regulates financial institutions and issues the SAMA framework family — CSF, BCM, IT Governance, Cyber Threat Intelligence, Counter-Fraud and Outsourcing
  • NCA regulates government, critical national infrastructure and broad cybersecurity at a national level, and issues the NCA framework family

A typical Saudi bank or insurer is regulated by both: SAMA is its primary regulator, and NCA frameworks apply where systems are classified as critical national infrastructure, where data falls under DCC, where the bank consumes cloud services covered by CCC, and where staff work remotely under TCC. The connected GRC pattern is to tag each control with both the SAMA and the NCA references it satisfies, so that one well-implemented control can satisfy multiple regulators at once.

For our deeper guide on the SAMA family and how it interlocks with the rest of the Saudi regulatory landscape, see the SAMA frameworks complete guide.

A 90-day NCA readiness plan

If you are building an NCA programme from scratch — or trying to rescue a programme that has slipped — here is a 90-day plan that focuses on the essentials:

Days 0–30: Discovery. Establish which NCA frameworks you are in scope of by mapping your estate against each framework's applicability criteria. Identify systems classified as critical, cloud workloads, OT environments, regulated data stores and the telework population. Run a baseline self-assessment against ECC and identify the highest-impact gaps.

Days 31–60: Build. Stand up a single connected control library covering ECC and the layered frameworks you are in scope of. Define control owners. Build a remediation plan for the top gaps with realistic timelines and accountable owners. Align with PDPL where personal data is in scope.

Days 61–90: Operate. Run the first integrated NCA self-assessment, document evidence for every implemented control, present a connected board report covering every NCA framework in scope, and set the cadence for ongoing testing, evidence refresh and reporting.

Ninety days is enough to move from "fragmented and reactive" to "connected and predictable" — which is what NCA inspectors most want to see. Reaching full maturity takes longer, but the pattern you establish in those first 90 days determines how fast you can get there.

Where to go next

This pillar is part of our deeper series on the Saudi GRC framework landscape. To go deeper on specific topics:

If you would like to see a connected NCA control library running on real data, book a demo of GRC Vantage and we will walk you through how Saudi government bodies, critical infrastructure operators and regulated enterprises use the platform to manage ECC, CSCC, CCC, OTCC, DCC and TCC from one connected workspace, supported by Saudi-based teams in Riyadh and Dammam.

Frequently asked questions

What is the National Cybersecurity Authority (NCA)?

The National Cybersecurity Authority (NCA) is the Saudi Arabian government body responsible for cybersecurity at a national level. It was established by Royal Order in 2017 and is the issuing authority for the family of NCA cybersecurity frameworks that apply to government entities, critical national infrastructure and many private-sector organisations.

How many NCA frameworks are there?

The NCA framework family currently includes the Essential Cybersecurity Controls (ECC), the Critical Systems Cybersecurity Controls (CSCC), the Cloud Cybersecurity Controls (CCC), the Operational Technology Cybersecurity Controls (OTCC), the Data Cybersecurity Controls (DCC) and the Telework Cybersecurity Controls (TCC). There are also sector-specific guidelines and the Saudi Cybersecurity Higher Committee directives that sit alongside the framework family.

Who has to comply with NCA frameworks?

NCA ECC applies to all government entities and to private-sector organisations that own, operate or host critical national infrastructure or sensitive systems. CSCC applies specifically to organisations operating critical systems. CCC applies to cloud service providers operating in Saudi Arabia and to cloud tenants. OTCC applies to operators of industrial control systems and operational technology. DCC and TCC apply across all NCA-regulated entities. Many private-sector organisations also adopt ECC voluntarily as a baseline.

What is the difference between NCA ECC and SAMA CSF?

NCA ECC is issued by the National Cybersecurity Authority and applies broadly across government, critical infrastructure and many private-sector organisations. SAMA CSF is issued by the Saudi Central Bank and applies specifically to financial institutions regulated by SAMA. A typical Saudi bank has to comply with both — SAMA as its primary regulator, and NCA where its systems are also classified as critical national infrastructure or where it is hosting in Saudi data centres covered by NCA controls.

How is NCA ECC compliance assessed?

NCA ECC compliance is assessed through self-assessment against the published controls, with periodic audits and assurance reviews coordinated by the NCA. The assessment is structured around control implementation status and maturity, and entities are expected to remediate gaps within agreed timeframes. Failure to comply can result in directives, escalation and reputational impact, particularly for government entities and critical infrastructure operators.

Does the NCA framework family cover cloud?

Yes. The NCA Cloud Cybersecurity Controls (CCC) cover both Cloud Service Providers (CSPs) operating in Saudi Arabia and the organisations consuming cloud services (tenants). The framework defines distinct control sets for each role and is closely tied to data classification and residency expectations.

How does GRC Vantage support NCA compliance?

GRC Vantage ships pre-built control libraries for ECC, CSCC, CCC, OTCC, DCC and TCC, with cross-mappings to ISO 27001, NIST CSF and SAMA frameworks. The platform automates self-assessments, evidence collection, gap remediation and board-level reporting, and is built and supported by Saudi-based teams in Riyadh and Dammam, with deployment options inside KSA for data residency.