SAMA CSF vs NCA ECC: Differences, Overlaps, and How They Work Together

A factual comparison of SAMA CSF and NCA ECC — issuer, scope, structure, control counts, assessment methodology and how Saudi organisations run both frameworks together.

GRC Vantage Team · 2026-04-08 · 7 min read

Saudi organisations regulated by more than one authority often find themselves simultaneously inside the scope of the SAMA Cyber Security Framework and the National Cybersecurity Authority Essential Cybersecurity Controls. This is most common among banks and payment service providers that also operate critical national infrastructure, insurers that process national-level data, and fintechs that sit at the intersection of financial services and telecom infrastructure. The two frameworks share substantial DNA, but they are issued by different authorities, assessed against different methodologies, and oriented toward different outcomes.

This post is a factual side-by-side comparison so that compliance teams running both programmes can understand precisely where the frameworks overlap, where they diverge, and how to organise a unified control environment that satisfies both without doubling the effort.

Issuer, authority and legal basis

SAMA CSF is issued by the Saudi Central Bank (formerly the Saudi Arabian Monetary Authority, from which it still takes its name). The framework was published in 2017 as version 1.0 and applies to every organisation supervised by SAMA — banks, insurance and reinsurance companies, finance companies, money exchangers, payment service providers and credit information companies. SAMA's authority to enforce CSF derives from its supervisory mandate under the Banking Control Law (M/5) and, more broadly, from the Saudi Central Bank Law (M/36).

NCA ECC is issued by the National Cybersecurity Authority, established by Royal Order A/6 in 2017 as the Kingdom's national cybersecurity body. The Essential Cybersecurity Controls were published in 2018 as ECC-1:2018. NCA's authority to enforce ECC applies to all Saudi government entities, private-sector organisations that operate critical national infrastructure, and entities that hold sensitive national-level data.

The practical implication: a bank licensed by SAMA is primarily accountable to SAMA for CSF compliance. If that same bank operates infrastructure classified as critical by the NCA, which many tier-one Saudi banks do, it is simultaneously accountable to the NCA for ECC. Neither authority defers to the other for an entity that sits in both populations; each assesses independently, against its own methodology.

Structure and control count

| Attribute | SAMA CSF | NCA ECC |
|---|---|---|
| Version | CSF v1.0 (2017) | ECC-1:2018 |
| Top-level domains | 4 | 5 |
| Subdomains / main controls | ~28 | ~29 |
| Total sub-controls | ~118 | ~114 |
| Assessment model | Maturity scale, levels 0 to 5 | Per-control compliance rating with evidence |
| Governing authority | Saudi Central Bank | National Cybersecurity Authority |

SAMA CSF's four domains are Cyber Security Leadership and Governance, Cyber Security Risk Management and Compliance, Cyber Security Operations and Technology, and Third-Party Cyber Security.

NCA ECC's five domains are Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, Third-Party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity.

The structural difference is deliberate. SAMA elevates Third-Party Cyber Security to a domain of its own because third-party and outsourcing risk is a dominant feature of the financial sector. NCA elevates Cybersecurity Resilience and ICS Cybersecurity to their own domains because those topics are material to the population NCA regulates — utilities, energy, transport and government.

Assessment methodology — the biggest practical difference

This is the single most important distinction for teams running both programmes.

SAMA CSF is assessed against a maturity model with six levels, numbered 0 to 5: non-existent, ad-hoc, repeatable but informal, structured and formalised, managed and measurable, and adaptive. CSF v1.0 sets level 3 as the minimum each member organisation should reach, and SAMA expects, equally important, year-on-year improvement from there. A control operating at "repeatable but informal" this year should be closer to "structured and formalised" next year. Standing still is read by SAMA inspectors as regression in effective terms.

NCA ECC is assessed primarily as a compliance check with evidence. The NCA expects each subcontrol to be rated compliant, partially compliant or non-compliant, with evidence substantiating the rating. Entities submit evidence through NCA's compliance platform, and the NCA conducts targeted on-site assessments. There is no maturity scoring in the way CSF uses it: ECC is closer to a control-by-control implementation-status check, like an ISO 27001 Statement of Applicability, than to CSF's maturity loop.

The consequence for compliance programmes: SAMA-only organisations tend to build measurement and improvement infrastructure (KPIs, management reviews, action tracking). NCA-only organisations tend to build evidence collection infrastructure (control-tagged artefacts, submission workflows). Organisations running both need both — measurement and evidence — and the evidence needs to be tagged to both sets of control IDs so that a single artefact satisfies two audiences.

Where the frameworks overlap

A working estimate — based on the programmes we see in Saudi banks that run both frameworks — is that roughly 70% of the control intent overlaps. The clearest overlaps include:

  • Information security policy and governance. Both frameworks expect a documented information security policy, approved at the highest level, with a defined review cadence. SAMA CSF 1.1–1.3 and NCA ECC 1-1 through 1-2 are conceptually aligned.
  • Risk management. Both frameworks require a documented cybersecurity risk management methodology with identification, analysis, evaluation and treatment. The process language is almost interchangeable.
  • Asset management. Inventory, classification and ownership of information assets is present in both.
  • Identity and access management. Both frameworks cover joiners-movers-leavers, privileged access, authentication strength and access reviews. The intent is identical; the evidence cadence differs.
  • Vulnerability and patch management. Both frameworks expect vulnerability scanning, patch SLAs and penetration testing with remediation tracking.
  • Logging and monitoring. Both frameworks expect centralised logging, monitoring and use-case-driven detection.
  • Incident management. Both frameworks expect a documented incident response process, severity classification, lessons learned and post-incident review.
  • Third-party security. Both frameworks expect a risk-based vendor lifecycle with contractual requirements, onboarding due diligence and ongoing monitoring.
  • Business continuity and cybersecurity resilience. Both frameworks link cybersecurity to BCM, though NCA puts resilience in a domain of its own and SAMA treats BCM as a separate framework that sits alongside CSF.
  • Awareness and training. Both frameworks expect role-based training with measurable outcomes.

A mature control implementation that serves one framework will satisfy the great majority of the other, provided the evidence is tagged correctly. The mistake organisations make is implementing two separate control sets and two separate evidence repositories.

Where the frameworks diverge

The divergences are smaller in number but disproportionate in effort.

Maturity vs. compliance mindset. Already covered above — this is the single biggest difference, and it changes the shape of the programme.

Third-party depth. SAMA CSF 4.x expects third-party cyber security at a level that intersects with the separate SAMA Outsourcing Regulations, which add prior-approval requirements for material outsourcing arrangements. NCA ECC 4-1 and 4-2 cover third-party and cloud but do not layer on the SAMA prior-approval obligation.

Cloud. NCA operates a separate framework — the Cloud Cybersecurity Controls (CCC) — that applies when in-scope entities use cloud services. SAMA-regulated organisations using cloud must also navigate SAMA's Cloud Computing Framework and Outsourcing Regulations. These are not the same document, and teams running both will need to satisfy both sets of cloud expectations.

Industrial control systems. NCA ECC domain 5 and the Operational Technology Cybersecurity Controls (OTCC) cover ICS/OT in depth. SAMA CSF has no equivalent ICS domain because its population is primarily IT-only.

Incident reporting obligations. SAMA expects member organisations to notify the Central Bank of significant cyber incidents within defined channels and timeframes. NCA operates its own national cyber incident reporting channel. An incident at a SAMA-regulated CNI operator triggers both obligations, through different reporting lines.

Data protection and residency. Neither framework is the primary data protection instrument — that is PDPL under SDAIA. Both frameworks intersect with PDPL but do not replace it.

Maturity reporting cadence. CSF expects a periodic self-assessment against the maturity model with a submission to SAMA. ECC expects evidence submission through NCA's platform. The cadences and formats differ.

Running both frameworks from one control library

The only sustainable model for organisations inside both frameworks is a single connected control library where each control is tagged with every framework reference it satisfies — SAMA CSF sub-control ID, NCA ECC sub-control ID, ISO 27001 Annex A reference, NIST CSF category — and the evidence is attached once.

A well-structured connected control library has three layers:

  1. A plain-English control statement describing what the control does and who owns it.
  2. Framework tags for every regulator the control satisfies.
  3. Evidence and test results attached once and inherited by every framework view.

When a SAMA inspector asks to see CSF 3.3.5 and an NCA assessor asks to see ECC 2-2-3, they are both looking at the same underlying control, the same evidence, the same owner and the same last-review date. The platform produces the CSF maturity self-assessment and the NCA compliance submission from the same store.
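The three-layer library above, and the point made earlier that one artefact has to be tagged to both sets of control IDs, as an added Python example. This is illustration code written for this page, not GRC Vantage's platform and not a reproduction of the official SAMA/NCA cross-mapping: the control IDs, the framework references (including the 3.3.5 and 2-2-3 used in the paragraph above), the evidence references and dates are constructed placeholders, and the rule that derives an ECC rating from the maturity level and evidence age is an assumption chosen for the example. It shows both regulator views being generated from one record, so that the two submissions cannot disagree about a control, and a check for controls an assessor could never find because they carry no tag for that framework.

```python
"""Connected control library: one record per control, tagged for every framework,
with the SAMA CSF maturity view and the NCA ECC compliance view derived from it.
Added example, not GRC Vantage code; all references and dates are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# SAMA CSF maturity scale, levels 0 to 5
CSF_MATURITY_LEVELS = {
    0: "non-existent",
    1: "ad-hoc",
    2: "repeatable but informal",
    3: "structured and formalised",
    4: "managed and measurable",
    5: "adaptive",
}
CSF_TARGET_LEVEL = 3                    # assumed target level for this organisation
EVIDENCE_MAX_AGE = timedelta(days=365)  # assumed freshness window for submitted evidence


@dataclass
class Evidence:
    ref: str          # artefact identifier in the evidence store
    collected: date
    description: str


@dataclass
class Control:
    control_id: str
    statement: str                 # layer 1: plain-English control statement
    owner: str
    tags: dict[str, list[str]]     # layer 2: framework name -> references it satisfies
    maturity: int                  # assessed once, on the CSF 0-5 scale
    last_reviewed: date
    evidence: list[Evidence] = field(default_factory=list)  # layer 3: attached once


def lookup(library: list[Control], framework: str, ref: str) -> Control:
    """Resolve a framework reference to the one control that carries it."""
    hits = [c for c in library if ref in c.tags.get(framework, [])]
    if len(hits) != 1:
        raise KeyError(f"{framework} {ref}: expected one control, found {len(hits)}")
    return hits[0]


def current_evidence(control: Control, as_of: date) -> list[Evidence]:
    return [e for e in control.evidence if as_of - e.collected <= EVIDENCE_MAX_AGE]


def csf_self_assessment(library: list[Control]) -> dict:
    """SAMA view: maturity level per CSF reference and the gap to the target level."""
    view = {}
    for c in library:
        for ref in c.tags.get("SAMA CSF", []):
            view[ref] = {"control": c.control_id, "maturity": c.maturity,
                         "level": CSF_MATURITY_LEVELS[c.maturity],
                         "gap_to_target": max(0, CSF_TARGET_LEVEL - c.maturity),
                         "owner": c.owner, "last_reviewed": c.last_reviewed}
    return view


def ecc_status(control: Control, as_of: date) -> str:
    """Assumed derivation rule: the ECC rating is computed from the same maturity
    and evidence record the CSF view reads, so the two submissions cannot disagree."""
    if control.maturity == 0 or not control.evidence:
        return "non-compliant"
    if control.maturity >= CSF_TARGET_LEVEL and current_evidence(control, as_of):
        return "compliant"
    return "partially compliant"


def ecc_submission(library: list[Control], as_of: date) -> dict:
    """NCA view: rating per ECC reference with current and stale evidence listed."""
    view = {}
    for c in library:
        for ref in c.tags.get("NCA ECC", []):
            fresh = current_evidence(c, as_of)
            view[ref] = {"control": c.control_id, "status": ecc_status(c, as_of),
                         "evidence": [e.ref for e in fresh],
                         "stale_evidence": [e.ref for e in c.evidence if e not in fresh]}
    return view


def untagged(library: list[Control], framework: str) -> list[str]:
    """Controls with no reference for a framework: invisible to that assessor."""
    return [c.control_id for c in library if not c.tags.get(framework)]


# Constructed sample library. Framework references are illustrative placeholders,
# not the official SAMA/NCA cross-mapping.
AS_OF = date(2026, 4, 8)
LIBRARY = [
    Control("CTL-IAM-04", "Privileged access rights are reviewed quarterly by the asset owner",
            "Head of IAM", {"SAMA CSF": ["3.3.5"], "NCA ECC": ["2-2-3"]},
            maturity=4, last_reviewed=date(2026, 3, 30),
            evidence=[Evidence("EV-2026-011", date(2026, 3, 28), "Q1 privileged access review sign-off")]),
    Control("CTL-GOV-01", "Information security policy approved by the board and reviewed annually",
            "CISO", {"SAMA CSF": ["1.1"], "NCA ECC": ["1-1"]},
            maturity=3, last_reviewed=date(2025, 1, 20),
            evidence=[Evidence("EV-2025-002", date(2025, 1, 15), "Board minute approving policy v3")]),
    Control("CTL-TPR-07", "Material outsourcing arrangements obtain SAMA prior approval before go-live",
            "Head of Procurement", {"SAMA CSF": ["4.1"]},   # SAMA-specific, no ECC tag
            maturity=2, last_reviewed=date(2026, 2, 12),
            evidence=[Evidence("EV-2026-004", date(2026, 2, 10), "Approval letter register extract")]),
]
```

Running `lookup(LIBRARY, "SAMA CSF", "3.3.5")` and `lookup(LIBRARY, "NCA ECC", "2-2-3")` returns the same object, with the same owner, evidence and last-review date. In the two derived views, the IAM control appears as level 4 for SAMA and "compliant" for the NCA; the policy control sits at level 3 for SAMA but, because its only evidence is older than the assumed freshness window, comes out "partially compliant" for the NCA with the stale artefact listed, which is exactly the kind of disagreement a single store makes visible before an assessor does. The outsourcing control is reported to SAMA with a one-level gap to target and is listed by `untagged(LIBRARY, "NCA ECC")`, so the team can decide deliberately whether it is SAMA-only or simply missing a tag.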

Organisations that attempt to run two separate programmes — one for SAMA and one for NCA — effectively double the cost and routinely fall out of sync, producing findings where the two programmes disagree about the state of the same control.

How GRC Vantage runs both frameworks

GRC Vantage's compliance module ships with both the SAMA CSF and the NCA ECC control libraries, cross-mapped to each other and to ISO 27001:2022, NIST CSF, PCI DSS and SOC 2. Evidence captured once against the unified control is presented in CSF maturity format for SAMA and in ECC compliance format for the NCA. The platform runs inside Saudi Arabia to satisfy data residency expectations and is supported from our Riyadh and Dammam offices.

For the wider SAMA framework family read our SAMA frameworks guide; for the NCA family read our NCA frameworks guide. If you are running both frameworks and want to see how a single connected library feels in practice, book a demo and we will walk through a live Saudi banking deployment.

GRC Vantage Team, Saudi GRC Practitioners

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.