NCA Cloud Cybersecurity Controls
Saudi Arabia's mandatory cloud security framework — prescriptive controls for Cloud Service Providers and cloud customers across governance, security, continuity, and third-party management. Issued by the National Cybersecurity Authority under reference CCC – 1 : 2020.
What NCA CCC covers
The NCA Cloud Cybersecurity Controls (CCC – 1 : 2020) is Saudi Arabia's dedicated mandatory framework for securing cloud computing environments. Issued by the National Cybersecurity Authority, CCC sits alongside the NCA ECC, CSCC, DCC, OTCC, and TCC as part of the integrated NCA framework family. Where ECC sets the IT baseline for all in-scope organisations, CCC applies specifically whenever those organisations consume or deliver cloud services — filling the governance, shared-responsibility, and residency gaps that a technology-neutral baseline cannot address.
CCC is distinctive in that it places obligations on both sides of the cloud relationship. Cloud Service Providers must demonstrate that their infrastructure and service-layer controls meet NCA requirements; cloud customers must document their workload classification, shared-responsibility boundaries, CSP due diligence, and tenant-side configurations. Neither party can rely solely on the other to carry compliance: a CSP may hold ISO 27017 certification, but the customer still owns the obligation to verify, contract, and configure correctly.
The framework spans approximately 80 prescriptive controls organised across four domains — Governance, Security, Continuity, and Third-Party Management. There is no maturity model: controls are pass/fail, assessed against documented evidence, and mandatory for every entity in scope. NCA holds enforcement powers including remediation orders and, for regulated sectors, licence conditions.
NCA CCC domains and subdomains
- Domain 1: Cloud Computing Governance
- Domain 2: Cloud Computing Security
- Domain 3: Cloud Service Continuity
- Domain 4: Third-Party Cloud Computing
Who must comply with NCA CCC
- Any organisation providing cloud infrastructure, platform, or software services to Saudi government, CNI, or regulated entities — including hyperscalers with Saudi-resident regions and managed-service providers running cloud-based platforms.
- All Saudi ministries, public authorities, and government agencies using cloud services to process, store, or transmit official or national-sensitive data must apply CCC requirements in their capacity as cloud customers.
- CNI organisations in energy, water, telecommunications, healthcare, transport, and financial services using public, private, or hybrid cloud for core operations or data processing.
- Banks, insurers, and fintechs supervised by SAMA routinely apply NCA CCC as the cloud-security baseline alongside SAMA Outsourcing requirements and the SAMA CSF.
- State-owned enterprises and government-affiliated organisations handling official data in cloud environments are in scope regardless of whether their primary regulator is NCA or a sector supervisor.
- Organisations subject to the Saudi Personal Data Protection Law (PDPL) that use cloud processors or sub-processors to handle personal data should treat NCA CCC as the minimum technical standard for cloud data security.
NCA CCC vs NCA ECC
| Dimension | NCA ECC | NCA CCC |
|---|---|---|
| Issuing body | National Cybersecurity Authority (NCA) | National Cybersecurity Authority (NCA) |
| Reference | ECC – 2 : 2024 | CCC – 1 : 2020 |
| Scope | All IT environments | Cloud computing environments only |
| Applies to | Government, CNI, regulated entities | CSPs + any cloud customer in scope |
| Total controls (approx.) | ~108 controls | ~80 controls |
| Domains | 4 domains | 4 domains (cloud-specific) |
| Maturity model | No — prescriptive pass/fail | No — prescriptive pass/fail |
| Shared responsibility | Not addressed | Explicit CSP vs. customer boundary |
| Data residency | General data security controls | Explicit cloud residency requirements |
| Relationship | Baseline — mandatory for all in-scope entities | Extension — adds a cloud-specific control layer on top of ECC |
How GRC Vantage supports NCA CCC compliance
GRC Vantage ships with a pre-built NCA CCC control library, CSP assessment engine, and continuous cloud posture monitoring — covering both the CSP and cloud-customer sides of the shared-responsibility boundary.
- All ~80 controls pre-loaded with evidence prompts, responsibility assignment (CSP vs. customer), and NCA reference IDs — ready to map against your cloud estate.
- Pre-built questionnaires for hyperscalers and regional providers, mapped to every NCA CCC domain. Capture attestations, SOC reports, and ISO 27017 certificates in one workflow.
- Make the CSP-vs.-customer boundary explicit per workload and service tier. Control accountability is captured at contract level with version-controlled approvals.
- Track data residency obligations for every cloud workload. Map sub-processors against PDPL and NCA CCC cross-border requirements, with automated expiry alerts.
- Schedule annual CSP re-assessments, monitor contractual security obligations, and surface alerts on SLA breaches, certification lapses, or material CSP changes.
- Assemble NCA-ready audit packs at any time — domain-level status, control evidence links, gap register, and remediation plan in a format aligned to NCA examiner expectations.
NCA CCC — common questions
- What is NCA CCC?
- The NCA Cloud Cybersecurity Controls (CCC – 1 : 2020) is a mandatory framework issued by Saudi Arabia's National Cybersecurity Authority. It defines the cybersecurity requirements that Cloud Service Providers and cloud customers must satisfy when processing, storing, or transmitting data in cloud environments — public, private, or hybrid — within the Kingdom of Saudi Arabia.
- Who must comply with NCA CCC?
- Compliance is mandatory for two groups: (1) Cloud Service Providers (CSPs) offering cloud services to Saudi government, CNI, or regulated entities; and (2) cloud customers — any government, semi-government, CNI organisation, or regulated entity using cloud services to process official or sensitive data. Both sides of the shared-responsibility boundary carry obligations under CCC.
- How does NCA CCC differ from NCA ECC?
- NCA ECC is the cross-sector IT baseline covering all information systems. NCA CCC is a purpose-built extension that adds cloud-specific controls on top of ECC — addressing the shared-responsibility model, CSP due diligence, tenant isolation, data residency, sub-processor management, and SLA governance that generic IT controls do not reach. Organisations using cloud are expected to comply with both.
- What does a CSP assessment under NCA CCC cover?
- A CSP assessment examines the provider's security configuration, identity and access controls, network segmentation and tenant isolation, data encryption and residency practices, disaster recovery and backup posture, logging and monitoring capabilities, sub-processor management, and contractual compliance mechanisms. Evidence typically includes ISO 27017/CSA STAR certifications, third-party audit reports, and control questionnaire responses.
- How do cloud customers evidence NCA CCC compliance?
- Cloud customers must document their cloud inventory and classify workloads by data sensitivity, define shared-responsibility matrices per CSP and service tier, capture encryption and IAM configuration evidence, maintain CSP assessment records and contractual audit rights, test disaster recovery, and keep a sub-processor register. Annual re-assessments of CSPs and continuous posture monitoring are expected under the framework.
- Can NCA CCC compliance be satisfied alongside ISO 27017 or CSA CCM?
- Yes — with cross-mapping. ISO 27017 addresses cloud-specific information security guidance and CSA CCM covers cloud control domains; both align closely with NCA CCC's structure and intent. An organisation that has mapped controls from ISO 27017 or CSA CCM against the NCA CCC requirements can reuse significant evidence, reducing duplication. GRC Vantage maintains a cross-reference between CCC, ISO 27017, and CSA CCM so a single assessment satisfies all three.
Ready to put your cloud estate on NCA CCC-ready rails?
Our team in Riyadh and Dammam can run a CSP inventory sprint, map your shared-responsibility boundaries, and deliver an examiner-ready compliance baseline — typically within six weeks.