NCA-CSCC-1-2019 · Version 1.0 · Published 2019

NCA Critical Systems Cybersecurity Controls

The hardened cybersecurity baseline for Saudi systems whose disruption would carry critical national impact. CSCC extends the NCA ECC with additional, sector-agnostic requirements for entities operating critical systems.

What NCA CSCC covers

The NCA Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) are issued by the National Cybersecurity Authority as a hardened extension of the ECC. CSCC applies on top of ECC wherever an entity operates a critical system — a system whose disruption, compromise or loss of confidentiality, integrity or availability would have a high impact on Saudi national interests.

CSCC is not a replacement for ECC; it is a supplement. Every CSCC sub-control sits on top of an equivalent ECC control and tightens the requirement, raises the maturity bar, or adds critical-system-specific obligations. Entities running critical systems are assessed against both frameworks in combination.

The complete control library below contains 4 domains, 21 subdomains, 32 controls and 73 sub-controls, each referenced to its canonical NCA ID and mapped to the corresponding ECC requirement.

Control library

Complete NCA CSCC controls

NCA Critical Systems Cybersecurity Controls — the hardened cybersecurity baseline for systems whose disruption would have a critical impact on national security. These controls extend the ECC with additional requirements for entities operating critical systems in any sector.

4 domains · 21 subdomains · 32 controls · 85 assessable

NCA CSCC · Domain 1: Cybersecurity Governance (5 subdomains, 7 controls)
NCA CSCC · Domain 2: Cybersecurity Defense (13 subdomains, 22 controls)
NCA CSCC · Domain 3: Cybersecurity Resilience (1 subdomain, 1 control)
NCA CSCC · Domain 4: Third-Party and Cloud Computing Cybersecurity (2 subdomains, 2 controls)

Reference

Frequently asked questions

What is NCA CSCC?
The NCA Critical Systems Cybersecurity Controls (CSCC – 1 : 2019) is a hardened cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority for entities operating critical systems. It extends the NCA ECC with additional, stricter requirements specifically for systems whose disruption would have a critical national impact.

What is a 'critical system' under CSCC?
A critical system is any information or operational technology system whose disruption, compromise, or loss of confidentiality, integrity, or availability would have a high impact on national interests. This includes systems supporting essential government services, critical financial infrastructure, energy and water supply, telecommunications backbones, healthcare systems, transport systems, and any environment classified by the NCA as critical for national security or public welfare.

How does CSCC relate to the NCA ECC?
CSCC is an extension framework. Every entity operating a critical system must comply with the ECC baseline first, then apply the CSCC controls on top wherever a critical system is in scope. CSCC sub-controls explicitly reference the equivalent ECC controls they tighten — for example, the CSCC strategy control sits on top of ECC subdomain 1-1, adding the requirement to prioritise protection of critical systems. The two frameworks are assessed together for critical-system operators.

Who must comply with NCA CSCC?
Any Saudi government entity or private-sector organisation that operates a critical system as defined by the NCA. This typically includes large financial institutions, telecommunications operators, energy and utility companies, healthcare systems supporting national-level operations, transport infrastructure operators, and government bodies operating national systems. The NCA determines critical-system classification through its sector engagement and assessment process.

How is CSCC assessed?
CSCC is assessed jointly with the ECC. Entities perform a structured self-assessment against each CSCC sub-control, identify the critical systems in scope, and submit evidence through the NCA's national reporting service. Because CSCC controls tighten ECC requirements, evidence often takes the form of demonstrating that ECC controls operate at a higher maturity level for critical systems than they do for general systems.

What sectors are most affected by CSCC?
The most affected sectors are energy (electricity, oil and gas), water and wastewater, telecommunications, financial services (in addition to SAMA CSF), healthcare systems supporting national operations, transport (rail, aviation, ports), and government bodies operating national digital platforms. Any organisation in these sectors should expect to be assessed against CSCC for the systems classified as critical.

Get started

Run your NCA CSCC assessment with GRC Vantage

The complete NCA CSCC control library is pre-loaded inside GRC Vantage with evidence templates, ownership workflow and submission-ready reporting. Hosted inside Saudi Arabia for data residency.