DCC – 1 · National Cybersecurity Authority · Kingdom of Saudi Arabia

NCA DCC — Data Cybersecurity Controls

Saudi Arabia's mandatory data cybersecurity framework for government entities, CNI operators, and organisations holding national-level sensitive data. Covers data classification, encryption, DLP, cross-border transfers, and resilience — issued by the National Cybersecurity Authority.

4 main domains

01 Data Cybersecurity Governance (5 subdomains)
02 Data Security & Protection (6 subdomains)
03 Data Residency & Cross-Border Transfers (4 subdomains)
04 Data Cybersecurity Resilience (3 subdomains)

What NCA DCC covers

The NCA Data Cybersecurity Controls (DCC – 1) is Saudi Arabia's dedicated cybersecurity framework for data protection, issued by the National Cybersecurity Authority. Unlike the broad ECC baseline, DCC focuses specifically on the security of data assets — from the moment data is classified through its entire lifecycle to secure disposal or transfer.

DCC is mandatory for government ministries, critical national infrastructure operators, and any entity that holds, processes, or transmits classified or national-level sensitive data within Saudi Arabia. Compliance requires a structured self-assessment, documented evidence against each control, and submission through the NCA's national reporting service. The NCA holds enforcement powers, including remediation orders and, for critical-sector entities, licence conditions.

The four DCC domains build on the ECC baseline and add data-specific obligations not covered elsewhere in the NCA framework family: mandatory multi-tier data classification, explicit encryption and key management requirements, a dedicated data residency domain, cross-border transfer controls, and a data resilience testing programme. Organisations subject to DCC must maintain evidence at the control level — classification records, encryption attestations, residency maps, and lifecycle audit trails — to support NCA examination readiness at all times.

Control library

NCA DCC domains and subdomains

01 Data Cybersecurity Governance

Data Governance Strategy
Data Classification Policy
Data Owner Accountability
Data Risk Management
Data Regulatory Compliance

02 Data Security & Protection

Encryption at Rest & In Transit
Data Masking & Anonymization
Data Loss Prevention
Access Control for Data
Secure Data Sharing
Data Lifecycle Management

03 Data Residency & Cross-Border Transfers

Saudi Data Residency Requirements
Cross-Border Transfer Controls
Data Localization Obligations
Third-Party Data Handling

04 Data Cybersecurity Resilience

Data Backup & Recovery
Data Integrity Monitoring
Data Resilience Testing

Applicability

Who must comply with NCA DCC

Government Ministries: All Saudi government ministries and public authorities processing national or classified data.
CNI Operators: Critical national infrastructure operators — energy, water, telecoms, healthcare, transport — with sensitive data environments.
Semi-Government Entities: State-owned enterprises and semi-government bodies that hold or transmit Saudi national data assets.
National Data Asset Holders: Private-sector organisations that hold, process, or transmit data classified at national sensitivity levels.

Framework comparison

NCA DCC vs NCA ECC

| Aspect | NCA DCC | NCA ECC |
| --- | --- | --- |
| Primary focus | Data classification, protection, residency, and lifecycle | Organisational cybersecurity baseline across all control domains |
| Scope | Entities handling classified or national-level sensitive data | All government, CNI, and critical-sector organisations in Saudi Arabia |
| Data classification | Mandatory — multi-tier classification is a core DCC requirement | Addressed but at a high level within Cybersecurity Defense domain |
| Encryption requirements | Detailed at-rest, in-transit, and key management controls | General cryptography requirements under subdomain 2-7 |
| Data residency | Dedicated domain — Saudi localisation and cross-border controls explicit | No dedicated residency domain; addressed through asset and third-party controls |
| DLP / data loss prevention | Explicit DLP controls within Data Security & Protection domain | Implied through network and endpoint controls, not explicitly named |
| Sub-processor oversight | Third-Party Data Handling subdomain with specific obligations | Covered under Third-Party and Cloud domain at a general level |
| PDPL alignment | Strong overlap — DCC residency and classification mirror PDPL obligations | Partial overlap — PDPL personal data not the primary focus of ECC |
| Control count | ~70 controls | 108 controls, 92 sub-controls |
| Assessment cadence | NCA-mandated periodic assessment and evidence submission | NCA-mandated annual self-assessment via national reporting service |

Platform

GRC Vantage for NCA DCC

Six purpose-built capabilities that cover the DCC control library from classification to examination pack — hosted inside Saudi Arabia for full data residency compliance.

Data Classification Engine: Pre-built NCA DCC classification tiers — Top Secret through Public — with policy-driven labelling, tagging workflows, and re-classification scheduling.
Encryption & Key Inventory: Track encryption posture at rest and in transit, key custody, rotation schedules, and HSM integration with examination-ready audit trails.
Data Lifecycle Workflows: Govern collection, processing, retention, and secure disposal with approval chains, documented exceptions, and policy linkage.
Cross-Border Transfer Register: Map every cross-border data flow, record legal bases and contractual safeguards, and alert on transfers lacking NCA-approved controls.
DLP Evidence Capture: Integrate DLP telemetry from your tooling and surface policy breach evidence directly against the relevant DCC sub-controls in the control register.
NCA-Ready Evidence Packs: Auto-assemble examination packs linking each DCC control to live evidence — classification records, encryption logs, residency maps, and incident history.

Reference

Frequently asked questions

What is NCA DCC?
The NCA Data Cybersecurity Controls (DCC – 1) is a mandatory framework issued by Saudi Arabia's National Cybersecurity Authority that defines how organisations classify, protect, and manage the lifecycle of data — particularly classified, sensitive, and national-level data. It covers governance, encryption, data loss prevention, residency, cross-border transfers, and resilience in four structured domains.

Who must comply with NCA DCC?
NCA DCC applies to government ministries, semi-government entities, and critical national infrastructure operators in Saudi Arabia that hold, process, or transmit classified or national-level sensitive data. Many SAMA-licensed entities and PDPL-regulated data controllers also adopt DCC controls given the strong structural overlap with PDPL data residency and protection obligations.

How does NCA DCC relate to PDPL?
NCA DCC and PDPL address different but overlapping concerns. DCC is a cybersecurity framework focused on technical and operational controls for data protection; PDPL is a privacy law regulating how personal data is collected, processed, shared, and retained. They overlap significantly on data classification, residency requirements, cross-border transfer controls, and breach notification. Organisations subject to both should map DCC controls against PDPL obligations to avoid duplicating effort — a single classification record and data-flow map can satisfy both frameworks simultaneously.

What are Saudi data residency requirements under NCA DCC?
The Data Residency & Cross-Border Transfers domain requires that classified and national-level sensitive data be stored within Saudi Arabia unless an explicit NCA-approved cross-border transfer arrangement is in place. Organisations must document hosting locations, map all data flows crossing borders, apply contractual and technical safeguards for any authorised transfers, and maintain an auditable record of sub-processor and third-party data handling arrangements.

How does NCA DCC differ from NCA ECC?
NCA ECC is the broad baseline cybersecurity framework covering all domains — governance, asset management, identity, network security, resilience, and third-party. NCA DCC is a specialised overlay focused exclusively on data: classification, encryption, DLP, residency, lifecycle, and resilience of data assets. Organisations subject to DCC must comply with ECC first, then apply the additional DCC data-specific controls on top. ECC does not contain a dedicated residency domain or explicit DLP controls — those are unique to DCC.

How does GRC Vantage help with NCA DCC compliance?
GRC Vantage ships with a pre-built NCA DCC control library, a data classification engine aligned to NCA sensitivity tiers, encryption and key management tracking, retention and disposal workflows, cross-border transfer register, and DLP evidence integration. Each control is linked to live evidence so your examination pack stays current. The platform is hosted inside Saudi Arabia for full NCA, SAMA, and PDPL data residency compliance.

Get started

Run your NCA DCC compliance programme with GRC Vantage

The complete NCA DCC control library is pre-loaded inside GRC Vantage with a data classification engine, encryption inventory, residency register, and submission-ready evidence packs. Hosted inside Saudi Arabia for full NCA, SAMA, and PDPL data residency compliance.