NCA-ECC-2-2024 · Version 2.0 · Published 2024

NCA ECC — Essential Cybersecurity Controls

Saudi Arabia's mandatory cybersecurity framework for government entities, critical national infrastructure operators and organisations holding national-level sensitive data. Full control library, compliance checklist and implementation guide — issued by the National Cybersecurity Authority.

What NCA ECC covers

The NCA Essential Cybersecurity Controls (ECC – 2 : 2024) is the second iteration of Saudi Arabia's baseline cybersecurity framework, issued by the National Cybersecurity Authority (NCA). This compliance guide covers every control Saudi government entities and critical national infrastructure operators must implement — with the full control library, implementation checklist and audit-readiness steps in one place.

NCA ECC compliance is mandatory and assessable. Organisations in scope must maintain a current self-assessment, submit evidence via the NCA's national reporting service, and remediate non-conformities within prescribed timeframes. The NCA holds enforcement powers including remediation orders and, for critical sectors, licence conditions. A robust compliance posture requires mapped evidence, a documented improvement plan, and a clear owner for every control.

The complete NCA ECC control library — every domain, subdomain, control and sub-control — appears below. Each control is identified by its canonical NCA reference ID (for example 2-3-1) so your team can map evidence directly against the published framework and build an audit-ready control register.

Control library

Complete NCA ECC controls

The NCA Essential Cybersecurity Controls (ECC) is the baseline cybersecurity framework for Saudi government entities, critical national infrastructure operators, and private-sector organisations holding national-level data. Version 2 was issued in 2024.

Domains: 4
Subdomains: 28
Controls: 108
Assessable: 176

NCA ECC · Domain 1: Cybersecurity Governance (10 subdomains, 35 controls)
NCA ECC · Domain 2: Cybersecurity Defense (15 subdomains, 61 controls)
NCA ECC · Domain 3: Cybersecurity Resilience (1 subdomain, 4 controls)
NCA ECC · Domain 4: Third-Party and Cloud Computing Cybersecurity (2 subdomains, 8 controls)

Reference

Frequently asked questions

What is NCA ECC 2:2024?
The NCA Essential Cybersecurity Controls (ECC – 2 : 2024) is the second version of the baseline cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority. It defines the mandatory cybersecurity controls that government entities, critical national infrastructure (CNI) operators, and certain private-sector organisations in the Kingdom of Saudi Arabia must implement and evidence.

How many controls are in NCA ECC 2024?
NCA ECC 2:2024 is organised into 4 main domains, 28 subdomains, 108 controls and 92 sub-controls — 232 nodes in total. All assessable controls must be evidenced during NCA assessment.

Who must comply with NCA ECC?
Compliance is mandatory for all Saudi government entities (ministries, public authorities, agencies), all critical national infrastructure operators (energy, water, telecommunications, healthcare, transport), and private-sector organisations that hold or process national-level sensitive information. Foreign entities operating in scope are also subject to the framework.

What are the four domains of NCA ECC?
The four main domains are: (1) Cybersecurity Governance — strategy, organisation, policies, risk management and compliance; (2) Cybersecurity Defense — asset management, identity, network and system security, cryptography, backup, vulnerability management and monitoring; (3) Cybersecurity Resilience — cybersecurity within business continuity; (4) Third-Party and Cloud Computing Cybersecurity — supplier and cloud-service cyber requirements.

Is NCA ECC the same as SAMA CSF?
No. NCA ECC is the cross-sector cybersecurity baseline applied to government and critical infrastructure. SAMA CSF is the financial-sector cybersecurity framework issued by the Saudi Central Bank, applicable only to entities supervised by SAMA. The two frameworks share significant structural overlap and many controls map across both — but each carries its own assessment cadence, evidence expectations and supervisor.

How is NCA ECC assessed?
Entities are required to perform a structured self-assessment against each ECC sub-control and submit evidence through the NCA's national reporting service. The NCA may follow up with on-site review, additional evidence requests, and remediation orders for non-conformities. Maintained assessment evidence and a documented improvement plan are central to a credible NCA compliance posture.