NCA Framework · OTCC – 1 : 2022

NCA Operational Technology Cybersecurity Controls

Saudi Arabia's mandatory OT security framework — prescriptive controls for ICS, SCADA, DCS, and PLC operators across governance, defence, resilience, supply chain, and incident management. Issued by the National Cybersecurity Authority under reference OTCC – 1 : 2022.

Overview

What NCA OTCC covers

The NCA Operational Technology Cybersecurity Controls (OTCC – 1 : 2022) is Saudi Arabia's dedicated mandatory framework for securing industrial control systems and operational technology environments. Issued by the National Cybersecurity Authority, OTCC recognises that the cybersecurity challenges facing ICS, SCADA, DCS, and PLC environments are fundamentally different from those of enterprise IT — and that standard IT security controls, applied naively to OT, risk disrupting or damaging safety-critical operations.

OTCC sits alongside NCA ECC as a mandatory extension for OT operators. Where ECC provides the cross-sector IT baseline, OTCC adds the five OT-specific domains that ECC cannot adequately address: governance structures for operational environments, defence controls calibrated to industrial system constraints, OT-specific resilience and continuity, supply chain integrity for hardware and embedded software, and incident management procedures that account for OT forensics, CERT-SA escalation, and the safety implications of cyber events.

The framework encompasses approximately 85 prescriptive controls across five domains and 24 subdomains. There is no maturity model — controls are pass/fail, and organisations in scope are expected to maintain current evidence against every applicable control. The NCA holds enforcement powers including remediation orders, and for CNI sectors, compliance is tied to operating licences. Saudi Arabia's critical infrastructure concentration in oil and gas, water, and electricity means OTCC compliance is among the highest-priority cybersecurity obligations for industrial operators in the Kingdom.

Control library

NCA OTCC domains and subdomains

Domain 1: OT Cybersecurity Governance

1-1 OT Strategy & Policy
1-2 OT Risk Management
1-3 Roles & Responsibilities
1-4 Regulatory Compliance
1-5 OT Security Awareness & Training
1-6 OT Security Audit

Domain 2: OT Cybersecurity Defense

2-1 OT Network Architecture & Segmentation
2-2 OT Asset Management
2-3 Access Control & Privileged Access
2-4 Remote Access Security
2-5 OT Patch & Vulnerability Management
2-6 Physical Security of OT Systems
2-7 OT Change Management
2-8 Cryptography in OT

Domain 3: OT Cybersecurity Resilience

3-1 OT Backup & Recovery
3-2 OT-Specific Business Continuity
3-3 Resilience Testing

Domain 4: Third-Party & Supply Chain Security

4-1 OT Vendor Assessment
4-2 Supply Chain Integrity
4-3 Hardware & Software Provenance

Domain 5: OT Incident Management

5-1 OT-Specific IR Plan
5-2 OT Forensics & Evidence Preservation
5-3 Escalation to CERT-SA
5-4 Post-Incident Review

Applicability

Who must comply with NCA OTCC

Energy & Electricity Operators

Electricity generation, transmission, and distribution operators whose control systems — including SCADA, EMS, and DERMS — are in scope for NCA OTCC as critical OT environments.

Oil, Gas & Petrochemicals

Upstream, midstream, and downstream operators running DCS, SCADA, and safety instrumented systems (SIS) that control production, pipeline, or processing operations.

Water & Wastewater Utilities

Water treatment, desalination, and wastewater operators using PLCs and SCADA to control treatment processes, pump stations, and distribution networks.

Healthcare OT Operators

Hospital systems and healthcare facilities operating building management systems, medical device networks, and OT infrastructure that falls outside traditional IT governance.

Transport Infrastructure

Railway, aviation ground systems, seaport, and road network operators relying on industrial control systems for safety-critical infrastructure management.

Manufacturing & Industrial CNI

Critical manufacturing operations and large-scale industrial facilities in the Kingdom where OT system compromise could cause physical harm, production loss, or public safety risk.

Comparison

NCA OTCC vs NCA ECC

| Dimension | NCA ECC | NCA OTCC |
|---|---|---|
| Issuing body | National Cybersecurity Authority (NCA) | National Cybersecurity Authority (NCA) |
| Reference | ECC – 2 : 2024 | OTCC – 1 : 2022 |
| Scope | IT systems and environments | OT systems only (ICS, SCADA, DCS, PLCs) |
| Applies to | Government, CNI, regulated entities | OT system operators — not IT-only orgs |
| Total controls (approx.) | ~108 controls | ~85 controls |
| Domains | 4 domains | 5 domains (OT-specific) |
| Maturity model | No — prescriptive pass/fail | No — prescriptive pass/fail |
| IT/OT boundary | Not specifically addressed | Explicit zone-and-conduit segmentation |
| Supply chain | General third-party controls | Hardware & software provenance controls |
| Relationship | IT baseline — mandatory for all in-scope entities | OT extension — applies on top of ECC for OT operators |

Platform capabilities

How GRC Vantage supports NCA OTCC compliance

GRC Vantage ships with a pre-built NCA OTCC control library, OT asset register, ICS change management workflows, and OT-aware monitoring evidence capture — designed to work around operational constraints, not against them.

NCA OTCC Control Library

All ~85 controls pre-loaded with evidence prompts, OT-specific guidance, and NCA reference IDs — mapped to your zones, conduits, and asset classes for immediate gap assessment.

OT Asset Inventory

Maintain a single OT asset register with criticality classification, zone and conduit assignment, IT/OT boundary visibility, and protection requirements per OTCC — without requiring connectivity to production systems.

ICS Change Management

Manage OT changes with segregated engineering and cybersecurity approval workflows, planned maintenance windows, rollback planning, and post-change verification trails aligned to Domain 2 requirements.

Remote Access Security Tracking

Document and periodically review all remote access pathways into OT environments — vendor connections, engineering workstations, and IT/OT interfaces — with session-level evidence capture.

Supply Chain Integrity Register

Track hardware and software provenance for OT components, capture vendor assessments, and flag supply chain risks across Domain 4 — including sub-vendor dependencies and country-of-origin criteria.

OT Incident Response Workflows

Pre-built OT-specific IR playbooks, CERT-SA escalation templates, forensic evidence preservation checklists, and post-incident review workflows aligned to Domain 5 obligations.

FAQ

NCA OTCC — common questions

What is NCA OTCC?

The NCA Operational Technology Cybersecurity Controls (OTCC – 1 : 2022) is a mandatory framework issued by Saudi Arabia's National Cybersecurity Authority. It defines the cybersecurity controls that operators of OT systems — including ICS, SCADA, DCS, and PLCs — must implement to protect safety-critical and operationally critical environments across the Kingdom.

Who must comply with NCA OTCC?

NCA OTCC applies to operators of OT environments, not IT-only organisations. In scope are energy, oil and gas, water, wastewater, healthcare (OT), transport, and critical manufacturing operators running industrial control systems in Saudi Arabia. Private-sector industrials whose OT systems could cause public safety risk or national disruption are also expected to comply.

How does NCA OTCC relate to NCA ECC?

NCA ECC is the IT baseline covering information systems for all in-scope organisations. NCA OTCC is the OT-specific extension: where ECC controls cover assets, identity, monitoring, and incident response generically, OTCC adds OT-environment requirements — zone-and-conduit segmentation, OT-specific change management, hardware and software provenance, and OT-aware incident management. OT operators are expected to comply with both frameworks simultaneously.

What makes OT cybersecurity different from IT?

OT environments prioritise availability and safety over confidentiality, often run legacy systems with long refresh cycles, cannot be patched or rebooted without engineering coordination, and have physical consequences when compromised. Standard IT security practices — aggressive patching, endpoint agents, network scanning — can disrupt or damage OT systems. NCA OTCC addresses this reality with prescriptive controls for change management, remote access, segmentation, and continuity that are calibrated to OT constraints.

What are the key NCA OTCC implementation challenges?

Common challenges include: inventorying OT assets (many legacy systems lack documentation); applying segmentation without disrupting live operations; establishing patching programmes for equipment that vendors will not support; defining access control for engineering workstations that are often shared; integrating OT monitoring into a SOC that was designed for IT; and coordinating supply chain integrity checks across vendors who may not have a cybersecurity maturity programme.

Does NCA OTCC align with IEC 62443?

Yes — NCA OTCC borrows heavily from IEC 62443 concepts, particularly zone-and-conduit modelling and security levels from IEC 62443-2-1 and -3-3. Organisations that have implemented IEC 62443 can cross-map a significant proportion of OTCC controls to existing evidence. GRC Vantage maintains a cross-reference between NCA OTCC and IEC 62443 so a single zone design or control implementation satisfies both frameworks, reducing duplication.

Get started

Ready to bring your OT estate to NCA OTCC readiness?

Our Riyadh and Dammam teams specialise in OT cybersecurity for Saudi industrials. We can run an OT discovery sprint, gap baseline, and zone-and-conduit design — delivering a prioritised NCA OTCC roadmap calibrated to your operational constraints.