TCC – 1 · National Cybersecurity Authority · Kingdom of Saudi Arabia

NCA TCC — Telework Cybersecurity Controls

Saudi Arabia's mandatory cybersecurity framework for organisations enabling remote or hybrid work. Covers telework governance, device security, network security, and identity management — issued by the National Cybersecurity Authority as a remote-work extension of the ECC baseline.

4 main domains

01 Telework Cybersecurity Governance (4 subdomains)
02 Telework Device Security (5 subdomains)
03 Telework Network Security (4 subdomains)
04 Telework Identity & Access Management (4 subdomains)

What NCA TCC covers

The NCA Telework Cybersecurity Controls (TCC – 1) is Saudi Arabia's mandatory cybersecurity framework for remote and hybrid working, issued by the National Cybersecurity Authority. TCC recognises that the shift to telework fundamentally changes the threat landscape — corporate endpoints leave the protected network perimeter, connections traverse untrusted home broadband and public Wi-Fi, and identity becomes the primary security boundary.

TCC applies to any organisation operating in Saudi Arabia that enables employees, contractors, or third parties to work remotely. It is mandatory for government entities and CNI operators; private-sector organisations enabling telework are also in scope. Compliance requires evidenced implementation of all applicable TCC controls — from documented telework policies through device posture records to session monitoring evidence — with periodic submission through the NCA's national reporting service.

The four TCC domains extend the NCA ECC baseline with controls specific to the remote-work context. Notably, TCC introduces a dedicated BYOD subdomain, explicit zero-trust architecture principles, VPN and tunnelling requirements, and detailed session recording obligations for privileged remote access — none of which are covered at this level of specificity in the ECC. Organisations subject to TCC must maintain ECC compliance simultaneously; TCC adds to the ECC baseline rather than replacing it.

Control library

NCA TCC domains and subdomains

01 Telework Cybersecurity Governance

Telework Policy & Procedures
Telework Risk Assessment
Roles & Responsibilities for Remote Work Security
Security Awareness for Remote Staff

02 Telework Device Security

Endpoint Hardening & Baseline
Mobile Device Management
BYOD Policy & Controls
Device Encryption
Remote Device Wipe & Compliance

03 Telework Network Security

Secure VPN & Tunneling
Network Access Controls
DNS Security for Remote Workers
Wi-Fi & Home Network Guidelines

04 Telework Identity & Access Management

Multi-Factor Authentication for Remote Access
Privileged Remote Access Management
Session Monitoring & Recording
Zero-Trust Architecture Principles

Applicability

Who must comply with NCA TCC

Government & Semi-Government Entities
All Saudi government ministries, public authorities, and semi-government bodies with employees in remote or hybrid work arrangements.

CNI Operators
Critical national infrastructure operators whose staff access OT or IT systems remotely — energy, water, telecoms, healthcare, transport.

Private-Sector Organisations
Private companies operating in Saudi Arabia that permit employees, contractors, or third parties to work remotely or connect from outside organisational premises.

SAMA-Licensed Entities
Financial institutions supervised by SAMA that enable telework are required to align remote-work controls with both SAMA CSF and NCA TCC obligations.

Framework comparison

NCA TCC vs NCA ECC

| Aspect | NCA TCC | NCA ECC |
| --- | --- | --- |
| Primary focus | Remote and hybrid work security controls — device, network, identity, governance | Organisational cybersecurity baseline across all control domains |
| Scope | Any Saudi organisation enabling employees to work remotely | All government, CNI, and critical-sector organisations in Saudi Arabia |
| Endpoint / device security | Dedicated domain — hardening, MDM, BYOD, encryption, remote wipe all explicit | Endpoint addressed under asset management; less granular |
| VPN and remote access | Explicit secure VPN, tunnelling, and network access control requirements | Remote access addressed through identity and network controls at high level |
| BYOD controls | Dedicated BYOD Policy & Controls subdomain with specific obligations | Not explicitly addressed; implied through general asset and identity controls |
| Zero-trust principles | Zero-Trust Architecture Principles subdomain within IAM domain | Not an explicit framework construct; implied through segmentation and access controls |
| MFA for remote access | Explicit requirement within Telework IAM domain | MFA addressed within identity management subdomain as general requirement |
| Session monitoring & recording | Explicit subdomain for telework session monitoring and privileged access recording | Covered under monitoring domain at a general level |
| Control count | ~50 controls | 108 controls, 92 sub-controls |
| Assessment cadence | NCA-mandated periodic assessment and evidence submission | NCA-mandated annual self-assessment via national reporting service |

Platform

GRC Vantage for NCA TCC

Six purpose-built capabilities covering the full TCC control set — from telework policy governance to device posture and privileged session recording — hosted inside Saudi Arabia for data residency compliance.

Remote Access Policy Lifecycle
Govern VPN, ZTNA, and remote desktop policies with role-based access models, change history, and NCA TCC-aligned approval workflows.

Endpoint Posture Tracking
Integrate MDM and EDR telemetry to track device hardening, patch posture, encryption status, and BYOD compliance against TCC requirements.

BYOD Control Register
Document BYOD policies, enrolment records, acceptable-use agreements, and segregation controls — with evidence linking directly to the TCC BYOD subdomain.

Privileged Remote Access Management
Track privileged remote sessions, enforce time-bound access, capture session recordings, and surface evidence for each TCC IAM control.

Awareness Campaign Tooling
Manage telework-specific awareness campaigns, phishing simulations, and staff acknowledgement records with NCA TCC training evidence per control.

NCA-Ready Evidence Packs
Auto-assemble examination packs linking each TCC control to live evidence — access logs, endpoint posture reports, policy records, and incident history.

Reference

Frequently asked questions

What is NCA TCC?
The NCA Telework Cybersecurity Controls (TCC – 1) is a mandatory framework issued by Saudi Arabia's National Cybersecurity Authority that defines cybersecurity requirements for organisations enabling remote or hybrid work. It covers four domains: governance, device security, network security, and identity and access management — providing specific controls that extend the ECC baseline for telework environments.

Who must comply with NCA TCC?
Any organisation operating in Saudi Arabia that permits employees, contractors, or third parties to work remotely must implement NCA TCC. This includes government ministries, semi-government entities, CNI operators, and private-sector companies with remote or hybrid workers. SAMA-licensed financial institutions enabling telework must align with both TCC and SAMA CSF remote-work requirements.

How does NCA TCC relate to NCA ECC?
NCA ECC is the organisational cybersecurity baseline that all in-scope Saudi entities must comply with. NCA TCC adds a remote-work-specific layer on top of the ECC, introducing controls that the ECC addresses only at a high level — such as BYOD policy, dedicated VPN requirements, zero-trust architecture principles, and telework session recording. Organisations with remote workers must comply with both frameworks; TCC does not replace ECC but supplements it for the telework context.

What are key NCA TCC device security requirements?
The Telework Device Security domain requires endpoint hardening against a documented baseline, mobile device management (MDM) enrolment for all corporate devices used remotely, a documented BYOD policy with technical controls enforcing data segregation, encryption of all devices and storage media used for remote work, and a capability for remote device wipe and compliance checking. Evidence of MDM policy, device encryption certificates, and BYOD agreements must be maintained for NCA examination.

Does BYOD require special treatment under NCA TCC?
Yes. NCA TCC has a dedicated BYOD Policy & Controls subdomain within the Telework Device Security domain. Organisations permitting BYOD must have a documented BYOD policy, technical segregation between personal and corporate data on the device, enrolment and monitoring controls, acceptable-use agreements signed by employees, and a process for remotely removing corporate data when an employee departs. BYOD devices must meet the same encryption and endpoint hardening baseline as corporate-issued devices.

How does zero-trust relate to NCA TCC?
The Telework Identity & Access Management domain includes a Zero-Trust Architecture Principles subdomain. NCA TCC requires organisations with remote workers to move toward a zero-trust model — where access is never implicitly trusted regardless of network location and is instead granted based on continuous verification of identity, device posture, and context. In practice this means implementing conditional access policies, micro-segmentation, and identity-centric controls that treat each remote access request as untrusted by default.

Get started

Run your NCA TCC compliance programme with GRC Vantage

The complete NCA TCC control library is pre-loaded inside GRC Vantage with remote access policy workflows, endpoint posture tracking, BYOD controls, and submission-ready evidence packs. Hosted inside Saudi Arabia for full NCA, SAMA, and PDPL data residency compliance.