NCA Essential Cybersecurity Controls (ECC): Official Framework Guide
Last Updated: December 2024
Framework Version: ECC-2:2024
Official Source: National Cybersecurity Authority (NCA)
What is NCA ECC?
The Essential Cybersecurity Controls (ECC) is a mandatory cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority (NCA). It establishes the minimum cybersecurity requirements for national entities to protect their information and technology assets.
The current version, ECC-2:2024, updates the original ECC-1:2018 framework with enhanced controls aligned to Saudi Arabia's Vision 2030 digital transformation goals.
Who Must Comply?
ECC compliance is mandatory for:
Government agencies in Saudi Arabia (ministries, authorities, establishments)
Affiliated companies and entities of government agencies (inside and outside the Kingdom)
Private sector entities owning, operating, or hosting Critical National Infrastructure (CNI)
The NCA strongly encourages all other entities in Saudi Arabia to adopt ECC as a cybersecurity best practice baseline.
Framework Structure
ECC-2:2024 consists of:
| Domain | Description |
|---|---|
| 1 — Cybersecurity Governance | Establishes the strategic foundation, organizational structure, policies, risk management, and human resources requirements for cybersecurity programs. |
| 2 — Cybersecurity Defense | Covers technical and operational controls including asset management, identity and access management, network security, data protection, vulnerability management, and incident response. |
| 3 — Cybersecurity Resilience | Addresses business continuity management and disaster recovery requirements to ensure organizational resilience against cyber incidents. |
| 4 — Third-Party and Cloud Computing Cybersecurity | Defines requirements for managing cybersecurity risks from third-party relationships, outsourcing arrangements, and cloud computing services. |
Domain 1: Cybersecurity Governance
This domain contains 10 subdomains covering strategy, management structure, policies, roles, risk management, project security, compliance, audits, human resources, and awareness training.
Subdomains:
1-1: Cybersecurity Strategy
1-2: Cybersecurity Management
1-3: Cybersecurity Policies and Procedures
1-4: Cybersecurity Roles and Responsibilities
1-5: Cybersecurity Risk Management
1-6: Cybersecurity in IT Project Management
1-7: Compliance with Standards, Laws, Regulations
1-8: Periodical Cybersecurity Review and Audit
1-9: Cybersecurity in Human Resources
1-10: Cybersecurity Awareness and Training Program
Key Governance Requirements
Independent Cybersecurity Department: Per High Order No. 37140 (dated 14/08/1438H), entities must establish a cybersecurity department that is independent from IT. It is recommended that this department report directly to the head of the entity.
Saudi Cybersecurity Professionals: All cybersecurity positions must be filled with full-time, qualified Saudi cybersecurity professionals. This requirement was strengthened in ECC-2:2024.
Cybersecurity Supervisory Committee: Entities must establish a committee to oversee compliance with and implementation of cybersecurity programs.
Domain 2: Cybersecurity Defense
This domain contains 15 subdomains covering the technical and operational security controls.
Subdomains:
2-1: Asset Management
2-2: Identity and Access Management
2-3: Information Systems and Processing Facilities Protection
2-4: Email Protection
2-5: Network Security Management
2-6: Mobile Devices Security
2-7: Data and Information Protection
2-8: Cryptography
2-9: Backup and Recovery Management
2-10: Vulnerability Management
2-11: Penetration Testing
2-12: Cybersecurity Event Logs and Monitoring Management
2-13: Cybersecurity Incident and Threat Management
2-14: Physical Security
2-15: Web Application Security
Key Defense Requirements
Multi-Factor Authentication (MFA): Required for remote access, privileged accounts, webmail access, and external web applications. ECC-2:2024 requires entities to define suitable authentication factors based on an impact assessment of authentication failure.
Cryptography: Must comply with NCA's National Cryptographic Standards. Encryption is required for data in transit and at rest, according to the data's classification level.
Event Log Retention: Cybersecurity event logs must be retained for at least 12 months.
Incident Reporting: Entities must report cybersecurity incidents to NCA and share threat intelligence, penetration indicators, and incident reports.
DDoS Protection: ECC-2:2024 added a new requirement (2-5-3-9) for protection against Distributed Denial of Service attacks.
Domain 3: Cybersecurity Resilience
This domain contains a single subdomain, focused on business continuity.
Subdomain:
3-1: Cybersecurity Resilience Aspects of Business Continuity Management
Key Resilience Requirements
Entities must ensure continuity of cybersecurity systems and procedures, develop response plans for cybersecurity incidents that may affect business continuity, and maintain disaster recovery plans.
Domain 4: Third-Party and Cloud Computing Cybersecurity
This domain contains 2 subdomains covering external relationships and cloud services.
Subdomains:
4-1: Third-Party Cybersecurity
4-2: Cloud Computing and Hosting Cybersecurity
Key Third-Party and Cloud Requirements
Managed Service Centers: Cybersecurity managed service centers for monitoring and operations using remote access must be fully located in Saudi Arabia.
Risk Assessment: Required before signing contracts with third parties providing IT, cybersecurity outsourcing, or managed services.
Cloud Data Protection: Cloud and hosting service providers must protect entity data according to its classification level and return the data in a usable format upon completion of the service.
Environment Separation: An entity's cloud environment (especially its virtual servers) must be separated from the environments of other entities.
Note on Data Localization: Data localization requirements previously in ECC have been transferred to the National Data Management Office (NDMO) at the Saudi Data and Artificial Intelligence Authority. Entities must refer to NDMO for data localization guidance.
Key Changes in ECC-2:2024
The 2024 update introduced several important changes from the original 2018 version:
Scope Expansion: Affiliated companies are now covered inside and outside the Kingdom.
Staffing Requirements: All cybersecurity positions (not just leadership) must be filled by Saudi professionals.
MFA Enhancement: Impact assessment is now required to determine appropriate authentication factors and techniques.
Email Security: Added DKIM and DMARC requirements alongside the existing SPF requirement.
DDoS Protection: New control (2-5-3-9) added for protection against Distributed Denial of Service attacks.
ICS/OT Removal: Industrial Control Systems controls (formerly Domain 5) have been moved to the separate OTCC framework.
Data Localization Transfer: Data localization requirements transferred to NDMO jurisdiction.
Cryptography Standards: Must now comply with NCA's National Cryptographic Standards.
Compliance and Assessment
Implementation Responsibility
Per Article 10(3) of NCA's Statute and High Order No. 57231, all entities within scope must take necessary measures to ensure ongoing compliance with ECC.
Assessment Methods
NCA evaluates compliance through self-assessment by entities, periodic reports via the compliance tool, and field auditing visits.
NCA provides an official assessment tool (ECC-2:2024 Assessment and Compliance Tool) to organize the compliance measurement process.
Related NCA Frameworks
ECC operates alongside other NCA cybersecurity frameworks:
CCC (Cloud Cybersecurity Controls): For cloud service providers and cloud tenants. Entities using cloud services must comply with both ECC and CCC.
TCC (Telework Cybersecurity Controls): For securing remote work environments.
CSCC (Critical Systems Cybersecurity Controls): For critical infrastructure systems.
OTCC (Operational Technology Cybersecurity Controls): For industrial control systems and operational technology. This was formerly ECC Domain 5.
Official Resources
Framework Document:
ECC-2:2024 English PDF
NCA Regulatory Documents:
nca.gov.sa/en/regulatory-documents
Implementation Guide:
Guide to Essential Cybersecurity Controls Implementation
Disclaimer
This guide is provided for informational purposes as a reference to official NCA publications. The Arabic version of ECC is the legally binding text for all matters relating to meaning or interpretation. Organizations should consult the official NCA documentation and seek professional guidance for compliance implementation.
Global Compliance Code provides vendor-neutral, source-based regulatory reference materials. All content is derived from official regulatory publications.