Learning about NCA ECC Compliance in Brief

Published on : 03 Sep 2021


A digitally driven industry must treat cybersecurity as its top priority. Cybersecurity plays a key role in securing an organization's IT infrastructure and protecting sensitive data against breaches. Cybercrime often has a huge impact on business, leaving behind legal implications, a scarred reputation, and heavy financial losses. While regulators around the world have been working towards building strong security measures, it is the organizations that need to step up their game and build strong cybersecurity measures against various cyber threats.

Recognizing the urgent need for organizations to adopt the best and proven cybersecurity measures, Saudi Arabia's National Cybersecurity Authority (NCA) issued an industry best practice for businesses in the region to adopt. In 2018, NCA introduced the Essential Cybersecurity Controls (ECC) as a minimum cybersecurity requirement for organizations in Saudi Arabia. By enforcing the Essential Cybersecurity Controls Framework, the NCA looks to encourage organizations to adopt the framework and improve their cybersecurity resilience. This article briefly covers what you need to know about the NCA ECC framework. Before getting into the details, let us first understand what the ECC framework is.

What is NCA ECC Compliance?

After a comprehensive study of various national and international cybersecurity frameworks and standards, the National Cybersecurity Authority (NCA) within the Kingdom of Saudi Arabia (KSA) introduced the Essential Cybersecurity Controls (ECC) Framework. The NCA ECC was developed so that organizations in Saudi Arabia maintain and support the cybersecurity initiative. This helps protect the country's interests, national security, critical infrastructure, and government services.

The framework is a minimum cybersecurity requirement in the country for ensuring the security of sensitive government data and technology assets in Saudi Arabia. The controls are based on industry best practices and aim to help organizations build a strong defense against cybersecurity risks. All organizations within Saudi Arabia are encouraged to implement the ECC framework to improve their cybersecurity measures.

What is the intention behind establishing NCA ECC? 

The increasing number of cyber threats and the evolving techniques of cybercrime have driven the National Cybersecurity Authority in Saudi Arabia to establish a strong cybersecurity framework for organizations to implement. The objectives behind enforcing the Essential Cybersecurity Controls include:

  • To set a minimum cybersecurity requirement for protecting sensitive government information and technology assets.
  • To minimize cybersecurity risks and prevent breach incidents in the country.
  • To protect the Confidentiality, Integrity & Availability of critical government assets and data.

Applicability of NCA ECC Compliance

The NCA's Essential Cybersecurity Controls Framework applies to government organizations in Saudi Arabia. This includes ministries, authorities, establishments, companies, and private sector organizations owning or dealing with Critical National Infrastructures (CNIs). Which controls apply depends on what the organization uses. For instance, an organization that uses cloud computing and hosting services must implement the controls in the Cloud Computing & Hosting Cybersecurity subdomain, and an organization that uses industrial control systems must implement the control requirements under the Industrial Control Systems Cybersecurity subdomain. In general, however, NCA encourages every organization in the country to adopt this framework as a cybersecurity best practice.

What are the Essential Cybersecurity Controls outlined in the Compliance? 

NCA ECC is a cybersecurity framework that was developed and enforced to improve cybersecurity efforts within the country. The ECC framework consists of 114 cybersecurity controls under 29 subdomains, organized into five main domains: Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third-party & Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity. These cybersecurity controls are linked to related national and international laws and regulatory requirements in the country.


29 Cybersecurity Subdomains in ECC

Cybersecurity Governance

  • Cybersecurity Strategy
  • Cybersecurity Management
  • Cybersecurity Policies and Procedures
  • Cybersecurity Roles and Responsibilities
  • Cybersecurity Risk Management
  • Cybersecurity in Information and Technology Project Management
  • Compliance with Cybersecurity Standards, Laws, and Regulations
  • Periodical Cybersecurity Review and Audit
  • Cybersecurity in Human Resources
  • Cybersecurity Awareness and Training Program

Cybersecurity Defense

  • Asset Management
  • Identity and Access Management
  • Information Systems and Information Processing Facilities Protection
  • Email Protection
  • Network Security Management
  • Mobile Devices Security
  • Data and Information Protection
  • Cryptography
  • Backup and Recovery Management
  • Vulnerability Management
  • Penetration Testing
  • Cybersecurity Event Logs and Monitoring Management
  • Cybersecurity Incident and Threat Management
  • Physical Security
  • Web Application Security

Cybersecurity Resilience

  • Cybersecurity Resilience Aspects of Business Continuity Management (BCM)

Third-Party and Cloud Computing Cybersecurity

  • Third-Party Cybersecurity
  • Cloud Computing and Hosting Cybersecurity

Industrial Control Systems Cybersecurity

  • Industrial Control Systems (ICS) Protection


The NCA ECC framework outlined above may seem challenging to implement. But with a detailed analysis of your current cybersecurity posture against the ECC framework, you can work towards closing the gaps. So, before implementing the ECC framework, we strongly recommend a detailed gap assessment using the ECC assessment toolkit provided by NCA. Thereafter, you must consult with an expert to evaluate and implement the controls deemed necessary to achieve compliance.

Compliance with the ECC controls should be supported by appropriate, validated evidence that backs your compliance status. This is where experts are required to guide you through the compliance process.

We at VISTA InfoSec offer cybersecurity consulting services to organizations looking to achieve compliance with various regulatory standards. If you are looking for assistance with NCA ECC Compliance, our expert compliance consultants can help you navigate the entire process with complete handholding through the compliance journey. For more details on the regulation, you can check our blogs at https://www.vistainfosec.com/blog/ or, for service-related queries, drop us a mail at info[@]vistainfosec.com

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.