NCA ECC Compliance Checklist: What Saudi Mid-Market Organisations Need in 2026

What NCA ECC actually is (and isn’t)

The Essential Cybersecurity Controls (ECC) issued by Saudi Arabia’s National Cybersecurity Authority are a 114-control framework that became mandatory for in-scope organisations in 2018 and have steadily tightened in enforcement since. ECC is not a certification you earn once — it’s an ongoing compliance posture you demonstrate continuously, with periodic audits.

It applies to government agencies, public-sector entities, and the operators of National Critical Infrastructure. Many private-sector organisations adopt ECC voluntarily because it’s increasingly required in B2G procurement processes. If you’re tendering for government work or partnering with public-sector entities, ECC compliance has effectively moved from “nice to have” to “table stakes”.

The framework is structured around five domains, each with multiple control objectives and individual controls. Mid-market organisations frequently underestimate the integration burden — ECC controls don’t just sit in IT; they require explicit governance, documented procedures, and evidence collection.

Domain 1 — Cybersecurity Governance: 6 controls

Governance is the foundation. The controls cover cybersecurity strategy and policy, organisational structure and responsibilities, risk management, audit and review, and human resources cybersecurity. The single most common mid-market failure here is the absence of a board-approved cybersecurity policy with defined ownership.

Practical action: appoint a cybersecurity officer (or virtual CISO if internal hiring isn’t realistic), draft a one-to-three page cybersecurity policy approved by the most senior governance body in your organisation, and establish a documented annual review cycle.

Domain 2 — Cybersecurity Defence: 8 controls

This is the technical heart of ECC and where most mid-market budget goes. The controls cover asset management, identity and access management, information system and information processing facility protection, email protection, network security management, mobile devices security, data and information protection, and cryptography.

Practical priorities for mid-market organisations getting started: implement multi-factor authentication on all administrative and remote-access accounts, deploy enterprise-grade endpoint detection and response (EDR), segment your network with VLANs and explicit access control lists, and inventory your data assets with classification labels.

The single highest-leverage control in this domain is identity and access management. A well-implemented IAM programme — strong authentication, role-based access, privileged access management — reduces risk across virtually every other control area.

Domain 3 — Cybersecurity Resilience: 4 controls

Resilience covers business continuity, disaster recovery, backup, and incident response. Mid-market organisations frequently have backups but not tested restore procedures. The audit pattern here is consistent: backup files exist; nobody has done a full restore in 18 months; the backup might or might not work.

Practical action: schedule a quarterly tabletop incident response exercise, document the runbook, and run an annual full-restore test. Document the results either way — a failed restore documented and remediated is closer to compliance than a backup nobody has verified.

Domain 4 — Third-Party and Cloud

Third-party risk and cloud security have grown into their own domain because supply-chain attacks have become the dominant vector. Controls cover third-party cybersecurity assurance, cloud computing and hosting cybersecurity, and outsourcing cybersecurity. If you use cloud services — and you almost certainly do — these controls apply.

Practical priorities: maintain a vendor inventory with cybersecurity attestations, ensure all critical SaaS providers hold appropriate certifications (ISO 27001, SOC 2 Type II), and document the data classification and residency for each cloud service. The NCA Cloud Cybersecurity Controls (CCC), released as a complementary framework, give specific guidance for cloud workloads.

Domain 5 — Industrial Control Systems (if applicable)

If your organisation operates industrial systems — manufacturing, utilities, oil and gas, smart buildings, hospitality plant control — Domain 5 applies. Controls cover industrial control system security, IT/OT segregation, and OT-specific incident response.

For most mid-market organisations, Domain 5 is partially applicable: building management systems, CCTV, access control, and HVAC may all sit on networks adjacent to corporate IT. The minimum bar is segregation: OT networks isolated from IT networks with controlled gateways.

The “in scope” question — who needs ECC and who doesn’t

The strict answer: government agencies, public-sector entities, and operators of National Critical Infrastructure as defined by NCA. The operational answer: anyone who tenders for government work, partners with regulated entities, or operates infrastructure that touches public services.

Many private-sector mid-market organisations adopt ECC voluntarily for two reasons: it positions them favourably for government contracts, and it provides a defensible cybersecurity posture for board-level discussions. ECC alignment also significantly accelerates downstream certifications like ISO 27001.

ECC vs ISO 27001 vs SAMA — what overlaps, what doesn’t

ECC and ISO 27001 share roughly 70% of control overlap, which means a mid-market organisation already on its ISO 27001 journey can often add ECC alignment with limited incremental effort. SAMA’s Cyber Security Framework — applicable to financial sector entities — adds layered requirements specific to banking, insurance, and capital markets.

Practical sequencing: if you’re doing only one, start with ECC for KSA-aligned organisations, ISO 27001 if you’re internationally focused. Most regulated mid-market organisations end up doing both within 18-24 months.

Common audit findings (and how to avoid them)

The recurring audit findings in mid-market ECC assessments are: missing policy documents, inconsistent privileged access controls, untested backups, undocumented third-party access, and no formal incident response runbook. Each of these is straightforward to remediate, but leaving any one of them unaddressed keeps the corresponding audit finding open indefinitely.

Practical 90-day prep checklist

Days 1-30: gap assessment against ECC, asset and data inventory, policy framework drafted. Days 31-60: technical control gaps remediated (MFA, EDR, segmentation), backup tested. Days 61-90: incident response tabletop exercised, third-party register completed, documentation packaged for audit.

For a tailored gap assessment of your environment, book a cybersecurity readiness review. We deliver a control-by-control gap report mapped to ECC with effort and cost estimates per remediation. Pair cyber security with IT consulting, cloud computing, and server solutions for a complete compliance programme.
