
For any organization operating critical systems in the Kingdom, the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC) are not optional guidance. They are the regulatory baseline against which an organization's security posture is measured. In October 2024 the NCA replaced the original ECC-1:2018 with an updated edition, ECC-2:2024, that reshaped how compliance is scoped, structured, staffed, and assessed. For boards and security leaders, understanding what changed is the difference between a smooth assessment and a scramble. This guide explains what the controls are, who they apply to, how the framework is structured, what changed, and how to build a compliance program that holds up under scrutiny.
The ECC is a mandatory set of minimum cybersecurity controls developed by the NCA from an analysis of national legislation and leading international standards. [1] It serves two purposes at once. It is an implementation baseline that tells in-scope entities what they must put in place, and it is an assessment tool the NCA uses to measure whether they have done so. [2] Because it is the baseline rather than an aspirational target, every in-scope entity must meet it regardless of sector, size, or complexity.
ECC-2:2024 broadly mirrors the scope of its predecessor, with one notable clarification. It applies to government entities in the Kingdom — including ministries, authorities, government-established entities, and their subsidiaries and affiliates — and ECC-2 specifically confirms that government entities established outside Saudi Arabia also fall within scope. It also applies to private-sector organizations that own, operate, or host Critical National Infrastructure (CNI). [2]
Private-sector organizations that are not CNI operators are not always directly bound, but compliance is frequently required indirectly — through contractual relationships with government entities, or through sector-specific regulations that reference the ECC as a baseline. [2] In practice, any company that wants to win or keep public-sector business should treat ECC alignment as a commercial prerequisite.
The framework uses a hierarchy: main domains contain subdomains, which contain main controls, which contain subcontrols with specific implementation requirements. ECC-2:2024 consists of 4 main domains, 28 subdomains, 108 main controls, and 92 subcontrols. [1] The four domains are:
1. Cybersecurity Governance — strategy, management, policies and procedures, roles and responsibilities, risk management, security in IT projects, compliance, periodic review and audit, human-resources security, and an awareness and training program.
2. Cybersecurity Defence — the largest domain, covering asset management, identity and access management, network security, cryptography, and vulnerability management. This domain alone accounts for a substantial share of the controls.
3. Cybersecurity Resilience — embedding cybersecurity into business-continuity and disaster-recovery so the organization can withstand and recover from incidents.
4. Third-Party and Cloud Computing Cybersecurity — managing the risk introduced by vendors, contractors, and cloud providers.
The Cybersecurity Defence domain is where most technical effort concentrates, with published analysis describing it as containing 15 subdomains and roughly 60 controls. [3]
What changed from ECC-1:2018
• Streamlined structure: ECC-1 had 5 domains, 29 subdomains, and 114 controls; ECC-2 was consolidated to 4 domains, 28 subdomains, and 108 controls, with overlapping requirements merged and organizations directed to specific NCA standards.
• Saudization of cybersecurity roles: under ECC-1 only senior positions required Saudi nationals; ECC-2 now mandates that cybersecurity positions be filled by qualified, full-time Saudi professionals.
• Data localization realigned: responsibility for data-hosting and localization requirements shifted toward the National Data Management Office (NDMO) under SDAIA, rather than being prescribed directly within the ECC.
These changes are documented in published legal analysis of the new edition. [2]
Reaching ECC alignment is a program, not a project. A credible sequence looks like this:
1. Scoping — confirm which systems and entities fall within scope, including subsidiaries and any hosted CNI.
2. Gap assessment — map your current controls against all 108 controls and identify where you fall short, with evidence.
3. Prioritized remediation — close the highest-risk gaps first, typically in governance and defence, before lower-risk items.
4. Evidence and documentation — most organizations do not fail for missing controls; they fail because they cannot demonstrate that controls operated consistently over time. Build the evidence trail as you go.
5. Continuous monitoring — the NCA expects ongoing compliance, not a one-time pass, supported by the forthcoming ECC-2:2024 Assessment and Compliance Tool.
Internal validation note: The exact subdomain and control counts above are taken from the official NCA ECC-2:2024 document; confirm the current published figures against the NCA portal before citing them externally, as the NCA may issue revisions.
ITBuilders supports organizations across the full ECC lifecycle. We run a gap assessment against the current ECC-2:2024 controls, produce a prioritized remediation roadmap, and deliver the technical implementation that actually closes the gaps — network and endpoint defence, identity and access management, vulnerability management, and continuous monitoring through a managed SOC. Our consulting team handles the governance documentation and evidence trail the NCA assesses, while our engineers harden the environment itself. The result is alignment with the controls the regulator measures, backed by the evidence to prove it.
Sources [1] https://cdn.nca.gov.sa/api/files/public/upload/86e09090-44e4-481f-bc28-355673607654_ECC--2024-EN.pdf
[2] https://www.securityscientist.net/blog/12-questions-and-answers-about-nca-ecc-standard/
[3] https://blog.qualys.com/product-tech/2025/05/05/bridging-the-gap-how-qualys-simplifies-nca-ecc-2024-compliance-for-businesses
