NCA ECC Compliance
Saudi Arabia’s mandatory baseline cybersecurity controls for government bodies and critical national infrastructure, with sector extensions (CSCC, OTCC, CCC).
Applies to Saudi government entities, critical national infrastructure, and many regulated organisations operating in the Kingdom.
- 5 main domains and 114 controls in the ECC baseline
- Mandatory for in-scope entities, with regular compliance assessment
- Sector controls (cloud, OT, critical systems) layer on top
Free NCA ECC gap checker
Answer 8 quick questions for an instant readiness score and your priority gaps. ~2 minutes, no sign-up.
1. Do you have approved security policies and clear ownership of cyber risk?
2. How do you identify and treat information-security risks?
3. How are identity and access managed?
4. Do you maintain an inventory of assets and data?
5. How is sensitive/personal data protected?
6. What monitoring and detection do you have?
7. How prepared are you for a security incident?
8. How do you manage supplier/third-party risk?
NCA ECC — frequently asked
Who must comply with NCA ECC?
Saudi government organisations and critical national infrastructure operators, plus entities the NCA designates as in scope.
How is NCA ECC compliance assessed?
Through periodic self-assessment and NCA-led compliance evaluation against the control set.
Does ISO 27001 help with NCA ECC?
Yes — a strong ISMS covers much of the ECC, and a single control set can be mapped to satisfy both.