NCA ECC: 4 Domains, 108 Controls & Compliance Explained

If you are reading about the NCA's Essential Cybersecurity Controls, there is a good chance the guidance in front of you is out of date. Most articles still describe ECC-1:2018, the original version, including its control count, its five domains, and its Saudization rule. All three of those changed when the NCA released ECC-2:2024.

The Essential Cybersecurity Controls are the NCA's foundational framework: the minimum cybersecurity requirements that in-scope organisations in Saudi Arabia must meet. ECC-2:2024 restructured that framework into 4 main domains, 28 subdomains, and 108 main controls (with 92 subcontrols beneath them). It also introduced one change with serious operational consequences that many companies, particularly foreign firms operating in the Kingdom, have not registered: every cybersecurity role must now be filled by a qualified Saudi national, not just senior positions.

This guide breaks down ECC-2:2024 the way it actually exists in 2026: what changed from the 2018 version, what each of the four domains requires, what auditors look for and the gaps they most often find, which controls are non-negotiable versus advisory, and the Saudization requirement in full. If you need the wider regulatory picture first, start with our guide to what the NCA is and come back here for the controls.

A note on numbers: you will see "110 controls" cited in several places online. The NCA's own ECC-2:2024 document specifies 108 main controls and 92 subcontrols; that is the figure we use throughout.

  1. What Changed From ECC 1:2018 to ECC 2:2024
  2. Domain 1 — Cybersecurity Governance
  3. Domain 2 — Cybersecurity Defence
  4. Domain 3 — Cybersecurity Resilience
  5. Domain 4 — Third-Party and Cloud Cybersecurity
  6. Mandatory vs Advisory — What's Non-Negotiable
  7. Cybersecurity Saudization — The Requirement Many Miss
  8. How SecurityWall Conducts ECC Compliance Assessments

What Changed From ECC 1:2018 to ECC 2:2024

ECC-2:2024 is a refinement of ECC-1:2018, not a wholesale replacement of its philosophy. The control objectives are recognisably the same but the structure was streamlined, the headcount rules were tightened, and several authorities were reassigned. The differences are exactly where out-of-date guidance trips organisations up.

The Update at a Glance: ECC-1:2018 vs ECC-2:2024

Element             ECC-1:2018                        ECC-2:2024
Main domains        5                                 4 (streamlined)
Subdomains          29                                28
Controls            114                               108 (+ 92 subcontrols)
ICS / OT domain     Standalone 5th domain             Consolidated into the four
Saudization         Senior roles only                 ALL cybersecurity roles
Data localisation   Addressed within the ECC          Authority moved to the NDMO
Scope               Govt entities and CNI operators   Same, with extraterritorial reach clarified

The two rows that catch organisations out most: the controls count (it is 108, not the "110" widely quoted) and Saudization (now all roles, not just senior ones).

The scope of who must comply did not materially widen under ECC-2:2024 itself; it remains government entities and operators of Critical National Infrastructure, with the extraterritorial reach to government subsidiaries and affiliates clarified. The framework that brought the wider private sector into mandatory cybersecurity obligations is the separate NCNICC-1:2025, covered in our NCA overview. If you are an in-scope entity for the ECC, the four domains below are your map.

Financial Sector? You Likely Have Two Regulators, Not One

Banks, insurers, payment firms, and fintechs operating in the Kingdom are typically in scope for the NCA's ECC as critical infrastructure — and separately regulated by SAMA's Cyber Security Framework. Meeting one does not satisfy the other. SecurityWall runs both NCA and SAMA programmes together, so financial-sector clients cover both regimes in a single coordinated engagement.

See our SAMA compliance work →

Domain 1 — Cybersecurity Governance

Governance is where ECC compliance succeeds or fails, because it is the foundation auditors examine first. This domain establishes that cybersecurity is owned, resourced, and directed from the top of the organisation rather than left to IT.

Its subdomains cover the cybersecurity strategy; cybersecurity management, including the requirement to establish a cybersecurity function that is independent of the IT department; clearly defined cybersecurity roles and responsibilities; cybersecurity risk management; cybersecurity within IT project and change management; compliance with cybersecurity regulations and standards; periodic cybersecurity review and audit; and the cybersecurity aspects of human resources, from pre-employment screening through to secure offboarding.

What auditors check

Approved cybersecurity strategy and policies with review dates; evidence the cybersecurity function is genuinely independent of IT; a maintained risk register; and documented periodic audits.

Common gap

The cybersecurity function reports into IT rather than independently, creating the conflict of interest the ECC is designed to prevent; and policies exist on paper but show no evidence of leadership approval or review.

Domain 2 — Cybersecurity Defence

This is the largest domain and the technical heart of the ECC. It translates governance into the operational controls that actually protect systems and data, and it is where the majority of the 108 controls sit.

Its subdomains span asset management; identity and access management, including multi-factor authentication and privileged access; the protection of information systems and processing facilities; email protection; network security management; mobile device and bring-your-own-device security; data and information protection; cryptography; backup and recovery management; vulnerability management; penetration testing; cybersecurity event logging and monitoring; incident and threat management; physical security; and web application security. In short, it covers the full defensive stack from identity through to data.

What auditors check

An accurate asset inventory; MFA on critical systems; periodic access reviews; encryption in transit and at rest with managed keys; tested backups; logging and monitoring with real alerting; and evidence of regular vulnerability scanning and penetration testing.

Common gap

Penetration testing is treated as optional or done once and forgotten, and logs are collected but not actively monitored — so detection gaps stay invisible until an incident or an audit exposes them.

The penetration testing requirement in this domain is one of the controls organisations most often underestimate. We cover scope and expectations in detail in our guide to NCA penetration testing requirements.

Domain 3 — Cybersecurity Resilience

The resilience domain is compact but consequential. It ensures that cybersecurity is built into business continuity, so that the organisation can withstand, respond to, and recover from disruptive cyber incidents rather than treating continuity and security as separate disciplines.

In practice this means the cybersecurity aspects of business continuity management: that continuity and disaster-recovery plans explicitly account for cyber incidents, that recovery capabilities exist for critical systems, and, crucially, that those plans are tested rather than merely written.

What auditors check

A business continuity and disaster-recovery plan that covers cyber scenarios, defined recovery objectives for critical systems, and dated records of recovery and continuity testing.

Common gap

Continuity plans exist but have never been exercised against a cyber scenario, and backups are assumed to work without a documented restoration test.

Domain 4 — Third-Party and Cloud Cybersecurity

The final domain addresses the risks an organisation inherits from others: its suppliers and its cloud providers. As Saudi organisations move workloads to the cloud and rely on external vendors, this domain has become one of the most scrutinised.

It is built around two areas. The first is third-party and supplier cybersecurity: assessing vendors before onboarding, embedding cybersecurity requirements in contracts, and monitoring suppliers over time. The second is cloud computing and hosting cybersecurity, which sets expectations for data classification, separation of your data from other tenants, and the ability to retrieve your data in usable form when a service ends. This domain connects directly to the NCA's dedicated Cloud Cybersecurity Controls (CCC-2:2024), which go deeper for cloud-heavy organisations.

What auditors check

A maintained supplier inventory, evidence of vendor security assessments, cybersecurity clauses in contracts, and cloud configurations that demonstrate data classification, tenant separation, and data-return arrangements.

Common gap

Critical cloud and SaaS vendors onboarded with no security assessment, and no contractual cybersecurity requirements — leaving a supply-chain hole the ECC explicitly targets.

Know Your Gaps Before the Auditor Does

A structured ECC gap assessment maps your organisation against all four domains and shows exactly where you stand. SecurityWall's NCA-registered team runs ECC-2:2024 gap assessments end to end.

Mandatory vs Advisory — What's Non-Negotiable

A frequent misreading of the ECC is that every line is equally binding. It is more precise than that, and understanding the distinction saves wasted effort.

For an in-scope entity, the ECC controls are mandatory minimums, not a menu. They are written in the language of obligation ("the entity shall…"), and the NCA assesses compliance through self-assessments, on-site inspections, and its compliance tooling. There is no picking and choosing among the main controls that apply to you.

Three nuances sit alongside that. First, some controls are conditional: they apply only if your organisation operates the relevant technology or service; a control about a particular system type does not apply if you do not run that system. Second, a smaller set of provisions uses recommending rather than mandating language ("it is recommended that…"), such as the suggested reporting line for the cybersecurity function; these are advisory good practice rather than hard requirements. Third, for organisations that fall outside the ECC's mandatory scope entirely, the NCA strongly encourages voluntary adoption: the framework is advisory as a whole for them.

The safe operating assumption for an in-scope entity is simple: treat every applicable main control as mandatory, document why any control you have deemed not applicable genuinely does not apply, and treat the recommended provisions as the standard you will be measured against in practice, even where the wording is softer.

Cybersecurity Saudization — The Requirement Many Miss

This is the single change in ECC-2:2024 most likely to catch an organisation off guard, because it is not a technical control; it is a workforce mandate with direct hiring and contracting consequences.

Under ECC-1:2018, only senior cybersecurity positions needed to be held by Saudi nationals. ECC-2:2024 expanded this substantially: all cybersecurity positions within an in-scope organisation must now be occupied by full-time, qualified Saudi professionals. The intent is to build national cybersecurity talent and strengthen the Kingdom's local capability, but the practical effect is immediate for any organisation whose security team is staffed by expatriates or outsourced offshore.

For foreign and multinational companies operating in Saudi Arabia, this has three implications. It is a compliance requirement: non-conformity here is a finding like any other. It is a hiring challenge, in a market where qualified Saudi cybersecurity professionals are in high demand. And it is a structural decision: organisations must either build a compliant in-house Saudi team, invest in nationalisation and knowledge-transfer programmes, or work with an NCA-registered local provider whose team already meets the requirement.

The practical takeaway: if your cybersecurity function is staffed offshore or by expatriates, ECC-2:2024 Saudization is a gap you need to plan for now, not discover during an assessment. Partnering with a locally grounded, NCA-registered provider is one route to meeting it while building internal capability.

How SecurityWall Conducts ECC Compliance Assessments

SecurityWall is an NCA-registered and approved cybersecurity firm that takes Saudi organisations through ECC-2:2024 compliance end to end: from establishing scope, through a full gap assessment against all four domains, to the penetration testing the controls require and ongoing support. Our team holds OSCP, OSWE, CREST, CISM, and CISSP credentials and works to the NCA's current requirements, not the outdated 2018 structure.

ECC-2:2024 Gap Assessment

  • Control-by-control assessment across all four domains and 28 subdomains
  • Clear status for each applicable control, with conditional controls correctly scoped in or out
  • A prioritised remediation roadmap mapped to the controls auditors weight most heavily

Evidence and Remediation Support

  • Guidance on the exact evidence the NCA and its assessors expect for each domain
  • Remediation advisory across governance, defence, resilience, and third-party or cloud controls
  • Help separating mandatory controls from conditional and recommended provisions, so effort goes where it counts

Penetration Testing for the Defence Domain

Financial Sector — NCA and SAMA Together

NCA-Registered and Locally Grounded

  • A recognised provider within the Kingdom's regulated cybersecurity ecosystem
  • Familiar with NCA documentation standards and the assessment process
  • Positioned to support organisations navigating the Saudization requirement

ECC 2:2024 Compliance

Find Out Where You Stand Against All 108 Controls.

An NCA-registered team to run your ECC-2:2024 gap assessment across all four domains, prioritise remediation, and handle the penetration testing the controls require. Built for Saudi organisations, aligned to the current standard.

NCA-registered · OSCP, OSWE, CREST, CISM, and CISSP-certified team

Frequently Asked Questions

How many controls are in NCA ECC 2:2024?

The NCA's ECC-2:2024 document specifies 108 main controls and 92 subcontrols, organised into 4 main domains and 28 subdomains. You will sometimes see "110 controls" quoted online, but 108 is the figure in the official document.

What are the four domains of ECC 2:2024?

Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, and Third-Party and Cloud Cybersecurity. ECC-1:2018 had a fifth domain for Industrial Control Systems, which was consolidated when the framework was streamlined to four.

What is the difference between ECC 1:2018 and ECC 2:2024?

ECC-2:2024 streamlined the structure from 5 domains and 114 controls to 4 domains and 108 controls, expanded Saudization so that all cybersecurity roles must be filled by Saudi nationals (not just senior ones), moved data-localisation authority to the NDMO, and clarified the framework's extraterritorial reach.

Who must comply with ECC 2:2024?

Government entities (including their subsidiaries and affiliates, inside and outside the Kingdom) and private sector organisations that own, operate, or host Critical National Infrastructure. Other private companies fall under the separate NCNICC-1:2025 framework rather than the ECC.

What is the Saudization requirement in ECC 2:2024?

ECC-2:2024 requires all cybersecurity positions in an in-scope organisation to be filled by full-time, qualified Saudi nationals, an expansion from ECC-1:2018, which required this only for senior roles. It has direct hiring implications for foreign and multinational companies operating in Saudi Arabia.

Are all ECC controls mandatory?

For in-scope entities, the applicable main controls are mandatory minimums. Some controls are conditional and apply only if you operate the relevant technology, and a small number of provisions are phrased as recommendations rather than requirements. Organisations outside the ECC's mandatory scope are strongly encouraged to adopt it voluntarily.