NCA Gap Assessment: What to Expect and How to Prepare
If you are looking for an NCA gap assessment in Saudi Arabia, you are at the decision point most organisations reach right after their first serious read of the Essential Cybersecurity Controls: you know the regulation applies to you, you suspect you are not fully aligned, and you want a clear, defensible picture of where the gaps are before you commit to a full implementation programme. That picture is exactly what a gap assessment produces, and the cost of skipping it (paying for remediation work scoped against assumptions instead of evidence) is the most common expensive mistake in NCA programmes.
This guide is written for that decision. It explains what an NCA ECC gap assessment actually is, who needs one, what a credible assessment covers, what the report should look like, how long it takes, what to prepare before it starts, and what to look for in the team delivering it. Throughout, we use the current framework, ECC 2:2024, with its 4 domains, 28 subdomains, and 108 main controls plus 92 subcontrols, rather than the older ECC-1:2018 numbers (five domains, 114 controls) that some providers still publish.
For the wider regulatory context, see our NCA ECC requirements guide. For a free self-check before you commission anything paid, our NCA ECC compliance checklist runs in your browser with no sign-up.
- What an NCA ECC Gap Assessment Is (and What It Isn't)
- Who Needs an NCA Gap Assessment
- What an NCA Gap Assessment Covers
- What the Gap Assessment Report Looks Like
- How Long an NCA Gap Assessment Takes
- What to Prepare Before Your Assessment
- What an NCA-Registered Team Should Deliver
What an NCA ECC Gap Assessment Is (and What It Isn't)
An NCA gap assessment is a structured, evidence-based comparison of your current cybersecurity posture against the controls the NCA requires of you, which for most organisations means ECC 2:2024 or NCNICC-1:2025. It produces a clear answer to three questions: which controls you already meet, which you partially meet, and which you do not meet at all, together with the evidence behind each finding, the severity, and what it will take to close.
It is not an NCA audit. The NCA conducts its own formal assessments through its assessors and approved third parties; a gap assessment is a private exercise that prepares you for those assessments and for the operational work in between. It is also not a penetration test: testing validates whether technical controls work, while a gap assessment establishes whether they exist, are documented, and are operating. The two are complementary, and a credible programme uses both: gap assessment first to identify what to build, then penetration testing to validate it once built.
The reason it matters as a first step: scoping remediation against an assumed posture instead of a measured one is how organisations end up paying for work they didn't need and missing work they did.
Who Needs an NCA Gap Assessment
Almost any organisation operating in Saudi Arabia that has not already validated its posture against the NCA's current frameworks. In practice, the buyers fall into four groups:
- Private sector companies under NCNICC-1:2025. The NCA's January 2026 binding standard brings the entire private sector (startups, SaaS, e-commerce, SMEs, larger enterprises) into mandatory scope. A gap assessment establishes which class applies (A or B), which controls are in scope, and the current state against them.
- CNI operators and government entities under ECC 2:2024. The ECC's 4 domains and 108 controls are the deepest requirements, and assessments here typically feed both internal programmes and preparation for formal NCA review.
- Financial institutions facing dual compliance. Banks, fintechs, and payment firms regulated by both the NCA and SAMA (see our NCA and SAMA dual compliance guide) benefit from a gap assessment scoped to both rulebooks in one exercise.
- New market entrants and post-deal organisations. Foreign companies entering the Kingdom and acquired entities being integrated need a baseline, fast, before they inherit risk they cannot see.
If you are unsure which framework applies to you, the assessment itself starts by confirming that: classification is the first deliverable, not an assumption.
What an NCA Gap Assessment Covers
A credible ECC 2:2024 gap assessment covers all four domains and every applicable subdomain, because the controls are interdependent and a partial scope produces a misleading picture.
| Domain | Assessed |
|---|---|
| 1. Cybersecurity Governance | Strategy, function, risk management, policies, roles, training, awareness, project security |
| 2. Cybersecurity Defence | Asset management, IAM, system protection, email, network, mobile, data, crypto, backup, vulnerability management, penetration testing, monitoring, IR |
| 3. Cybersecurity Resilience | Business continuity, cybersecurity within BCM, recovery testing |
| 4. Third-Party and Cloud Cybersecurity | Third-party risk, contractual requirements, cloud security |
Plus the Saudization requirement that every cybersecurity role be held by a qualified Saudi national — a frequent gap for foreign-founded organisations. NCNICC-1:2025 assessments follow a calibrated, smaller version of the same shape.
For each control, the assessment establishes whether it is implemented, partially implemented, or not implemented; the evidence (or its absence); the gap's severity; and the effort required to close. A good assessment also flags dependencies (gaps that cannot close until another is fixed first), because remediation order matters as much as the list of gaps.
What the Gap Assessment Report Looks Like
The report is the deliverable that determines whether the assessment was worth commissioning. A weak gap assessment produces a colour-coded spreadsheet with no narrative; a strong one produces a document that leadership, auditors, and engineering teams can all use. At minimum, a credible NCA gap assessment report contains:
- Scope and approach. What was assessed, against which framework version, with what methodology
- Executive summary. The overall posture in business terms for leadership and the board
- Control-by-control findings. Each ECC control with status, evidence reviewed, gap description, and severity rating
- Priority classification. Mandatory gaps separated from advisory observations, so you can focus the budget on what actually moves the needle
- Remediation roadmap. Each gap mapped to recommended actions, effort estimate, and ownership, sequenced by dependency
- Quick wins. Items that can be closed in days, listed separately so you can show movement early
- Evidence inventory. What was provided, what was missing, and what to assemble for any future assessment
The remediation roadmap is the most important section because it determines whether the assessment leads to action or sits on a shelf. Effort estimates should be honest enough to use as a budgeting input, not aspirational.
How Long an NCA Gap Assessment Takes
For most organisations under ECC 2:2024 or NCNICC, a focused gap assessment takes around 2 to 3 weeks from kick-off to final report. The actual duration depends on three things: the scope (Class B SME or full ECC CNI), how much documentation already exists, and how responsive the in-house team is to evidence requests.
A typical timeline looks like:
- Week 1 — Scope, kick-off, and document collection. Confirm framework applicability, classify the entity, identify systems and stakeholders, gather existing policies, procedures, and evidence
- Week 2 — Interviews, walkthroughs, and control testing. Structured sessions with control owners, evidence review, system walkthroughs, sample testing where relevant
- Week 3 — Analysis, report drafting, and walkthrough. Findings consolidated, severity assigned, roadmap built, draft report walked through with the client, final report delivered
Faster timelines (around a week) are possible for narrowly scoped engagements; longer ones (4–6 weeks) are normal for large CNI operators or organisations with significant evidence to assemble. The single biggest delay factor is internal availability: if control owners cannot make time for interviews and evidence requests, the timeline slips regardless of how fast the assessor moves.
What to Prepare Before Your Assessment
A short preparation phase shortens the engagement and improves the result. Before the assessment starts, assemble whatever you already have in these areas; completeness is not required, but availability is what saves time:
- An asset inventory: systems, services, data stores, and any sensitive or regulated data they hold
- An organisational chart with cybersecurity, IT, and risk roles clearly identified
- Existing policies and procedures: cybersecurity policy, access management, incident response, BCM, third-party, and any sector-specific policies
- Recent risk assessments, audit reports, or prior gap analyses
- Evidence samples: access reviews, training records, MFA configuration, encryption settings, backup test logs, monitoring outputs, vulnerability scan reports, prior penetration test reports
- Third-party register: your vendors, what data or systems they access, and the contracts that govern them
- Cloud architecture overview, if relevant: providers, services, and how data flows
- Key contacts: control owners who can answer questions, in real time, during the assessment weeks
You will not have all of this. That is fine; the gap assessment will tell you which gaps exist because the controls do not exist and which exist because the controls are in place but undocumented. Both are findings, but they are very different problems to solve.
What an NCA-Registered Team Should Deliver
SecurityWall is an NCA-registered cybersecurity firm conducting ECC 2:2024 and NCNICC-1:2025 gap assessments across Saudi Arabia. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials and works to the current NCA framework rather than the older ECC-1:2018.
A Report Mapped to ECC 2:2024 Controls
- Every applicable control assessed and rated against current ECC 2:2024 requirements
- Findings tied to evidence reviewed, not assumptions
- Saudization, NCNICC classification, and third-party scope all included
Priority Classification That Drives Budget
- Mandatory gaps separated from advisory observations
- Severity rated consistently, with business impact stated in plain terms
- Quick wins flagged so you can show movement before the first remediation cycle
A Remediation Roadmap You Can Use
- Each gap mapped to actions, effort estimate, and sequencing
- Dependencies surfaced: what must close first, what can run in parallel
- Realistic to deliver in months, not aspirational
Two-to-Three-Week Delivery
- Most assessments delivered in 2 to 3 weeks
- Weekly check-ins and a draft walkthrough before final report
- Faster for narrow scopes; longer only when scope or evidence demands it
NCA-Registered and Locally Grounded
- A registered cybersecurity service provider in the Kingdom, as the NCA requires
- Direct experience across the NCA and, where it stacks, SAMA and PDPL
- One partner across NCA compliance, penetration testing, and remediation
Related reading:
- NCA ECC 2:2024 Requirements: Every Control Domain Explained
- NCA ECC Compliance Checklist (Interactive)
- NCNICC-1:2025: Every Saudi Private Company Now in Scope
- NCA Penetration Testing Requirements in Saudi Arabia
- NCA and SAMA Dual Compliance for Banks and Fintech
- NCA Compliance for Startups in Saudi Arabia
- What Is the NCA? Saudi Arabia's Cybersecurity Authority
Frequently Asked Questions
What is an NCA gap assessment?
An NCA gap assessment is a structured, evidence-based comparison of an organisation's current cybersecurity posture against the controls the NCA requires for most organisations under ECC 2:2024 or NCNICC-1:2025. It identifies which controls are implemented, partially implemented, or not implemented, with the evidence behind each finding and a remediation roadmap.
Is a gap assessment the same as an NCA audit?
No. An NCA audit is a formal assessment conducted by the NCA or its approved third parties. A gap assessment is a private exercise that prepares an organisation for those assessments and for ongoing operational compliance work.
How long does an NCA gap assessment take?
For most organisations, around 2 to 3 weeks from kick-off to final report. Narrow scopes can be faster; large CNI operators with significant documentation to assemble can take 4 to 6 weeks. Internal availability for interviews and evidence requests is the biggest factor in the timeline.
What does an NCA gap assessment cover?
Under ECC 2:2024, all four domains (Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, and Third-Party and Cloud Cybersecurity) across all applicable subdomains and controls, plus the Saudization requirement. Under NCNICC-1:2025, a calibrated version of the same shape sized to the entity's class.
What does the gap assessment report contain?
Scope and approach, an executive summary, control-by-control findings with evidence and severity, priority classification separating mandatory gaps from advisory ones, a remediation roadmap with effort estimates and dependencies, quick wins flagged separately, and an evidence inventory.
What should I prepare before an NCA gap assessment?
An asset inventory, organisational chart, existing policies and procedures, recent risk assessments and audit reports, evidence samples (access reviews, training records, MFA, encryption, backups, monitoring, vulnerability scans, prior pentest reports), a third-party register, a cloud architecture overview if relevant, and key control-owner contacts available during the assessment.
Why does it matter that the provider is NCA-registered?
Since 1 August 2022, any entity providing cybersecurity services in Saudi Arabia is required to be registered with the NCA. Using an NCA-registered provider keeps your supplier-compliance answer clean during your own assessment and avoids a question you do not want raised about the firm that did your assessment.