🇸🇦 Kingdom of Saudi Arabia 📞 +966 549983377 ✉ contact@pristinesaudi.com
NCA ECC-2:2024 · CCC-2:2024 · Saudi National Cybersecurity Authority

NCA ECC & CCC Compliance. First Pass. Every Time.

Pristine InfoSolutions delivers Saudi Arabia's most trusted NCA Essential Cybersecurity Controls (ECC-2:2024) and Cloud Cybersecurity Controls (CCC-2:2024) compliance programme — 100% first-pass audit success rate across every client engagement in the Kingdom. Bilingual Arabic and English evidence packages.

  • 100% first-pass audit rate
  • 110 ECC controls
  • 4 ECC domains
  • AR+EN bilingual evidence
NCA ECC-2:2024 compliance posture: audit-ready.
ECC domain coverage: Cybersecurity Governance 100% · Cybersecurity Defence 100% · Cybersecurity Resilience 100% · Third-Party Cybersecurity 100%
✓ 100% First-Pass Audit Success Rate — 200+ Clients
NCA ECC-2:2024 · CCC-2:2024 · 4 Domains · 28 Subdomains · 110 Controls · Cybersecurity Governance · Cybersecurity Defence · Cybersecurity Resilience · Third-Party Security · Cloud Cybersecurity Controls · Saudi Nationals Required · 100% First-Pass Rate · Bilingual Arabic/English

Saudi Arabia's Mandatory National Cybersecurity Standard

The NCA Essential Cybersecurity Controls (ECC) is Saudi Arabia's mandatory cybersecurity standard — issued by the National Cybersecurity Authority and applicable to all government entities, CNI operators, and their supply chains. The October 2024 revision (ECC-2:2024) introduced significant changes including Saudi-national staffing requirements for all cybersecurity roles and new AI, cloud, and IoT controls.

  • ECC-2:2024 (Oct 2024) — restructured from 5 to 4 domains; 28 subdomains; 110 controls. Saudi nationals required for all cybersecurity roles
  • CCC-2:2024 — Cloud Cybersecurity Controls for Saudi cloud tenants and providers; 4 domains, 24 subdomains
  • Who must comply — all Saudi government entities, CNI operators, and private-sector organisations with NCA obligations
  • Consequences of non-compliance — NCA enforcement actions, regulatory penalties, contract ineligibility, and reputational damage
  • Pristine delivers integrated ECC + CCC compliance — satisfying both standards simultaneously from one programme
ECC-2:2024 vs ECC-1 key changes:
  • Domains: 5 domains → 4 domains (restructured)
  • Controls: expanded to 110 controls across 4 domains
  • Saudi nationals: all cyber roles — Saudi nationals MANDATORY
  • AI controls: new AI cybersecurity sub-controls added
  • Cloud controls: enhanced cloud security requirements
  • IoT security: new IoT device security sub-controls
  • Transition: transition deadline — Oct 2024 (PASSED)

4 Domains — Complete Pristine Implementation

Every ECC-2:2024 domain, subdomain, and control delivered through Pristine's integrated compliance programme — with bilingual Arabic/English evidence packages formatted for NCA audit submission.

Domain 1: Cybersecurity Governance

The foundation of ECC compliance — establishing board-level cybersecurity accountability, a documented strategy aligned to Vision 2030, a comprehensive policy framework, and a pervasive security culture across the organisation. NCA expects all cybersecurity roles to be filled by Saudi nationals under ECC-2:2024.

  • 1-1 Cybersecurity Leadership: Board-level cybersecurity committee with defined charter. CISO/equivalent with direct board access. Cybersecurity budget and headcount plan
  • 1-2 Cybersecurity Strategy: Formal strategy aligned to entity mission and Vision 2030 digital transformation. KPIs, milestones, and annual review cycle
  • 1-3 Cybersecurity Policy: Comprehensive policy library covering all ECC subdomains — Arabic as primary binding language
  • 1-4 Cybersecurity Roles: All cybersecurity roles defined and documented — Saudi national requirement for every cybersecurity position
  • 1-5 Cybersecurity Awareness: Annual awareness programme for all staff — executive, operational, and technical tracks
Domain 1 coverage (✓ 100% evidence): 1-1 Leadership 100% · 1-2 Strategy 100% · 1-3 Policy Library 100% · 1-4 Roles (Saudi Nat.) 100% · 1-5 Awareness 100%
✓ Pristine delivers 40+ Arabic/English policies — specifically formatted for NCA examiner review, not generic templates

Domain 2: Cybersecurity Defence

The largest and most technically demanding ECC domain — covering asset management, identity and access management, data protection, cryptography, physical security, email protection, network security, cloud security, application security, vulnerability management, and change management.

  • 2-1 Asset Management: Complete, continuously updated inventory of all information and technology assets with defined owners and classification
  • 2-2 Identity & Access: Least-privilege enforcement, MFA, PAM with JIT access, periodic access reviews, service account management
  • 2-3 Data Protection: Data classification policy, encryption at rest and in transit, DLP, and PDPL-aligned handling procedures
  • 2-7 Network Security: Segmentation, email security, web filtering, NGFW, wireless security, and NDR deployment
  • 2-9 Cloud Security (NEW): NCA CCC controls integrated — CSPM, CWPP, cloud IAM, and shared responsibility documentation
Domain 2 coverage (✓ all sub-controls): 2-1 Asset Management 100% · 2-2 Identity & Access 100% · 2-3 Data Protection 100% · 2-7 Network Security 100% · 2-9 Cloud Security (New) 100%
✓ Domain 2 technical implementation delivered by Pristine's certified engineers — not documentation only

Domain 3: Cybersecurity Resilience

Ensuring the organisation can detect, respond to, and recover from cybersecurity incidents — covering SOC monitoring, threat intelligence, incident response, business continuity, disaster recovery, and cybersecurity testing including vulnerability management and penetration testing.

  • 3-1 Cybersecurity Event Management: SIEM deployment, 24/7 monitoring, log collection from all critical systems with NCA-required retention
  • 3-2 Threat Intelligence: Subscription to NCA-approved threat intelligence feeds. MENA-region threat intelligence integration. CERT-SA coordination procedures
  • 3-3 Incident Management: Documented IR procedures, tested response playbooks, and NCA mandatory notification procedures within 72 hours
  • 3-4 Business Continuity: BCP and DR plans tested annually — RTO/RPO validated. Backup and recovery procedures for all critical systems
  • 3-5 Cybersecurity Testing: Annual penetration testing, quarterly vulnerability scans, and tabletop exercises — results formatted for NCA evidence submission
Domain 3 coverage (✓ SOC + IR + testing): 3-1 Event Management 100% · 3-2 Threat Intelligence 100% · 3-3 Incident Response 100% · 3-4 Business Continuity 100% · 3-5 Cyber Testing 100%
✓ Pristine's 24/7 SOC provides automatic Domain 3 evidence collection — quarterly NCA packages auto-generated

Domain 4: Third-Party Cybersecurity

Managing cybersecurity risk introduced through vendor relationships, outsourcing arrangements, cloud service providers, and supply chain partners. ECC-2:2024 requires formal third-party risk management programmes with contractual cybersecurity obligations and periodic assessment.

  • 4-1 Vendor Risk Management: Cybersecurity requirements embedded in all vendor contracts — data handling, access controls, incident notification, and audit rights
  • 4-2 Outsourcing Security: Outsourcing policy with minimum security requirements. Right-to-audit provisions. On-site assessment for critical vendors
  • 4-3 Cloud Provider Security: CSP assessment against NCA CCC requirements. Shared responsibility model documented. Data residency verified
  • 4-4 Supply Chain Security: Hardware and software procurement security controls. Software component integrity verification. SBOM requirements for critical systems
Domain 4 coverage (✓ all vendors): 4-1 Vendor Risk 100% · 4-2 Outsourcing 100% · 4-3 Cloud Provider 100% · 4-4 Supply Chain 100%
✓ Domain 4 + ISO 27001 Annex A vendor controls overlap — Pristine satisfies both simultaneously from one programme

NCA Compliance Programmes

Three structured NCA ECC compliance programmes for every Saudi organisation — from urgent gap assessment to full enterprise compliance transformation.

// Package 01
ECC Rapid

Urgent NCA ECC gap assessment and evidence portfolio for organisations with imminent audit deadlines. Delivered in 2-4 weeks.

  • Full ECC-2:2024 gap assessment (all 4 domains)
  • Compliance score per sub-control
  • Prioritised remediation roadmap
  • Core policy library (Arabic + English)
  • Pre-formatted NCA evidence template
  • Audit preparation briefing (Arabic)
  • Emergency delivery available (2 weeks)
  • Domain-level compliance report
// Package 03
ECC Enterprise

Full ECC + CCC compliance transformation with continuous automated evidence collection, real-time dashboard, and annual retainer.

  • All Professional features
  • CCC-2:2024 cloud compliance included
  • ISO 27001 simultaneous mapping
  • SAMA CSF simultaneous mapping
  • Continuous automated evidence collection
  • Real-time compliance dashboard (AR+EN)
  • Monthly board compliance report (Arabic)
  • Annual retainer — unlimited support

Why Saudi Organisations Choose Pristine for NCA ECC


100% First-Pass Audit Rate

Every client Pristine has prepared for NCA ECC examination has passed on first submission — zero critical findings, zero major audit failures. 200+ engagements. Verifiable track record.


Arabic-Native Evidence

All NCA evidence packages, policies, and board presentations written in Arabic as the primary language — not translated from English. Saudi NCA examiners consistently recognise the quality difference.

6-8 Week Delivery

Pristine achieves full NCA ECC-2:2024 audit-ready compliance in 6-8 weeks for most organisations — the fastest compliant delivery in the Saudi market. Urgent 2-week gap assessments available.


ECC + CCC + ISO + SAMA

One integrated programme satisfying NCA ECC, NCA CCC, ISO 27001, and SAMA CSF simultaneously — shared evidence, shared controls, dramatically lower cost and effort.


Automatic Evidence Collection

Pristine's platform collects NCA ECC evidence automatically throughout the programme — SIEM logs, vulnerability scans, access reviews, and policy approvals organised for NCA submission without manual effort.


NCA Regulatory Intelligence

Pristine tracks all NCA guidance updates, circular releases, and sector-specific directives — providing clients with early intelligence on regulatory changes before they become audit findings.

What Our NCA ECC Clients Say

★★★★★

Pristine took our Ministry from a failed NCA audit with 23 findings to a clean pass on re-examination within 8 weeks. Their Arabic evidence packages and policy documents were accepted by NCA examiners without a single clarification request. This is the genuine NCA ECC expertise Saudi organisations need.

Khalid Al-Anazi, CISO, Saudi Government Ministry
★★★★★

We engaged Pristine 6 weeks before our NCA ECC audit having done almost no compliance preparation. They delivered a complete 40-document Arabic policy library, implemented all outstanding technical controls, and facilitated our pre-audit walkthrough in Arabic. We passed with zero findings. Remarkable work under pressure.

Hamad Al-Mutairi, IT Director, Saudi National Authority
★★★★★

Pristine's integrated approach achieved NCA ECC and ISO 27001 compliance simultaneously — the ISO evidence portfolio used 85% of what was already collected for NCA. We saved 3 months of additional work and significant budget. Their NCA regulatory knowledge is genuinely superior to any other firm we evaluated.

Faisal Al-Mohammed, Head of Security, Saudi Critical Infrastructure Operator

NCA ECC & CCC FAQs

ECC-2:2024 (published October 2024) is the current version of Saudi Arabia's Essential Cybersecurity Controls — replacing ECC-1:2018. Key changes include: restructuring from 5 to 4 domains; new Saudi-national staffing requirement for all cybersecurity roles; new sub-controls for AI, cloud, and IoT security; and updated controls across all domains to reflect the evolving threat landscape. The transition deadline has passed — organisations still operating on ECC-1 are non-compliant.
ECC is mandatory for all Saudi government entities, critical national infrastructure (CNI) operators, and organisations that fall under NCA's regulatory scope. Many private-sector organisations that serve government or CNI clients also face ECC requirements through contractual obligations. If you are unsure whether ECC applies to your organisation, contact Pristine for a free regulatory scope assessment.
For organisations with a moderate compliance gap, Pristine targets full audit-ready compliance in 6-8 weeks. Organisations with minimal existing controls may require 12-16 weeks. Our 2-week rapid gap assessment produces a precise timeline estimate with a fixed delivery commitment before any implementation begins. Emergency 2-4 week deliveries are available for organisations with imminent audit deadlines.
ECC (Essential Cybersecurity Controls) covers overall cybersecurity management — governance, defence, resilience, and third-party risk. CCC (Cloud Cybersecurity Controls) is a separate NCA standard specifically for cloud environments — applicable to organisations using cloud services (CSTs) and those providing cloud services (CSPs). Saudi entities using cloud services must comply with CCC in addition to ECC. Pristine delivers both simultaneously from a single integrated programme.
NCA enforcement actions for non-compliance include: formal finding notifications requiring mandatory remediation within defined timelines; increased supervisory scrutiny and more frequent audits; financial penalties for persistent non-compliance; operational restrictions affecting government contract eligibility; and in serious cases, licence suspension. If you have already received NCA findings, Pristine specialises in rapid post-audit remediation — contact us immediately.
Yes — ECC-2:2024 explicitly requires Saudi nationals for all defined cybersecurity roles within the organisation. This includes CISO, cybersecurity managers, analysts, and all personnel in roles defined under the NCA cybersecurity career framework. This requirement applies to government entities and NCA-supervised organisations. Pristine advises on workforce planning and provides support for Saudisation of cybersecurity functions.

Pass Your NCA ECC Audit. First Time. Guaranteed.

Request a free NCA ECC gap assessment — our specialists will evaluate your current posture against all 110 controls and deliver a clear compliance roadmap in Arabic and English at no cost.

📍 Riyadh, Saudi Arabia

Request Your Free Assessment

A senior Pristine specialist will contact you within 4 business hours.

🔒 Data processed within Saudi Arabia · PDPL compliant · Response within 4 business hours

Explore Related Pristine Services

  • SAMA Framework: SAMA CSF compliance for Saudi banks and financial institutions.
  • ISO 27001/27701: ISO certification with 95%+ NCA ECC control overlap — delivered simultaneously.
  • GRC & Compliance: Multi-framework GRC programme covering NCA ECC + SAMA + ISO + PDPL.
  • SOC Monitoring: 24/7 SOC monitoring auto-generates NCA ECC Domain 3 compliance evidence.