Key Takeaways
- Cybersecurity behaviour change platforms focus on measurable risk reduction, not training completion.
- Modern tools track behavioural metrics such as phishing reporting, click rates, and risk trends over time.
- Effective platforms combine simulations, adaptive learning, and human risk scoring into one ecosystem.
- Multi-channel simulations covering email, vishing, messaging apps, and QR attacks reflect real attacker methods.
- Security leaders should prioritise audit-ready analytics that demonstrate ROI and behavioural improvement to boards.
The National Cybersecurity Authority (NCA) issues Saudi Arabia’s Key Digital Security Frameworks, such as the Essential Cybersecurity Controls (ECC), Cloud Cybersecurity Controls (CCC), Critical Systems Cybersecurity Controls (CSCC), Operational Technology Cybersecurity Controls (OTCC), Data Cybersecurity Controls (DCC), and Telework Cybersecurity Controls (TCC).
Saudi Arabia's cybersecurity regime has matured quickly. The Kingdom now has one of the most structured regulatory environments in the Middle East, driven by Vision 2030 and the scale of digital infrastructure being deployed across government, finance, healthcare, and energy. For any organization operating here, understanding this landscape is no longer optional.
Where It All Begins: The National Cybersecurity Authority
In 2017, a Royal Order established the National Cybersecurity Authority (NCA) as the Kingdom's central body for cybersecurity policy, the issuance of cybersecurity frameworks, and compliance monitoring. For years afterwards the NCA published controls that organizations were expected to follow, but enforcement was not strict and there were no clearly defined penalties for non-compliance.
The NCA Framework
The NCA Regulations 2024 gave the NCA formal enforcement powers. It is now authorized to carry out inspections, demand documentation, collect evidence, and impose penalties. Fines range up to SAR 25,000,000, licenses can be suspended, and violations may be publicly disclosed. Organizations that treated the NCA's controls as optional recommendations now face a different calculation.
There is also a common misunderstanding to clear up. Many teams assume that meeting the ECC is all that cybersecurity compliance in Saudi Arabia requires. It is not. The NCA is building a connected family of frameworks, each addressing a specific risk environment, and inspectors increasingly expect organizations to recognize that the ECC alone is not the whole picture.
Essential Cybersecurity Controls (ECC)
Think of the ECC as the base layer. It applies to all government entities, critical infrastructure operators, and essential service providers in the Kingdom. The framework was updated in October 2024 as ECC-2:2024, which dropped four controls and restructured it from five main domains to four (28 subdomains); the former Industrial Control Systems domain is now covered by the OTCC instead. The four remaining domains are Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, and Third-Party and Cloud Computing Cybersecurity.
A notable change in the 2024 edition is the broadened cybersecurity Saudization requirement: cybersecurity roles must be filled by Saudi nationals. The earlier version applied this only to senior positions, so the scope has grown significantly. The ECC sets the floor; everything else is built on top of it.
Critical Systems Cybersecurity Controls (CSCC)
Some systems, if compromised, do not just impact a business; they impact the nation. This category includes energy grids, water systems, financial market infrastructure, and defense-adjacent systems. The CSCC applies to those environments and requires network segmentation, identity management, and real-time monitoring at a level beyond the ECC baseline. Organizations in this space carry two obligations at once: they must comply with both the ECC and the CSCC.
Cloud Cybersecurity Controls (CCC)
Cloud adoption has been rapid in Saudi Arabia across both the public and private sectors, and the CCC addresses that reality. It applies to any organization that runs workloads in the cloud, whether in a private or hybrid model, as well as to cloud service providers, and is organized into four domains and 24 subdomains. In 2024, responsibility for data localization was moved to the National Data Management Office (NDMO) and the CCC was revised accordingly. An organization that runs workloads in the cloud but assesses itself only against the ECC has a compliance gap it cannot justify.
Operational Technology Cybersecurity Controls (OTCC)
Industrial systems cannot be secured the same way as office IT. The OTCC covers operational technology in the energy, manufacturing, utilities, and water sectors, including industrial control systems and SCADA. Its controls center on segregating OT networks from corporate IT, tightly controlling and limiting remote access to industrial systems, and keeping operations running even while under attack. Given the shape of the Kingdom's energy sector, this framework carries particular weight.
Data Cybersecurity Controls (DCC)
The DCC covers data classification, encryption, access control, auditing, and retention across the entire data lifecycle. The NCA coordinates with the NDMO on data localization requirements. For healthcare, financial services, and government organizations, DCC obligations apply on top of whatever other frameworks cover their environments.
Telework Cyber Security Controls (TCC)
Hybrid work is no longer temporary; it is the new normal. From VPN standards and endpoint security to secure file transfer and remote access management, the TCC addresses the risks created by employees working beyond the office perimeter. For organizations with teams distributed across the Kingdom, compliance with the TCC is not optional.
The 2026 Scope Expansion
In January 2026, NCNICC-1:2025 took effect, extending NCA coverage to all private-sector companies in the Kingdom regardless of infrastructure type. Until then, many organizations outside government and the critical sectors assumed the frameworks did not apply to them. That assumption no longer holds: every business in Saudi Arabia is now subject to minimum cybersecurity requirements.
The SAMA Layer for Financial Institutions
Banks, insurers, and other financial institutions regulated by the Saudi Central Bank (SAMA, formerly the Saudi Arabian Monetary Authority) carry additional obligations. The SAMA Cybersecurity Framework is prescriptive in many respects, and it does not replace the NCA baseline; it must be met in addition to it. An institution operating critical financial infrastructure may therefore fall under the ECC, CSCC, DCC, and SAMA simultaneously, and needs to manage that overlap deliberately rather than treat each framework in isolation.

Cybersecurity Best Practices for Organizations in Saudi Arabia
- Get your NCA frameworks right. The ECC is the baseline for every organization, but it is only the starting point. Add the CCC for cloud workloads, the OTCC for OT facilities, and the TCC for hybrid workforces.
- Do a gap analysis. Run a formal assessment owned by the business units, not just IT. When NCA inspectors arrive, you need to demonstrate compliance with evidence, not just claim it.
- Treat your people as your biggest risk. Frameworks govern technology and process, but they cannot change human behavior on their own. A technical control can fix a misconfigured server; it cannot stop an employee from clicking a phishing link.
- Close the Human Gap with Threatcop. Threatcop’s TSAT runs simulations of phishing, smishing, vishing, ransomware, and scams. Each employee gets a personal risk score and targeted training, with a full audit trail ready for inspectors.
The TDMARC solution enforces DMARC compliance and flags email spoofing in real time, directly supporting ECC and DCC requirements.
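"Enforcing DMARC compliance" means more than publishing a record: a domain with p=none, a reduced pct=, or a permissive subdomain policy still lets spoofed mail through. The following is an added example (not Threatcop or TDMARC code) showing how to read a DMARC TXT record and decide whether it actually enforces a policy. The records are constructed samples rather than live DNS lookups, and the helper names are hypothetical.

```python
"""Evaluate whether a DMARC TXT record actually enforces a policy.

Added example, not Threatcop/TDMARC code. SAMPLES are constructed records,
not real DNS data; `parse_dmarc` and `evaluate_dmarc` are hypothetical helpers.
"""
from __future__ import annotations

# Only these p= / sp= values cause receivers to act on failing mail.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse a DMARC TXT record into a tag -> value dict (RFC 7489 syntax)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)  # values such as mailto: contain '='
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return the effective policy plus a list of findings.

    Rules applied (all from RFC 7489):
      - the record must start with v=DMARC1 and carry a p= tag
      - pct defaults to 100; sp (subdomain policy) defaults to p
      - p=none only monitors; quarantine/reject actually enforce
      - without rua= the organization receives no aggregate reports
    """
    findings: list[str] = []
    if not record.lower().startswith("v=dmarc1"):
        return {"valid": False, "enforcing": False,
                "findings": ["missing or misplaced v=DMARC1 tag"]}
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy is None:
        return {"valid": False, "enforcing": False,
                "findings": ["missing required p= tag"]}
    policy = policy.lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; treating as 100")
    if policy not in ENFORCING:
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to {policy}")
    if policy in ENFORCING and subdomain_policy not in ENFORCING:
        findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    enforcing = policy in ENFORCING and subdomain_policy in ENFORCING and pct == 100
    return {"valid": True, "policy": policy, "sp": subdomain_policy,
            "pct": pct, "enforcing": enforcing, "findings": findings}


# Constructed sample records (example.com is not a real deployment).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com",
    "broken": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        result = evaluate_dmarc(rec)
        print(f"{name:16} enforcing={result['enforcing']!s:5} {result['findings']}")
```

Only the "enforced" sample comes back with no findings; the other four are the configurations that pass a naive "DMARC record present" check while leaving the domain spoofable, which is exactly what an inspector asking for evidence of email security should be shown.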
Get the frameworks right, close the gaps, and invest in your people. That is what inspection-ready cybersecurity looks like.
Conclusion
Cybersecurity compliance in Saudi Arabia is now essential, with National Cybersecurity Authority frameworks covering infrastructure, cloud, data governance, and the human layer. With stricter enforcement and updated regulations effective from December 2024, organizations must address both technical and human risk.
By combining TSAT and TDMARC, Threatcop helps Middle Eastern organizations build measurable, audit-ready human-layer security and support their NCA compliance journey.
FAQs
Who falls within the scope of the NCA's cybersecurity frameworks in Saudi Arabia?
Since January 2026, under NCNICC-1:2025, the NCA frameworks apply to all organizations in the Kingdom. Private-sector companies are now required to comply, not only government entities and critical infrastructure operators.
What differences are there between ECC and the other NCA frameworks?
The ECC is the minimum standard every in-scope organization must meet. The other frameworks (CSCC, CCC, OTCC, DCC, and TCC) layer additional, environment-specific controls on top of the ECC; none of them replaces it.
What happens if an organization does not comply with NCA regulations in Saudi Arabia?
The NCA Regulations 2024 provide for fines of up to SAR 25 million, suspension or revocation of licenses, and public disclosure of the violation.
What role does security awareness training play in achieving NCA compliance?
The people element is one of the major compliance components of the NCA frameworks. Inspectors look for evidence of human-layer security investments, such as simulation results and training records, so those investments should be documented and auditable.
Is the SAMA Cybersecurity Framework an alternative to banks' compliance with NCA?
No. Financial institutions must comply with both. SAMA is the more prescriptive of the two, and its obligations stack on top of the NCA frameworks, so an institution may be answerable under SAMA and the ECC, SAMA and the CSCC, SAMA and the DCC, and so on at the same time.

Purva is a Technical Content Strategist at Threatcop with an MBA in Business Analytics, specializing in SEO-driven content and technical editing across IT and digital domains, and is the author of the book From a Daughter’s Eye.
