Compliance Guide

NCA ECC-2:2024 — Essential Cybersecurity Controls

The definitive guide to Saudi Arabia's most comprehensive cybersecurity framework. 108 controls across 4 domains, mandatory for government entities and critical national infrastructure operators.

What is NCA ECC-2?

The Essential Cybersecurity Controls (ECC-2:2024) are issued by the National Cybersecurity Authority (NCA) of Saudi Arabia. Updated from ECC-1:2018, the 2024 version reduces controls from 114 to 108, introduces a tier-based compliance model (Essential, Advanced, Minimal), and removes the standalone fifth domain by integrating third-party/cloud controls into the main four domains.

  • 108 controls
  • 4 domains
  • Tier-based model
  • Updated Oct 2024

Who must comply?

  • Government entities (ministries, authorities, establishments)
  • Subsidiaries and affiliates of government entities
  • Critical National Infrastructure (CNI) operators
  • Private sector organizations hosting government data
  • Saudization: All cybersecurity roles must be filled by Saudi nationals

The 4 ECC-2 Domains

Cybersecurity Governance

Strategy, policies, roles & responsibilities, risk management, compliance, awareness & training. Establishes the organizational foundation for cybersecurity.

Cybersecurity Defense

15 subdomains, 60 controls. Asset management, IAM, network security, cryptography, vulnerability management, application security, email security, endpoint protection.

Cybersecurity Resilience

Business continuity management, disaster recovery, incident response, cyber crisis management. Ensures organizations can endure and recover from incidents.

Third-Party & Cloud Security

Previously Domain 5, now integrated. Third-party risk management, cloud security, outsourcing controls, vendor assessments.

Key changes from ECC-1:2018

  • Controls reduced from 114 to 108
  • Domain 5 removed — integrated into other domains
  • Tier-based compliance model introduced
  • Data localization transferred to NDMO/SDAIA
  • Saudization requirement for all cybersecurity roles
  • Enhanced alignment with international standards
  • Quantum vulnerability considerations added

How CYDER automates ECC-2 compliance

Automated compliance mapping

Every CYDER platform action is automatically mapped to ECC-2 controls, with real-time compliance scoring across all 4 domains.

Evidence auto-collection

90% of compliance evidence collected automatically from platform operations. No manual screenshots or spreadsheets.

Gap analysis & remediation

Identify compliance gaps instantly. Prioritized remediation roadmap with estimated effort and timeline.
