How is ECC-2 different from SAMA CSF?

ECC-2 is the broader national baseline maintained by NCA. SAMA CSF is the financial-sector framework maintained by the Saudi central bank for banks, insurers, finance companies and PSPs. SAMA-regulated entities typically need both.

What about cloud workloads?

NCA's Cloud Cybersecurity Controls (CCC) layer on top of ECC-2 for cloud customers and providers. We scope CCC as part of the engagement where cloud is in use.

Are critical-system controls separate?

Yes — NCA's Critical Systems Cybersecurity Controls (CSCC) apply on top of ECC-2 to designated critical systems. We map both and produce one evidence set.

How often is the assessment?

Annual is the working baseline. NCA may schedule additional assessments based on sector, incidents or maturity. Sector regulators may impose tighter cycles.

National Cybersecurity Authority · Essential Cybersecurity Controls v2

Saudi NCA ECC-2:2024 Audit

NCA ECC-2:2024 audit — baseline cybersecurity for all organisations in KSA.

Full NCA Essential Cybersecurity Controls v2 (ECC-2:2024) audit — applicability scoping, control-by-control assessment across governance, defence, resilience and third-party / cloud domains. Designed for government entities, critical national infrastructure operators and private-sector organisations in the Kingdom of Saudi Arabia.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

NCA Essential Cybersecurity Controls v2 (ECC-2:2024)
NCA Critical Systems Cybersecurity Controls (CSCC)
NCA Cloud Cybersecurity Controls (CCC)
NCA Telework Cybersecurity Controls
Saudi PDPL (Personal Data Protection Law)
SAMA CSF overlay (financial sector)
ISO 27001:2022 (mapped)
NIST CSF (mapped)

Why this matters

Compliance is leverage, not paperwork.

The National Cybersecurity Authority's Essential Cybersecurity Controls v2 (ECC-2:2024) is the baseline cybersecurity standard for any organisation operating in the Kingdom of Saudi Arabia — government, critical national infrastructure and private sector. NCA performs compliance assessments and references ECC compliance in its national cybersecurity reporting; sector regulators (SAMA, CMA, CITC, Ministry of Health) layer their own controls on top. Macksofy's NCA ECC-2 audit walks the four domains end-to-end and produces the assessment artefacts NCA samples first.

Applicability

Saudi government entities (ministries, authorities, government-owned companies)
Critical national infrastructure operators (energy, water, transport, finance, health)
Private-sector organisations operating in KSA (any size)
Cloud and digital-platform providers serving KSA customers
Suppliers and managed-service providers to NCA-regulated entities
Multinationals with Saudi operations or KSA data-residency commitments

Standards & frameworks

Aligned to the regulations that matter.

NCA Essential Cybersecurity Controls v2 (ECC-2:2024)

NCA Critical Systems Cybersecurity Controls (CSCC)

NCA Cloud Cybersecurity Controls (CCC)

NCA Telework Cybersecurity Controls

Saudi PDPL (Personal Data Protection Law)

SAMA CSF overlay (financial sector)

ISO 27001:2022 (mapped)

NIST CSF (mapped)

Methodology

How we run a NCA ECC-2 engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 / 5

20% complete

1 · Applicability + scoping

01
Sector classification + NCA scope test
02
Critical-system identification (CSCC overlay)
03
Cloud / telework overlay assessment

Deliverables

Everything you need to satisfy auditors.

NCA ECC-2 applicability + scoping memo
Control-by-control compliance register
Critical-system + cloud overlay risk pack
Incident-response + tabletop drill report
Third-party cybersecurity review
NCA-format submission pack
Annual recertification plan + closure tracker

Recent engagements

Saudi government-owned enterprise

NCA ECC-2 audit + CSCC overlay on critical systems

Outcome: Closed all priority-1 gaps in one cycle; NCA assessment cleared with no follow-up actions on critical systems

Multinational SaaS with KSA data-residency

ECC-2 + Cloud Cybersecurity Controls (CCC) overlay

Outcome: Cloud-overlay evidence pack accepted by two NCA-regulated customer assessments without remediation

At a glance

The shape of a NCA ECC-2 engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Applicability & scoping3 pts
Governance domain3 pts
Defence domain3 pts
Resilience domain3 pts
Third-party & cloud3 pts
NCA submission pack3 pts

Pillar 01

Applicability & scoping

ECC-2 baseline applies broadly — CSCC and CCC overlays apply selectively. Clean scoping prevents over-engineering.

Sector + criticality classification
Critical-system + cloud-overlay scoping
Telework-control applicability

Pillar 02

Governance domain

Cybersecurity strategy, risk management and human-resources controls — the spine of ECC-2.

Cybersecurity strategy + governance
Cyber-risk management framework
HR + awareness controls

Pillar 03

Defence domain

Asset, identity, network and endpoint defence walked end-to-end with technical evidence.

Asset + identity-and-access management
Network, endpoint + email defence
Cryptography + secure data handling

Pillar 04

Resilience domain

Backup, recovery, log management and incident response — the controls that decide breach outcomes.

Backup + recovery evidence
Event-log management + retention
Incident-response + tabletop drill

Pillar 05

Third-party & cloud

Supplier and cloud-provider controls under ECC-2 + the CCC overlay where cloud is used.

Third-party cybersecurity controls
Cloud Cybersecurity Controls (CCC) overlay
Contractual + exit-plan evidence

Pillar 06

NCA submission pack

Artefacts assembled exactly the way NCA assessments consume them.

Control-statement to evidence map
Compliance-level heatmap
Assessor Q&A walk-through

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a NCA ECC-2 engagement. Click any station for detail in the methodology section above.

Week 1

Applicability + scoping

Week 2

Governance + defence domains

Week 3

Resilience domain

Week 4

Third-party + cloud

Week 5

Assessment + submission

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

ECC-2 is the baseline for any organisation operating in KSA — government, critical national infrastructure and private sector. Sector regulators layer their own controls on top.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.