NCA-ECC Compliance. Mandatory for Every Licensed Saudi Entity.
The National Cybersecurity Authority's Essential Cybersecurity Controls apply to every organisation licensed to operate in Saudi Arabia. DeepNotch maps your evidence to all 29 controls and shows you exactly where you stand.
29 controls. 5 domains. Zero flexibility.
NCA-ECC is not a best-practice framework — it is a legal requirement. Every organisation licensed to operate in the Kingdom of Saudi Arabia must comply. Non-compliance exposes you to regulatory sanctions, operating licence risk, and financial penalties. There is no opt-out.
Cybersecurity Governance
Policies, roles, risk management framework, and board-level accountability
Cybersecurity Defense
Access control, identity management, vulnerability management, and threat detection
Cybersecurity Resilience
Business continuity, disaster recovery, and incident response
Third-Party Cybersecurity
Vendor assessments, supply chain risk, and third-party access controls
Cloud Cybersecurity
Cloud configuration, data residency, and shared responsibility compliance
Every NCA-ECC domain. Mapped. Scored. Reported.
DeepNotch's audit engine reads your evidence files and assigns them to the correct NCA-ECC control. You see pass, fail, or partial — per control, per domain, in real time.
| Domain | DeepNotch Capability | Evidence Types Accepted | Status |
|---|---|---|---|
| Cybersecurity Governance | Policy document analysis, governance gap scoring | PDFs, Word docs, policy templates | Live |
| Cybersecurity Defense | Access control evidence mapping, vulnerability report ingestion | CSV exports, PDF reports, screenshots | Live |
| Cybersecurity Resilience | BCP/DR document review, incident log analysis | PDFs, incident records | Live |
| Third-Party Cybersecurity | Vendor assessment templates, TPRM gap analysis | Questionnaires, contracts, PDF assessments | Live |
| Cloud Cybersecurity | Cloud configuration evidence, shared responsibility mapping | Config exports, screenshots, PDF reports | Live |
NCA-ECC gaps don't just fail audits. They have a dollar cost.
DeepNotch applies GCC-specific ALE (Annual Loss Expectancy) multipliers to every compliance gap. A control failure in Saudi Finance isn't a $1 risk — it's a $6.30 risk.
From evidence to NCA-ECC readiness in three steps.
No consultants. No custom setup. Connect your evidence and see your score within 24 hours.
Upload Your Evidence
Drag and drop policy documents, access control records, incident logs, and vendor assessments into the evidence vault.
AI Maps to NCA-ECC Controls
The audit engine reads every file and assigns it to the correct NCA-ECC control ID across all 5 domains.
Get Your Readiness Score
See pass/fail per control, identify your exact gaps, and export an audit-ready report for your NCA assessor.
NCA-ECC compliance doesn't happen in isolation.
Satisfying NCA-ECC puts you significantly ahead on ISO 27001 — the two frameworks share overlapping control areas. And if you deploy AI systems, ISO 42001 is now expected by enterprise buyers and regulators across the GCC.
NCA-ECC
You are here. 29 controls, 5 domains, mandatory for all licensed Saudi entities.
ISO 27001
NCA-ECC compliance covers approximately 60% of ISO 27001 requirements — close the remaining gap with one platform.
ISO 42001
If you deploy AI systems, ISO 42001 is the GCC's emerging AI governance standard. Required for enterprise procurement.
NCA-ECC — what you need to know.
What is NCA-ECC?
NCA-ECC (Essential Cybersecurity Controls) is a mandatory cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority. It defines 29 controls across 5 domains that all licensed organisations in the Kingdom must implement and demonstrate compliance with.
Who does NCA-ECC apply to?
NCA-ECC applies to all organisations licensed to operate in Saudi Arabia — including financial institutions, government entities, healthcare providers, and technology companies. If you are regulated by SAMA, CCHI, CITC, or any other Saudi authority, NCA-ECC applies to you.
What happens if we fail an NCA-ECC audit?
Non-compliance can result in regulatory sanctions, operating licence conditions, and reputational risk. For regulated sectors like banking and finance, SAMA may impose additional supervisory measures. NCA-ECC compliance is increasingly a prerequisite for government and enterprise procurement.
How does NCA-ECC relate to ISO 27001?
NCA-ECC and ISO 27001 share significant control overlap — roughly 60% of NCA-ECC requirements align with ISO 27001 domains. Organisations that have achieved ISO 27001 certification have a strong head start on NCA-ECC. DeepNotch maps both simultaneously.
How long does NCA-ECC compliance typically take?
For organisations starting from zero, initial compliance projects typically take 3–6 months depending on the existing security posture. DeepNotch accelerates this by automating evidence mapping and gap identification — what normally takes weeks of manual analysis happens in hours.
Know your NCA-ECC score before the auditor does.
Upload your evidence. See pass/fail per control. Close your gaps before the assessment.
29 controls · 5 domains · Saudi Arabia's mandatory cybersecurity framework