NCA-ECC

NCA-ECC Compliance. Mandatory for Every Licensed Saudi Entity.

The National Cybersecurity Authority's Essential Cybersecurity Controls apply to every organisation licensed to operate in Saudi Arabia. DeepNotch maps your evidence to all 29 controls and shows you exactly where you stand.

NCA-ECC READINESS
Cybersecurity Governance91%
Cybersecurity Defense78%
Cybersecurity Resilience65%
Third-Party Cybersecurity54%
Cloud Cybersecurity83%
29 Controls
5 Domains
3 Gaps Found
THE MANDATE

29 controls. 5 domains. Zero flexibility.

NCA-ECC is not a best-practice framework — it is a legal requirement. Every organisation licensed to operate in the Kingdom of Saudi Arabia must comply. Non-compliance exposes you to regulatory sanctions, operating licence risk, and financial penalties. There is no opt-out.

Cybersecurity Governance

7 controls

Policies, roles, risk management framework, and board-level accountability

Cybersecurity Defense

9 controls

Access control, identity management, vulnerability management, and threat detection

Cybersecurity Resilience

5 controls

Business continuity, disaster recovery, and incident response

Third-Party Cybersecurity

4 controls

Vendor assessments, supply chain risk, and third-party access controls

Cloud Cybersecurity

4 controls

Cloud configuration, data residency, and shared responsibility compliance

HOW DEEPNOTCH COVERS IT

Every NCA-ECC domain. Mapped. Scored. Reported.

DeepNotch's audit engine reads your evidence files and assigns them to the correct NCA-ECC control. You see pass, fail, or partial — per control, per domain, in real time.

DomainDeepNotch CapabilityEvidence Types AcceptedStatus
Cybersecurity GovernancePolicy document analysis, governance gap scoringPDFs, Word docs, policy templatesLive
Cybersecurity DefenseAccess control evidence mapping, vulnerability report ingestionCSV exports, PDF reports, screenshotsLive
Cybersecurity ResilienceBCP/DR document review, incident log analysisPDFs, incident recordsLive
Third-Party CybersecurityVendor assessment templates, TPRM gap analysisQuestionnaires, contracts, PDF assessmentsLive
Cloud CybersecurityCloud configuration evidence, shared responsibility mappingConfig exports, screenshots, PDF reportsLive
THE COST OF NON-COMPLIANCE

NCA-ECC gaps don't just fail audits. They have a dollar cost.

DeepNotch applies GCC-specific ALE (Annual Loss Expectancy) multipliers to every compliance gap. A control failure in Saudi Finance isn't a $1 risk — it's a $6.30 risk.

ALE FORMULA
SLE × ARO = ALE
SLESingle Loss Expectancy — cost of one incident
AROAnnual Rate of Occurrence — frequency per year
ALEAnnual Loss Expectancy — your true yearly exposure
SAUDI ARABIA MULTIPLIERS
Finance6.3×
Government3.6×
Healthcare2.4×
Source: GCC regional breach cost data. Applied to base ALE calculations.

From evidence to NCA-ECC readiness in three steps.

No consultants. No custom setup. Connect your evidence and see your score within 24 hours.

STEP 01

Upload Your Evidence

Drag and drop policy documents, access control records, incident logs, and vendor assessments into the evidence vault.

STEP 02

AI Maps to NCA-ECC Controls

The audit engine reads every file and assigns it to the correct NCA-ECC control ID across all 5 domains.

STEP 03

Get Your Readiness Score

See pass/fail per control, identify your exact gaps, and export an audit-ready report for your NCA assessor.

BEYOND NCA-ECC

NCA-ECC compliance doesn't happen in isolation.

Satisfying NCA-ECC puts you significantly ahead on ISO 27001 — the two frameworks share overlapping control areas. And if you deploy AI systems, ISO 42001 is now expected by enterprise buyers and regulators across the GCC.

NCA-ECC

You are here. 29 controls, 5 domains, mandatory for all licensed Saudi entities.

Currently viewing

ISO 27001

NCA-ECC compliance covers approximately 60% of ISO 27001 requirements — close the remaining gap with one platform.

ISO 42001

If you deploy AI systems, ISO 42001 is the GCC's emerging AI governance standard. Required for enterprise procurement.

FREQUENTLY ASKED

NCA-ECC — what you need to know.

What is NCA-ECC?

NCA-ECC (Essential Cybersecurity Controls) is a mandatory cybersecurity framework issued by Saudi Arabia's National Cybersecurity Authority. It defines 29 controls across 5 domains that all licensed organisations in the Kingdom must implement and demonstrate compliance with.

Who does NCA-ECC apply to?

NCA-ECC applies to all organisations licensed to operate in Saudi Arabia — including financial institutions, government entities, healthcare providers, and technology companies. If you are regulated by SAMA, CCHI, CITC, or any other Saudi authority, NCA-ECC applies to you.

What happens if we fail an NCA-ECC audit?

Non-compliance can result in regulatory sanctions, operating licence conditions, and reputational risk. For regulated sectors like banking and finance, SAMA may impose additional supervisory measures. NCA-ECC compliance is increasingly a prerequisite for government and enterprise procurement.

How does NCA-ECC relate to ISO 27001?

NCA-ECC and ISO 27001 share significant control overlap — roughly 60% of NCA-ECC requirements align with ISO 27001 domains. Organisations that have achieved ISO 27001 certification have a strong head start on NCA-ECC. DeepNotch maps both simultaneously.

How long does NCA-ECC compliance typically take?

For organisations starting from zero, initial compliance projects typically take 3–6 months depending on the existing security posture. DeepNotch accelerates this by automating evidence mapping and gap identification — what normally takes weeks of manual analysis happens in hours.

Know your NCA-ECC score before the auditor does.

Upload your evidence. See pass/fail per control. Close your gaps before the assessment.

Book a Demo

29 controls · 5 domains · Saudi Arabia's mandatory cybersecurity framework