NCA ECC

NCA ECC. Saudi Arabia's essential cybersecurity controls.

Five domains. 114 controls. Mandatory for Saudi government entities and critical infrastructure. CyberHeed maps every control, tracks compliance, and manages evidence in one platform.

ISO/IEC 27001:2022 Certified
AI Awards Finalist 2025
Cyber Awards Finalist 2026
Multi-Region Compliance
What is the NCA ECC?

Saudi Arabia's mandatory cybersecurity controls for government and critical national infrastructure.

The Essential Cybersecurity Controls (ECC) were first issued by Saudi Arabia's National Cybersecurity Authority (NCA) in 2018 as ECC-1:2018 and revised in 2024 as ECC-2:2024. The structure described on this page (five domains, 29 subdomains, 114 controls) is that of ECC-1:2018; the 2024 revision moved the ICS domain into the separate Operational Technology Cybersecurity Controls (OTCC) and restructured the remainder into four domains, 28 subdomains and 110 controls, so check which edition your assessment cycle is scoped against. The ECC establishes minimum cybersecurity requirements for government entities, their subsidiaries, and critical infrastructure operators across the Kingdom. Compliance is mandatory - the NCA conducts assessments and enforces adherence. The ECC is part of Saudi Arabia's broader Vision 2030 digital transformation programme, ensuring that rapid digitisation is accompanied by robust cybersecurity.

Who Must Comply?

Saudi Government Entities

All ministries, government agencies, and public sector organisations in the Kingdom of Saudi Arabia. This includes entities under the jurisdiction of any Saudi government body, at national, regional, or local level.

Government-Owned Companies

Companies owned partially or wholly by the Saudi government, including those operating in oil and gas (Saudi Aramco ecosystem), telecommunications, utilities, and financial services.

Critical National Infrastructure

Operators of critical infrastructure across energy, water, transportation, telecommunications, healthcare, and financial services. The NCA designates critical infrastructure operators and may impose additional requirements beyond the base ECC.

Private Sector (Selected)

Private sector organisations in specific regulated sectors may be required to comply with ECC or NCA's sector-specific cybersecurity frameworks. The scope is expanding as Saudi Arabia's digital economy grows.

The NCA's Regulatory Role

The National Cybersecurity Authority operates as Saudi Arabia's central cybersecurity regulator with extensive powers:

Mandatory Compliance

ECC compliance is not optional. The NCA conducts compliance assessments and entities must demonstrate adherence. Non-compliance is escalated through government channels and can have significant consequences.

Assessment and Audit

The NCA assesses entities against ECC controls through structured assessments. Entities must prepare evidence of compliance, demonstrate control implementation, and show continuous improvement.

Complementary Frameworks

Beyond ECC, the NCA issues additional frameworks including the Critical Systems Cybersecurity Controls (CSCC), Cloud Cybersecurity Controls (CCC), Data Cybersecurity Controls (DCC), and Operational Technology Cybersecurity Controls (OTCC). These build on ECC for specific contexts.

The Five Domains

Five domains covering governance, defence, resilience, third-party, and ICS security.

ECC-1:2018 organises its 114 controls across five domains and 29 subdomains. Each domain addresses a distinct aspect of cybersecurity, from governance and risk management through to industrial control system security. The subdomain lists below follow the ECC-1:2018 numbering.

Domain 1 - Cybersecurity Governance

Establish cybersecurity governance structures, strategy, policies, roles and responsibilities, risk management, and compliance. This domain ensures cybersecurity is led from the top and embedded in the organisation's governance framework.

Subdomains:

- Cybersecurity Strategy - Align cybersecurity with business objectives and national requirements

- Cybersecurity Management - Dedicated cybersecurity function with adequate resources and authority

- Cybersecurity Policies and Procedures - Comprehensive policy framework covering all ECC domains

- Cybersecurity Roles and Responsibilities - Clear accountability at all levels including board

- Cybersecurity Risk Management - Systematic risk identification, assessment, and treatment

- Cybersecurity in Information Technology Project Management - Security integrated into all project lifecycles

- Compliance with Cybersecurity Standards, Laws and Regulations - Adherence to NCA requirements, national law, and international standards

- Periodic Cybersecurity Review and Audit - Regular assessment of cybersecurity effectiveness

- Cybersecurity in Human Resources - Security throughout the employment lifecycle

- Cybersecurity Awareness and Training - Programmes for all staff appropriate to their roles

Domain 2 - Cybersecurity Defence

Implement technical and operational controls to defend against cyber threats. This is the largest domain (15 subdomains in ECC-1:2018) and covers the controls that protect assets, detect threats, and respond to attacks - the operational core of cybersecurity.

Subdomains:

- Asset Management - Inventory, classification, and lifecycle management of all assets

- Identity and Access Management - Authentication, authorisation, privileged access management

- Information System and Information Processing Facilities Protection - System hardening, configuration management

- Email Protection - Filtering, anti-phishing, and enforcement of SPF, DKIM and DMARC on owned domains

- Networks Security Management - Segmentation, firewalls, IDS/IPS, network monitoring

- Mobile Devices Security - MDM, containerisation, secure access from mobile devices

- Data and Information Protection - Data classification, DLP, encryption, data lifecycle

- Cryptography - Encryption standards, key management, PKI

- Backup and Recovery Management - Backup procedures, restore testing, offsite storage

- Vulnerabilities Management - Scanning, remediation, patch management

- Penetration Testing - Regular penetration testing of systems and applications

- Cybersecurity Event Logs and Monitoring Management - Centralised logging, SIEM, alerting

- Cybersecurity Incident and Threat Management - Detection, classification, response, escalation, threat intelligence

- Physical Security - Physical access control and environmental protection for information processing facilities

- Web Application Security - Secure development practices and protection of externally facing web applications
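The Email Protection subdomain above names SPF, DKIM and DMARC as expected controls, and an assessor will want to see the records actually published, not just the policy that says they should be. The Python below is an added example (not part of this page or of CyberHeed's product) that parses SPF and DMARC TXT records and flags the configurations that commonly fail review: permissive `+all` or `?all` SPF, DMARC `p=none`, partial `pct`, and a weaker subdomain policy. The domain names and records are constructed for the example; in a real check you would fetch the apex TXT record and `_dmarc.<domain>` via DNS and feed them in. DKIM is not checked because its selector names are not discoverable without the sending configuration.

```python
"""Added example: offline baseline check of SPF and DMARC records,
the kind of evidence an assessor asks for under ECC subdomain 2-4.
All domains and records below are constructed, not real DNS data."""
import re

# Constructed sample records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "good.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:198.51.100.10 ~all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50; sp=none",
    },
    "missing.example": {"spf": None, "dmarc": None},
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag -> value dict; {} if absent/invalid."""
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    or None if there is no SPF record or no 'all' term (implicit neutral)."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # bare 'all' means '+all'
    return None


def assess_domain(spf, dmarc):
    """Return a list of findings; an empty list means the strict baseline is met."""
    findings = []
    if spf is None:
        findings.append("SPF: no record published")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier is None:
            findings.append("SPF: no 'all' mechanism; unlisted senders are neutral")
        elif qualifier in ("+", "?"):
            findings.append(f"SPF: '{qualifier}all' permits any sender; use -all")
        elif qualifier == "~":
            findings.append("SPF: '~all' softfail only; move to -all once DMARC is at reject")

    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("DMARC: no valid record published")
        return findings
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; enforcement requires p=reject")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct_raw} applies the policy to only part of the mail flow")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and sub_policy != "reject":
        findings.append(f"DMARC: subdomain policy sp={sub_policy} is weaker than reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; aggregate reports are the monitoring evidence")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: [findings]}."""
    return {d: assess_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(("PASS " if not findings else "FAIL ") + domain)
        for finding in findings:
            print("    - " + finding)
```

Running it prints one PASS/FAIL line per domain with the findings beneath; the findings text is written so it can be pasted into a remediation ticket as-is. Treat `p=reject` with `pct=100` and `-all` as the target state, and keep the `rua` aggregate reports as the ongoing evidence that the policy is actually being applied.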

Domain 3 - Cybersecurity Resilience

Ensure the organisation can withstand and recover from disruption caused by cybersecurity incidents. In ECC-1:2018 this domain has a single subdomain covering the cybersecurity aspects of business continuity and disaster recovery; incident and threat management controls sit in Domain 2.

Subdomains:

- Cybersecurity Resilience Aspects of Business Continuity Management (BCM) - BCP, DRP, testing, crisis management

Domain 4 - Third-Party and Cloud Computing Cybersecurity

Manage cybersecurity risks associated with third parties, outsourcing, and cloud services. As organisations increasingly rely on external providers, this domain ensures that supply chain and cloud risks are identified and controlled.

Subdomains:

- Third-Party Cybersecurity - Vendor risk assessment, contractual security requirements, ongoing monitoring

- Cloud Computing and Hosting Cybersecurity - Cloud security architecture, shared responsibility, data sovereignty

Domain 5 - Industrial Control Systems (ICS) Cybersecurity

Secure operational technology (OT) and industrial control systems. Critical for oil and gas, energy, water, and manufacturing sectors in Saudi Arabia. This domain recognises that ICS environments have distinct security requirements from IT systems.

Subdomains:

- Industrial Control Systems (ICS) Protection - ICS-specific architecture and network isolation, device hardening, firmware management, handling of legacy components

Prepare - Comply - Manage

How CyberHeed handles NCA ECC compliance

CyberHeed maps every ECC control across all five domains and 29 subdomains, captures your current compliance posture, identifies gaps, and tracks remediation with evidence that withstands NCA assessment.

1. Prepare: Assess Against All Domains

SmartPrep guides your team through structured conversations covering each ECC domain and subdomain. AI captures your current cybersecurity posture against all 114 controls, identifies gaps, and prioritises remediation based on risk and NCA assessment focus areas.

For entities already compliant with ISO 27001 or NIST CSF, SmartPrep identifies what's already covered and focuses on ECC-specific additions - particularly governance, ICS, and cloud security requirements.

2. Comply: Evidence and Validation

Upload evidence for each control. AI validates whether your documentation meets NCA expectations. Governance documents, security policies, technical configurations, training records, incident reports, and audit results - each mapped to the specific domain, subdomain, and control.

AutoMatch reads your existing security documentation and maps it to ECC controls automatically. Evidence from ISO 27001, NIST CSF, or DESC ISR is cross-referenced to eliminate duplicate effort.

3. Manage: Continuous Compliance

NCA assessments are ongoing. CyberHeed ensures your evidence is always current - policies reviewed, controls tested, incidents documented, and training records up to date. Periodic reviews and audits (ECC Domain 1) are tracked with reminders and evidence collection.

Dashboard reporting provides cybersecurity leadership with real-time visibility across all five domains and 114 controls.

Multi-Framework Advantage

Already compliant with ISO 27001? You have strong ECC coverage.

The NCA ECC draws on international standards including ISO 27001, NIST CSF, and CIS Controls. Organisations with existing international certifications have significant ECC coverage already in place. CyberHeed maps the overlaps automatically.

~60% - ISO 27001 to NCA ECC

ISO 27001's management system and Annex A controls map strongly to ECC Domains 1 (Governance), 2 (Defence), and 3 (Resilience). Policy frameworks, access control, incident management, and risk assessment overlap substantially.

~55% - NIST CSF to NCA ECC

NIST CSF's five functions map across ECC domains. Identify aligns with governance and asset management. Protect maps to defence controls. Detect and Respond map to resilience. The frameworks are structurally complementary.

~50% - DESC ISR to NCA ECC

Gulf region frameworks share significant common ground. DESC ISR's twelve domains and NCA ECC's five domains cover the same cybersecurity fundamentals - governance, access control, incident management, and operations security.

Other frameworks: DESC ISR, DFSA, ISO 27001, NIST CSF, Essential Eight, CPS 234, PCI DSS, CPS 230

Achieve NCA ECC compliance.

Five domains. 114 controls. AI-guided assessment and continuous compliance monitoring.

Book a Demo