Skip to main content
Outcome · Regulator-ready cybersecurity

Pass the NCA assessment. The first time.

The NCA Essential Cybersecurity Controls have moved from guidance to enforcement. Saudi government entities, regulated banks, telcos, and critical infrastructure are being assessed — and the gap between operating to the standard and being able to prove it is what most teams underestimate. We close that gap.

0 ECC controls covered
Regulator-ready evidence pack on handover
Zero remediation findings to date
// 01 · Why this matters now

The problem we solve.

Proving it to the auditor is <em>another problem entirely</em>.

The NCA Essential Cybersecurity Controls cover 47 controls across five domains. Most security teams have implementations in place for the majority. What most do not have, and what stalls Vision 2030 contracts every quarter, is the evidence chain that lets a regulator verify it without ambiguity.

The standard does not ask whether you encrypt data. It asks for proof of the policy, the implementation, the test results, the access reviews, and the incident drills. Eight things to evidence per control. Four hundred-plus artefacts across the framework. And a regulator that will not accept "we are working on it".

47 ECC controls in scope Across governance, defence, resilience, third-party, and ICS — every one needs evidence.
80% Cite evidence as the bottleneck Regulated entities self-reporting that producing the evidence pack — not the controls themselves — delays submission.
1 Finding can stall a contract A single material finding on first submission can defer a Vision 2030 procurement cycle by quarters.
// 02 · What you'll have

A posture you can prove.

Not just controls in place. A complete, audit-ready posture that maps to every ECC requirement.

PILLAR.01 100%

ECC control coverage

All 47 controls across the five ECC domains — governance, defence, resilience, third-party, and ICS — implemented and mapped.

PILLAR.02 Pack

Regulator-ready evidence

Control mapping, test results, runbooks, incident drills, and policy artefacts — assembled, indexed, ready to submit.

PILLAR.03 0

Remediation findings

Across every NAS-led ECC engagement to date, no material finding requested post-submission.

PILLAR.04 Quarterly

Re-assessment cadence

Compliance does not retire after submission. We bake quarterly re-assessment into the operating model.

0
Remediation findings, to date. Across every NAS-led ECC engagement, the regulator has come back with zero material findings post-submission.
// track record
// 03 · The 5 ECC domains

Five domains. 47 controls. One framework.

Every NCA ECC control sits inside one of these five domains. The evidence chain has to be complete across every one, partial coverage is the same as no coverage in a regulator's eyes.

// dom.01

Governance

Strategy, risk, policy, ownership. The accountability skeleton the rest of the framework hangs on.

// dom.02

Defence

Asset, identity, network, application, and data protection, the technical controls themselves.

// dom.03

Resilience

Continuity, backup, DR. The ability to take a hit and recover, evidenced through tested failovers.

// dom.04

Third-party

Cloud providers, SaaS vendors, integrators. Risk does not stop at your perimeter, neither does the evidence.

// dom.05

ICS

Industrial control systems, SCADA, OT. Specialised hardening for the workloads that don't reboot easily.

// 04 · In practice

What this looks like delivered.

Every ECC engagement runs through the same four phases, sequenced so evidence is captured at the moment a control is implemented, not reconstructed weeks later. Typical engagement 8–14 weeks depending on entity size and existing maturity.

01 // capture

01 · Capture

  • Regulatory baseline
  • Control gap analysis
  • Maturity scoring
02 // design

02 · Design

  • Architecture controls
  • Policy library
  • Operating model
03 // evidence

03 · Evidence

  • Control mapping
  • Test results
  • Runbooks & drills
04 // sustain

04 · Sustain

  • Quarterly re-assessment
  • Regulatory-change tracking
  • Audit-cycle support

In Saudi banking we cannot afford a finding on first submission. NAS shipped the evidence pack ready for the regulator in week 12. That changed how we plan every audit cycle since.

Tier-1 Saudi bank · client name withheld · CISO
// 06 · FAQ

Honest questions.

Q.01How long does an ECC readiness engagement run?

A typical engagement runs 8–14 weeks depending on entity size and existing maturity, with a phased delivery that keeps audit-readiness moving even on the longer programmes.

Q.02What exactly is in the evidence pack?

Control mapping for each of the 47 ECC controls, the policy library, implementation artefacts, test results, incident drill records, access reviews, and the regulator-facing narrative, assembled, indexed, and submission-ready.

Q.03How do you stop compliance drift after submission?

Quarterly re-assessment is baked into the operating model. We re-test each control on its own cadence, track regulatory change, and refresh the evidence pack so the posture stays current, not a snapshot.

Q.04Do you cover sectoral overlays, SAMA SCF, NHA, PDPL?

Yes. NCA ECC is the foundation. Where the workload requires it we add sector overlays (SAMA SCF for financial services, NHA for healthcare, PDPL for personal data) without rebuilding the underlying evidence chain.

Q.05What about ICS, the fifth domain?

ICS gets its own assessment track. Industrial control systems require specialised hardening, segmentation, and operational-technology-aware monitoring, covered under the same evidence framework but engineered for OT realities.

// 07 · Engage

Want a readiness review?

A 30-minute review of where you are against the 47 controls, what is in place, what is evidenced, and what would be a finding today. No deck, no pitch.