Pass the NCA assessment. The first time.
The NCA Essential Cybersecurity Controls have moved from guidance to enforcement. Saudi government entities, regulated banks, telcos, and critical infrastructure are being assessed — and the gap between operating to the standard and being able to prove it is what most teams underestimate. We close that gap.
The problem we solve.
Proving it to the auditor is <em>another problem entirely</em>.
The NCA Essential Cybersecurity Controls cover 47 controls across five domains. Most security teams have implementations in place for the majority. What most do not have, and what stalls Vision 2030 contracts every quarter, is the evidence chain that lets a regulator verify it without ambiguity.
The standard does not ask whether you encrypt data. It asks for proof of the policy, the implementation, the test results, the access reviews, and the incident drills. Eight things to evidence per control. Four hundred-plus artefacts across the framework. And a regulator that will not accept "we are working on it".
A posture you can prove.
Not just controls in place. A complete, audit-ready posture that maps to every ECC requirement.
ECC control coverage
All 47 controls across the five ECC domains — governance, defence, resilience, third-party, and ICS — implemented and mapped.
Regulator-ready evidence
Control mapping, test results, runbooks, incident drills, and policy artefacts — assembled, indexed, ready to submit.
Remediation findings
Across every NAS-led ECC engagement to date, no material finding requested post-submission.
Re-assessment cadence
Compliance does not retire after submission. We bake quarterly re-assessment into the operating model.
Five domains. 47 controls. One framework.
Every NCA ECC control sits inside one of these five domains. The evidence chain has to be complete across every one, partial coverage is the same as no coverage in a regulator's eyes.
Governance
Strategy, risk, policy, ownership. The accountability skeleton the rest of the framework hangs on.
Defence
Asset, identity, network, application, and data protection, the technical controls themselves.
Resilience
Continuity, backup, DR. The ability to take a hit and recover, evidenced through tested failovers.
Third-party
Cloud providers, SaaS vendors, integrators. Risk does not stop at your perimeter, neither does the evidence.
ICS
Industrial control systems, SCADA, OT. Specialised hardening for the workloads that don't reboot easily.
What this looks like delivered.
Every ECC engagement runs through the same four phases, sequenced so evidence is captured at the moment a control is implemented, not reconstructed weeks later. Typical engagement 8–14 weeks depending on entity size and existing maturity.
01 · Capture
- Regulatory baseline
- Control gap analysis
- Maturity scoring
02 · Design
- Architecture controls
- Policy library
- Operating model
03 · Evidence
- Control mapping
- Test results
- Runbooks & drills
04 · Sustain
- Quarterly re-assessment
- Regulatory-change tracking
- Audit-cycle support
In Saudi banking we cannot afford a finding on first submission. NAS shipped the evidence pack ready for the regulator in week 12. That changed how we plan every audit cycle since.
Three services. One delivered outcome.
This outcome is composed from our services. Each does one thing well, together they ship the posture above.
Infrastructure Services
Security baseline implementation — the technical controls that the ECC framework asks for evidence of.
Open Infrastructure Services // service.02Consultation
Compliance & audit consulting — gap analysis, evidence packs, and the regulator-facing narrative.
Open Consultation // service.03Compliance practice
The cross-cutting practice — frameworks, certifications, and the team that holds the regulator relationship.
Open Compliance practiceHonest questions.
Q.01How long does an ECC readiness engagement run?
A typical engagement runs 8–14 weeks depending on entity size and existing maturity, with a phased delivery that keeps audit-readiness moving even on the longer programmes.
Q.02What exactly is in the evidence pack?
Control mapping for each of the 47 ECC controls, the policy library, implementation artefacts, test results, incident drill records, access reviews, and the regulator-facing narrative, assembled, indexed, and submission-ready.
Q.03How do you stop compliance drift after submission?
Quarterly re-assessment is baked into the operating model. We re-test each control on its own cadence, track regulatory change, and refresh the evidence pack so the posture stays current, not a snapshot.
Q.04Do you cover sectoral overlays, SAMA SCF, NHA, PDPL?
Yes. NCA ECC is the foundation. Where the workload requires it we add sector overlays (SAMA SCF for financial services, NHA for healthcare, PDPL for personal data) without rebuilding the underlying evidence chain.
Q.05What about ICS, the fifth domain?
ICS gets its own assessment track. Industrial control systems require specialised hardening, segmentation, and operational-technology-aware monitoring, covered under the same evidence framework but engineered for OT realities.
Want a readiness review?
A 30-minute review of where you are against the 47 controls, what is in place, what is evidenced, and what would be a finding today. No deck, no pitch.