A Practical Implementation Guide to NCA ECC-2 and SAMA Cybersecurity Frameworks
1.0 The Strategic Imperative of Cybersecurity Compliance in Saudi Arabia
As the Kingdom of Saudi Arabia accelerates its ambitious Vision 2030 objectives, the digital landscape is undergoing a profound transformation. In this period of rapid digitization, compliance with national cybersecurity mandates has evolved from a technical checklist into a strategic imperative. The two pillars of this new regulatory environment are the National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC-2) and the Saudi Central Bank (SAMA) Cybersecurity Framework (CSF). For organizations operating within the Kingdom, adherence to these frameworks is no longer optional – it is a mandatory requirement for safeguarding critical infrastructure, maintaining stakeholder trust, and enabling sustainable business growth.
This guide is designed for cybersecurity managers, IT project teams, and governance leaders tasked with navigating this complex ecosystem. It provides a practical, step-by-step approach to understanding, implementing, and maintaining compliance with both the NCA ECC-2 and SAMA CSF.
It will move beyond theoretical principles to offer actionable guidance for translating regulatory obligations into a stable and resilient security posture. The first step toward successful implementation is a clear understanding of the core principles and applicability of each framework.
2.0 Understanding the Core Regulatory Frameworks
To comply successfully, it is essential to understand the differing philosophies, areas of focus, and structural differences between the SAMA CSF and the NCA ECC-2. Both frameworks aim to enhance the Kingdom’s cyber resilience, but they are tailored to different sectors and use distinct models for compliance assessment. This section dissects each framework to give teams the clarity they need to determine their specific obligations and architect an effective compliance strategy.
2.1 The SAMA Cybersecurity Framework (CSF): A Maturity-Driven Paradigm
The SAMA Cybersecurity Framework is a specialized mandate targeting all financial institutions regulated by the Saudi Central Bank. This includes:
- Commercial banks
- Insurance and reinsurance companies
- Financing companies
- Credit bureaus
- Financial market infrastructure providers
The core architectural philosophy of the SAMA CSF is its use of a predefined maturity model.
This approach moves beyond binary “compliant/non-compliant” assessments to measure the effectiveness and institutionalization of control implementation over time.
It requires organizations not only to implement controls, but also to formalize, manage, and continuously improve them.
The framework is structured around four main control domains that provide a holistic view of an organization’s security posture.
| Domain ID | Main Control Domain | Subdomains | Primary Objective |
|---|---|---|---|
| 3.1 | Cybersecurity Leadership and Governance | 6 | Establish effective leadership, accountability, and strategic management of cybersecurity. |
| 3.2 | Cybersecurity Risk Management and Compliance | 3 | Systematically identify and evaluate cyber risks and ensure compliance with regulatory standards. |
| 3.3 | Cybersecurity Operations and Technology | 11 | Implement technical safeguards and operational processes to protect, detect, and respond to threats. |
| 3.4 | Third-Party Cybersecurity | 3 | Manage risks associated with external vendors, outsourcing, and cloud service providers. |
A definitive characteristic of the SAMA CSF is its six-level maturity model, which provides a clear scale for measuring control effectiveness.
- Level 0 (Non-Existent): There is a total absence of attention to security mandates, with no documentation or awareness of cybersecurity controls.
- Level 1 (Ad-Hoc): Controls exist but are executed inconsistently on a case-by-case basis, with no defined standards or patterns.
- Level 2 (Repeatable but Informal): Controls are performed regularly, but they lack formal approval, documentation, or standardization across the organization.
- Level 3 (Structured & Formalized): Controls are well-defined, formally approved, and documented. Standardized procedures are adopted at a large scale.
- Level 4 (Managed & Measurable): Controls are regularly assessed for effectiveness using Key Risk Indicators (KRIs) and are refined based on measurable data.
- Level 5 (Adaptive): Controls are continuously improved, integrated into enterprise-wide risk management, and evaluated against peer and sector data.
To be considered compliant with the framework’s baseline requirements, SAMA explicitly mandates that all member organizations operate at a minimum of Level 3 (Structured & Formalized).
2.2 The NCA Essential Cybersecurity Controls (ECC-2): A Foundation for National Resilience
While SAMA focuses on the financial sector, the NCA’s Essential Cybersecurity Controls (ECC) establish the minimum cybersecurity requirements for the entire nation’s digital backbone. The framework applies to all Saudi government organizations (ministries, authorities, etc.) and to private sector entities that own, operate, or host Critical National Infrastructure (CNI). In late 2024, the NCA introduced a landmark transition from ECC-1:2018 to ECC-2:2024. This update reflects a strategic shift toward a more streamlined, risk-centric, and nationally aligned security posture. The reorganization introduced several major shifts with significant strategic implications for covered organizations:
- Saudization: The ECC-1 framework mandated that Saudi nationals fill only senior cybersecurity positions. ECC-2:2024 elevates this mandate significantly, requiring that all cybersecurity positions be occupied by full-time, qualified Saudi professionals. This change makes workforce development a core compliance activity.
- Data Sovereignty: ECC-2 decouples data localization from the NCA’s direct control. Authority over in-country data hosting requirements has been transferred to the National Data Management Office (NDMO) within the Saudi Data and Artificial Intelligence Authority (SDAIA). This creates a dual responsibility for organizations to align with both NCA for system security and NDMO for data governance.
The ECC-2:2024 framework is built upon four primary domains:
- Cybersecurity Governance
- Cybersecurity Defense
- Cybersecurity Resilience
- Third-Party and Cloud Computing Cybersecurity
2.3 Determining Applicability and Priority
To determine which framework(s) apply, organizations must first assess their sector and function. The regulatory hierarchy in Saudi Arabia is clear:
- If an organization is regulated by SAMA (e.g., a bank or insurance company), the SAMA CSF takes precedence for sectoral compliance.
- If that same SAMA-regulated entity is also designated as part of the Kingdom’s Critical National Infrastructure (CNI), it must additionally align with the NCA ECC.
This overlap creates a significant strategic challenge. A major national bank, for instance, must develop a unified compliance program that satisfies both SAMA’s focus on periodic assessment and maturity and the NCA’s move toward evidence-based proof of maturity over time via its Assessment and Compliance Tool (ACT) portal.
An effective strategy involves mapping controls across both frameworks to identify overlaps and unique requirements. This allows for efficiency, as evidence collected to demonstrate maturity for SAMA’s Level 3 and above can often be repurposed for the NCA’s continuous reporting obligations. Once an organization understands its unique obligations, it can begin a structured implementation process.
3.0 A Step-by-Step Plan for Implementation and Compliance
Achieving compliance is not a single event but a structured journey that requires careful planning, execution, and ongoing management. A phased approach ensures that foundational elements are established before more complex technical controls are implemented, creating a sustainable and audit-ready security program. This section breaks down the process into actionable phases, providing a clear roadmap for project teams from initial assessment to ongoing risk management.
3.1 Phase 1: Foundational Assessment and Governance
- Conduct a Gap Assessment: The first step is to understand your current security posture. Use the official NCA ECC assessment toolkit to conduct a detailed gap assessment against the required controls. This will identify areas of weakness and provide a clear baseline for your implementation roadmap.
- Develop a Cybersecurity Strategy: Formulate a comprehensive cybersecurity strategy that addresses both current business requirements and future growth plans. This strategy must include a roadmap of key initiatives, high-level action plans, and defined timeframes for achieving compliance milestones.
- Establish Governance Structures: Create a formal cybersecurity committee with a documented charter that defines its mandate, authority, membership, and roles. Define a RACI (Responsible, Accountable, Consulted, Informed) matrix for key cybersecurity activities to ensure clear ownership and accountability.
- Define and Document Policies: Review and enhance all existing cybersecurity policies and procedures. Where gaps are identified, define, document, approve, and communicate new policies to ensure they cover all relevant areas mandated by the applicable frameworks.
3.2 Phase 2: Implementing Core Technical Controls
- Asset Management: Maintain a centralized and up-to-date inventory of all information and technology assets, such as a Configuration Management Database (CMDB). This inventory must include details like asset ID, location, criticality level based on Confidentiality, Integrity, and Availability (CIA), and asset owner.
- Identity and Access Management (IAM): Implement multi-factor authentication (MFA) for all remote access and for privileged administrator access to critical systems. Deploying appropriate IAM and Privileged Access Management (PAM) technology solutions is essential for automating and enforcing principles of least privilege and need-to-know.
- Data Protection: Define a comprehensive ‘Data Protection Governance’ framework. This must include a Data Classification, Handling, and Protection Standard that dictates how data is protected at each stage of its lifecycle (collection, storage, use, transfer, and disposal) based on its sensitivity.
- Vulnerability Management: Establish a formal process for regularly scanning, monitoring, and patching systems to remediate vulnerabilities in a timely manner. To validate the effectiveness of your security program, conduct periodic Red Team Assessments, which simulate real-world attack strategies to test your organization’s detection and response capabilities.
- Logging and Monitoring: Integrate all critical IT assets, including applications, servers, and network devices, with a Security Information and Event Management (SIEM) solution. Define a security event monitoring standard that identifies all critical events to be logged and monitored for each asset type.
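The Phase 2 controls above (asset inventory with CIA-based criticality, MFA on remote and privileged access, SIEM integration of critical assets) can be checked mechanically against a CMDB export. The following is an added example written for this guide, not code from the NCA assessment toolkit or from SAMA; the asset records, the field names (`remote_access`, `privileged_access`, `mfa_enforced`, `siem_forwarding`) and the rule that criticality follows the highest CIA rating are constructed assumptions about what such an export might contain.

```python
"""Inventory-driven checks for the Phase 2 controls described above.

Added illustration; not code from the guide, the NCA toolkit, or SAMA.
The asset records and field names are constructed assumptions about what a
CMDB export might contain.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# CIA ratings use a 1 (low) to 3 (high) scale; the criticality label is driven
# by the highest of the three, so an asset is as critical as its most
# sensitive attribute (assumed rule).
CRITICALITY_LABEL = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Asset:
    asset_id: str
    location: str
    owner: str               # empty string means no owner recorded
    confidentiality: int
    integrity: int
    availability: int
    remote_access: bool      # reachable from outside the corporate network
    privileged_access: bool  # administrators log in interactively
    mfa_enforced: bool       # MFA required on the access paths above
    siem_forwarding: bool    # logs are shipped to the SIEM


def criticality(asset: Asset) -> str:
    """Map CIA ratings to a criticality label; reject ratings outside the scale."""
    ratings = (asset.confidentiality, asset.integrity, asset.availability)
    if any(r not in CRITICALITY_LABEL for r in ratings):
        raise ValueError(f"{asset.asset_id}: CIA ratings must be 1, 2 or 3, got {ratings}")
    return CRITICALITY_LABEL[max(ratings)]


def find_findings(assets: List[Asset]) -> List[Dict[str, str]]:
    """Return one finding per control gap, tagged with the Phase 2 control area."""
    findings: List[Dict[str, str]] = []
    seen_ids = set()

    def add(asset: Asset, control: str, issue: str) -> None:
        findings.append({"asset": asset.asset_id, "control": control, "issue": issue})

    for asset in assets:
        # Asset management: records must be unique and carry an owner.
        if asset.asset_id in seen_ids:
            add(asset, "asset-management", "duplicate asset ID in inventory")
        seen_ids.add(asset.asset_id)
        if not asset.owner:
            add(asset, "asset-management", "no asset owner recorded")

        level = criticality(asset)

        # IAM: MFA on all remote access, and on privileged access to critical systems.
        if asset.remote_access and not asset.mfa_enforced:
            add(asset, "iam", "remote access without MFA")
        if asset.privileged_access and level == "high" and not asset.mfa_enforced:
            add(asset, "iam", "privileged access to a high-criticality system without MFA")

        # Logging and monitoring: critical assets must be integrated with the SIEM.
        if level == "high" and not asset.siem_forwarding:
            add(asset, "logging", "high-criticality asset not forwarding logs to SIEM")
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per control area, for a quick gap-assessment view."""
    return dict(Counter(f["control"] for f in findings))


# Constructed sample inventory (not real assets); the last row repeats an ID.
SAMPLE_ASSETS = [
    Asset("SRV-001", "Riyadh DC", "app-team", 3, 3, 3, False, True, True, True),
    Asset("SRV-002", "Riyadh DC", "", 2, 2, 1, True, False, False, False),
    Asset("DB-001", "Jeddah DC", "dba-team", 3, 2, 2, False, True, False, False),
    Asset("SRV-002", "Dammam DC", "net-team", 1, 1, 1, False, False, False, True),
]

if __name__ == "__main__":
    for f in find_findings(SAMPLE_ASSETS):
        print(f"{f['asset']:8} {f['control']:17} {f['issue']}")
    print(summarize(find_findings(SAMPLE_ASSETS)))
```

Run as-is it reports five findings across the sample rows: a duplicate ID and a missing owner (asset management), remote and privileged access without MFA (IAM), and one high-criticality database not feeding the SIEM (logging). The same checks can be pointed at a real CMDB export once its columns are mapped onto the `Asset` fields.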
3.3 Phase 3: Managing Resilience and Third-Party Risk
- Cybersecurity Resilience: Integrate cybersecurity resilience requirements directly into your organization’s Business Continuity Management (BCM) framework. This ensures that response plans for incidents like ransomware or denial-of-service attacks are documented and tested, minimizing the impact on critical e-services.
- Third-Party and Cloud Security: Implement a robust process for managing third-party risk. This must include performing due diligence assessments on vendors prior to engagement, obtaining independent security assessment reports, and including a “right to audit” clause in all contractual agreements to ensure ongoing compliance.
Beyond these general implementation phases, organizations must pay special attention to several unique and impactful mandates within the frameworks that require dedicated strategic focus.
4.0 Mastering Critical Mandates and Strategic Shifts
While the SAMA and NCA frameworks are comprehensive, certain mandates require special strategic focus due to their significant operational impact and reflection of national priorities. Achieving compliance in these areas goes beyond technical implementation and demands changes in workforce strategy, governance, and organizational culture. The following section provides targeted guidance on navigating SAMA’s unique maturity requirements and the fundamental updates in ECC-2.
4.1 How to Use the SAMA Maturity Model
For SAMA-regulated entities, compliance is not a simple “yes/no” state. The goal is to progress from ad-hoc, informal processes to a minimum of Level 3 (“Structured & Formalized”). This requires a concerted effort to institutionalize and measure security practices.
- Achieving Level 3 (Structured & Formalized): To reach Level 3, your primary focus must be on creating formal, approved documentation for every control. Without this evidence, you cannot meet the baseline. This marks the transition from informal practices to standardized, repeatable processes that are adopted across the organization.
- Progressing to Level 4 (Managed & Measurable): To move to Level 4, organizations must regularly assess the effectiveness of their controls using Key Risk Indicators (KRIs). This requires collecting measurable data to prove that controls are not only implemented but are working effectively. Processes must then be refined based on this data.
- Reaching Level 5 (Adaptive): The highest level represents a state of continuous improvement. At this stage, controls are fully integrated into enterprise-wide risk management, and their performance is benchmarked against peer and sector data. This adaptive posture allows the organization to proactively adjust to the evolving threat landscape.
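The six-level scale from section 2.1 and the level-by-level progression in this section can be expressed as a small assessment routine. The following is an added example written for this guide, not SAMA’s own assessment methodology or tooling; the evidence attributes used to distinguish the levels, the placeholder control IDs, and the rule that a domain is only as mature as its weakest control are constructed assumptions.

```python
"""Deriving a maturity level per control and per domain on the SAMA scale.

Added illustration; not SAMA's own assessment methodology. The evidence
attributes, control IDs and the "weakest control sets the domain level"
aggregation rule are constructed assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BASELINE_LEVEL = 3  # SAMA's minimum for member organizations (Structured & Formalized)

LEVEL_NAMES = {
    0: "Non-Existent",
    1: "Ad-Hoc",
    2: "Repeatable but Informal",
    3: "Structured & Formalized",
    4: "Managed & Measurable",
    5: "Adaptive",
}

# Each criterion is the evidence that separates a level from the one below it.
# Order matters: every level presupposes all earlier criteria.
LEVEL_CRITERIA = [
    ("performed", "control exists and is executed at least case by case"),               # -> 1
    ("consistent", "control is performed regularly across the organization"),            # -> 2
    ("documented_and_approved", "formal, approved, standardized documentation"),          # -> 3
    ("measured_with_kris", "effectiveness assessed with KRIs and refined on the data"),  # -> 4
    ("benchmarked", "integrated into enterprise risk management and benchmarked"),       # -> 5
]


@dataclass
class ControlEvidence:
    control_id: str
    domain: str  # SAMA main control domain, e.g. "3.1"
    performed: bool = False
    consistent: bool = False
    documented_and_approved: bool = False
    measured_with_kris: bool = False
    benchmarked: bool = False


def maturity_level(ev: ControlEvidence) -> int:
    """The first unmet criterion caps the level, whatever later flags claim."""
    level = 0
    for attr, _ in LEVEL_CRITERIA:
        if not getattr(ev, attr):
            break
        level += 1
    return level


def next_step(ev: ControlEvidence) -> str:
    """Evidence that would lift this control one level ('' once at Level 5)."""
    level = maturity_level(ev)
    return LEVEL_CRITERIA[level][1] if level < len(LEVEL_CRITERIA) else ""


def domain_levels(evidence: List[ControlEvidence]) -> Dict[str, int]:
    """A domain is only as mature as its weakest control (assumed rule)."""
    levels: Dict[str, int] = {}
    for ev in evidence:
        levels[ev.domain] = min(levels.get(ev.domain, 5), maturity_level(ev))
    return levels


def baseline_gaps(evidence: List[ControlEvidence]) -> List[Tuple[str, int, str]]:
    """Controls below the SAMA baseline, each with the evidence needed next."""
    return [(ev.control_id, maturity_level(ev), next_step(ev))
            for ev in evidence if maturity_level(ev) < BASELINE_LEVEL]


def meets_baseline(evidence: List[ControlEvidence]) -> bool:
    return not baseline_gaps(evidence)


# Constructed sample assessment (control IDs are placeholders, not SAMA numbering).
SAMPLE_EVIDENCE = [
    ControlEvidence("3.1-X1", "3.1", True, True, True, True, True),
    ControlEvidence("3.1-X2", "3.1", True, True, True),
    ControlEvidence("3.2-X1", "3.2", True, True),
    # Documentation claimed without consistent execution: the control is still Level 1,
    # because a formal document does not make an ad-hoc practice structured.
    ControlEvidence("3.3-X1", "3.3", performed=True, documented_and_approved=True),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVIDENCE:
        lvl = maturity_level(ev)
        print(f"{ev.control_id}: Level {lvl} ({LEVEL_NAMES[lvl]})")
    print("domain levels:", domain_levels(SAMPLE_EVIDENCE))
    print("baseline gaps:", baseline_gaps(SAMPLE_EVIDENCE))
```

The ordering of `LEVEL_CRITERIA` is the point of the example: a control cannot be scored at Level 3 on the strength of a policy document alone if it is not actually performed consistently, which is the trap the "create documentation for every control" advice above can lead into when evidence of execution is missing.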
4.2 The Saudization Principle: Building a Compliant Workforce
The ECC-2:2024 Saudization mandate transforms cybersecurity hiring from a personnel requirement into a core human capital strategy. Compliance is now contingent on proving the full-time employment of qualified Saudi professionals in all cybersecurity roles. This means demonstrating a tangible investment in local talent is now a direct measure of an organization’s internal cybersecurity maturity, not just a quota to be met.
Actionable recommendations for building an ECC-2-ready workforce:
- Align with SCyWF: Use the Saudi Cybersecurity Workforce Framework (SCyWF) to define job roles, required skills, and career progression paths. This ensures your role descriptions and hiring criteria align with national standards.
- Invest in Talent Development: Organizations must demonstrate maturity by investing in the training, certification, and promotion of Saudi talent internally. This builds long-term organizational resilience and reduces reliance on external consultants.
- Focus on Key Technical Skills: The workforce must possess proven expertise in critical technical domains, including cloud security, incident response and forensics, third-party risk management, and DevSecOps.
- Develop Regulatory Literacy: Your team must understand how global standards like NIST CSF and ISO/IEC 27001 map to local NCA ECC-2 and SAMA requirements. This knowledge is essential for effective policy creation and audit preparedness.
4.3 Managing Data Sovereignty: The NDMO/SDAIA Intersection
Under ECC-2, the authority for data localization has been strategically transferred from the NCA to the National Data Management Office (NDMO), which operates under the Saudi Data and Artificial Intelligence Authority (SDAIA). This creates a critical intersection of regulatory responsibility:
- The NCA remains focused on the security of systems and infrastructure.
- The SDAIA/NDMO is now the authority on data governance, classification, and cross-border data flows.
Organizations must now refer to NDMO regulations before making decisions about data hosting. It is crucial to ensure that data governance strategies are synchronized across both regulatory bodies to avoid compliance gaps.
For instance, a cloud service provider could be fully compliant with NCA’s infrastructure security controls but violate NDMO’s data residency rules if they store certain classes of citizen data outside the Kingdom without authorization. This creates a dual-front compliance risk. Technology can play a crucial role in managing these complex and overlapping requirements.
5.0 Leveraging Technology for Sustained Compliance
The complexity, scope, and evidentiary requirements of the SAMA and NCA frameworks make manual tracking and reporting inefficient, resource-intensive, and inherently risky. Achieving sustainable, audit-ready compliance demands a strategic investment in technology designed to automate and centralize governance, risk, and compliance activities. This section evaluates the pivotal role of Governance, Risk, and Compliance (GRC) platforms in achieving and maintaining an evidence-based compliance posture.
5.1 GRC Platforms and Automation
Governance, Risk, and Compliance (GRC) platforms are designed to address the challenges of managing multiple, overlapping regulatory requirements. They provide a unified system for documenting controls, collecting evidence, and reporting on compliance status, which is particularly valuable in the Saudi context. Key benefits of leveraging GRC platforms:
- Automated Control Mapping: GRC tools can automatically map a single internal control to multiple requirements across SAMA CSF, NCA ECC-2, and even international standards like ISO 27001. This supports a “comply once, satisfy many” approach, significantly reducing redundant effort.
- Centralized Evidence Collection: Demonstrating maturity to SAMA requires consistent, accessible evidence of control effectiveness. GRC platforms centralize and automate evidence collection, linking it directly to specific controls and reducing the immense burden of manual preparation for audits.
- Streamlined Reporting: These platforms can automate the generation of compliance reports tailored to specific regulatory needs. This includes periodic reports for SAMA’s maturity assessments and streamlined submissions to the NCA’s Assessment and Compliance Tool (ACT) portal.
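The "comply once, satisfy many" mapping described above, and the evidence reuse between SAMA maturity assessments and NCA reporting discussed in section 2.3, reduce to a few set operations over a control catalogue. The following is an added example written for this guide, not code from any GRC product; the framework domains follow the guide, but the requirement identifiers (marked `PLACEHOLDER`), the internal control names and the evidence file names are constructed and are not real SAMA, NCA or ISO control numbers.

```python
"""Cross-framework control mapping: one internal control, many requirements.

Added illustration of the "comply once, satisfy many" approach; not code
from any GRC product. Requirement identifiers, control names and evidence
file names are constructed placeholders, not real framework control numbers.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Requirement catalogue keyed by framework (identifiers are placeholders).
REQUIREMENTS: Dict[str, List[str]] = {
    "SAMA CSF": ["3.1-GOV-PLACEHOLDER", "3.3-LOG-PLACEHOLDER",
                 "3.3-VULN-PLACEHOLDER", "3.4-TPR-PLACEHOLDER"],
    "NCA ECC-2": ["GOV-PLACEHOLDER", "DEF-LOG-PLACEHOLDER",
                  "DEF-VULN-PLACEHOLDER", "TPC-PLACEHOLDER"],
    "ISO/IEC 27001": ["A-LOG-PLACEHOLDER", "A-SUPPLIER-PLACEHOLDER"],
}

# Internal control -> requirements it satisfies in each framework.
CONTROL_MAP: Dict[str, Dict[str, List[str]]] = {
    "IC-01 SIEM monitoring of critical assets": {
        "SAMA CSF": ["3.3-LOG-PLACEHOLDER"],
        "NCA ECC-2": ["DEF-LOG-PLACEHOLDER"],
        "ISO/IEC 27001": ["A-LOG-PLACEHOLDER"],
    },
    "IC-02 Vendor due diligence with right-to-audit clause": {
        "SAMA CSF": ["3.4-TPR-PLACEHOLDER"],
        "NCA ECC-2": ["TPC-PLACEHOLDER"],
        "ISO/IEC 27001": ["A-SUPPLIER-PLACEHOLDER"],
    },
    "IC-03 Cybersecurity committee charter": {
        "SAMA CSF": ["3.1-GOV-PLACEHOLDER"],
        "NCA ECC-2": ["GOV-PLACEHOLDER"],
    },
}

# Evidence items linked to internal controls (constructed file names); IC-02 has none yet.
EVIDENCE: Dict[str, List[str]] = {
    "IC-01 SIEM monitoring of critical assets": ["siem-integration-report-placeholder.pdf"],
    "IC-03 Cybersecurity committee charter": ["committee-charter-placeholder.pdf"],
}


def validate_mapping(requirements, control_map) -> List[str]:
    """Mappings that point at unknown frameworks or requirement IDs (typo guard)."""
    problems = []
    for control, by_fw in control_map.items():
        for fw, reqs in by_fw.items():
            if fw not in requirements:
                problems.append(f"{control}: unknown framework {fw}")
                continue
            problems += [f"{control}: unknown requirement {fw}/{r}"
                         for r in reqs if r not in requirements[fw]]
    return problems


def coverage(requirements, control_map) -> Dict[str, Dict[str, object]]:
    """Per framework: requirements with at least one mapped control, and those with none."""
    mapped: Dict[str, Set[str]] = defaultdict(set)
    for by_fw in control_map.values():
        for fw, reqs in by_fw.items():
            mapped[fw].update(reqs)
    return {fw: {"covered": len(mapped[fw] & set(reqs)),
                 "total": len(reqs),
                 "unmapped": [r for r in reqs if r not in mapped[fw]]}
            for fw, reqs in requirements.items()}


def evidence_reach(control_map, evidence) -> Dict[str, int]:
    """How many requirements, across all frameworks, each evidence item supports."""
    reach: Dict[str, int] = {}
    for control, files in evidence.items():
        n = sum(len(reqs) for reqs in control_map.get(control, {}).values())
        for f in files:
            reach[f] = reach.get(f, 0) + n
    return reach


def unevidenced_requirements(control_map, evidence) -> Dict[str, List[str]]:
    """Mapped requirements whose supporting controls have no evidence on file."""
    mapped: Dict[str, Set[str]] = defaultdict(set)
    evidenced: Dict[str, Set[str]] = defaultdict(set)
    for control, by_fw in control_map.items():
        for fw, reqs in by_fw.items():
            mapped[fw].update(reqs)
            if evidence.get(control):
                evidenced[fw].update(reqs)
    return {fw: sorted(mapped[fw] - evidenced[fw]) for fw in mapped}


if __name__ == "__main__":
    print("mapping problems:", validate_mapping(REQUIREMENTS, CONTROL_MAP))
    print("coverage:", coverage(REQUIREMENTS, CONTROL_MAP))
    print("evidence reach:", evidence_reach(CONTROL_MAP, EVIDENCE))
    print("unevidenced:", unevidenced_requirements(CONTROL_MAP, EVIDENCE))
```

Three outputs matter to the compliance team: `coverage` shows that the vulnerability-management requirements in both SAMA and NCA have no internal control mapped at all (a design gap, not an evidence gap); `evidence_reach` shows the single SIEM integration report supporting three requirements across three frameworks, which is the reuse the text describes; and `unevidenced_requirements` isolates the third-party requirements that are mapped but cannot yet be proven because IC-02 has no evidence on file.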
5.2 Preparing for Audits and Continuous Monitoring
Both SAMA and the NCA prioritize continuous compliance over one-time certifications. Organizations must cultivate an “always-on” audit-ready posture, and technology is a key enabler of this capability. To maintain this posture, organizations should:
- Establish a process for continuous monitoring of security controls to track compliance status in real-time. GRC platforms facilitate this by providing dashboards that visualize security KPIs and alert teams to compliance drift or control failures.
- Conduct periodic self-assessments using the automated tools within a GRC platform. This allows teams to identify and remediate gaps proactively, long before a formal audit is scheduled.
Ultimately, organizations must be prepared for ongoing monitoring, regular reporting, and the demand for evidence-based proof that controls are not just designed but are operating effectively. By using these technology-based methods, businesses can turn compliance from a reactive, burdensome regulatory task into a source of operational resilience and strategic strength.
6.0 Turning Compliance into a Strategic Advantage
Compliance with Saudi Arabia’s SAMA CSF and NCA ECC-2 frameworks is a foundational requirement for operating in the Kingdom’s digital economy. As outlined in this guide, success hinges on a structured, multi-faceted approach. This includes conducting a phased implementation beginning with governance, building a skilled and compliant Saudi workforce in line with the national Saudization imperative, carefully navigating the NCA/SDAIA intersection for data sovereignty, and leveraging GRC technology to automate and sustain compliance efforts. Adherence to these mandates should not be viewed as a final destination or a regulatory burden. Instead, it is a continuous commitment that builds a secure, resilient, and trustworthy digital presence. By embedding these principles into their operational DNA, organizations can do more than just meet requirements – they can gain a competitive edge, foster stakeholder confidence, and contribute directly to the ambitious goals of Saudi Vision 2030.