The National Cybersecurity Authority's Essential Cybersecurity Controls (the NCA ECC) have been mandatory for in-scope Saudi organisations since 2020. Yet many SMEs operating in the Kingdom either don't know the controls apply to them, assume compliance is only for large enterprises, or have been told by their IT provider that they are "basically compliant" without any formal assessment ever having taken place.
This article gives you the plain-English version of what the ECC is, who it applies to, and what practical compliance actually looks like for a business with 50 to 500 users.
What the NCA ECC Actually Is
The Essential Cybersecurity Controls are a framework published by the National Cybersecurity Authority — Saudi Arabia's government body responsible for cybersecurity regulation. The framework defines a baseline set of security controls that organisations operating in the Kingdom are expected to implement.
The controls are organised into five domains:
- Cybersecurity Governance — policies, roles, accountability
- Cybersecurity Defence — technical controls protecting systems and data
- Cybersecurity Resilience — backup, recovery, and business continuity
- Third-party and Cloud Cybersecurity — managing risk in your supply chain and cloud services
- Industrial Control Systems Security — relevant to manufacturing and operational technology environments
For most SMEs, the first three domains are where the most attention is needed. The fourth still matters if you run on hosted or SaaS services, because the controls expect you to manage the risk of what your providers hold for you, not to assume they have done it.
Does It Apply to You?
This is where most SME owners get confused. The mandatory scope of the NCA ECC covers government entities and the organisations that own, operate or host national critical information infrastructure. Healthcare, financial services, telecoms, energy, and transport are explicitly within scope.
However, any business operating in Saudi Arabia that processes sensitive data, works with government clients, or operates in a regulated sector should treat ECC alignment as expected practice — not a tick-box exercise but a genuine baseline. Increasingly, large Saudi enterprises require their suppliers and partners to demonstrate NCA ECC alignment as a condition of doing business.
If you're a fintech, a clinic, a logistics company, or a professional services firm operating in the Kingdom, ECC alignment is not optional in any practical commercial sense — even if your specific entity isn't explicitly named in the mandatory scope.
What the Controls Actually Require in Practice
Let's translate the three domains that matter most to a typical SME into what they mean operationally:
Governance
You need a written cybersecurity policy, a named person accountable for cybersecurity, and a process for reviewing and updating both. For an SME this doesn't need to be an elaborate CISO function, but it does need to be documented, owned, and acted upon.
Defence
This is the largest domain and covers technical controls including asset inventory, access management and multi-factor authentication, network segmentation, endpoint protection, email security, vulnerability management, and logging. Most SMEs already have some of these in place. The gap is usually in the documentation that proves they exist and the consistency with which they are applied across every system, not just the ones the IT team looks at most.
Resilience
You need tested backups, a documented recovery process, and evidence that you can restore operations within a defined timeframe. Having backups is not the same as having tested backups; the ECC expects both, and "tested" means an actual restore of real data to a working state, not a green tick in the backup console.
One of the most common findings in Saudi SME assessments is a resilience gap: organisations that have backup systems configured but have never tested whether a full recovery works. Discovering this during an incident is far more expensive than discovering it during an assessment.
How to Approach Compliance Practically
The most common mistake is treating ECC compliance as a one-time project rather than an ongoing posture. A workable sequence for an SME is:
- Gap assessment — understand where you currently stand against the ECC controls, documented formally
- Prioritised remediation — address high-risk gaps first, using a phased roadmap that's realistic for your budget and team
- Documentation — ensure all controls have written policies and evidence of implementation
- Periodic review — reassess your posture at least annually, and after any significant system change, new supplier, or security incident
ECC compliance isn't about achieving a perfect score on day one. It's about being able to demonstrate, to a client, regulator, or insurer, that you understand your security posture and have a credible, evidenced plan to manage it. That starts with knowing where you stand, which is exactly what a formal gap assessment provides.