NCA Saudi Arabia
May 25, 2026

NCA ECC Checklist: Score Your Readiness, No Sign-Up

Babar Khan Akhunzada

Most NCA Essential Cybersecurity Controls checklists are static spreadsheets you download, fill in once, and forget. This one scores your readiness instantly, with no form and no download, and shows you exactly where a checklist stops and a formal, NCA-registered assessment begins.

This is an interactive, use-it-now National Cybersecurity Authority Essential Cybersecurity Controls compliance checklist covering scope, all four ECC-2:2024 domains, the new NCNICC-1:2025 requirements for private companies, and the Saudization rule. Tick items as you go: the progress bar tracks your readiness, and each section tells you exactly what evidence auditors look for and the failure they most often find. Nothing is saved or sent anywhere; it runs entirely in your browser.

It is based on the NCA's official ECC-2:2024 document, distilled into the checkpoints that matter, so you do not have to read 100-plus pages of regulatory text to know where you stand. If you want the dense primary source, it is on the NCA's regulatory documents portal; this checklist is the readable version.

A point on what it is and isn't: this gives you the shape of ECC readiness, meaning the key checkpoints in each domain, not the full 108 controls. When you need an audit-ready answer, a formal gap assessment scores every applicable control and produces the evidence the NCA expects. New to the framework? Start with what the NCA is and the ECC 2:2024 requirements explained, then come back here to check yourself.

Interactive Checklist
NCA Essential Cybersecurity Controls Readiness
This is a self-check. For an audit-ready answer across all 108 controls, book a formal ECC gap assessment →
What auditors look for: A documented scope and applicability determination covering entity classification, the frameworks that apply, and the rationale for any framework deemed out of scope.
Most common failure: Private companies assuming the ECC does not apply to them and missing that NCNICC-1:2025 now brings non-CNI private sector entities into mandatory scope.
What auditors look for: Approved, dated cybersecurity strategy and policies; evidence the cybersecurity function is genuinely independent of IT; a maintained risk register; and records of periodic audit.
Most common failure: The cybersecurity function reports into IT, the exact conflict of interest the ECC governance domain is designed to prevent.
What auditors look for: Asset register, MFA configuration, dated access-review records, encryption and key-management evidence, backup restoration logs, and monitoring with real alerts and responses.
Most common failure: Logs are collected but never actively monitored, and access reviews are either not run on schedule or not documented; both surface immediately under assessment.
What auditors look for: A BCP/DR plan that accounts for cyber incidents, defined recovery objectives, dated test records, an incident response plan, and a penetration test report.
Most common failure: Continuity and incident response plans that exist on paper but have never been exercised against a cyber scenario.
What auditors look for: A supplier inventory, vendor assessment records, contracts with security terms, and cloud configurations demonstrating classification, tenant separation, and data return.
Most common failure: Critical cloud and SaaS vendors onboarded with no security assessment and no contractual cybersecurity requirements.
Want the Audit-Ready Answer?

This checklist shows you the key checkpoints. A formal ECC gap assessment scores every applicable control across all four domains and gives you a prioritised remediation roadmap — report in 2–3 weeks. SecurityWall is NCA-registered.

Book an ECC Gap Assessment →
What auditors look for: Your documented entity-class determination, evidence of the applicable controls, a completed self-assessment, and readiness for third-party audit.
Most common failure: Private companies unaware NCNICC-1:2025 applies to them at all, or treating a binding regulation as optional guidance.
What auditors look for: Evidence that cybersecurity roles are held by qualified Saudi nationals, supported by a workforce plan where roles are being transitioned.
Most common failure: Relying on offshore or expatriate security teams, or assuming the old senior-only rule still applies; ECC-2:2024 requires all cybersecurity roles to be filled by Saudi nationals.
This checklist covers the key checkpoints. Your ECC programme has 108 controls; book a formal gap assessment →

What Your Readiness Score Means

Your percentage is a self-read, not an assessment result: a checklist can confirm a control exists, but it cannot weight domains by audit scrutiny, score partial implementations, or judge whether your evidence would satisfy the NCA. Use the band below to decide your next step.

Pre-Assessment Summary: Where You Stand, and What to Do Next

| Readiness | What it means | Recommended next step |
| --- | --- | --- |
| Below 50% | Significant control gaps; not assessment-ready | Foundational remediation before a formal assessment |
| 50–75% | Core controls exist; specific domains need work | Targeted remediation, then a formal gap assessment |
| 76–90% | Largely in place; evidence and documentation gaps | Formal gap assessment to close the last items |
| Above 90% | Strong posture across the domains | Pre-audit validation, then maintain and monitor |

Wherever you land, a formal gap assessment converts a self-read into an evidence-backed position the NCA will recognise.

Official references

This checklist distils the NCA's primary documents into a usable format. The full regulatory text is published by the NCA — the Essential Cybersecurity Controls page and the complete ECC-2:2024 control document (PDF). They run to over a hundred pages of formal controls; this guide is the readable companion to them.

NCA-Registered · Report in 2–3 Weeks

From Self-Check to Audit-Ready.

SecurityWall is NCA-registered. Book a formal ECC gap assessment with our certified team — every applicable control scored across all four domains, a prioritised remediation roadmap, and the evidence the NCA expects. Report delivered in 2–3 weeks.

NCA-registered · OSCP, OSWE, CREST, CISM, and CISSP-certified team

Related reading:

For financial-sector organisations, the SAMA compliance service covers the second regulator you fall under. Offensive testing options include penetration testing, red teaming, and mobile app penetration testing.

Frequently Asked Questions

Is this NCA ECC compliance checklist free?

Yes, it is completely free, requires no sign-up, and saves nothing; it runs entirely in your browser. For an audit-ready answer across all 108 controls, SecurityWall's NCA-registered team runs formal ECC gap assessments with a report in 2–3 weeks.

Does this checklist cover all 108 ECC controls?

No. It covers the key checkpoints across all four domains plus NCNICC-1:2025 and Saudization, so you can understand the shape of your readiness. ECC-2:2024 has 108 main controls and 92 subcontrols; a formal gap assessment scores every applicable one.

What is the difference between this checklist and a formal gap assessment?

This is a self-guided overview. A formal gap assessment is a consultant-led engagement: control-by-control evaluation, evidence review, and a written remediation roadmap aligned to how the NCA assesses compliance. Most organisations self-check first, then commission an assessment.

Do private companies need to complete the NCNICC section?

If you are a non-CNI private sector entity in Saudi Arabia, NCNICC-1:2025 likely applies to you, so yes. Government entities and CNI operators follow the ECC and, where relevant, the CSCC instead.

How long does a formal NCA ECC gap assessment take?

SecurityWall typically delivers an ECC gap assessment report within 2–3 weeks, depending on organisation size and scope. The report covers every applicable control, prioritised gaps, and a remediation roadmap.

We are a financial company; do we also need SAMA compliance?

Most likely, yes. Financial-sector organisations are typically regulated by both the NCA and SAMA, and meeting one does not satisfy the other. SecurityWall runs NCA and SAMA programmes together so financial-sector clients cover both in one engagement.

Tags

NCA Saudi Arabia, Checklist, NCA ECC, Saudi Compliance, Saudi Arabia
About Babar Khan Akhunzada

Babar Khan Akhunzada leads security strategy and offensive operations. Babar has been featured in 25-Under-25 and has spoken at the premier conferences BlackHat, OWASP, and BSides.
