Saudi Arabia’s National Cyber Security – Updated Essential Cybersecurity Controls (ECC), ECC-2:2024


As digital threats change and digital environments evolve, Saudi Arabia’s National Cybersecurity Authority (NCA) has released its updated Essential Cybersecurity Controls (ECC), ECC-2:2024, supplementing its predecessor, ECC-1:2018. The new edition also reaffirms the Kingdom’s commitment to robust Cyber Security. ECC-2:2024 is mapped to international standards and is responsive to new technology, such as cloud infrastructure and industrial control systems, as well as legacy IT systems.

The NCA’s release is the result of a diligent examination of both global and national Cyber Security standards, incorporating best practice and lessons learned from previous Cyber Incidents targeting government departments and critical infrastructure. ECC-2:2024 aims to present a comprehensive set of controls that organizations can adopt to defend against existing as well as future threats.

Key Changes in ECC-2:2024

1. Enhanced Structure:

The ECC-2:2024 features a more streamlined architecture with 4 high-level domains, 28 subdomains, and 110 controls, reduced from the 5 domains, 29 subdomains, and 114 controls of the earlier edition. This redesign simplifies the use of the framework by prioritizing the most critical Cyber Security challenges.

2. Scope of Application:

The scope of the ECC-2 is the same as ECC-1, covering government entities in Saudi Arabia (ministries, authorities, establishments, subsidiaries, and affiliates) and the private sector entities operating critical national infrastructure. ECC-2, however, specifies that Relevant Governmental Entities are those within, as well as outside, Saudi Arabia, acknowledging the Kingdom’s expanding international investments.

Although the extra-territorial application of ECC-2 is confirmed, there is no clear guidance on the percentage of government ownership required for these controls to apply to subsidiaries and affiliates. Official guidance is expected to be released by the NCA in this regard.

3. Data Localization:

A significant change in ECC-2 is that it no longer mentions specific requirements to host data in-country. Data localization requirements are instead now the responsibility of the National Data Management Office (NDMO) in the Saudi Data and Artificial Intelligence Authority (SDAIA). Organizations are obliged to seek advice from the NDMO on data localization before making any move, and they must continue to follow the available regulations on the hosting of government data, including those related to confidentiality agreements.

4. Saudization Requirements:

Following broader nationalization plans, ECC-2 mandates that all cybersecurity jobs be filled by Saudi-trained professionals, a step up from ECC-1, which only asked for top-tier jobs to be filled by Saudi nationals. This modification is aimed at enhancing local talent and supporting the Kingdom’s competitive edge in cybersecurity.

5. Control Streamlining and Updates:

The new framework reduces the number of Cyber Security controls from 114 to 110, simplifying their implementation. A few controls have been revised to reflect current Cyber Security practices, and enhancements have been incorporated to deal with new threats efficiently. Further, the update consolidates redundant regulatory requirements, thereby lessening the compliance burden for organizations.

Implementation and Compliance – Consult SandBox Security

To enable compliance with the ECC-2, organizations must perform regular checks, which must involve self-assessments and on-site checks. To successfully navigate the complexities of ECC-2:2024 and bring your organization in line with the latest Cyber Security requirements, consult SandBox Security. Our expert guidance will walk you through assessing non-compliances, implementing best practices, and streamlining your compliance procedures. Protect your digital ecosystem and ensure the future of your business operations by partnering with our experienced Cyber Security professionals today!
