NCA ECC-2 2024 Unveiled: Navigate Updates with TCG
About NCA
The National Cybersecurity Authority (NCA) was established in 2017 by The Royal Order that links it directly to His Majesty, King Salman bin Abdulaziz Al Saud, to be the national authority in charge of cybersecurity in the Kingdom, and the national reference in all its affairs.
NCA aims at strengthening cybersecurity to safeguard the State’s vital interests, national security, critical infrastructures, priority sectors, and government services and activities. NCA’s statute defines cybersecurity as “The protection of networks, information technology systems, and operational technology systems, including hardware and software, services provided thereby, and data included therein, against hacking, disruption, modification, unauthorized access, and unlawful exploitation or use. Cybersecurity includes information security, electronic security, digital security, and the like”.
The NCA in Saudi Arabia has introduced an updated version of the Essential Cybersecurity Controls (ECC) for 2024. This revised set of ECC requirements is a critical regulatory milestone for organizations operating within the Kingdom, reinforcing cybersecurity defenses to align with evolving threats and regulatory expectations.
| | NCA ECC–1:2018 | NCA ECC–2:2024 |
|---|---|---|
| Main domains | 5 | 4 |
| Subdomains | 29 | 28 |
| Controls | 114 | 108 |
NCA ECC–2:2024 domains
Figure 1: Main domains of ECC
- Cybersecurity Governance
This domain aims to establish policies and guidelines and to define roles and responsibilities. It also covers raising awareness and training employees.
- Cybersecurity Defense
This domain aims to enhance security practices and procedures to protect against cyber-attacks.
- Cybersecurity Resilience
This domain aims to enable entities to manage their business and recover from disasters, and to enhance the flexibility of systems and the ability to restore them.
- Third-Party and Cloud Computing Cybersecurity
This domain aims to ensure safe dealings with external parties and reduce external risks.
NCA ECC–2:2024 enhancements
The updated version of the NCA ECC includes:
- Remove all controls related to the cybersecurity of industrial systems.
- Modify controls by deleting 3 controls, enhancing 15 controls and adding one control.
- Modify the scope of the controls.
- Modify terms and conditions.
Benefits of the Changes for Organizations
- Updated Terms and Conditions:
  - Ensures organizational policies and procedures are aligned with the latest regulatory requirements.
  - Helps organizations avoid penalties or non-compliance issues by adhering to the updated terms.
  - Demonstrates a proactive approach to cybersecurity governance.
- Deleted Domain 5:
  - Streamlines the framework by removing redundant or outdated security controls.
  - Allows organizations to focus resources on the most critical cybersecurity priorities.
  - Reduces the administrative burden of implementing and maintaining unnecessary controls.
- Adjusted Controls:
  - Aligns the framework with current industry best practices and evolving threat landscapes.
  - Ensures the security controls are effective in mitigating contemporary cyber risks.
  - Improves the overall efficacy of the cybersecurity program.
- Enhanced Security Protocols:
  - Bolsters the organization’s ability to detect, respond to, and recover from cyber incidents.
  - Reduces the likelihood and impact of successful cyber attacks.
  - Enhances customer and stakeholder confidence in the organization’s security posture.
By implementing the updated NCA ECC-2 framework, organizations in Saudi Arabia can experience benefits such as:
- Stronger overall cybersecurity posture and reduced risk exposure
- Improved compliance with evolving regulatory requirements
- Streamlined security operations and better resource allocation
- Increased resilience against emerging cyber threats
- Enhanced brand reputation and customer trust
The revisions to the framework demonstrate the NCA’s commitment to staying current with cybersecurity best practices and ensuring organizations in Saudi Arabia are equipped to protect their digital assets effectively. Implementing the updated NCA ECC-2 directives can provide a significant competitive advantage for Saudi organizations.
How TCG Supports Compliance with ECC-2 2024
TCG stands ready to assist organizations in adapting to and complying with ECC controls through a suite of comprehensive services:
- Gap Analysis and Assessment: TCG experts conduct thorough assessments to identify gaps between your current cybersecurity practices and the ECC-2 2024 requirements. This crucial first step helps prioritize areas needing immediate attention.
- Customized Cybersecurity Framework Implementation: Leveraging ECC-2 2024 requirements, TCG designs and implements customized cybersecurity solutions tailored to the specific needs and risk profiles of your organization.
- Third-Party Management: With enhanced focus on third-party risks, TCG offers robust vendor management strategies and solutions.
- Training and Awareness Programs: TCG develops targeted training programs to enhance the cybersecurity skills of your workforce, aligning with ECC-2’s emphasis on human factors in cybersecurity resilience.