NCA ECC, Framework Overview
ECC-2:2024 in one map: four domains, 28 subdomains, 108 controls, Saudi Arabia's mandatory cyber baseline.
▶ Explore it interactively: open the interactive framework map to drill from any domain into its subdomains and the exact controls, what to implement, and why.
The Essential Cybersecurity Controls are published by Saudi Arabia’s National Cybersecurity Authority (NCA). They are the country’s minimum cybersecurity baseline, mandatory for government bodies and entities owning or operating Critical National Infrastructure, and strongly encouraged for everyone else. This page reflects the current edition, ECC-2:2024.
Everything hangs off a strict hierarchy: Domain → Subdomain → Main Control → Subcontrol. ECC-2:2024 has 4 domains, 28 subdomains, 108 main controls, and 92 subcontrols. Learn the four domains and their weight, Defence alone carries 15 of the 28 subdomains, and the rest of the framework slots into place.
| # | Domain | What it covers | Subdomains |
|---|---|---|---|
| 1 | Governance | Strategy, risk, roles, compliance, people | 10 |
| 2 | Defence | Technical protection of assets, data, networks | 15 |
| 3 | Resilience | Cybersecurity inside business continuity | 1 |
| 4 | Third-Party & Cloud | Outsourcing, suppliers, hosting | 2 |
What changed from ECC-1:2018 → ECC-2:2024: the old Domain 5 (Industrial Control Systems) was removed, OT/ICS now lives in the NCA’s separate OTCC framework. So the count dropped from 5 domains / 29 subdomains / 114 controls to 4 / 28 / 108 (plus 92 subcontrols).
The common trap: treating ECC as a checklist of 108 items. It is a governance-led baseline, Domain 1 drives the other three. Skip governance and the technical controls have no owner, no risk basis, and no audit trail.