NCA ECC-1 deep-dive: what KSA AI vendors actually need to comply with in 2026

Why ECC sits where it does

NCA ECC is the single document a Saudi government CISO will hand you on the first call if you are trying to sell into a ministry, an authority, a state-owned enterprise, or a critical-infrastructure operator. It is published by the National Cybersecurity Authority, the executive body created by Royal Order in 2017 with regulatory authority over cybersecurity across government and the national critical sectors.[5] ECC-1 v1.0 was issued in 2018 as the baseline standard.[1]

In 2024, NCA published a new standard, ECC-2:2024, that supersedes ECC-1:2018. ECC-2 is the operative document a 2026 KSA buyer will hold you to.[2] Key changes documented in NCA’s announcement and legal-sector briefings include a reduced overall control count, structural reorganization, and expanded Saudization expectations across cybersecurity positions.[2][6]

The controls are not optional. For in-scope entities — every government body, every critical-infrastructure operator (energy, water, telecom, transport, health, financial) — implementation is mandatory. The entities push the obligations down to their vendors through procurement clauses. If you are a foreign AI vendor selling into the Kingdom in 2026, your contract will require you to demonstrate ECC compliance, even if you are not directly regulated by NCA.

This is the layer most vendors underestimate. ISO/IEC 27001 and SOC 2 are necessary, but they are not sufficient. ECC has Saudi-specific requirements that those frameworks do not cover.

ECC-1:2018 — the historical baseline

ECC-1:2018 was organized into five main domains across 29 subdomains and 114 total controls.[1] The five domains were:

  1. Cybersecurity Governance
  2. Cybersecurity Defense
  3. Cybersecurity Resilience
  4. Third-Party and Cloud Computing Cybersecurity
  5. Industrial Control Systems (ICS) Cybersecurity

The exact per-domain control counts vary across consultancy summaries; the NCA PDF is the only authoritative source, so practitioners should pull the per-domain breakdown from it directly rather than relying on third-party tables.[1] The phrasing in our audit-log glossary entry and incident-response glossary entry maps directly to the ECC logging and incident-management controls.

Most AI vendors selling to KSA touch the governance, defense, resilience, and third-party domains. The ICS domain matters only if you are selling to an OT environment — an oil-and-gas operator, a power utility, a water utility, a refinery — in which case it is non-negotiable and you need OT security expertise on the team.

ECC-2:2024 — what changed

ECC-2:2024 replaced ECC-1:2018 as the operative NCA Essential Cybersecurity Controls standard. The widely reported headline changes, per the NCA-published PDF and legal/consultancy briefings, are the three already noted: a reduced overall control count, structural reorganization, and expanded Saudization expectations across cybersecurity positions.[2][6]

The practical implication for vendors: a 2026 compliance program should be designed against ECC-2:2024, with ECC-1 referenced only for historical context. If a procurement questionnaire still names ECC-1, the customer security team will accept ECC-2:2024 evidence — the converse is not true.

ECC reads as if all controls are mandatory for in-scope entities, and at the entity level that is correct. What is mandatory for you as a vendor depends on what data you touch and what role you play in the customer’s environment.

The framing below is Annota8’s editorial structuring of how ECC controls land in practice on a vendor — it is not NCA terminology. NCA’s own applicability statements live in the ECC PDF itself.[1][2]

Cross-reference our ZTNA glossary entry and the HSM glossary entry for the technical detail.

Where foreign AI vendors usually fail

Five gaps recur in conversations with KSA buyer security teams. None of them is unsolvable, but each requires deliberate operational design — they cannot be retrofitted in a week before a procurement deadline.

Gap 1 — Personnel security for privileged staff. ECC personnel-security controls require background and identity verification appropriate to the role. For KSA-resident staff this typically uses Absher and adjacent national systems. For staff resident outside the Kingdom, the vendor needs verifiable checks from the staff member’s country of residence in line with the customer’s policy. ECC-2:2024 also expanded the Saudization expectation to cover all cybersecurity positions, not only senior ones — material for any vendor planning a KSA delivery team.[6]

Gap 2 — 24x7 SOC with documented evidence. A SOC tool subscription is not a SOC. NCA auditors expect tickets, shift rosters, escalation runbooks, mean-time-to-detect and mean-time-to-respond metrics, and a named analyst on call at any hour. See our SOC glossary entry. A small AI vendor can satisfy this through a managed-detection-and-response partner — there are several Saudi MSSPs and a handful of regional ones with the right footprint — but the contract has to be in place and the evidence has to have history. Six months of SOC tickets carries more weight than a license renewal dated last week.

Gap 3 — Timely breach notification to NCA. NCA operates a Cyber Incident Response framework with a dedicated reporting portal; in-scope entities are required to notify NCA via the portal, and vendors inherit the obligation through customer contracts.[7] Specific timelines vary by sector and incident classification — practitioners should read the applicable sectoral directive rather than treat any single number as a universal SLA. PDPL adds a separate 72-hour notification to SDAIA for personal-data breaches; the timelines are different and you may have to fire both.[3] Coordinating the two is the single hardest tabletop exercise foreign vendors run.

Gap 4 — HSM-backed key custody. ECC cryptography controls reference NCA’s National Cryptographic Standards (NCS-1:2020) for approved cryptographic standards. NCS-1 is where HSM expectations and FIPS 140-2/140-3 Level 3 surface for advanced or high-assurance use cases — vendor and NCA-aligned guidance commonly cite Level 3 HSM-backed key custody for high-classification workloads.[8] Software key vaults do not pass. Cloud KMS satisfies this only if the underlying HSM has the right certification and the customer accepts the cloud model — many KSA customers do not, for high-classification workloads. Vendors selling into critical infrastructure typically end up either using an in-Kingdom cloud region’s HSM service or running their own HSM on customer premises. Our HSM glossary entry covers the practical procurement notes.

Gap 5 — Network segmentation and IAM that survives an audit. ECC expects segmented network zones with documented flows, role-based access with periodic recertification, MFA for privileged access, and audit logs retained for a defined period. See our IAM glossary entry. Most cloud-native AI vendors have flat networks and IAM roles that grew organically. The remediation work — drawing zones, writing flow policies, recertifying every privileged role, enabling MFA universally — typically takes a full quarter for a 50-person company.

A note on maturity scoring

ECC does not publish a formal 1–5 maturity scale in the public ECC-1 or ECC-2 text — the formal six-level (0–5) cyber-security maturity model used in KSA financial-sector compliance work belongs to SAMA’s Cyber Security Framework, the central bank’s framework, not to NCA ECC.[9] If you see a vendor gap-assessment scoring ECC controls on a 1–5 scale, treat it as the consultancy’s editorial scoring lens, not an NCA artifact. For a procurement-grade self-assessment, score against the literal ECC control text and document evidence per control rather than a synthetic level.

For a small vendor, the right question is not “how do I hit Level 5” but “where are my gaps that will fail a procurement audit, and how do I close them in the next six months.”

How ECC interacts with SAMA CSF, NDMO, and PDPL

ECC is the baseline. Sector-specific frameworks stack on top.

SAMA CSF (Cybersecurity Framework) is the central bank’s framework for financial-sector entities — banks, insurers, payment companies, fintechs under SAMA. SAMA published its Cyber Security Framework v1.0 in May 2017; it is mandatory for SAMA-regulated entities and structurally similar to NIST CSF and ISO 27001 with finance-specific controls.[10] A vendor selling to a Saudi bank must demonstrate ECC compliance and SAMA CSF compliance for the financial-sector controls. See our SAMA CSF glossary entry.

NDMO governs data classification and management. The data category determines which controls apply, where the data may be processed, and whether cross-border transfer is even legal. The exact classification labels should be matched against the NDMO Data Management standard directly before any contractual claim — public summaries vary in label choice. See NDMO data classification glossary.

PDPL governs personal data specifically. ECC covers cybersecurity; PDPL covers privacy. The two overlap in incident notification and access control but the obligations are distinct. PDPL imposes a 72-hour notification to SDAIA for personal-data breaches, with administrative fines up to SAR 5 million (doubled for repeats) and criminal liability up to two years’ imprisonment plus SAR 3 million for intentional disclosure of sensitive personal data.[3] See PDPL compliance and our PDPL 2026 deep-dive.

NIST CSF is what most foreign vendors come in already aligned to. ECC maps reasonably well to NIST CSF, and you can use the mapping as a starting point — but treat it as a starting point only. The Saudi-specific requirements (Saudization, processing-location rules under NDMO, NCA notification channels, NCS-1 cryptographic standards, Arabic-language documentation in some cases) are not in NIST CSF. See our NIST CSF glossary entry.

What to implement first: a practical sequence

If you are starting from a NIST-CSF / ISO 27001 / SOC 2 baseline and you have a 6-month runway to a KSA contract, this is a defensible sequence:

  1. Month 1 — Gap assessment against ECC-2:2024. Map your existing controls to the published ECC-2:2024 control set and identify the gaps. Plenty of Saudi consultancies do this; you can also do it internally if you have a security lead with KSA experience.
  2. Month 1–2 — Governance and policy refresh. Update your information security policy, your acceptable use, your access policy, your incident response policy, and your supplier security policy to explicitly reference ECC-2:2024 and to satisfy the documentation evidence requirements.
  3. Month 2–3 — Identity, access, and MFA. Get to MFA-everywhere, role-based access, periodic recertification, and privileged-access logging. This is the highest-leverage Tier-1 work and clears multiple controls at once.
  4. Month 3–4 — SOC and logging. Either build a 24x7 SOC capability or contract one. Configure logging to satisfy retention and audit requirements. Start collecting evidence — tickets, runbook executions, MTTD/MTTR metrics — because evidence with history matters more than fresh evidence.
  5. Month 4–5 — Encryption, key management, HSM. Inventory all cryptographic operations, move keys to an NCS-1-aligned HSM configuration, document the key-management lifecycle. This is where many vendors discover they need a cloud-region or on-prem HSM that they did not budget for.
  6. Month 5–6 — Incident response, breach notification, third-party. Run a tabletop with the NCA portal-reporting flow and the 72-hour PDPL SDAIA notification clock. Update your vendor risk management to push ECC obligations to your sub-processors. Prepare the procurement evidence pack.

This is a compressed schedule. Nine months is more realistic; twelve is comfortable. The vendors who hit it in six were already at SOC 2 Type II with a mature security org going in.

For the procurement-side deliverables, see our security questionnaire response template and the government tender response playbook.

How this lands for an AI annotation and data-ops vendor

ECC was not written with AI annotation in mind, and that creates two specific challenges. First, annotation workforces are distributed and often international — personnel-security checks for every privileged annotator are a real cost, and ECC-2:2024’s expanded Saudization expectation tightens the local-talent requirement.[6] Second, training data is frequently sensitive under NDMO classification, which can drive processing-location requirements that put parts of the work physically inside the Kingdom. The hybrid model — Cairo for Public / Internal data, KSA for Confidential and above — is the operationally honest answer.

How Annota8 is approaching this

Annota8 is in early-stage operations. We are not certified against ECC (and ECC is not a certification framework in the ISO sense — there is no NCA-issued certificate to hold up). Our approach is to design the workforce, data flows, and incident-response patterns toward the ECC-2:2024 control set, and we will share a gap-remediation roadmap with any KSA customer that requests it. This post is a practitioner’s reading of ECC-1:2018 and the superseding ECC-2:2024, not a regulatory filing.

References

  1. National Cybersecurity Authority, Essential Cybersecurity Controls (ECC – 1: 2018). NCA official PDF — https://nca.gov.sa/ecc-en.pdf. Regulatory documents landing — https://nca.gov.sa/en/regulatory-documents/controls-list/ecc/.

  2. National Cybersecurity Authority, Essential Cybersecurity Controls (ECC – 2: 2024). NCA official PDF — https://cdn.nca.gov.sa/api/files/public/upload/86e09090-44e4-481f-bc28-355673607654_ECC—2024-EN.pdf.

  3. Saudi Data and Artificial Intelligence Authority (SDAIA), Personal Data Breach Procedural Guide — https://sdaia.gov.sa/en/SDAIA/about/Documents/PersonalDataBreachIncidents.pdf. PDPL administrative fines, criminal-liability provisions, and the 72-hour SDAIA notification window are summarized in SDAIA guidance and the PDPL implementing regulations.

  4. National Data Management Office (NDMO) data management and personal data protection standards — referenced via SDAIA / NDMO published frameworks. Practitioners should pull the exact classification scheme labels from the NDMO standard before contractual claims.

  5. National Cybersecurity Authority “About” page and Saudipedia entry — NCA established by Royal Order No. 55775 dated 23/8/2017, statute by Royal Order No. 6801 dated 31/10/2017.

  6. Clyde & Co, Saudi Arabia’s Essential Cybersecurity Controls (January 2025) — https://www.clydeco.com/en/insights/2025/01/saudi-arabia-essential-cybersecurity-controls. CyberArrow, NCA ECC-2:2024 — a comprehensive update — https://www.cyberarrow.io/blog/nca-ecc-2-2024-a-comprehensive-update/. Library of Congress, Saudi Arabia: National Cybersecurity Authority Issues New Regulations (Feb 2024) — https://www.loc.gov/item/global-legal-monitor/2024-02-04/saudi-arabia-national-cybersecurity-authority-issues-new-regulations-instructions-and-procedures-to-enhance-cybersecurity-readiness/.

  7. National Cybersecurity Authority — Report an Incident: https://nca.gov.sa/en/report-incident/. Cyber Incident Response service: https://nca.gov.sa/en/services/cyber-incident-response/. Specific notification timelines vary by sector and incident classification — practitioners should read the applicable sectoral NCA directive.

  8. Entrust, NCA compliance standards: impact on resilience, growth, prosperity to Saudi cyberspace (November 2025) — https://www.entrust.com/blog/2025/11/nca-compliance-standards-impact-on-resilience-growth-prosperity-to-saudi-cyberspace. NCA National Cryptographic Standards (NCS-1:2020) is the document referenced by ECC for approved cryptographic standards; FIPS 140-2/140-3 Level 3 HSM expectations are surfaced in NCS-1-aligned vendor guidance for advanced and high-assurance use cases.

  9. Saudi Central Bank (SAMA), Cyber Security Maturity Model (six-level, 0–5) — Rulebook section 2.4: https://rulebook.sama.gov.sa/en/24-cyber-security-maturity-model-0. SAMA Cyber Security Framework Rulebook: https://rulebook.sama.gov.sa/en/cyber-security-framework-3.

  10. Saudi Central Bank (SAMA), Cyber Security Framework v1.0, May 2017 — https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf.