Saudi NCA ECC & OTCC Compliance: An Executive Guide for Getting Audit-Ready

21.01.2026 6 min.

Saudi Arabia’s National Cybersecurity Authority (NCA) frameworks set a minimum, enforceable cybersecurity baseline for organizations that run public services, critical national infrastructure, and high-impact digital operations.

Two documents matter most for regulated organizations:

  • ECC-2:2024 (Essential Cybersecurity Controls): the baseline across governance, defense, resilience, and third-party/cloud security.
  • OTCC-1:2022 (Operational Technology Cybersecurity Controls): an extension for OT/ICS environments, scaled by facility criticality.

This guide explains what each framework covers, who is in scope, how audits are evidenced, and how to roll out compliance without turning the program into a documentation exercise.

ECC-2:2024 at a glance

Who is in scope

ECC applies to:

  • Government agencies in KSA (and affiliated entities, inside or outside the Kingdom)
  • Private sector entities owning, operating, or hosting Critical National Infrastructures (CNIs)

NCA also encourages other organizations to leverage ECC to improve cybersecurity posture, even when not mandated.

How ECC is structured

ECC-2:2024 consists of:

  • 4 main domains
  • 28 subdomains
  • 108 main controls
  • 92 sub-controls

The domains are:

  1. Cybersecurity Governance
  2. Cybersecurity Defense
  3. Cybersecurity Resilience
  4. Third-Party and Cloud Computing Cybersecurity

ECC is explicit that not every control applies equally to every organization. Each entity must comply with all applicable controls, and applicability can vary (for example, cloud controls apply to entities using or planning to use cloud/hosting services).

How compliance is evaluated

NCA can evaluate compliance through:

  • Self-assessment by the entity
  • Periodic reports from the compliance tool
  • Field auditing visits

NCA also issues an ECC-2:2024 Assessment and Compliance Tool to organize assessment and measure compliance. The practical implication is straightforward: implementation can be phased, but evidence cannot be deferred. If a control is “in place,” you must be able to prove it.

OTCC-1:2022 at a glance (for OT/ICS environments)

What OTCC covers

OTCC raises cybersecurity levels for OT systems by setting minimum requirements to protect Industrial Control Systems (ICS) from cyber threats that can cause operational impact. It is positioned as aligned with international standards and as an extension to ECC.

OTCC contains:

  • 4 main domains
  • 23 subdomains
  • 47 main controls
  • 122 sub-controls

Who is in scope

OTCC applies to ICS in facilities deemed critical, owned or operated by government organizations or by private-sector organizations owning, operating, or hosting CNIs (in the Kingdom or abroad).

OTCC includes a key operational constraint: applicable controls must be implemented after ensuring implementation does not jeopardize continuity of operations.

ECC prerequisite and OTCC compliance mechanisms

OTCC states that compliance with the Essential Cybersecurity Controls (ECC-1:2018) is a mandatory prerequisite. In program terms, treat ECC compliance as the foundation OTCC builds on.

NCA evaluates OTCC compliance through self-assessment and/or audit field visits by NCA or designated third parties. NCA also issues:

  • an OTCC Assessment and Compliance Tool
  • an OTCC Facility Level Identification Tool (to assign appropriate levels)

Facility levels (L1–L3): phased implementation by criticality

OTCC defines three control levels (L1–L3) dependent on criteria such as service availability impact, HSE impact, and potential national economic/security/social impact.

Control volume scales by level:

  • L1: 151 controls/sub-controls (includes L2 and L3)
  • L2: 117 controls/sub-controls (includes L3)
  • L3: 56 controls/sub-controls

This is OTCC’s “phasing” model: you implement the correct level per facility, based on criticality, and you document the basis for that decision.

The compliance reality: phased rollout, immediate proof

The fastest way to misunderstand NCA frameworks is to treat them like static checklists. They require an operating model. Because compliance can be evaluated through tools, reports, and audits, the program must be built so that controls produce evidence continuously, not as a one-off document sprint.

A credible compliance posture has three attributes:

  1. Clear applicability decisions (what applies, what doesn’t, and why)
  2. Implemented controls mapped to owners and processes
  3. Repeatable evidence (reports, logs, approvals, test results)

A practical rollout roadmap

Step 1: Confirm scope and regulatory posture

Confirm whether you are in ECC scope (government or CNI owner/operator/host). Confirm whether you operate ICS in critical facilities (OTCC scope). Confirm cloud/hosting usage that triggers binding cloud controls. The outcome should be a written scope statement agreed by security, IT, OT, procurement, and leadership.

Step 2: Build the “Statement of Applicability” discipline

ECC recognizes that applicability varies by entity and technology usage. Turn this into a formal compliance habit:

  • Map systems and services to ECC/OTCC subdomains
  • Mark controls as applicable/not applicable with rationale
  • Identify compensating controls where required
  • Assign owners and timelines

This is one of the highest-leverage moves for audit readiness.

Step 3: Implement ECC foundations (governance, then defense, then resilience)

ECC’s own domain structure defines what “foundation” means. Governance is a full domain (strategy, policies, roles, risk, compliance, audit cadence, HR security, awareness). Defense typically includes asset management, IAM, network security, vulnerability management, logging/monitoring, and incident handling. Resilience and third-party/cloud security complete the baseline.

Step 4: Classify OT facilities and apply OTCC level requirements

Use the OTCC Facility Level Identification approach to assign L1–L3 levels, then implement OTCC controls appropriate to each facility, while respecting OT constraints and avoiding operational disruption.

Step 5: Operationalize evidence so audits become routine

Build an evidence register from day one:
Control → Owner → System/Process → Evidence Artifact → Review Frequency.
This removes ambiguity and forces teams to treat evidence as an operational output.

The audit-ready evidence pack (what “good” looks like)

ECC evidence essentials

  • Governance: approved strategy, policies/procedures, roles and responsibilities, review/audit cadence, awareness/training records
  • Risk and compliance: risk methodology and register, applicability rationale (including cloud decisions), exceptions and approvals
  • Defense: IAM enforcement evidence (including MFA coverage where required), vulnerability management outputs, monitoring/logging reports, incident tickets/runbooks
  • Resilience: BCP/DR artifacts and test results
  • Third-party/cloud: supplier due diligence, contractual security clauses, access boundaries, periodic supplier reviews, cloud isolation/segmentation evidence

OTCC evidence essentials (in addition to ECC)

  • Facility level determination records and resulting control scope
  • OT zoning/segmentation design and remote access governance
  • OT change management evidence aligned with safety and availability constraints
  • OT backup/recovery evidence and resilience testing appropriate to OT operations
  • Monitoring evidence tuned for OT protocols and operational priorities

Common pitfalls (and how to avoid them)

  1. Treating “applicability” as a narrative instead of a controlled decision with owners
  2. Building OTCC in isolation from ECC (OTCC is meant to build on the ECC baseline)
  3. Implementing OT controls without operational safety governance and continuity safeguards
  4. Leaving evidence late or relying on slides instead of system-generated proof

How UDV Technologies typically supports ECC/OTCC programs

For organizations that need speed and defensibility, the most effective path is:

  • A rapid ECC/OTCC applicability and gap assessment
  • A prioritized remediation roadmap tied to owners and evidence
  • Hands-on implementation support across identity security (IGA/PAM), monitoring, and OT segmentation so controls become operational and auditable

Disclaimer

This guide is informational and does not constitute legal advice. Always confirm applicability and assessment expectations with NCA guidance and sector regulator requirements.
