Compliance · Saudi Arabia

Meet NCA ECC, CCC and CSCC requirements on Cloudgenics images in-Kingdom.

The Saudi National Cybersecurity Authority (NCA) publishes the Essential Cybersecurity Controls (ECC), Critical Systems Cybersecurity Controls (CSCC) and Cloud Cybersecurity Controls (CCC) — a tiered national framework mandatory for government and critical infrastructure entities in the Kingdom.

About the framework

What is Saudi NCA Essential Cybersecurity Controls?

The NCA framework is enforced across Saudi government entities, critical sector operators and cloud service providers. The CCC targets cloud-hosted workloads with tiered controls. PDPL data residency adds further constraints.

Who it applies to

Saudi government ministries, critical national infrastructure operators (finance, energy, water, telecom, transport), and any cloud-hosted system classified Critical or above. Deployments into Google Cloud Dammam, Oracle Cloud Jeddah, AWS Bahrain and Alibaba Cloud Riyadh satisfy residency.

Cloudgenics mapping

How we satisfy Saudi NCA Essential Cybersecurity Controls

In-Kingdom image staging for Google Cloud Dammam and Oracle Cloud Jeddah
ECC, CSCC and CCC control catalogues mapped to image controls
PDPL-aligned data handling and cross-border transfer guardrails
SOC integration into NCA Haseen reporting workflows where required
Sovereign key custody options inside customer-controlled HSMs

Evidence model

What auditors get on day one.

Mapped control catalogue

Every Saudi NCA Essential Cybersecurity Controls requirement mapped to the Cloudgenics technical controls that satisfy it, with traceability.

Continuous evidence feed

Telemetry, configuration scans and audit logs streaming into a tamper-evident evidence store with retention aligned to the framework.

Walkthrough kit

Standardised auditor walkthrough materials — diagrams, run-books and policy templates — that fast-track the assessment.