Compliance Reference

Saudi Compliance Frameworks: Sourced From the Regulators, Not From Blogs

Most Saudi compliance content is copied between consultancy decks and vendor pages, and a surprising amount of it is wrong in ways that matter: controls cited against the wrong domains, documents that do not exist, and precise-sounding figures the regulator never published. Every guide below was built from the regulator's own document. Where the regulator states no figure, we say so rather than inventing one.

NCA CCC-2:2024

Cloud Cybersecurity Controls

CCC-2:2024 deleted the in-Kingdom hosting mandate. 4 domains, 24 subdomains, separate Provider (P) and Tenant (T) control sets.

Read the guide
NCA ECC-2:2024

Essential Cybersecurity Controls

It is 108 main controls, not the 114 almost everyone still quotes. That figure is ECC-1:2018.

Read the guide
NCA CSCC-1:2019

Critical Systems Cybersecurity Controls

Where the NCA put its real numbers: 6-month pen tests, 3-month access reviews, 18-month log retention. ECC compliance is a prerequisite.

Read the guide
NCA OTCC-1:2022

Operational Technology Cybersecurity Controls

ECC-1's deleted ICS domain moved here. 47 controls, 122 subcontrols — and 92 of them sit in Cybersecurity Defense alone.

Read the guide
NCA SOC

Building a SOC to NCA Expectations

Logging is ECC 2-12 and incident management is 2-13 — not 2-10/2-11, which is the error repeated across the market.

Read the guide
SAMA CSF

SAMA Cyber Security Framework

There is no SAMA "Cloud Rulebook" and no Tier 1–4 RTO/RPO grid. The cloud pre-approval is real, though — CSF 3.4.3.4(a)(2).

Read the guide
ZATCA Phase 2

ZATCA Phase 2 E-Invoicing Integration

The self-billing invoice type code is 0100001. The 0211000 circulating online decodes to self-billed = 0, and it needs ZATCA's prior approval anyway.

Read the guide
SDAIA PDPL

Personal Data Protection Law

PDPL grants exactly five rights in Article 4. There is no right to object and no right to restriction — those are GDPR imports.

Read the guide
Aramco SACS-002

Aramco Third Party Cybersecurity Standard

92 controls, TPC-1 to TPC-92. Includes a diff of the retired 2020 issue (86 controls) against the current 2022 issue.

Read the guide

How we work with these frameworks

We design and operate infrastructure — data centre, network, security, hosting — to these controls, including an in-Kingdom region in Dammam powered by Google Cloud. No vendor can make you "fully compliant": several controls are structurally yours alone and cannot be carried by a provider. What we can do is build the infrastructure and produce the evidence an assessor actually asks for.