NCA ECC-1:2018 Compliance — Audit, Remediation, Certification-Ready

Saudi Arabia's National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC-1:2018) are mandatory for government, public, and select regulated private entities. We deliver gap assessment, remediation, and audit-ready evidence packages aligned with all 5 ECC domains (Strategy, Defense, Resilience, Third Party, ICS).

Prices start at 14,999 SAR

The challenge

NCA ECC isn't optional for regulated KSA entities

NCA ECC-1:2018 covers 114 controls across 5 main domains and 29 sub-domains. Government entities, critical infrastructure operators, and increasingly private-sector firms with critical data must comply.

Failed audits trigger regulatory action and exclusion from government RFPs. Most internal teams underestimate the documentation requirement: ECC requires not just controls in place but evidence trails (policies, logs, audit reports, board approvals) for every control.

SKYLINE's SACS-210 (Aramco) experience is directly applicable — both frameworks share roots in NIST CSF, ISO 27001, and the same Saudi regulatory thinking. We deliver ECC compliance in 8-16 weeks depending on starting maturity.

Why SKYLINE

Why SKYLINE for your NCA ECC project

  • Active SACS-210 implementations for Aramco — proven framework expertise that maps directly to ECC controls.
  • Bilingual policy templates (Arabic + English) aligned with NCA expectations — pre-built and customizable.
  • Tooling included: SIEM, IAM, vulnerability management, asset inventory, log retention — leveraging Skyline OpenSec where appropriate to reduce TCO.
  • Audit-ready evidence trails: every control mapped to artifact location, owner, review cadence — generated automatically, not hand-built.

What you get

01 Gap assessment against all 114 ECC controls + scoring report
02 Remediation roadmap with priority, effort, and cost per control
03 Policy + procedure pack (29 documents, bilingual)
04 Technical control implementation: SIEM, vulnerability management, asset inventory, IAM, log retention
05 Audit-ready evidence packages per control domain
06 NCA pre-audit dry run + remediation of findings

Get a quote

Get an ECC gap assessment

High demand — typical 2-week response window

FAQ

Common questions.

Is my organization in scope for NCA ECC?
Mandatory: government entities, public-sector contractors, critical infrastructure (energy, water, telecom, finance, healthcare), and entities handling restricted-classification data. Many private firms also adopt voluntarily for procurement advantages and cyber insurance.

How does ECC relate to ISO 27001 / SAMA / SACS-210?
ECC is the floor mandated by NCA. ISO 27001 covers similar ground but with a broader, internationally recognized scope. SAMA is for the financial sector, and SACS-210 is Aramco-specific. We map controls across frameworks so a single implementation can satisfy multiple frameworks.

How long does full ECC compliance take?
Starting from low maturity: 12-16 weeks. Mid maturity (some ISO 27001 done): 8-10 weeks. High maturity (just gap-closing): 4-6 weeks.

Do I need to buy security tools or use SKYLINE's?
Either. We can integrate your existing stack (Splunk, CrowdStrike, etc.) or deploy ours (including Skyline OpenSec, our open-source SOC platform). The choice depends on your existing investments.

Who performs the actual NCA audit?
NCA-authorized audit firms perform the formal audit. We are not the auditor (that would be a conflict). We prepare your organization, run a pre-audit dry run, and remediate any gaps before the formal audit.

What's the ongoing cost after certification?
NCA ECC requires continuous compliance, not point-in-time compliance. Annual maintenance covers control monitoring, log review, policy updates, and pre-audit reviews — typically 25-35% of original project cost per year.