The Saudi NCA ECC module in Venvera provides a centralised compliance hub for the Essential Cybersecurity Controls (ECC-1:2018) published by the Saudi National Cybersecurity Authority (NCA). The ECC framework applies to all government entities, critical national infrastructure operators, and their suppliers within the Kingdom of Saudi Arabia.
Regulatory Background
The NCA issued the ECC to establish a minimum cybersecurity baseline across Saudi organisations. The framework comprises 114 controls organised into 5 main domains and 29 subdomains. Compliance is mandatory and subject to NCA audits.
| Domain | Subdomains | Focus |
|---|---|---|
| 1. Cybersecurity Governance | 6 | Strategy, policies, roles, risk management, compliance, and awareness |
| 2. Cybersecurity Defence | 8 | Asset management, IAM, data protection, cryptography, network security, mobile & email |
| 3. Cybersecurity Resilience | 4 | Business continuity, disaster recovery, vulnerability & threat management |
| 4. Third-Party Cybersecurity | 4 | Outsourcing, cloud, ICS/OT, and managed services |
| 5. Industrial Control Systems | 7 | ICS-specific governance, defence, resilience, and third-party controls |
Dashboard Metrics
The ECC dashboard shows your organisation's compliance posture at a glance:
- A percentage score calculated from all implemented controls weighted by domain. The circular gauge shows your current score with colour coding: red (<40%), amber (40-69%), green (70-89%), dark green (90%+).
- A bar chart showing compliance percentage per ECC domain. Hover over any bar to see the exact count of implemented vs total controls in that domain.
- A timeline of the latest control updates, evidence uploads, and assessment activities across your ECC programme.
- Controls with approaching review dates, pending evidence requests, and scheduled NCA audit milestones.
Getting Started
When you first enable the ECC module, Venvera automatically seeds all 114 ECC controls for your organisation. Navigate to the Controls page to begin assessing your implementation status, then run a Gap Assessment to identify priority areas.