What Is the NCA ECC and Why Does It Matter for Cloud?

Saudi Arabia’s National Cybersecurity Authority (NCA) published the Essential Cybersecurity Controls (ECC) as the kingdom’s baseline cybersecurity framework for all government entities and critical national infrastructure operators. If your organisation operates in Saudi Arabia — in banking, energy, healthcare, government, or telecommunications — NCA ECC compliance is not optional.

What makes ECC particularly challenging for cloud adopters is that it was written with data sovereignty in mind. Several of its controls implicitly or explicitly require that sensitive data remain within the Kingdom of Saudi Arabia, that you maintain full visibility and control over your infrastructure, and that your cloud provider can demonstrate compliance with Saudi regulatory standards.

Hyperscaler cloud platforms — AWS, Azure, Google Cloud — have launched Saudi Arabia regions, but their shared-responsibility models, global support structures, and cross-border data flows create compliance gaps that many organisations only discover during an NCA audit.

NCA ECC: The Five Domains

The ECC framework organises controls into five core domains. Each has direct implications for how you architect your cloud environment.

1. Cybersecurity Governance (1-xx controls)

Requires executive accountability for cybersecurity, a formally documented cybersecurity programme, and defined roles and responsibilities. For cloud, this means you must be able to show that your cloud provider’s security posture falls within your governance structure — not just reference their ISO 27001 certificate and hope for the best.

2. Cybersecurity Defence (2-xx controls)

The largest domain, covering asset management, identity and access management, infrastructure protection, event logging, vulnerability management, and cryptography. Key cloud-specific requirements here include:

• Asset inventory must include all cloud-hosted assets
• Multi-factor authentication for all privileged access
• Encryption at rest and in transit using NCA-approved algorithms
• Centralised log management with tamper protection
• Vulnerability scanning of cloud workloads on a defined schedule

3. Cybersecurity Resilience (3-xx controls)

Business continuity and disaster recovery requirements that map directly onto your cloud architecture. NCA ECC requires documented and tested recovery plans with defined RPO and RTO targets. Your cloud provider must be able to support failover within Saudi Arabia — cross-border DR to a European or US region does not satisfy this control.

4. Third-Party and Cloud Computing Cybersecurity (4-xx controls)

This is the domain that catches most cloud adopters off-guard. Controls 4-1 through 4-3 specifically address cloud computing and require:

• Contractual guarantees of data residency within the Kingdom
• Right-to-audit clauses in cloud service agreements
• Documented exit strategy (no vendor lock-in without a transition plan)
• Cloud provider compliance with Saudi regulatory requirements

A global hyperscaler’s standard terms of service typically do not include right-to-audit provisions. Negotiating these clauses with AWS or Azure at enterprise scale can take six to twelve months and may still result in a limited-scope audit arrangement that does not fully satisfy NCA auditors.

5. Industrial Control Systems Cybersecurity (5-xx controls)

Applies to organisations operating OT/ICS environments — energy, water, manufacturing. If your SCADA or ICS components connect to cloud infrastructure, these controls define strict segmentation and access requirements.

The Three Compliance Gaps Hyperscalers Cannot Close

Gap 1: Right-to-Audit

NCA ECC Control 4-2 requires that cloud service agreements include audit rights. Hyperscalers operate at a scale where individual enterprise audits of physical infrastructure are not feasible. They offer third-party audit reports (SOC 2, ISO 27001) as proxies — but NCA auditors increasingly expect direct audit access to satisfy this control.

With a sovereign cloud provider operating dedicated infrastructure in Saudi Arabia, right-to-audit is a standard contractual provision, not an exception.

Gap 2: Data Residency Guarantees

Hyperscalers’ data residency commitments are contractual promises, not technical enforcements. Support escalations, metadata, telemetry, and training data for AI services may still flow outside the Kingdom depending on service configuration. NCA ECC requires data residency to be technically enforced, not merely contracted.

Gap 3: Incident Response Localisation

NCA ECC requires that security incidents be reported to CERT-SA within defined timeframes and that incident response capabilities be available within Saudi Arabia. Relying on a hyperscaler’s global incident response team — staffed across time zones with English as the primary working language — creates operational and regulatory risk.

NCA ECC Compliance Checklist for Cloud Environments

Use this checklist to assess your current cloud posture against NCA ECC requirements:

• ☐ Cloud service agreement includes explicit data residency within KSA
• ☐ Right-to-audit clause covers physical infrastructure, not just third-party reports
• ☐ All privileged access to cloud management plane is MFA-protected
• ☐ Encryption at rest uses AES-256; in transit uses TLS 1.2 or higher
• ☐ Centralised log retention meets NCA minimum (12 months online, 36 months archive)
• ☐ Vulnerability scanning cadence documented and evidenced (minimum quarterly)
• ☐ DR environment is within KSA — cross-border failover is not permitted for classified data
• ☐ Cloud provider can produce NCA-specific compliance documentation on request
• ☐ Exit strategy documented: data can be exported within 30 days
• ☐ Incident response SLA includes Arabic-speaking support and CERT-SA notification capability

How Sovereign Cloud Architecture Satisfies NCA ECC by Design

The controls above describe, almost exactly, the architecture of a purpose-built sovereign cloud: dedicated infrastructure in Saudi Arabia, contractual and technical data residency enforcement, right-to-audit in standard agreements, local incident response teams, and no cross-border data flows.

MomentumX deploys private and hybrid cloud infrastructure across UAE and Saudi Arabia. For Saudi enterprise customers, we provide:

• NCA ECC compliance documentation mapped to each control domain
• Right-to-audit as a standard contract provision — no negotiation required
• Data residency enforced at the network layer — not just in policy
• Arabic-speaking NOC and security operations team available 24/7
• CERT-SA incident notification support built into our managed security offering
• OpenStack-based infrastructure with no proprietary lock-in — full exit portability

What to Ask Your Cloud Provider

If you are evaluating cloud platforms for NCA ECC compliance, ask these questions before signing:

1. Can you grant us audit rights to physical infrastructure in Saudi Arabia? If the answer involves third-party reports only, that is a gap.
2. Where does your support team access our data from? Global support access to KSA-hosted data creates a residency risk.
3. What happens to our data if we terminate the contract? A 30-day certified deletion and export guarantee is the minimum.
4. Do you have a documented NCA ECC mapping? Providers serious about the Saudi market have this ready.

NCA ECC compliance in the cloud is achievable — but it requires a provider that was built for it, not one retrofitting compliance onto a global platform. For a detailed compliance walkthrough specific to your sector, contact the MomentumX team.

Related reading: SAMA Cloud Compliance 2026 | Run LLMs Inside Saudi Arabia | Sovereign AI vs Hyperscaler AI | AWS vs MomentumX | Azure vs MomentumX.