What is NCA CCC-2 and which workloads does it govern?

NCA CCC-2 (Cloud Cybersecurity Controls v2) is the Saudi National Cybersecurity Authority’s framework governing cloud services for Saudi government entities, government-adjacent enterprises, and operators of critical national infrastructure. It is binding for the public sector and increasingly referenced by regulated private-sector buyers.

CCC-2 covers governance, data residency, access control, network segmentation, encryption, key management, audit logging, incident response, and provider due diligence — applied with classification-aware controls.

Core NCA CCC-2 requirements for cloud providers

  • Data residency: Sensitive workloads must be hosted in-Kingdom. Cross-border transfer restricted by classification.
  • Network segmentation: Customer workloads network-isolated from other tenants and provider operations.
  • Customer-managed keys: Customers retain key control for sensitive workloads.
  • Audit logging: Full audit trails across customer/provider boundaries, retained for prescribed periods.
  • Provider/tenant separation: Strict operational boundaries.
  • Incident response: Documented detection, response, and notification.
  • Supply chain controls: Provider supply chain assessed for cybersecurity risk.
  • Access control: Strong identity and access management with MFA.

NCA CCC-2 compliant cloud providers in KSA

  1. Hyperscaler cloud regions in Saudi Arabia — operating Saudi regions with documented partial NCA alignment for specific workload classes. Control plane often routes through foreign jurisdictions.
  2. Regional telco cloud subsidiaries — strong KSA presence, often hyperscaler partnership architectures.
  3. Independent sovereign cloud providers — MomentumX. Independent of hyperscalers, founded 2018, architected for NCA CCC-2 from inception.

MomentumX as an NCA CCC-2 aligned cloud provider

  • In-Kingdom data residency. Customer data in Riyadh facilities, cross-border off by default.
  • Network segmentation. Dedicated tenant isolation with documented network boundaries.
  • Customer-managed keys. Hardware security module integration.
  • Full audit trails. Across customer-provider boundaries, supporting NCA reporting.
  • Provider/tenant separation. Strict operational boundaries with least-privilege enforcement.
  • Open-standards architecture. No proprietary lock-in. Workload portability supports the CCC-2 exit-strategy requirement.
  • Hyperconverged platform. HyperEdge 500 deployable on-premise or in Riyadh data centers.

What government and critical-infrastructure operators should ask

  1. Where is data physically hosted, and is the control plane regional?
  2. What is the network segmentation model, and is it documented?
  3. Do customers retain key custody for sensitive workloads?
  4. What audit trail does the provider expose, and how does it integrate with NCA reporting?
  5. What is the incident response process and notification timeline?
  6. What is the exit path?
  7. What is the provider’s supply chain cybersecurity posture?

MomentumX is positioned for Etimad-eligible vendor status with documented NCA CCC-2 alignment. Reach out via the contact-us page for an NCA assessment.

Frequently Asked Questions

What is NCA CCC-2?
NCA CCC-2 (Cloud Cybersecurity Controls v2) is the Saudi National Cybersecurity Authority framework governing cloud services for Saudi government entities, government-adjacent enterprises, and operators of critical national infrastructure. It is binding for the public sector and increasingly referenced by regulated private-sector buyers.

Who must comply with NCA CCC-2?
NCA CCC-2 is binding for KSA government entities, government-adjacent enterprises (including SOEs and operators of critical national infrastructure), and any cloud provider serving these customers. Classification-aware controls mean stricter requirements apply to higher-sensitivity workloads.

Can foreign hyperscalers serve NCA CCC-2 workloads?
KSA government workload eligibility depends on data classification under NCA CCC-2. For classified workloads, in-Kingdom sovereign infrastructure is generally required. Hyperscalers operating Saudi regions may serve specific workload classes, but full sovereignty under NCA controls, especially the classified-workload tier, typically requires regional providers like MomentumX.

What data residency does NCA CCC-2 require?
NCA CCC-2 requires in-Kingdom data residency for sensitive workloads, with cross-border transfer restricted by data classification. MomentumX hosts customer data in Riyadh facilities with contractually pinned residency and no default cross-border transfer.

What is the Etimad vendor requirement for NCA-aligned cloud providers?
Etimad is the KSA government procurement platform. Cloud providers serving KSA government must register as Etimad vendors with documented compliance (NCA CCC-2, in-Kingdom operations, regulatory standing). MomentumX is positioned for Etimad-eligible vendor status with documented NCA CCC-2 alignment posture.