The National Cybersecurity Authority (NCA) of Saudi Arabia has established comprehensive cloud computing controls that every enterprise operating in the Kingdom must comply with. The Cloud Cybersecurity Controls (CCC) framework specifically addresses how organizations should evaluate, deploy, and manage cloud services.

This checklist breaks down the essential requirements your cloud infrastructure must meet to maintain NCA compliance.

Section 1: Cloud Service Provider Assessment

• Provider is registered or authorized to operate in Saudi Arabia
• Provider has documented data residency capabilities within KSA
• Provider can demonstrate compliance with NCA’s Essential Cybersecurity Controls (ECC)
• Provider has undergone third-party security assessment or holds ISO 27001
• Service Level Agreement (SLA) explicitly addresses data sovereignty requirements
• Provider has a documented incident response procedure accessible to the customer
• Exit strategy and data portability plan documented in the contract

Section 2: Data Classification & Residency

• All data assets classified according to NCA data classification guidelines
• Classified and sensitive data confirmed to reside within Saudi Arabia
• Data processing (not just storage) occurs within KSA borders
• Backup and disaster recovery copies also stored within the Kingdom
• Encryption keys managed within KSA jurisdiction
• Data transfer mechanisms documented — no unauthorized cross-border transfers
• Metadata and logs also covered under residency requirements

Section 3: Access Control & Identity Management

• Multi-factor authentication (MFA) enforced for all administrative access
• Role-based access control (RBAC) implemented across all cloud resources
• Privileged access limited and monitored with session recording
• Service accounts audited and rotated regularly
• Administrative access from outside KSA requires additional controls
• Employee background checks completed for personnel with access to classified data

Section 4: Network Security

• Network segmentation between tenants (if multi-tenant environment)
• Encrypted connections (TLS 1.2+) for all data in transit
• DDoS protection measures in place
• Intrusion detection/prevention systems (IDS/IPS) operational
• DNS security measures implemented
• Network activity logging enabled with minimum 12-month retention

Section 5: Monitoring & Incident Response

• Security Information and Event Management (SIEM) deployed
• Real-time monitoring of security events operational
• Incident response plan documented, tested, and NCA-compliant
• Security incidents reported to NCA within required timeframes
• Quarterly vulnerability assessments performed
• Annual penetration testing conducted by accredited third party
• Audit logs immutable and retained per NCA guidelines

Section 6: Business Continuity

• Business Impact Analysis (BIA) completed for cloud-hosted workloads
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO) documented
• Failover tested at least annually
• Backup encryption and access controls verified
• Provider’s own business continuity plan reviewed and validated

Section 7: Contractual & Governance

• Cloud governance framework established internally
• Risk assessment completed before cloud adoption
• Contracts reviewed by legal for NCA compliance alignment
• Right-to-audit clause included in provider agreement
• Data ownership explicitly stated — customer retains ownership
• Subprocessor/subcontractor disclosures obtained from provider
• Regular compliance reviews scheduled (minimum quarterly)

How MomentumX Helps

MomentumX’s Hyper Private Cloud and HyperEdge infrastructure are designed from the ground up for NCA compliance:

• In-Kingdom data residency — all data, processing, backups, and encryption keys stay in Saudi Arabia
• Dedicated infrastructure — no shared tenancy means no cross-contamination risk
• ISO 27001-aligned operations with documented incident response
• Full data portability — no vendor lock-in, documented exit strategy included in every contract
• Operational sovereignty — management team subject to Saudi jurisdiction

Discuss your NCA compliance requirements →

This checklist is provided as a guide and should be validated against the latest NCA CCC documentation. Regulatory requirements may change. Consult with qualified legal and compliance professionals for your specific situation.