Axidian recently hosted a webinar for IT and security leaders in Saudi Arabia, dedicated to one of the key challenges for 2025: meeting the requirements of ECC-2:2024, the updated cybersecurity framework by the National Cybersecurity Authority (NCA) of Saudi Arabia.
The session gathered experts from both government entities and private companies that host or operate in Critical National Infrastructure. In this article, we recap the main points and insights shared during the discussion.
What is NCA ECC-2:2024 and who must comply
The Essential Cybersecurity Controls (ECC) is a regulatory cybersecurity framework introduced by Saudi Arabia’s National Cybersecurity Authority (NCA). Its goal is to establish minimum cybersecurity standards for sectors with a high impact on national stability and resilience.
NCA ECC applies to:
- Government bodies, such as ministries, authorities, and affiliated entities.
- Private-sector organizations that own, operate, or host Critical National Infrastructure (CNI) assets.
- Companies and entities under government ownership or control.
The updated NCA ECC-2:2024 version includes:
- 4 cybersecurity domains: cybersecurity governance, cybersecurity defense, cybersecurity resilience, third-party and cloud computing cybersecurity
- 29 subdomains
- 110 controls, further detailed into sub-controls
The new version expands expectations for identity management, access control, cryptography, and vendor governance.
What happens if you’re not compliant
Non-compliance can lead to:
- Financial penalties
- Legal complications
- Contractual and reputational risks, especially for public-facing organizations
Beyond compliance itself, organizations may refer to NCA ECC for guidance on cybersecurity best practices, to build resilience, and to fill gaps. NCA ECC was built on an analysis of local and international laws and regulations, and of international cybersecurity standards and developments.
Where to begin: aligning people, processes, and technology
To make real progress, divide your efforts across three pillars:
- People — team awareness, training, and accountability
- Processes — policies, governance, documentation
- Technology — platforms that enforce and support control implementation
The people component varies from organization to organization and depends heavily on your internal leadership. As for processes and technology, there are proven tools and ready-to-use checklists to accelerate progress.
Axidian has developed a practical NCA ECC compliance guide based on version 2:2024. Our guide includes:
- a checklist of all cybersecurity policies and documents that NCA ECC mandates
- a calendar checklist for all reviews, practices and updates that need to take place regularly
- a list of cybersecurity solutions that may help fulfill Controls related to practical implementations
- a detailed mapping of Axidian solutions to NCA ECC Controls
Our guide is available upon request.
NCA ECC requirements that can be fully covered by Axidian solutions
Several ECC controls can be addressed directly through modern identity and access tools. Below are two examples where Axidian products deliver full alignment:
Identity and Access Management (Control 2-2-3)
Covered by: Axidian Access and Axidian Privilege
- Multifactor authentication with OTP, biometrics, and smart cards
- Role-based access and least privilege enforcement
- Centralized management of access policies
- Secure privileged access with session monitoring and approval workflows
Secure management of cryptographic keys during their life cycles (Control 2-8-3)
Covered by: Axidian CertiFlow
- Automation of certificate issuance and lifecycle
- Monitoring of smart card expiration and token status
- Central PIN policy management
- Integration with certificate authorities
How to handle partially covered or shared-responsibility controls
Besides the controls above that require identity security solutions, Axidian can help you achieve wider coverage and improve compliance with more NCA ECC requirements:
- 1-3-3: Cybersecurity policies and procedures
- 1-5-3: Cybersecurity risk assessment procedures
- 1-9-4: Personnel cybersecurity requirements during employment
- 2-1-4 / 2-1-5: Acceptable use policy of information and technology assets
- 2-12-3: Requirements for event logs and monitoring management
- 2-13-3: Requirements for incidents and threat management
- 2-14-3: Physical protection of information and technology assets
- 2-15-3: Cybersecurity requirements for external web applications
- 3-1-3: Requirements for business continuity management
- 4-1-2: Requirements for contracts and agreements with third-parties
Why organizations in Saudi Arabia choose Axidian
Axidian is an identity security vendor with a presence in over 30 countries and growing operations across the GCC.
Our portfolio includes:
- Axidian Access — MFA, SSO and centralized authentication management
- Axidian Privilege — Privileged access management, third-party and remote access security
- Axidian CertiFlow — Automation of certificate and smart card lifecycles and PKI management
- Axidian Shield (launching soon) — Identity threat detection and response (ITDR)
What to do next: checklist, demo, or direct support
If your organization is preparing for an ECC audit in 2025, we recommend three immediate steps:
- Download the Checklist for NCA ECC-2:2024
  Prioritize implementation and audit preparation efforts
- Find out more about how Axidian helps to comply with NCA ECC
  Explore how Axidian Access, Privilege, and CertiFlow support NCA ECC Controls
- Book a consultation
  Our team can map your current capabilities to ECC requirements and identify gaps
Stay connected — follow Axidian on LinkedIn for updates from the region.