Key Takeaways
- Saudi Arabia’s NCA updated ECC 2-2024 to strengthen national cybersecurity and protect the information and technology assets of national entities.
- Controls were reduced from 114 to 108, and data localization authority shifted from ECC to the National Data Management Office (NDMO) under SDAIA.
- All cybersecurity roles must now be filled by qualified Saudi nationals, not just senior positions as required under ECC-1.
- ECC 2-2024 introduces a tier-based compliance model, classifying organizations as Essential, Advanced, or Minimal based on criticality and risk exposure.
- Non-compliance can lead to formal audits, financial fines, reputational damage, and in serious cases, suspension of services or loss of operating licenses.
- The July 2025 public consultation page on eparticipation.gov.sa was updated on July 3, 2025, signaling ongoing regulatory activity around ECC.
Introduction
A security team in Riyadh spent three months mapping controls to the old ECC-1 framework. Then ECC 2-2024 dropped, and the entire roadmap needed a rethink.
That’s the reality for hundreds of organizations across the GCC right now. The NCA updated the framework, added a July 2025 consultation update, and the clock is running. Here’s what you actually need to know.
What Is ECC 2-2024 and Why Did It Change?
The NCA released ECC 2-2024 after evaluating various global and national cybersecurity frameworks, incorporating international standards, national regulations, and lessons from past cyber incidents affecting government and critical organizations.
The original ECC-1:2018 set the baseline. It worked for its time. But cloud adoption, ransomware, supply chain attacks, and AI-driven threats changed the threat landscape faster than the old controls could keep up with.
The updated framework addresses emerging threats associated with AI, cloud services, and supply chain vulnerabilities, while also expanding focus on remote work and IoT security.
The July 2025 activity on the NCA’s public consultation portal (last updated July 3, 2025) reflects that this framework is still being actively shaped, not a static document to file and forget. Organizations treating ECC 2-2024 as a one-time compliance project will face continuous gaps as the NCA refines requirements.
Who Does ECC 2-2024 Apply To?
These controls apply to government entities in Saudi Arabia, including ministries, authorities, and institutions; to their affiliates and subsidiaries inside and outside the Kingdom; and to private sector entities that own, operate, or host Critical National Infrastructure (CNI).
The most significant recent regulatory shift is that the NCA now requires all private companies to meet baseline cybersecurity controls, not just those managing critical infrastructure.
So if you run a private business operating in the Kingdom and assumed ECC was only a government problem, that assumption no longer holds.
The Core Changes in ECC 2-2024 You Cannot Ignore
1. Fewer Controls, Sharper Focus
ECC 2-2024 is built on four key cybersecurity domains, divided into 28 subdomains and 108 controls with 92 sub-controls, covering cybersecurity governance, defense, resilience, and third-party and cloud computing security.
That’s down from 114 controls in ECC-1. The reduction is not a loosening of standards. It’s the NCA cleaning up redundancies and pointing organizations to specific NCA standards rather than duplicating requirements across documents.
2. Domain 5 Was Deleted
Key changes include the deletion of Domain 5 and adjustments to controls for better alignment with current cybersecurity practices, alongside enhancements to address evolving threats.
The four remaining domains now cover everything: cybersecurity governance, defense, resilience, and third-party and cloud computing security. Each subdomain has clearer ownership expectations baked in.
3. Data Localization Moved to NDMO
ECC 2-2024 removes the explicit requirement for in-country data hosting that existed under ECC-1. However, this does not mean data localization requirements have relaxed. Authority over those requirements transferred to the National Data Management Office (NDMO) under the Saudi Data and Artificial Intelligence Authority (SDAIA), and organizations must check with NDMO before taking any action.
This matters more than people realize. Skipping the NDMO check because ECC no longer lists it explicitly is a compliance gap waiting to happen. We’ve seen organizations assume data localization obligations disappeared when they simply moved to a different regulatory authority.
4. Saudization Now Covers All Cybersecurity Roles
Under ECC-1, only senior positions were required to be filled by Saudi nationals. ECC 2-2024 now mandates that all cybersecurity roles be occupied by full-time, qualified Saudi nationals.
For organizations that relied on international contractors or outsourced cybersecurity functions, this is a workforce planning problem as much as a compliance one. Hiring, training, and certifying local talent takes months, not weeks. Organizations should budget 6-12 months for recruitment, onboarding, and certification of Saudi cybersecurity professionals to meet ECC 2-2024 Saudization requirements.
5. Tier-Based Compliance Model
Organizations are now classified into Essential, Advanced, or Minimal tiers based on criticality and risk exposure, enabling more tailored and scalable implementation without a one-size-fits-all approach. This tier-based model is a significant improvement over ECC-1’s blanket requirements.
This is actually good news for smaller organizations. The tier system means you’re measured against expectations appropriate to your size and risk level, not held to the same bar as a national bank or power utility.
What the Compliance Landscape Looks Like Now
Penalties Are Real
Failing ECC 2-2024 compliance is not just a technical gap. Organizations face formal audits, financial penalties, reputational damage, and in severe cases, suspension of services or revocation of operating licenses.
Regulatory scrutiny across Saudi Arabia and the GCC is tightening. One-time certification is no longer the goal. Continuous compliance is.
The Compliance Tool Is Coming
The NCA plans to introduce an ECC 2-2024 Assessment and Compliance Tool to help organizations organize their evaluation processes and measure how well they meet the ECC requirements. As of this writing, the tool has not yet been released.
When it launches, use it. Organizations that rely on manual tracking and periodic audits are already running behind. Automated evidence gathering and continuous posture monitoring are where compliance programs need to go—and where platforms like Secure.com provide immediate value.
Supply Chain and Third-Party Risk Got Harder
Verifying that vendors meet ECC 2-2024 requirements adds significant complexity, requiring organizations to assess supplier security practices, validate compliance documentation, and enforce contractual obligations.
Your security posture is only as strong as the weakest vendor in your chain. If your third-party risk management program is not mapped to ECC controls, start there.
How to Build Your ECC 2-2024 Action Plan
Most organizations do not fail compliance because they are missing the controls. They fail because they cannot show those controls were operating consistently. That gap between having a policy and proving it ran continuously is where audits get uncomfortable.
Here is a practical starting point:
- Run a gap analysis first. Map your current state against the 108 controls using the NCA’s own toolkit. Do not skip the Saudization workforce audit.
- Confirm your compliance tier. Essential, Advanced, or Minimal determines what evidence level you need to maintain.
- Check NDMO on data localization. Do not assume the removal from ECC means it disappeared as an obligation.
- Update your third-party contracts. Vendors must contractually commit to ECC-aligned security practices.
- Build continuous monitoring, not point-in-time audits. Compliance is not a one-time effort. It demands real-time visibility into your cybersecurity posture and automated evidence collection to prove controls are operating consistently.
- Start hiring and training Saudi cybersecurity professionals now. This takes longer than any technical control.
If your security program is built on frameworks like ISO 27001 or NIST CSF, you are not starting from zero. ECC 2-2024 is aligned with international standards such as NIST and ISO/IEC 27001, which supports international cooperation and reduces duplicated compliance effort. Organizations with existing ISO 27001 or NIST CSF programs can map many controls directly to ECC 2-2024 requirements, significantly reducing implementation time.
How Digital Security Teammates Help You Maintain ECC 2-2024 Compliance
ECC 2-2024 compliance isn’t a project you finish—it’s something you maintain every single day. That is where most security teams run into trouble. They have the controls documented, but they cannot show continuous evidence that those controls are actually working. Audits expose the gap fast.
Secure.com’s platform supports compliance workflows aligned with major global regulatory standards, including ISO 27001 and SOC 2, and provides automated framework mapping for the compliance standards it supports.
Here is what that looks like in practice across the four ECC domains:
Cybersecurity Governance
Compliance managers often spend days pulling together evidence before an audit. Secure.com continuously monitors policy adherence and generates real-time reports mapped to regulatory standards. Live evidence packs and automated mappings remove the manual grind and reduce audit risk. Your governance posture is visible at any point, not just when an auditor asks.
Cybersecurity Defense
Identity and asset management are two of the heaviest areas inside the ECC Defense domain. Secure.com discovers assets across cloud, endpoint, and SaaS environments—agentless by default—correlating scans and integrations into a live knowledge graph that closes blind spots before attackers exploit them. For ECC controls around IAM, vulnerability management, and network security, that full asset visibility is the foundation everything else builds on.
Cybersecurity Resilience
Response time matters in compliance just as much as it does in an actual incident. Secure.com’s Digital Security Teammates deliver 30-40% faster mean time to detection (MTTD) and 75% faster alert triage, saving over 2,000 hours annually across security operations. Faster detection and documented response trails directly support the resilience controls the NCA looks for during assessments.
Third-Party and Cloud Security
Secure.com integrates with 200+ security and business tools, connecting signals across your full stack rather than replacing what you already have. That matters for ECC’s third-party domain, where you need visibility into vendor-connected environments, not just your own perimeter.
Here’s the bigger picture: Secure.com unifies posture, compliance, vulnerabilities, and live threats into one board with a continuously updating security score, synthesizing signals into executive-ready reporting with drill-downs for analysts. When the NCA or your board asks about your compliance position, you have a clear answer ready, not a spreadsheet scramble.
FAQs
Does ECC 2-2024 apply to private companies outside critical infrastructure?
What happened to the data localization requirement under ECC 2-2024?
What are the consequences of not complying with ECC 2-2024?
Do international cybersecurity frameworks like ISO 27001 help with ECC 2-2024 compliance?
Conclusion
ECC 2-2024 is not a bureaucratic update. It’s a meaningful shift in how the NCA expects organizations to govern, defend, and demonstrate cybersecurity maturity. The July 2025 consultation activity signals the framework continues to evolve, and organizations that treat compliance as a one-time project rather than an ongoing program will keep getting caught off guard.
At Secure.com, we help organizations build continuous compliance programs that adapt as frameworks evolve—so you’re always audit-ready, not scrambling when regulations change.
Start with a gap analysis. Fix the workforce piece early, because local talent pipelines take time. And watch the NDMO for data localization guidance, because that story is not finished yet.