Key Takeaways
- ECC 2-2024 now covers 110 controls across 4 domains. Organizations that passed the old ECC 1 assessment are not automatically ready for the new one.
- Domain 2 carries 60 controls across 15 subdomains and is where most audit findings come from. Start your gap assessment there.
- Having a control in place is not the same as being able to prove it. Auditors want evidence, not policies. Logs, timestamps, and access records matter more than written procedures.
- A gap assessment using the official NCA toolkit before the audit gives you time to fix and document rather than explain under pressure.
- Compliance that only happens before an audit will always produce findings. The organizations that pass cleanly run compliance as a continuous program, not a seasonal event.
Introduction
A compliance officer at a mid-size Saudi government entity spent three months preparing for their NCA audit. Policies were written. Controls were documented. The team felt ready.
The auditor arrived and asked one question: “Can you show me the evidence?”
They could not. Not in any consistent form. Policies existed. Evidence did not. That is where most ECC 2-2024 failures actually happen.
What ECC 2-2024 Actually Changed and Why Teams Are Caught Off Guard
ECC 2-2024 has a more streamlined structure: 4 high-level domains, 28 subdomains, and 110 controls, down from the 5 domains, 29 subdomains, and 114 controls of the earlier version. On paper, fewer controls sounds easier. In practice, the consolidation folded requirements together rather than dropping them, so each remaining control covers more ground and needs more evidence to satisfy.
The new ECC introduced enhanced controls that address a wider range of threats, including phishing, malware, and ransomware, while placing greater emphasis on risk assessment, management, and mitigation.
Teams that passed the old assessment are not automatically ready for the new one. The bar moved.
Who Has to Comply
ECC applies to government bodies such as ministries, authorities, and affiliated entities, as well as private sector organizations that own, operate, or host Critical National Infrastructure assets, and companies and entities under government ownership or control.
If you operate in Saudi Arabia and touch national systems, sensitive data, or critical services, the NCA expects you to comply. No exemptions based on size.
What a Real Domain 2 Audit Gap Looks Like
The Cybersecurity Defense domain comprises 15 critical subdomains and 60 controls covering asset management, Identity and Access Management, network security, cryptography, and vulnerability management.
Domain 2 is the largest section in the framework. It is also where most audit findings land. Not because organizations ignore it, but because 60 controls across 15 subdomains is a lot of ground to cover consistently.
The Five Gaps That Come Up Most Often
These are not edge cases. They show up repeatedly across Saudi organizations preparing for NCA visits:
- Asset inventory that is incomplete or not kept current. Auditors ask to see an up-to-date list of all information assets with owners and classification. A spreadsheet last updated six months ago is not that.
- Identity and access management controls that exist in policy but are not enforced in practice. MFA may be documented as a requirement but only applied to some user groups. That inconsistency is an immediate finding.
- Vulnerability management logs that show scans were run but cannot confirm what was remediated, by whom, and when. Running a scan and remediating its findings are two very different things to an auditor.
- Event logging that covers primary systems but misses cloud workloads, remote access sessions, and privileged user accounts. ECC requires activation of cybersecurity event logs on critical information assets, remote access, and privileged user accounts. Partial coverage fails the control.
- Network segmentation that is configured on paper but has not been tested or verified since deployment. Auditors may request evidence of testing, not just configuration records.
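The difference between "the control exists" and "we can show it" is easiest to see in code. The script below is an added example, not part of the original article and not the NCA toolkit; it runs the first four checks above over constructed records (a small asset inventory, the groups an MFA policy names versus the groups the identity provider actually enforces, two vulnerability scan exports plus a ticket log, and per-asset logging status). The field names, the 30-day inventory review window and the 90-day remediation window are assumptions chosen for the example, not values taken from ECC 2-2024. What it produces is exactly what an auditor asks for: for each gap, the specific assets, groups or findings that fail, and for each closed finding, who closed it and when.

```python
"""Evidence checks for four Domain 2 gaps over constructed sample records.

Added example; not from the original article or the NCA toolkit. All data
below is made up, and the review/remediation windows are assumptions.
"""
from datetime import date, timedelta

TODAY = date(2025, 3, 1)

# Constructed asset inventory: hypothetical hosts, owners, review dates.
ASSETS = [
    {"id": "web-01", "owner": "alice", "critical": True,
     "last_reviewed": date(2025, 2, 20), "logging": True},
    {"id": "db-01", "owner": "bob", "critical": True,
     "last_reviewed": date(2024, 8, 1), "logging": True},
    {"id": "vpn-gw", "owner": "carol", "critical": True,
     "last_reviewed": date(2025, 2, 25), "logging": False},
    {"id": "print-01", "owner": "dave", "critical": False,
     "last_reviewed": date(2024, 9, 1), "logging": False},
]

# Groups the written MFA policy covers vs. groups the IdP actually enforces.
MFA_POLICY_SCOPE = {"admins", "staff", "contractors", "remote-users"}
MFA_ENFORCED = {"admins", "staff"}

# Two scan exports (finding id -> asset) and the ticket log. A finding that
# vanishes between scans only counts as remediated if a ticket says who
# closed it and when.
SCAN_PREV = {"F-101": "web-01", "F-102": "web-01",
             "F-103": "db-01", "F-104": "vpn-gw"}
SCAN_CURR = {"F-103": "db-01", "F-104": "vpn-gw"}
TICKETS = [{"finding": "F-101", "closed_by": "alice",
            "closed_on": date(2025, 2, 10)}]
FINDING_FIRST_SEEN = {"F-103": date(2024, 10, 1),
                      "F-104": date(2025, 2, 15)}


def stale_assets(assets, today=TODAY, max_age_days=30):
    """Inventory records not reviewed within the (assumed) window."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a["id"] for a in assets if a["last_reviewed"] < cutoff)


def mfa_gaps(policy_scope, enforced):
    """Groups the policy names that the identity provider does not enforce."""
    return sorted(policy_scope - enforced)


def remediation_evidence(prev, curr, tickets):
    """Split findings that disappeared between scans into those with a
    closing ticket (who/when) and those nobody can account for."""
    closed = set(prev) - set(curr)
    by_finding = {t["finding"]: t for t in tickets}
    evidenced = {f: by_finding[f] for f in closed if f in by_finding}
    unevidenced = sorted(closed - set(evidenced))
    return evidenced, unevidenced


def overdue_findings(curr, first_seen, today=TODAY, sla_days=90):
    """Findings still open past the (assumed) remediation window."""
    return sorted(f for f in curr
                  if today - first_seen[f] > timedelta(days=sla_days))


def logging_gaps(assets):
    """Critical assets with no active event logging; partial coverage fails."""
    return sorted(a["id"] for a in assets if a["critical"] and not a["logging"])


def gap_report():
    """One record per check, listing the concrete items that fail it."""
    evidenced, unevidenced = remediation_evidence(SCAN_PREV, SCAN_CURR, TICKETS)
    return {
        "stale_assets": stale_assets(ASSETS),
        "mfa_unenforced_groups": mfa_gaps(MFA_POLICY_SCOPE, MFA_ENFORCED),
        "remediated_with_evidence": sorted(evidenced),
        "remediated_without_evidence": unevidenced,
        "overdue_findings": overdue_findings(SCAN_CURR, FINDING_FIRST_SEEN),
        "critical_assets_not_logged": logging_gaps(ASSETS),
    }


if __name__ == "__main__":
    for control, gaps in gap_report().items():
        print(f"{control}: {gaps or 'no gap'}")
```

Run against real exports, the same shape of report is the evidence package: each line names what fails, and the ticket join shows that "F-101" was closed by a named person on a dated record while "F-102" simply stopped appearing, which is the distinction an auditor will press on. Segmentation testing (the fifth gap) is deliberately not in the script; that evidence is a dated test result, not something a reconciliation over records can produce.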
Why Evidence Is the Actual Problem
Having a control in place is step one. Being able to prove it is step two, and most teams skip step two until the audit is already scheduled.
Compliance is not a one-time effort. It requires real-time visibility into an organization’s cybersecurity posture, and organizations must shift away from traditional methods that rely on periodic audits and manual assessments.
Manual evidence collection from spreadsheets, email threads, and shared drives does not hold up under scrutiny. Auditors want logs, timestamps, and records that were generated automatically, not assembled the night before.
How to Run a Gap Assessment Before the Auditor Shows Up
A gap assessment done internally gives you time to fix findings rather than explain them. A gap assessment is not optional groundwork. It separates a clean first audit from an expensive failed one.
Use the NCA Toolkit First
The NCA provides its own assessment and compliance tool that maps directly to ECC 2-2024. Start there. It shows you exactly what an auditor will look at for each control. Teams that build their own checklists from scratch often miss sector-specific requirements that are baked into the official toolkit.
Work Through Domain 2 Control by Control
Do not try to assess all 110 controls at once. Start with Domain 2’s 60 controls since that is where most findings come from.
For each control, answer two questions:
- Is this implemented?
- Can we produce evidence on request?
If the answer to the second question is anything other than a prompt yes backed by a pointer to the actual record (a log export, an access review, a ticket), that control is a gap.
Document as You Remediate
Every fix you make before the audit only counts if it is captured. For each control, record what it requires, what was done to satisfy it, who is responsible, and the date it was last reviewed. That is the evidence package an auditor expects to see.
Closing Gaps Without Burning Out Your Team
The NCA ECC 2-2024 framework can be overwhelming given the detailed controls and subdomains it covers. A checklist approach helps break down complex requirements into manageable tasks and helps teams stay organized as they work through the framework.
That is true. But a checklist only helps if someone is working through it consistently between audits, not just in the six weeks before one.
Assign an Owner to Every Control
Compliance gaps often stay open because nobody knows who is responsible for closing them. Each of your 110 controls needs a named owner, a remediation deadline, and a clear definition of what done looks like. Without that, the same gaps reappear audit after audit.
Automate Evidence Collection
Manual reporting across 110 controls is not realistic for most teams. Automated evidence collection across integrations and auditor-approved document templates make it significantly easier to maintain continuous compliance without relying on manual assembly before each audit.
When evidence is generated automatically as part of normal operations, audit prep stops being a crisis and starts being a report you already have.
Treat Compliance as Ongoing, Not Annual
ECC 2-2024 introduces mandatory audits and expects organizations to conduct regular self-assessments using NCA’s Compliance Tool for ongoing monitoring.
The NCA does not want a snapshot of your compliance on audit day. It wants to see a program that runs continuously. Teams that operate this way have far fewer surprises when the auditor visits.
How Secure.com Helps You Close ECC 2-2024 Gaps Before the Visit
Most teams do not have a compliance problem. They have a visibility and evidence problem. Secure.com’s Compliance Teammate keeps your ECC posture current without last-minute scrambles.
- Continuous compliance monitoring maps your controls to ECC 2-2024 so gaps surface before auditors arrive, not during the visit
- Automated evidence collection pulls audit-ready documentation from across your environment, significantly reducing manual compilation effort
- Configuration drift detection flags when a previously compliant control slips out of alignment between audit cycles
- Risk-based prioritization surfaces Domain 2 gaps that carry the most regulatory exposure first, so your team can focus on what matters most
- Real-time compliance dashboards give security leadership and executives a live view of where the organization stands across every control domain
Conclusion
Most ECC 2-2024 audit failures don’t happen because organizations ignored security. They happen because teams did the work but couldn’t prove it, or treated compliance as something to prepare for rather than something to maintain.
Closing gaps before the NCA visit means knowing exactly where they are, assigning clear ownership, and building evidence as part of daily operations, not just before audits. That is a different approach from the one most teams run today: it requires visibility, automation, and a program that keeps running between audits, not just before them.