Quick Verdict
Saudi Arabia’s National Cybersecurity Authority cut its Essential Cybersecurity Controls from 114 down to 108 with ECC 2:2024, which landed in October 2024. Fewer controls does not mean less work. If your organization runs critical infrastructure or sits under a government entity, the auditor will ask one hard question: can you prove it?
Key Takeaways
- ECC 2:2024 is the updated NCA framework that replaces ECC 1:2018, now with 108 controls instead of 114.
- It applies to Saudi government entities and private firms that run critical national infrastructure, plus their subsidiaries and affiliates.
- New rules include staffing every cybersecurity role with qualified Saudi nationals, along with clearer requirements for cloud and industrial control systems.
- A gap assessment shows you where you fall short, long before the NCA audit puts it on record.
What Changed in ECC 2:2024
The update is not a fresh coat of paint. Controls moved, merged, and tightened, so passing the old version does not mean you pass the new one.
- Controls were trimmed from 114 to 108, with overlapping items merged for clarity
- All cybersecurity positions must now be filled by full-time, qualified Saudi professionals, not only senior roles
- Data localization rules moved to the National Data Management Office under SDAIA
- The framework now covers cloud infrastructure and industrial control systems alongside traditional IT
- The NCA released an Assessment and Compliance Tool to help organizations measure how well they meet the controls
Why Gaps Hide Until the Audit
Most teams assume they are covered because they cleared ECC 1:2018. But a policy that satisfied the old version can quietly miss the new mark. The gap sits there unseen until an assessor opens the file.
Gaps tend to hide in three spots:
- Evidence that is months old and no longer matches your live setup
- Controls with no clear owner, so nobody keeps them current
- Cloud and operational technology assets that were never mapped to a control
How to Find Your Gaps Before the NCA Does
You do not need to wait for audit week to learn where you stand. A simple check, done early, turns a stressful scramble into a short to-do list.
- Map your current controls against all 108 ECC 2:2024 requirements
- Flag every control with missing or outdated evidence
- Give each gap a clear owner and a fix date
- Check again on a regular basis, not once a year, so you stay ready
How Secure.com Helps
Secure.com runs a continuous check of your live environment against control requirements and shows your gaps in plain language. Its Compliance Teammate maps evidence for you, so audit prep drops from weeks to minutes.
- A free gap assessment that scores your readiness against the control set
- Automatic evidence mapping pulled from your assets, configs, and access data
- Live dashboards that flag drift the moment a system falls out of line
- A clear owner and fix date for every gap, tracked to closure
- Audit-ready reports you can hand to assessors on demand