Operlity gives government agencies, ministries, and critical national infrastructure operators a structured platform to implement, manage, and demonstrate compliance with the Saudi Essential Cybersecurity Controls — the Kingdom's mandatory cybersecurity baseline established by the National Cybersecurity Authority.
The Essential Cybersecurity Controls (ECC) is a mandatory cybersecurity framework issued by the National Cybersecurity Authority (NCA) of Saudi Arabia, applicable to all government agencies, ministries, and critical national infrastructure operators in the Kingdom. First published in 2018, the ECC establishes a comprehensive baseline of cybersecurity controls that organizations must implement to protect their information assets, systems, and infrastructure.
The ECC is organized across five domains — Cybersecurity Governance, Cybersecurity Defense, Cybersecurity Resilience, Third Party and Cloud Computing Cybersecurity, and Industrial Control Systems Cybersecurity — covering 114 essential controls and 36 advanced controls. The NCA conducts regular cybersecurity assessments of government entities and critical infrastructure operators, and organizations are expected to demonstrate full implementation of essential controls and progressive adoption of advanced controls over time.
114 essential controls and 36 advanced controls spanning governance, defense, resilience, third party, and industrial control systems — requiring structured implementation tracking and evidence management across the entire organization.
Organizations operating OT and ICS environments face additional cybersecurity obligations that require specialized governance approaches not covered by conventional IT security frameworks.
The ECC's dedicated third party and cloud computing domain imposes specific requirements on how organizations govern their technology vendors and cloud service providers.
NCA assessments require structured evidence, documented policies, and demonstrated control implementation — organizations must maintain examination-ready documentation at all times.
Organizations subject to ECC frequently also need to meet other NCA frameworks and sector-specific cybersecurity requirements — duplicating compliance effort without a platform that maps controls across frameworks.
The NCA expects organizations to demonstrate progressive improvement in cybersecurity maturity across assessment cycles, not just point-in-time compliance.

| ECC Domain | Operlity Capability |
|---|---|
| Cybersecurity Governance | Policy lifecycle management, role and responsibility assignment, and governance program management |
| Cybersecurity Defense | Control implementation tracking, vulnerability management, access governance, and incident register |
| Cybersecurity Resilience | BC/DR planning, drill management, incident response, and business continuity program management |
| Third Party & Cloud Computing Cybersecurity | Third party risk management with vendor due diligence, cloud provider assessments, and contract oversight |
| Industrial Control Systems Cybersecurity | ICS-specific control implementation tracking with ownership assignment and evidence management |
| Maturity Assessment | Structured maturity assessment workflows with domain-level scoring and progressive improvement tracking |

Scope the ECC against your organization and conduct a structured gap assessment across all five domains — establishing your baseline compliance posture against essential and advanced controls and prioritizing remediation efforts.
Implement all applicable ECC essential controls with structured tracking, ownership assignment, and evidence collection — maintaining a continuous record of implementation progress before progressing to advanced controls.
Audit your technology vendor and cloud service provider ecosystem — documenting cybersecurity due diligence, conducting third party risk assessments, and managing contractual cybersecurity obligations aligned to ECC domain requirements.
Create and maintain all cybersecurity policies required by the ECC — with documented approval workflows, annual review cycles, and workforce acknowledgement tracking across the organization.
Conduct structured internal maturity assessments across all five ECC domains — identifying gaps, tracking improvement, and building the maturity evidence that NCA examiners expect to see across assessment cycles.
Monitor your ECC compliance posture continuously — tracking control status, managing incidents, maintaining evidence, and preparing for NCA examinations as a structured, ongoing program rather than a reactive exercise.