Outcome · Regulator-ready cybersecurity

Pass the NCA assessment. The first time.

The NCA Essential Cybersecurity Controls have moved from guidance to enforcement. Saudi government entities, regulated banks, telcos, and critical infrastructure are being assessed — and the gap between operating to the standard and being able to prove it is what most teams underestimate. We close that gap.

47 ECC controls covered · Evidence pack regulator-ready · Zero remediation findings (to date)

Why this matters now

The problem we solve.

Proving it to the auditor is another problem entirely.

The NCA Essential Cybersecurity Controls cover 47 controls across five domains. Most security teams have implementations in place for the majority. What most do not have — and what stalls Vision 2030 contracts every quarter — is the evidence chain that lets a regulator verify it without ambiguity.

The standard does not ask whether you encrypt data. It asks for proof of the policy, the implementation, the test results, the access reviews, and the incident drills. Eight things to evidence per control. Four hundred-plus artefacts across the framework. And a regulator that will not accept "we are working on it".

47 ECC controls in scope

Across governance, defence, resilience, third-party, and ICS — every one needs evidence.

80% cite evidence as the bottleneck

Regulated entities self-reporting that producing the evidence pack — not the controls themselves — delays submission.

1 finding can stall a contract

A single material finding on first submission can defer a Vision 2030 procurement cycle by quarters.

What you'll have

A posture you can prove.

Not just controls in place. A complete, audit-ready posture that maps to every ECC requirement.

100% ECC control coverage

All 47 controls across the five ECC domains — governance, defence, resilience, third-party, and ICS — implemented and mapped.

Regulator-ready evidence pack

Control mapping, test results, runbooks, incident drills, and policy artefacts — assembled, indexed, ready to submit.

Remediation findings

Across every NAS-led ECC engagement to date, no material finding requested post-submission.

Quarterly re-assessment cadence

Compliance does not retire after submission. We bake quarterly re-assessment into the operating model.

In practice

What this looks like delivered.

Every ECC engagement runs through the same four phases — sequenced so evidence is captured at the moment a control is implemented, not reconstructed weeks later.

A typical engagement runs 8–14 weeks depending on entity size and existing maturity, with a phased delivery that keeps audit-readiness moving even on the longer programmes.

01 · Capture
Regulatory baseline · Control gap analysis · Maturity scoring

02 · Design
Architecture controls · Policy library · Operating model

03 · Evidence
Control mapping · Test results · Runbooks & drills

04 · Sustain
Quarterly re-assessment · Regulatory-change tracking · Audit-cycle support

“In Saudi banking we cannot afford a finding on first submission. NAS shipped the evidence pack ready for the regulator in week 12. That changed how we plan every audit cycle since.”
CISO · Tier-1 Saudi bank · client name withheld

Want a readiness review?

A 30-minute review of where you are against the 47 controls — what is in place, what is evidenced, and what would be a finding today. No deck, no pitch.

Regulator angle

Compliance built into the engagement — frameworks aligned, evidence captured at delivery time.
