Saudi Arabia's Essential Cybersecurity Controls 2024 (ECC-2): Key Updates and Implications
Legal Development | 16 January 2025 | Middle East
Saudi Arabia’s National Cybersecurity Authority (NCA) has issued an updated version of the Essential Cybersecurity Controls (ECC-2), building on the previous ECC-1:2018 (ECC-1). The ECC-2 mark a landmark reform of the cybersecurity regulatory framework in the Kingdom of Saudi Arabia (KSA) and aim to strengthen governance, improve resilience, and align with KSA’s evolving national cybersecurity strategy. Key changes include amendments to the scope of the ECC, transfer of authorities in relation to data localization, introduction of new Saudization requirements, streamlining of controls, and enhanced clarity.
Changes to the Scope of Application
The ECC-2 generally mirror the scope of application set out in the ECC-1: government entities in KSA (including ministries, authorities, establishments and their subsidiaries and affiliates) (Relevant Governmental Entities) and private-sector organisations owning, operating or hosting Critical National Infrastructures.
However, the ECC-2 clarify that Relevant Governmental Entities include those established inside and outside the KSA. This clarification is particularly relevant if we consider the increasing involvement of Saudi governmental entities in foreign direct investment (FDI) initiatives in economies outside the KSA.
While this change confirms the extra-territorial application of the ECC-2, the material scope of application of the ECC-2 remains unclear. In particular, no official guidance is given on the degree of governmental ownership of subsidiaries and affiliates required to trigger the application of the ECC-2. Pragmatically, it is likely that the ECC-2 will apply extraterritorially to KSA consulates, embassies and the like, along with foreign entities fully and directly owned by Saudi government entities. It can be expected that official guidance on this matter will be issued by the NCA.
Data Localization
A major update in ECC-2 is the removal of the explicit in-country data hosting requirements, which previously mandated that data be stored within KSA. However, this does not necessarily ease data localization requirements. The ECC-2 clarify that controls related to data localization have been transferred from the ECC-2 to the National Data Management Office (NDMO) at the Saudi Data and Artificial Intelligence Authority (SDAIA), and entities must refer to the NDMO regarding data localization before taking any action in this regard. At this time, the main reference for questions pertaining to data localization is the Regulations on the Use of Information and Communication Technologies in Government Entities issued pursuant to Council of Ministers Resolution No. (555) dated 23/9/1440 H (28 May 2019) (ICT Regulations). The ICT Regulations relate to the hosting of government data on servers located in the KSA and require agreements to include confidentiality undertakings; they must be read in tandem with sector-specific regulations that may mandate a degree of data localization even after the ECC-2 amendments. We expect the NDMO to issue guidance or additional regulations governing the requirements relating to hosting government data in the future.
Other Key Changes
The ECC-2 introduce additional updates that reflect the evolving cybersecurity landscape, including:
- Streamlining of controls: The ECC-2 reduce the number of controls from 114 to 108 to make the framework more efficient and easier to implement.
- Enhanced clarity and alignment: The ECC-2 consolidate requirements overlapping with other regulatory provisions and direct organisations to specific NCA standards to ease the compliance burden.
- Saudization requirements: Under ECC-1, only senior positions needed to be filled by Saudi nationals. ECC-2 now mandate that all cybersecurity positions within organisations be occupied by full-time, qualified Saudi professionals. This change aligns with broader nationalisation efforts and will intensify competition within KSA for local cybersecurity talent.
Next Steps
Organisations within the scope of ECC-2 operating in KSA should act promptly to align their practices with ECC-2. As the cybersecurity landscape continues to evolve, ECC-2 serves as a vital tool for safeguarding digital assets and maintaining operational continuity in an increasingly connected world.
To comply with the ECC-2 and enhance their cybersecurity readiness, entities within the scope of the ECC-2 should take the following steps:
1. Assess Compliance
Conduct a gap analysis to identify areas where current practices fall short of ECC-2 requirements and prioritise addressing high-risk vulnerabilities.
2. Update Policies
Revise cybersecurity policies and procedures to align with the updated framework, focusing on governance, defense, resilience, and third-party security.
3. Prepare for Workforce Localization
Ensure all cybersecurity roles are filled by qualified Saudi professionals, leveraging training programs and local recruitment strategies.
4. Monitor Regulatory Updates
Stay informed about changes to cybersecurity regulations and review practices periodically to ensure ongoing compliance, particularly in relation to data localization requirements.
For more information on KSA’s cybersecurity regulatory framework and its implications for your business, please contact Lamisse Bajunaid or Masha Ooijevaar.
Our dedicated Doing Business in Saudi Arabia Hub helps businesses stay informed and understand the latest developments and opportunities.