NCA ECC on AWS

NCA ECC on AWS for Saudi government and critical sectors.

The Saudi National Cybersecurity Authority Essential Cybersecurity Controls (ECC) are mandatory for government entities and critical infrastructure operators. The Cloud Cybersecurity Controls (CCC) supplement adds cloud-specific requirements. We implement both on AWS.

AWS Advanced Tier Partner
Google Cloud Partner
RedHat Partner
ISO 27001:2022 Certified
ISO 9001:2015 Certified
Saudi Arabia · Government
NCA ECC · CCC

NCA expects structured evidence.

5 ECC Domains
114 ECC Controls
CCC Cloud Annex
KSA Government

NCA ECC is the baseline for Saudi government entities. CCC extends it for cloud workloads. SaaS companies selling to Saudi government need both.
— HAZERCLOUD NCA practice

NCA on AWS.

NCA ECC framework

Five domains, 114 controls.

The Saudi NCA Essential Cybersecurity Controls (ECC-1:2018) are mandatory for all government entities and operators of critical infrastructure. The framework groups 114 controls across five main domains: Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, Third-Party Cybersecurity, and Industrial Control Systems Cybersecurity.

For cloud workloads, NCA published the Cloud Cybersecurity Controls (CCC) supplement. CCC adds cloud-specific obligations, including requirements for cloud service provider selection, multi-tenancy controls, encryption of data at rest and in transit, and incident response coordination with cloud providers.

The Critical Systems Cybersecurity Controls (CSCC) apply additional requirements to systems classified as critical. SaaS scale-ups selling to Saudi government typically need ECC + CCC. Critical infrastructure operators need ECC + CCC + CSCC.

NCA ECC Domains on AWS

Five domains, AWS-native implementations.

1. Cybersecurity Governance

AWS Organizations + AWS Control Tower for policy enforcement. AWS Config for governance evidence.

2. Cybersecurity Defence

AWS WAF, AWS Shield, GuardDuty, Inspector. Identity through IAM Identity Center. Encryption via KMS.

3. Cybersecurity Resilience

AWS Backup, multi-AZ deployment, disaster recovery patterns. Business continuity testing automated.

4. Third-Party Cybersecurity

AWS Artifact for AWS attestations. Third-party risk register entries. AWS as CSP documented per CCC.

5. ICS Cybersecurity

For critical infrastructure operators. Network segmentation, OT/IT boundary controls, AWS for non-OT workloads.

Our NCA Engagement Process

Three phases to ECC + CCC compliance.

ECC Gap Assessment

Current state mapped to ECC + CCC. Gap analysis. Roadmap with cost estimates.

Implementation

10 to 16 weeks. AWS architecture changes. Control implementations across all five domains.

Evidence Pack

NCA-defensible evidence assembled. Documentation, configurations, control mappings.

The Founder Commitment

Same AWS-certified specialist, discovery to handover.

The AWS-certified specialist on your discovery call leads the implementation team on your engagement. No bait-and-switch. No junior-led delivery. Six touchpoints I personally own: discovery call, architecture sign-off, weekly review, every material decision, every deliverable sign-off, and 30 days post-handoff.

Jobin Joseph
Founder & CTO, HAZERCLOUD INFOTECH LLP
AWS Security Specialty · 5× AWS Certified

NCA ECC Implementation

NCA Essential Cybersecurity Controls on AWS.

30-minute call. Direct with the founder. One specific recommendation about your NCA ECC + CCC posture on AWS.

AWS Advanced Tier Services Partner · ISO 27001:2022 · ISO 9001:2015 · 5× AWS-Certified Founder