The National Cybersecurity Authority published the second version of the Essential Cybersecurity Controls in 2024. ECC-2 supersedes ECC-1:2018. If you've spent the last six years building toward ECC-1, you're not starting over, but the changes are real and they shape what you should be doing for the next twelve months.
Here are the five changes that matter most to the entities I work with.
1. Control count: 114 → 108
ECC-2 consolidates and tightens. Six controls are gone or merged. The rest have been clarified to remove overlap with other NCA standards (CCC, CSCC, DCC, TCC). If your existing control matrix maps every control 1:1 to ECC-1, you'll need to re-map. Most of the changes are housekeeping; the consolidation is mostly welcome.
2. Saudization expanded to all cybersecurity roles
Under ECC-1, only senior cybersecurity positions had to be filled by Saudi nationals. Under ECC-2, this applies to every cybersecurity role: SOC analysts, GRC specialists, security architects, the lot. For entities that have been relying on expatriate consultants or contractors to fill day-to-day positions, this is the biggest operational change in the release. It rewrites the staffing model.
I'd start by mapping which positions you currently have that ECC-2 now requires to be Saudi-occupied, and whether you have the pipeline to fill them. A common pattern I'm seeing: organizations that had foreign senior analysts but Saudi managers are now inverted, the seniors stay, the day-to-day analyst seats become the recruitment problem.
3. Data localization moved out of ECC
ECC-1 had explicit in-country hosting language. ECC-2 strips it out. That doesn't mean data localization is now optional. It means the authoritative source for data localization is now the National Data Management Office (NDMO) at SDAIA, not ECC. If a vendor is telling you "ECC-2 removed the hosting requirement, we can move you to a foreign region," they're reading one document and ignoring the one that actually governs your data. Check the NDMO regulations for your data classification before any cross-border move.
4. Scope extended to Saudi government presence outside the Kingdom
ECC-2 explicitly covers Saudi government entities established inside and outside KSA. Diplomatic missions, foreign offices, sovereign wealth investments with KSA government ownership: all now in scope. If you support a KSA-affiliated entity operating abroad, your ECC obligation just expanded.
5. Tighter integration with other NCA standards
ECC-2 now directs you to specific NCA standards (CCC for critical systems, CSCC for cloud, DCC for data classification) instead of restating those rules inside ECC. The benefit: less duplication, fewer interpretive disagreements between an ECC assessor and a CCC assessor on the same control. The cost: you need to read the dependent standards as a set, not as an ECC-only exercise.
What to do in the next ninety days
If you completed an ECC-1 assessment within the last two years, here's the order I'd suggest:
- Map your existing 114-control matrix to the new 108. Most controls survive verbatim; some merge. Note which of your existing evidence packs you can carry forward.
- Audit your cybersecurity staffing roster against the expanded Saudization rule. Identify the seats you'll need to refill and the timeline.
- Re-read the NDMO data residency rules for your classification tier. Document the lawful basis for any data that lives outside KSA today.
- Re-check the boundary between ECC-2 and CCC if you're in scope of both. Where ECC used to cover something CCC now governs, your evidence needs to move with the rule.
- Plan the next assessment against ECC-2, not ECC-1. Auditors will not be sympathetic to "we built this against the old version."
If you completed nothing under ECC-1, the practical advice is unchanged: foundation first. Asset inventory. Ownership. Then build the policy and control stack around the new 108 with the framework consolidation in mind from day one.
ECC-2 isn't a rewrite. It's a tightening. The organizations that handled ECC-1 well will find ECC-2 manageable; the ones that treated ECC-1 as a paperwork exercise will discover that consolidating overlap exposes the gaps that the duplication was previously hiding.