
NCA ECC + OTCC + CCC: a unified Saudi cyber readiness plan.

Sequenced 6-month plan that satisfies NCA ECC, OTCC and CCC with one control library.

Author: KSA Cyber Practice · Published: Mar 2026 · Read time: 6 min · Format: Playbook
Tags: Regulatory (UAE/GCC), Playbook, Cybersecurity, Regulatory, UAE, KSA
MAST Consulting Group · Regulatory (UAE/GCC) practice

This playbook captures the sequence MAST Consulting Group uses on Regulatory (UAE/GCC) engagements when a programme owner has roughly the next two quarters to show measurable progress. It is opinionated, written to be lifted into your own plan, and assumes you already have a control framework in place — the question is how to move from documented to demonstrably operating.

Definition

Saudi Arabia's National Cybersecurity Authority (NCA) has issued three mandatory control sets that overlap heavily: the Essential Cybersecurity Controls (ECC-1:2018: 5 domains, 29 subdomains, 114 controls), the Operational Technology Cybersecurity Controls (OTCC-1:2022, for ICS/SCADA environments), and the Cloud Cybersecurity Controls (CCC-1:2020, with separate control sets for cloud service providers and cloud service tenants). Confirm the edition in force on the NCA portal before you map anything; the NCA revises these documents and control numbering shifts between editions. Organisations subject to all three, typically energy, utilities or financial entities running both OT and cloud workloads, can build a single unified control library that satisfies all three at once: approximately 45% of the controls overlap closely enough to share a single evidence artefact, so that share of the evidence collection is done once instead of three times.

Why it matters

The pressure on Regulatory (UAE/GCC) programmes is shifting in specific, observable ways:

  • NCA compliance is mandatory for government entities and critical national infrastructure operators; gaps identified during an NCA assessment trigger mandatory remediation that the NCA tracks until closed, so a missed cycle becomes a supervisory matter rather than an internal one.
  • ECC-1 subdomain 2-2 (Identity and Access Management) and the corresponding CCC-1 identity and access controls address the same risk; evidencing them separately doubles evidence collection with no additional risk reduction.
  • OTCC-1 adds network security and segmentation requirements at the OT/IT boundary that ECC-1 does not spell out; organisations that leave OTCC-1 out of scope for their ICS environments receive critical findings in NCA assessments, which drag down the overall readiness score.
  • The Saudi PDPL's security-measures obligations for organisations processing personal data intersect with ECC-1 domain 3 (Cybersecurity Resilience) and the data-protection controls in domain 2; a unified programme evidences both at once.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Unified control library — one row per control with ECC-1 control ID, OTCC-1 control ID, CCC-1 control ID, shared evidence artefact reference, owner and status (gap / documented / operating).
  • Network segmentation diagrams — OT/IT boundary, DMZ placement, the OTCC-1 segmentation controls each boundary satisfies, and the date of the last firewall rule set review.
  • Cloud security assessment — CCC-1 control references, CSP configuration evidence (AWS Config or Azure Policy compliance exports), and the count of open misconfigurations by severity.
  • Access management audit log — user provisioning and deprovisioning records, privileged access review sign-offs, and ECC-1 subdomain 2-2 compliance status.
  • NCA self-assessment questionnaire (SAQ) submission — domain scores, last submission date, and the delta against the prior cycle.
  • Incident response drill records — tabletop exercise date, which OTCC-1 OT incident scenarios were covered, findings and remediation actions with closure dates.

Recommended next actions

The first 90 days of the two-quarter plan, sequenced so each step produces the evidence the next step depends on:

  • Day 0–30: CISO maps all three frameworks into a unified control library (spreadsheet or a GRC tool such as Archer); identifies the controls that can share an artefact (roughly 45%); tags the OTCC-1 and CCC-1 delta controls that need their own evidence.
  • Day 31–60: OT Security Engineer implements the OTCC-1 segmentation requirements at the IT/OT boundary for all ICS/SCADA environments; documents firewall rule changes and the DMZ architecture, and records the rule-review date so the quarterly review has a baseline.
  • Day 61–90: Cloud Security Engineer runs the CCC-1 self-assessment using AWS Config or Azure Policy compliance data; remediates high-severity misconfigurations; generates a compliance report with each finding mapped to a CCC-1 control ID.
  • Day 90+: Compliance Officer consolidates evidence across all three frameworks into the GRC platform; submits the NCA SAQ with the supporting evidence package; engages an NCA-approved assessor for independent validation.
  • Ongoing: Security team remediates critical vulnerabilities within its 48-hour SLA; updates the unified control library quarterly; repeats the NCA SAQ submission annually.
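The Day 0–30 step and the "unified control library" evidence source above describe the same artefact: a crosswalk in which controls from the three frameworks point at shared evidence references. The script below is an added example, not MAST Consulting Group's tooling, showing the three computations a practitioner actually wants from that library: what fraction of controls share an artefact, which controls of a given framework are delta controls needing their own evidence, and the worst-case status per artefact. The control IDs, titles, owners and evidence references are constructed placeholders (assumption), not the NCA's published numbering.

```python
"""Unified control library: crosswalk ECC / OTCC / CCC controls to shared evidence.

Added example, not MAST Consulting Group's tooling. The control IDs, titles,
owners and evidence references below are constructed placeholders; replace
them with the NCA's published control numbers and your own artefact IDs.
"""
import csv
import io
from collections import defaultdict

# Constructed sample library (assumption). One row per framework control; rows
# that share an evidence_ref are evidenced by the same artefact.
SAMPLE_LIBRARY = """\
framework,control_id,title,evidence_ref,owner,status
ECC,2-2-3,Privileged access review,EV-IAM-01,IAM lead,operating
CCC,2-2-1,Cloud privileged access review,EV-IAM-01,IAM lead,operating
OTCC,2-2-1,OT privileged access review,EV-IAM-01,OT security,documented
ECC,2-5-2,Network segmentation,EV-NET-01,Network lead,operating
OTCC,2-5-3,OT/IT boundary segmentation,EV-NET-02,OT security,documented
CCC,2-5-4,Tenant network isolation,EV-NET-03,Cloud security,gap
ECC,3-1-1,BCM cybersecurity resilience,EV-BCM-01,Resilience lead,documented
OTCC,3-1-1,OT incident response exercise,EV-BCM-01,Resilience lead,documented
"""

STATUS_RANK = {"gap": 0, "documented": 1, "operating": 2}


def load_library(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def by_evidence(rows):
    """Group controls by the artefact that evidences them."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["evidence_ref"]].append(row)
    return groups


def overlap_stats(rows):
    """Return (shared, total, fraction): 'shared' counts controls whose artefact
    also evidences a control from at least one other framework."""
    shared = 0
    for members in by_evidence(rows).values():
        if len({m["framework"] for m in members}) > 1:
            shared += len(members)
    return shared, len(rows), shared / len(rows)


def delta_controls(rows, framework):
    """Control IDs of `framework` whose artefact evidences nothing in any other
    framework: these are the delta controls that need their own evidence."""
    groups = by_evidence(rows)
    return [
        row["control_id"]
        for row in rows
        if row["framework"] == framework
        and {m["framework"] for m in groups[row["evidence_ref"]]} == {framework}
    ]


def evidence_status(rows):
    """Worst status per artefact: a shared artefact is only as strong as the
    weakest control it is supposed to evidence."""
    return {
        ref: min((m["status"] for m in members), key=STATUS_RANK.__getitem__)
        for ref, members in by_evidence(rows).items()
    }


def report(text=SAMPLE_LIBRARY):
    """Plain-text summary suitable for the monthly metrics pack."""
    rows = load_library(text)
    shared, total, frac = overlap_stats(rows)
    lines = [f"{shared}/{total} controls ({frac:.0%}) share an artefact with another framework"]
    for fw in ("OTCC", "CCC"):
        lines.append(f"{fw} delta controls needing separate evidence: {delta_controls(rows, fw)}")
    for ref, status in sorted(evidence_status(rows).items()):
        lines.append(f"{ref}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The worst-status rule in `evidence_status` is the point worth keeping even if the rest is replaced by a GRC platform: when one artefact evidences three controls and one of those controls is still only documented, the artefact cannot be presented as "operating" to any of the three regulators without the reviewer finding the gap on the first sample.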

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Unified control library coverage: 100% of ECC-1, OTCC-1 and CCC-1 controls mapped within 30 days; ≥45% sharing a common evidence artefact.
  • NCA SAQ maturity score: target ≥85% across ECC-1 domains; ≥80% across OTCC-1 and CCC-1 domains.
  • OT network segmentation: zero direct IT-to-OT routable paths (the OTCC-1 boundary segmentation requirement); validated by a quarterly firewall rule review that checks effective rules, not just documented intent.
  • Cloud misconfiguration rate: ≤5 high-severity misconfigurations open at any time per CCC-1 self-assessment.
  • Incident response drill cadence: ≥2 tabletop exercises per year covering OTCC-1 scenarios; findings remediated within 60 days.
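The segmentation metric above ("zero direct IT-to-OT routable paths, validated by quarterly firewall rule review") is only meaningful if the review evaluates rules the way the firewall does: in order, first match wins, so a deny placed after an allow does not neutralise it. The script below is an added example, not MAST Consulting Group's tooling, that runs that review over a simplified rule export. The zone CIDRs and the six sample rules are constructed (assumption), and the export format is a generic tuple, not any vendor's native syntax.

```python
"""IT/OT boundary firewall rule review with first-match semantics.

Added example, not MAST Consulting Group's tooling. Zones, CIDRs and rules are
constructed placeholders; the rule tuple format is a simplified export, not a
vendor's native syntax.
"""
import ipaddress

# Constructed zone model (assumption): adjust to the site's real addressing.
ZONES = {
    "IT":  [ipaddress.ip_network("10.0.0.0/8")],
    "DMZ": [ipaddress.ip_network("172.16.10.0/24")],
    "OT":  [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.101.0/24")],
}

# Constructed rule export (assumption): (rule_id, src, dst, proto, dport, action),
# listed in the order the firewall evaluates them. dport 0 / proto "any" = wildcard.
SAMPLE_RULES = [
    ("R1", "10.20.5.0/24",     "172.16.10.5/32",    "tcp", 443,  "allow"),  # IT -> DMZ jump host
    ("R2", "172.16.10.5/32",   "192.168.100.0/24",  "tcp", 3389, "allow"),  # DMZ jump -> OT
    ("R3", "10.0.0.0/8",       "192.168.100.10/32", "tcp", 502,  "allow"),  # IT -> OT Modbus: finding
    ("R4", "0.0.0.0/0",        "192.168.101.0/24",  "tcp", 22,   "allow"),  # any -> OT SSH: finding
    ("R5", "192.168.100.0/24", "10.30.1.20/32",     "udp", 514,  "allow"),  # OT -> IT syslog to SIEM
    ("R6", "10.0.0.0/8",       "192.168.100.0/24",  "any", 0,    "deny"),   # too late to shadow R3
]


def zone_of(cidr):
    """Set of zone names a CIDR overlaps; a wildcard source overlaps every zone."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {name for name, nets in ZONES.items() if any(net.overlaps(z) for z in nets)}


def covers(outer, inner):
    """True if CIDR `inner` lies entirely within CIDR `outer`."""
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def shadowed_by_earlier_deny(rule, earlier):
    """First-match: an allow is dead if an earlier deny fully covers it."""
    _, src, dst, proto, dport, _ = rule
    for _, esrc, edst, eproto, edport, eaction in earlier:
        if (eaction == "deny" and covers(esrc, src) and covers(edst, dst)
                and eproto in ("any", proto) and edport in (0, dport)):
            return True
    return False


def review(rules):
    """Return findings for effective allow rules that reach the OT zone."""
    findings = []
    for i, rule in enumerate(rules):
        rule_id, src, dst, proto, dport, action = rule
        if action != "allow" or shadowed_by_earlier_deny(rule, rules[:i]):
            continue
        src_z, dst_z = zone_of(src), zone_of(dst)
        if "OT" in dst_z and "IT" in src_z:
            findings.append({"rule": rule_id, "severity": "critical",
                             "reason": f"IT->OT allow bypasses the DMZ ({proto}/{dport})"})
        elif "OT" in dst_z and "DMZ" in src_z and (proto == "any" or dport == 0):
            findings.append({"rule": rule_id, "severity": "high",
                             "reason": "DMZ->OT allow is not restricted to a service"})
    return findings


def direct_it_to_ot_paths(rules):
    """The metric reported monthly: effective IT->OT allows. Target is zero."""
    return sum(1 for f in review(rules) if f["severity"] == "critical")


if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print(f"{f['rule']}: {f['severity']} - {f['reason']}")
    print("direct IT->OT paths:", direct_it_to_ot_paths(SAMPLE_RULES))
```

R4 is the case that manual reviews miss most often: its source is `0.0.0.0/0`, which never says "IT" anywhere in the rule, but it overlaps the IT zone and therefore is a direct IT-to-OT path. R6 looks like the control that should stop R3, but it sits below it, so the metric still reads 2 until the deny is moved above the allow or R3 is removed.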

A two-quarter working plan

MAST Consulting Group runs this Regulatory (UAE/GCC) work in four moves. Each move is short, evidence-producing, and signed off by a Lead Practitioner before the next begins.

  • Frame (week 1). Confirm scope, the NCA control sets and any other regulators in play (SAMA CSF where a SAMA-regulated entity is involved), and the decisions the work has to enable. Without that framing, the rest becomes a documentation exercise the audit committee will not read.
  • Diagnose (weeks 2–4). Walk through the existing SAQ responses and assessment evidence pack as they stand today. Capture not just gaps but the design decisions behind every existing control; those are usually where audit findings hide.
  • Design (weeks 5–8). Make the contested choices early and, where the question is one of interpretation, pre-clear them with the NCA or the sector regulator. Document the rationale; reviewers care more about reasoned decisions than perfect ones.
  • Operate (weeks 9–12). Move evidence collection into an evidence repository with regulator tagging, fed by data extracts from core systems on a fixed cadence. A control that depends on a separate GRC tool nobody opens will fail within two cycles.

Pitfalls we keep seeing

Across MAST Consulting Group's Regulatory (UAE/GCC) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: controls listed against the regulator but not operating consistently. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: thematic-review or SAQ responses prepared in the week of the visit. What good looks like: evidence collected on a fixed cadence throughout the year, so the response is assembled from the repository rather than written from memory.
  • Pattern: no single source of truth across multiple supervisors. What good looks like: one unified control library in which every regulator's control ID sits against the same artefact, owner and status.
  • Pattern: evidence packs that are unique to each regulator instead of harmonised. What good looks like: one harmonised pack generated from the library and filtered by regulator tag, so a change in the underlying evidence reaches every pack at once.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Regulatory (UAE/GCC) engagements. None of it is chosen because it is fashionable; each item earns its place because the integrations are cheap and the audit trail it generates is one the reviewer accepts on the first ask:

  • a unified control framework (UCF) in a GRC tool or a curated spreadsheet, holding every regulator's control ID against a single artefact reference;
  • an evidence repository with regulator tagging, so one artefact can be filtered into each supervisor's pack;
  • data extracts from core systems on a fixed cadence, so the evidence is produced by the systems the controls govern rather than assembled by hand.

How MAST Consulting Group can help

MAST Consulting Group runs Regulatory (UAE/GCC) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this playbook is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Regulatory (UAE/GCC) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
