The regulator publishes a framework. The consultant produces a 200-page policy document. The audit committee asks “are we compliant?” and nobody can answer because nobody operationalized it. This is the GRC gap that defines most KSA cybersecurity programs in 2026 — and it’s the gap EIE was built to close.
We turn regulator requirements into engineering specifications, audit evidence, and operational runbooks. Not policy theatre.
The KSA regulator landscape
National Cybersecurity Authority (NCA) — three layered frameworks:
- Essential Cybersecurity Controls (ECC) — the floor for all government and many private-sector entities. Now in v2 with five domains: cybersecurity governance, cybersecurity defence, cybersecurity resilience, third-party risk, industrial control systems.
- Critical Sectors Cybersecurity Controls (CCC) — applies to energy, water, telecommunications, transportation, financial services, healthcare. Higher bar than ECC, with sector-specific controls.
- Cloud Cybersecurity Controls (CSCC) — specific to cloud-hosted data and workloads. Cross-references CCC and ECC.
SAMA Cybersecurity Framework — mandatory for banks, financial institutions, insurance under SAMA supervision. Maturity-based across four levels (Initiated, Managed, Defined, Optimized). Requires evidence of continuous control operation, not point-in-time compliance.
Personal Data Protection Law (PDPL) — effective 2024. KSA’s GDPR equivalent. Data subject rights (access, rectification, erasure, portability), 72-hour breach notification, cross-border transfer restrictions, Data Protection Officer requirement for certain processing. Penalties up to SAR 5 million per violation.
ISO 27001 / 27701 — international standards. Often required for enterprise contracts and increasingly demanded by KSA government tenders.
Healthcare-specific — KSA Health Data Law and MOH-specific cybersecurity requirements for healthcare providers handling PHI.
NCA ECC implementation
The NCA ECC’s five domains break into 110+ controls. Implementation isn’t a checklist exercise; it’s an architecture exercise.
Our methodology:
Phase 1 — Gap analysis (4-6 weeks) — current-state assessment against each control, evidence collection, scoring, prioritized roadmap. Deliverable: gap analysis report + remediation roadmap.
Phase 2 — Roadmap implementation (3-9 months) — execute the roadmap, control by control. Includes documentation, technical implementation, process changes, training. Deliverable: implemented controls + evidence package.
Phase 3 — Audit readiness (4 weeks) — pre-audit dry run, evidence package finalization, audit firm liaison preparation. Deliverable: audit-ready organization.
Phase 4 — Continuous compliance (ongoing) — quarterly control effectiveness review, evidence refresh, drift detection. Deliverable: sustained compliance.
Common implementation patterns we see across 200+ KSA clients:
- Governance domain is usually weakest (board oversight, RACI, risk register).
- Defence domain is usually strongest (firewalls and EDR are common).
- Resilience domain is uneven (backups yes, tested recovery often not).
- Third-party risk is almost universally weak (vendor due diligence is a one-time gate, not continuous).
- ICS domain is binary — either non-existent or mature.
NCA Critical Sectors (CCC)
If you’re a bank, hospital, energy provider, telecommunications carrier, or transportation operator, NCA CCC applies. The bar is higher than ECC. Sector-specific controls add depth — for healthcare, additional controls around medical device cybersecurity, PHI handling, telemedicine; for energy, OT/ICS-specific controls.
CCC implementation builds on ECC; an organization with strong ECC implementation can reach CCC compliance with focused incremental work.
NCA Cloud Security Controls (CSCC)
Detailed treatment is in Cloud Security Posture Management. The short version: CSCC requires that cloud-hosted workloads meet NCA standards regardless of cloud provider. It cross-references ECC and CCC. CSPM tooling is the operational mechanism for continuous CSCC compliance.
SAMA Cybersecurity Framework
Banking-specific. Maturity-based assessment with four levels per control area: Initiated (basic), Managed (defined process), Defined (organizational), Optimized (continuous improvement). SAMA examines evidence that controls operate continuously, not just exist on paper.
Our SAMA engagements typically include: gap-to-maturity mapping per control area, prioritized roadmap by maturity gain per quarter, monthly reporting in SAMA-aligned format, quarterly tabletop exercises with documentation, audit firm coordination, and SAMA examiner liaison support.
Reporting expectations include incident summaries, control effectiveness metrics, third-party risk dashboards, and trend analytics across the framework.
PDPL — practical implementation
The PDPL is younger than the other regimes listed here, and implementation patterns are still maturing. Our practical implementation approach:
Data subject rights workflow — a public-facing form on your website (right-to-access, right-to-rectification, right-to-erasure, right-to-portability), a backend ticketing system that routes the request to your DPO and IT teams, a data discovery process that finds the requested data across your systems (CRM, ERP, marketing platforms, backups, archives), a fulfilment process that delivers the response within statutory timelines (typically 30 days). The hardest part is data discovery — most KSA enterprises don’t know where personal data lives.
Cookie consent and tracking pixel governance — every public-facing website needs PDPL-aligned cookie consent. We deploy CookieYes or similar tools, configure consent categories, integrate with Google Analytics and HubSpot pixel suppression for non-consenting users.
Cross-border data transfer — when personal data leaves KSA (cloud workloads in non-KSA regions, third-party processors abroad), PDPL requires specific safeguards. Standard Contractual Clauses, adequacy decisions, explicit consent — depending on context.
Data Protection Officer role — required for certain processors. Outsourced DPO services available for organizations without an internal hire.
Data breach notification (72-hour rule) — if a breach affects personal data, the regulator must be notified within 72 hours, and affected individuals must be notified where applicable. Our DFIR retainer integrates this notification workflow.
Penalties — up to SAR 5 million per violation. Regulators have shown they will enforce.
ISO 27001 readiness
ISO 27001 is the international standard for information security management systems (ISMS). It is increasingly demanded by KSA government tenders and large enterprise customers.
6-month vs 12-month pathway — depends on starting point. Organizations with strong NCA ECC implementation can compress to 6 months; greenfield organizations need 12.
Stage 1 audit — documentation review, readiness assessment by certifying body.
Stage 2 audit — operational evidence assessment. The harder one.
Statement of Applicability — the document defining which ISO 27001 controls apply to your organization and how. We prepare this with your team.
Risk treatment plan — how each identified risk is mitigated. Living document.
Internal audit cadence — minimum annual, typically twice yearly. We can run internal audits as a service.
From framework to operations
The retrofit anti-pattern: build something, then ask “is this compliant?” The retrofit costs two to four times more than designing in compliance from the start, and usually leaves residual gaps the auditor finds.
EIE’s pattern: gap → roadmap → operational runbooks → audit-ready evidence. At every stage, we produce artifacts that become operational rather than going into a binder.
Continuous compliance vs annual audit panic — most organizations cycle into a panic three months before audit, scrambling to assemble evidence. Continuous compliance maintains the evidence chain throughout the year, so audit week is calm.
Audit firm liaison
We don’t replace your audit firm; we make their job easier. Pre-audit readiness reviews, evidence package preparation, post-audit remediation tracking. We’ve worked with all major KSA audit firms — KPMG, Deloitte, PwC, EY, BDO, Crowe — and dozens of regional firms. We know what they want to see, and we deliver it in the format they expect.
Frequently asked questions
Do you replace our internal compliance team or augment it? Augment, primarily. Smaller organizations sometimes outsource the function entirely; larger organizations use us for specialist expertise (NCA implementation, ISO 27001 readiness, PDPL operationalization) on top of internal compliance leadership.
How long does NCA ECC implementation take from gap analysis to ready-for-audit? Six to nine months for a typical mid-size enterprise. Variables: existing maturity (most pivotal), management commitment, technical complexity, third-party risk inventory size.
Can EIE serve as outsourced DPO under PDPL? Yes. Our outsourced DPO service includes the role’s statutory responsibilities — advisory, monitoring, training, regulator liaison, breach notification handling — at a fraction of a full-time hire’s cost. Particularly suitable for mid-market organizations with PDPL exposure but not enough scale for an in-house DPO.
Does ISO 27001 certification automatically satisfy NCA ECC? No, but they overlap substantially. Roughly 70% of ECC controls map to ISO 27001 Annex A. Organizations with ISO 27001 typically need 4-8 weeks of incremental work to reach ECC.
How do you handle conflicting requirements between SAMA and ISO 27001? By controls mapping. Where a control exists in both frameworks, we implement to the higher bar. Where they truly conflict (rare), we document the decision rationale.
What evidence does NCA actually request during an audit? Policy documents, control implementation records (configurations, system screenshots, logs), incident records, training records, third-party assessment records, internal audit reports, board minutes referencing cybersecurity governance, and the risk register with treatment status.
Can EIE coordinate with regulator authorities during a breach? Yes, for technical briefing and evidence support. The legal communication remains your authority. We’ve supported clients through both NCA-reportable and SAMA-reportable incidents.
What about subsidiaries and sister companies — does each need its own program? Depends. If the subsidiary has independent operations and ICT, yes. If it inherits from the parent, often a unified program with subsidiary-specific addenda works. We design the structure to fit the legal entity reality.
Start with a gap analysis
A 4-6 week NCA ECC gap analysis is the typical entry point. Output: gap report, remediation roadmap, executive briefing.