Saudi Arabia’s Critical Systems Cybersecurity Controls (CSCC): What In-Scope Organizations Need to Know

Critical systems have become one of the most attractive targets for cyberattacks.
Energy providers, financial institutions, healthcare organizations, telecommunications companies, government entities, and industrial operators rely on systems that support essential services. A successful cyberattack against these environments can disrupt operations, impact public services, expose sensitive information, and create significant financial and reputational damage.
Recognizing these risks, Saudi Arabia’s National Cybersecurity Authority (NCA) introduced the Critical Systems Cybersecurity Controls (CSCC) to strengthen the protection of systems whose compromise could have serious national or organizational consequences.
The framework goes beyond general cybersecurity recommendations. It establishes governance, technical, operational, and resilience requirements specifically designed for organizations operating critical systems within the Kingdom.
What Is the NCA CSCC?
The Critical Systems Cybersecurity Controls (CSCC) is a regulatory framework published by the Saudi National Cybersecurity Authority (NCA). It builds upon the Essential Cybersecurity Controls (ECC) while introducing additional requirements for systems classified as critical.
The framework applies to organizations responsible for operating or managing critical systems whose disruption could significantly affect national security, public services, economic stability, or critical business operations.
Unlike broader cybersecurity frameworks, CSCC focuses specifically on protecting high-impact environments where system availability, operational resilience, and security governance are equally important.
Why CSCC Exists
Critical systems face a different level of risk than traditional enterprise environments.
Attackers targeting operational technology, industrial control systems, healthcare infrastructure, financial platforms, and government services are often pursuing objectives beyond data theft. Operational disruption, service outages, ransomware, espionage, and supply chain compromise have become increasingly common across critical sectors.
Saudi Arabia developed CSCC to provide organizations with a structured framework for reducing these risks while improving cyber resilience across nationally important services.
The framework encourages organizations to adopt consistent security practices while maintaining visibility into the systems that support critical operations.
How CSCC Differs From the Essential Cybersecurity Controls (ECC)
Organizations already complying with the NCA Essential Cybersecurity Controls sometimes assume that CSCC introduces an entirely separate compliance program.
In practice, the relationship is different.
The ECC establishes the baseline cybersecurity requirements expected across regulated organizations. CSCC builds on that foundation by introducing additional controls that address the higher risks associated with critical systems.
These additional requirements strengthen areas such as:
- Critical asset identification
- Operational resilience
- Secure architecture
- Network segregation
- Third-party access
- Continuous monitoring
- Incident response
- Disaster recovery
- System availability
Organizations operating critical systems should therefore view CSCC as an extension of existing cybersecurity governance rather than a replacement for ECC.
The Four Control Domains
The CSCC consists of 32 main controls and 73 subcontrols organized across four domains.
Cybersecurity Governance. This domain covers the policies, roles, and risk management processes that govern how critical systems are owned and managed. Organizations must assign clear accountability for critical system security, maintain documented policies, and integrate cybersecurity into their broader governance structures. Risk assessments specific to critical systems are required, as is ongoing compliance monitoring against both the ECC and CSCC.
Cybersecurity Defense. The defense domain specifies the technical controls organizations must implement to protect critical systems. These include asset management, access control, network segmentation, vulnerability management, and security monitoring. Compared to ECC requirements, CSCC tightens operational cadences: firewall configurations must be reviewed every six months, vulnerability assessments must be conducted monthly, and penetration testing must occur at least twice a year. Security event logging and threat detection capabilities must be in place and actively maintained.
Cybersecurity Resilience. Resilience controls address what happens when a critical system is disrupted. Business continuity plans must account for the impact of cybersecurity incidents, and recovery capabilities must be tested. Incident response procedures must be established, documented, and exercised. The CSCC recognizes that continuity planning for a system with national significance requires more than standard disaster recovery: it demands scenario-tested playbooks and formal recovery time objectives tied to the criticality classification.
Third-Party and Cloud Computing Cybersecurity. This domain reflects the interconnected nature of critical system environments. Organizations must extend their security requirements to third parties who have access to or provide services for critical systems. Vendor risk assessments, contractual security obligations, and ongoing monitoring of third-party access are all required. Cloud-specific controls under subdomain 4-2 apply only where an organization uses or plans to use cloud services, and organizations are expected to maintain their own security posture regardless of shared responsibility models with cloud providers.
The CSCC in Practice: Key Compliance Considerations
Operationalizing the CSCC requires more than deploying security tools. The framework demands demonstrable, evidence-backed compliance. The NCA can conduct audits, and compliance must be treated as a continuous process rather than a point-in-time exercise. Several practical realities define what this looks like on the ground.
Self-assessment is the starting point, not the endpoint. Organizations must formally identify which systems are critical and produce a Statement of Applicability that justifies which controls apply and why. This document is a live artifact that needs to reflect changes in systems, services, and risk exposure.
Cadence matters. The CSCC is specific about frequency. Monthly vulnerability assessments, semi-annual firewall reviews, and twice-yearly penetration tests are minimum requirements, not recommendations. Organizations that rely on annual cycles for these activities will not meet the standard.
ECC compliance is a prerequisite. An organization cannot satisfy the CSCC without first fully implementing the ECC. The two frameworks are hierarchical. Gaps at the ECC level compound into larger gaps at the CSCC level, and NCA auditors assess both.
Multi-framework mapping reduces duplication. Organizations subject to both the ECC and CSCC often also operate under SAMA’s Cybersecurity Framework, ISO 27001, or other standards. Many controls overlap across these frameworks. Mapping controls systematically — showing how a single implemented control satisfies requirements in multiple frameworks — avoids redundant evidence collection and reduces audit burden.
Managing CSCC Compliance with a GRC Platform
The volume of controls, the frequency of required activities, and the evidence documentation expected by NCA auditors make manual compliance management impractical for most organizations. A GRC platform structured around the CSCC and ECC control frameworks gives compliance teams a single system of record: one place to track control implementation status, assign control ownership, collect and store audit evidence, and monitor compliance posture in real time. For organizations managing obligations across multiple frameworks simultaneously, Complyan’s control mapping capability links implemented controls to requirements across NCA ECC, CSCC, SAMA CSF, UAE IA, and ISO 27001 within a single platform, eliminating the fragmented evidence trails that make multi-framework audits costly and error-prone.
For organizations building their NCA compliance program from the ground up, it is also worth reviewing Complyan’s detailed coverage of the NCA ECC framework, which provides context on how the ECC operates and what ECC-2:2024’s tier-based compliance model means for organizations in scope. Since ECC compliance is a prerequisite for CSCC compliance, understanding the baseline framework is an essential first step.
Compliance as Operational Reality
The CSCC reflects a considered regulatory position: that systems with the potential to affect national security, public safety, and economic stability require a higher standard of cybersecurity discipline than general-purpose IT environments. For organizations that fall within scope, compliance is a legal obligation enforced through NCA audit authority. Beyond the regulatory requirement, the CSCC’s control structure (governance accountability, tightened operational cadences, tested resilience, and extended third-party requirements) represents a credible framework for managing cybersecurity risk in high-stakes environments.
Organizations that treat CSCC compliance as a checkbox will find audits difficult and control gaps persistent. Those that build compliance into their operational processes, with clear ownership, continuous monitoring, and structured evidence management, will find the framework achievable and the audit process manageable.