The National Cybersecurity Authority (NCA), established in 2017 in the Kingdom of Saudi Arabia, aims to strengthen cybersecurity to safeguard the State’s vital interests, national security, critical infrastructure, priority sectors, and government services and activities.
Key takeaways:
- Saudi Arabia’s National Cybersecurity Authority (NCA) has introduced a set of mandatory cybersecurity frameworks, including Essential Cybersecurity Controls (ECC), Cloud Cybersecurity Controls (CCC), and Critical Systems Cybersecurity Controls (CSCC) to protect national data, infrastructure, and digital services—all central to the Kingdom’s Vision 2030 digital transformation goals.
- Compliance with NCA standards ensures data protection, regulatory alignment, and operational resilience, especially for sectors like government, finance, healthcare, and telecom.
- The Entrust Cryptographic Security Platform (CSP) is designed to help organizations meet NCA’s cybersecurity mandates, particularly around cryptographic key management and data protection by providing centralized visibility and control, policy automation, and audit and reporting tools.
- Businesses that meet NCA guidelines can see reduced regulatory exposure and cybersecurity risk, improved operational efficiency, and positive organizational growth.
National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC)
The Essential Cybersecurity Controls (ECC), established by Saudi Arabia's National Cybersecurity Authority (NCA), set the minimum cybersecurity requirements for organizations within the Kingdom. The document includes 114 controls designed to ensure the confidentiality, integrity and availability of an organization’s information and technology assets. They revolve around the four pillars of people, technology, processes and strategy. For cryptography-related controls, it refers to the NCS.
The NCS (National Cryptographic Standards, NCS-1:2020) was developed and published by the NCA in 2020 to prescribe the minimum acceptable cryptographic requirements for civilian and commercial purposes to protect national data, systems and networks. It defines two levels of strength and security for cryptographic systems and mechanisms, the MODERATE level and the ADVANCED level, to ensure flexibility and efficiency in implementation.
It includes accepted symmetric and asymmetric primitives, symmetric and asymmetric schemes, some of the accepted common application protocols related to cryptography, Public Key Infrastructure (PKI) and Key Lifecycle Management (KLM). The document also presents appendices on topics of importance to cryptographic operations, such as Pseudo Random Number Generation (PRNG), Post-Quantum Cryptography and Side-Channel Attacks.
Each national entity is required to choose and implement the appropriate cryptographic standard level based on the nature and sensitivity of the data, systems and networks to be protected. Furthermore, other cybersecurity regulations, issued by the NCA, may mandate the use of a particular cryptographic standard level to protect data, systems and networks.
ECC requirements: Cryptographic Key Management
ECC defines 114 controls, a set of guidelines meant to help organizations improve their cybersecurity posture. Different cybersecurity solutions are available to comply with these recommendations across a wide range of areas, including governance, resilience, and cloud security. Out of these 114 controls, Entrust can help you meet the controls related to cryptographic key management by managing cryptographic keys in accordance with FIPS standards, and by establishing visibility and control of those keys.
Alongside the ECC (Essential Cybersecurity Controls), the CCC (Cloud Cybersecurity Controls) and CSCC (Critical Systems Cybersecurity Controls) are cybersecurity frameworks established by Saudi Arabia's National Cybersecurity Authority (NCA).
Here are the relevant controls from ECC (section 2-8 Cryptography), CCC and CSCC.
2-8 Cryptography
Objective: To ensure the proper and efficient use of cryptography to protect information assets as per organizational policies and procedures, and related laws and regulations.
ECC defined controls:
- 2-8-1 Cybersecurity requirements for cryptography must be defined, documented and approved.
- 2-8-2 The cybersecurity requirements for cryptography must be implemented.
- 2-8-3 The cybersecurity requirements for cryptography must include at least the following:
  - 2-8-3-1 Approved cryptographic solutions standards and their technical and regulatory limitations.
  - 2-8-3-2 Secure management of cryptographic keys during their lifecycles.
  - 2-8-3-3 Encryption of data in-transit and at-rest as per classification and related laws and regulations.
- 2-8-4 The cybersecurity requirements for cryptography must be reviewed periodically.
In addition, the Cloud Cybersecurity Controls (CCC-1:2020) were developed as an extension to the ECC to achieve higher levels of national cybersecurity goals by focusing on cloud computing services from the perspective of Cloud Service Providers (CSPs) and Cloud Service Tenants (CSTs).
Relevant CCC defined controls under Section 2-7 and Section 2-15:
- 2-7-P-1 In addition to subcontrols in the ECC control 2-8-3, the CSP and CST shall cover the following additional subcontrols for cryptography, as a minimum:
  - 2-7-P-1-1 Technical mechanisms and cryptographic primitives for strong encryption, in accordance with the advanced level in the National Cryptographic Standards (NCS-1:2020).
  - 2-7-P-1-2 Certification authority and issuance capability in a secure manner, or usage of certificates from a trusted certification authority.
- 2-15-P-1 Cybersecurity requirements for the key management process within the CSP shall be identified, documented and approved.
- 2-15-P-2 Cybersecurity requirements for the key management process within the CSP shall be applied.
- 2-15-P-3 In addition to the ECC subcontrol 2-8-3-2, cybersecurity requirements for key management within the CSP shall cover, at minimum, the following:
  - 2-15-P-3-1 Ensure well-defined ownership for cryptographic keys.
  - 2-15-P-3-2 A secure cryptographic key retrieval mechanism in case of cryptographic key loss (such as backup of keys and enforcement of trusted key storage, strictly external to the cloud).
  - 2-15-P-3-3 Activating and monitoring of all audit trails of keys.
- 2-15-P-4 Cybersecurity requirements for key management within the CSP shall be reviewed periodically.
CSCC defined controls:
In addition to the subcontrols in ECC control 2-8-3, cybersecurity requirements for cryptography must include at least the following:
- 2-7-1-1 Encrypting all critical systems’ data-in-transit. Encrypting all critical systems’ data-at-rest at the level of files, database or certain columns within database.
- 2-7-1-2 Using secure and up-to-date methods, algorithms, keys and devices in accordance with what NCA issues in this regard.
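The controls above state requirements, not how to check them. As an added illustration (not NCA, NCS or Entrust code), the following script audits a constructed key inventory against the specific control IDs quoted above: ECC 2-8-3-2 (lifecycle/rotation), CCC 2-15-P-3-1 to 2-15-P-3-3 (ownership, external backup, audit trail) and CSCC 2-7-1-2 (approved algorithms). The record fields and the approved-algorithm table are assumptions; the real approved set must come from the NCS-1:2020 level the entity selects.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed inventory record; the field names are assumptions for this
# example, not an NCA, NCS or Entrust schema.
@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    key_bits: int
    owner: Optional[str]            # CCC 2-15-P-3-1: well-defined ownership
    created: date
    rotation_days: int              # ECC 2-8-3-2: lifecycle management
    backup_location: Optional[str]  # CCC 2-15-P-3-2: trusted storage external to the cloud
    audit_trail_enabled: bool       # CCC 2-15-P-3-3: audit trails activated and monitored

# Placeholder policy: the approved algorithms and minimum key sizes must be
# taken from the NCS-1:2020 level (MODERATE or ADVANCED) the entity selects.
APPROVED_ALGORITHMS = {"AES": 256, "RSA": 3072, "ECDSA": 256}

def audit_key(rec: KeyRecord, today: date) -> List[str]:
    """Return one finding per control the record fails; empty means compliant."""
    findings = []
    min_bits = APPROVED_ALGORITHMS.get(rec.algorithm)
    if min_bits is None or rec.key_bits < min_bits:
        findings.append("CSCC 2-7-1-2: algorithm or key size not in the approved set")
    if not rec.owner:
        findings.append("CCC 2-15-P-3-1: no defined key owner")
    if rec.backup_location is None or rec.backup_location.startswith("cloud:"):
        findings.append("CCC 2-15-P-3-2: no trusted backup external to the cloud")
    if not rec.audit_trail_enabled:
        findings.append("CCC 2-15-P-3-3: audit trail disabled")
    overdue = (today - rec.created).days - rec.rotation_days
    if overdue > 0:
        findings.append(f"ECC 2-8-3-2: rotation overdue by {overdue} days")
    return findings

def audit_inventory(records: List[KeyRecord], today: date) -> Dict[str, List[str]]:
    return {r.key_id: audit_key(r, today) for r in records}

# Constructed sample inventory and audit date (not real data).
AUDIT_DATE = date(2025, 6, 1)
SAMPLE = [
    KeyRecord("db-tde-01", "AES", 256, "dba-team", date(2025, 1, 1), 365, "hsm:onprem-vault", True),
    KeyRecord("legacy-rsa-07", "RSA", 2048, None, date(2024, 1, 1), 365, "cloud:bucket-a", False),
    KeyRecord("api-sign-03", "ECDSA", 256, "pki-team", date(2025, 5, 1), 90, None, True),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(SAMPLE, AUDIT_DATE).items():
        print(key_id, findings or "compliant")
```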
Entrust Cryptographic Security Platform (CSP):
The Entrust Cryptographic Security Platform is a next-generation solution designed to empower government and enterprise organizations in the Kingdom of Saudi Arabia with cryptographic control, visibility, and policy enforcement to help align with the stringent cybersecurity standards set forth by the National Cybersecurity Authority (NCA).
As the Kingdom accelerates its digital transformation under Vision 2030, Entrust CSP can play a foundational role in helping ensure the integrity, confidentiality, and compliance of cryptographic systems across diverse sectors, from eGovernment services and healthcare to finance and telecommunications.
The platform provides a centralized, policy-driven architecture that enables organizations to gain complete visibility and control over all digital certificates, encryption keys, and secrets distributed across their environments. With its intuitive dashboard, CSP allows security teams to continuously assess cryptographic posture, identify misconfigurations or non-compliant assets in real time, and automatically enforce policy updates in alignment with evolving NCA control frameworks. It also offers built-in templates for cryptographic policy mapping, key usage constraints, and certificate authority management across internal and third-party cryptographic services.
Entrust CSP further helps strengthen operational compliance by supporting automation of certificate issuance, renewal, revocation, and monitoring across both traditional IT environments and modern cloud-native infrastructures. Its compatibility with industry-standard protocols ensures seamless integration into existing DevOps and enterprise IT workflows, while reducing the risk of manual errors or expired certificates that could lead to service outages or regulatory violations.
Importantly, Entrust CSP supports Saudi-specific data residency, sovereignty, and segmentation needs, allowing deployment models that adhere to NCA guidelines on localized data processing and cryptographic boundary control. Through detailed audit logging, real-time risk scoring, and immutable activity tracking, Entrust CSP enables full traceability of cryptographic operations and key lifecycle events, which supports both internal audit and NCA compliance reporting.
Entrust KeyControl:
Entrust KeyControl, part of the CSP platform, redefines cryptographic key management by combining traditional key lifecycle management and a decentralized vault-based architecture with a comprehensive central policy and compliance management dashboard. The platform offers decentralized security with centralized visibility across your enterprise’s cryptographic ecosystem. This helps you meet ECC control 2-8-3-2, which requires secure management of cryptographic keys during their lifecycle.
KeyControl, the vault-based key manager, offers you the ability to tightly manage, monitor, and control keys and secrets, which helps you comply with national and international standards and regulations, including NCA. It offers a flexible way to architect and deploy key and secrets vaults using either a single centralized approach or a decentralized model more suited to local regulations or security posture. Each vault manages keys and secrets for a wide range of use cases requiring a high level of security.
KeyControl provides cost-effective key packs per vault, meaning you only pay for what you need. There is no heavy capital investment required to get you up and running. Increase your quantity of key packs as your deployment needs grow and extend into other use cases in the KeyControl ecosystem.
Compliance Manager
At the apex of the CSP platform is Compliance Manager, which provides a single, unified dashboard that allows you to view and monitor your organization’s cryptographic assets, such as keys, certificates or secrets, located in one or many vaults.
The Compliance Manager policy engine allows detailed control of your cryptographic keys, certificates and secrets, offering full visibility, traceability, compliance tracking, and an immutable audit trail of all keys and secrets. This helps meet ECC 2-8-3-1 (use of only approved cryptographic solutions standards), CCC 2-7-P-1-1 (strong encryption in accordance with NCS-1:2020) and CSCC 2-7-1-2 (secure and up-to-date methods, algorithms, keys and devices in accordance with what NCA issues in this regard). Keys (even as encrypted tokens) never leave their vaults except to authorized endpoints.
nShield HSM Integration
KeyControl is certified to FIPS 140-3 Level 1. As per NCS, advanced organizations require higher levels of assurance. KeyControl can be seamlessly integrated with a FIPS 140-3 Level 3 Entrust nShield Hardware Security Module (HSM). This helps in meeting CCC 2-7-P-1-1 for strong encryption, in accordance with the advanced level in the National Cryptographic Standards (NCS-1:2020).
The HSM is used to protect the master key for the KeyControl virtual appliance. It generates cryptographic keys with high-quality entropy from the HSM’s random number generator and provides a FIPS 140-3 Level 3 root of trust.
Example Architecture
The suggested deployment journey:
- Start with one node of either CSP PKI or CSP Compliance Manager and Vault, which are independent of each other. The platform allows you to select the appropriate licenses for the required functionality, such as Key Management, Certificate Management or PKI.
- Add appropriate licenses or products to complete the use case. For example, you can add Database Key Management licenses or Cloud Key Management licenses on top of KeyControl Vault. You may add Timestamping, Validation Authority, or Certificate Enrollment Gateway on top of PKI.
- Add HSMs if needed. HSMs form the root of trust for your key management or PKI setup.
- Distribute the functionalities across multiple nodes.
- Establish visibility and control for all cryptographic assets managed in different vaults, using Compliance Manager in CSP. It allows you to create policies, compliance documentation and analyze risk.
Should you have any questions, reach out to the Entrust CSP Sales team to discuss your compliance needs in detail.
Learn how Entrust can help you comply with the cryptography-related National Cybersecurity Authority (NCA) regulations by watching this compliance webinar on demand.