NCA ECC MFA Compliance: Requirements, Implementation & Best Practices
Saudi Arabia’s National Cybersecurity Authority (NCA) sets the cybersecurity standard for government entities and critical infrastructure operators across the Kingdom. At the heart of that framework is the Essential Cybersecurity Controls (ECC) — a mandatory set of requirements that explicitly includes Multi-factor Authentication (MFA) as a core control. If your organization operates in Saudi Arabia or handles Saudi government data, understanding and implementing these requirements is not optional.
This guide covers what the NCA ECC requires for authentication and MFA, who must comply, and how to build a compliant, effective deployment.
What is the NCA and the Essential Cybersecurity Controls?
The National Cybersecurity Authority (NCA) is the Kingdom of Saudi Arabia’s national authority for all matters related to cybersecurity. Established in 2017, with its Statute issued by Royal Order No. 6801, the NCA reports directly to the Head of State and serves as the national reference and regulatory body for cybersecurity policy, frameworks, standards, controls, and guidelines across the Kingdom.
The NCA’s flagship compliance instrument is the Essential Cybersecurity Controls (ECC) — a comprehensive set of mandatory cybersecurity requirements developed for government entities and critical infrastructure operators. The ECC was first issued in 2018 (ECC-1:2018) and has since been updated to ECC 2-2024, strengthening several controls including those related to MFA.
The ECC is structured around 4 main domains, 28 subdomains, 108 main controls, and 92 subcontrols, covering everything from cybersecurity governance and identity management to incident response, resilience, and third-party security. It is not a voluntary framework. For entities within its scope, continuous compliance is required under Article 10(3) of the NCA Statute and High Order No. 57231.
The ECC was developed in the context of Saudi Vision 2030, which drives an ambitious national digital transformation agenda. As government services and critical infrastructure become increasingly digitized, the NCA’s controls provide the minimum cybersecurity baseline required to protect that transformation.
Who Does the NCA ECC Apply To?
The ECC’s mandatory requirements apply to two primary categories of organizations:
Government Agencies: All Saudi government entities — including ministries, authorities, establishments, and their affiliated companies and entities, whether located inside or outside the Kingdom of Saudi Arabia. This is a broad and mandatory obligation with no exceptions for size or sector.
Critical National Infrastructure (CNI) Operators: Any private sector entity that owns, operates, or hosts Critical National Infrastructure in the Kingdom. CNI is defined as infrastructure whose loss or compromise would result in significant negative impacts on essential services, national security, national defense, the state economy, or national capacities.
In addition, the NCA strongly encourages all other private sector organizations operating in Saudi Arabia to adopt and comply with the ECC as a cybersecurity best practice baseline — even when not strictly mandated.
A note for international organizations: The ECC’s reach extends to affiliated entities of Saudi government agencies operating outside the Kingdom. International companies providing technology services, cloud hosting, managed security services, or IT outsourcing to Saudi government entities or CNI operators are expected to comply with ECC requirements under their service agreements. ECC Control 4-1-3-2 specifically requires that cybersecurity managed service centers for monitoring and operations that use remote access be fully located within Saudi Arabia. Organizations should review their specific service model and third-party obligations against this and related cloud and hosting controls to determine applicability.
What Are the NCA ECC Requirements?
The ECC is organized into four main domains. The controls most directly relevant to MFA and authentication fall within the Cybersecurity Defense domain, but governance and audit requirements across all domains support a compliant MFA deployment.
The following table summarizes the ECC controls most relevant to MFA and authentication:
ECC Control
Requirement
MFA Relevance
LoginTC Relevance
2-2-3-2
MFA for remote access and privileged accounts
Mandatory
VPN, RDP, admin access via RADIUS/LDAP/AD
2-4-3-2
MFA for remote and webmail email access
Mandatory
Email access flows where supported
2-15-3-5
Authentication factors for external web apps based on impact assessment
Risk-based
Web application MFA
2-12-3
Cybersecurity event logs and monitoring, 12-month retention
Audit evidence
Authentication logs, SIEM integration
4-1 / 4-2
Third-party, outsourcing, cloud and hosting requirements
Architecture review
On-premises deployment option
Domain 1: Cybersecurity Governance
Before deploying any technical controls, entities must establish the governance foundations that support them.
Cybersecurity Strategy (1-1): Entities must define, document, and gain authorized approval for a cybersecurity strategy aligned with legislative and regulatory requirements — including the ECC itself.
Cybersecurity Risk Management (1-5): A risk management methodology must be implemented and applied at the start of technology projects, before infrastructure changes, and during planning for new services. This risk-first approach directly informs MFA deployment decisions.
Cybersecurity Awareness and Training (1-10): All personnel must receive cybersecurity awareness training. Staff in technical and cybersecurity roles require specialized training aligned with their responsibilities. This has direct implications for MFA rollout — user training is an ECC requirement, not just a best practice.
Domain 2: Cybersecurity Defense — Identity and Access Management
The Identity and Access Management subdomain (2-2) is where the ECC’s MFA requirements are most directly stated.
Control 2-2-3 requires that cybersecurity requirements for identity and access management include, at minimum:
Single-factor authentication based on username and password (2-2-3-1)
Multi-factor Authentication for remote access and privileged accounts, with authentication factors, their number, and techniques defined based on an impact assessment of authentication failure and bypass (2-2-3-2)
User authorization based on Need-to-Know, Need-to-Use, Least Privilege, and Segregation of Duties principles (2-2-3-3)
Privileged access management (2-2-3-4)
Periodic review of identities and access rights (2-2-3-5)
The 2024 update to the ECC strengthened this control significantly. Where ECC-1:2018 required MFA simply for “remote access,” ECC 2-2024 now explicitly extends the requirement to privileged accounts and introduces the requirement that authentication factors be defined based on an impact assessment — raising the bar from checkbox compliance to risk-informed deployment.
Control 2-4-3-2 requires MFA for remote and webmail access to an entity’s email service, with authentication factors and techniques defined based on an impact assessment of authentication failure and bypass.
Given that email is one of the most targeted attack surfaces in any organization, and that phishing is cited throughout the ECC as a primary threat vector, this control recognizes that password-only email access is an unacceptable risk for entities handling sensitive government or infrastructure data.
Domain 2: Cybersecurity Defense — Web Application Security
Control 2-15-3-5 requires user authentication for external web applications, with the appropriate authentication factors, their numbers, and techniques defined based on an impact assessment of authentication failure and bypass.
While this control does not explicitly name MFA, the impact assessment requirement for any externally exposed application — combined with the NCA’s broader guidance — makes MFA the expected and appropriate implementation for applications handling sensitive data or government transactions.
Domain 2: Cybersecurity Defense — Event Logs and Monitoring
Control 2-12 requires that cybersecurity event logs be activated and continuously monitored, with a minimum retention period of 12 months. This includes logging for critical and privileged accounts and remote access events — meaning MFA authentication events must be logged and available for audit. Any MFA solution deployed under the ECC must support centralized, auditable logging.
Domain 4: Third-Party and Cloud Computing Cybersecurity
Control 4-1 governs third-party cybersecurity requirements. When organizations bring in external IT, cybersecurity outsourcing, or managed service providers, those providers must be bound to apply the entity’s cybersecurity requirements and policies. This means third-party vendors — including MFA solution providers — are subject to ECC compliance expectations through contractual obligations.
Control 4-1-3-2 specifically requires that cybersecurity managed service centers for monitoring and operations that use remote access be fully located within the Kingdom of Saudi Arabia. For organizations using managed cybersecurity services, this control has direct architectural implications. For organizations deploying MFA as a product within their own environment rather than consuming it as a managed service, applicability should be assessed against their specific service model and confirmed with their compliance function.
Is MFA Required by the NCA ECC?
Yes — MFA is explicitly required under the ECC for defined access scenarios, and the 2024 update made those requirements more specific and demanding.
Remote access to any systems or networks (Control 2-2-3-2)
Privileged accounts — including administrative, root, and elevated access accounts (Control 2-2-3-2)
Remote and webmail email access (Control 2-4-3-2)
Web application user access, where the impact assessment supports it (Control 2-15-3-5)
What distinguishes the ECC’s approach from some other frameworks is its emphasis on impact assessment. Rather than prescribing a single MFA method for all scenarios, the ECC requires entities to assess the consequences of authentication failure or bypass for each use case, and define appropriate authentication factors based on that assessment. This means a risk-proportionate approach is not just recommended — it is the required methodology.
In plain terms: if your organization is within ECC scope, deploying MFA for remote access and privileged accounts is a mandatory compliance requirement backed by Royal Decree. The question is not whether to implement MFA, but whether your implementation is appropriately risk-calibrated, well-documented, and auditable.
Consequences of NCA ECC Non-Compliance
Unlike some frameworks that publish explicit tiered fine structures, the NCA ECC operates within Saudi Arabia’s broader regulatory and legal enforcement environment. The consequences of non-compliance are nonetheless significant.
Regulatory enforcement: Under Article 10(3) of the NCA’s Statute and High Order No. 57231, all entities within scope must take all necessary measures to ensure ongoing and continuous compliance with the ECC. The NCA enforces compliance through multiple mechanisms, including entity self-assessments, periodic compliance tool reporting, and field auditing visits conducted at the NCA’s discretion.
Audit findings and remediation obligations: When the NCA identifies non-compliance during an audit, entities are required to document findings, implement corrective actions, and submit remediation plans to the cybersecurity supervisory committee and the Authorized Official. Repeated or unaddressed findings escalate the severity of the regulatory response.
Contractual and procurement impact: For private sector organizations seeking to work with Saudi government entities or bid on government contracts, demonstrated ECC compliance is increasingly a prerequisite. Non-compliant vendors face disqualification from government procurement and may have existing contracts reviewed.
Reputational and operational risk: Saudi Arabia’s Vision 2030 digital transformation has made cybersecurity a matter of national strategic priority. Organizations that suffer breaches attributable to inadequate controls — particularly basic ones like MFA — face significant reputational consequences in a market where government trust is foundational.
Sector-specific escalation: For entities operating Critical National Infrastructure, the stakes are higher still. Cybersecurity failures affecting CNI are treated as national security matters, carrying consequences that extend well beyond administrative penalties.
How to Implement MFA for NCA ECC Compliance
The ECC’s risk-assessment-first approach provides a clear starting point. Here is a practical path to a compliant MFA deployment.
1. Conduct an Impact Assessment for Authentication
Before selecting MFA methods, the ECC requires you to assess the impact of authentication failure or bypass for each access scenario. Map out every system, application, and access point in scope — remote access gateways, VPNs, email platforms, web applications, privileged admin consoles — and assess what happens if authentication is compromised at each point. This assessment drives your MFA method selection and is the documented basis for your compliance position.
2. Identify All In-Scope Access Points
Based on your impact assessment, identify every access point that requires MFA under Controls 2-2-3-2, 2-4-3-2, and 2-15-3-5. This must include at minimum:
All remote access connections (VPN, RDP, remote desktop gateways)
All privileged and administrative accounts
All remote and webmail email access
External web applications handling sensitive or government data
3. Select an MFA Solution That Fits Your Architecture
Choose an MFA solution that supports your organization’s infrastructure. For Saudi government entities and CNI operators, solution architecture should be reviewed carefully against ECC third-party, cloud, hosting, and managed-service requirements. Control 4-1-3-2 requires cybersecurity managed service centers for monitoring and operations using remote access to be located within Saudi Arabia. On-premises or customer-deployed MFA within the Kingdom simplifies this assessment and gives organizations tighter control over their authentication infrastructure. Ensure the solution supports the protocols in use across your environment, including RADIUS, LDAP, and Active Directory integration, which are commonly required in government infrastructure.
4. Document Your Authentication Policy
The ECC requires that cybersecurity requirements for identity and access management be identified, documented, and approved by the Authorized Official (Control 2-2-1). Your MFA deployment must be underpinned by a formally approved authentication policy that specifies which factors are required for which access scenarios, based on your impact assessment.
5. Enable Centralized Logging and Monitoring
Deploy MFA logging from day one. Control 2-12-3-2 requires that event logs for privileged and critical accounts and remote access events be activated and monitored continuously, with a minimum 12-month retention period. Ensure your MFA solution generates detailed authentication logs that integrate with your SIEM or central logging platform.
6. Train Your Workforce
Control 1-10 requires that all personnel receive cybersecurity awareness training, and that staff in technical roles receive specialized training. Before rolling out MFA, run training sessions that explain how to use the solution, why it is required, and what to do if they encounter issues. Document that training took place — this is an auditable requirement.
7. Conduct Periodic Reviews
The ECC is explicit that identity and access management requirements must be periodically reviewed (Control 2-2-4). Establish a review cadence — at minimum annually — and whenever significant changes occur to your infrastructure, access model, or threat landscape.
NCA ECC MFA Best Practices
Meeting the minimum ECC requirements is the baseline. These practices will help ensure your deployment is genuinely secure and audit-ready:
Document your impact assessments: The ECC’s MFA requirements are explicitly tied to impact assessments of authentication failure. Keep these assessments documented and up to date — they are your primary evidence of a compliant, risk-informed approach during an NCA audit.
Extend MFA beyond the minimum scope: The ECC mandates MFA for remote access and privileged accounts, but a strong security posture applies MFA to all access points, including internal systems handling sensitive data. Over-compliance is far better than a breach that reveals gaps.
Prioritize phishing-resistant authentication factors: Given the ECC’s emphasis on email phishing as a primary threat vector (Control 1-10-3-1), authentication methods that are resistant to phishing — hardware tokens, push notification apps, or FIDO2 keys — are strongly preferable to SMS-based OTPs for high-risk accounts.
Plan for data residency from the start: If you are using or considering cloud-based authentication services, evaluate them carefully against Control 4-1-3-2. On-premises or Saudi-hosted MFA deployment avoids the compliance complexity of cross-border data flows for entities subject to the managed services data residency requirement.
Pair MFA with privileged access management: The ECC requires both MFA (2-2-3-2) and privileged access management (2-2-3-4) as distinct controls. Deploy them together — MFA at the authentication layer and PAM policies governing what privileged users can access once authenticated — for a compliant and defence-in-depth access control strategy.
Ensure your MFA logs meet the 12-month retention requirement: Set up log retention policies from deployment. An audit finding about incomplete or unavailable authentication logs is avoidable with proper initial configuration.
How LoginTC Helps with NCA ECC Compliance
LoginTC is particularly well-suited for organizations navigating NCA ECC compliance, especially those dealing with complex infrastructure requirements common in Saudi government and CNI environments.
For entities with strict data residency requirements under Control 4-1-3-2, LoginTC’s on-premises deployment option keeps all authentication infrastructure within your own environment — no dependency on external cloud services, no cross-border data transfer concerns. This is a significant advantage for government agencies and CNI operators who need full control over where their authentication data lives and is processed.
LoginTC’s broad connector support covers the RADIUS, LDAP, and Active Directory integrations that are standard in government IT infrastructure. Whether you’re securing VPN remote access, Windows logins, privileged admin consoles, or legacy systems, LoginTC can add MFA without requiring infrastructure replacement. Detailed audit logs, centralized administration, and flexible per-application authentication policies make it straightforward to demonstrate compliance with the ECC’s logging, monitoring, and periodic review requirements during an NCA assessment.
Yes. The ECC 2-2024 explicitly requires MFA for remote access and privileged accounts (Control 2-2-3-2) and for remote and webmail email access (Control 2-4-3-2). Web application authentication requirements (Control 2-15-3-5) are also expected to include MFA where the impact assessment supports it. These are mandatory controls for all entities within the ECC’s scope.
Who is required to comply with the NCA ECC?
The ECC is mandatory for all Saudi government agencies and their affiliated entities (inside and outside the Kingdom), and for all private sector organizations that own, operate, or host Critical National Infrastructure in Saudi Arabia. Other private sector entities are strongly encouraged to comply.
Does the NCA ECC specify which MFA methods are acceptable?
The ECC does not mandate specific MFA technologies, but requires that authentication factors and techniques be selected based on an impact assessment of authentication failure and bypass. The ECC’s definition of MFA covers knowledge factors (passwords), possession factors (OTP devices, authenticator apps), and inherent factors (biometrics). Phishing-resistant methods are advisable given the ECC’s emphasis on phishing as a primary threat.
Does the ECC apply to international companies working with Saudi government entities?
International companies providing IT outsourcing, managed services, or cloud hosting to Saudi government entities or CNI operators are contractually required under Control 4-1 to apply the entity’s cybersecurity requirements, including the ECC. Additionally, Control 4-1-3-2 requires that managed cybersecurity services using remote access be fully located within Saudi Arabia.
How does the NCA enforce ECC compliance?
The NCA enforces compliance through entity self-assessments, the ECC Assessment and Compliance Tool, periodic compliance reporting, and field auditing visits conducted at the NCA’s discretion. Findings must be reported to the entity’s cybersecurity supervisory committee and Authorized Official, with corrective action plans documented and implemented.
How does the 2024 ECC update change MFA requirements compared to the 2018 version?
ECC-1:2018 required MFA for remote access. ECC 2-2024 extends this to explicitly include privileged accounts and introduces the requirement that authentication factors and techniques be defined based on an impact assessment of authentication failure and bypass — raising the standard from a blanket rule to a risk-calibrated obligation. The email protection MFA control was similarly updated to require impact-assessment-driven factor selection.
Get a Free NCA ECC MFA Strategy Session
Meeting NCA ECC requirements for MFA requires more than deploying an authenticator app. It demands a risk-informed approach, proper documentation, audit-ready logging, and a deployment architecture that respects Saudi Arabia’s data handling requirements — all of which need to work smoothly across the diverse, often legacy infrastructure common in government and critical infrastructure environments.
Our team has experience helping organizations design and deploy MFA solutions that satisfy stringent compliance requirements without disrupting operations. If you’re preparing for an NCA assessment or building out your ECC compliance program, we’re ready to help.
