🇸🇦 Live Defense & National Security

NCA Cloud Cybersecurity Controls (CCC-2:2024)

NCA cybersecurity controls for cloud computing services covering cloud governance, identity management, and data protection. Applies to organisations using or providing cloud services in Saudi Arabia.

Rules extracted

175

Obligations decomposed

7.3x

Avg obligations per rule

🇸🇦 Saudi Arabia

Jurisdiction

What AuditDSS covers

Source

Regulation

Extracted

Rules

Decomposed

175

Obligations

7.3x

Decomposition ratio

Each rule is decomposed into an average of 7.3 atomic obligations — the smallest testable units that can be independently violated.

Fully extracted & scored

All 175 obligations have been decomposed, titled, risk-scored, and embedded for semantic matching.

Risk scoring

Every obligation in CCC-2:2024 is scored across independent risk dimensions:

Obligation Weight

How critical within the regulatory framework

Violation Likelihood

How often breached in practice

Enforcement Evidence

Regulator enforcement history and penalties

Cascade Dependency

How many obligations depend on this one

Regulatory details

Full title: NCA Cloud Cybersecurity Controls (CCC-2:2024)
Regulatory body: National Cybersecurity Authority
Jurisdiction: 🇸🇦 Saudi Arabia
Document type: regulation
Effective date: January 1, 2024
Industry: Defense & National Security

Who this applies to

government organizationscloud service providerscloud service tenantscritical national infrastructure operators

Key requirements

4 main domains
24 subdomains
37 CSP main controls
94 CSP subcontrols
18 CST main controls
26 CST subcontrols
cloud security governance
identity and access management
data protection
key management
business continuity

Frequently asked questions about CCC-2:2024

What is CCC-2:2024?

Who does CCC-2:2024 apply to?

CCC-2:2024 applies to government organizations, cloud service providers, cloud service tenants, critical national infrastructure operators.

How many obligations does CCC-2:2024 contain?

AuditDSS has decomposed CCC-2:2024 into 175 atomic obligations from 24 rules. Each obligation is independently testable and risk-scored.

What are the key requirements of CCC-2:2024?

The key requirements include: 4 main domains, 24 subdomains, 37 CSP main controls, 94 CSP subcontrols, 18 CST main controls, 26 CST subcontrols, cloud security governance, identity and access management, data protection, key management, business continuity.

How can I assess my CCC-2:2024 compliance?

Upload your compliance policy to AuditDSS. The platform maps your document against all 175 CCC-2:2024 obligations using deterministic AI scoring — not checklists or LLM summaries. You get a risk-scored gap analysis showing exactly which obligations are covered, partially covered, or missing.

Which jurisdiction enforces CCC-2:2024?

CCC-2:2024 is enforced in Saudi Arabia by National Cybersecurity Authority.

When did CCC-2:2024 come into effect?

CCC-2:2024 became effective on January 1, 2024.

What industry does CCC-2:2024 apply to?

CCC-2:2024 is primarily relevant to the Defense & National Security industry. AuditDSS covers 69 regulations in this industry sector.

Build a CCC-2:2024 compliance pack

Don't have a compliance policy yet? AuditDSS generates a complete compliance pack for CCC-2:2024 — alone or combined with other regulations your business needs. Every clause is mapped to specific obligations.

Policy

High-level commitments and governance framework covering CCC-2:2024 requirements.

Procedures

Step-by-step operational procedures to implement each policy commitment.

Forms & checklists

Ready-to-use forms, registers, and checklists for day-to-day compliance operations.

Multi-regulation

Combine CCC-2:2024 with other regulations into a single unified compliance pack for your business.

Build CCC-2:2024 compliance pack

Already have a policy? Assess it against CCC-2:2024

Upload your document

Upload your compliance policy, program manual, or operational document. AuditDSS accepts any text-based document.

AI maps against 175 obligations

Your document is scored against every obligation in CCC-2:2024. Each claim is mapped to the obligation tree and evaluated for coverage.

Risk-scored gap report

Receive every gap ranked by risk priority with remediation guidance, enforcement evidence, and cascade impact analysis.