Key Takeaways
Saudi Arabia's National Cybersecurity Authority made the Essential Cybersecurity Controls mandatory for government bodies, critical infrastructure, and their suppliers. Vision 2030 is pulling thousands of organisations into scope, yet most cannot meet ECC alone. For MSPs and GRC consultancies willing to package the work properly, that gap is a durable service line. This guide covers who to target, how to structure the offer, where margin leaks, and how to move from one-off assessments to recurring compliance governance revenue in the Kingdom.
Most Providers Are Underestimating the Saudi Compliance Wave
There is a quiet gold rush happening in the Kingdom, and most managed service providers are watching from the sidelines. Saudi Arabia’s National Cybersecurity Authority has made the Essential Cybersecurity Controls, the ECC, a hard requirement for government entities, operators of critical national infrastructure, and a widening ring of their suppliers. Vision 2030 is accelerating this. Every giga-project, every new digital government service, every financial and health platform being stood up pulls more organisations into scope, and most of them have no internal capability to meet the controls.
That is the opportunity. Not selling firewalls. Not reselling a SIEM. The real, defensible, recurring revenue sits in helping Saudi organisations achieve and then sustain ECC compliance. And yet most MSPs treat it as a one-off audit-prep favour for a client who asked nicely, quote it badly, deliver it inconsistently, and walk away from the recurring money entirely.
If you run an MSP or a GRC consultancy that wants a durable service line in one of the fastest-growing cybersecurity markets on earth, ECC is the wedge. This is how to build it properly.
What the ECC Actually Covers
Before you can sell it, you have to respect what it is. The ECC is structured around five main cybersecurity domains: Cybersecurity Governance, Cybersecurity Defence, Cybersecurity Resilience, Third-Party and Cloud Computing Cybersecurity, and Industrial Control Systems cybersecurity. Underneath those sit subdomains and dozens of individual controls covering everything from asset management, identity and access, and data protection to backup, incident management, penetration testing, and supplier risk.
Two things matter commercially. First, the ECC is deliberately broad, so almost no mid-market client meets it out of the box. That is your remediation revenue. Second, the NCA expects controls to be implemented and continuously operated, evidenced, and periodically re-assessed. That is your recurring revenue. A framework that demanded a one-time checklist would be a poor business. The ECC is not that.
There is also a maturity dimension. The NCA and related regulators increasingly expect organisations to demonstrate not just that a control exists on paper, but that it works, produces evidence, and improves over time. That expectation is exactly what separates a consultancy that keeps clients from one that gets fired after the first certificate.
Who to Target First
Do not try to sell ECC to everyone. Concentrate on organisations that already feel the pressure:
- Government-linked entities and their digital arms. Ministries, authorities, and the special economic and giga-project entities standing up new services all carry ECC obligations directly.
- Critical national infrastructure suppliers. Energy, water, telecoms, transport, and their technology vendors face both direct scope and prime-contractor flow-down.
- Financial institutions. These sit under the SAMA Cybersecurity Framework as well, and ECC-aligned work opens the door to that richer engagement.
- Health, education, and large private enterprises bidding for government tenders, where a security requirement is now standard.
The buying trigger is almost always external: a tender clause, a regulator letter, a prime contractor’s supplier questionnaire, or a board that has read the news. When you hear one of those, the client is warm and usually under time pressure. That is when packaged delivery beats open-ended consulting.
Package the Offer Into Three Phases
The single biggest mistake providers make is quoting ECC as an amorphous consulting block. Clients cannot buy that confidently and you cannot deliver it profitably. Break it into three clean phases.
Phase one: baseline gap assessment. Scope the environment, define the system boundary, and assess the client against every applicable ECC domain and subdomain. Output a control-by-control gap analysis, a risk register, and a prioritised remediation roadmap with effort and ownership. Fixed scope, fixed price, fast turnaround. This phase qualifies the client and funds everything after it.
Phase two: remediation programme. Close the gaps. Some are policy and governance work, some are technical control implementation, some are process changes. Track everything against the roadmap with clear owners and deadlines. This is where the largest single project revenue lives, and where a structured GRC automation platform stops the programme from collapsing into a spreadsheet swamp.
Phase three: recurring governance retainer. Once the client is compliant, keep them compliant. Monthly evidence reviews, control monitoring, policy upkeep, supplier checks, change reviews, and readiness for the next NCA assessment or tender. This is the recurring revenue that turns a one-off project into a multi-year relationship, and it is the phase most MSPs never even offer.
Sell all three up front as a journey. The client buys phase one; you have already framed two and three as the obvious continuation.
Map Controls to Evidence, Not Theory
Here is the delivery discipline that separates winners from talkers. Auditors and the NCA do not want essays. They want evidence that a control is operating. The consultancy that can pull that evidence cleanly from live systems wins the account and keeps it.
Tie every ECC control to the systems where its evidence already lives. Identity and access controls map to your client’s directory and MFA tooling. Logging and monitoring map to their SIEM and endpoint platform. Data protection maps to encryption and DLP configuration. Backup and resilience map to their backup platform and tested restore records. Third-party controls map to contracts and supplier assessments. When you standardise this mapping once, every subsequent client engagement gets faster and more profitable.
This is also where a purpose-built platform pays for itself. Manually chasing screenshots across dozens of controls for dozens of clients does not scale and destroys margin. Automating evidence collection and control mapping is what lets a single consultant carry a portfolio of ECC clients instead of drowning in one.
Standardise or Stay Small
If every ECC engagement depends on your best senior consultant improvising, you do not have a service line. You have a bottleneck wearing a suit. Productisation is the whole game.
Build and reuse a standard toolkit: a control-mapping workbook aligned to the ECC domains, a fixed gap-assessment report structure, a risk register template, a remediation plan format, and a board-ready executive summary. Standard artefacts mean junior staff can deliver most of the work under senior review, quality stays consistent, and you can quote confidently because you already know the effort. The MSPs that treat ECC delivery like a repeatable product, backed by a proper vCISO services platform and a shared frameworks library, are the ones that scale past a handful of clients.
Standardisation also protects you when the framework evolves. The NCA updates and extends its controls, and sector regulators layer their own on top. If your delivery is codified once, absorbing a framework change means updating a template, not re-teaching your whole team.
Where the Margin Leaks
A few predictable traps quietly eat ECC profitability:
- Underscoping the assessment. Broad ECC domains hide a lot of work. Scope the system boundary tightly and price accordingly, or the fixed-price phase one turns into a loss leader.
- Manual evidence chasing. Screenshot archaeology across clients is the number one margin killer. Automate collection early.
- Giving away the retainer. Providers close the project, feel relief, and forget to sell ongoing governance. That is the highest-margin, stickiest revenue in the whole model. Never skip it.
- Ignoring data residency and language. Saudi clients care about where data lives and increasingly expect Arabic-capable delivery. Getting this wrong loses deals you should win.
Pricing and Delivering in the Kingdom
Two practical realities shape how you deliver ECC profitably in Saudi Arabia. The first is local credibility. Clients want a provider who understands NCA expectations, data-residency rules, and how government tenders actually judge security. International consultancies routinely solve this by partnering with a registered Saudi entity, hiring Arabic-speaking delivery staff, or basing part of the team in Riyadh, Jeddah, or the giga-project hubs. What the buyer pays for is confidence that you can pass NCA scrutiny, not a specific address.
The second is pricing structure. Resist the urge to sell ECC by the hour, which caps your income at your team’s calendar and punishes you for getting efficient. Price phase one as a fixed-scope assessment, phase two on a defined remediation scope, and phase three as a recurring monthly retainer tied to portfolio size and control count. As your templates and automation mature, the same work takes less senior time, so productised pricing lets you keep the margin your efficiency creates instead of handing it back. This is also the model that makes ECC compatible with a broader vCISO offering, where compliance governance is one recurring line inside a wider security-leadership relationship.
The Bigger Play: One Framework, Many Doors
ECC is rarely the end of the conversation. A financial client will also need SAMA alignment. A cloud-heavy client will face the NCA’s cloud cybersecurity controls. A critical-systems client pulls in operational technology requirements. Because the underlying evidence and governance discipline overlap heavily, an MSP that delivers ECC well is perfectly positioned to sell the next framework to the same client with a fraction of the effort. This is how a single ECC wedge becomes a multi-framework Middle East compliance practice.
The providers who win the Saudi market over the next few years will not be the ones with the flashiest tooling. They will be the ones who packaged compliance as a clear, repeatable, evidence-driven service and who never let a client leave phase two without signing phase three.
If you are ready to build that service line on top of automation instead of spreadsheets, book a demo and see how GetCybr helps MSPs and consultancies deliver ECC and the frameworks around it at scale.
Further Reading
Ready to Scale Your vCISO Practice?
See how GetCybr helps MSPs deliver enterprise-grade security services.