Orchra Back to Orchra
NCA ECC & CCC Readiness
Last updated: 31 May 2026
Status: pre-launch. Orchra is onboarding a limited early-access cohort. The information below describes our current practices and the program we are building toward Saudi enterprise and public-sector procurement requirements. We do not claim any certification (such as SOC 2, ISO 27001, or NCA ECC/CCC) until it is formally completed and evidence is available.
This page describes Orchra's approach to the Saudi National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) and Cloud Cybersecurity Controls (CCC). Orchra does not hold and does not claim any NCA certification or attestation. Control mapping is in progress as part of our security program.
What ECC and CCC are
The NCA ECC sets baseline cybersecurity controls for organizations in the Kingdom, while the NCA CCC addresses cloud-specific cybersecurity and data-localization requirements for cloud service providers and their tenants. Saudi enterprise and public-sector buyers increasingly map vendors against these controls during procurement.
Orchra's approach
- Data localization — early-access and application data are stored on our application backend located in the Kingdom of Saudi Arabia. See data residency.
- Control mapping in progress — we are mapping our security controls (access control, encryption, logging, change management, incident response) against ECC and CCC domains.
- Governed AI — agent permissions, human approval, and audit trails align with the accountability expectations of regulated buyers. See AI Governance.
- Evidence on request — we are building a procurement evidence pack (control summary, data-flow, DPA) available to qualified buyers under NDA.
Control domain status
| Domain | Status |
|---|---|
| Governance & cybersecurity policy | Mapping in progress |
| Identity & access management | Mapping in progress |
| Data protection & cryptography | Mapping in progress |
| Logging, monitoring & incident response | Mapping in progress |
| Cloud data localization (CCC) | In-Kingdom storage of application data |
Nothing on this page should be read as a claim of NCA compliance, certification, or accreditation. Statuses reflect internal mapping work only and will be updated as the program matures.
Contact
For procurement questions or our evidence pack, contact security@orchra.io.