
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-7-1

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-7-1

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 1-7-1 – The organization must comply with related national cybersecurity laws and regulations.

Understanding the Requirement

This control requires the organization to identify and follow all national cybersecurity laws, regulations and official orders relevant to its operations and to demonstrate ongoing compliance. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024) this means working across legal, governance and IT functions to maintain a current inventory of applicable NCA-issued requirements (for example royal orders, council orders, circulars and regulatory orders), implement the required controls, verify compliance with appropriate technologies, and produce periodic reports for the National Cybersecurity Authority (NCA) when requested.

Technical Implementation

  • Create and maintain a legal/regulatory registry. Assign a compliance owner (could be a combined role for an SMB: IT lead + external counsel) to work with legal/governance stakeholders to list all applicable national cybersecurity laws, NCA circulars and any sector-specific orders. Record the source, effective date, required actions, and renewal/review dates in a central spreadsheet or lightweight compliance tool.
  • Map legal requirements to controls and processes. For each requirement in the registry, map it to specific technical and procedural controls (e.g., logging and retention rules, incident reporting timelines, encryption requirements). This makes it clear what configuration, policy or activity satisfies each legal obligation.
  • Implement verification technologies and logging. Put simple, affordable technical measures in place to demonstrate compliance: enable centralized logging (syslog/host logs), configure basic SIEM or log-aggregation (even cloud-native services), apply endpoint protection with reporting, and use configuration management (baseline images, automated checks) to prove security settings. Retain logs and evidence according to the legal retention schedule you documented.
  • Perform regular internal audits and gap remediation. Schedule quarterly or biannual checks to validate the implemented controls against the registry: run configuration scans, review access controls, and test incident detection/response. Track findings in a remediation backlog with owners and timelines so you can demonstrate corrective actions if audited by the NCA.
  • Prepare standardized reporting and escalation procedures. Build templates for the NCA reporting requirements (compliance summary, incident reports, attestation documents). Define who prepares the report, how evidence is attached, and the approval process so you can respond promptly when the NCA requests documentation.
  • Maintain awareness and update processes. Subscribe to official NCA announcements or designate someone to monitor national publications. Schedule a review of the registry and mapped controls after any legal change, and document both the review and the action taken.
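The six steps above describe one repeatable loop: registry rows, each mapped to controls, each control backed by evidence and checked against the legal parameter (such as a retention period) and a review date. The script below is an added example of that loop written by the editor; it is not code from the page, from the NCA, or from any compliance tool. Every requirement id, circular reference, retention period, date and evidence path in it is a constructed sample value, and the finding types (UNMAPPED, MISSING_CONTROL, NO_EVIDENCE, RETENTION_GAP, REVIEW_OVERDUE) are the editor's own labels for the gaps an internal audit would raise.

```python
"""Regulatory registry -> control mapping -> audit gap report.

Added example for the ECC 1-7-1 procedure; not the page's or the NCA's code.
All ids, circular references, retention periods, dates and evidence paths are
constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Requirement:
    """One row of the legal/regulatory registry (step 1)."""
    req_id: str
    source: str                     # constructed circular reference
    effective: date
    next_review: date               # when the row must be re-checked (step 6)
    required_action: str
    mapped_controls: List[str] = field(default_factory=list)   # step 2
    min_retention_days: Optional[int] = None   # only for retention rules


@dataclass
class Control:
    """A technical or procedural control and the artifacts proving it (step 3)."""
    control_id: str
    description: str
    evidence: List[str] = field(default_factory=list)   # log exports, scans, policies
    configured_retention_days: Optional[int] = None


Finding = Tuple[str, str, str]   # (requirement id, finding type, detail)


def gap_report(registry: List[Requirement], controls: Dict[str, Control],
               today: date) -> List[Finding]:
    """Step 4: validate the registry against the implemented controls."""
    findings: List[Finding] = []
    for req in registry:
        if req.next_review < today:
            findings.append((req.req_id, "REVIEW_OVERDUE",
                             f"review was due {req.next_review.isoformat()}"))
        if not req.mapped_controls:
            findings.append((req.req_id, "UNMAPPED", req.required_action))
            continue
        for cid in req.mapped_controls:
            ctrl = controls.get(cid)
            if ctrl is None:
                findings.append((req.req_id, "MISSING_CONTROL", cid))
                continue
            if not ctrl.evidence:
                findings.append((req.req_id, "NO_EVIDENCE", cid))
            # A retention rule is only satisfied if the configured period
            # is known and at least as long as the legal minimum.
            if req.min_retention_days is not None and (
                ctrl.configured_retention_days is None
                or ctrl.configured_retention_days < req.min_retention_days
            ):
                findings.append((req.req_id, "RETENTION_GAP",
                                 f"{cid}: configured {ctrl.configured_retention_days} days, "
                                 f"required {req.min_retention_days}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Step 5: counts per finding type for the standardized report template."""
    summary: Dict[str, int] = {}
    for _, kind, _ in findings:
        summary[kind] = summary.get(kind, 0) + 1
    return summary


def run_sample(today: date = date(2026, 1, 17)) -> List[Finding]:
    """Constructed registry and control inventory for an SMB; not real NCA data."""
    registry = [
        Requirement("REQ-001", "circular-A (constructed)", date(2025, 1, 1), date(2026, 6, 30),
                    "retain security logs", ["LOG-01"], min_retention_days=365),
        Requirement("REQ-002", "circular-B (constructed)", date(2025, 1, 1), date(2026, 6, 30),
                    "notify incidents within the required window", ["IR-01"]),
        Requirement("REQ-003", "circular-C (constructed)", date(2025, 1, 1), date(2025, 12, 1),
                    "encrypt data at rest", ["CRYPTO-01"]),
        Requirement("REQ-004", "circular-D (constructed)", date(2025, 1, 1), date(2026, 6, 30),
                    "flow requirements down to vendors"),
        Requirement("REQ-005", "circular-E (constructed)", date(2025, 1, 1), date(2026, 6, 30),
                    "retain backups", ["BK-01"], min_retention_days=365),
    ]
    controls = {
        "LOG-01": Control("LOG-01", "SIEM retention", ["siem-retention-policy.pdf"], 180),
        "IR-01": Control("IR-01", "incident reporting procedure"),          # no evidence yet
        "BK-01": Control("BK-01", "backup retention", ["backup-report.txt"], 400),
        # CRYPTO-01 intentionally absent: mapped in the registry but never implemented
    }
    return gap_report(registry, controls, today)


if __name__ == "__main__":
    results = run_sample()
    for req_id, kind, detail in results:
        print(f"{req_id}  {kind:16} {detail}")
    print(summarize(results))
```

REQ-005 produces no finding, which is the state every row should reach: a mapped control, artifacts attached, and a configured parameter that meets the legal minimum. Everything else becomes a backlog item with an owner, exactly the remediation queue the audit step calls for.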

Example in a Small or Medium Business

A 75-person managed services SMB appoints its IT manager as the compliance owner and engages an external legal advisor for interpretation of national cybersecurity directives issued by the NCA. They build a simple regulatory registry in a shared document that lists each NCA circular and the required actions, such as incident notification windows and log-retention periods. The IT team maps those requirements to existing systems: their backup and SIEM retention policies are adjusted to meet retention rules, endpoint protection and encryption are documented as meeting specific technical requirements, and a configuration checklist is created for server hardening. Quarterly internal checks are scheduled; findings are tracked in a small ticket queue and assigned owners. The SMB sets up a short report template that summarizes compliance posture and attaches verification artifacts (logs, scan results) so they can respond to NCA requests within the required timeframe. Staff receive a one-hour briefing on what to report internally for potential incidents, and the firm adds a compliance clause in vendor contracts to ensure third-party services support the documented requirements.

Summary

Meeting Control 1-7-1 is primarily about turning national cybersecurity rules into a repeatable operational program: keep a current registry of NCA-issued laws, map each requirement to technical and procedural controls, use logging and lightweight verification technologies to produce evidence, and prepare standardized reports for the authority. For SMBs, clarity of ownership, simple documentation, regular checks, and ready-to-use reporting templates are the practical steps that convert legal obligations into demonstrable compliance.

