- Saudi Arabia's National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) are mandatory for all organisations operating in the Kingdom — and increasingly referenced by UAE regulators as a benchmark framework.
- Qualys TruRisk provides a quantifiable, continuous risk score that directly satisfies the evidence requirements for several NCA ECC control domains — particularly Asset Management, Vulnerability Management, and Web Application Security.
- Running Qualys without mapping its output to NCA ECC domains means your organisation is collecting valuable compliance evidence but not presenting it in the format regulators and auditors expect.
- The gap between having Qualys deployed and being able to demonstrate NCA ECC compliance is primarily a configuration and reporting gap, not a technology gap.
- PDPL data residency requirements in Saudi Arabia interact with Qualys deployment architecture — organisations must confirm their Qualys data processing region before beginning a compliance engagement.
Qualys is one of the most widely deployed vulnerability management platforms in the Gulf region. It is used by government entities, financial institutions, healthcare organisations, and industrial operators across Saudi Arabia and the UAE. Yet a significant proportion of Qualys deployments in the region are not configured to produce the specific outputs that NCA ECC compliance assessments require.
This article covers what Qualys TruRisk actually measures, which NCA ECC control domains it addresses, and the practical steps Gulf organisations need to take to bridge the gap between having Qualys running and being able to demonstrate NCA ECC compliance to an assessor.
What NCA ECC actually requires
The NCA Essential Cybersecurity Controls framework covers five main domains with 114 controls across Governance, Defence, Resilience, Third-Party and Cloud Security, and Industrial Control Systems. For most private sector organisations operating in Saudi Arabia, the most immediately relevant domains are:
- 2-1 Asset Management: Complete, up-to-date inventory of all hardware and software assets
- 2-3 Vulnerability Management: Continuous scanning, prioritisation, and remediation of vulnerabilities
- 2-6 Web Application Security: Regular scanning and testing of internet-facing applications
- 2-8 Configuration Management: Hardening and compliance monitoring for systems against approved baselines
- 2-10 Threat Intelligence: Active monitoring and response to emerging threats
The framework requires not just that these activities happen, but that they are documented, continuous, and measurable. This is where Qualys TruRisk becomes directly relevant.
What Qualys TruRisk actually measures
Qualys TruRisk is a composite risk score that combines three inputs: the severity of a vulnerability (based on CVSS score), the likelihood that vulnerability will be exploited in the wild (based on active threat intelligence), and the business impact of the affected asset (based on asset criticality tags assigned by the organisation).
The result is a risk score per asset, per vulnerability, and per organisational unit — expressed as a number between 0 and 1,000. Unlike raw CVSS scores, TruRisk reflects the real-world exploitability of a vulnerability in the current threat landscape, not just its theoretical severity at time of publication.
For NCA ECC compliance purposes, TruRisk provides exactly what auditors want: a continuous, quantifiable, defensible measure of an organisation's vulnerability risk posture — not a point-in-time snapshot.
Mapping Qualys capabilities to NCA ECC control domains
| NCA ECC Domain | Control | Qualys Module | Coverage |
|---|---|---|---|
| Asset Management | 2-1-1: Hardware asset inventory | VMDR Asset Discovery / CyberSecurity Asset Management (CSAM) | Full |
| Asset Management | 2-1-2: Software asset inventory | VMDR Cloud Agent — software inventory | Full |
| Vulnerability Management | 2-3-1: Vulnerability scanning | VMDR — authenticated scanning + Cloud Agent | Full |
| Vulnerability Management | 2-3-2: Patch management | Qualys Patch Management | Full |
| Web Application Security | 2-6-1: Web application scanning | Qualys Web Application Scanning (WAS) | Full |
| Configuration Management | 2-8-1: Security configuration baselines | Qualys Policy Compliance (PC) | Full |
| Threat Intelligence | 2-10-1: Threat monitoring | VMDR TruRisk + Threat Intelligence feeds | Partial — needs SIEM integration |
| Incident Management | 2-11-1: Detection and response | Qualys EDR / Multi-Vector EDR | Partial — EDR licence required |
of critical vulnerabilities exploited in Gulf region incidents in 2025 had CVSS scores below 7.0 — meaning they would not have been prioritised under traditional severity-based patching programmes. Qualys TruRisk specifically addresses this gap by factoring in active exploitability rather than theoretical severity, making it significantly more effective for NCA ECC compliance than basic CVSS-based vulnerability management.
Source: Qualys TruRisk Research Report 2025 / NCA threat landscape analysis
The five configuration steps that bridge Qualys and NCA ECC compliance
Deploy Cloud Agents on all in-scope assets
NCA ECC 2-1 requires a complete and continuously updated asset inventory. Qualys Cloud Agents — deployed on all servers, endpoints, and cloud instances — provide authenticated, continuous scanning without network-based scan windows. This is the foundation. Without full agent deployment, asset inventory is incomplete and NCA assessors will identify gaps immediately.
Configure asset criticality tagging aligned to your business context
TruRisk scores are only meaningful when asset criticality is correctly configured. Tag assets by business function (production systems vs. development, internet-facing vs. internal), data classification (systems processing personal data under PDPL), and regulatory scope (systems in NCA ECC scope). This transforms TruRisk from a generic score into a business-contextual risk measure that maps directly to ECC evidence requirements.
Enable Qualys Web Application Scanning for all internet-facing applications
NCA ECC 2-6 specifically addresses web application security. Qualys WAS must be configured to scan all internet-facing applications on a defined schedule — minimum quarterly for low-criticality applications, continuously for high-criticality or customer-facing applications. WAS scan reports with remediation status are direct evidence for ECC 2-6 compliance.
Configure Policy Compliance against CIS or STIG baselines
NCA ECC 2-8 requires documented configuration baselines and continuous compliance monitoring against them. Qualys Policy Compliance includes pre-built CIS Benchmark policies for Windows, Linux, cloud platforms, and network devices. Selecting and activating the appropriate CIS benchmark for each asset type — and generating regular compliance reports — provides direct ECC 2-8 evidence.
Generate and retain TruRisk dashboard exports for audit evidence
NCA assessors require documented evidence that vulnerability management is continuous and that risk posture is tracked over time. Configure Qualys to generate scheduled TruRisk summary reports — weekly or monthly — and retain these in a compliance evidence repository. A declining TruRisk score over time is the most compelling evidence of an effective vulnerability management programme.
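The following script is an added example, not code from Qualys or from the article's authors. It illustrates the two mechanics described above: how a composite score built from severity, active exploitability and asset criticality reorders findings compared with raw CVSS (the point made in the TruRisk section and in the sub-7.0 CVSS statistic), and how scored findings can be grouped by the NCA ECC controls in the mapping table and tracked over time for audit evidence. The weighting formula, the constructed findings, the vulnerability identifiers and the quarterly totals are all assumptions made for illustration; the real TruRisk algorithm is proprietary and is not reproduced here. Assets with no criticality tag are deliberately left unscored, matching the advice that TruRisk is only meaningful once tagging is configured.

```python
from dataclasses import dataclass
from typing import Optional

# NCA ECC control identifiers as used in the article's mapping table.
ECC_DOMAINS = {
    "2-1": "Asset Management",
    "2-3": "Vulnerability Management",
    "2-6": "Web Application Security",
    "2-8": "Configuration Management",
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str                 # constructed placeholder, not a real CVE id
    cvss: float                  # published base severity, 0-10
    exploited_in_wild: bool      # threat-intelligence flag
    criticality: Optional[int]   # organisation's asset tag 1 (low) .. 5 (critical); None = untagged
    ecc_control: str             # ECC control the finding is evidence for, e.g. "2-3"


def risk_score(cvss: float, exploited: bool, criticality: int) -> int:
    """Hypothetical composite score on a 0-1000 scale (assumption, not the Qualys formula).

    Severity, likelihood and business impact are each normalised to 0..1 and
    multiplied, so a moderately severe but actively exploited flaw on a critical
    asset outranks a critical-CVSS flaw that nobody is exploiting on a dev box.
    """
    if not 0.0 <= cvss <= 10.0 or not 1 <= criticality <= 5:
        raise ValueError("cvss must be 0-10 and criticality 1-5")
    severity = cvss / 10.0
    likelihood = 1.0 if exploited else 0.3   # constructed weighting for "not known exploited"
    impact = criticality / 5.0
    return round(1000 * severity * likelihood * impact)


def prioritise(findings):
    """Return (scored, untagged).

    scored:   list of (score, finding) sorted by descending risk.
    untagged: findings on assets with no criticality tag; they get no score and
              should be reported as a tagging gap rather than silently defaulted.
    """
    scored, untagged = [], []
    for f in findings:
        if f.criticality is None:
            untagged.append(f)
        else:
            scored.append((risk_score(f.cvss, f.exploited_in_wild, f.criticality), f))
    scored.sort(key=lambda pair: (-pair[0], pair[1].vuln_id))
    return scored, untagged


def ecc_evidence_summary(findings):
    """Group scored findings by ECC control for an evidence report."""
    scored, untagged = prioritise(findings)
    controls = {}
    for score, f in scored:
        entry = controls.setdefault(f.ecc_control, {
            "domain": ECC_DOMAINS.get(f.ecc_control, "Unmapped"),
            "findings": 0, "max_score": 0, "_scores": [],
        })
        entry["findings"] += 1
        entry["max_score"] = max(entry["max_score"], score)
        entry["_scores"].append(score)
    for entry in controls.values():
        scores = entry.pop("_scores")
        entry["mean_score"] = round(sum(scores) / len(scores), 1)
    return {
        "controls": controls,
        "untagged_assets": sorted({f.asset for f in untagged}),
    }


def trend_is_declining(snapshots):
    """snapshots: chronological list of (period_label, total_score) from retained reports.

    True only if the total never rises between periods and ends lower than it
    started, i.e. the kind of trend an assessor would accept as improvement.
    """
    scores = [s for _, s in snapshots]
    return (len(scores) >= 2
            and all(later <= earlier for earlier, later in zip(scores, scores[1:]))
            and scores[-1] < scores[0])


# Constructed sample findings (asset names, ids and values are made up).
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-A", 6.5, True, 5, "2-6"),    # sub-7.0 CVSS but exploited, critical asset
    Finding("db-02", "VULN-B", 9.8, False, 3, "2-3"),    # critical CVSS, no known exploitation
    Finding("dev-07", "VULN-C", 7.5, False, 1, "2-3"),   # high CVSS on a low-value dev host
    Finding("hr-app", "VULN-D", 5.3, True, None, "2-6"), # untagged asset: tagging gap
]

# Constructed quarterly totals as they might appear in retained summary reports.
SAMPLE_TREND = [("2025-Q1", 1200), ("2025-Q2", 900), ("2025-Q3", 871)]

if __name__ == "__main__":
    for score, f in prioritise(SAMPLE_FINDINGS)[0]:
        print(f"{score:4d}  {f.asset:8s} {f.vuln_id} CVSS={f.cvss} exploited={f.exploited_in_wild}")
    print(ecc_evidence_summary(SAMPLE_FINDINGS))
    print("declining:", trend_is_declining(SAMPLE_TREND))
```

With the constructed inputs, VULN-A (CVSS 6.5, actively exploited, critical asset) scores 650 and lands at the top, while VULN-B (CVSS 9.8, not exploited) scores 176; a purely CVSS-ordered queue would have patched them in the opposite order. The untagged `hr-app` asset is surfaced separately so the tagging gap is fixed before its findings are trusted in an evidence report.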
PDPL data residency and Qualys deployment architecture
Saudi Arabia's Personal Data Protection Law (PDPL) requires that personal data of Saudi residents be processed and stored within the Kingdom unless specific cross-border transfer conditions are met. This has direct implications for how Qualys is deployed in organisations that process personal data.
Qualys scan data — which may include system names, usernames, application data, and configuration details — should be reviewed against PDPL classification requirements before configuring cloud data regions. Organisations in scope for PDPL should confirm with their Qualys account team that data processing is configured to remain within approved regions.
“Having Qualys deployed is not the same as being NCA ECC compliant. The platform provides the capability — but compliance requires correct configuration, continuous operation, and documented evidence retention that maps to each control domain.”
Need help mapping your Qualys deployment to NCA ECC compliance?
House 35 Global Infotech provides cybersecurity infrastructure support for UAE and Gulf businesses — Qualys configuration, NCA ECC mapping, and compliance evidence frameworks.
Frequently asked questions
Qualys TruRisk is a composite risk score combining vulnerability severity, active exploitability, and asset criticality. It maps directly to NCA ECC compliance requirements in the Asset Management, Vulnerability Management, and Web Application Security domains — providing the continuous, quantifiable, and auditable evidence that NCA assessors require. Running Qualys without configuring TruRisk output for NCA ECC means collecting compliance evidence but not presenting it in the format regulators expect.
Qualys VMDR covers NCA ECC controls in Asset Management (2-1) through continuous asset discovery, Vulnerability Management (2-3) through authenticated scanning and patch prioritisation, Web Application Security (2-6) through the WAS module, and Configuration Management (2-8) through Policy Compliance. Qualys Cloud Agent provides continuous coverage for endpoints across on-premises and cloud environments without scan windows.
Yes. Qualys operates globally including the Gulf region with configurable data residency options. Organisations with Saudi PDPL data residency requirements should confirm their Qualys data processing region with their account team before deployment. Scan data including system names, usernames, and configuration details should be reviewed against PDPL classification requirements.
Qualys supports PDPL compliance by identifying systems that store or process personal data, scanning them for vulnerabilities that could lead to data breaches, and providing the documentation trail required for PDPL breach notification obligations. Asset discovery and classification capabilities in VMDR help organisations map which systems contain personal data — a prerequisite for PDPL compliance.
Yes. House 35 Global Infotech provides cybersecurity infrastructure support for UAE and Gulf businesses including Qualys deployment, configuration, and NCA ECC compliance mapping. Contact us or WhatsApp +91 9082730445 to discuss your specific compliance requirements.