NCA compliance doesn’t come ready-made. So Axipro built it for MBC- the biggest media company in MENA.

Certification

Custom Framework (NCA) Implementation on Drata

Industry

TV Broadcasting

Engagement Length

10 Weeks

Location

MENEA

01- THE CHALLENGE

A national mandate with no ready-made path

As the largest media company in the Middle East and North Africa, MBC operates at a scale — and under a regulatory weight — that few organizations in the region face. Compliance with the Saudi National Cybersecurity Authority (NCA) framework underpins how it handles sensitive data and sustains the trust of regulators, partners, and audiences.

But NCA isn’t a framework that ships ready-made inside compliance tooling. MBC had no built or mapped NCA framework in Drata, and its IT and security policies weren’t yet structured for audit. It needed more than a platform — it needed a partner who could design a custom, fully-auditable NCA framework, map every policy to the right controls, and keep it current as the regulation evolves.

No built or mapped NCA framework in Drata.

The custom framework did not yet exist, and policies were not ready for audit.

Momentum disrupted by a client-side pause.

MBC paused work in November 2025 due to internal changes, delaying policy uploads and mapping.

Uncertainty around timelines and ownership.

The pause made it difficult to progress toward certification readiness with confidence.

02- THE SOLUTON

A custom NCA framework, built and mapped inside Drata

Axipro built MBC a custom NCA framework inside Drata and ran the implementation end-to-end: reviewing and refining critical IT and security policies, mapping each to the right controls across all five NCA domains, and standing up a maintenance process to keep the framework audit-ready as requirements change.

The work was structured into five sequenced phases with clear deliverables — so MBC’s teams could focus on supplying controls and evidence while Axipro handled the technical mapping and ongoing upkeep.

Custom, fully-auditable NCA framework structured natively in Drata
Critical IT and security policies reviewed, standardized, and version-controlled
Every policy mapped to controls across all five NCA domains
Ongoing regulatory monitoring and framework maintenance built into the engagement

03- IMPACT HIGHLIGHTS

What changed for MBC

  Audit-ready framework

A custom NCA framework live in Drata, with policies versioned and mapped to controls across every domain.

  Streamlined policy management

Refined, standardized policies ready for evidence mapping, so internal teams focus on controls, not formatting.

  Faster next framework

The established foundation and partnership cut scoping and delivery time for additional frameworks.

04- BACKGROUND

Compliance at broadcast scale

MBC is the leading media company across the Middle East and North Africa, operating an enterprise of more than 2,000 people across broadcast, streaming, and digital. At that reach, cybersecurity obligations are not a back-office concern. They touch sensitive data, critical systems, and a public footprint that includes the organization’s own social-media presence.

The NCA framework reflects exactly that breadth, spanning essential controls through data, cloud, telework, and social-media account security. Meeting it demanded a structured, auditable program rather than a one-off effort, and a partner who could own the technical build while MBC’s teams stayed focused on the business.

05- IMPLEMENTATION JOURNEY

Confident, collaborative, and fast

When MBC paused the engagement in late 2025 during a period of internal change, Axipro held the plan, re-scoped quickly, and resumed in January 2026, then delivered against an accelerated schedule.

Phase 1
by end Jan 2026

Framework foundation

Custom NCA framework structured inside Drata, ready for policy and control mapping.

Phase 2
by end Jan 2026

Policy refinement

Critical IT and security policies reviewed, standardized, and prepared for audit.

Phase 3
by mid Feb 2026

Control mapping

Policies mapped to the right controls, establishing traceability from document to requirement.

Phase 4
by mid Feb 2026

Full domain coverage

Mapping completed across ECC, DCC, CCC, TCC, and OSMAC, the full NCA control set.

Phase 5
by end Mar 2026

Maintenance and monitoring

Ongoing framework upkeep and regulatory monitoring, keeping the program current as NCA evolves.

06- BEYOND THE CHECKBOX

Compliance as operating infrastructure

For MBC, a mapped NCA framework is not a one-time certification exercise. It is operating infrastructure.

With the framework built and maintained, audit preparation becomes a continuous state rather than a periodic fire drill. Internal teams are freed from manual policy work. And adding the next framework is faster, because the foundation and the working relationship already exist. Compliance shifts from a cost the business absorbs to a capability it can build on.

08- WHAT'S NEXT

Building on the foundation

With the NCA framework live and maintained, MBC has engaged Axipro for additional frameworks, extending the foundation and the partnership already in place. Trust is not the finish line. It is the platform for what comes next.

Case Studies

Explore More Case Studies