Common questions about the Saudi Central Bank's Cyber Security Framework: what it requires, who must comply, and how SAMA measures maturity.
The SAMA Cyber Security Framework is the cyber security regime for financial institutions regulated by the Saudi Central Bank. This FAQ covers the questions that come up most often when compliance and security teams first engage with it: scope, the maturity model, self-assessment and audit, and how it relates to frameworks they may already follow.
The SAMA Cyber Security Framework is the regulatory cyber security regime for financial institutions supervised by the Saudi Central Bank (SAMA). It was created so regulated entities can identify and address cyber security risks through a common, principle-based approach, and so SAMA can periodically assess and benchmark cyber security maturity across the sector. It is built on SAMA requirements together with established industry standards including NIST, ISF, ISO, BASEL, and PCI, and it supersedes all previous SAMA cyber security circulars.
It is issued, owned, and maintained by SAMA, the prudential supervisor of the Saudi financial sector. Adoption and implementation are mandatory for the institutions SAMA regulates. SAMA is solely responsible for interpreting the framework's principles, objectives, and control considerations, and it reviews and audits compliance directly as part of its supervisory role.
Both names refer to the same institution. The framework was issued by the Saudi Arabian Monetary Authority. The institution was renamed the Saudi Central Bank in 2020 but kept the long-established SAMA acronym, so the framework is still universally referred to as the SAMA CSF. If you see "SAMA" and "Saudi Central Bank" used interchangeably in tenders or audit requests, they mean the same regulator.
It applies to all Member Organizations regulated by SAMA: banks, insurance and reinsurance companies, financing companies, and credit bureaus operating in Saudi Arabia, plus the Financial Market Infrastructure. If your institution holds a SAMA licence to operate in the Kingdom's financial sector, the framework applies to you.
Yes. The framework gives direction for the Member Organization and its subsidiaries, staff, third parties, and customers. Its scope spans electronic and hardcopy information, applications and databases, computers and ATMs, storage devices, and the premises, equipment, and communication networks that make up the technical infrastructure.
All domains apply to the banking sector. For other financial institutions, a few subdomains carry exceptions. Alignment with the banking-sector cyber security strategy is mandatory only when applicable. The "compliance with international industry standards" subdomain can be excluded unless the organization stores, processes, or transmits cardholder data or uses SWIFT services, in which case PCI and the SWIFT Customer Security Controls Framework apply. Some operations subdomains are excluded for non-banks, but multi-factor authentication is still expected where online customer services are offered.
It is organized into four main domains: Cyber Security Leadership and Governance; Cyber Security Risk Management and Compliance; Cyber Security Operations and Technology; and Third Party Cyber Security. Each domain contains subdomains, and each subdomain states a principle (the required outcome), an objective (why it matters), and control considerations (the mandated controls to consider). The framework is principle-based and risk-based rather than a flat checklist.
Compliance is measured against a six-level maturity model: 0 Non-existent, 1 Ad-hoc, 2 Repeatable but informal, 3 Structured and formalized, 4 Managed and measurable, and 5 Adaptive. The levels are cumulative, so a Member Organization must satisfy every criterion of the lower levels before it can claim a higher one.
SAMA expects Member Organizations to operate at maturity level 3 (Structured and formalized) or higher. Level 3 means cyber security controls are defined, approved, implemented, and documented in policies, standards, and procedures, with compliance monitored and key performance indicators in place. The framework explicitly notes that monitoring this documentation is preferably done using a governance, risk, and compliance tool. Level 4 adds periodic measurement and key risk indicators with trend reporting; level 5 adds continuous improvement integrated with enterprise risk management and peer and sector benchmarking.
Each Member Organization performs a periodic self-assessment using a questionnaire. SAMA then reviews and audits those self-assessments to determine the organization's compliance level and cyber security maturity level, and it compares results across Member Organizations. This makes compliance an ongoing supervisory obligation with continuous readiness expected, not a one-time certification.
The framework is principle-based, so a control consideration that genuinely cannot be implemented can be handled through compensating controls plus a documented internal risk acceptance. Where a deviation is needed, the Member Organization submits a formal waiver request to SAMA using the framework's waiver process. Requests to change the framework itself also go through SAMA. A control is not simply opted out of without that documented route.
SAMA owns the framework and is solely responsible for interpreting it. SAMA reviews it periodically for effectiveness against emerging threats and maintains it under version control, retiring the previous version when a new one is published. A Member Organization remains responsible for compliance with the current version while any update request it has submitted is pending. Always work from the version published in the official SAMA Rulebook.
Ultimate responsibility rests with the board, which can delegate to a cyber security committee or a senior manager from a control function. An independent cyber security function must be established, kept separate from the information technology function to avoid conflicts of interest, with its own reporting line, budget, and staff evaluations, reporting to the CEO or managing director or to a control-function general manager.
Yes, there are specific conditions on the CISO appointment, and they catch teams off guard. A full-time senior manager for the cyber security function, the CISO, must be appointed at senior management level. The framework states the CISO should hold Saudi nationality, be sufficiently qualified, and that SAMA's no-objection is required before the appointment is made. This is a governance requirement, not just a technical one.
Third Party Cyber Security is one of the four domains. It covers contract and vendor management, outsourcing, and cloud computing. Vendor cyber security is expected to be assessed and contractually enforced, and outsourcing and cloud arrangements are explicitly in scope rather than treated as out-of-band exceptions. Teams without a vendor cyber security program usually find this domain the hardest to evidence.
Three areas recur. First, the jump from informal practice to "Structured and formalized" level 3 documentation, where auditors want traceable, approved policies and procedures rather than tribal knowledge. Second, the move to level 4, which requires measured, periodically evaluated control effectiveness with key risk indicators, not point-in-time evidence. Third, the governance requirements: an independent cyber security function, board oversight, and the CISO conditions are organizational decisions that take longer than the technical work.
They are different regimes with different regulators. SAMA CSF governs SAMA-regulated financial institutions; NCA ECC is the national cyber security baseline for government and critical national infrastructure. A SAMA-regulated entity is primarily accountable to SAMA, but the two overlap substantially in governance, risk management, access control, and operations, so a single control implementation and its evidence can usually serve both with a mapping exercise. Many Saudi financial institutions track both in parallel. See our companion NCA ECC FAQ for that side.
Substantially, yes. SAMA CSF is explicitly built on industry standards including ISO and PCI, so an ISO 27001 information security management system maps well onto the Risk Management and Compliance and the Operations and Technology domains, and PCI DSS evidence transfers directly where cardholder data is in scope. What ISO and PCI do not give you: the maturity-level expectation, SAMA's specific governance, independence, and CISO requirements, and SAMA's self-assessment and audit cadence. Plan to layer those on top rather than assuming an existing certificate is sufficient.
Adoption is mandatory for Member Organizations, and the framework supersedes prior SAMA cyber security circulars. SAMA reviews and audits self-assessments, determines the compliance and maturity level, and can require remediation through its supervisory powers. Because maturity is benchmarked across the sector, a lagging institution is visible to its regulator relative to peers, which is itself a strong driver. Always confirm current supervisory expectations with SAMA, as enforcement is applied through its prudential mandate.
Only the cyber security aspects. SAMA sets out business continuity requirements separately in its Business Continuity Minimum Requirements, so the CSF should be read alongside that document rather than as a complete resilience program. The framework also notes interrelationships with other corporate areas such as physical security and fraud management, which it deliberately does not fully address on the non-cyber side.
Kevala supports SAMA CSF out of the box. Talk to us.