NCA ECC
May 30, 2026
10 min read

NCA and SAMA Dual Compliance for Banks and Fintech


Hisham Mir



Most Saudi financial institutions discover the problem the same way: they finish a SAMA compliance programme, feel done, and then learn that the National Cybersecurity Authority has its own mandatory requirements they have not touched. Or the reverse: they treat the NCA's controls as the whole job and miss the maturity-level evidence SAMA's supervisors expect. SecurityWall's NCA ECC Checklist and SAMA Compliance Checklist can help with the initial scoping.

If you are a bank, fintech, payment company, BNPL provider, or financing company operating in the Kingdom, you almost certainly answer to both. SAMA, the Saudi Central Bank, regulates your sector through its Cyber Security Framework. The NCA regulates you as part of the national cybersecurity regime: through the ECC if you are critical infrastructure, or NCNICC-1:2025 if you are not. Meeting one does not satisfy the other, and no single piece of guidance has explained how to handle both together. This article does.

The good news is that the two frameworks share a large common core, so the right approach is not two separate projects; it is one control environment, built to the union of both, with evidence mapped across each. Below: why both apply, exactly what overlaps and what does not, how one penetration test can serve both, the order to tackle things in, who specifically is caught by both, and the gaps that appear when companies focus on one and ignore the other.

  1. Why Saudi Financial Institutions Must Comply With Both
  2. The NCA vs SAMA Framework Map — Overlap and Difference
  3. Penetration Testing Under Both — One Test, Two Needs
  4. The Priority Order for Implementation
  5. Who Specifically Must Comply With Both?
  6. Common Gaps When You Focus on One and Ignore the Other
  7. How SecurityWall Handles Dual Compliance

Why Saudi Financial Institutions Must Comply With Both

The two regulators have different jobs, and you sit at the intersection.

SAMA is your sector regulator. Its Cyber Security Framework, established in 2017, sets cybersecurity expectations for the financial institutions SAMA supervises and it is enforced through supervisory review, self-assessment, and a maturity model that organisations are expected to progress along. If SAMA licenses or regulates you, the CSF applies.

The NCA is the national cybersecurity authority, with a mandate that spans the whole Kingdom. Financial institutions come under the NCA in one of two ways: through the Essential Cybersecurity Controls (ECC) if they are classed as Critical National Infrastructure, which most established banks are, or through NCNICC-1:2025 if they are a non-CNI private-sector entity, which is where many smaller fintechs land.

So a Saudi financial institution typically faces SAMA's CSF plus one NCA framework. The two were written by different bodies for different purposes, and neither defers to the other. Compliance with SAMA does not discharge your NCA obligations, and vice versa. That is the reality this guide is built around and the reason a single, mapped programme beats two disconnected ones.

The NCA vs SAMA Framework Map — Overlap and Difference

The encouraging part: the frameworks rhyme. Both are built on governance, risk management, technical defence, resilience, and third-party control, so the bulk of the work counts twice. The table below maps the NCA ECC's structure to its SAMA CSF equivalent.

Where the Frameworks Meet: NCA ECC → SAMA CSF Control Map

Control area               | NCA ECC-2:2024                     | SAMA CSF
Governance                 | Domain 1 — Governance              | Domain 1 — Leadership and Governance
Risk and compliance        | Within Domain 1 — Governance       | Domain 2 — Risk Management and Compliance
Technical controls         | Domain 2 — Defence                 | Domain 3 — Operations and Technology
Penetration testing        | Domain 2 — Defence                 | Domain 3 — Operations and Technology
Resilience and continuity  | Domain 3 — Resilience              | Within Domain 3 — Operations and Technology
Third-party and cloud      | Domain 4 — Third-Party and Cloud   | Domain 4 — Third-Party Cyber Security

The overlap is substantial — build the control once and it serves both. The differences below are where dual compliance actually demands extra work.

Unique to the NCA

  • Cybersecurity Saudization. ECC-2:2024 requires cybersecurity roles to be filled by qualified Saudi nationals, a workforce mandate SAMA's framework does not impose. For foreign-owned financial firms, this is often the hardest NCA-specific gap.
  • NCNICC-1:2025 scope. If you are a non-CNI fintech, the NCA reaches you through NCNICC rather than the ECC, with its own classification and baseline. SAMA has no equivalent tiering.

Unique to SAMA

  • The maturity model (Levels 0–5). SAMA does not just ask whether a control exists; it assesses how mature it is on a six-level scale, and expects member organisations to reach at least Level 3. This is a fundamentally different bar from the ECC's control-by-control approach.
  • Ethical red teaming. SAMA places strong emphasis on intelligence-led red team testing of financial entities, going well beyond standard penetration testing.
  • Open banking security. SAMA's open banking regime brings security requirements specific to financial data sharing that have no NCA counterpart.

Penetration Testing Under Both — One Test, Two Needs

Penetration testing is the clearest example of where dual compliance can be efficient rather than duplicative. Both frameworks require it: SAMA expects regular, structured penetration testing within its Cyber Security Operations and Technology domain as evidence that technical controls actually work, and the NCA ECC requires penetration testing within its Cybersecurity Defence domain. Two regulators, the same underlying activity.

The mistake is commissioning two separate tests to two separate specifications. The efficient path is a single engagement, scoped from the outset to satisfy both — covering the systems each framework cares about, producing evidence formatted for both supervisory reviews, and including the retesting both expect. For SAMA specifically, the testing should speak to maturity: a one-off scan does not demonstrate Level 3-plus maturity, whereas a structured, repeatable programme does.

This is how SecurityWall structures financial-sector testing: one offensive engagement, designed against both rulebooks, with reporting that your SAMA reviewer and your NCA assessment can each use. Where SAMA's red-teaming expectations apply, we extend the same programme into intelligence-led testing rather than starting again. Full detail is in our SAMA penetration testing guide and our overview of NCA penetration testing requirements.

One Engagement, Both Regulators

SecurityWall scopes a single penetration test to produce evidence for both SAMA and the NCA — and extends into red teaming where SAMA requires it. See penetration testing services →

The Priority Order for Implementation

When both frameworks apply, sequence matters: tackle the shared foundation first, then the framework-specific items, so you are never doing the same work twice.

  1. Confirm your dual scope. Establish that you are SAMA-regulated, and determine which NCA framework applies: ECC if you are CNI, NCNICC if you are not. This single decision shapes everything that follows.
  2. Build the shared governance and risk foundation. Cybersecurity strategy, an independent security function, risk management, and policies satisfy Domain 1 of both frameworks at once.
  3. Implement the common technical controls. Access management and MFA, encryption, network security, logging and monitoring, and backups all map across both — build them to the higher of the two bars.
  4. Run one penetration test for both. Scope a single engagement to serve SAMA and the NCA, formatted for both reviews.
  5. Close the framework-specific gaps. SAMA maturity levelling, red teaming, and open banking on one side; NCA Saudization and any NCNICC-specific items on the other.
  6. Self-assess and report to each regulator. Complete SAMA's self-assessment and maturity reporting, and the NCA's assessment, mapping the same evidence to both.
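The difference in bar between the two regulators is easiest to see when the same control set is scored twice. The script below is an added illustration written for this article, not SecurityWall tooling or either regulator's assessment method. The internal control names, the domain mapping dictionary, the evidence file names and the sample inputs are all hypothetical; the two scoring rules follow the article's description (the ECC asks whether a mapped control is in place and whether cybersecurity roles are Saudi-staffed, SAMA asks for maturity Level 3 or higher on its 0–5 scale and adds red teaming and open banking). The NCNICC baseline is not modelled. The same evidence artefact is filed once and indexed under both frameworks' domains, and the remediation order puts items that close a gap for both regulators first.

```python
"""Dual-scope gap evaluator: one control set scored against two regulators' rules.

Added example for this article; not SecurityWall's or any regulator's tooling.
Control names, CONTROL_MAP, evidence file names and sample data are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SAMA_MIN_MATURITY = 3  # SAMA expects at least Level 3 on its 0-5 scale


@dataclass
class Control:
    name: str
    implemented: bool
    maturity: int                     # assessed SAMA maturity level, 0-5
    evidence: list[str] = field(default_factory=list)


# Hypothetical mapping: internal control -> (ECC-2:2024 domain, SAMA CSF domain).
CONTROL_MAP = {
    "cyber_strategy":    ("ECC D1 Governance", "SAMA D1 Leadership and Governance"),
    "risk_register":     ("ECC D1 Governance", "SAMA D2 Risk Management and Compliance"),
    "mfa":               ("ECC D2 Defence",    "SAMA D3 Operations and Technology"),
    "pentest_programme": ("ECC D2 Defence",    "SAMA D3 Operations and Technology"),
    "bcp_dr":            ("ECC D3 Resilience", "SAMA D3 Operations and Technology"),
    "third_party":       ("ECC D4 Third-Party and Cloud", "SAMA D4 Third-Party Cyber Security"),
}
NCA_ONLY = {"saudization"}                   # no SAMA counterpart
SAMA_ONLY = {"red_teaming", "open_banking"}  # no NCA counterpart


def evaluate(controls: dict[str, Control], specifics: dict[str, bool]) -> dict:
    """Score one control set under both rulebooks and index evidence once for both."""
    nca_gaps: list[tuple[str, str]] = []
    sama_gaps: list[tuple[str, str]] = []
    evidence_index: dict[str, set[str]] = {}

    for name, (ecc_domain, sama_domain) in CONTROL_MAP.items():
        ctl = controls.get(name)
        if ctl is None or not ctl.implemented:
            # A missing control is a gap for both regulators.
            nca_gaps.append((name, f"not implemented ({ecc_domain})"))
            sama_gaps.append((name, f"not implemented ({sama_domain})"))
            continue
        # Collected once, presented twice: file each artefact under both domains.
        for artefact in ctl.evidence:
            evidence_index.setdefault(artefact, set()).update({ecc_domain, sama_domain})
        # ECC is satisfied by an implemented control; SAMA also needs maturity >= 3.
        if ctl.maturity < SAMA_MIN_MATURITY:
            sama_gaps.append((name, f"maturity Level {ctl.maturity} below Level "
                                    f"{SAMA_MIN_MATURITY} ({sama_domain})"))

    for item in sorted(NCA_ONLY):
        if not specifics.get(item, False):
            nca_gaps.append((item, "NCA-specific requirement not met"))
    for item in sorted(SAMA_ONLY):
        if not specifics.get(item, False):
            sama_gaps.append((item, "SAMA-specific requirement not met"))

    return {"nca": nca_gaps, "sama": sama_gaps,
            "evidence_index": {k: sorted(v) for k, v in evidence_index.items()}}


def remediation_order(result: dict) -> list[str]:
    """Items that close a gap for both regulators first, then single-framework items."""
    nca = {name for name, _ in result["nca"]}
    sama = {name for name, _ in result["sama"]}
    return sorted(nca & sama) + sorted(nca - sama) + sorted(sama - nca)


def run_sample() -> dict:
    """Constructed sample: every control exists on paper except BC/DR."""
    controls = {
        "cyber_strategy":    Control("cyber_strategy", True, 3, ["strategy-v3.pdf"]),
        "risk_register":     Control("risk_register", True, 3, ["risk-register.xlsx"]),
        "mfa":               Control("mfa", True, 2, ["mfa-config-export.json"]),  # exists, immature
        "pentest_programme": Control("pentest_programme", True, 3, ["pentest-report-2026Q1.pdf"]),
        "bcp_dr":            Control("bcp_dr", False, 0),
        "third_party":       Control("third_party", True, 3, ["vendor-register.xlsx"]),
    }
    specifics = {"saudization": False, "red_teaming": False, "open_banking": True}
    return evaluate(controls, specifics)


if __name__ == "__main__":
    res = run_sample()
    for reg in ("nca", "sama"):
        print(reg.upper(), "gaps:", *[f"{n}: {why}" for n, why in res[reg]], sep="\n  ")
    print("Remediation order:", remediation_order(res))
```

In the sample, MFA passes the ECC check but appears as a SAMA gap at Level 2, which is the "NCA-focused firms miss SAMA maturity evidence" failure from later in the article; Saudization appears only on the NCA side, red teaming only on the SAMA side, and the missing BC/DR control is the first item in the remediation order because fixing it serves both regulators.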

Who Specifically Must Comply With Both?

If SAMA regulates you and you operate in the Kingdom, assume both frameworks apply until proven otherwise. In practice that captures:

  • Commercial banks: SAMA CSF, and the NCA ECC as critical infrastructure.
  • Payment companies and payment service providers: SAMA CSF, plus the NCA via ECC or NCNICC depending on CNI status.
  • BNPL (buy-now-pay-later) providers: SAMA-regulated, and in NCA scope.
  • Microfinance and financing companies: SAMA CSF, plus the applicable NCA framework.
  • Fintechs with SAMA licensing or under the regulatory sandbox: SAMA CSF, and typically NCNICC-1:2025 as a non-CNI private-sector entity.

The practical takeaway: the larger and more systemically important you are, the more likely your NCA obligation runs through the ECC; the smaller and newer you are, the more likely it runs through NCNICC. Either way, the SAMA obligation is constant and the two stack.

Common Gaps When You Focus on One and Ignore the Other

The failure pattern is predictable, and it runs in both directions.

  • SAMA-focused firms miss NCA Saudization. A mature SAMA programme says nothing about who staffs your security function, so firms sail through SAMA and then fail the ECC's requirement that cybersecurity roles be held by Saudi nationals.
  • SAMA-focused firms miss their NCA framework entirely. Having "done SAMA," they never scope ECC or NCNICC and are unaware of an obligation that already applies.
  • NCA-focused firms miss SAMA maturity evidence. They implement controls but cannot demonstrate Level 3-plus maturity, because the ECC never asked them to think in maturity terms.
  • NCA-focused firms miss red teaming and open banking controls. SAMA-specific expectations that simply are not in the NCA frameworks.
  • Everyone duplicates effort. The most common and most expensive gap is organisational, not technical: running two disconnected programmes, commissioning two penetration tests, and re-collecting the same evidence for each regulator instead of mapping one control set to both.

The fix for all of these is the same: a single programme designed to the union of both frameworks, with evidence mapped across them.

How SecurityWall Handles Dual Compliance

SecurityWall is an NCA-registered cybersecurity firm that runs NCA and SAMA programmes together for Saudi financial institutions: one engagement covering both regulators rather than two parallel projects. Our team holds OSCP, OSWE, CREST, CRT, CISM, and CISSP credentials and works to the current requirements of both frameworks.

Dual-Scope Assessment

  • Confirm SAMA applicability and your NCA framework (ECC or NCNICC) in one exercise
  • A single gap assessment mapped to both rulebooks, so nothing is assessed twice
  • A unified remediation roadmap prioritised by what serves both regulators first

One Penetration Testing Programme

  • A single penetration test scoped to satisfy SAMA's Operations and Technology testing and the NCA's Defence testing
  • Red teaming extended from the same programme where SAMA expects intelligence-led testing
  • Reporting formatted for both supervisory and assessment review, with retesting included

Maturity and Evidence Mapping

  • Building controls to SAMA's maturity model, targeting Level 3 and above, not just existence
  • Evidence packs mapped once and presented to each regulator
  • Support through SAMA self-assessment and NCA assessment

NCA-Registered and Financial-Sector Focused

  • A recognised provider within the Kingdom's regulated cybersecurity ecosystem
  • Familiar with how both SAMA and the NCA assess financial institutions
  • A single partner across SAMA compliance and NCA compliance

NCA + SAMA · One Programme

Satisfy Both Regulators Without Doing the Work Twice.

An NCA-registered team to map your controls across SAMA's CSF and the NCA's ECC or NCNICC, run one penetration test for both, and get you to the maturity SAMA expects. Built for Saudi banks, fintechs, and payment firms.

NCA-registered · OSCP, OSWE, CREST, CRT, CISM, and CISSP-certified team

Frequently Asked Questions

Do Saudi banks have to comply with both NCA and SAMA?

Yes. SAMA regulates banks through its Cyber Security Framework, and the NCA regulates them through the Essential Cybersecurity Controls as Critical National Infrastructure. The two frameworks are separate, and meeting one does not satisfy the other.

What is the difference between NCA and SAMA compliance?

SAMA is the financial-sector regulator; its CSF uses a six-level maturity model and adds requirements like ethical red teaming and open banking security. The NCA is the national cybersecurity authority; its ECC and NCNICC frameworks are control-based and add requirements like cybersecurity Saudization. They overlap heavily on governance, technical controls, and third-party security.

Do fintechs in Saudi Arabia need both NCA and SAMA compliance?

Usually yes. A SAMA-licensed fintech is bound by the SAMA CSF, and is typically in NCA scope through NCNICC-1:2025 as a non-CNI private-sector entity, or through the ECC if it operates critical infrastructure.

Can one penetration test satisfy both SAMA and NCA?

Yes, if it is scoped to both from the start. Both frameworks require penetration testing (SAMA within its Operations and Technology domain, the NCA within its Defence domain), so a single engagement designed against both specifications, with appropriately formatted reporting, can serve both reviews.

What is unique to SAMA that the NCA frameworks do not require?

SAMA's maturity model (Levels 0–5, with at least Level 3 expected), its emphasis on intelligence-led red teaming, and its open banking security requirements have no direct equivalent in the NCA's ECC or NCNICC.

What is unique to the NCA that SAMA does not require?

Cybersecurity Saudization, the requirement that cybersecurity roles be filled by qualified Saudi nationals, and the NCNICC-1:2025 classification for non-CNI private-sector entities are NCA-specific and absent from the SAMA CSF.

Tags

NCA ECC · NCA Saudi Arabia · Fintech · Saudi Arabia · Saudi Compliance · SAMA · SAMA Framework · Compliance

About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.
