What Is the SAMA Cybersecurity Framework and Why Is It Mandatory?
The Saudi Central Bank (SAMA — formerly the Saudi Arabian Monetary Authority) published its Cybersecurity Framework (CSF) to protect the Kingdom's financial sector from escalating cyber threats. Compliance is not optional: every institution that holds a SAMA licence — or operates under SAMA's supervisory authority — must demonstrate that its cybersecurity controls meet the framework's maturity requirements. SAMA conducts supervisory inspections, and non-compliance can lead to formal sanctions, licence conditions, or revocation. With Saudi Arabia's financial sector digitising rapidly under Vision 2030, the framework has become the single most important cybersecurity regulation for any organisation that touches money in the Kingdom.
Who Must Comply with the SAMA Cybersecurity Framework?
The framework applies to all SAMA-regulated Member Organizations. In practice, that includes:
All commercial, digital, and wholesale banks licensed in Saudi Arabia
Insurance and reinsurance companies, including cooperative insurance firms (insurance entities also face additional SAMA circulars on data localisation and third-party outsourcing)
Consumer finance, micro-lending, and leasing companies
Any fintech operating under a SAMA sandbox or full licence, including open-banking providers
Payment gateways, card acquirers, e-wallet operators, and money transfer services
SIMAH and other financial market utilities
If you process, store, or transmit financial data in Saudi Arabia, the SAMA CSF almost certainly applies to you. Third-party service providers to regulated entities are also indirectly in scope — Member Organizations must ensure their vendors meet the framework's third-party risk management requirements.
SAMA CSF Maturity Levels Explained (Level 0–5)
The SAMA Cybersecurity Framework uses a six-level maturity model to measure how well an organisation's controls are defined, implemented, and optimised. Understanding these levels is essential — they determine whether you pass or fail a SAMA inspection.
| Level | Name | What It Means |
|---|---|---|
| 0 | Non-existent | No controls in place. The organisation has not recognised the need for the control. |
| 1 | Ad-hoc | Controls exist but are informal, inconsistent, and undocumented. Execution depends on individual effort. |
| 2 | Repeatable but informal | Controls are documented and repeatable but not yet standardised across the organisation. Some processes are followed consistently. |
| 3 | Structured and formalised | Controls are fully documented, standardised, and consistently applied across the organisation. This is the minimum level SAMA requires for all domains. |
| 4 | Managed and measurable | Controls are measured using KRIs and metrics. The organisation can demonstrate that controls are performing as intended. Required for critical subdomains. |
| 5 | Adaptive | Continuous improvement is embedded. Controls are regularly refined based on lessons learned, threat intelligence, and industry best practices. |
Most organisations we assess initially score between Level 1 and Level 2 across the majority of subdomains. The jump from Level 2 to Level 3 is where the bulk of remediation work happens — and where organisations need the most help.
What SAMA Maturity Level 3 Actually Requires
Level 3 ("Structured and formalised") is the minimum passing grade across all SAMA CSF domains. Reaching it means your organisation has moved beyond ad-hoc or partially documented controls into a state where cybersecurity is standardised and consistently applied. Specifically, Level 3 requires:
A documented cyber strategy aligned with business objectives, approved by the Board of Directors, and reviewed at least annually.
Written policies covering every domain and subdomain of the SAMA CSF, with supporting procedures that staff can follow consistently. Generic templates are not enough: policies must reflect your actual operating environment.
A full-time CISO at senior management level, a functioning Cybersecurity Committee, and clear reporting lines to the Board.
Access controls, network segmentation, encryption, logging, vulnerability scanning, and incident detection tools — deployed and operational, not just planned.
A documented vendor risk assessment process, contractual security requirements for third parties, and ongoing monitoring of critical suppliers.
A tested incident response plan with defined roles, communication protocols, and escalation procedures. Tabletop exercises or simulations must have been conducted.
A cybersecurity awareness programme covering all employees, with role-specific training for technical staff and senior management.
Documentation alone is not enough. SAMA expects evidence that controls are being followed in practice — logs, reports, meeting minutes, training records, and audit trails.
For four critical subdomains — Cyber Event Management, Incident Management, Threat Management, and Vulnerability Management — SAMA expects organisations to also develop a roadmap toward Level 4, which adds measurable KRIs and demonstrated control effectiveness.
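What a Level 4 "measurable KRI" looks like in practice for the Vulnerability Management subdomain, as an added example that is not from the page or from SAMA: the script below computes SLA compliance per severity from a scan export and flags the severities whose compliance fell below a threshold. The SLA windows, the KRI thresholds and the sample findings are constructed assumptions; SAMA does not prescribe these specific numbers.

```python
"""Vulnerability-remediation KRI computed from a scan export.

Added example, not code from the page or from SAMA. SLA_DAYS, THRESHOLDS and
SAMPLE are constructed assumptions chosen only to make the computation concrete.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Hypothetical internal remediation SLAs (days from discovery to closure).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str
    severity: str
    discovered: date
    closed: Optional[date]  # None means the finding is still open


def days_open(f: Finding, as_of: date) -> int:
    """Days between discovery and closure, or discovery and the reporting date if still open."""
    end = f.closed or as_of
    return (end - f.discovered).days


def within_sla(f: Finding, as_of: date) -> bool:
    """True if the finding was closed inside its SLA window, or is open but not yet past it."""
    return days_open(f, as_of) <= SLA_DAYS[f.severity]


def kri_sla_compliance(findings: List[Finding], as_of: date) -> Dict[str, dict]:
    """Per severity: total findings, % meeting SLA, and open findings already past SLA."""
    met: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    overdue_open: Dict[str, int] = defaultdict(int)
    for f in findings:
        total[f.severity] += 1
        if within_sla(f, as_of):
            met[f.severity] += 1
        elif f.closed is None:
            overdue_open[f.severity] += 1
    return {
        sev: {
            "total": total[sev],
            "sla_pct": round(100 * met[sev] / total[sev], 1) if total[sev] else None,
            "overdue_open": overdue_open[sev],
        }
        for sev in SLA_DAYS
    }


def kri_breaches(report: Dict[str, dict], thresholds: Dict[str, float]) -> List[str]:
    """Severities whose SLA compliance is below the KRI threshold (what a dashboard would flag)."""
    return sorted(
        sev for sev, t in thresholds.items()
        if report[sev]["sla_pct"] is not None and report[sev]["sla_pct"] < t
    )


# Constructed sample scan export (placeholder asset names and finding IDs, not real data).
SAMPLE = [
    Finding("core-banking-db01", "VULN-001", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    Finding("core-banking-db01", "VULN-002", "critical", date(2024, 3, 1), None),
    Finding("payments-gw02", "VULN-003", "high", date(2024, 2, 15), date(2024, 3, 25)),
    Finding("web-portal01", "VULN-004", "high", date(2024, 3, 20), date(2024, 4, 2)),
    Finding("web-portal01", "VULN-005", "medium", date(2024, 1, 5), None),
    Finding("hr-app01", "VULN-006", "low", date(2024, 3, 28), None),
]
AS_OF = date(2024, 4, 15)
# Hypothetical KRI thresholds: minimum % of findings that must be remediated within SLA.
THRESHOLDS = {"critical": 100, "high": 95, "medium": 90, "low": 80}

if __name__ == "__main__":
    report = kri_sla_compliance(SAMPLE, AS_OF)
    for sev, row in report.items():
        print(f"{sev:8} total={row['total']} sla={row['sla_pct']}% overdue_open={row['overdue_open']}")
    print("KRI breaches:", kri_breaches(report, THRESHOLDS))
```

The point an inspector would look for at Level 4 is not the script but the trail it feeds: the thresholds agreed by the Cybersecurity Committee, the monthly figures it produces, and the minutes showing what was done when a severity breached its threshold.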
Our 5-Step SAMA Compliance Process
We have guided financial institutions across Saudi Arabia and the wider GCC through SAMA compliance — from first assessment to successful inspection. Our process is designed to be efficient, thorough, and audit-ready from day one.
Gap Assessment
3–4 weeks
We assess your current cybersecurity posture against every SAMA CSF domain and subdomain. Each control is scored on the maturity model, giving you a clear baseline and a precise picture of where you stand versus where SAMA expects you to be. The output is a detailed gap analysis report with control-by-control scoring.
Compliance Roadmap
4–6 weeks
Based on the gap assessment, we develop a prioritised remediation roadmap. Critical gaps that could trigger immediate SAMA action are addressed first. The roadmap includes timelines, resource requirements, budget estimates, and clear ownership assignments. This roadmap is designed to be board-presentable, because SAMA requires Board approval.
Implementation
3–12 months
We work alongside your team to implement the controls, policies, governance structures, and technical capabilities required to reach Level 3 (and Level 4 where needed). This includes drafting policies, configuring security tools, establishing your threat intelligence function, setting up KRI dashboards, and building your incident response capability. We can supplement your team with specialist resources where gaps exist.
Testing & Validation
2–4 weeks
Before you face a SAMA inspection, we validate that your controls actually work. This includes penetration testing, red team exercises, control effectiveness testing, and tabletop incident simulations. We test against the same criteria SAMA inspectors use, so there are no surprises.
Audit Preparation
2–3 weeks
We prepare your evidence packs, conduct mock SAMA inspections, brief your CISO and senior management on what to expect, and ensure all documentation is organised and audit-ready. When SAMA arrives, your team knows exactly what to present and how to respond.
Eight Key Areas of the SAMA Cybersecurity Framework
The SAMA CSF is organised into four main domains (Cybersecurity Leadership and Governance; Cybersecurity Risk Management and Compliance; Cybersecurity Operations and Technology; Third Party Cybersecurity), each broken into subdomains with specific control requirements. Our compliance services cover the whole framework; the eight areas below are where most of the remediation effort typically lands:
Cybersecurity Strategy
Board-level strategy, governance, and resource allocation for cybersecurity across the organisation.
Threat Management
Threat intelligence capabilities, threat landscape monitoring, and proactive threat hunting.
Vulnerability Management
Systematic vulnerability identification, prioritisation, remediation tracking, and patch management.
Incident Management
Detection, response, containment, recovery, and post-incident analysis processes.
Cyber Event Management
Security event monitoring, log management, SIEM operations, and correlation analysis.
Risk Management
Cybersecurity risk assessment frameworks, risk registers, and risk treatment planning.
Access Control
Identity management, privileged access controls, authentication mechanisms, and access reviews.
Third-Party Risk Management
Vendor security assessments, contractual controls, and ongoing third-party monitoring.
Why SecurityWall for SAMA Compliance
SAMA compliance is not a checkbox exercise — it requires deep cybersecurity expertise combined with an understanding of the Saudi regulatory environment. Here is why financial institutions across the Kingdom trust SecurityWall:
Certified offensive and defensive expertise
Our team holds OSCP, OSWE, CISSP, and CREST certifications. We do not just write policies — we test them with the same techniques real attackers use. When we say a control works, we have validated it hands-on.
Saudi and UAE regulatory experience
We have delivered SAMA compliance programmes for banks, insurance companies, and fintech firms in Saudi Arabia. We also work with NESA in the UAE, giving us cross-border GCC regulatory expertise that few firms can match.
End-to-end capability
From gap assessment through implementation to penetration testing and audit preparation, we handle the entire compliance lifecycle. You do not need to coordinate between a consulting firm, a pen-testing vendor, and a documentation specialist — we are all three.
Practical, audit-ready deliverables
Every policy, procedure, and report we produce is designed to survive a SAMA inspection. We have been through the process and know what inspectors look for, what questions they ask, and what evidence satisfies them.
Dedicated CISO support
If your organisation needs CISO advisory support — whether as an interim measure or ongoing guidance — we provide senior-level cybersecurity leadership to fill the gap while you recruit.
SAMA Compliance for Insurance Companies
Insurance and reinsurance companies face additional SAMA requirements beyond the core CSF. These include specific circulars on data localisation, outsourcing restrictions, and enhanced reporting obligations. Insurance firms must also navigate the intersection of SAMA's cybersecurity requirements with the insurance sector's operational risk frameworks. Our team has specific experience with the insurance sector's unique compliance challenges and can help you address both the core CSF requirements and the sector-specific circulars simultaneously.