Compliance Guide

SAMA CSF — Cybersecurity Framework for Financial Institutions

The Saudi Central Bank's cybersecurity framework for all regulated financial entities. 4 domains, 5 maturity levels, mandatory for banks, insurance, fintech, and payment providers.

What is SAMA CSF?

The Saudi Central Bank (SAMA) Cybersecurity Framework establishes minimum cybersecurity requirements for all financial institutions regulated by SAMA. It defines a maturity model from Level 0 (Non-existent) to Level 5 (Adaptive), requiring organizations to demonstrate progressive cybersecurity capabilities.

  • Domains: 4
  • Maturity Levels: 0–5
  • Regulated: All SAMA
  • Self-assessment: Quarterly

Who must comply?

  • Banks and banking institutions
  • Insurance companies
  • Finance companies
  • Payment service providers
  • Fintech companies (including SAMA Sandbox participants)
  • Credit bureaus
  • Money exchange services

The 6 maturity levels

  • Level 0, Non-existent: No cybersecurity processes or controls
  • Level 1, Ad-hoc: Informal, reactive cybersecurity practices
  • Level 2, Repeatable: Basic processes defined but inconsistently applied
  • Level 3, Defined (Minimum target): Standardized processes documented and implemented; minimum target for most institutions
  • Level 4, Managed: Processes measured and controlled with metrics
  • Level 5, Adaptive: Continuous improvement and proactive threat anticipation

The 4 SAMA CSF Domains

Cyber Security Leadership & Governance

Strategy, governance structure, risk management, compliance oversight. Board-level accountability and executive responsibility for cybersecurity.

Cyber Security Risk Management & Compliance

Risk assessment methodology, regulatory compliance tracking, internal audit coordination. Continuous risk monitoring and treatment.

Cyber Security Operations & Technology

Security operations center, identity and access management, network security, application security, endpoint protection, vulnerability management.

Third Party Cyber Security

Vendor due diligence, outsourcing controls, supply chain risk management, contractual security requirements for third parties.

How CYDER automates SAMA CSF compliance

SAMA maturity scoring

Real-time maturity level tracking across all 4 domains. Progress from Level 0 to target level with guided remediation steps.

Sandbox compliance

Pre-configured compliance profile for SAMA Sandbox participants. Automatic transition path to full licensing requirements.

Quarterly reporting

Auto-generate SAMA-formatted quarterly self-assessment reports in Arabic and English. Board-level cyber risk dashboards.
