The Saudi Central Bank mandates Level 3 maturity under SAMA CSF v1.0 for every regulated financial institution — with fines of up to SAR 10,000,000 and licence suspension for non-compliance. CyberSilo automates gap assessment, maturity scoring, and audit evidence collection across all four SAMA CSF domains.
The SAMA Cybersecurity Framework (SAMA CSF) is a mandatory cybersecurity standard published by the Saudi Central Bank — formerly known as the Saudi Arabian Monetary Authority, and still abbreviated SAMA — in July 2017, with subsequent enforcement circulars issued through 2024. SAMA CSF v1.0 establishes a structured set of cybersecurity controls across four domains and 19 sub-domains, requiring all regulated entities to demonstrate a minimum maturity level of 3 (Defined) through an annual self-assessment process. The framework governs how Saudi financial institutions protect information assets, manage cyber risk, operate security controls, and oversee third-party suppliers — making it the foundational cybersecurity obligation for the entire Saudi financial sector.
SAMA CSF compliance is mandatory — not voluntary — for every entity holding a licence from the Saudi Central Bank. This encompasses Saudi commercial banks including Al Rajhi Bank, Saudi National Bank, and Riyad Bank; all insurance and reinsurance companies; finance companies; money changers; credit bureaus; payment service providers; and fintech companies licensed under SAMA's Open Banking and Payment frameworks. There are no revenue thresholds or size exemptions: a newly licensed fintech startup with ten employees faces the same mandatory minimum Level 3 requirement as a systemically important bank. Geographic scope is Saudi Arabia, though Saudi banks with international subsidiaries increasingly align group-level standards to SAMA CSF requirements. The framework also applies to foreign banks operating through branches in the Kingdom. Compliance Standards Automation (CSA) from CyberSilo maps your entity's current posture against every mandatory control from day one of deployment.
Non-compliance consequences under the SAMA Cybersecurity Framework are substantive and multi-dimensional. The Saudi Central Bank can impose administrative fines of up to SAR 10,000,000 (approximately USD 2.67 million) per violation under the Banking Control Law and SAMA's regulatory circulars. In 2022 and 2023, SAMA exercised this authority by suspending the operating licences of several payment service providers and fintech firms that failed to demonstrate adequate cybersecurity maturity — with insufficient third-party risk management and SOC capability cited as primary deficiencies. Secondary consequences extend beyond direct fines: SAMA routinely conditions approval for new product launches, international expansion, M&A activity, and new licence categories on demonstrated cybersecurity compliance posture. Accessing Saudi Arabia's growing Vision 2030 financial infrastructure — including the real-time payments network Sarie, SAMA's Open Banking platform, and the Saudi Payment Network — is practically contingent on maintaining SAMA CSF compliance in good standing. Among the leading compliance automation platforms compared on SAMA CSF coverage, CyberSilo addresses the broadest scope of the framework's evidence requirements.
Beyond legal minimums, Saudi banks, insurance companies, and fintech platforms pursue SAMA CSF maturity improvements proactively for compelling commercial reasons. Domestic enterprise procurement teams across Vision 2030 giga-projects — Neom, Red Sea Global, Diriyah Gate, and others — require financial service vendors to demonstrate SAMA CSF compliance as a contract prerequisite, not merely a regulatory box-tick. Saudi Aramco and major SABIC subsidiaries require their financial services providers to evidence Level 3 maturity before onboarding. Cyber insurance underwriters operating in the Kingdom specifically reference SAMA CSF maturity level in premium calculations, with Level 4 (Managed) institutions receiving measurably better terms. M&A due diligence for Saudi financial sector acquisitions now routinely includes SAMA CSF maturity assessment as a material valuation factor. In this environment, continuous security monitoring via ThreatHawk SIEM isn't just a compliance checkbox — it's a commercial asset that differentiates compliant institutions in Saudi Arabia's competitive financial market.
SAMA CSF v1.0 organises its 143 controls across 4 domains and 19 sub-domains. Every control is scored on a six-level maturity scale (0–5), and every SAMA-regulated entity must demonstrate Level 3 (Defined) across all domains in their annual self-assessment.
The CLG (Cybersecurity Leadership and Governance) domain requires SAMA-regulated entities to establish Board-level cybersecurity oversight, a formally appointed CISO with independent reporting lines outside IT, a Board-approved Cybersecurity Strategy aligned to the institution's business objectives, a comprehensive Policy Framework covering all aspects of information security, and structured annual cybersecurity awareness and training programmes for all staff. For Saudi banks, the CLG domain mandates that the Board of Directors and Executive Management formally own cybersecurity risk — not delegate it entirely to technology leadership. CyberSilo's compliance automation platform tracks CLG policy documentation, training completion rates, and Board reporting cycles in a single dashboard.
The CRMC (Cybersecurity Risk Management and Compliance) domain mandates a documented Cybersecurity Risk Management Framework with quantified risk appetite, annual risk assessments, formal risk treatment plans, and a risk register maintained at the enterprise level. It additionally requires independent cybersecurity audit functions, regulatory compliance monitoring, structured cybersecurity change management processes for system modifications, and a formal Human Resources security programme covering background screening, onboarding procedures, and joiner/mover/leaver controls. Saudi insurance companies and fintech platforms frequently cite CRMC as the most time-consuming domain in which to achieve Level 3 maturity, because of the breadth of documentation and process formalisation required across its sub-domains. Annual risk assessment evidence and audit findings are among the primary artefacts SAMA reviewers examine.
The COT (Cybersecurity Operations and Technology) domain is the most technically demanding in SAMA CSF v1.0, covering seven sub-domains: Cybersecurity Architecture (network segmentation, zero-trust design), Identity and Access Management (privileged access, MFA, access reviews), Asset Management (hardware and software inventory), IT Operations Management (patch management, vulnerability scanning, incident response), Application Security (SDLC controls, DAST/SAST), Cryptography (encryption standards, key management), and Physical and Environmental Security. At Level 3, organisations must operate a 24/7 Security Operations Center capability with documented incident detection and response procedures. ThreatHawk SIEM directly satisfies the COT sub-domain requirements for continuous monitoring, log management, and security event detection — generating the event logs and incident records SAMA auditors require as primary COT evidence.
The TPC (Third Party Cybersecurity) domain requires all SAMA-regulated entities to conduct formal cybersecurity due diligence assessments on every third-party IT vendor and service provider before onboarding — including software vendors, cloud providers, payment processors, and managed service providers. Third-party cybersecurity obligations must be formalised in contractual agreements, including right-to-audit clauses and specific incident notification timelines. The Cloud Computing Security sub-domain addresses the growing adoption of AWS, Microsoft Azure, and Oracle Cloud in Saudi banking, requiring entities to assess and document cloud provider security controls, data residency compliance, and shared responsibility boundaries. SAMA's 2022–2023 enforcement actions specifically cited inadequate TPC controls as a primary compliance failure, making the third-party and cloud sub-domains among the highest-risk areas to leave uncovered when evaluating compliance automation tooling in the Saudi financial sector.
SAMA CSF measures compliance on a 0–5 maturity scale across all 19 sub-domains. Level 3 (Defined) is the mandatory minimum every regulated entity must achieve. Progressing toward Levels 4 and 5 is expected as part of each institution's annual improvement roadmap.
Level 0: Cybersecurity controls are completely absent. The organisation has no documented policies, no security processes, and no awareness of the risk areas the framework addresses. A self-assessment score of Level 0 in any sub-domain constitutes a critical regulatory non-compliance finding requiring immediate remediation.
Level 1: Some security activities exist but are informal, inconsistent, and reliant on individual effort rather than documented process. Cybersecurity practices are reactive — applied after incidents rather than preventively. Level 1 is common in newly licensed fintech entities during their first year of operations under SAMA supervision.
Level 2: Cybersecurity controls are applied consistently but lack formal documentation, defined ownership, or measurable outcomes. Processes depend on institutional knowledge rather than written procedures. Level 2 represents the minimum baseline expected of any operating SAMA-regulated entity and is insufficient to satisfy the annual self-assessment requirement.
Level 3 (Defined): Cybersecurity controls are formally documented in approved policies and procedures, consistently implemented across the organisation, and supported by measurable evidence of operation. A Board-approved Cybersecurity Strategy exists. Risk assessments are conducted annually. The SOC operates with defined incident response procedures. All 19 sub-domains must reach Level 3 to satisfy SAMA's mandatory compliance threshold and pass the annual self-assessment.
Level 4 (Managed): Cybersecurity performance is quantitatively measured through defined KPIs and KRIs. Security metrics are reported to Board-level committees. Controls are tested regularly, and improvement actions are tracked through a formal programme. SAMA expects institutions providing critical financial infrastructure to demonstrate Level 4 maturity in COT sub-domains related to IAM and Architecture.
Level 5: The cybersecurity programme continuously evolves based on threat intelligence, industry benchmarking, and lessons learned from incidents and assessments. Threat modelling drives proactive control investment. Cybersecurity is embedded in strategic planning, product development, and M&A due diligence. Level 5 is the aspirational target for Saudi systemically important banks within their multi-year SAMA compliance roadmap.
CyberSilo's automated gap assessment engine evaluates your organisation against every SAMA CSF sub-control across CLG, CRMC, COT, and TPC domains, scoring your current maturity level (0–5) for each of the 19 sub-domains and generating a prioritised remediation roadmap anchored to the mandatory Level 3 threshold. The SAMA compliance automation gap analysis identifies control deficiencies, maps them to specific SAMA sub-domain references, and produces a structured remediation backlog your CISO can action immediately.
For every control gap below Level 3, CyberSilo generates structured remediation tasks linked to the specific SAMA sub-domain — whether closing access control gaps in the COT IAM sub-domain, establishing formal third-party due diligence processes under TPC, formalising annual cybersecurity risk assessments under CRMC, or documenting a Board-approved Cybersecurity Strategy under CLG. Remediation tasks are prioritised by regulatory risk and assigned to responsible owners with tracked completion dates. Organisations can review how industry-adopted CIS benchmarking tools complement SAMA CSF technical control implementation in the COT domain.
SAMA CSF auditors require policy documents, access control logs, IAM configuration records, SOC event logs, incident response records, penetration test reports, vendor assessment records, training completion evidence, and Business Continuity test results. CyberSilo automatically collects, timestamps, and organises all artefacts by domain and sub-domain — replacing weeks of manual evidence compilation. The ISO 27001 control crosswalk built into CyberSilo means organisations pursuing ISO 27001 alongside SAMA CSF generate shared evidence for both frameworks simultaneously, eliminating duplicated compliance effort.
CyberSilo generates a structured Annual Cybersecurity Self-Assessment Report in the format expected by SAMA, displaying maturity scores for all four domains and all 19 sub-domains with evidence references for each scored control. The SAMA maturity assessment report provides your Board with a clear, quantified cybersecurity posture view against the mandatory Level 3 benchmark, and gives your CISO the documented artefact needed for SAMA submission, internal governance, and — if SAMA commissions a third-party review — external auditor access.
CyberSilo's four-stage automation workflow eliminates the manual evidence compilation, spreadsheet-based control tracking, and consultant-intensive assessment cycles that make SAMA CSF compliance unnecessarily expensive for Saudi financial institutions. Organisations running both SAMA CSF and NESA compliance in UAE operations can manage both frameworks from a single unified platform, sharing evidence across parallel GCC regulatory requirements.
SAMA's enforcement actions and examination findings between 2020 and 2024 consistently identify four recurring compliance gaps across Saudi banks, insurers, and fintech platforms. First, insufficient CISO independence under the CLG Governance Framework sub-domain: many institutions appoint a CISO who reports to the CTO or Head of IT rather than directly to the CEO or Board Risk Committee — a structural gap that SAMA assessors flag as a Level 2 finding regardless of how strong technical controls are. Second, underdeveloped third-party due diligence under the TPC domain: organisations onboard cloud providers, payment processors, and software vendors without completing SAMA's required pre-onboarding cybersecurity assessment, creating TPC sub-domain gaps that are among the most frequently penalised. Third, inadequate Security Operations Center documentation under COT IT Operations Management: the SOC may be operationally functional but lacks the formal incident response procedures, escalation matrices, and detection playbooks required for Level 3 scoring. Fourth, missing annual penetration testing evidence: SAMA CSF requires documented penetration testing results as a COT artefact, yet many smaller institutions fail to commission qualified external testers on the mandatory annual cycle. A review of leading compliance automation platforms compared for SAMA CSF coverage shows that automated evidence collection closes the documentation gap faster than any manual process. Understanding common SIEM gaps that affect compliance evidence quality is particularly important for COT domain evidence completeness in the Saudi context.
Unlike ISO 27001, which mandates third-party certification by an IAF-accredited body, SAMA CSF's primary compliance mechanism is an annual self-assessment submitted by the regulated entity to SAMA. There is no mandatory third-party certification body, no IAF-accredited auditor requirement, and no external certification mark. The annual self-assessment — structured across all four domains and 19 sub-domains with a maturity score for each — is submitted directly to SAMA as part of the institution's regular regulatory reporting cycle. However, SAMA retains the authority to commission independent third-party assessments at any time, conducted by SAMA-approved external assessors, and these assessments carry binding weight. SAMA increasingly exercises this authority when preliminary review of a self-assessment reveals inconsistencies or when an institution has experienced a significant cybersecurity incident. Initial SAMA CSF compliance programmes — from gap assessment through to Level 3 achievement and first annual submission — typically take 12–18 months for institutions starting from a low baseline, and 6–9 months for those with existing ISO 27001 or NIST CSF implementations. AI-powered SOC automation that supports COT domain evidence generation is increasingly relevant as SAMA tightens monitoring requirements on Saudi financial institutions' detection capabilities.
Achieving Level 3 maturity in a single annual self-assessment cycle does not constitute permanent SAMA CSF compliance. Post-assessment obligations under SAMA CSF v1.0 and subsequent SAMA circulars require ongoing effort across multiple dimensions. Annual self-assessments must be submitted each year, with maturity scores expected to improve over time — stagnant scores across multiple assessment cycles are treated by SAMA as a potential indicator of a compliance programme that achieved minimum thresholds on paper without embedding controls operationally. Material changes to the organisation — new system acquisitions, significant cloud migrations, mergers and acquisitions, new product launches involving customer data, and major infrastructure changes — require re-assessment of affected SAMA sub-domains before go-live, not after. Penetration testing must be repeated annually at minimum for Level 3 organisations and semi-annually for institutions targeting Level 4. The COT IAM sub-domain requires documented access review cycles — typically quarterly for privileged accounts and annually for standard users — generating ongoing access log evidence that must be continuously collected and retained. Third-party contract cybersecurity obligations under the TPC domain must be actively monitored: when a vendor's own security posture changes materially, the regulated entity bears responsibility for updating its due diligence assessment. Configuration drift in network architecture, new API integrations with fintech partners, and changes to cloud provider agreements all create continuous SAMA CSF compliance risk that only automated, real-time threat exposure management can systematically address. 
Additionally, SAMA continues to raise cybersecurity expectations under Saudi Arabia's Vision 2030 financial sector digitalisation programme, so the definition of acceptable Level 3 practice keeps evolving. CIS benchmarking tools mapped to SAMA COT technical controls help Saudi banks validate their ongoing compliance posture between formal annual assessment cycles and stay ahead of tightening SAMA expectations.
NIST CSF is the foundational international framework that SAMA CSF partially draws from — but the two differ critically in enforceability, scope, and assessment mechanism. NIST CSF is voluntary and applicable globally to any organisation; SAMA CSF is legally mandatory for all Saudi Central Bank-regulated entities and applies exclusively to Saudi financial institutions. NIST CSF 2.0 uses six functions (Govern, Identify, Protect, Detect, Respond, Recover) without prescribing a maturity scoring mechanism; SAMA CSF enforces a six-level maturity scale with Level 3 as a hard regulatory minimum. Saudi banks pursuing both frameworks will find that SAMA CSF's four domains map well to NIST CSF functions, with CRMC aligning to Govern and Identify, and COT aligning to Protect, Detect, and Respond — allowing significant evidence reuse across both frameworks from a single compliance programme.
For Saudi banking, insurance, and fintech organisations navigating both SAMA CSF and ISO 27001, the critical distinction is that ISO 27001 requires external certification by an IAF-accredited certification body while SAMA CSF uses a self-assessment model with SAMA oversight. Both frameworks address governance, risk management, access control, and operations security — with SAMA CSF's CLG domain mapping directly to ISO 27001 Clause 5 and Annex A.5, and COT's IAM sub-domain mapping to ISO 27001 Annex A.9. Saudi organisations often pursue ISO 27001 certification first as a strategic accelerator for SAMA CSF Level 3 achievement, since ISO 27001's certification audit produces the policy documentation and control evidence that directly satisfies SAMA CSF scoring requirements. The key tradeoff: ISO 27001 certification provides internationally recognised proof of controls; SAMA CSF compliance is a non-negotiable domestic licence condition.
If your Saudi financial institution is also operating in the UAE, EU, or US markets — or processing card payments, managing CUI data, or serving European data subjects — you may be subject to SAMA CSF alongside NESA, PCI-DSS, GDPR, or other frameworks simultaneously. CyberSilo's framework finder identifies every compliance obligation applicable to your entity based on your industry, geography, data types, and customer base.
SAMA's maximum per-violation fine of SAR 10,000,000 (approximately USD 2.67 million) represents only the direct regulatory exposure — the commercial cost of licence suspension, product restriction, or exclusion from Vision 2030 financial infrastructure programmes is typically far greater. The IBM Security Cost of a Data Breach Report 2024 places the average breach cost for financial services globally at $5.9 million, while Saudi financial sector breaches involving PHI or financial records routinely carry additional SAMA notification obligations and customer indemnity costs. Manual SAMA CSF compliance programmes run SAR 2–5 million annually in staff and consulting costs. CyberSilo's automation platform reduces evidence compilation time by 70% and eliminates the specialist consultant dependency that makes manual SAMA compliance disproportionately expensive for mid-tier banks, finance companies, and licensed fintech platforms.
CyberSilo's compliance standards automation platform is the primary SAMA CSF engine — managing control mapping across all 143 SAMA controls, scoring maturity levels for each of the 19 sub-domains, tracking remediation tasks to closure, and generating the Annual Cybersecurity Self-Assessment Report in SAMA's expected format. For the CLG domain, CSA tracks policy version histories, Board approval timestamps, and CISO reporting chain documentation. For CRMC, it manages the risk register, annual risk assessment schedules, and audit finding lifecycle. For TPC, it runs the third-party due diligence assessment workflow and monitors contractual cybersecurity clause compliance across all vendor relationships — producing the complete evidence package that Saudi Central Bank assessors and SAMA-appointed third-party auditors expect.
ThreatHawk SIEM directly satisfies the COT domain's most demanding evidence requirements — specifically the IT Operations Management and Cybersecurity Architecture sub-domains. ThreatHawk ingests log data from banking applications, core banking systems, payment gateways, network infrastructure, identity platforms, and endpoint agents — generating the continuous monitoring evidence, security event logs, and incident records that SAMA assessors treat as primary COT artefacts. For the IAM sub-domain, ThreatHawk correlates identity events, privileged access activity, and access review outcomes into structured audit trails. The platform's pre-built SAMA CSF dashboard displays real-time maturity scores across all COT sub-domains, giving your CISO instant visibility into detection capability gaps before the annual self-assessment cycle opens.
SAP is the dominant ERP platform across Saudi Arabia's banking, insurance, and financial services sector — and SAP environments represent one of the most significant SAMA CSF coverage gaps for institutions relying on general-purpose SIEM tools. CyberSilo SAP Guardian provides native SAP security monitoring, ingesting SAP audit logs, change documents, authorisation changes, and basis configuration events into the SAMA CSF compliance platform. For Saudi banks running SAP S/4HANA for core banking operations and financial reporting, SAP Guardian satisfies the COT IAM sub-domain requirement for privileged access monitoring within SAP environments and the CRMC change management sub-domain requirement for tracking critical system configuration changes — both areas where generic SIEM platforms lack the SAP-native visibility required to generate credible SAMA audit evidence.
SAMA CSF's COT IT Operations Management sub-domain requires documented evidence of security event triage, investigation, and resolution — artefacts that a traditional SOC generates manually and inconsistently. CyberSilo's AI-driven autonomous SOC platform automatically triages alerts, conducts preliminary investigations, and generates structured incident records with complete investigation timelines — satisfying the COT requirement for documented incident handling that SAMA assessors verify as evidence of a functioning security operations capability. For Saudi financial institutions managing lean security teams, Agentic SOC AI closes the gap between having a nominally operational SOC and having the documented, evidenced SOC capability that SAMA CSF Level 3 actually requires: not just detection infrastructure, but a provable history of alert investigation, escalation decisions, and incident resolution at the cadence SAMA expects.
CIS Benchmarking Tools Guide: CIS Controls v8.1 benchmarking maps directly to SAMA CSF's COT domain — particularly the Architecture, Asset Management, and IT Operations sub-domains. This guide explains how CIS benchmark scores translate into COT maturity level evidence for Saudi financial institutions' annual SAMA self-assessments.
Compliance Automation Tools Compared: How leading GRC platforms handle SAMA CSF's four-domain evidence collection, maturity scoring, and annual self-assessment generation — evaluated against the specific sub-domain evidence types that Saudi Central Bank assessors review. Includes multi-framework management capability for Saudi institutions also subject to PCI-DSS and ISO 27001.
SIEM Tools for SAMA CSF Monitoring: How enterprise SIEM platforms satisfy the specific log management and continuous monitoring requirements in SAMA CSF's COT IT Operations Management sub-domain. Covers log retention requirements, security event correlation capabilities, and the structured audit log format that SAMA assessors expect as Level 3 evidence for Saudi financial institutions.
SIEM Use Cases for SAMA CSF Evidence: Real-world examples of how Saudi banks, insurance companies, and fintech platforms use SIEM technology to generate SAMA CSF COT domain audit evidence — covering account takeover detection, privileged access monitoring, third-party API abuse, and payment fraud scenarios that directly map to SAMA's annual assessment scoring criteria.
SIEM Cost and Licensing Guide 2025: Cost ranges and licensing models for the SIEM infrastructure required to meet SAMA CSF COT domain continuous monitoring obligations — including on-premises, cloud-native, and hybrid deployment options relevant to Saudi financial institutions subject to SAMA's data residency and sovereignty requirements for in-Kingdom data processing.
Threat Exposure Tools for SAMA Compliance: How threat exposure management platforms help Saudi banks and fintech companies satisfy SAMA CSF's COT Cybersecurity Architecture and IT Operations Management sub-domains — covering attack surface monitoring, vulnerability prioritisation, and continuous exposure scoring that generates the proactive risk management evidence SAMA assessors look for in Level 4 maturity organisations.