What is the SAMA Cybersecurity Framework (CSF)?

The SAMA Cybersecurity Framework (CSF) is a mandatory regulatory standard issued by the Saudi Central Bank (SAMA) that applies to all banks, insurance companies, financing companies, and other SAMA-regulated financial institutions operating in Saudi Arabia. It defines cybersecurity governance, risk management, and operational controls that organisations must implement to protect customer data, financial systems, and critical infrastructure. Non-compliance can result in regulatory penalties, licence restrictions, and mandatory remediation orders.

Which organisations must comply with SAMA CSF?

SAMA CSF compliance is mandatory for all entities regulated by the Saudi Central Bank, including commercial banks, investment banks, insurance and reinsurance companies, financing companies, exchange houses, credit bureaus, payment service providers, and fintechs operating under SAMA supervision. This includes both Saudi-headquartered institutions and foreign banks with licensed branches in the Kingdom of Saudi Arabia.

How does SAMA CSF relate to NCA ECC compliance?

SAMA CSF and the National Cybersecurity Authority's Essential Cybersecurity Controls (NCA ECC) are complementary but distinct regulatory frameworks. NCA ECC applies broadly to all Saudi government entities and critical sector organisations, while SAMA CSF applies specifically to SAMA-regulated financial institutions. SAMA CSF requirements are generally more granular and sector-specific than NCA ECC. Financial institutions regulated by SAMA must satisfy both frameworks, and CyberSilo maps controls across both standards to eliminate duplicate effort and ensure unified compliance posture.

What is TIBER-SA and does it relate to SAMA CSF?

TIBER-SA (Threat Intelligence-Based Ethical Red Teaming Saudi Arabia) is SAMA's intelligence-led red team testing framework adapted from the European TIBER-EU standard. TIBER-SA assessments are an advanced component of SAMA CSF compliance, requiring sophisticated threat intelligence-led penetration testing against critical financial infrastructure. CyberSilo provides end-to-end TIBER-SA readiness support, including threat intelligence gathering, scoping, test execution coordination, and remediation planning.

How long does a SAMA CSF compliance assessment take?

A comprehensive SAMA CSF gap assessment typically takes 3–6 weeks depending on the organisation's size, complexity, and current maturity level. Initial readiness assessments can be scoped and delivered within 2–3 weeks for smaller financial institutions. Full remediation programmes — from gap assessment through audit-ready compliance — typically span 3–9 months depending on the number of control gaps identified and the organisation's remediation capacity.

Does CyberSilo support both Arabic and English compliance documentation?

Yes. CyberSilo's KSA compliance team delivers all documentation, reports, and compliance artefacts in both Arabic and English, ensuring your SAMA submission packages, board reports, and auditor-facing materials meet the language requirements of Saudi regulatory bodies and international stakeholders simultaneously.

SAMA CSF Compliance Services KSA

SAMA Cybersecurity Framework (CSF) Compliance Services

End-to-end SAMA CSF compliance for Saudi banks, insurance companies, and fintechs — from gap assessment and risk treatment to TIBER-SA red team readiness and continuous compliance monitoring. Built for Vision 2030's regulated financial sector.

SAMA Won't Wait — and Neither Can Your Compliance Posture

The Saudi Central Bank's Cybersecurity Framework is one of the most comprehensive mandatory cybersecurity standards issued by any financial regulator in the GCC. Covering governance, risk management, operational resilience, and third-party oversight, SAMA CSF applies to every bank, insurance company, and fintech operating under a SAMA licence — and non-compliance is not a theoretical risk.

SAMA supervisory reviews, on-site inspections, and mandatory self-assessments have exposed significant gaps across the Saudi financial sector. Organisations that fail to demonstrate continuous compliance face formal remediation requirements, regulatory penalties, and reputational consequences that no compliance budget can recover from after the fact.

CyberSilo's SAMA CSF compliance programme is purpose-built for Saudi-regulated financial institutions — combining deep regulatory expertise, AI-powered security tooling aligned to ThreatHawk SIEM, and a structured methodology that moves you from gap assessment to audit-ready posture in a defined, measurable timeline.

Full SAMA CSF gap assessment mapped to all five domains and 29 sub-domains

Integrated NCA ECC and PDPL compliance — one programme, three frameworks

TIBER-SA threat intelligence and red team exercise readiness

Arabic and English compliance documentation for SAMA submissions

Continuous compliance monitoring via Compliance Standards Automation

Board-ready risk reporting aligned to SAMA's supervisory expectations

Saudi-regulated financial institutions face overlapping obligations from SAMA, the NCA, and international standards. CyberSilo maps controls across all applicable frameworks, eliminating redundant effort and ensuring a single compliance programme satisfies every regulatory body you answer to.

Primary

SAMA Cybersecurity Framework

Saudi Central Bank · Mandatory for all SAMA-regulated entities

Mandatory — All SAMA Licensees

The SAMA CSF defines five cybersecurity domains: Cybersecurity Leadership and Governance, Cybersecurity Risk Management and Compliance, Cybersecurity Operations and Technology, Third-Party Cybersecurity, and Cybersecurity Resilience. CyberSilo delivers structured assessment, evidence collection, and remediation across all 29 sub-domains with regulatory-grade documentation for SAMA submissions and self-assessments.

Five SAMA CSF Domains Addressed

Domain 1: Cybersecurity Leadership & Governance Domain 2: Risk Management & Compliance Domain 3: Operations & Technology Domain 4: Third-Party Cybersecurity Domain 5: Cybersecurity Resilience

Linked Services

Gap Assessment Risk Treatment Audit Prep Monitoring

Schedule SAMA Review

29 sub-domains

National

NCA Essential Cybersecurity Controls

National Cybersecurity Authority · KSA

Mandatory — Government & Critical Sectors

The NCA ECC applies across Saudi Arabia's critical sectors and government entities, and financial institutions must demonstrate alignment alongside SAMA CSF. CyberSilo cross-maps NCA ECC controls to your SAMA CSF evidence base, delivering dual compliance without doubling your assessment workload. Learn more about the differences in our SAMA CSF vs NCA ECC comparison guide.

NCA ECC Control Domains

Cybersecurity Governance Cybersecurity Defence Cybersecurity Resilience Third-Party & Cloud Security Industrial Control Systems Security

Overlap with SAMA CSF

Control Mapping Unified Evidence Dual Reporting

Compare Frameworks

114 controls

Privacy

Saudi PDPL — Personal Data Protection Law

NDMO / SDAIA · Kingdom of Saudi Arabia

Fines up to SAR 5M per violation

Saudi Arabia's Personal Data Protection Law (PDPL), enforced by SDAIA, imposes binding obligations on organisations processing the personal data of Saudi residents — including financial institutions handling customer records, credit data, and transactional histories. CyberSilo integrates PDPL compliance controls directly into your SAMA CSF programme, covering data inventories, consent management, cross-border transfer restrictions, and breach notification obligations.

PDPL Obligations Addressed

Personal Data Classification & Mapping Consent & Lawful Processing Controls Data Subject Rights Management Cross-Border Transfer Compliance Breach Notification (72-hour window)

ISO 27001:2022 — Information Security Management

ISO / IEC · Global Standard

Strongly Recommended by SAMA

ISO 27001 certification is strongly aligned with SAMA CSF and increasingly expected by Saudi financial regulators, international correspondent banks, and institutional clients as evidence of structured information security management. CyberSilo maps ISO 27001:2022 Annex A controls to your SAMA CSF evidence base, accelerating certification while satisfying regulatory obligations simultaneously through our Compliance Standards Automation platform.

ISO 27001 Implementation Areas

ISMS Scope & Statement of Applicability Risk Assessment & Treatment Plans Annex A Control Implementation Internal Audit & Management Review Certification Body Liaison

Certification Timeline

Stage 1 Audit Stage 2 Audit Surveillance

Start ISO 27001 Journey

93 Annex A controls

Payments

PCI DSS v4.0 — Payment Card Industry Standard

PCI SSC · Banks · Fintechs · Payment Processors

Mandatory for card-processing entities

Saudi banks, payment aggregators, and fintech platforms processing Visa, Mastercard, or mada card transactions must maintain PCI DSS v4.0 compliance. CyberSilo provides cardholder data environment (CDE) scoping, network segmentation validation, SAQ automation, and QSA-assisted audit preparation — fully integrated with your SAMA CSF programme to prevent duplicate assessment effort across Saudi Arabia's payment infrastructure operators.

PCI DSS v4.0 Requirements Covered

CDE Scoping & Network Segmentation Vulnerability Management & Patching Access Control & IAM Compliance Log Monitoring & SIEM Integration SAQ & ROC Evidence Preparation

Compliance Levels

Level 1 Level 2 Level 3 SAQ

PCI DSS Assessment

12 requirements

International

SOC 2 Type II & NIST CSF Alignment

AICPA / NIST · Fintechs & Technology-Driven FSIs

Required by global enterprise clients

Saudi fintechs, cloud-native banks, and technology-forward financial institutions are increasingly required to present SOC 2 Type II reports to enterprise clients, international partners, and institutional investors. CyberSilo delivers continuous control monitoring mapped to AICPA Trust Services Criteria, automated evidence collection via ThreatHawk SIEM, and NIST CSF 2.0 maturity assessments that satisfy both international stakeholders and SAMA's operational resilience requirements.

Services Included

SOC 2 Type I Readiness Assessment Continuous Type II Evidence Collection NIST CSF Maturity Scoring Trust Services Criteria Mapping Auditor Liaison & Report Facilitation

TSC Categories

Security Availability Confidentiality Privacy

SOC 2 Readiness

NIST 2.0 aligned

Ready to Achieve SAMA CSF Compliance?

Whether you are preparing for your first SAMA CSF self-assessment, addressing gaps identified in a supervisory review, or building a continuous compliance programme to stay ahead of regulatory scrutiny, CyberSilo's team of Saudi regulatory compliance specialists is ready to help. Schedule a SAMA Readiness Review — a structured, no-obligation consultation that delivers an honest assessment of where your compliance posture stands today and a clear roadmap to where it needs to be.

SAMA Cybersecurity Framework (CSF) Compliance Services

SAMA Won't Wait — and Neither Can Your Compliance Posture

Every Compliance Framework Your Saudi Business Requires

SAMA Cybersecurity Framework

NCA Essential Cybersecurity Controls

Saudi PDPL — Personal Data Protection Law

ISO 27001:2022 — Information Security Management

PCI DSS v4.0 — Payment Card Industry Standard

SOC 2 Type II & NIST CSF Alignment

Why Compliance Matters in Saudi Arabia's Financial Sector

Maximum SAMA Penalty for Cybersecurity Non-Compliance

Rise in Cyberattacks Targeting GCC Financial Institutions Since 2020

Breach Notification Deadline Under Saudi PDPL — And SAMA's Expectations

Saudi Arabia's Digital Transformation Demands a Mature Cybersecurity Foundation

The Business Cost of SAMA CSF Non-Compliance

Financial Penalties

Licence Restrictions

Public Disclosure

Lost Partnerships

Breach Costs

SWIFT Exclusion Risk

PDPL Liability

Vision 2030 Exclusion

Our SAMA CSF Compliance Assessment Process

Scoping & Regulatory Mapping

SAMA CSF Gap Assessment

Risk Treatment & Remediation Planning

Technical Controls Implementation

TIBER-SA Readiness & Red Team Testing

Continuous Compliance & Audit Support

Why Saudi Financial Institutions Choose CyberSilo for SAMA CSF Compliance

Deep Saudi Regulatory Expertise

AI-Powered Compliance Technology

Multi-Framework Efficiency

Arabic-English Documentation

TIBER-SA Specialist Capability

Board-Level Risk Reporting

Deepen Your SAMA CSF Compliance Knowledge

SAMA CSF Readiness Assessment Services

SAMA CSF vs NCA ECC — Complete Comparison

TIBER-SA Red Team Testing Guide

Compliance Standards Automation Platform

ThreatHawk SIEM — AI-Powered Detection

Agentic SOC AI — Autonomous Security Operations

Ready to Achieve SAMA CSF Compliance?

SAMA CSF Compliance — Common Questions

Latest Articles

What Are the Best Alternatives to Traditional Siem Platforms for Cloud Environments

What Are the Best Siem Tools That Integrate With Edr and Xdr

What Platforms Combine Generative Ai With Siem or Soar Tools

Which Platform Integrates Cloud Security Monitoring With Siem

Which Siem Software Brands Are Known for Ensuring Strong Compliance

Who Offers Siem Software With Built-in Compliance Reporting