SAMA Cybersecurity Framework: A Guide for Saudi Banks & Fintechs

Saudi Arabia’s digital financial ecosystem is growing rapidly — from mobile-first banking to blockchain-driven payment apps. But with innovation comes risk, and the Saudi Central Bank (SAMA) has taken decisive steps to secure the country’s financial infrastructure.

The SAMA Cybersecurity Framework is a mandatory set of controls that banks, insurance companies, and fintechs in Saudi Arabia must follow to protect themselves and their customers from cyber threats.

In this article, we break down the framework, who it applies to, key components, and how businesses can comply in 2025.

2. What is the SAMA Cybersecurity Framework?

Issued in May 2017 (version 1.0) and updated periodically, the SAMA Cybersecurity Framework aims to:

  • Establish a consistent and effective level of cybersecurity in financial institutions

  • Ensure the protection of information assets

  • Promote cyber resilience across the banking and fintech sector

  • Align the Kingdom with international best practices

3. Who Must Comply with the Framework?

Mandatory for all SAMA-regulated entities (the framework calls them Member Organizations), including:

Banks licensed by SAMA
Finance companies
Payment service providers and fintech startups
Credit bureaus and microfinance institutions
Insurance companies and brokers (note: supervision of the insurance sector moved from SAMA to the Insurance Authority in 2023, so check which regulator currently licenses you and which framework it applies)

If your business is regulated by SAMA, compliance with this framework is not optional.

4. Key Domains of the Framework

The framework is built around four main cybersecurity domains (SAMA names them Cyber Security Leadership and Governance, Cyber Security Risk Management and Compliance, Cyber Security Operations and Technology, and Third Party Cyber Security), broken into subdomains with over 100 control objectives. Each control is rated on a maturity scale rather than pass/fail, so compliance is measured by how consistently and verifiably a control is performed, not just by whether it exists.

✅ 1. Cybersecurity Governance

  • Establish a Cybersecurity Committee

  • Appoint a Chief Information Security Officer (CISO)

  • Develop and implement a Cybersecurity Strategy

  • Approve cybersecurity policies and procedures at board level

✅ 2. Risk Management

  • Conduct regular risk assessments

  • Define risk appetite and mitigation plans

  • Classify data and assets based on sensitivity

  • Monitor third-party vendor risks

✅ 3. Cybersecurity Operations

  • Deploy technical security controls (firewalls, EDR, SIEM, etc.)

  • Monitor network and application activity

  • Conduct vulnerability scanning and penetration testing

  • Secure remote access and mobile platforms

✅ 4. Third-Party and Cloud Security

  • Evaluate third-party providers’ cybersecurity posture

  • Include cybersecurity clauses in contracts

  • Monitor third-party access and activities

  • Ensure cloud providers meet national data protection requirements

5. How to Implement the Framework: Step-by-Step

✅ Step 1: Conduct a Gap Analysis

Compare your existing security setup with the SAMA framework. Identify where you fall short in governance, policy, risk, or operations.

✅ Step 2: Develop a Cybersecurity Strategy

Align your business goals with cybersecurity goals. Include:

  • Risk priorities

  • Resource planning

  • Timeline for control implementation

✅ Step 3: Appoint a CISO

The CISO leads implementation and reports directly to senior management. The framework expects the cybersecurity function to be independent of the IT function, so the people operating systems are not the ones assessing their security. Appointing a CISO is mandatory for SAMA-regulated entities.

✅ Step 4: Implement Controls

Roll out or upgrade:

  • Endpoint protection

  • Encryption tools

  • Network segmentation

  • Access control systems

Document every control with clear evidence.

✅ Step 5: Train Employees

Train all staff on cybersecurity awareness. Run phishing simulations and provide specialized training for high-risk roles (finance, IT).

✅ Step 6: Conduct Penetration Testing and DR Drills

You must conduct:

  • Annual penetration tests of internet-facing and critical internal systems, with findings tracked to closure

  • Disaster recovery and business continuity exercises that actually fail over, not just paper reviews

  • Incident response exercises (tabletop and live simulations) so the response plan is tested before a real incident

✅ Step 7: Monitor & Report

Maintain logs, alerts, and dashboards, and retain logs long enough to reconstruct an incident after the fact. Review incidents regularly, track remediation, and generate reports for internal stakeholders and SAMA, including the incident notifications SAMA requires.
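The seven steps above are one procedure: inventory your controls, score where you stand, record evidence, and report. The following is an added example (not code from the page, SAMA, or Centre Systems Group) of a gap-analysis script over a control register. It assumes the framework's 0 to 5 maturity scale with a target of level 3 (the page does not discuss the maturity model, so treat TARGET_LEVEL as a parameter), and the register itself is a constructed sample with made-up control IDs. The check a practitioner wants is the evidence rule: a control self-assessed at target but with no artifact behind it is still a gap, because an assessor will not accept a number without proof.

```python
"""
Gap analysis over a cybersecurity control register.

Assumptions (not taken from the page): a 0-5 maturity scale with a target
of level 3, and a constructed sample register of illustrative controls.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TARGET_LEVEL = 3  # assumed target maturity; set it to the level you are held to


@dataclass
class Control:
    control_id: str
    domain: str
    description: str
    current_level: int  # self-assessed maturity, 0 (non-existent) to 5
    evidence: List[str] = field(default_factory=list)  # artifact references

    def __post_init__(self) -> None:
        if not 0 <= self.current_level <= 5:
            raise ValueError(f"{self.control_id}: maturity level must be 0-5")


# Constructed sample register; IDs, descriptions and evidence names are made up.
REGISTER: List[Control] = [
    Control("GOV-01", "Cybersecurity Governance", "Cybersecurity committee chartered and meeting", 4,
            ["committee-charter.pdf", "minutes-2025-Q1.pdf"]),
    Control("GOV-02", "Cybersecurity Governance", "CISO appointed, reports to senior management", 3,
            ["org-chart.pdf"]),
    Control("GOV-03", "Cybersecurity Governance", "Board-approved cybersecurity policy", 2),
    Control("RSK-01", "Risk Management", "Annual cybersecurity risk assessment", 3,
            ["risk-register-2025.xlsx"]),
    Control("RSK-02", "Risk Management", "Asset and data classification", 1),
    Control("OPS-01", "Cybersecurity Operations", "EDR deployed on all endpoints", 3,
            ["edr-coverage-report.csv"]),
    Control("OPS-02", "Cybersecurity Operations", "Annual penetration test with remediation tracking", 2,
            ["pentest-2024.pdf"]),
    Control("OPS-03", "Cybersecurity Operations", "Centralised logging and SIEM alerting", 3),
    Control("TPS-01", "Third-Party and Cloud Security", "Third-party assessment before onboarding", 2),
    Control("TPS-02", "Third-Party and Cloud Security", "Cybersecurity clauses in supplier contracts", 3,
            ["contract-template-v3.docx"]),
]


def meets_target(c: Control, target: int = TARGET_LEVEL) -> bool:
    """A control counts as compliant only if it is at target AND has evidence on file."""
    return c.current_level >= target and bool(c.evidence)


def find_gaps(register: List[Control], target: int = TARGET_LEVEL) -> List[Tuple[Control, int, bool]]:
    """Return (control, maturity shortfall, evidence missing) for every non-compliant
    control, largest shortfall first, then unevidenced before evidenced."""
    gaps = []
    for c in register:
        shortfall = max(0, target - c.current_level)
        missing = not c.evidence
        if shortfall or missing:
            gaps.append((c, shortfall, missing))
    gaps.sort(key=lambda g: (-g[1], not g[2], g[0].control_id))
    return gaps


def domain_summary(register: List[Control], target: int = TARGET_LEVEL) -> Dict[str, Dict[str, float]]:
    """Per domain: number of controls, how many are compliant, average maturity."""
    by_domain: Dict[str, List[Control]] = defaultdict(list)
    for c in register:
        by_domain[c.domain].append(c)
    summary = {}
    for domain, controls in by_domain.items():
        summary[domain] = {
            "controls": len(controls),
            "compliant": sum(meets_target(c, target) for c in controls),
            "avg_level": round(sum(c.current_level for c in controls) / len(controls), 2),
        }
    return summary


def render_report(register: List[Control], target: int = TARGET_LEVEL) -> str:
    """Plain-text report: domain scorecard followed by a prioritised remediation backlog."""
    out = [f"Gap analysis against target maturity level {target}", ""]
    for domain, s in domain_summary(register, target).items():
        out.append(f"{domain}: {s['compliant']}/{s['controls']} controls compliant, "
                   f"average level {s['avg_level']}")
    out += ["", "Remediation backlog (highest shortfall first):"]
    for c, shortfall, missing in find_gaps(register, target):
        flags = []
        if shortfall:
            flags.append(f"raise maturity by {shortfall}")
        if missing:
            flags.append("no evidence on file")
        out.append(f"  {c.control_id} [{c.domain}] {c.description}: " + "; ".join(flags))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_report(REGISTER))
```

Running it prints a scorecard per domain and a backlog. In the sample register, OPS-03 is rated at the target level but lands in the backlog anyway because nothing backs the rating up, which is exactly the kind of finding a SAMA assessment surfaces; feeding the backlog into your risk register and tracking each item to closure is what turns Step 1 into Steps 4 and 7.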

6. Penalties for Non-Compliance

Non-compliance with the SAMA Cybersecurity Framework can lead to:

  • Fines and sanctions

  • Licensing issues

  • Reputation damage

  • Ineligibility for expansion or new service launches

In 2023, a fintech app in Riyadh was fined and barred from onboarding new users after failing to demonstrate an effective incident response system.

7. SAMA vs. Other Frameworks (NCA, ISO 27001, PDPL)

Framework    Use Case                                   Mandatory?             Overlaps With
SAMA CSF     Financial services                         Yes (if regulated)     NCA ECC, ISO 27001
NCA ECC      Government and critical infrastructure     Yes                    ISO 27001
PDPL         All personal data controllers              Yes                    GDPR
ISO 27001    Global standard                            Optional but helpful   All of the above

Most fintechs and banks combine ISO 27001 certification with SAMA-specific enhancements.

8. How Centre Systems Group Helps with SAMA Compliance

We offer end-to-end compliance support for SAMA-regulated entities, including:

✅ Cybersecurity gap assessments
✅ Cybersecurity strategy development
✅ Policy and procedure documentation
✅ CISO-as-a-Service
✅ Implementation of technical controls
✅ Penetration testing and disaster recovery drills
✅ Staff awareness and training
✅ SAMA audit readiness

We understand both the letter and the spirit of the SAMA Cybersecurity Framework — and help you build a compliance program that’s efficient, effective, and enduring.

The SAMA Cybersecurity Framework is more than a checklist — it’s a blueprint for building digital trust in Saudi Arabia’s financial ecosystem. For banks and fintechs, compliance isn’t just about avoiding penalties — it’s about securing your future.

At Centre Systems Group, we help you implement the framework in a way that’s practical, aligned, and sustainable.

📞 Let’s secure your SAMA compliance journey — book your first audit today.

Frequently Asked Questions

Is SAMA compliance the same as ISO 27001 certification?

No. ISO 27001 is a global, voluntary standard; SAMA has its own mandatory framework with localized controls and its own maturity-based assessment. An ISO 27001 certificate is useful evidence for overlapping controls but does not replace a SAMA assessment.

Do small fintech startups also need to comply?

Yes. If you’re SAMA-licensed or regulated, the framework applies regardless of your size.


How often should we update our SAMA compliance program?

Continuously. At minimum, conduct an annual review or after major tech/business changes.

Can we outsource our cybersecurity function?

Yes — but you are still responsible for compliance. Choose an experienced local partner like Centre Systems Group.
