SAMA Cyber Security Framework (CSF): The Complete Guide for Saudi Financial Institutions (2026)

July 7, 2026 · 10 min read · GHS Security Team

Quick Answer

The SAMA Cyber Security Framework (CSF) is the mandatory cybersecurity framework issued by the Saudi Central Bank (SAMA), applicable to banks, insurers, financing companies, payment service providers, and financial market infrastructure entities. First published in May 2017, it is organized into four core domains, each containing sub-domains and individual controls, and assessed through a 0–5 maturity model. Every domain must reach at least level 3 ("Defined") to be considered compliant.

Ahead of the 2026 audit cycle, SAMA issued updated guidance in Q4 2025 tightening residual-risk acceptance, making third-party assurance mandatory, moving Tier-1 board reporting to a semi-annual cadence, and aligning more closely with NCA's Essential Cybersecurity Controls to reduce duplicate reporting for dual-regulated institutions.