SAMA CSF · Financial Sector · Maturity Model
Quick Answer
The SAMA Cyber Security Framework (CSF) is the mandatory cybersecurity framework issued by the Saudi Central Bank (SAMA), applicable to banks, insurers, financing companies, payment service providers, and financial market infrastructure entities. First published in May 2017, it is organized into four core domains, each containing sub-domains and individual controls, and assessed through a 0–5 maturity model. Every domain must reach at least level 3 ("Defined") to be considered compliant.
Ahead of the 2026 audit cycle, SAMA issued updated guidance in Q4 2025 tightening residual-risk acceptance, making third-party assurance mandatory, moving Tier-1 board reporting to a semi-annual cadence, and aligning more closely with NCA's Essential Cybersecurity Controls to reduce duplicate reporting for dual-regulated institutions.
For every SAMA-regulated entity in the Kingdom, the Cyber Security Framework is not one compliance obligation among many — it is the primary lens through which the regulator views your cybersecurity posture. Understanding its structure, its maturity model, and what changed heading into the 2026 audit cycle is essential for CISOs, boards, and compliance leads across Saudi banks, insurers, and payment providers. This guide covers all three, plus a practical roadmap to reach and sustain the required maturity bar.
The SAMA Cyber Security Framework (CSF) is issued by the Saudi Central Bank (SAMA) — the regulator overseeing banks, insurance and reinsurance companies, financing companies, payment service providers, and financial market infrastructure entities across the Kingdom. Compliance is mandatory for every entity SAMA regulates, regardless of size, and forms a core part of the regulator's supervisory review process.
Unlike a voluntary best-practice guide, SAMA CSF functions as a baseline: it defines the minimum acceptable cybersecurity posture a regulated entity must demonstrate, and it gives SAMA a standardized way to compare maturity across the sector.
SAMA CSF was first published in May 2017 and has been periodically updated since to keep pace with the evolving threat landscape and with international standards it draws from. Most recently, SAMA issued updated framework guidance in Q4 2025, ahead of the 2026 audit and enforcement cycle — a signal that regulated entities should treat the framework as a living document requiring continuous monitoring, not a one-time reference implemented once and left unchanged.
The framework is organized hierarchically:
Every domain must be assessed as part of a compliance review — there is no partial-scope option. This structure is what makes SAMA CSF assessments comprehensive but also demanding: a strong score in one domain does not offset a weak score in another.
Rather than a binary pass/fail, SAMA CSF assesses every control on a maturity scale from 0 to 5. An organization must achieve a minimum maturity level of 3 ("Defined") across every domain to be considered compliant — reaching level 3 in most domains while falling short in even one is not sufficient.
| Level | Label | What It Means in Practice |
|---|---|---|
| 0 | Non-Existent | No documented process or control activity exists |
| 1 | Initial | Ad-hoc, inconsistent activity with no formal documentation |
| 2 | Repeatable | Activity follows a pattern but is not formally documented or standardized |
| 3 | Defined (minimum required) | Controls are formally documented, approved, and consistently applied across the organization |
| 4 | Managed | Controls are actively monitored, with metrics and periodic effectiveness reviews |
| 5 | Optimized | Controls are continuously improved using data-driven insight and embedded in the organization's risk culture |
Reaching level 3 satisfies the compliance floor. Levels 4 and 5 are not required for baseline compliance, but institutions with higher risk exposure — particularly Tier-1 banks — are increasingly expected to demonstrate progress toward level 4 as part of ongoing supervisory dialogue.
The Q4 2025 guidance introduced several changes that regulated entities should build into their 2026 compliance planning:
GHS Perspective
The mandatory third-party assurance requirement is the change most Saudi financial institutions are underprepared for heading into 2026. Many regulated entities have vendor risk questionnaires but no structured, independent assurance program capable of producing defensible evidence during a SAMA examination. Building that program now — rather than reacting during the next audit cycle — is the highest-leverage action a compliance team can take this year.
Reaching and sustaining a minimum maturity level of 3 across every domain requires a structured, ongoing program rather than a pre-audit scramble:
Because SAMA CSF, NCA ECC, and ISO 27001 controls overlap substantially, institutions that centralize evidence and control mapping across all three frameworks in a single system — such as ComplyOS — spend materially less time on duplicate audit preparation each cycle. GHS's GRC advisory team supports regulated entities through self-assessment, gap remediation, and third-party assurance program design specifically for the SAMA CSF maturity model.
GHS runs SAMA CSF maturity self-assessments across all four domains and helps regulated entities build the third-party assurance and board reporting programs required for the 2026 cycle.