Gray Hat Security (GHS) logo

SAMA CSF · Financial Sector · Maturity Model

SAMA Cyber Security Framework (CSF): The Complete Guide for Saudi Financial Institutions (2026)

July 7, 2026 · 10 min read · GHS Security Team SAMA CSF Maturity Model Financial Sector

Quick Answer

The SAMA Cyber Security Framework (CSF) is the mandatory cybersecurity framework issued by the Saudi Central Bank (SAMA), applicable to banks, insurers, financing companies, payment service providers, and financial market infrastructure entities. First published in May 2017, it is organized into four core domains, each containing sub-domains and individual controls, and assessed through a 0–5 maturity model. Every domain must reach at least level 3 ("Defined") to be considered compliant.

Ahead of the 2026 audit cycle, SAMA issued updated guidance in Q4 2025 tightening residual-risk acceptance, making third-party assurance mandatory, moving Tier-1 board reporting to a semi-annual cadence, and aligning more closely with NCA's Essential Cybersecurity Controls to reduce duplicate reporting for dual-regulated institutions.