
CMA Cybersecurity in Saudi Arabia: Complete Compliance Guide

📅 April 28, 2026 ⏱ 13 min read ✍️ GHS Publisher Team 🔄 Updated April 27, 2026
GRC & Compliance · Capital Markets · Vision 2030

CMA Cybersecurity Guidelines Saudi Arabia

Complete Compliance Guide · 2025 · CMI · NCA ECC · SAMA · PDPL Aligned

Everything a Saudi Capital Market Institution needs to understand, implement, and maintain CMA Cybersecurity compliance — from the 4 domains and 26 subdomains to implementation steps, regulatory alignment, and GHS expert support.

📅 April 27, 2025 🔄 Updated April 2025 ⏱ 14 min read ✍️ GHS Security Team — CISSP · CISM
📋 Quick Answer

The CMA Cybersecurity Guidelines are a mandatory compliance framework issued by Saudi Arabia’s Capital Market Authority (هيئة السوق المالية) for all licensed Capital Market Institutions (CMIs). The guidelines define 4 main domains and 26 subdomains covering cybersecurity governance, risk management, operational controls, and third-party security. While non-certifiable, compliance is compulsory — non-adherence carries regulatory and reputational consequences. GHS implements CMA cybersecurity compliance end-to-end for Saudi CMIs: gap assessment, policy development, controls implementation, and ongoing audit readiness.

4 Main Domains · 26 Subdomains · 188 Licensed CMIs as of 2025 · 100% Mandatory for all CMIs

🏛️ What Is the CMA and Why Cybersecurity?

Saudi Arabia’s Capital Market Authority (CMA — هيئة السوق المالية) is the principal regulatory body overseeing the Kingdom’s capital markets — the Saudi Stock Exchange (Tadawul), investment funds, brokerage firms, asset managers, custodians, and securities intermediaries. As of early 2025, 188 licensed Capital Market Institutions operate under CMA supervision.

With Saudi Arabia’s ambitious Vision 2030 financial sector expansion and the kingdom’s digital transformation of capital markets, the attack surface for cyber threats targeting CMIs has grown exponentially. A single breach in a capital market institution can compromise investor assets, market integrity, and national financial stability.

The CMA responded by issuing the Cybersecurity Guidelines for Capital Market Institutions — a structured, mandatory framework designed to establish minimum cybersecurity standards across all regulated firms. The guidelines are aligned with international best practices and Saudi national frameworks including the NCA ECC and PDPL.

💡 Why This Matters for CMIs: The CMA has significantly increased its cybersecurity enforcement focus following Saudi Arabia’s PDPL (Personal Data Protection Law) entering full force in September 2024. Capital market institutions handling investor data now face overlapping obligations under CMA Guidelines, PDPL, and NCA ECC simultaneously.

🔐 The 4 CMA Cybersecurity Domains

The CMA Cybersecurity Guidelines are structured across 4 primary domains, each subdivided into specific subdomains with defined security controls. Every CMA-licensed institution must address all applicable domains.

Domain 01: Cybersecurity Governance
Establishes the organizational foundation for cybersecurity: leadership accountability, defined roles and responsibilities, board-level oversight, and the integration of cybersecurity into institutional strategy and culture. Without strong governance, all downstream controls lack direction and enforcement.
Covers: Cybersecurity Policy · Roles & Responsibilities · Compliance & Audit · Cybersecurity Department · Awareness & Training · Human Resources Security · Legal & Regulatory

Domain 02: Cybersecurity Risk Management
Requires CMIs to implement a systematic risk management process — identifying, assessing, treating, and monitoring information security risks. Risk management must be embedded in organizational decision-making and reviewed periodically against an evolving threat landscape.
Covers: Risk Assessment · Risk Treatment · Risk Acceptance · Risk Register · Risk Monitoring · Asset Classification

Domain 03: Cybersecurity Operations
The largest domain, with 16 subdomains covering the full operational security lifecycle: infrastructure hardening, access management, incident response, business continuity, and secure online trading services. Operational controls are where policy meets practice, and where most compliance gaps are found.
Covers: Cybersecurity Structure · Infrastructure Security · Identity & Access Management · Asset Management · Change Management · Incident Management · Event Logs Management · Threat Management · Application Protection · Encryption · Vulnerability Management · Online Trading Services · Physical Security · Business Continuity · Safe Destruction · BYOD Controls

Domain 04: Third-Party Cybersecurity
As capital market institutions increasingly depend on technology vendors, cloud providers, and outsourced services, third-party cyber risk has become a primary threat vector. This domain mandates controls over the entire third-party lifecycle — from contract security requirements to cloud security standards and outsourcing oversight.
Covers: Contract & Supplier Management · Outsourcing Security · Cloud Computing Security

⚠️ Common Compliance Gap: Domain 3 (Cybersecurity Operations) contains 16 subdomains and is where the majority of CMIs have the most significant gaps. Infrastructure security, vulnerability management, and online trading service security are consistently under-implemented. GHS gap assessments reliably find the highest number of deficiencies in Domain 3.

🏢 Who Must Comply with CMA Cybersecurity Guidelines?

The CMA Cybersecurity Guidelines apply to all entities licensed and supervised by the Capital Market Authority in Saudi Arabia. This includes, but is not limited to:

Brokerage Firms · Asset Managers · Investment Banks · Custodians · Securities Dealers · Fund Managers · Private Equity Firms · Venture Capital Firms · Real Estate Investment · Financial Advisors

Foreign firms establishing Saudi operations as CMIs are equally subject to the guidelines. As of February 2025, there are 188 CMIs on the CMA’s register — all obligated to demonstrate cybersecurity compliance.

🇸🇦 CMA Cybersecurity & Saudi Regulatory Alignment

CMA Cybersecurity compliance does not exist in isolation. Saudi capital market institutions operate at the intersection of multiple regulatory frameworks. Understanding the overlaps and gaps is critical to building an efficient, non-duplicative compliance program.

Saudi Framework / Alignment with CMA Guidelines / Efficiency

Framework: NCA ECC-2:2024 (National Cybersecurity Authority)
Alignment: CMA Cybersecurity Guidelines draw heavily from NCA ECC controls. An organization complying with NCA ECC satisfies the majority of CMA operational security requirements simultaneously. Documentation evidence required by both overlaps significantly.
Efficiency: Very High

Framework: PDPL (Personal Data Protection Law)
Alignment: CMA-regulated institutions handle substantial investor personal data. PDPL’s technical and organizational safeguards map directly onto CMA Governance and Operations domain requirements — especially around access control, encryption, and incident response.
Efficiency: High

Framework: SAMA CSF (Saudi Central Bank Framework)
Alignment: Some CMIs with banking relationships or SAMA-adjacent operations benefit from SAMA CSF governance alignment. CMA and SAMA share common risk management and operational security principles, reducing duplication for dual-regulated entities.
Efficiency: Medium-High

Framework: ISO 27001:2022 (International ISMS Standard)
Alignment: ISO 27001 certification provides the governance infrastructure, risk management documentation, and evidence framework that directly satisfies CMA Domains 1 and 2. Organizations with ISO 27001 enter CMA compliance with a significant head start across governance and risk controls.
Efficiency: High

💡 Multi-Framework Strategy: GHS recommends pursuing CMA Cybersecurity compliance as part of a coordinated multi-framework program alongside NCA ECC and PDPL. Building once for multiple frameworks eliminates duplication, reduces cost, and accelerates time-to-compliance across all obligations.

Ready to Start Your CMA Compliance Journey?

GHS runs a rapid gap assessment across all 4 CMA domains and builds your complete cybersecurity compliance program — from policy development to controls implementation and audit readiness.

🗺️ CMA Cybersecurity Compliance Roadmap

Achieving CMA Cybersecurity compliance is a structured process — not a single audit event. Below is the step-by-step implementation roadmap GHS follows for Saudi capital market institutions.

Step 1: Gap Assessment Across All 4 Domains (⏱ 2–3 weeks)
Benchmark your current cybersecurity posture against all 26 CMA subdomains. Identify which controls are fully implemented, partially addressed, or absent. The output is a detailed gap report and risk-ranked implementation roadmap that forms the foundation of your compliance program.

Step 2: Cybersecurity Governance Framework (⏱ 2–4 weeks)
Develop Domain 1 compliance: cybersecurity policy suite, organizational roles and responsibilities documentation, board reporting structure, awareness training program, and HR security procedures. Governance is the prerequisite for all operational controls — auditors assess it first.

Step 3: Risk Assessment & Risk Treatment Plan (⏱ 2–3 weeks)
Conduct a formal risk assessment covering all information assets within scope. Rate each risk by likelihood and impact. Produce the Risk Treatment Plan mapping each risk to treatment decisions. The risk register is a living document required by Domain 2 and reviewed at every CMA audit.

Step 4: Operational Controls Implementation (Domain 3) (⏱ 6–10 weeks)
Deploy Domain 3 controls across all 16 subdomains — infrastructure hardening, identity and access management, vulnerability management program, incident response procedures, business continuity plans, encryption standards, log management, and online trading service security. This is the most resource-intensive phase and where GHS expertise is most critical.

Step 5: Third-Party Security Program (Domain 4) (⏱ 2–3 weeks)
Establish third-party cybersecurity requirements: vendor security questionnaires, contract security clauses, outsourcing oversight procedures, and cloud security standards. Map all critical third-party relationships and implement the monitoring controls required by Domain 4.

Step 6: Internal Review & Evidence Portfolio (⏱ 2–3 weeks)
Conduct an independent internal review across all 4 domains — verifying control implementation, collecting evidence of operational effectiveness, and identifying any remaining gaps before a CMA audit. Assemble the compliance evidence portfolio required for regulatory review.

Step 7: CMA Audit Readiness & Ongoing Maintenance (⏱ Ongoing)
CMA compliance is not a one-time achievement. Maintain audit readiness through periodic risk assessments, policy reviews, staff awareness training, vulnerability scanning, penetration testing, and third-party reassessments. GHS provides ongoing maintenance support to keep institutions CMA-ready at all times.

🏆 Why CMA Cybersecurity Compliance Matters

Saudi capital market institutions that treat cybersecurity compliance as a tick-box exercise expose themselves to significant risk. Here’s why proactive, well-implemented CMA compliance is strategically essential:

01. Regulatory Enforcement Is Increasing
The CMA has significantly intensified its cybersecurity oversight focus following Saudi Arabia’s digital transformation acceleration and PDPL enforcement. Institutions that cannot demonstrate cybersecurity controls face license consequences, operational restrictions, and public disclosure of non-compliance.

02. Capital Markets Are High-Value Targets
Financial institutions managing investor assets, trading systems, and sensitive market data are among the most targeted sectors for sophisticated cyber attacks — including ransomware, business email compromise, and insider threats. The cost of a breach in capital markets extends far beyond immediate financial loss to long-term reputational damage and investor confidence erosion.

03. Investor & Institutional Trust
Institutional investors, family offices, and international fund managers increasingly conduct cybersecurity due diligence on Saudi CMIs before committing capital. Demonstrated CMA compliance — backed by comprehensive controls evidence — is becoming a commercial prerequisite for managing sophisticated investor relationships.

04. Multi-Framework Efficiency
CMA compliance, implemented correctly, simultaneously advances NCA ECC, PDPL, and ISO 27001 objectives. A coordinated multi-framework approach eliminates duplicated effort and makes the total compliance investment far more efficient than treating each framework independently.

🛡️ GHS CMA Cybersecurity Implementation Services

GHS implements CMA Cybersecurity compliance end-to-end for Saudi capital market institutions — from initial gap assessment through full controls deployment and ongoing audit readiness. Our CISSP and CISM-certified team combines deep knowledge of the CMA framework with operational expertise in the technical and procedural controls Saudi CMIs require.

01. CMA Cybersecurity Gap Assessment
We assess your current cybersecurity posture against all 4 CMA domains and 26 subdomains. You receive a comprehensive gap report identifying what is compliant, what is partially addressed, and what is absent — with a risk-prioritized implementation roadmap and effort estimates for each gap. This is the essential first step for any CMI beginning or refreshing their compliance program.

02. Governance Framework & Policy Development
We develop every policy, procedure, and governance document your CMA compliance requires: Cybersecurity Policy, Risk Management Framework, Acceptable Use Policy, Incident Response Plan, Business Continuity Plan, Third-Party Security Policy, BYOD Policy, and all supporting standards. Policies are written for your organizational context — structured for auditability and designed to remain current, not abandoned after assessment.

03. Risk Assessment & Risk Treatment
We lead your formal CMA risk assessment — identifying and rating all information security risks across your capital market operations, producing the Risk Treatment Plan, and establishing the risk register your Domain 2 compliance requires. Risk documentation is produced in a format directly reviewable by CMA auditors and aligned with NCA ECC and PDPL risk obligations simultaneously.

04. Operational Controls Implementation
We implement Domain 3 controls — deploying technical and procedural measures across infrastructure security, identity and access management, vulnerability management, log management, encryption, application protection, and online trading service security. Every control is implemented with evidence documentation ready for regulatory review.

05. Penetration Testing & Vulnerability Management
CMA Domain 3 explicitly requires vulnerability management and regular security testing of systems — particularly online trading platforms. GHS provides CMA-aligned penetration testing and VAPT services, producing evidence-ready reports that directly satisfy Domain 3 technical security requirements. We conduct both internal and external assessments calibrated to the CMA’s operational security expectations.

06. Third-Party Security Program
We develop and implement your Domain 4 compliance program — third-party risk assessment questionnaires, contract security requirements, outsourcing security procedures, and cloud computing security standards. We assess your critical vendor relationships and implement the monitoring controls required to demonstrate ongoing third-party risk oversight to CMA auditors.

07. Security Awareness Training
Domain 1 requires documented security awareness training for all staff. GHS delivers role-appropriate training programs covering cybersecurity responsibilities, phishing awareness, data classification, incident reporting, and CMA-specific obligations. Training is delivered with completion records and effectiveness measurement as required by the guidelines.

08. Ongoing Compliance Maintenance & Multi-Framework Alignment
CMA compliance requires continuous maintenance — periodic risk assessments, policy updates, re-training, vulnerability scans, and third-party reassessments. GHS provides ongoing support to keep your institution CMA-ready at all times. We simultaneously map your CMA controls to NCA ECC, PDPL, and ISO 27001 — producing the supplementary documentation each framework requires from a single, coordinated engagement.

Start Your CMA Cybersecurity Compliance

GHS implements CMA Cybersecurity compliance from gap assessment to full controls deployment for Saudi capital market institutions. Begin with a free scoping call — no commitment required.

Frequently Asked Questions

The CMA Cybersecurity Guidelines are a mandatory compliance framework issued by Saudi Arabia’s Capital Market Authority (هيئة السوق المالية) for all licensed Capital Market Institutions. They define 4 main domains and 26 subdomains covering cybersecurity governance, risk management, operational controls, and third-party security. The guidelines are based on international best practices and aligned with Saudi national frameworks including the NCA ECC and PDPL.
Yes. While the guidelines are non-certifiable (no third-party certificate is issued), compliance is mandatory for all CMA-licensed Capital Market Institutions. Non-compliance exposes institutions to regulatory penalties, license consequences, and reputational damage. The CMA actively reviews cybersecurity compliance as part of its supervisory activities.
The 4 domains are: (1) Cybersecurity Governance — organizational structure, policies, and awareness; (2) Cybersecurity Risk Management — risk assessment, treatment, and monitoring; (3) Cybersecurity Operations — 16 subdomains covering infrastructure security, access management, incident response, business continuity, and more; (4) Third-Party Cybersecurity — vendor management, outsourcing security, and cloud computing controls.
SAMA (Saudi Central Bank) regulates banking, insurance, and financial institutions — its Cybersecurity Framework (CSF) applies to banks and insurers. CMA regulates capital markets — its Cybersecurity Guidelines apply to brokerage firms, asset managers, custodians, and securities intermediaries. Both frameworks share common principles but are issued by different regulators and have distinct requirements. Some dual-regulated entities must comply with both.
For most Saudi capital market institutions, full CMA Cybersecurity compliance implementation takes 3–6 months depending on current maturity and organizational size. GHS typically delivers gap assessment to full compliance readiness in 8–16 weeks for mid-sized CMIs. Organizations with an existing ISO 27001 or NCA ECC program move significantly faster.
ISO 27001 certification provides a strong foundation for CMA compliance — particularly across Domains 1 and 2 (Governance and Risk Management). However, CMA Guidelines have capital-market-specific requirements (notably online trading services security in Domain 3) that go beyond ISO 27001’s scope. GHS recommends pursuing ISO 27001 as a foundation and building CMA-specific controls on top for the most efficient compliance posture.
CMA cybersecurity compliance implementation costs vary based on organization size, current maturity, and scope complexity. GHS provides scoped quotes after a free initial assessment. Most mid-sized Saudi CMIs with limited existing controls complete full implementation in the SAR 30,000–80,000 range. Organizations with existing ISO 27001 or NCA ECC programs benefit from significant cost reductions through control reuse.

GHS Security Team

Gray Hat Security's team of certified cybersecurity professionals — CISSP, CISM, OSCP certified — delivering practical, real-world security insights for Saudi businesses.