Saudi Central Bank (SAMA) Cyber Security Rules: Official Source
What is SAMA
The Saudi Central Bank (SAMA) is the monetary authority and financial regulator of the Kingdom of Saudi Arabia. SAMA regulates banks, insurance companies, finance companies, payment service providers, and other financial institutions operating in Saudi Arabia.
SAMA issues binding rules, instructions, and regulatory frameworks for entities under its supervision, including cybersecurity, technology governance, business continuity, and fraud risk management.
Why Source Matters
In regulated environments, compliance work is only as reliable as the source it is built on. Derived interpretations — such as vendor mappings, consultant checklists, or assessment tools — may be useful for implementation, but they can drift from the original regulatory text.
When controls are designed against derived sources rather than official SAMA documents, organizations often face rework: remediation activities that do not fully align with what SAMA actually requires.
Derived interpretations must always be traceable back to the original regulatory text.
Official Source
SAMA publishes all cybersecurity rules, instructions, and related frameworks under its official Rules & Instructions section:
https://www.sama.gov.sa/en-US/RulesInstructions/Pages/Cybersecurity.aspx
Only documents published through this portal (and the linked SAMA Rulebook) constitute official regulatory sources.
Official SAMA Cybersecurity Publications (as of 2025)
Cyber Security Framework (CSF)
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: May 2017
Official Link:
https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Cyber%20Security%20Framework.pdf
Scope / Purpose:
Core cybersecurity framework for SAMA-regulated financial institutions. Establishes baseline requirements across governance, risk management, operations, cloud computing, and third-party security.
Information Technology Governance Framework
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: 2021
Official Link:
https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/SAMA-IT_Governance_Framework.pdf
Scope / Purpose:
Defines IT governance, risk management, system development, and operational controls. Intended to be implemented alongside the Cyber Security Framework (CSF).
Business Continuity Management (BCM) Framework
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: 2021
Official Link:
https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Business%20Continuity%20Management%20Framework.pdf
Scope / Purpose:
Resilience, recovery, and continuity requirements for regulated financial entities.
Counter-Fraud Framework
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: 2022
Official Link:
https://www.sama.gov.sa/en-US/RulesInstructions/CyberSecurity/Counter_Fraud_Framework.pdf
Scope / Purpose:
Fraud risk management, detection, and prevention requirements aligned with cybersecurity controls.
Financial Sector Cyber Threat Intelligence Principles
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: 2022
Official Link:
https://rulebook.sama.gov.sa/en/financial-sector-cyber-threat-intelligence-principles-0
Scope / Purpose:
Principles governing cyber threat intelligence sharing and coordination within the financial sector.
Financial Entities Ethical Red Teaming Framework
Issuing Authority: Saudi Central Bank (SAMA)
Publication Date: 2021
Official Link:
https://rulebook.sama.gov.sa/sites/default/files/ar_net_file_store/SAMA_AR_2898_VER1.pdf
Scope / Purpose:
Requirements for ethical red teaming and advanced security testing in regulated entities.
For Financial Institutions Regulated by SAMA
If you are a bank, insurance company, or financial institution regulated by SAMA, the Cyber Security Framework (CSF) is the core authoritative document for cybersecurity compliance.
Other frameworks (IT Governance, BCM, Counter-Fraud) complement the CSF and are intended to be implemented alongside it, but do not replace the CSF.
Cloud-Relevant Sections in the SAMA Cyber Security Framework
The SAMA Cyber Security Framework (CSF) uses an official 3.x.x clause numbering structure. The following sections are most relevant for cloud service usage and third-party arrangements.
Cloud Computing
Clause: 3.3.4
Relevance: Primary cloud control
Description:
Defines requirements for cloud usage by regulated financial institutions, including governance, risk management, and security expectations.
Third Party Cyber Security
Clause: 3.4
Relevance: Outsourcing and cloud service provider controls
Description:
Covers assessment, contracting, monitoring, audit rights, and ongoing oversight of third-party providers, including cloud service providers.
Cyber Security Operations & Technology
Clause: 3.3
Relevance: Technical safeguards
Description:
Operational and technical cybersecurity controls applicable to both on-premises and cloud environments.
Cyber Security Governance & Strategy
Clause: 3.1
Relevance: Governance foundation
Description:
Governance and strategy requirements underpinning all cybersecurity activities, including cloud adoption.
Scope Note
This page references only official SAMA regulatory publications as published under the SAMA Rules & Instructions portal and the SAMA Rulebook. Vendor documents, cloud provider guides, and consulting materials are derived artifacts and should not be treated as regulatory sources.