SAMA Cybersecurity Framework (SAMA-CSF)

Strengthening Cybersecurity Compliance in Saudi Arabia’s Financial Sector.

What is SAMA-CSF?

The SAMA Cybersecurity Framework (CSF), issued by the Saudi Arabian Monetary Authority (SAMA), is a mandatory regulatory framework designed to strengthen the cybersecurity posture and resilience of financial institutions and regulated entities across the Kingdom.

It outlines a comprehensive set of principles, objectives, and control requirements to establish a strong baseline for cybersecurity risk management across the Saudi financial sector.

Beyond regulatory compliance, SAMA-CSF establishes a structured approach that enhances institutional resilience and reinforces stakeholder trust.

At DBT, we don’t just check boxes; we craft cyber strategies that deliver real results: trust your customers can feel, a resilient digital foundation and a trusted operational environment.

Why Choose DBT for SAMA-CSF?

At DBT, we combine deep regulatory knowledge with practical cybersecurity expertise to help you navigate SAMA-CSF compliance efficiently and confidently.

SAMA Maturity Levels

SAMA-CSF encourages organizations to measure and improve cybersecurity capabilities through structured maturity levels:

DBT helps you assess your current maturity level and design a roadmap to achieve higher levels, ensuring both compliance and operational excellence.

SAMA-CSF Structure

  • Cybersecurity Governance: 6 subdomains, 25 controls

  • Risk Mgmt & Compliance: 3 subdomains, 12 controls

  • Operations & Technology: 11 subdomains, 35 controls

  • Cybersecurity Resilience: 5 subdomains, 15 controls

  • Third Party & Outsourcing: 3 subdomains, 7 controls

Our SAMA-CSF Consulting Services

We provide strategic guidance and hands-on support to make your compliance journey smooth and effective.

  • Benchmark your current posture and define a step-by-step plan.

  • Establish leadership structures, risk frameworks, and accountability.

  • Deploy technical and procedural controls aligned with SAMA-CSF.

  • Secure supply chains and partner interactions.

  • Empower employees through workshops, e-learning, and certifications.

  • Ensure sustained compliance with ongoing monitoring and optimization.

Why SAMA-CSF Matters?

  • Mandatory Compliance: Required for all entities regulated by SAMA.

  • Saudi-Specific Focus: Tailored to the Kingdom’s cybersecurity landscape.

  • Global Alignment: Incorporates best practices from NIST CSF and ISO 27001.

  • Operational Protection: Safeguards data, trust, and continuity.

Our SAMA-CSF Process Approach

  • Kickoff & Scope Definition: Align leadership and define regulatory scope.

  • Gap Analysis & Maturity Mapping: Identify gaps against SAMA-CSF controls and assess maturity.

  • Governance & Risk Framework: Build policies, accountability, and risk management processes.

  • Control Deployment: Implement technical and procedural controls.

  • Third-Party Assurance: Integrate vendor and partner cybersecurity requirements.

  • Training & Capability Building: Build security awareness and readiness across the organization.

  • Audit & Maturity Monitoring: Track compliance, identify improvements, and sustain operational resilience.

Industries Served

  • Banking & Retail Finance

  • Insurance & Reinsurance

  • Financing & Credit Agencies

  • Exchanges & Bureaus

  • Fintech & Digital Payments

  • All SAMA-Regulated Financial Entities