What Is SAMA Compliance? A Complete Guide

SAMA compliance is mandatory for every Saudi-regulated financial institution, requiring Level 3 maturity across four cybersecurity control domains.

Written by
Trio Content Team
Published on
30 Mar 2026
Modified on
30 Mar 2026

When SAMA penalized 30 financial institutions simultaneously for compliance violations, it sent a clear signal: non-compliance is not a theoretical risk. For compliance professionals making the case to executive leadership, that enforcement action is exactly the business case language you need.

So what does SAMA compliance mean, and what does it actually require? At its core, SAMA compliance refers to adhering to the Saudi Central Bank's Cybersecurity Framework (SAMA CSF), a mandatory standard issued in 2017 that governs cybersecurity practices across every regulated financial institution in Saudi Arabia.

This is not a voluntary standard or a best-practice guide. All Member Organizations must achieve at least Level 3 maturity across four control domains. SAMA reviews self-assessments and conducts supervisory audits to verify those claims.

This article covers who must comply, the four control domains, the six maturity levels, the step-by-step compliance process, how SAMA CSF relates to PDPL, and what changed in 2026.

TL;DR

  • SAMA compliance is mandatory for all Saudi Central Bank-regulated financial institutions: banks, insurers, fintechs, payment providers, and more.

  • The SAMA CSF has four control domains: Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third-Party Cyber Security.

  • All Member Organizations must reach at least Level 3 (Structured and Formalized) on the six-level maturity scale; anything below is a violation.

  • Compliance is proven through demonstrated controls and SAMA-audited self-assessments, not policy documents alone.

  • SAMA compliance and PDPL are separate obligations with different regulators; financial institutions must meet both.

What Is the SAMA Cybersecurity Framework?

If you're already familiar with the SAMA CSF's origin and purpose, skip ahead to the domains and maturity levels below.

SAMA compliance begins with understanding what the framework actually is. SAMA, formerly the Saudi Arabian Monetary Authority and now operating as the Saudi Central Bank, issued Version 1.0 of the Cybersecurity Framework on May 1, 2017. It is the primary cybersecurity regulatory framework for the Saudi financial sector, and for any organization SAMA regulates it is the primary cybersecurity obligation.

The framework's purpose is to build measurable cyber resilience across the financial sector by establishing a structured baseline for cybersecurity controls. It is not a Saudi-only invention. The SAMA CSF aligns with internationally recognized standards including NIST, ISO 27001/27002, ISF, PCI DSS, and Basel Committee principles; it adds Saudi-specific mandatory enforcement on top of a globally coherent foundation.

Version 1.0 remains the current core document. SAMA doesn't issue versioned rewrites; instead, it adds requirements through separate circulars. The Payment Systems Oversight Framework was updated March 8, 2026, adding clarified supervisory scope for payment operators, a recent example of how the framework stays current through circulars rather than core document revisions.

Like other IT compliance frameworks, the SAMA CSF establishes defined control areas, maturity thresholds, and reporting obligations. Trio MDM, for instance, functions as the device management layer of a broader IT compliance program, enforcing the technical configurations SAMA requires on managed endpoints.

Who Must Comply With SAMA?

Is SAMA compliance mandatory? Yes, unambiguously. Any organization regulated by the Saudi Central Bank is a "Member Organization" under the framework, and Member Organizations must comply. The scope covers a broader set of institution types than many IT teams initially expect.

The following institution types are within scope:

  • Commercial banks
  • Islamic banks
  • Insurance companies
  • Reinsurance companies
  • Finance companies
  • Payment service providers
  • Digital banks
  • Fintech companies under SAMA oversight
  • Capital market institutions
  • Credit bureaus
  • Investment firms
  • Third-party service providers to Member Organizations

One question practitioners raise consistently: what about a technology vendor providing services to a SAMA-regulated bank? If that vendor touches a Member Organization's data or systems, Domain 4 applies. The Member Organization is responsible for flowing SAMA cybersecurity requirements down to its vendors through contracts; there is no carve-out for being a technology supplier rather than a financial institution.

A second-order consequence worth flagging early: once a financial institution is required to comply, all of its technology vendors face contractual SAMA requirements flowing downstream. This scope expansion, from internal IT to the full vendor ecosystem, is often the first surprise in a SAMA compliance project.

Getting vendor contracts updated to include SAMA-specific cybersecurity requirements is cross-functional work spanning legal, procurement, and IT, and it is often the slowest phase of any compliance program.

The minimum compliance threshold is Level 3 maturity across all four domains. Organizations below Level 3 are in violation, regardless of size. Banks must submit semiannual compliance reports: the second half-year report is due March 31, and the first half-year report is due August 31.

The Four Control Domains of the SAMA CSF

The SAMA compliance standards are organized into four domains, defined in Sections 3.1–3.4 of the official SAMA Rulebook. Each domain covers a distinct area of cybersecurity governance and operations. Some secondary sources describe five domains; the official Rulebook confirms four, so use the official structure.

Domain 1, Cyber Security Leadership and Governance

This domain covers cybersecurity strategy, policies, roles and responsibilities, executive risk ownership, and awareness programs. In practical terms, this is where the CISO role, board-level cyber risk reporting, and mandatory staff cybersecurity training live.

  • Cybersecurity strategy and policy documentation
  • Defined executive accountability for cyber risk
  • Ongoing cybersecurity awareness programs for all staff

Domain 2, Cyber Security Risk Management and Compliance

Domain 2 covers risk assessment processes, risk treatment, compliance monitoring, and internal audit. Risk management must extend to all information assets, including those managed by third parties.

  • Maintained risk register covering all information assets
  • Compliance monitoring calendar
  • Gap assessment findings and treatment plans

Domain 3, Cyber Security Operations and Technology

Domain 3 is where implementation effort concentrates. It covers access controls, intrusion detection, incident response, encryption, physical security, vulnerability management, and security monitoring. Level 3 maturity explicitly requires a GRC tool to be in place; organizations tracking compliance on spreadsheets cannot claim Level 3.

SAMA requires whole disk encryption for devices at risk of theft or loss. Organizations must define, approve, and implement their cryptographic solutions, not simply acknowledge encryption as a concept.

  • Identity and access management (IAM) controls
  • Defined and tested incident response procedures
  • Encryption enforcement across endpoints
  • Vulnerability management and security monitoring

Practitioner tip: map each SAMA control to its specific control ID before building your IAM stack. This creates audit-ready documentation that SAMA reviewers can verify directly; it is far easier to defend an implementation when each control traces back to a numbered requirement.

Device-level technical controls, like encryption enforcement, password policy management, and continuous compliance monitoring, can be automated through an MDM platform like Trio MDM, reducing the manual effort of satisfying Domain 3 at scale.

If your Domain 3 self-assessment scores well but controls fail during SAMA's supervisory review, check whether each technical control has been independently validated through vulnerability assessment and penetration testing (VAPT). Documentation without validated test results is the most common audit failure mode.
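The whole-disk-encryption requirement above is a good illustration of the difference between a documented control and a verified one. The script below is an added example written for this article; it is not part of the SAMA CSF, the Rulebook, or Trio MDM. It parses the status output of each platform's native encryption tool (BitLocker's manage-bde -status, macOS fdesetup status, and lsblk -P on Linux) and turns every endpoint into a pass/fail evidence record. The control label, the device names and all CLI outputs are constructed assumptions; in production the captures would come from the fleet and the control ID from your own mapping.

```python
"""Whole-disk-encryption evidence collector for a mixed endpoint fleet.

Added example for this article; not part of the SAMA CSF or of any product.
Each device is judged from the raw output of its native encryption tool and
recorded as a pass/fail finding that can be attached to a Domain 3
self-assessment. Control label, device names and outputs are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: the article gives no Domain 3 sub-control number, so this
# label is a placeholder to be replaced with the ID from your control map.
CONTROL = "SAMA CSF Domain 3 (3.3.x, assumed): whole disk encryption"


@dataclass
class Finding:
    device: str
    platform: str
    compliant: bool
    reason: str
    control: str = CONTROL


def check_bitlocker(device: str, text: str) -> Finding:
    """`manage-bde -status`: every listed volume must be Fully Encrypted with
    Protection On. A suspended protector still shows 100% encrypted but
    'Protection Off'; the clear key is then on disk, so the volume fails."""
    parts = re.split(r"(?m)^Volume (\w:)", text)
    volumes = list(zip(parts[1::2], parts[2::2]))
    if not volumes:
        return Finding(device, "windows", False, "no BitLocker volumes reported")
    bad = []
    for letter, block in volumes:
        conv = re.search(r"Conversion Status:\s*(.+)", block)
        prot = re.search(r"Protection Status:\s*(.+)", block)
        conv_s = conv.group(1).strip() if conv else "unknown"
        prot_s = prot.group(1).strip() if prot else "unknown"
        if conv_s != "Fully Encrypted" or prot_s != "Protection On":
            bad.append(f"{letter} {conv_s} / {prot_s}")
    if bad:
        return Finding(device, "windows", False, "; ".join(bad))
    return Finding(device, "windows", True, f"{len(volumes)} volume(s) encrypted, protection on")


def check_filevault(device: str, text: str) -> Finding:
    """`fdesetup status`: first line is 'FileVault is On.' or 'FileVault is Off.'"""
    first = text.strip().splitlines()[0] if text.strip() else "no fdesetup output"
    return Finding(device, "macos", first.startswith("FileVault is On"), first)


def check_luks(device: str, text: str) -> Finding:
    """`lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT`: the root filesystem must be
    mounted from a TYPE="crypt" mapper device (dm-crypt/LUKS). /boot and the
    EFI partition are expected to stay plain, so only '/' is judged here."""
    rows = [dict(re.findall(r'(\w+)="([^"]*)"', ln)) for ln in text.splitlines() if ln.strip()]
    root = next((r for r in rows if r.get("MOUNTPOINT") == "/"), None)
    if root is None:
        return Finding(device, "linux", False, "root filesystem not found in lsblk output")
    return Finding(device, "linux", root.get("TYPE") == "crypt",
                   f"/ on {root.get('NAME')} type={root.get('TYPE')} fstype={root.get('FSTYPE')}")


CHECKS = {"windows": check_bitlocker, "macos": check_filevault, "linux": check_luks}


def evidence_register(captures):
    """captures: iterable of (device_name, platform, raw CLI output)."""
    return [CHECKS[platform](device, output) for device, platform, output in captures]


def summary(findings):
    failed = [f.device for f in findings if not f.compliant]
    return {"control": CONTROL, "checked": len(findings),
            "compliant": len(findings) - len(failed), "non_compliant": failed}


# Constructed sample captures (not real devices); WS-002 is the suspended-protector case.
BITLOCKER_OK = """Volume C: [OS]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
"""
BITLOCKER_SUSPENDED = BITLOCKER_OK.replace("Protection On", "Protection Off")
LSBLK_LUKS = """NAME="nvme0n1" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="root" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
"""
LSBLK_PLAIN = """NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
"""
SAMPLES = [
    ("WS-001", "windows", BITLOCKER_OK),
    ("WS-002", "windows", BITLOCKER_SUSPENDED),
    ("MAC-001", "macos", "FileVault is On.\n"),
    ("MAC-002", "macos", "FileVault is Off.\n"),
    ("LNX-001", "linux", LSBLK_LUKS),
    ("LNX-002", "linux", LSBLK_PLAIN),
]

if __name__ == "__main__":
    for f in evidence_register(SAMPLES):
        print(f"{f.device:8} {f.platform:8} {'PASS' if f.compliant else 'FAIL'}  {f.reason}")
    print(summary(evidence_register(SAMPLES)))
```

The point of the suspended-protector case is that a control can look satisfied on paper (the volume is 100% encrypted) while being ineffective in practice; a reviewer who asks for test results rather than a policy statement will catch exactly this. Keep the raw captures alongside the findings so the evidence trail is reproducible at the next self-assessment.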

For a control-by-control breakdown across all four domains, see our SAMA compliance checklist.

Domain 4, Third-Party Cyber Security

Domain 4 covers contract and vendor management (3.4.1) and outsourcing (3.4.2). Member Organizations must flow SAMA cybersecurity requirements down to cloud providers and all outsourced vendors.

Major cloud providers like Google Cloud have published explicit SAMA outsourcing compliance mapping documents. These are useful starting points for due diligence, but they do not satisfy Domain 4 on their own. The Member Organization remains responsible for assessing each provider, updating contracts, and monitoring vendor controls on an ongoing basis.

SAMA's March 2026 update to the Payment Systems Oversight Framework, which clarified supervisory scope for payment operators, intersects directly with Domain 4 requirements for payment service providers. Once Domain 4 is applied across your program, every new vendor onboarding must include a SAMA cybersecurity assessment, which changes procurement timelines and contract templates organization-wide.

The Six Maturity Levels (And What Level 3 Actually Means)

SAMA sets Level 3 as the minimum for all Member Organizations, measured against a six-level maturity model (Levels 0–5). Organizations below this threshold are in violation, regardless of their size or how recently they received their SAMA license.

The six levels are:

  • Level 0, Incomplete/Non-Existent: No controls in place
  • Level 1, Performed Informally: Controls exist but are undocumented
  • Level 2, Planned and Tracked: Controls are documented and tracked
  • Level 3, Structured and Formalized: Controls formally defined, board-approved, adopted at scale; GRC tool in use; performance indicators defined; controls regularly evaluated
  • Level 4, Managed and Measurable: Quantitative measurement using peer and sector benchmarks
  • Level 5, Optimizing: Continuous improvement with leading-edge controls

Level 3 has a precise operational meaning that gets lost in summary descriptions. "Formally approved" means board or senior management sign-off on cybersecurity policies, not IT-team documentation sitting in a shared drive. "Adopted at scale" means controls are implemented across the organization, not just in the CISO's test environment.

A GRC tool must be in place; this is an explicit Level 3 requirement. Defined KPIs for cybersecurity controls must be reported on, and controls must be actively monitored, not just assessed when an audit approaches.

In 2026, SAMA supervisory reviews increasingly focus on demonstrated control effectiveness (penetration testing results, incident response drill outcomes) rather than questionnaire completion. Demonstrated effectiveness is what separates compliant organizations from those that merely have policies written down: Level 3 means your controls are tested and verified, which is what makes compliance meaningful rather than performative.

Where does your organization currently stand on SAMA maturity?

No formal cybersecurity policies or controls exist → You're at Level 0–1. Start with a gap assessment across all four domains before anything else.

Documented policies and tracked controls, but not board-approved and no GRC tool → You're at Level 2. Your next step is formalization, board sign-off, and GRC tool selection.

Controls are board-approved, GRC tool is in place, controls regularly evaluated → You're at Level 3. Focus on control testing (pen testing, VAPT) to move toward Level 4.

Not sure? → Commission a SAMA gap assessment. This is the universal first step recommended by every practitioner source, regardless of where you think you stand.

Comparison Table: SAMA CSF vs. PDPL and NCA ECC-2

Saudi financial institutions don't navigate SAMA compliance in isolation. The framework sits alongside two other major regulatory obligations, PDPL and NCA ECC-2, each with its own regulator, scope, and enforcement timeline.

SAMA CSF vs. PDPL: Two Frameworks, Two Regulators

SAMA CSF
  Regulator: Saudi Central Bank (SAMA)
  Scope: Financial institutions only
  Primary focus: Cybersecurity resilience and control maturity
  Applies to you if: you are a bank, insurer, fintech, payment provider, or a third-party vendor to one of these institutions

PDPL
  Regulator: SDAIA (Saudi Data and Artificial Intelligence Authority)
  Scope: Any organization processing personal data of Saudi residents
  Primary focus: Data privacy and personal data protection
  Applies to you if: your organization handles personal data of Saudi residents; this includes financial institutions

NCA ECC-2
  Regulator: National Cybersecurity Authority (NCA)
  Scope: Government entities and operators of critical national infrastructure
  Primary focus: Essential cybersecurity controls
  Applies to you if: you operate critical national infrastructure or are a government entity

ISO 27001
  Regulator: None; voluntary certification by an external certification body
  Scope: Global, any industry
  Primary focus: Information security management
  Applies to you if: you choose to certify; it complements the SAMA CSF but does not substitute for it

SAMA CSF + PDPL (dual obligation)
  Regulators: SAMA and SDAIA
  Scope: Saudi financial institutions
  Primary focus: Cybersecurity and data privacy (overlapping)
  Applies to you if: you are a Saudi financial institution; both must be met, and they are separate obligations

How to Achieve SAMA Compliance: The Eight-Step Process

Achieving SAMA compliance is a continuous program, not a one-time project; there is no single "go live" moment. The technical steps are only half the work: securing executive budget approval and getting vendor contracts updated are often what actually slow a SAMA compliance program down.

That said, the path from gap to Level 3 follows a consistent pattern. SAMA regulations require periodic self-assessments and ongoing control maintenance, so the process below is a starting structure, not a one-off checklist.

  1. Perform a gap assessment. Evaluate your current posture against all four domains before writing a single policy. The gap assessment is the first step in every practitioner guide: it tells you what actually needs to be built, which prevents wasted effort on controls you already have or policies you don't yet need.
  2. Define and document cybersecurity policies, only after the gap assessment identifies what's missing. Policy documentation written without a prior gap analysis tends to miss the areas SAMA reviewers actually scrutinize.
  3. Implement controls across all four domains. Domain 3 is where implementation effort concentrates and where organizations must build and validate technical controls, not just describe them. Prioritize access controls, encryption, and incident response.
  4. Conduct staff training and awareness programs. This is a Domain 1 requirement, not a checkbox. SAMA reviewers look for evidence of an ongoing program, not a one-time session completed before the audit.
  5. Implement third-party risk management processes (Domain 4). Update vendor contracts from the start; do not treat this as a later phase. Every new vendor must clear a SAMA cybersecurity assessment before onboarding.
  6. Establish incident response procedures: documented, tested, and evidenced. An incident response plan that has never been drilled does not satisfy Level 3's "controls regularly evaluated" requirement.
  7. Select and deploy a GRC tool. Level 3 explicitly requires one. Compliance automation can accelerate control testing and evidence collection for SAMA self-assessments, shortening the gap between control implementation and audit-ready documentation.
  8. Conduct periodic self-assessments and report to SAMA. Banks submit semiannual reports, and all Member Organizations undergo SAMA-audited self-assessments. SAMA sets firm deadlines; treat the reporting calendar as non-negotiable.

If your Domain 3 self-assessment scores well but controls fail during supervisory review, check whether each control has a corresponding test result. SAMA increasingly expects demonstrated effectiveness, not just documented intent.

SAMA Compliance in the Context of Vision 2030

SAMA compliance sits within Vision 2030's digital transformation agenda. The regulatory environment is not tightening arbitrarily; it is part of a deliberate national strategy to position Saudi Arabia as a financially secure digital economy.

The results are measurable. Saudi Arabia's cybersecurity sector contributed SAR 18.5 billion (~$4.9 billion) to GDP in 2024, a 19% year-on-year increase. The country ranked first in global cybersecurity in the IMD World Competitiveness Yearbook 2025. The cybersecurity workforce surpassed 21,000 professionals in 2024, with 9% growth recorded that year.

SAMA's compliance mandate is a significant part of why Saudi Arabia holds this position. The framework creates a regulated environment where financial sector cybersecurity becomes a national competitive advantage, not just a cost center.

SAMA's influence also extends regionally. Neighboring GCC central banks have aligned portions of their own cybersecurity frameworks with SAMA's model, creating compliance pressure for multinational financial institutions operating across Gulf markets.

One staffing obligation worth noting: both the SAMA CSF and NCA ECC-2 require the employment of qualified Saudi nationals in cybersecurity roles, a requirement with no technical workaround.

Organizations that treat SAMA compliance as purely a defensive obligation miss the strategic picture. It is an entry ticket to Saudi Arabia's regulated financial market.

How Trio MDM Helps With SAMA Compliance

A SAMA compliance program spans governance, risk management, operations, and third-party security. Trio MDM addresses the device management layer of Domain 3, where implementation effort concentrates for most organizations: it enforces the technical configurations Domain 3 requires on managed endpoints and generates the evidence your self-assessment depends on. It is not a full GRC platform, so it does not by itself satisfy the Level 3 GRC tool requirement, but for device-layer control enforcement it covers the controls SAMA reviewers test. Here is what it covers:

  • Encryption enforcement: Trio MDM enforces disk encryption and password policies on managed devices, directly satisfying SAMA's cryptographic and access control requirements in Domain 3.
  • Automated control testing and continuous monitoring: Level 3 maturity requires that controls be regularly evaluated. Trio MDM's automated control testing provides a continuous evidence trail of security control states across managed endpoints, verified controls, not just documented ones.
  • Automated remediation: One-click fixes for most compliance issues keep devices in a compliant state between self-assessment cycles, reducing the risk of configuration drift.
  • Compliance reporting: Trio MDM generates compliance reports useful for SAMA self-assessment documentation and supervisory review preparation.
  • Audit device configurations: Organizations can audit device configurations directly, supporting the evidence collection requirement for SAMA self-assessments.
  • Multi-platform support: Trio MDM supports Windows 11, macOS, iOS, Android, and Linux, relevant for financial institutions running mixed device fleets across offices and remote endpoints. Support depth varies by platform; contact the team to confirm coverage for your specific device fleet.

For organizations building out their Domain 3 controls, compliance automation at the device layer reduces the manual effort of configuration enforcement and evidence collection. You can also read more about SAMA compliance automation to see how MDM fits into a broader SAMA compliance program.

Ready to see how it works for your organization? Start your free trial or book a demo to walk through Trio MDM's Domain 3 capabilities with the team.


Frequently Asked Questions (FAQ)

Is SAMA compliance mandatory for fintechs, payment providers, and digital banks?

SAMA compliance is mandatory for all Member Organizations regulated by SAMA, which explicitly includes fintech companies under SAMA oversight, payment service providers, and digital banks, not just traditional commercial banks. If SAMA regulates your business activity, compliance is required regardless of company size or how long you've been operating. Technology vendors providing services to SAMA-regulated institutions also fall within scope under Domain 4.

How does the SAMA CSF differ from NCA ECC-2 and ISO 27001?

These are two separate frameworks issued by two different regulators with different scopes. The SAMA CSF is issued by the Saudi Central Bank and applies exclusively to financial institutions. NCA ECC-2 is issued by the National Cybersecurity Authority and applies to government entities and operators of critical national infrastructure. Some large financial institutions may face obligations under both frameworks, and ISO 27001 certification is separate from and does not substitute for either.

How is SAMA compliance assessed and reported?

The SAMA CSF requires periodic self-assessments submitted by Member Organizations via questionnaire. Banks must submit semiannual reports, with the second half-year report due March 31 and the first half-year report due August 31. SAMA reviews and audits these self-assessments to determine maturity level, and as of 2026, supervisory reviews increasingly evaluate demonstrated control effectiveness (penetration testing results and incident response outcomes) rather than policy documentation alone.

Does a cloud provider's SAMA compliance mapping satisfy Domain 4?

Major cloud providers have published SAMA outsourcing compliance mapping documents, but their existence does not automatically satisfy Domain 4. The Member Organization remains responsible for due diligence, contractual SAMA requirements, and ongoing monitoring of each provider's controls. The mapping documents are a starting point for your assessment, not a sign-off you can file and move on from.

What happens if an organization does not comply?

Non-compliance with SAMA requirements constitutes a violation of applicable laws, including the Banking Control Law and Finance Companies Control Law. SAMA has explicit authority to stop the institution from providing the product subject to the violation if violations continue uncorrected. SAMA compliance is not a formality; the 30-institution enforcement action demonstrates that SAMA uses this authority and will act collectively when warranted.
