The Saudi Central Bank (SAMA) issued its updated Cyber Security Framework guidance in Q4 2025, and the 2026 audit cycle now reaches its enforcement peak. For Saudi banks, insurance firms, and finance companies, alignment with the SAMA CSF is no longer a “best effort” — it is the entry ticket to retaining your operating licence and your correspondent banking relationships.

This article breaks down what changed between SAMA CSF 1.0 and the current Cyber Security Framework, the nine control domains every regulated entity must map, the 2026 audit timeline, and a practical gap-assessment checklist your CISO can run this quarter.

Why SAMA tightened the framework

Three pressures converged on Saudi financial institutions in late 2025:

  1. Cross-border exposure — Vision 2030 transactions now route through Saudi banks at unprecedented volume, and foreign regulators demand demonstrable cyber maturity from counterparties.
  2. Ransomware on Gulf banking — five disclosed incidents in 2025 targeted Saudi or UAE banks. Recovery cost on a Tier-1 bank exceeded SAR 280 million in one case.
  3. Saudi National Cybersecurity Authority (NCA) overlap — SAMA aligned its CSF with NCA’s Essential Cybersecurity Controls (ECC) to reduce duplicate reporting for banks that fall under both regulators.

The 2026 framework is not a rebrand. It is a tightening: residual-risk acceptance language is stricter, third-party assurance is now mandatory (was advisory), and board-level reporting cadence dropped from annual to semi-annual for Tier-1 institutions.

The nine SAMA CSF control domains

Every regulated entity must map evidence to all nine. Gaps in any single domain are reported as findings.

  1. Cyber Security Governance — board and senior management accountability, CISO independence, written cyber strategy with measurable outcomes
  2. Cyber Security Risk Management — risk register, residual-risk treatment, integration with enterprise risk
  3. Cyber Security Compliance — alignment with NCA ECC, ISO 27001, PCI DSS where applicable; mapping documented
  4. Cyber Security Architecture — defence-in-depth, segmentation, zero-trust roadmap (now expected, was optional)
  5. Cyber Security Operations — 24/7 SOC capability (in-house or outsourced under SLA), incident response runbooks
  6. Cyber Security Awareness — quarterly training, phishing simulation cadence, role-based curricula
  7. Cyber Security Technology — endpoint, identity, data, cloud control set with named tooling
  8. Third-Party Cyber Security — supplier due diligence, contractual security clauses, ongoing assurance evidence
  9. Cyber Security Reporting — semi-annual to SAMA, immediate breach reporting under defined thresholds

What changed from SAMA CSF 1.0

If you completed a SAMA CSF 1.0 self-assessment in 2024, you are not done. Re-baseline against these specific deltas:

Domain       | 1.0 expectation              | 2026 expectation
-------------|------------------------------|--------------------------------------------------------------
Governance   | Annual board report          | Semi-annual for Tier-1, with named cyber director
Risk         | Risk acceptance allowed      | Residual-risk justification required, signed by CEO
Architecture | Zero-trust “considered”      | Zero-trust roadmap with milestones
Operations   | SOC “as appropriate”         | 24/7 SOC mandatory
Third-Party  | DD on critical vendors       | DD on all vendors handling data or accessing networks
Reporting    | Annual cycle                 | Semi-annual + immediate breach notification

The 2026 audit timeline

For Saudi banks operating under SAMA supervision:

  • Q1 2026 — self-assessment refreshed against current framework version
  • Q2 2026 — external assurance engagement begins (independent third party)
  • Q3 2026 (now) — SAMA on-site review windows open; expect questionnaire by end of August
  • Q4 2026 — findings remediation period, semi-annual report due before year-end

If your institution has not started the Q2 assurance engagement, you are already behind the curve. Q3 SAMA reviewers will note “no third-party assurance engagement in progress” as an immediate finding.

Gap-assessment checklist your CISO can run this quarter

This is the practical 12-point list our consultants use when InfoSec4TC clients engage us for SAMA CSF gap assessment. Run it against your current control set:

  1. Is your written cyber strategy current, signed by the CEO, and referenced in the most recent board minutes?
  2. Does your risk register treat residual risk explicitly, with each acceptance signed off at CEO level?
  3. Have you mapped the SAMA CSF to NCA ECC and any other applicable frameworks (ISO 27001, PCI DSS)?
  4. Does your architecture documentation describe a zero-trust target state with named milestones?
  5. Is your 24/7 SOC capability evidenced — either in-house headcount or outsourced SLA with breach-detection KPIs?
  6. Have all employees completed cyber training in the last 12 months, with phishing simulation results logged?
  7. Is your endpoint, identity, and data tooling inventory current and reconciled to your asset register?
  8. Have you collected current security questionnaires or SOC 2 reports from all suppliers who handle data or have network access?
  9. Are contractual security clauses present in all vendor agreements active as of 1 January 2026?
  10. Has your incident response runbook been tested in the last six months via a tabletop exercise?
  11. Does your board governance pack include cyber risk as a standing agenda item with measurable indicators?
  12. Are breach reporting thresholds defined, with a named CFO/CISO sign-off path to SAMA within the required hours?

If you answered “no” or “not sure” to three or more items, your institution is exposed to findings in the Q3 SAMA review.

What InfoSec4TC delivers

Our SAMA CSF compliance practice typically delivers a Saudi bank gap assessment in 4–6 weeks, mapped to all nine domains, with prioritised remediation roadmap and board-ready summary deck. We have run this engagement for Tier-1 and Tier-2 Saudi banks since the 2021 SAMA CSF launch.

The work product includes:

  • Gap report — current state vs SAMA 2026 expectations per domain
  • Control mapping matrix — SAMA CSF ↔ NCA ECC ↔ ISO 27001 cross-walk
  • Remediation roadmap — 90-day, 180-day, 365-day horizons
  • Board deck — semi-annual reporting template you can re-use
  • External assurance prep — evidence pack to streamline your Q2 assurance engagement

Next step

If a Q3 SAMA review is on your calendar and your gap assessment is not closed, the window to remediate before findings is roughly eight weeks. Reach out via our SAMA CSF Saudi Arabia hub to discuss a fixed-scope assessment and let our consultants tell you honestly whether your current posture survives a SAMA on-site visit.
