SAMA Cybersecurity Framework
SAMA's Cybersecurity Framework for Saudi banks, insurers, and fintech.
All SAMA-regulated financial institutions.
Continuous evidence pipeline available; audit support included for all customers.
What SAMA actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Four levels of maturity (Initial → Repeatable → Defined → Managed → Adaptive).
ICT third-party risk management.
Incident reporting to SAMA.
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
SAMA maturity assessment with continuous evidence.
Third-party risk register with SAMA-specific overlays.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
SAMA maturity self-assessment.
Third-party risk register.
One evidence base. Many regulators.
These frameworks share substantial control overlap with SAMA. Customers running one assessment typically satisfy the others with the same evidence base.
Saudi NCA ECC
Middle East
Saudi Arabia's Essential Cybersecurity Controls — the national cyber baseline for the Kingdom.
DORA
European Union
The EU Digital Operational Resilience Act — applies directly to financial entities and makes critical ICT third-party providers subject to supervision.
RBI Cybersecurity Framework
India
RBI's cybersecurity framework spanning circulars for banks, urban co-operatives, NBFCs, and payment system operators.
Ready for SAMA?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.