Third-Party Risk Assessment in Saudi Arabia: SAMA & PDPL
How Saudi organisations run third-party and vendor risk assessment in 2026 — tiering, due diligence, right-to-audit clauses and monitoring under SAMA, NCA ECC and PDPL.
Third-party risk assessment is the discipline of understanding — before and throughout a relationship — how much risk a supplier, vendor or outsourcing provider introduces, and managing it down to an acceptable level. For Saudi organisations in 2026 it is no longer discretionary good practice: it is an explicit, assessable obligation under the SAMA frameworks, the NCA Essential Cybersecurity Controls and the Personal Data Protection Law.
The fastest-growing source of risk in a Saudi organisation is rarely inside its own perimeter. It is in the cloud provider hosting the core system, the managed SOC watching the network, the payment processor moving the money, the marketing agency holding the customer list, and the dozens of smaller suppliers that have quietly accumulated access to systems and data over the years. Each one is a door. Third-party risk assessment is the discipline of knowing how many doors you have, who holds the keys, and whether the locks work.
For Saudi organisations the stakes are higher than the commercial risk alone, because the regulators have made third-party risk an explicit, assessable obligation. A bank cannot point at its cloud provider when customer data leaks. A government entity cannot blame its outsourced IT contractor for a breach of national systems. The principle that runs through every Saudi framework is the same: you can outsource the activity, but not the accountability. This guide is the practitioner's walkthrough of how to build a third-party risk assessment programme that satisfies that principle.
Why third-party risk is a regulated obligation in KSA
Three regulatory regimes converge on third-party risk for Saudi organisations, and most regulated entities sit under at least two of them at once.
SAMA — CSF Domain 3.4 and the Outsourcing Rules
SAMA (the Saudi Central Bank) supervises banks, insurers, finance companies and payment service providers. Its Cyber Security Framework (CSF) Domain 3.4 — Third Party Cyber Security — and its Rules on Outsourcing (December 2019) set explicit third-party assessment, contracting and monitoring requirements, and hold the regulated institution fully accountable for a vendor's failure.
NCA — Essential Cybersecurity Controls
The NCA Essential Cybersecurity Controls (ECC) govern government entities and critical national infrastructure, and carry their own third-party and outsourcing cybersecurity provisions that parallel the SAMA requirements.
SDAIA — PDPL Article 14
Under the Personal Data Protection Law (PDPL), SDAIA regulates how personal data is shared with processors. Article 14 requires controllers to bind third-party processors with strict data-handling agreements covering security, purpose limitation and onward processing.
The common requirement across all three is not "have a vendor list." It is a demonstrable, risk-based, lifecycle process: assess before you engage, contract for the controls you need, monitor through the relationship, and exit cleanly. An assessor — whether SAMA, NCA or an internal auditor — expects to see evidence at each stage.
The third-party risk lifecycle
A defensible programme treats every third party as a relationship with a beginning, a middle and an end — and assesses risk at each stage. Five stages, run consistently, are what separates a real programme from a spreadsheet of logos.
| Stage | What happens |
|---|---|
| 1. Identify & tier | Inventory every third party and classify each by the risk it presents (data accessed, system access, criticality of service). |
| 2. Due diligence | Assess the third party's controls before engagement — depth proportional to its tier. |
| 3. Contract | Embed the required clauses: data protection, incident reporting, right to audit, sub-contracting limits, exit. |
| 4. Monitor | Re-assess on a tier-based cadence and on trigger events; track performance and control drift. |
| 5. Offboard | Revoke access, recover or destroy data, and confirm the exit — the most-skipped, highest-residual-risk stage. |
Stage 1 — Identify and tier your third parties
You cannot assess what you have not inventoried, and the inventory is almost always incomplete on the first pass. Shadow vendors — the SaaS tool a business unit expensed, the contractor a project manager onboarded — are exactly the ones that escape assessment and cause incidents. The first deliverable of any programme is a single, authoritative third-party register.
Once you have the inventory, tiering is the decision that makes the rest of the programme proportionate. Tiering answers one question: how much does this relationship matter, and how much could it hurt us? A pragmatic Saudi-aligned model uses three tiers driven by data sensitivity, system access and service criticality:
| Tier | Profile | Assessment depth |
|---|---|---|
| Critical | Hosts/processes regulated or personal data, holds privileged system access, or runs a service whose failure stops the business. | Enhanced due diligence, on-site or evidenced assessment, annual re-assessment, full contractual controls. |
| Important | Limited data or system access; service disruption is recoverable with effort. | Standard questionnaire, evidence sampling, re-assessment every 1–2 years. |
| Low | No data or system access; easily substituted. | Lightweight self-attestation; periodic review. |
The discipline tiering enforces is not assessing everything to the same depth. Teams that try to run an enhanced assessment on every supplier burn out and assess none of them well. Teams that match assessment depth to tier concentrate their scrutiny where the residual risk actually sits.
Stage 2 — Due diligence proportional to risk
Due diligence is the assessment itself, and the cardinal rule under both SAMA and NCA is that it happens before engagement — before the contract is signed and the access is granted, not after the first incident. The assessment scales with the tier.
For a critical third party, due diligence should establish, with evidence rather than assertion:
- Security posture — certifications (ISO 27001, SOC 2), the results of the supplier's own control assessments, penetration test summaries, and how they segregate your data from other clients.
- Data handling and residency — where your data physically lives, who can access it, and whether the arrangement satisfies PDPL data-residency and cross-border-transfer expectations.
- Resilience — the supplier's business continuity and disaster recovery capability, and its own dependence on fourth parties (the sub-contractors behind your contractor).
- Financial and reputational standing — adverse media, sanctions screening, and financial stability for any supplier you would struggle to replace quickly.
The goal of due diligence is not a completed questionnaire. It is a documented, evidenced judgement about whether a third party's controls are good enough for the access you are about to grant — and a record of that judgement you can show an assessor.
The most common failure here is accepting a self-completed questionnaire at face value for a critical vendor. A questionnaire is a starting point; for critical tiers it must be backed by evidence — the certificate, the audit report, the test summary — and a reviewer who reads it.
Stage 3 — Contract for the controls you need
The contract is where third-party risk assessment becomes enforceable. Findings from due diligence mean little if the agreement does not give you the rights to act on them. Saudi regulators are specific about what the contract must contain, and the right to audit is the clause they care about most.
For critical and important third parties, the contract should embed:
- Data protection obligations aligned to PDPL Article 14 — purpose limitation, security requirements, breach handling, and restrictions on onward processing.
- Incident reporting — the supplier must notify you of a security incident within a defined window short enough that you can still meet your own regulatory notification deadlines to SAMA, NCA or SDAIA.
- Right to audit — the contractual right for you (or SAMA) to assess the supplier's controls, on-site or through evidence, during the relationship. SAMA's CSF makes this an expectation, not a nicety.
- Sub-contracting controls — notification and approval rights over the fourth parties your supplier relies on, so concentration and chained risk are visible.
- Exit and data-return clauses — what happens to your data and access when the relationship ends.
Stage 4 — Monitor through the relationship
Third-party risk is not a point-in-time gate; a supplier that was secure at onboarding can degrade, get acquired, suffer a breach, or quietly move your data offshore. Continuous monitoring is the difference between a programme that assessed its vendors and one that manages them.
Effective monitoring combines a scheduled cadence with trigger-based re-assessment:
- Cadence by tier — critical suppliers re-assessed annually, important suppliers every one to two years, low-tier on a lighter periodic cycle.
- Trigger events — a supplier breach or incident, a change of ownership, adverse media, a sanctions hit, a material change in the service, or the supplier moving to a new sub-processor. Any of these should force a fresh assessment regardless of the calendar.
- Performance and control drift — track delivery against SLAs and watch for signals that the control environment is slipping (missed reports, staff turnover in key roles, expired certifications).
This is also where concentration risk becomes visible. If five of your critical services depend on the same cloud region, or three suppliers all sub-contract to the same fourth party, a single failure cascades. Monitoring at the portfolio level — not just vendor by vendor — is what surfaces that exposure before it becomes an outage.
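Stages 1 and 4 together, as an added example that is not part of the original article or of the GRC Vantage product: a small Python script that applies the tier rule from the table above to a constructed register, works out which suppliers are due a re-assessment on cadence or on a trigger event, and surfaces portfolio-level concentration on a shared fourth party or cloud region. The supplier names, dates and the three-year low-tier cycle are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample register for illustration only; names, dates and values are made up.
REGISTER = [
    {"name": "CloudHost-A", "data": "regulated", "system": "privileged", "business_stopping": True,
     "last_assessed": date(2024, 11, 1), "fourth_parties": ["Region-X"], "triggers": []},
    {"name": "MSSP-B", "data": "regulated", "system": "privileged", "business_stopping": False,
     "last_assessed": date(2025, 9, 15), "fourth_parties": ["Region-X"],
     "triggers": ["change_of_ownership"]},
    {"name": "Agency-C", "data": "regulated", "system": "none", "business_stopping": False,
     "last_assessed": date(2025, 6, 1), "fourth_parties": ["SubProc-Y"], "triggers": []},
    {"name": "Analytics-E", "data": "limited", "system": "limited", "business_stopping": False,
     "last_assessed": date(2024, 12, 1), "fourth_parties": ["SubProc-Y"], "triggers": []},
    {"name": "Stationery-D", "data": "none", "system": "none", "business_stopping": False,
     "last_assessed": date(2022, 1, 10), "fourth_parties": [], "triggers": []},
]

# Cadence from the tier table: critical annually, important every 1-2 years (2 used here),
# low on a lighter periodic cycle (3 years is an assumption; the article gives no figure).
CADENCE_DAYS = {"critical": 365, "important": 730, "low": 1095}
TRIGGER_EVENTS = {"breach", "change_of_ownership", "adverse_media", "sanctions_hit",
                  "material_change", "new_subprocessor"}
AS_OF = date(2026, 3, 1)  # fixed "today" so the run is reproducible

def tier(v):
    """Three-tier rule: any critical criterion wins; no data and no system access is low."""
    if v["data"] == "regulated" or v["system"] == "privileged" or v["business_stopping"]:
        return "critical"
    if v["data"] == "none" and v["system"] == "none":
        return "low"
    return "important"

def review_reasons(v, today):
    """Why a re-assessment is due now: trigger events fired and/or the cadence has lapsed."""
    reasons = [t for t in v["triggers"] if t in TRIGGER_EVENTS]
    next_due = v["last_assessed"] + timedelta(days=CADENCE_DAYS[tier(v)])
    if today >= next_due:
        reasons.append(f"cadence: due since {next_due.isoformat()}")
    return reasons

def concentration(register):
    """Fourth parties or regions that two or more critical suppliers depend on."""
    shared = defaultdict(list)
    for v in register:
        if tier(v) == "critical":
            for fp in v["fourth_parties"]:
                shared[fp].append(v["name"])
    return {fp: names for fp, names in shared.items() if len(names) >= 2}

if __name__ == "__main__":
    for v in REGISTER:
        print(f"{v['name']:<14}{tier(v):<10}{review_reasons(v, AS_OF) or 'no review due'}")
    print("concentration:", concentration(REGISTER))
```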
Stage 5 — Offboard cleanly
Offboarding is the most-skipped stage and the one that leaves the largest hidden residual risk. When a relationship ends, dormant access frequently remains: an API key that still works, a service account no one disabled, a copy of data sitting in the supplier's backups long after the contract closed.
A disciplined exit confirms three things and records the evidence for each: access revoked (every account, key and integration disabled), data returned or destroyed (with the supplier's written confirmation), and dependencies closed (no orphaned integrations still calling the supplier's systems). For critical suppliers, the offboarding plan should have been drafted at onboarding — because the moment you most need a clean exit is rarely the moment you have time to design one.
The evidence an assessor asks for
Whether the reviewer is SAMA, NCA, or your own internal audit function, the third-party risk programme is judged on operational evidence, not policy documents. The artefacts most commonly requested are:
- The third-party register — complete, tiered, and current, with no obvious gaps where business units have onboarded suppliers outside the process.
- Due-diligence records for a sample of critical vendors — the assessment, the evidence behind it, and the documented decision to engage.
- Executed contracts showing the required clauses, especially right-to-audit and incident reporting, for critical and important tiers.
- Re-assessment history — proof that monitoring actually happens on cadence and on trigger, not just on paper.
- Offboarding evidence for recently exited suppliers — access revocation and data-destruction confirmation.
A register that lists only the obvious large vendors, contracts missing audit rights, or a monitoring cadence that exists in the policy but not in the records — these are the findings that recur in Saudi third-party reviews.
Building the programme: practical sequencing
For an organisation starting from an incomplete spreadsheet, the order that works is:
- Build the authoritative register. Pull from procurement, finance (who is being paid?), and IT (who has access?) to find the shadow vendors. This single step usually surfaces 20–40% more suppliers than anyone expected.
- Tier the portfolio. Classify every supplier into critical / important / low so effort is proportionate from day one.
- Assess the critical tier first. Run enhanced due diligence on the handful of suppliers that carry the most risk before touching the long tail.
- Remediate contracts. Add the missing clauses — right to audit, incident reporting, data protection, exit — at the next renewal for important suppliers and immediately for critical ones.
- Stand up monitoring. Set the re-assessment cadence by tier and wire the trigger events into the process.
- Centralise it. Move the register, assessments, contracts and re-assessment schedule into one platform so the evidence chain is end-to-end and inspection-ready.
How GRC Vantage runs third-party risk for Saudi organisations
GRC Vantage's risk management module gives you a single third-party register with built-in tiering, so every supplier carries its risk classification, assessment history and contract status in one place. Due-diligence questionnaires are mapped to SAMA CSF Domain 3.4, the SAMA Rules on Outsourcing and PDPL Article 14, so one assessment satisfies several regulatory obligations rather than being repeated for each. Re-assessment cadences fire automatically by tier, and trigger-based reviews kick off on adverse media, ownership change or supplier incident.
Because the third-party register connects to the compliance module and the broader risk register, a vendor finding links directly to the control it weakens and the regulatory obligation it touches — the end-to-end evidence chain that assessors increasingly ask to see. The platform is deployed inside Saudi Arabia to meet PDPL and SAMA data-residency expectations, with Riyadh and Dammam teams who pre-populate the assessment content for the Saudi regulatory landscape.
For the wider SAMA framework family — including the Outsourcing Rules and Cyber Security Framework that govern third-party obligations — read our SAMA frameworks pillar guide. If you are building a third-party risk programme from an incomplete vendor list, or preparing for a SAMA or NCA review, book a session with our team and we will show you how Saudi organisations use GRC Vantage to run vendor risk that holds up at inspection.
Book a demo with the GRC Vantage team in Riyadh or Dammam.
Frequently asked questions
What is third-party risk assessment?
Third-party risk assessment is the process of evaluating the risk a supplier, vendor or outsourcing provider introduces to your organisation — across security, data protection, resilience and financial stability — before you engage them and on an ongoing basis throughout the relationship. The goal is a documented, evidenced judgement about whether a third party's controls are adequate for the access you are granting.
Is third-party risk assessment mandatory in Saudi Arabia?
For regulated entities, yes. SAMA (CSF Domain 3.4 and the Rules on Outsourcing), the NCA (Essential Cybersecurity Controls) and the PDPL (Article 14) all impose third-party assessment, contracting and monitoring obligations. The regulated institution remains fully accountable for a third party's control failure.
How do you tier third-party vendors?
A practical model uses three tiers driven by data sensitivity, system access and service criticality: critical (regulated/personal data, privileged access or business-stopping services) gets enhanced due diligence and annual re-assessment; important vendors get a standard questionnaire with evidence sampling; low vendors get lightweight self-attestation. Assessment depth is matched to tier so effort is concentrated where residual risk sits.
What is a right-to-audit clause?
A right-to-audit clause gives your organisation (and, where relevant, SAMA) the contractual right to assess a third party's controls — on-site or through evidence — during the relationship. The SAMA Cyber Security Framework treats it as an expectation for material third parties. If a critical vendor refuses the clause, that refusal is itself a risk finding.
How often should third parties be re-assessed?
Re-assessment combines a tier-based cadence (critical annually, important every one to two years, low on a lighter cycle) with trigger-based reviews that fire on a supplier breach, change of ownership, adverse media, a sanctions hit, or a material change in the service or sub-processors — regardless of the calendar.
References
1. Primary regulation (SAMA): Saudi Central Bank (SAMA), Cyber Security Framework, 2017. Defines third parties broadly and requires third-party risk assessment, contractual clauses (data protection, incident reporting, right to audit) and ongoing monitoring. The regulated institution remains fully accountable for vendor failures.
2. Primary regulation (SAMA): Saudi Central Bank (SAMA), Rules on Outsourcing, December 2019. Requires assessment of a provider's ability, capacity and authorisation; a method to periodically assess the provider; statutory confidentiality before sharing customer or financial data; and an internal control-and-monitoring structure for outsourcing.
3. Primary regulation (NCA): National Cybersecurity Authority (NCA), Essential Cybersecurity Controls, 2018. Baseline cybersecurity controls for Saudi government and critical-infrastructure entities, including third-party and outsourcing cybersecurity provisions that parallel the SAMA requirements.
4. Primary regulation (PDPL): Kingdom of Saudi Arabia / SDAIA, Personal Data Protection Law, 2021. Requires controllers to bind third-party processors with data-handling agreements covering security, purpose limitation and onward-processing restrictions: the data-protection backbone of vendor contracting in KSA.
5. International standard: International Organization for Standardization (ISO), ISO/IEC 27001, 2022. Annex A controls on supplier relationships (5.19–5.22) provide the international baseline for third-party security requirements that SAMA CSF and NCA ECC build upon. ISO 27001 / SOC 2 certificates are common due-diligence evidence for critical suppliers.
6. Guidance: National Institute of Standards and Technology (NIST), 2022. The authoritative reference for supply-chain and third-party risk management practices, widely used by Saudi organisations as supplementary methodology alongside SAMA and NCA requirements.

The GRC Vantage team brings together compliance, risk, audit and business continuity practitioners based in Riyadh and Dammam. We help Saudi banks, government entities and regulated enterprises navigate the SAMA framework family, the NCA framework family, PDPL, ISO 27001 and ISO 22301.