SAMA Rulebook · Version 1 · January 2022

Cyber Resilience Fundamental Requirements

SAMA's mandatory cyber security baseline for fintechs, sandbox participants and entities applying for a new Saudi financial-sector licence. 24 controls across 3 domains — the minimum threshold before SAMA will grant a licence or approve sandbox graduation.

Total controls: 24
Domains: 3
Effective date: January 2022
Compliance model: Self-assessment
Overview

What is SAMA CRFR?

The SAMA Cyber Resilience Fundamental Requirements is a cyber security framework issued by the Saudi Central Bank (SAMA) in January 2022. It establishes the minimum cyber security and resilience controls that new financial sector entrants must demonstrate before SAMA will approve sandbox graduation or grant a licence to operate.

Unlike the full SAMA Cyber Security Framework (CSF), which has 250 controls assessed on a maturity scale running from level 0 to level 5, the CRFR is a binary self-assessment against 24 controls: each control is either met or not met. It is explicitly designed as a catalyst for early-stage entities to achieve minimum licensing requirements, with the expectation that they progress toward full CSF alignment once licensed and operational.

The framework covers three domains: governance and leadership, operations and technology (the largest domain at 16 controls), and resilience. It targets senior management, information asset owners and heads of cyber security at fintech entities, payment service providers and sandbox participants.

At a glance
Issuer: Saudi Central Bank (SAMA)
Version: 1.0 (January 2022)
Applies to: Fintech · Sandbox · New licences
Controls: 24 across 3 domains
Assessment: Self-assessment + SAMA audit rights
Compliance: Mandatory for licence / sandbox exit
Next step: SAMA CSF (post-licence)
Official SAMA Rulebook
Scope

Who must comply with SAMA CRFR?

SAMA Regulatory Sandbox entities

Any entity accepted into the SAMA Regulatory Sandbox must demonstrate CRFR compliance as part of the sandbox programme requirements.

New licence applicants

Entities applying for a new SAMA licence — fintech, payment services, money exchange — must satisfy CRFR before a licence will be granted.

Fintech companies

Saudi-based and foreign fintechs entering the Saudi financial market that require SAMA authorisation to operate payment or lending services.

Payment service providers

PSPs seeking initial authorisation under SAMA's payment services regulations must clear the CRFR baseline as a licensing prerequisite.

Money exchange entities

New entrants to Saudi Arabia's money exchange sector who are in the licensing pipeline and have not yet received a full SAMA licence.

Not: established SAMA licensees

Entities already holding a SAMA licence and subject to the full supervisory framework are governed by SAMA CSF — not CRFR.

Control library

All 24 CRFR controls

The complete CRFR control set across all three domains. References are from the official SAMA Rulebook (Ver 1, 2022).

Domain 3.1

Cyber Security Leadership and Governance

6 controls
3.1.1 Governance structure

Establish a governance structure with clear roles, responsibilities and resource allocation for cyber security and resilience.

3.1.2 Policies and procedures

Develop, approve and communicate cyber security policies and procedures that align with SAMA requirements and the entity's risk appetite.

3.1.3 Periodic policy review

Review and update policies periodically, and whenever there is a material change in the threat landscape or the business operating model.

3.1.4 Cyber integration into business

Integrate cyber security into business operating models, product development lifecycles and outsourcing arrangements.

3.1.5 Password policy

Implement and enforce a strong password policy covering complexity, length, rotation, history and prohibition of shared credentials.
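Control 3.1.5 names the rule categories (complexity, length, rotation, history) but, at least on this page, no thresholds. The following is an added example of how those rules are enforced in code, not SAMA text and not GRC Vantage code. The numeric values (12-character minimum, three character classes, five-password history, 90-day rotation) and the PBKDF2 iteration count are assumptions to be replaced by the entity's approved policy. The history check works against salted hashes rather than stored passwords, which is the part teams most often get wrong. The prohibition on shared credentials is a provisioning rule (one account per person) and is not something a validator can enforce.

```python
"""Password-policy enforcement in the spirit of CRFR 3.1.5 (added example, not SAMA text)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy parameters: assumptions for this example, not values stated by CRFR.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3          # of: upper, lower, digit, symbol
HISTORY_DEPTH = 5                  # previous credentials a user may not reuse
MAX_AGE_SECONDS = 90 * 24 * 3600   # rotation period
PBKDF2_ITERATIONS = 200_000        # kept modest so the example runs quickly; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_errors(password: str, username: str = "") -> list[str]:
    """Return the policy rules a candidate password violates (empty list means acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    classes = sum(bool(re.search(p, password)) for p in patterns)
    if classes < MIN_CHARACTER_CLASSES:
        errors.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if username and username.lower() in password.lower():
        errors.append("contains the username")
    return errors


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    changed_at: float                      # epoch seconds of the last rotation
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest) of past passwords

    def is_expired(self, now: float) -> bool:
        """Rotation rule: the credential is overdue once it is older than MAX_AGE_SECONDS."""
        return now - self.changed_at > MAX_AGE_SECONDS

    def reuses_previous(self, candidate: str) -> bool:
        """History rule: re-derive the candidate under each stored salt and compare in constant time."""
        for salt, digest in [(self.salt, self.digest)] + self.history:
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                return True
        return False


def new_account(username: str, password: str, now: float) -> Account:
    errors = complexity_errors(password, username)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), now)


def change_password(account: Account, candidate: str, now: float) -> list[str]:
    """Apply every rule; rotate the credential only when all of them pass."""
    errors = complexity_errors(candidate, account.username)
    if account.reuses_previous(candidate):
        errors.append(f"matches the current password or one of the last {HISTORY_DEPTH}")
    if errors:
        return errors
    account.history.insert(0, (account.salt, account.digest))
    del account.history[HISTORY_DEPTH:]          # keep only the most recent HISTORY_DEPTH entries
    account.salt = os.urandom(16)                # fresh salt per rotation
    account.digest = hash_password(candidate, account.salt)
    account.changed_at = now
    return []


if __name__ == "__main__":
    acct = new_account("alice", "Initial-Pass-2024!", now=0.0)
    print(change_password(acct, "Initial-Pass-2024!", now=10.0))   # history violation
    print(change_password(acct, "Second-Pass-2024!", now=20.0))    # accepted
```

Because the history is kept as (salt, digest) pairs, checking a candidate costs one PBKDF2 derivation per stored entry; keep HISTORY_DEPTH small or the password-change endpoint becomes a denial-of-service target.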

3.1.6 IT / cyber risk assessments

Conduct comprehensive IT and cyber risk assessments with centralised documentation, and review findings against the entity's risk appetite.

Domain 3.2

Cyber Security Operations and Technology

16 controls
3.2.1 Identity and access management

Implement identity and access management processes based on least-privilege and need-to-know principles, including privileged access controls.

3.2.2 Change management

Establish a change management process that includes security requirements, testing, approval and rollback procedures for all system changes.

3.2.3 Network architecture and segmentation

Design and maintain a secure network architecture with appropriate segmentation to isolate sensitive systems and limit lateral movement.

3.2.4 Cryptography

Apply cryptography and encrypted communications for data at rest and in transit, using industry-standard protocols and key management practices.

3.2.5 Vulnerability assessments

Conduct periodic vulnerability assessments across infrastructure, applications and third-party components, and remediate findings within defined timelines.

3.2.6 Penetration testing

Perform penetration testing at minimum twice annually across all critical systems and customer-facing applications.

3.2.7 Patch management

Implement a patch management process with defined timelines for critical, high and medium-severity patches across all systems and software.

3.2.8 Secure SDLC

Embed security into the software development lifecycle, including threat modelling, secure coding standards and application shielding techniques.

3.2.9 Brand protection monitoring

Monitor for brand abuse, phishing domains, impersonation and fraudulent use of the entity's name, logo or products.

3.2.10 Endpoint security

Deploy antivirus, anti-malware and mobile device encryption on all endpoints, with centralised management and automated signature updates.

3.2.11 Security log collection and retention

Collect security logs from all critical systems and retain them for a minimum of one year to support incident investigation and forensic analysis.

3.2.12 SIEM integration

Integrate log sources into a Security Information and Event Management (SIEM) system to enable correlation, alerting and threat detection.

3.2.13 Continuous security monitoring

Operate continuous security monitoring with defined detection use-cases, alert thresholds and escalation paths for security events.

3.2.14 Incident management

Establish and test an incident management process covering detection, containment, eradication, recovery, lessons-learned and post-incident review.

3.2.15 Session management

Configure session timeouts so that inactive sessions do not exceed five minutes, and enforce re-authentication after session expiry.

3.2.16 Mandatory SAMA incident reporting

Report medium-severity and above cyber, fraud and disruptive incidents to SAMA within defined notification timelines.

Domain 3.3

Resilience

2 controls
3.3.1 BCP and DRP

Define, document and periodically test a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) covering critical systems and services.

3.3.2 Backup and restoration

Implement encrypted backups with offline storage capability, and regularly test restoration procedures to verify recovery point and time objectives are met.

Framework comparison

SAMA CRFR vs SAMA CSF

CRFR is the entry point; CSF is the destination. Understanding the relationship is essential for fintechs planning their compliance roadmap.

Dimension | SAMA CRFR | SAMA CSF
Scope | Fintechs, sandbox entities, new licence applicants | All SAMA-supervised entities (licensed)
When it applies | Pre-licence / during sandbox period | Post-licence, ongoing supervision
Controls | 24 controls across 3 domains | 250 controls across 4 domains
Assessment model | Binary: compliant or not | Maturity scale, level 0 to level 5
Assessment method | Self-assessment + SAMA audit rights | Self-assessment + SAMA inspection
Enforcement | SAMA can refuse licence / sandbox graduation | SAMA supervisory action, findings, ratings
Third-party scope | Basic outsourcing references | Dedicated Third-Party Security domain
Resilience | BCP, DRP and backup (2 controls) | Full BCMS and DR within Operations domain
Progression | Starting point: minimum threshold | Destination: ongoing maturity improvement
Official document | SAMA Rulebook Ver 1 (2022) | SAMA CSF Ver 1.0 (2017, updated)

Most SAMA-supervised fintechs will operate CRFR controls for 12–24 months before undertaking a formal SAMA CSF gap assessment. GRC Vantage maps CRFR controls to their SAMA CSF equivalents so evidence collected under CRFR is reused — not duplicated — when you progress.

Platform

How GRC Vantage helps with SAMA CRFR

01

Pre-built CRFR control library

All 24 CRFR controls are pre-loaded with requirement text, evidence prompts and ownership templates. Assign controls to team members and track completion status in real time.

02

Self-assessment workflow

Generate the SAMA CRFR self-assessment questionnaire directly from your control status. One-click export to the submission format SAMA expects from sandbox and licence applicants.

03

CRFR → CSF progression map

Every CRFR control is pre-mapped to its SAMA CSF equivalent. Evidence you collect during CRFR automatically carries forward — so your CSF gap assessment starts from a running position, not zero.

FAQ

Frequently asked questions

What is the SAMA Cyber Resilience Fundamental Requirements (CRFR)?

The SAMA CRFR is a cyber security framework issued by the Saudi Central Bank in January 2022. It sets the minimum cyber resilience controls that fintech entities, SAMA Regulatory Sandbox participants and entities seeking a new SAMA licence must demonstrate before they can graduate from the sandbox or receive a licence to operate in Saudi Arabia's financial sector.

Who is required to comply with SAMA CRFR?

The CRFR applies specifically to entities in the SAMA Regulatory Sandbox and entities applying for a new licence to operate in Saudi Arabia's financial sector — including fintechs, payment service providers, money exchange companies and other SAMA-supervised start-ups. Established entities already licensed under SAMA's full supervisory framework are governed by the SAMA Cyber Security Framework (CSF) instead.

How does SAMA CRFR differ from SAMA CSF?

CRFR is the on-ramp; CSF is the destination. CRFR has 24 controls across 3 domains and uses a binary self-assessment model. It is the minimum threshold new entities must clear to obtain a SAMA licence. SAMA CSF has 250 controls across 4 domains and uses a maturity model with levels from 0 to 5. Once a CRFR entity is fully licensed and operational, it is expected to progress toward full CSF compliance.

How is compliance with SAMA CRFR assessed?

SAMA CRFR uses a self-assessment model. Entities complete a questionnaire against each of the 24 controls and submit it to SAMA. SAMA reserves the right to review the self-assessment and to conduct independent audits at any time. Failure to demonstrate compliance can result in SAMA refusing the sandbox graduation or licence application.

What happens after CRFR — do I need to move to SAMA CSF?

Yes. CRFR is explicitly described as a foundational baseline to enable entities to meet minimum licensing requirements, with the expectation that entities progress toward full SAMA CSF alignment as they mature. Most entities transitioning from sandbox to full licence are expected to begin their CSF maturity roadmap within the first year of operation.

Does CRFR overlap with NCA ECC?

Some controls overlap — particularly in identity and access management, network security, logging and incident response — but the frameworks serve different regulators and populations. NCA ECC is issued by the National Cybersecurity Authority and applies to government entities and critical national infrastructure. SAMA CRFR is issued by the Saudi Central Bank and applies exclusively to SAMA-supervised financial-sector entities. A Saudi fintech may be subject to both if it is also designated as critical infrastructure.

Get started

Clear SAMA CRFR. Progress to CSF. One platform.

GRC Vantage is built for Saudi fintechs navigating SAMA's compliance journey — from CRFR self-assessment through to full CSF maturity. Saudi data residency, Arabic and English support, Riyadh and Dammam offices.