
Innovation

SAMA CSF Compliance Requirements for Business Continuity in 2026


Mahesh Chandran

CEO Dataring

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF) has been the regulatory backbone of cybersecurity governance for financial institutions in the Kingdom since its introduction. But the events of March 2026, when drone strikes physically destroyed AWS data centers in the UAE and Bahrain, have fundamentally changed what "business continuity compliance" means for every bank, insurer, and fintech operating under SAMA's jurisdiction.

This guide breaks down the specific SAMA CSF requirements that apply to business continuity and disaster recovery, explains what regulators are expected to tighten in the wake of the March 2026 attacks, and provides a practical roadmap for financial institutions that need to move from compliance on paper to resilience in practice. For the full technical context, read our comprehensive guide to cloud disaster recovery in the Middle East.

What SAMA CSF Requires for Business Continuity

SAMA CSF is organized around cybersecurity domains that span the full lifecycle of information security governance. The business continuity requirements are distributed across several domains, but the core mandates can be distilled into four obligations.

Annual BCM Testing

SAMA CSF requires financial institutions to conduct annual Business Continuity Management (BCM) testing. This is not a suggestion or a best practice recommendation. It is a binding regulatory requirement. The testing must include tabletop exercises with executive participation and technical simulations that validate actual recovery capabilities. Organizations that conduct only discussion-based walkthroughs without technical failover validation are not meeting the spirit of the requirement.

Board-Level Governance

Business continuity is not an IT function under SAMA CSF. It is a board-level governance obligation. The framework requires that the board of directors is directly involved in approving business continuity strategies, reviewing test results, and overseeing the organization's overall resilience posture. Board members must be able to demonstrate that they understand the organization's exposure and have approved the mitigation strategy.

Incident Response and Recovery

SAMA CSF mandates documented incident response procedures that cover detection, containment, eradication, and recovery. Financial institutions must demonstrate that they can detect a cyber incident, contain its spread, eliminate the threat, and restore normal operations within defined timeframes. The framework requires that these procedures are tested regularly and updated based on lessons learned.

Third-Party Risk Management

Financial institutions that rely on cloud service providers, SaaS platforms, or managed service providers must extend their business continuity requirements to those third parties. SAMA CSF requires that organizations assess the resilience of their critical third-party dependencies and ensure that contractual agreements include business continuity commitments. After March 2026, this extends to understanding what happens when the cloud provider's physical infrastructure is destroyed.

What Changes After March 2026

The March 2026 strikes did not violate any existing SAMA CSF requirements because the framework was written before kinetic attacks on cloud infrastructure were a realistic scenario. However, regulators across the GCC are expected to accelerate updates to their business continuity mandates. For Saudi financial institutions, this means several likely changes.

Multi-Region DR Will Become Mandatory

Current SAMA CSF requirements do not explicitly mandate multi-region disaster recovery. They require "adequate" recovery capabilities, which most institutions have interpreted as multi-AZ deployments within a single cloud region. After the March 2026 strikes demonstrated that multi-AZ provides zero protection against regional physical destruction, regulators are expected to require geographic dispersion beyond a single cloud region. Financial institutions should begin planning multi-region architectures now rather than waiting for the regulatory update.

Kinetic Threat Modeling Will Be Expected

Traditional SAMA CSF compliance testing has focused on cyber scenarios: ransomware, data breaches, DDoS attacks, and insider threats. Going forward, regulators are expected to require that business continuity tests include physical infrastructure scenarios, such as the total loss of a primary cloud region. Organizations that can demonstrate they have already conducted Level 4 Chaos + Conflict simulations will be ahead of the compliance curve.

Data Residency Exception Frameworks

Saudi data residency requirements create a tension with geographic dispersion: data must remain in the Kingdom, but the Kingdom's cloud infrastructure may be physically destroyed. Financial institutions will need to work with SAMA to establish pre-approved exception frameworks that permit emergency cross-border data migration during a declared crisis. This is a legal and regulatory exercise, not a technical one, and it must be completed before a crisis occurs.

How to Achieve Compliance That Actually Protects You

There is a meaningful difference between SAMA CSF compliance on paper and resilience in practice. Many financial institutions have documented business continuity plans that technically satisfy the regulatory checklist but would fail catastrophically under real-world conditions. The gap between documented compliance and actual survival capability is where risk lives.

Start with a Business Impact Analysis

A proper Business Impact Analysis (BIA) quantifies the financial and operational consequences of disruption to each business process. The BIA output determines which systems are Tier 0 (zero downtime tolerance), Tier 1 (hours of downtime acceptable), and Tier 2 (days of downtime acceptable). This classification drives every subsequent architecture decision and ensures that resilience investment is concentrated where it matters most.

Match Architecture to Tier

Once workloads are classified, match each tier to the appropriate disaster recovery architecture pattern. Tier 0 core banking and payment systems require active-active multi-region architecture with synchronous replication and sub-minute RTO. Tier 1 systems can use hub-and-spoke DR with immutable backups and 4-hour RTO. Tier 2 systems need basic cross-region backup with longer recovery windows.
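The BIA tiering and the tier-to-architecture matching described above, as an added example in Python that is not part of the original article or of Dataring's own tooling. It assumes tier cut-offs of 0 seconds, under 24 hours, and 24 hours or more (chosen to fit "zero", "hours" and "days" in the text), constructed region labels rather than real provider region ids, and constructed sample workloads; `classify`, `assess`, `Workload` and `Region` are this example's own names. It also folds in the residency point from the data residency section above, flagging a DR region outside the Kingdom that has no pre-approved exception on file.

```python
"""Added example: map BIA downtime tolerance to resilience tiers and check a
proposed DR deployment against the tier's architecture pattern.
Tier cut-offs, field names, region labels and sample workloads are
assumptions for illustration, not text from SAMA CSF."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    TIER0 = 0   # zero downtime tolerance
    TIER1 = 1   # hours of downtime acceptable
    TIER2 = 2   # days of downtime acceptable


def classify(max_tolerable_downtime_s: int) -> Tier:
    """BIA output -> tier. Cut-offs (0 s, under 24 h, 24 h or more) are an
    assumption chosen to match 'zero', 'hours' and 'days'."""
    if max_tolerable_downtime_s <= 0:
        return Tier.TIER0
    if max_tolerable_downtime_s < 24 * 3600:
        return Tier.TIER1
    return Tier.TIER2


@dataclass(frozen=True)
class Region:
    name: str      # constructed label, not a real cloud provider region id
    country: str   # ISO country code; "SA" means inside the Kingdom


@dataclass
class Workload:
    name: str
    max_tolerable_downtime_s: int
    regions: tuple[Region, ...]
    availability_zones: int
    replication: str             # "synchronous" | "asynchronous" | "backup"
    immutable_backups: bool
    rto_s: int                   # recovery time objective in seconds
    cross_border_exception: bool = False  # pre-approved residency exception on file


def assess(w: Workload) -> list[str]:
    """Return the gaps between the workload's tier and its deployment.
    An empty list means the deployment matches the tier's pattern."""
    tier = classify(w.max_tolerable_downtime_s)
    gaps: list[str] = []
    distinct_regions = {r.name for r in w.regions}

    # Every tier needs dispersion beyond one region: multiple AZs inside a
    # single region do not survive physical loss of that region.
    if len(distinct_regions) < 2:
        gaps.append(f"single region ({w.availability_zones} AZs): "
                    "no protection against regional loss")

    if tier is Tier.TIER0:
        # Active-active multi-region, synchronous replication, sub-minute RTO.
        if w.replication != "synchronous":
            gaps.append("Tier 0 requires synchronous multi-region replication")
        if w.rto_s >= 60:
            gaps.append(f"Tier 0 requires sub-minute RTO, deployment has {w.rto_s}s")
    elif tier is Tier.TIER1:
        # Hub-and-spoke DR with immutable backups and a 4-hour RTO.
        if not w.immutable_backups:
            gaps.append("Tier 1 requires immutable backups")
        if w.rto_s > 4 * 3600:
            gaps.append(f"Tier 1 requires RTO <= 4h, deployment has {w.rto_s}s")
    # Tier 2: cross-region backup is sufficient; the region check above covers it.

    # Data residency: a DR region outside the Kingdom needs an exception
    # framework agreed with the regulator before a crisis, not during one.
    if any(r.country != "SA" for r in w.regions) and not w.cross_border_exception:
        gaps.append("DR region outside KSA without pre-approved residency exception")
    return gaps


# Constructed sample regions and workloads (assumptions, not real deployments).
RIYADH = Region("ksa-central", "SA")
JEDDAH = Region("ksa-west", "SA")
FRANKFURT = Region("eu-central", "DE")

SAMPLE_WORKLOADS = [
    Workload("payment-gateway", 0, (RIYADH,), 3, "synchronous", True, 30),
    Workload("core-banking", 0, (RIYADH, JEDDAH), 3, "synchronous", True, 45),
    Workload("crm", 4 * 3600, (RIYADH, FRANKFURT), 2, "asynchronous", True, 2 * 3600),
    Workload("reporting-warehouse", 3 * 24 * 3600, (RIYADH, JEDDAH), 1, "backup", True, 24 * 3600),
]


def gap_report(workloads=SAMPLE_WORKLOADS) -> dict[str, list[str]]:
    """Workload name -> list of gaps, for the board-facing summary."""
    return {w.name: assess(w) for w in workloads}


if __name__ == "__main__":
    for name, gaps in gap_report().items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

On the sample data, the payment gateway is flagged because three AZs in one region still leave it exposed to regional loss, and the CRM is flagged because its DR region sits outside the Kingdom with no exception on file; core banking and the reporting warehouse match their tiers.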

Test Beyond the Checklist

Annual BCM testing should go beyond the minimum SAMA CSF requirement. Financial institutions should aim for at least Level 2 (Component Failover) testing annually, with Level 3 (Full Region Failover) every two years and Level 4 (Chaos + Conflict Simulation) at least once. The organizations that have completed Level 4 testing are the ones that will survive the next event on the scale of March 2026.

Document for the Board

Board-level governance requires that test results, risk assessments, and resilience strategies are documented in language that directors can understand and act on. This means translating technical RTO and RPO metrics into business impact terms: "If our payment gateway goes down for 4 hours, we lose an estimated X million in transactions and face Y regulatory penalties." The board must be able to make informed decisions about resilience investment based on quantified risk.

NCA ECC-2: The Broader Context

SAMA CSF applies specifically to financial institutions, but Saudi Arabia's National Cybersecurity Authority Essential Cybersecurity Controls (NCA ECC-2) applies to all government entities and critical infrastructure operators. Organizations that fall under both SAMA CSF and NCA ECC-2 must satisfy the more stringent requirement in each domain. ECC-2 is broader in scope and includes additional requirements around supply chain security, operational technology protection, and national critical infrastructure resilience.

For organizations navigating the intersection of SAMA CSF and NCA ECC-2, the practical approach is to build a unified resilience program that meets the highest standard across both frameworks rather than maintaining separate compliance tracks.

Getting Started

Dataring's BCDR consulting practice works with financial institutions across the GCC to build business continuity programs that exceed SAMA CSF requirements while delivering actual resilience against the post-March 2026 threat landscape. Our engagements begin with a complimentary Readiness Assessment that maps your current compliance posture against both the existing framework and the expected regulatory tightening.

Get in touch to schedule your assessment. For definitions of the technical terms used in this guide, see our BCDR glossary.