What is the primary objective of DORA?

The primary objective of DORA is to strengthen the digital operational resilience of the EU financial sector against ICT disruptions, including cyberattacks, system failures, and third-party risks. Regulation (EU) 2022/2554 mandates proactive ICT risk management, incident reporting, resilience testing, and third-party oversight for 20 types of financial entities and critical ICT third-party providers (CTPPs), applying fully from January 17, 2025.

Who is legally or professionally required to comply with DORA?

DORA legally requires compliance from approximately 22,000 EU-regulated financial entities across 20 types, including credit institutions, insurance undertakings, investment firms, payment institutions, and crypto-asset service providers, plus designated CTPPs. It targets entities with significant ICT dependencies, with proportionality based on size, complexity, and risk exposure.

Does DORA require an external audit or third-party certification?

DORA does not mandate external audits or third-party certification but requires independent digital operational resilience testing, including annual basic tests and triennial threat-led penetration testing (TLPT) for critical entities. Results must be reported to authorities, with testing executable internally or externally, per Batch 2 RTS/ITS published July 17, 2024.

How often should an assessment for DORA be performed?

DORA mandates annual basic ICT resilience testing, such as vulnerability assessments, and triennial advanced TLPT for designated critical entities. ICT risk management frameworks must undergo annual reviews, with testing frequency risk-based and proportional to entity size and criticality.

What are the consequences of non-compliance with DORA?

Non-compliance with DORA incurs administrative fines up to 2% of total global annual turnover for firms or €5 million (or 10% of annual salary) for individuals, imposed by ESAs or competent authorities. Additional remedies include remediation orders, with oversight fees for CTPPs reaching €1 million annually.

Can DORA be mapped to other international frameworks?

Yes, DORA's ICT risk management, incident reporting, testing, and third-party oversight elements can be mapped to other international frameworks, facilitating gap analyses and integrated compliance strategies. Financial entities often align DORA with pre-existing guidelines through structured mappings focused on shared resilience controls.

What is the first step to begin implementing DORA?

The first step to implement DORA is conducting a gap analysis against the ICT risk management framework RTS published January 17, 2024, to identify deficiencies in strategies, policies, and controls. This establishes a comprehensive framework overseen by the management body, tailored proportionally to the entity's size, complexity, and risk profile.

Who is legally or professionally required to comply with SAMA CSF?

SAMA CSF is mandatory for all SAMA-regulated financial institutions in Saudi Arabia. This includes banks, insurance/reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers. All domains apply fully to banks; non-banks have tailored exceptions (e.g., excluding payment systems unless handling cards/SWIFT). Boards, senior management, CISOs, and compliance officers bear accountability, with third-party providers required to enable customer compliance via contracts.

Does SAMA CSF require an external audit or third-party certification?

No, SAMA CSF does not require external audits or third-party certification. Compliance relies on periodic self-assessments using SAMA-provided questionnaires, internal audits by internal audit functions, and SAMA supervisory reviews. Institutions must maintain evidence portfolios (policies, KRIs, maturity assessments) for SAMA audits, with waivers possible via formal processes but no ISO-like certification regime.

How often should an assessment for SAMA CSF be performed?

SAMA CSF requires periodic self-assessments using SAMA questionnaires, typically annually or as triggered by changes. Assessments evaluate maturity (targeting Level 3+), control effectiveness via KPIs/KRIs, and gaps across domains. Additional reviews occur for critical assets (annual), projects, outsourcing, and post-incidents, with results submitted to SAMA for benchmarking and supervisory action.

What are the consequences of non-compliance with SAMA CSF?

Non-compliance with SAMA CSF triggers regulatory enforcement, including remediation demands, elevated scrutiny, and potential operational restrictions. As a SAMA mandate, violations invoke broader supervisory powers: audit findings, mandated remediation plans, business conditions, fines, and reputational damage. High-impact incidents from weak controls risk financial losses, liabilities, and systemic interventions, with boards/senior management accountable.

Can SAMA CSF be mapped to other international frameworks?

Yes, SAMA CSF conceptually aligns with international frameworks like NIST CSF, ISO 27001, PCI-DSS, and BASEL. Its domains map to NIST functions (Identify-Protect-Detect-Respond-Recover), ISO 27001's ISMS, and PCI/SWIFT for payments. No official SAMA mappings exist, but vendor tools enable integrated control sets, reducing duplication for dual-compliance while addressing Saudi-specific requirements (e.g., data residency, e-banking MFA).

What is the first step to begin implementing SAMA CSF?

The first step is securing Board/senior management sponsorship and conducting a gap analysis/maturity assessment. Form a program team, inventory assets, and baseline against SAMA controls and maturity model (Levels 0-5), producing a gap register. This initiation phase (Phase 1) defines scope, RACI, and roadmap, targeting Level 3 minimum via the cyber security documentation pyramid (policy-standards-procedures).

Standards Comparison

DORA vs SAMA CSF

DORA

Mandatory

2023

EU regulation for digital operational resilience in finance

SAMA CSF

Mandatory

2017

Saudi regulatory framework for financial cybersecurity.

Quick Verdict

DORA mandates ICT resilience for EU finance via testing and oversight, while SAMA CSF requires maturity-based cybersecurity controls for Saudi banks. Organizations adopt DORA for regulatory compliance amid cyber threats; SAMA CSF for risk management and Vision 2030 digital resilience.

Digital Operational Resilience

DORA

Regulation (EU) 2022/2554 - Digital Operational Resilience Act

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Mandates comprehensive ICT risk management frameworks
Enforces 4-hour major incident reporting timelines
Requires triennial threat-led penetration testing (TLPT)
Oversees critical third-party ICT providers (CTPPs)
Harmonizes resilience rules across 27 EU states

Cybersecurity

SAMA CSF

SAMA Cyber Security Framework Version 1.0

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model with Level 3 minimum
Four domains including third-party security
Principle-based risk management controls
Mandatory for Saudi financial institutions
Board-level governance and CISO requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

DORA Details

What It Is

Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU-wide regulation enhancing digital resilience against ICT disruptions like cyberattacks for the financial sector. It targets 20 financial entity types and critical ICT third-party providers (CTPPs), using a proactive, risk-based approach to replace fragmented national rules.

Key Components

**ICT Risk Management FrameworksIdentify, mitigate risks with annual reviews and proportionality.
**Incident Reporting4-hour initial notifications, 72-hour updates for major incidents (>5% users or €100k losses).
**Resilience TestingAnnual basic tests; triennial threat-led penetration testing (TLPT).
**Third-Party OversightContractual clauses, monitoring, ESAs supervision of CTPPs. Compliance via reporting, fines up to 2% global turnover.

Why Organizations Use It

Legally mandated for ~22,000 EU entities to mitigate systemic risks, harmonize practices, boost cyber defenses. Drives resilience, stakeholder trust, innovation in tools amid rising threats like ransomware (74% affected).

Implementation Overview

Gap analyses, framework builds, testing programs, vendor due diligence. Applies EU-wide; full effect January 17, 2025. Tailored by size; involves RTS compliance, no formal certification but regulatory oversight.

SAMA CSF Details

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It prescribes principle-based, outcome-oriented controls across governance and operations to detect, resist, respond to, and recover from cyber threats, using a risk-based maturity model.

Key Components

Four main domains: Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, Third-Party Cyber Security.
Numerous subdomains with principles, objectives, and control considerations.
Six-level maturity model (Level 0-5), minimum Level 3 baseline.
Aligned with NIST, ISO 27001, PCI-DSS; self-assessment and SAMA audits.

Why Organizations Use It

Mandatory compliance for banks, insurers, finance firms to avoid penalties.
Enhances resilience, reduces incidents, improves efficiency.
Builds trust, enables partnerships, supports Vision 2030 digital growth.

Implementation Overview

Phased: gap analysis, risk assessment, deployment, monitoring.
Targets financial sector in Saudi Arabia; board-level governance key.
Periodic self-assessments; no external certification but SAMA reviews.

Key Differences

Aspect	DORA	SAMA CSF
Scope	ICT risk mgmt, incidents, testing, third-party oversight	Governance, risk mgmt, operations/tech, third-party security
Industry	EU financial entities (20 types), critical ICT providers	Saudi financial institutions (banks, insurance, fintech)
Nature	Mandatory EU regulation, enforced by ESAs	Mandatory framework, enforced via self-assess/audits
Testing	Annual basic + triennial TLPT for critical entities	Periodic self-assessments, maturity model levels 0-5
Penalties	Up to 2% global turnover fines	Supervisory actions, remediation, operational restrictions

Scope

DORA

ICT risk mgmt, incidents, testing, third-party oversight

SAMA CSF

Governance, risk mgmt, operations/tech, third-party security

Industry

DORA

EU financial entities (20 types), critical ICT providers

SAMA CSF

Saudi financial institutions (banks, insurance, fintech)

Nature

DORA

Mandatory EU regulation, enforced by ESAs

SAMA CSF

Mandatory framework, enforced via self-assess/audits

Testing

DORA

Annual basic + triennial TLPT for critical entities

SAMA CSF

Periodic self-assessments, maturity model levels 0-5

Penalties

DORA

Up to 2% global turnover fines

SAMA CSF

Supervisory actions, remediation, operational restrictions

Frequently Asked Questions

Common questions about DORA and SAMA CSF

DORA FAQ

SAMA CSF FAQ

You Might also be Interested in These Articles...

You Guide on how to Start Implementing NIST CSF in Your Organization

Master NIST CSF implementation in your organization with this detailed guide. Learn core functions, key steps, best practices, and tips for cybersecurity succes

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

Discover 5 ways modern compliance software turns evolving regulations into strategic advantage. Automate monitoring, cut 3x non-compliance costs, stay audit-rea

The Service-Oriented SOC: Leveraging Maturity Assessments to Guarantee SLOs and Operational Predictability

Transform your SOC into a service provider using maturity assessments to standardize workflows, guarantee SLOs, and ensure predictability amid turnover and risi

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how DORA and SAMA CSF compare against other standards

Other DORA Comparisons

Other SAMA CSF Comparisons

What It Is

Key Components

**ICT Risk Management FrameworksIdentify, mitigate risks with annual reviews and proportionality.

**Incident Reporting4-hour initial notifications, 72-hour updates for major incidents (>5% users or €100k losses).

**Resilience TestingAnnual basic tests; triennial threat-led penetration testing (TLPT).

**Third-Party OversightContractual clauses, monitoring, ESAs supervision of CTPPs. Compliance via reporting, fines up to 2% global turnover.

What It Is

Key Components

Four main domains: Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, Third-Party Cyber Security.

Numerous subdomains with principles, objectives, and control considerations.

Six-level maturity model (Level 0-5), minimum Level 3 baseline.

Aligned with NIST, ISO 27001, PCI-DSS; self-assessment and SAMA audits.

Aspect

DORA

SAMA CSF

Scope

ICT risk mgmt, incidents, testing, third-party oversight

Governance, risk mgmt, operations/tech, third-party security

Industry

EU financial entities (20 types), critical ICT providers

Saudi financial institutions (banks, insurance, fintech)

Nature

Mandatory EU regulation, enforced by ESAs

Mandatory framework, enforced via self-assess/audits

Testing

Annual basic + triennial TLPT for critical entities

Periodic self-assessments, maturity model levels 0-5

Penalties

Up to 2% global turnover fines

Supervisory actions, remediation, operational restrictions

DORA vs SAMA CSF

DORA

SAMA CSF

Quick Verdict

DORA

Key Features

SAMA CSF

Key Features

Detailed Analysis

DORA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

SAMA CSF Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

DORA FAQ

What is the primary objective of DORA?

Who is legally or professionally required to comply with DORA?

Does DORA require an external audit or third-party certification?

How often should an assessment for DORA be performed?

What are the consequences of non-compliance with DORA?

Can DORA be mapped to other international frameworks?

What is the first step to begin implementing DORA?

SAMA CSF FAQ

What is the primary objective of SAMA CSF?

Who is legally or professionally required to comply with SAMA CSF?

Does SAMA CSF require an external audit or third-party certification?

How often should an assessment for SAMA CSF be performed?

What are the consequences of non-compliance with SAMA CSF?

Can SAMA CSF be mapped to other international frameworks?

What is the first step to begin implementing SAMA CSF?

You Might also be Interested in These Articles...

You Guide on how to Start Implementing NIST CSF in Your Organization

5 Ways Modern Compliance Software Makes Evolving Regulations Your Strategic Advantage

The Service-Oriented SOC: Leveraging Maturity Assessments to Guarantee SLOs and Operational Predictability

Run Maturity Assessments with GRADUM

Explore More Comparisons

Other DORA Comparisons

Other SAMA CSF Comparisons

DORA vs SAMA CSF

DORA

SAMA CSF

Quick Verdict

DORA

Key Features

SAMA CSF

Key Features

Detailed Analysis

DORA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

SAMA CSF Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

DORA FAQ

What is the primary objective of DORA?

Who is legally or professionally required to comply with DORA?

Does DORA require an external audit or third-party certification?