DORA vs SAMA CSF
DORA
EU regulation for digital operational resilience in finance
SAMA CSF
Saudi regulatory framework for financial cybersecurity.
Quick Verdict
DORA mandates ICT resilience for EU finance via testing and oversight, while SAMA CSF requires maturity-based cybersecurity controls for Saudi banks. Organizations adopt DORA for regulatory compliance amid cyber threats; SAMA CSF for risk management and Vision 2030 digital resilience.
DORA
Regulation (EU) 2022/2554 - Digital Operational Resilience Act
Key Features
- Mandates comprehensive ICT risk management frameworks
- Enforces 4-hour major incident reporting timelines
- Requires triennial threat-led penetration testing (TLPT)
- Oversees critical third-party ICT providers (CTPPs)
- Harmonizes resilience rules across 27 EU states
SAMA CSF
SAMA Cyber Security Framework Version 1.0
Key Features
- Six-level maturity model with Level 3 minimum
- Four domains including third-party security
- Principle-based risk management controls
- Mandatory for Saudi financial institutions
- Board-level governance and CISO requirements
Detailed Analysis
A comprehensive look at the specific requirements, scope, and impact of each standard.
DORA Details
What It Is
Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is an EU-wide regulation enhancing digital resilience against ICT disruptions like cyberattacks for the financial sector. It targets 20 financial entity types and critical ICT third-party providers (CTPPs), using a proactive, risk-based approach to replace fragmented national rules.
Key Components
- **ICT Risk Management FrameworksIdentify, mitigate risks with annual reviews and proportionality.
- **Incident Reporting4-hour initial notifications, 72-hour updates for major incidents (>10% of clients or €100k losses).
- **Resilience TestingAnnual basic tests; triennial threat-led penetration testing (TLPT).
- **Third-Party OversightContractual clauses, monitoring, ESAs supervision of CTPPs. Compliance via reporting, with penalties determined by Member States and up to 1% daily turnover fines for CTPPs.
Why Organizations Use It
Legally mandated for ~22,000 EU entities to mitigate systemic risks, harmonize practices, boost cyber defenses. Drives resilience, stakeholder trust, innovation in tools amid rising threats like ransomware (74% affected).
Implementation Overview
Gap analyses, framework builds, testing programs, vendor due diligence. Applies EU-wide; in full effect since January 17, 2025. Tailored by size; involves RTS compliance, no formal certification but regulatory oversight.
SAMA CSF Details
What It Is
The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF), Version 1.0 (May 2017), is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It prescribes principle-based, outcome-oriented controls across governance and operations to detect, resist, respond to, and recover from cyber threats, using a risk-based maturity model.
Key Components
- Four main domains: Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, Third-Party Cyber Security.
- Numerous subdomains with principles, objectives, and control considerations.
- Six-level maturity model (Level 0-5), minimum Level 3 baseline.
- Aligned with NIST, ISO 27001, PCI-DSS; self-assessment and SAMA audits.
Why Organizations Use It
- Mandatory compliance for banks, insurers, finance firms to avoid penalties.
- Enhances resilience, reduces incidents, improves efficiency.
- Builds trust, enables partnerships, supports Vision 2030 digital growth.
Implementation Overview
- Phased: gap analysis, risk assessment, deployment, monitoring.
- Targets financial sector in Saudi Arabia; board-level governance key.
- Periodic self-assessments; no external certification but SAMA reviews.
Key Differences
| Aspect | DORA | SAMA CSF |
|---|---|---|
| Scope | ICT risk mgmt, incidents, testing, third-party oversight | Governance, risk mgmt, operations/tech, third-party security |
| Industry | EU financial entities (20 types), critical ICT providers | Saudi financial institutions (banks, insurance, fintech) |
| Nature | Mandatory EU regulation, enforced by ESAs | Mandatory framework, enforced via self-assess/audits |
| Testing | Annual basic + triennial TLPT for critical entities | Periodic self-assessments, maturity model levels 0-5 |
| Penalties | Up to 2% global turnover fines | Supervisory actions, remediation, operational restrictions |
Scope
Industry
Nature
Testing
Penalties
Frequently Asked Questions
Common questions about DORA and SAMA CSF
DORA FAQ
SAMA CSF FAQ
You Might also be Interested in These Articles...
Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption
Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris
Image this: What if GDPR would have NOT been implemented by the EU
What if the EU never implemented GDPR? Explore this hypothetical: consumer data protection in Dec 2025, key differences, pros/cons for users & companies. Read t
DORA Third-Party Risk Management: A Consultant’s Guide to Mapping Critical ICT Service Providers in 2026
Navigate DORA's complex third-party risk pillar. Step-by-step consultant guide to identify critical ICT providers, remediate Article 30 contracts, and build the
Run Maturity Assessments with GRADUM
Transform your compliance journey with our AI-powered assessment platform
Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.
Explore More Comparisons
See how DORA and SAMA CSF compare against other standards