
SAMA Cloud Compliance Checklist for Financial Institutions 2026
May 16, 2026
By the MomentumX Compliance Team · Updated May 2026 · 15 min read
Why This Checklist Matters in 2026
SAMA’s Cloud Framework has been in force for several years, but 2026 marks a significant escalation in enforcement intensity. SAMA’s supervisory teams are conducting cloud infrastructure audits with greater frequency, requesting detailed technical evidence of compliance controls, and scrutinizing the data residency and vendor management practices of licensed financial institutions at a level of depth not seen in previous audit cycles.
Several factors drive this escalation:
- Digital banking growth: The rapid expansion of Saudi neobanks, open banking APIs, and BNPL services has created significant new cloud infrastructure deployed without rigorous compliance frameworks.
- AI adoption: Financial institutions are deploying AI for credit scoring, fraud detection, and customer service automation. SAMA is now specifically examining whether AI workloads comply with the same data residency and vendor management requirements as traditional cloud services.
- Cross-border data flow scrutiny: SAMA has increased focus on identifying financial data processed on infrastructure outside the Kingdom, including management plane data, telemetry, and analytics pipelines that may route through non-Saudi infrastructure.
- Vision 2030 digitization: As more critical financial services move to digital-first delivery models, the risk surface of non-compliant cloud deployments has grown proportionally.
How to Use This Checklist
For each control area, assess your organization’s current status: Compliant (controls implemented and documented), Partial (controls partially implemented or evidence incomplete), or Gap (controls not yet implemented). For items marked Gap or Partial, the recommended action column identifies the specific remediation required.
The 12-Area SAMA Cloud Compliance Checklist
1. Cloud Strategy and Governance
| Control Requirement | Status | Notes |
|---|---|---|
| Formal cloud strategy approved by board or senior management | ☐ Compliant ☐ Partial ☐ Gap | SAMA requires documented board-level approval of cloud strategy |
| Cloud risk appetite defined and integrated into enterprise risk framework | ☐ Compliant ☐ Partial ☐ Gap | Risk appetite must address data residency, concentration, and third-party risks |
| Cloud services inventory maintained and kept current | ☐ Compliant ☐ Partial ☐ Gap | All cloud services including AI/SaaS must be catalogued with risk classification |
| Cloud committee or governance body with defined mandate | ☐ Compliant ☐ Partial ☐ Gap | Must include representatives from IT, Risk, Compliance, and Business |
2. Data Classification and Residency
| Control Requirement | Status | Notes |
|---|---|---|
| Data classification policy covers all cloud-processed data | ☐ Compliant ☐ Partial ☐ Gap | Must classify: Customer PII, Financial transaction data, Credential data, Internal operational data |
| Sensitive financial data stored exclusively within the Kingdom of Saudi Arabia | ☐ Compliant ☐ Partial ☐ Gap | Bahrain, UAE, and other Gulf states do NOT satisfy this requirement |
| Data residency verified at storage, compute, and management plane levels | ☐ Compliant ☐ Partial ☐ Gap | Management plane (e.g., cloud console, monitoring) must also reside in-Kingdom |
| Data residency contractually guaranteed by cloud provider | ☐ Compliant ☐ Partial ☐ Gap | SLA and contract must explicitly commit to in-Kingdom data processing |
| Cross-border data transfer restrictions documented and enforced | ☐ Compliant ☐ Partial ☐ Gap | Any approved transfers must have documented legal basis and SAMA notification |
3. Cloud Provider Due Diligence
| Control Requirement | Status | Notes |
|---|---|---|
| Pre-engagement due diligence completed for all cloud providers | ☐ Compliant ☐ Partial ☐ Gap | Must cover: financial stability, security certifications, data residency capabilities, regulatory compliance posture |
| Cloud provider’s security certifications reviewed (ISO 27001, SOC 2, CSA STAR) | ☐ Compliant ☐ Partial ☐ Gap | Certificates must be current and cover the specific services in use |
| Annual due diligence refresh process in place | ☐ Compliant ☐ Partial ☐ Gap | Provider risk must be reassessed at least annually and upon material changes |
| Concentration risk assessed across cloud providers | ☐ Compliant ☐ Partial ☐ Gap | SAMA requires assessment of systemic risk from over-reliance on a single provider |
4. Contractual Requirements
| Control Requirement | Status | Notes |
|---|---|---|
| Cloud service agreements include SAMA-required clauses | ☐ Compliant ☐ Partial ☐ Gap | Required clauses: data residency, audit rights, incident notification, exit provisions |
| Right to audit contractually guaranteed | ☐ Compliant ☐ Partial ☐ Gap | SAMA must be able to audit provider; institution must have audit rights |
| Incident notification SLA defined in contract | ☐ Compliant ☐ Partial ☐ Gap | SAMA requires timely notification of security incidents affecting regulated data |
| Exit and data portability provisions included | ☐ Compliant ☐ Partial ☐ Gap | Must allow data recovery and migration within defined timeframes upon contract termination |
5. Identity and Access Management
| Control Requirement | Status | Notes |
|---|---|---|
| Multi-factor authentication enforced for all cloud administrative access | ☐ Compliant ☐ Partial ☐ Gap | MFA must cover both institutional admin users and cloud provider admin access |
| Privileged access management (PAM) implemented for cloud environments | ☐ Compliant ☐ Partial ☐ Gap | All privileged cloud access must be session-recorded and time-limited |
| Cloud provider personnel have zero standing access to customer environments | ☐ Compliant ☐ Partial ☐ Gap | Provider engineers should not have persistent access; access should be just-in-time with customer approval |
| User access reviews conducted quarterly for all cloud environments | ☐ Compliant ☐ Partial ☐ Gap | Access certifications must be documented and retained for audit |
6. Encryption and Key Management
| Control Requirement | Status | Notes |
|---|---|---|
| All regulated financial data encrypted at rest and in transit | ☐ Compliant ☐ Partial ☐ Gap | AES-256 for data at rest; TLS 1.2 or higher for data in transit, as a minimum |
| Customer-managed encryption keys implemented (BYOK) | ☐ Compliant ☐ Partial ☐ Gap | Provider-managed keys are a common gap — SAMA requires customer key control for sensitive data |
| Hardware Security Module (HSM) used for key storage | ☐ Compliant ☐ Partial ☐ Gap | HSM must be in-Kingdom; HSM-as-a-service on foreign infrastructure does not qualify |
| Encryption key rotation policy implemented | ☐ Compliant ☐ Partial ☐ Gap | Annual rotation minimum; automated rotation preferred |
7. Security Monitoring and Incident Response
| Control Requirement | Status | Notes |
|---|---|---|
| 24/7 security monitoring of all cloud environments | ☐ Compliant ☐ Partial ☐ Gap | SIEM integration with cloud environment logs mandatory |
| Cloud incident response plan documented and tested | ☐ Compliant ☐ Partial ☐ Gap | Tabletop exercise at minimum annually; live drill preferred |
| Immutable audit logs retained for minimum 5 years | ☐ Compliant ☐ Partial ☐ Gap | Logs must be tamper-evident and stored in-Kingdom |
| SAMA notification process defined for material security incidents | ☐ Compliant ☐ Partial ☐ Gap | Notification within 72 hours for significant incidents |
8. Business Continuity and Disaster Recovery
| Control Requirement | Status | Notes |
|---|---|---|
| BCP/DR plan covers cloud environment failure scenarios | ☐ Compliant ☐ Partial ☐ Gap | Cloud-specific scenarios must be explicitly addressed in BCP |
| RTO and RPO defined for all critical cloud-hosted systems | ☐ Compliant ☐ Partial ☐ Gap | Core banking: RTO typically 4 hours or less; RPO typically 1 hour or less |
| DR environment physically located within Saudi Arabia | ☐ Compliant ☐ Partial ☐ Gap | DR replication to foreign regions is subject to same data residency rules as primary |
| Annual BCP/DR test with cloud failover scenario documented | ☐ Compliant ☐ Partial ☐ Gap | Test evidence required for audit |
9. AI and Emerging Technology Controls
| Control Requirement | Status | Notes |
|---|---|---|
| AI workloads inventoried and risk-classified | ☐ Compliant ☐ Partial ☐ Gap | AI services often overlooked in cloud inventory reviews |
| AI workloads processing regulated data run on in-Kingdom infrastructure | ☐ Compliant ☐ Partial ☐ Gap | ChatGPT, Azure OpenAI, AWS Bedrock do not satisfy this requirement for regulated financial data |
| AI model governance policy in place | ☐ Compliant ☐ Partial ☐ Gap | Must address model risk, explainability requirements, and regulatory disclosure |
| Training data for fine-tuned models stored and processed in-Kingdom | ☐ Compliant ☐ Partial ☐ Gap | Fine-tuning on foreign infrastructure using regulated data is a SAMA violation |
10. Exit and Portability
Ensure your cloud architecture supports exit without vendor lock-in. Key requirements: documented exit plan with timeline and data recovery procedures, data portability in open formats contractually guaranteed, and annual exit plan review and testing.
11. Staff Awareness and Training
Provide cloud security training for all staff with cloud access (at least annually) and specialized training for cloud administrators and security teams, and maintain training records for audit purposes.
12. Regulatory Reporting
Maintain a documented process for notifying SAMA of material cloud adoption changes, report new cloud providers added to the inventory through the appropriate channels, and keep annual cloud risk assessment results available for regulatory review.
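Several of the checklist items above (data residency across all three planes in area 2, the encryption and key-management floors in area 6, log immutability and retention in area 7, and DR residency in area 8) can be evaluated mechanically from a cloud inventory, which is the evidence SAMA auditors ask for. The Python script below is an added illustration of that policy-as-code approach; it is not MomentumX's code or tooling. The region identifiers, the inventory fields, and the three sample systems are constructed assumptions, and the Compliant / Partial / Gap mapping follows "How to Use This Checklist" above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed region identifiers for this example only; real provider region
# names come from the provider's contract and documentation (assumption).
IN_KINGDOM_REGIONS = {"ksa-riyadh-1", "ksa-dammam-1"}
REGULATED_CLASSES = {"customer_pii", "financial_transaction", "credential"}
MIN_TLS_VERSION = (1, 2)        # area 6: TLS 1.2 or higher in transit
MAX_KEY_AGE_DAYS = 365          # area 6: annual rotation minimum
MIN_LOG_RETENTION_YEARS = 5     # area 7: immutable logs kept at least 5 years
ASSESSMENT_DATE = date(2026, 5, 16)   # constructed assessment date


@dataclass
class CloudResource:
    name: str
    data_class: str               # from the area 2 classification policy
    storage_region: str
    compute_region: str
    management_region: str        # console / monitoring plane (area 2)
    key_owner: str                # "customer" (BYOK) or "provider"
    hsm_region: Optional[str]     # where the key material is actually held
    key_rotated_on: date
    tls_min: Tuple[int, int]
    log_retention_years: int
    log_immutable: bool
    dr_region: Optional[str]      # None when no DR environment exists


def in_kingdom(region: Optional[str]) -> bool:
    return region in IN_KINGDOM_REGIONS


def check_resource(r: CloudResource, today: date) -> Dict[str, str]:
    """Map each evaluated control to Compliant / Partial / Gap for one resource."""
    f: Dict[str, str] = {}

    # Area 2: residency must hold at storage, compute AND management plane.
    # In-Kingdom data with a foreign management plane is the classic Partial finding.
    if in_kingdom(r.storage_region) and in_kingdom(r.compute_region):
        f["2.residency"] = "Compliant" if in_kingdom(r.management_region) else "Partial"
    else:
        f["2.residency"] = "Gap"

    # Area 6: transport encryption floor.
    f["6.tls"] = "Compliant" if r.tls_min >= MIN_TLS_VERSION else "Gap"

    # Area 6: customer-controlled keys held in an in-Kingdom HSM.
    if r.key_owner != "customer":
        f["6.keys"] = "Gap"                      # provider-managed keys
    elif in_kingdom(r.hsm_region):
        f["6.keys"] = "Compliant"
    else:
        f["6.keys"] = "Partial"                  # BYOK, but HSM abroad does not qualify

    # Area 6: rotation age against the annual minimum.
    key_age_days = (today - r.key_rotated_on).days
    f["6.rotation"] = "Compliant" if key_age_days <= MAX_KEY_AGE_DAYS else "Gap"

    # Area 7: tamper-evident logs with the retention floor.
    checks = [r.log_immutable, r.log_retention_years >= MIN_LOG_RETENTION_YEARS]
    f["7.logs"] = "Compliant" if all(checks) else ("Partial" if any(checks) else "Gap")

    # Area 8: DR copy is subject to the same residency rule as primary.
    if r.dr_region is None:
        f["8.dr"] = "Partial"                    # no DR environment defined at all
    else:
        f["8.dr"] = "Compliant" if in_kingdom(r.dr_region) else "Gap"
    return f


def run_checklist(resources: List[CloudResource], today: date) -> Dict[str, Dict[str, str]]:
    """Evaluate only resources holding regulated data; returns {resource name: findings}."""
    return {r.name: check_resource(r, today)
            for r in resources if r.data_class in REGULATED_CLASSES}


def gap_count(report: Dict[str, Dict[str, str]]) -> int:
    return sum(1 for findings in report.values() for s in findings.values() if s == "Gap")


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    CloudResource("core-banking-db", "financial_transaction",
                  "ksa-riyadh-1", "ksa-riyadh-1", "ksa-riyadh-1",
                  "customer", "ksa-riyadh-1", date(2026, 1, 10), (1, 2), 7, True, "ksa-dammam-1"),
    CloudResource("fraud-scoring-api", "customer_pii",
                  "ksa-riyadh-1", "ksa-riyadh-1", "eu-frankfurt-1",
                  "provider", None, date(2024, 3, 1), (1, 0), 5, False, "bh-manama-1"),
    CloudResource("internal-wiki", "internal",
                  "eu-frankfurt-1", "eu-frankfurt-1", "eu-frankfurt-1",
                  "provider", None, date(2025, 9, 1), (1, 2), 1, False, None),
]


def sample_report() -> Dict[str, Dict[str, str]]:
    return run_checklist(SAMPLE_INVENTORY, ASSESSMENT_DATE)


if __name__ == "__main__":
    report = sample_report()
    for name, findings in report.items():
        print(name)
        for control, status in findings.items():
            print(f"  {control:12} {status}")
    print(f"total Gap findings: {gap_count(report)}")
```

Two design points carry over to a real inventory: the resource is gated on its data classification first, so that the internal wiki hosted abroad is not reported as a residency gap (area 2 requires classifying before judging residency), and the management plane is checked separately from storage and compute because that is where the most common Partial finding hides.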
How MomentumX Addresses These Requirements
MomentumX’s sovereign cloud platform is purpose-designed to help Saudi financial institutions satisfy the most critical and difficult SAMA Cloud Framework requirements:
- In-Kingdom data residency guaranteed by contract and architecture: All data — stored, computed, and managed — remains within Saudi Arabia’s borders. MomentumX provides contractual data residency commitments for SAMA audit documentation.
- BYOK with in-Kingdom HSM: MomentumX supports customer-managed encryption keys with Hardware Security Modules physically located within Saudi Arabia, satisfying the encryption and key management requirements that most cloud providers cannot meet for KSA.
- Zero standing access architecture: MomentumX operations staff follow just-in-time access procedures with session recording, satisfying SAMA’s privileged access management requirements.
- In-Kingdom AI infrastructure: MomentumX HyperAI provides GPU AI compute within Saudi Arabia, enabling financial institutions to deploy AI for fraud detection, credit scoring, and customer analytics without routing regulated data outside the Kingdom.
- Audit rights and compliance documentation: MomentumX provides the contractual audit rights, compliance evidence packages, and architectural documentation that SAMA assessments require.
- In-Kingdom DR: MomentumX’s DRaaS platform provides disaster recovery infrastructure physically located within Saudi Arabia, satisfying SAMA’s requirement that DR environments meet the same data residency standards as primary environments.
Frequently Asked Questions
What is the SAMA Cloud Framework and who does it apply to?
The SAMA Cloud Framework is a regulatory guideline issued by the Saudi Arabian Monetary Authority that governs how licensed financial institutions in Saudi Arabia adopt and manage cloud services. It applies to all SAMA-licensed entities including banks, insurance companies, exchange houses, payment service providers, fintechs, and investment firms. The framework covers cloud strategy governance, vendor due diligence, data classification and residency, security controls, business continuity, and exit requirements.
Does AWS or Azure satisfy SAMA Cloud Framework requirements?
For workloads involving sensitive Saudi financial data, global hyperscalers face significant structural challenges in satisfying SAMA requirements. AWS’s nearest region is Bahrain — a separate sovereign jurisdiction that does not satisfy Saudi in-Kingdom data residency requirements. Azure’s nearest region is in Dubai. Neither AWS nor Azure operates infrastructure physically within the Kingdom of Saudi Arabia. For SAMA-compliant cloud, Saudi financial institutions require providers with in-Kingdom infrastructure, such as MomentumX, which operates sovereign cloud and AI infrastructure physically located in Saudi Arabia.
What are the most common SAMA cloud compliance gaps?
Based on industry experience, the most common SAMA compliance gaps in 2026 are: (1) data residency verification — particularly for management plane and AI workloads; (2) provider-managed encryption keys rather than customer BYOK with in-Kingdom HSM; (3) AI workloads using foreign-hosted APIs without SAMA review; (4) inadequate audit rights provisions in cloud service agreements; (5) DR environments located outside Saudi Arabia.
How quickly can MomentumX help a financial institution achieve SAMA compliance?
MomentumX’s sovereign cloud infrastructure is pre-configured to align with SAMA Cloud Framework requirements. Enterprises migrating from non-compliant cloud infrastructure to MomentumX typically achieve the core data residency, encryption, and access control requirements within 30–60 days of deployment, with full compliance documentation available within 90 days. MomentumX’s 14-day POC allows technical and compliance teams to validate the platform against their specific SAMA requirements before commitment.
Ready to Close Your SAMA Cloud Compliance Gaps?
MomentumX delivers sovereign cloud infrastructure purpose-built for Saudi financial institutions — in-Kingdom data residency, BYOK with HSM, zero standing access, and AI infrastructure that stays within the Kingdom. Talk to our compliance team today.
Ready to move to sovereign cloud?
MomentumX provides sovereign cloud infrastructure across Egypt, KSA, and UAE with full SAMA, NCA, and PDPL compliance. Your data stays in your country.