SAMA Cloud Framework: What Financial Institutions in KSA Need to Know in 2026

SAMA Cloud Framework Compliance Guide for KSA Financial Institutions

The Saudi Arabian Monetary Authority has made its position clear. Financial institutions operating in the Kingdom that want to use cloud computing must do so under a specific set of rules. Those rules are not suggestions. They are enforceable requirements that carry real consequences for non-compliance.

The Origin and Scope of the SAMA Cloud Framework

SAMA issued its Cloud Computing Regulatory Framework as part of a broader push to modernize financial infrastructure while maintaining strict oversight of data handling in the financial sector. The framework applies to all entities supervised by SAMA, including commercial banks, insurance companies, finance companies, payment service providers, credit bureaus, and fintech firms.

The Five Core Requirements

Data Classification and Residency. SAMA requires institutions to classify their data according to sensitivity levels. Highly sensitive data must remain within the borders of the Kingdom. This is not a preference. It is a mandate.

Risk Assessment and Due Diligence. Before engaging any cloud service provider, institutions must conduct a thorough risk assessment covering security posture, operational resilience, financial stability, and jurisdictional exposure.

Contractual Safeguards. The framework mandates specific contractual provisions including the right to audit, data breach notification requirements, clear data ownership clauses, and exit strategy provisions.

Operational Resilience. Cloud infrastructure serving financial workloads must meet SAMA’s business continuity and disaster recovery requirements — all within the Kingdom’s borders.

Ongoing Monitoring and Reporting. Institutions must continuously monitor their cloud environments and report material incidents to SAMA within prescribed timeframes.

Where Most Institutions Fall Short

The first gap is jurisdictional exposure through technology partnerships. An institution may contract with a provider that has servers in Riyadh, but if that provider operates on a platform incorporated in a foreign jurisdiction, cross-border legal frameworks could create compliance exposure for sensitive financial data.

The second is incomplete data classification. Many institutions have classified their data at a high level but have not mapped that classification to specific cloud storage locations.

The third is inadequate exit planning. SAMA requires institutions to have a viable exit strategy from their cloud provider.

What a SAMA-Compliant Cloud Architecture Looks Like

The infrastructure operator is not subject to foreign data access laws. The platform is built on open-source technology with no proprietary lock-in. NCA CCC-2 controls are pre-configured. All backup and DR mechanisms operate within the Kingdom. The provider supports full audit transparency.

The Timeline for Action

Financial institutions that have not yet aligned their cloud infrastructure with SAMA’s framework are operating on borrowed time. The framework is not ambiguous. The requirements are published. The enforcement is real.

MomentumX delivers SAMA-compliant sovereign cloud infrastructure for financial institutions in KSA. Our HyperEdge 500 platform is built on OpenStack, operated outside foreign jurisdiction, and pre-configured with NCA CCC-2 controls. Schedule a compliance assessment.
