26 documents · All GCC

Risk Management Regulations in the GCC

Model risk management, operational risk, financial stability frameworks, and supervisory risk guidance from GCC central banks and financial regulators.

UAE (7) · Saudi Arabia (8) · Bahrain (5) · Qatar (4) · Kuwait (2)

UAE · 7 documents

guidance · DFSA

DFSA Cyber Risk Management Guidelines

The DFSA Cyber Risk Management Guidelines provide best practices for firms to establish a robust cyber risk management framework and strengthen system security, reliability, resiliency, and recoverability. These guidelines are principle-based and encourage firms to implement a framework consistent with the G7 Fundamental Elements of Cybersecurity for the Financial Sector. The DFSA will consider these guidelines in future risk assessments.

cyber risk management · cybersecurity · incident response · governance

guidance · CBUAE

Guidance on Digital Identification for Customer Due Diligence

This CBUAE guidance assists licensed financial institutions (LFIs) in understanding and performing their obligations related to Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) when using digital identification for Customer Due Diligence (CDD). It outlines the use of digital ID systems for CDD, associated risks, and how to assess the reliability of these systems.

Digital Identification · Customer Due Diligence · AML/CFT · Risk Management

guidance · CBUAE

Guidance on Risks Related to Virtual Assets and Virtual Asset Providers

This CBUAE guidance outlines the risks associated with virtual assets (VAs) and virtual asset service providers (VASPs) and provides instructions for Licensed Financial Institutions (LFIs) on mitigating money laundering and terrorist financing (ML/TF) risks. It details the process for LFIs to obtain CBUAE's non-objection for opening new accounts for VASPs and managing VA-related customer transactions.

Virtual Assets · VASPs · AML/CFT · Risk Management

guidance · ADGM · 2024

Information Technology Risk Management Guidance 20241120

This ADGM guidance outlines principles for effective Information Technology Risk Management. It provides a framework for establishing a strong IT control environment, covering governance, risk management, third-party oversight, compliance, and system lifecycle management. The guidance aims to help organizations manage IT risks and ensure alignment with business objectives.

IT Risk Management · Governance · Third-Party Risk

guidance · ADGM · 2023

Effective Management of Climate-related Financial Risks Guidance 20231004

This guidance from the UAE Sustainable Finance Working Group, issued by ADGM, outlines principles for the effective management of climate-related financial risks. It aims to support the UAE's economic transition and the adoption of sustainable finance, aligning with national initiatives like the UAE Green Agenda and the Net Zero by 2050 Strategic Initiative. The guidance provides a framework for financial institutions to integrate climate considerations into their operations.

Climate Risk · Financial Risk Management · Sustainable Finance · ESG

guidance · CBUAE

Model Management Guidance — AI/ML Model Risk

This CBUAE guidance outlines principles for managing risks associated with AI/ML models used by financial institutions. It provides specific guidance on various model types, including rating, PD, LGD, macro, interest rate risk, and net present value models. The document emphasizes governance, data analysis, model construction, validation, and monitoring.

model risk management · AI governance · financial modeling

regulation · VARA

VARA Compulsory Rulebook — Lending and Borrowing Services

This document, issued by the Dubai Virtual Assets Regulatory Authority (VARA), outlines the rules for Virtual Asset Service Providers (VASPs) licensed to conduct Lending and Borrowing Services in Dubai. It supplements the Virtual Assets and Related Activities Regulations 2023 and other VARA rulebooks, establishing specific requirements for these services.

virtual assets · lending and borrowing · regulatory compliance · risk management

Saudi Arabia · 8 documents

guidance · NCA

Cloud Cybersecurity Controls Implementation Guide for CSPs

This document, the "Cloud Cybersecurity Controls Implementation Guide for CSPs (GCCC-CSP)", provides guidance to Cloud Service Providers (CSPs) on implementing cybersecurity controls. It outlines a structure of cybersecurity domains and subdomains, offering implementation guidance to enhance the security posture of CSPs operating within Saudi Arabia.

Cloud Security · Cybersecurity Governance · Risk Management · Access Management

guidance · NCA

Cloud Cybersecurity Controls Implementation Guide for CSTs

This document, titled "Cloud Cybersecurity Controls Implementation Guide for CSTs (GCCC-CST)," provides guidance on implementing cloud cybersecurity controls for cloud service tenants in Saudi Arabia. It outlines objectives, scope, and applicability, covering various cybersecurity domains and their structure to ensure a secure cloud environment. The guide aims to help tenants understand and implement necessary security measures.

Cloud Security · Cybersecurity Governance · Risk Management · Access Management

guidance · NCA

Critical Systems Cybersecurity Controls Implementation Guidelines

This document provides guidelines for implementing cybersecurity controls for critical systems in Saudi Arabia. It outlines general guidelines and specific controls related to cybersecurity governance, risk management, and resilience. The document aims to help organizations protect their critical systems from cyber threats and ensure business continuity.

cybersecurity · risk management · critical infrastructure · governance

framework · NCA · 2024

Essential Cybersecurity Controls (ECC-2: 2024)

The Essential Cybersecurity Controls (ECC-2: 2024) framework, issued by the National Cybersecurity Authority (NCA) of Saudi Arabia, provides a set of cybersecurity controls. It aims to protect organizations from cyber threats and ensure compliance with national cybersecurity standards. The Arabic version of the document is the binding language.

cybersecurity · risk management · compliance

guidance · NCA

Guide to Essential Cybersecurity Controls (ECC) Implementation

This document, issued by the National Cybersecurity Authority (NCA) of Saudi Arabia, provides guidance for organizations on implementing the Essential Cybersecurity Controls (ECC). It serves as an illustrative model to help organizations meet ECC requirements, while emphasizing the need to consider their unique environments. The document outlines the ECC domains and structure to aid in implementation.

cybersecurity controls · risk management · regulatory compliance

framework · NCA · 2022

Operational Technology Cybersecurity Controls (OTCC-1: 2022)

The Operational Technology Cybersecurity Controls (OTCC-1: 2022) framework, issued by the National Cybersecurity Authority (NCA) in Saudi Arabia, establishes cybersecurity controls for Industrial Control Systems (ICS). It aims to address the increasing cyber threats targeting these systems and provides a structured approach to implementing and monitoring cybersecurity measures within the Kingdom.

Operational Technology · Cybersecurity · Industrial Control Systems · Risk Management

framework · SAMA

SAMA Cyber Security Framework

The SAMA Cyber Security Framework provides guidance and controls for regulated entities in Saudi Arabia to establish robust cyber security governance, infrastructure, and detective/preventive controls. It aims to ensure that the Saudi Arabian Banking, Insurance, and Financing Companies sectors can effectively manage and withstand cyber security threats through a common approach and maturity assessment.

cyber security · risk management · governance · maturity assessment

framework · NCA · 2021

Telework Cybersecurity Controls (TCC-1: 2021)

The Telework Cybersecurity Controls (TCC-1: 2021) framework, issued by the NCA in Saudi Arabia, establishes cybersecurity requirements for telework systems to mitigate increasing threats and cyber risks associated with remote work environments. It aims to promote economic development and productivity by enabling secure telework practices in accordance with Saudi Arabian laws. The Arabic version of the document is the binding version.

cybersecurity · telework · risk management · compliance

Bahrain · 5 documents

strategy · NCSC · 2025

Bahrain National Cybersecurity Strategy 2025–2028

The Bahrain National Cybersecurity Strategy 2025-2028 outlines the Kingdom's approach to strengthening its cybersecurity landscape. It aims to support national development and enhance global competitiveness by addressing cybersecurity threats and promoting digital transformation. The strategy focuses on building cyber resilience, governance, collaboration, awareness, workforce development, research, and innovation.

cybersecurity · digital transformation · national security · risk management

regulation · CBB · 2024

CBB Rulebook Vol. 6 — Crypto-Asset Module (CRA) 2024

The CBB Rulebook Vol. 6, Crypto-Asset Module (CRA) 2024, outlines the regulatory framework for crypto-asset services in Bahrain. It covers licensing requirements, minimum capital, business standards, technology governance, cybersecurity, risk management, and reporting obligations for entities engaged in crypto-asset activities. The module aims to ensure the stability and integrity of the crypto-asset market and protect consumers.

crypto-asset regulation · licensing · cybersecurity · risk management

framework · NCSC · 2023

Bahrain NCSC National Cybersecurity Risk Management Framework 2023

The Bahrain National Cybersecurity Risk Management Framework (NCSC-RMF-0001) by the National Cybersecurity Center (NCSC) provides a structured approach to managing information security risks across the nation. It outlines a comprehensive methodology for risk assessment, treatment, monitoring, and governance, aiming to enhance cybersecurity posture. The framework serves as the authoritative reference for risk management in Bahrain.

risk management · cybersecurity · information security

regulation · PDPA · 2022

Bahrain PDPA Order No. 43 of 2022 — Technical and Organisational Measures

Bahrain's Order No. 43 of 2022 outlines the technical and organizational measures required to ensure the protection of personal data, as mandated by the Personal Data Protection Law No. 30 of 2018. It details specific actions data controllers must take to maintain an adequate level of data security during processing activities. The order emphasizes proactive privacy measures and risk mitigation.

data protection · privacy by design · data security · risk management

regulation · CBB · 2021

CBB Rulebook Vol. 4 — Cyber Security Risk Management Module

This Central Bank of Bahrain (CBB) regulation outlines requirements for cyber security risk management for investment firms. It mandates a robust framework to manage cyber security risks and vulnerabilities, including a cyber security strategy, policy, and risk management approach. The regulation aims to ensure the protection of financial institutions and their customers from cyber threats.

cyber security · risk management · investment firms · board responsibilities

Qatar · 4 documents

regulation · QFCRA · 2019

The Anti-Money Laundering and Combating the Financing of Terrorism Rules 2019

The Anti-Money Laundering and Combating the Financing of Terrorism Rules 2019 (AML/CFTR) outlines the obligations of firms in Qatar to establish and maintain robust AML/CFT programs. These rules are designed to prevent financial institutions and other designated businesses from being used for money laundering or terrorist financing activities, ensuring compliance with Law No. (20) of 2019.

AML · CFT · Risk-Based Approach · Compliance

regulation · QFCRA · 2019

The Anti-Money Laundering and Combating the Financing of Terrorism Rules 2019

The Anti-Money Laundering and Combating the Financing of Terrorism Rules 2019 (AML/CFTR) outlines the obligations of firms in the Qatar Financial Centre (QFC) to combat money laundering and terrorism financing. It establishes key AML/CFT principles, defines key terms, and specifies the responsibilities of firms, senior management, and the Money Laundering Reporting Officer (MLRO). The rules also emphasize a risk-based approach to AML/CFT.

AML · CFT · Risk-based approach · Compliance

regulation · QFCRA · 2019

The Anti-Money Laundering and Combating the Financing of Terrorism (General Insurance) Rules 2019

The Anti-Money Laundering and Combating the Financing of Terrorism (General Insurance) Rules 2019 (AMLG) outlines the obligations of general insurance firms operating within the Qatar Financial Centre (QFC) regarding AML/CFT. It establishes key principles, responsibilities, and procedures for firms to detect, prevent, and report money laundering and terrorist financing activities.

AML/CFT · General Insurance · Risk-Based Approach · Customer Due Diligence

regulation · QFCRA · 2019

The Anti-Money Laundering and Combating the Financing of Terrorism (General Insurance) Rules 2019

The Anti-Money Laundering and Combating the Financing of Terrorism (General Insurance) Rules 2019 (AMLG) outlines the obligations of general insurance firms operating within the Qatar Financial Centre (QFC) regarding AML/CFT. It establishes key principles and responsibilities for firms, senior management, and the Money Laundering Reporting Officer (MLRO) to prevent financial crime.

AML/CFT · General Insurance · Risk-Based Approach · KYC

Kuwait · 2 documents

framework · CBK · 2020

CBK Cybersecurity Framework for the Kuwaiti Banking Sector 2020

The CBK Cybersecurity Framework for the Kuwaiti Banking Sector 2020 outlines requirements for regulated entities to improve their cyber resilience and manage cyber risks. It aims to protect information and financial assets, promote cooperation, and standardize information sharing within the banking sector. The framework is intended to guide the banking sector in effectively managing imminent cyber risks.

cybersecurity · risk management · banking regulation

strategy · CITRA · 2020

Kuwait National Cybersecurity Strategy 2017–2020

The Kuwait National Cybersecurity Strategy 2017-2020, issued by CITRA, outlines Kuwait's approach to cybersecurity, acknowledging the increasing cyber risks and threats facing the country. It aims to promote the security of national critical infrastructure and information, reduce cyber risks, and ensure a reliable and secure cyber environment for the government, private sector, and individuals.

cybersecurity · critical infrastructure · risk management
AI-generated summaries only. Arabic originals are legally binding. This is not legal advice.