[OR] [R] Operational Resilience Related Regulations for Middle East FSI

Written by Moh Heng Goh | May 31, 2026 10:00:09 AM

Introduction

The Middle East does not yet have a single, region-wide operational resilience regulation equivalent to the Bank of England Operational Resilience Framework, Monetary Authority of Singapore Operational Resilience Guidelines, or the EU Digital Operational Resilience Act (DORA). However, several Middle Eastern central banks have incorporated operational resilience requirements into regulations governing operational risk, technology risk, cybersecurity, BCM, and payment systems.

The following are the most significant and explicit operational resilience-related policies and frameworks.

Saudi Arabia – SAMA

SAMA Business Continuity Management Framework

Issued by the Saudi Central Bank (SAMA).

This is currently one of the most comprehensive resilience-related frameworks in the Middle East.

Key Operational Resilience Requirements
  • Critical business services identification
  • Business Impact Analysis (BIA)
  • Recovery strategies
  • Crisis management structure
  • Recovery time objectives (RTO)
  • Recovery point objectives (RPO)
  • Third-party resilience
  • Alternate processing sites
  • Annual testing and exercising
  • Continuous improvement

The framework requires financial institutions to maintain the ability to continue critical operations during disruptions and recover within acceptable timeframes. It effectively moves beyond traditional disaster recovery into operational resilience principles.

United Arab Emirates – Central Bank of UAE (CBUAE)

Operational Risk Regulation

Issued by the Central Bank of the United Arab Emirates.

Operational Resilience Elements

Requires banks to:

  • Establish operational risk governance
  • Define risk appetite and tolerance
  • Manage operational disruptions
  • Monitor operational losses
  • Conduct scenario analysis
  • Maintain resilience against operational failures

The regulation establishes minimum standards for operational risk management to ensure financial sector stability.

Operational Risk Standards

This is the most operational resilience-focused document issued by CBUAE.

Requirements

Banks must:

  • Identify critical processes and systems
  • Assess operational vulnerabilities
  • Monitor resilience capabilities
  • Implement the Three Lines of Defence model
  • Conduct operational risk assessments
  • Evaluate third-party concentration risks
  • Review resilience when introducing new products and technologies

The standards specifically require institutions to assess dependencies on external service providers and technology infrastructure.

Technology Risk and Information Security Regulation

Operational Resilience Requirements

Financial institutions must establish:

  • Cyber resilience frameworks
  • Incident response plans
  • Technology risk management programmes
  • Penetration testing
  • Cyber-attack simulation testing
  • Service recovery capabilities
  • Recovery strategies for critical services

The regulation explicitly requires institutions to identify, protect, detect, respond to, and recover from cyber incidents.

Technology and Specific Risk Management Regulation

Key Resilience Controls

Requires:

  • Technology governance
  • Cyber resilience
  • Incident management
  • Technology risk oversight
  • Independent technology audit

This regulation is closely aligned with international operational resilience principles.

UAE – Payment Services Sector

Retail Payment Services Regulation

Explicit Operational Resilience Controls

The regulation requires payment service providers to maintain:

  • Business continuity programmes
  • Recovery strategies
  • Alternate recovery sites
  • Crisis management protocols
  • Customer communication plans
  • Annual resilience testing
  • Cloud resilience controls
  • Third-party resilience management

Institutions must demonstrate the ability to restore critical payment services during severe disruptions.

Bahrain – Central Bank of Bahrain (CBB)

CBB Rulebook – Business Continuity and Disaster Recovery Requirements

Issued by the Central Bank of Bahrain.

Operational Resilience Requirements

The CBB requires licensees to:

  • Establish BCM programmes
  • Maintain business continuity policies
  • Develop disaster recovery plans
  • Conduct risk identification and reporting
  • Maintain operational recovery capabilities
  • Recover critical services within defined timelines

The rulebook emphasises minimising operational, financial, legal, and reputational impacts arising from disruptions.

Arab Monetary Fund (AMF)

Cyber Resilience Oversight Guidelines for the Arab Financial Sector

Issued by the Arab Monetary Fund.

This is the closest regional framework supporting operational resilience across Arab central banks.

Coverage
  • Cyber resilience governance
  • Resilience oversight
  • Incident management
  • Threat intelligence
  • Crisis response
  • Recovery capabilities
  • Supervisory expectations
  • Third-party risk management

The guidelines encourage Arab regulators and financial institutions to strengthen operational resilience through cyber resilience programmes.

Dubai Financial Services Authority (DFSA)

Operational Efficiency and Resilience Requirements (AMI 5.5)

Issued by the Dubai Financial Services Authority.

Requirements
  • Operational resilience governance
  • Technology risk management
  • Cyber resilience
  • Service continuity
  • Recovery capability
  • Market infrastructure resilience

Applies particularly to financial market infrastructures and regulated entities operating within the DIFC.

Mapping Middle East Policies to Operational Resilience Components

Operational Resilience Component SAMA CBUAE CBB Bahrain AMF DFSA
Critical Business Services Partial Partial Guidance
Dependency Mapping Partial Partial Guidance
Impact Tolerance Emerging Emerging Limited Guidance Emerging
Scenario Testing Guidance
Cyber Resilience ✓✓ ✓✓
Third-Party Risk ✓✓
Crisis Management
Recovery Objectives Partial
Operational Risk Integration ✓✓ Guidance
Board Accountability ✓✓

Most Mature Operational Resilience Regulators in the Middle East

The current leaders in operational resilience regulation are:

  1. Saudi Central Bank (SAMA)
  2. Central Bank of the United Arab Emirates (CBUAE)
  3. Central Bank of Bahrain (CBB)
  4. Dubai Financial Services Authority (DFSA)
  5. Arab Monetary Fund (AMF)

These regulators are increasingly adopting concepts similar to those used by the UK, Singapore, Australia, and the Basel Committee, including critical service identification, dependency mapping, cyber resilience, severe-but-plausible scenario testing, and enterprise-wide operational resilience governance.