List of Major Guidelines, Policies, Frameworks, Regulations, and Standards issued by Central Banks and Monetary Authorities in the Middle East
Business Continuity Management (BCM), Operational Resilience (OR), Cybersecurity, Technology Risk Management (TRM), Operational Risk, and Crisis Management.
Introduction
Below is a consolidated list of major guidelines, policies, frameworks, regulations, and standards issued by Central Banks and Monetary Authorities in the Middle East, particularly those related to Business Continuity Management (BCM), Operational Resilience (OR), Cybersecurity, Technology Risk Management (TRM), Operational Risk, and Crisis Management.
Saudi Arabia
Saudi Central Bank (SAMA)
Business Continuity Management Framework (BCM Framework)
Issued by SAMA for all regulated financial institutions.
Key areas:
- BCM Governance
- Business Impact Analysis (BIA)
- Risk Assessment
- Recovery Strategies
- Crisis Management
- BCM Testing and Exercising
- Third-Party Resilience
- Continuous Improvement
The framework establishes minimum BCM requirements for all member organizations.
Cyber Security Framework
Key domains include:
- Cyber Governance
- Cyber Defense
- Cyber Resilience
- Third-Party Security
- Security Operations Centres (SOC)
- Incident Management
Operational Risk Management Requirements
Aligned with:
- Basel II
- Basel III
- Basel Committee Principles
United Arab Emirates (UAE)
Central Bank of the UAE
Operational Risk Regulation
Establishes minimum standards for operational risk management.
Focus areas:
- Operational Risk Governance
- Risk Appetite
- Risk Identification
- Monitoring and Reporting
- Loss Event Management
- Scenario Analysis
Operational Risk Standards
Requirements include:
- Business Continuity Policies
- Recovery Time Objectives (RTO)
- Recovery Point Objectives (RPO)
- Annual Testing Requirements
- Board Oversight
Technology Risk and Information Security Regulation
Covers:
- Technology Risk Management
- Cybersecurity Governance
- Information Security
- API Security
- Incident Response
- Cyber Resilience
Disaster Recovery and Business Continuity Management Requirements
Key requirements:
- Business Impact Analysis
- Alternate Recovery Sites
- Recovery Strategies
- Crisis Management
- Annual BCP Testing
- Management Review
Cyber Risk and Operational Resilience Framework
Major domains:
- Cyber Governance
- Cyber Risk Management
- Security Operations
- Incident Management
- Third-Party Risk
- Operational Resilience
- Regulatory Reporting
Retail Payment Services and Card Schemes Regulation
Includes:
- Technology Risk Management
- Cyber Incident Response
- BCM Requirements
- Disaster Recovery
- Penetration Testing
- Cyber-Attack Simulation Testing
Qatar
Qatar Central Bank
Information Security Risk Management Framework
Key requirements:
- Cybersecurity Governance
- Data Protection
- Security Operations
- Incident Response
- Vendor Risk Management
Business Continuity Management Guidelines
Focus areas:
- BCM Governance
- BIA
- Disaster Recovery
- Crisis Management
- Testing and Exercising
Operational Risk Management Framework
Aligned with:
- Basel Standards
- Enterprise Risk Management
- Operational Risk Reporting
Bahrain
Central Bank of Bahrain
Operational Risk Module (OM)
Part of the CBB Rulebook.
Includes:
- Operational Risk Governance
- Internal Controls
- Risk Reporting
- Outsourcing Risk
- Business Continuity
Cybersecurity and Information Security Requirements
Focus:
- Cyber Risk Management
- Security Governance
- Incident Reporting
- Third-Party Security
Business Continuity and Disaster Recovery Requirements
Key elements:
- BCM Programme
- Crisis Management
- Recovery Planning
- Testing and Validation
Oman
Central Bank of Oman
Risk Management Guidelines
Includes:
- Operational Risk
- Technology Risk
- Information Security
- Business Continuity
Cybersecurity Framework for the Banking Sector
Focus areas:
- Cyber Governance
- Threat Intelligence
- Incident Management
- Security Monitoring
BCM and Disaster Recovery Guidelines
Requirements include:
- BIA
- Recovery Strategies
- Alternate Sites
- Crisis Communications
Kuwait
Central Bank of Kuwait
Information Security and Cybersecurity Framework
Key domains:
- Cyber Governance
- Cyber Defense
- Security Monitoring
- Incident Response
Operational Risk Management Instructions
Coverage:
- Operational Risk Governance
- Key Risk Indicators (KRIs)
- Risk Reporting
- Loss Event Management
Business Continuity Management Requirements
Includes:
- BCP Development
- Testing and Exercising
- Recovery Site Management
- Crisis Management
Jordan
Central Bank of Jordan
Cybersecurity Framework
Key requirements:
- Security Governance
- Security Operations
- Cyber Resilience
- Third-Party Risk Management
BCM and Disaster Recovery Regulations
Areas covered:
- BCM Governance
- BIA
- Recovery Objectives
- Testing Programmes
Egypt
Central Bank of Egypt
Cybersecurity Framework for Banks
Focus:
- Information Security Governance
- Security Operations
- Incident Response
- Cyber Resilience
Operational Risk Framework
Requirements:
- Operational Risk Policies
- Scenario Analysis
- Risk Monitoring
- Internal Controls
Business Continuity and Disaster Recovery Guidelines
Coverage:
- BCM Governance
- Recovery Strategies
- Crisis Management
- Testing and Exercising
Regional Arab Banking Guidance
Arab Monetary Fund
Cyber Resilience Oversight Guidelines for the Arab Financial Sector
A regional guideline supporting Arab central banks and financial institutions.
Key areas:
- Cyber Governance
- Cyber Resilience
- Incident Response
- Threat Intelligence
- Third-Party Risk
- Supervisory Oversight
Common Regulatory Themes Across Middle East Central Banks
Most Middle East regulators are increasingly aligning with:
- Basel Committee on Banking Supervision Operational Risk Principles
- Financial Stability Board Operational Resilience Principles
- International Organisation for Standardisation ISO 22301 (Business Continuity Management)
- International Organisation for Standardisation ISO 27001 (Information Security)
- National Institute of Standards and Technology Cybersecurity Framework
- CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI)
Increasingly, regulators are requiring institutions to:
- Identify Critical Business Services (CBS).
- Map interdependencies and interconnections.
- Establish impact tolerances.
- Conduct severe-but-plausible scenario testing.
- Strengthen cyber resilience.
- Manage third-party and cloud risks.
- Demonstrate operational resilience rather than only disaster recovery capabilities.
For operational resilience benchmarking, the most mature and detailed regulatory frameworks in the Middle East currently come from the Saudi Central Bank (SAMA) and the Central Bank of the UAE, particularly in BCM, cyber resilience, operational risk, and technology risk management.
Learn more about Blended Learning OR-300 [BL-OR-3] and OR-5000 [BL-OR-5]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
