The CMA Digital Assets Sandbox processed its 19th applicant in February 2026, with a cumulative graduation rate of 37% and an average time-to-license of 14 months. Launched in January 2024 as part of the broader CMA Digital Assets Regulatory Framework, the sandbox has become the primary entry point for domestic and international firms seeking to offer tokenized securities services in Saudi Arabia. The SAR 1M minimum capital requirement — roughly one-tenth of the full licensing threshold — has attracted applicants ranging from Saudi fintech startups to global financial institutions.
Eligibility Criteria
The CMA evaluates sandbox applications against five core criteria:
Innovation Criterion: The proposed product or service must demonstrate genuine innovation in Saudi capital markets. The CMA defines innovation as either a new product not currently available in the Kingdom, a significant improvement over existing services, or the application of technology (specifically distributed ledger technology) to reduce costs or improve access. Me-too products with minimal differentiation from licensed incumbents are rejected at the pre-screening stage.
Regulatory Need: The applicant must explain why existing CMA licenses are insufficient for the proposed activity. This requirement filters out entities that could operate under conventional securities licenses but seek to use the sandbox as a faster licensing path.
Consumer Benefit: A documented assessment of how Saudi investors or capital market participants will benefit from the proposed service. The CMA has rejected applications where benefits accrue primarily to the applicant rather than to market participants.
Technical Readiness: A working prototype or minimum viable product must be demonstrated. The CMA does not accept applications based solely on business plans or concept papers. The prototype must demonstrate core functionality on an approved blockchain protocol or present a credible plan for protocol approval.
Risk Management: A comprehensive risk assessment covering technology risk, operational risk, financial crime risk, and investor protection risk. The assessment must include specific mitigation strategies for each identified risk.
Pre-Screening Process
Before formal application, prospective sandbox participants undergo a pre-screening meeting with CMA’s Digital Assets Division. This 2-hour session covers:
- Presentation of the proposed digital asset product or service
- Preliminary assessment of regulatory fit
- Identification of any immediate disqualifying factors
- Discussion of the expected sandbox timeline and resource requirements
The pre-screening has an approximately 60% pass-through rate. Common reasons for pre-screening failure include insufficient technical readiness, lack of clear innovation differentiation, and proposed activities that fall outside CMA’s digital asset jurisdiction (for example, payment tokens that belong under SAMA’s regulatory remit). The CMA Digital Assets Sandbox operates alongside the longer-established CMA FinTech Lab, which has issued 68 experimental permits since its 2017 launch, with 36 companies currently operational and 5 graduated to full licensing. Meanwhile, SAMA’s separate Regulatory Sandbox has permitted 50 fintechs to date with 25 currently enrolled, using an “Always Open” model since 2022 that accepts applications year-round rather than in fixed cohorts.
Application Documentation
Formal sandbox applications require:
- Business Plan — 3-year financial projections, market analysis, and competitive positioning within the Saudi digital asset landscape
- Technology Architecture Document — Detailed technical specifications including blockchain protocol selection, smart contract design, infrastructure topology, and security architecture
- Governance Framework — Board composition, management structure, compliance function design, and conflict of interest policies
- Risk Management Framework — Comprehensive risk register with mitigation strategies, incident response plans, and business continuity procedures
- Testing Plan — Detailed plan for the three sandbox phases including test scenarios, success criteria, user recruitment strategy, and reporting commitments
- Financial Resources Evidence — Proof of SAR 1M minimum capital and projections for meeting full licensing capital requirements upon graduation
- Key Personnel CVs — Qualifications and experience of all senior management, technology leads, and compliance officers
- Legal Opinions — Saudi legal counsel opinion on the regulatory classification of the proposed digital asset, and where applicable, Sharia compliance assessment
The CMA processes formal applications within 60 business days of receipt of complete documentation. Approximately 40% of applications require additional information requests, extending the timeline by 20-30 days on average.
Three-Phase Sandbox Structure
Phase 1: Controlled Testing (6-12 months)
Operating parameters:
- Maximum 100 end users
- Maximum SAR 5M in cumulative transaction volume
- Weekly reporting to CMA including: transaction volumes, user feedback, technology incidents, compliance metrics
- CMA observer rights to all platform data and user interactions
- Mandatory exit interviews with all test users upon phase completion
Phase 1 success criteria:
- Zero critical security incidents
- User satisfaction score above 70% (measured by CMA-standardized survey)
- Full compliance with all sandbox conditions
- Demonstration of core product functionality as described in the application
Phase 2: Expanded Operations (6-12 months)
Operating parameters:
- Maximum 1,000 end users
- Maximum SAR 50M in cumulative transaction volume
- Monthly reporting (replacing weekly)
- CMA audit rights exercisable with 48-hour notice
- Requirement to demonstrate compliance with full licensing standards on a best-efforts basis
Phase 2 success criteria:
- Scalability demonstration under increased volume
- Operational resilience during at least one CMA-simulated stress scenario
- Compliant AML/CFT monitoring with zero unresolved suspicious activity reports
- Audited financial statements demonstrating path to profitability or sustainable funding
Phase 3: Pre-License Assessment (3-6 months)
Operating parameters:
- No user or volume restrictions
- Enhanced CMA monitoring including real-time data feeds
- Full compliance with all applicable CMA regulations required
- Comprehensive CMA assessment against license criteria
Phase 3 assessment covers:
- Complete technology audit by CMA-appointed assessors
- Governance and compliance framework review
- Financial sustainability assessment
- Custody arrangements review (if applicable)
- Sharia compliance verification (for Islamic digital asset products)
- Client onboarding and KYC/AML process review
Graduation to Full License
Sandbox entities that successfully complete all three phases receive a recommendation from CMA’s Digital Assets Division for full license issuance. The full license application — submitted during Phase 3 — is expedited compared to direct license applications, with typical processing time of 2-3 months versus 6-12 months for non-sandbox applicants.
Key transitions from sandbox to full license:
- Capital must be increased to the full licensing minimum (varies by license category from SAR 2M to SAR 100M)
- Insurance coverage must be obtained per CMA requirements
- Technology infrastructure must be scaled to production standards with full disaster recovery capabilities
- All sandbox testing restrictions are removed
- Regular CMA supervision replaces enhanced sandbox monitoring
Sandbox Exit Without License
Three entities have exited the sandbox without proceeding to full license:
Voluntary Withdrawal (2 entities): Both withdrew during Phase 1 after determining that the full licensing capital requirements exceeded their fundraising capacity. One entity subsequently obtained a license in Bahrain as an alternative.
CMA-Directed Exit (1 entity): Removed from the sandbox during Phase 2 for persistent AML/CFT compliance failures. The entity’s digital asset activities in Saudi Arabia are permanently prohibited under current CMA rules.
International Applicant Considerations
International firms applying to the CMA sandbox must:
- Establish a Saudi-domiciled legal entity (or commit to do so within 90 days of sandbox admission)
- Appoint at least one Saudi-national senior executive
- Demonstrate that Saudi user data will be processed and stored within the Kingdom
- Provide home-jurisdiction regulatory references
- Accept CMA jurisdiction for all disputes arising from sandbox activities
Seven of the 19 sandbox participants to date have been international firms, primarily from the UAE, Singapore, and the United Kingdom. The CMA has noted that international applicants generally have shorter Phase 1 durations (averaging 7 months versus 10 months for domestic firms) due to prior regulatory experience, but similar Phase 2 and Phase 3 timelines.
Fees and Costs
| Fee Category | Amount |
|---|---|
| Pre-Screening Meeting | Free |
| Sandbox Application Fee | SAR 50,000 |
| Annual Sandbox Participation Fee | SAR 100,000 |
| Phase Transition Assessment | SAR 25,000 per phase |
| Full License Application (post-sandbox) | SAR 200,000 |
| Protocol Approval Assessment | SAR 500,000 (if new protocol required) |
Total cost from application to full license, excluding capital requirements and insurance: approximately SAR 500,000-700,000 over 14-18 months. When combined with technology development, staff, and legal costs, total sandbox-to-license investment typically ranges from SAR 3M to SAR 8M.
The CMA has indicated plans to introduce a reduced-fee pathway for Saudi-domiciled startups backed by Fintech Saudi accelerator programs, expected to launch in Q3 2026.
FATF Compliance Integration
Saudi Arabia’s FATF membership, secured in 2019, directly shapes sandbox requirements. All sandbox participants must demonstrate FATF-compliant AML/CFT procedures from Phase 1 onward, including beneficial ownership verification, transaction monitoring, and suspicious transaction reporting. The FATF’s 2024 mutual evaluation of Saudi Arabia rated the Kingdom’s digital asset regulatory framework as “largely compliant,” providing international validation of the sandbox’s compliance standards.
Sandbox participants testing tokenized securities with cross-border elements must additionally demonstrate compliance with the FATF travel rule, using CMA-approved infrastructure such as TRISA or OpenVASP. The CMA’s bilateral cooperation agreements with 11 international regulators enable real-time information sharing about sandbox participants’ compliance performance, creating a cross-border supervisory network that strengthens the sandbox’s integrity.
Sandbox Performance Metrics
The CMA publishes aggregate sandbox performance data quarterly, providing market transparency:
| Metric | Q1 2025 | Q2 2025 | Q3 2025 | Q4 2025 | Q1 2026 |
|---|---|---|---|---|---|
| Active participants | 14 | 16 | 17 | 18 | 19 |
| New admissions | 3 | 2 | 2 | 1 | 1 |
| Graduations | 0 | 1 | 2 | 2 | 2 |
| Test transactions (SAR M) | 45 | 120 | 280 | 450 | 580 |
| Test investors | 85 | 210 | 380 | 520 | 640 |
The acceleration in test transaction volume — from SAR 45 million in Q1 2025 to SAR 580 million in Q1 2026 — reflects both the growing sophistication of sandbox participants and the CMA’s progressive expansion of testing parameters as entities advance through phases.
Strategic Significance
The sandbox serves a dual function in Saudi Arabia’s tokenization ecosystem. First, it provides a controlled environment for innovation, allowing fintech firms and existing financial institutions to test digital asset products without full regulatory burden. Second, it generates the operational data and regulatory experience that the CMA uses to refine the broader Digital Assets Regulatory Framework.
The 7 sandbox graduates have collectively deployed SAR 2.1 billion in tokenized securities — demonstrating that the sandbox pathway produces viable market participants. Each graduated entity’s operational experience informs subsequent sandbox cohorts, creating a learning loop that accelerates the ecosystem’s maturation. The CMA has published anonymized case studies from graduated entities, providing practical guidance for prospective applicants on technology selection, Sharia structuring, investor onboarding, and custody arrangements.
The sandbox model also supports Vision 2030 objectives by creating a pathway for Saudi nationals to build careers in digital asset regulation. Each sandbox entity typically employs 15-30 professionals, and the 19 current participants collectively employ approximately 400 people in Saudi Arabia — contributing to the Kingdom’s financial sector employment and talent development goals.
The Fintech Saudi-CMA Digital Asset Accelerator provides a dedicated pre-sandbox preparation track, with 14 startups supported across two cohorts and a 71% sandbox application conversion rate. The accelerator’s 6-month program includes regulatory classification assessment, R3 Corda development environment access, Edaa sandbox API testing, and AML/CFT compliance framework design — substantially reducing the time and risk associated with standalone sandbox applications. The Saudi Digital Academy and Saudi Blockchain Lab contribute technical training resources, while Elm Company’s digital identity infrastructure supports the KYC and investor verification capabilities that sandbox participants must demonstrate.
The CMA FinTech Lab — the regulatory division responsible for sandbox oversight — maintains 12 dedicated staff members processing sandbox applications and monitoring active participants. The Lab’s capacity has scaled from 4 staff at the sandbox’s January 2024 launch to the current 12, reflecting both the growing application volume and the CMA’s commitment to maintaining responsive review timelines despite increasing complexity. The CMA’s target of 75 licensed digital asset entities by 2028 implies a sustained pipeline of 8-10 sandbox graduations annually, requiring continued investment in regulatory capacity and supervisory infrastructure aligned with the Kingdom’s capital markets development roadmap.
For sandbox application inquiries: info@sauditokenisation.com