The CMA published its Securities Tokenization Standards (STS) in November 2024, establishing the technical baseline for all tokenized securities issued under Saudi jurisdiction. These standards operate within the CMA’s broader regulatory architecture that encompasses over 20 implementing regulations — from the Capital Market Law (2003) through the recently approved Netting Regulations (July 2025) and Guidelines for Issuing Green, Social, Sustainable, and Sustainability-Linked Debt Instruments (May 2025). The standards cover blockchain protocol requirements, smart contract governance, token metadata specifications, and ongoing disclosure obligations. Eight entities currently hold CMA authorization for digital asset issuance under these standards.
Approved Blockchain Protocols
The CMA does not mandate a single blockchain but maintains an Approved Protocol Registry. As of March 2026, five protocols have received CMA technical certification:
- Ethereum (ERC-3643 compliant) — Permissioned deployments only, with KYC/AML identity layers mandatory
- Hyperledger Fabric — Preferred for institutional-grade private deployments, particularly for tokenized sukuk structures
- R3 Corda — Approved for inter-bank digital securities settlement, used by Edaa’s pilot programs
- Polygon (zkEVM) — Approved in Q1 2026 for scalable retail-facing tokenized securities
- Hedera Hashgraph — Approved for specific use cases involving high-throughput micro-transactions
Each protocol must undergo a CMA Technical Assessment covering consensus mechanism security, transaction finality guarantees, smart contract audit capabilities, and data residency compliance. The assessment process takes 4-8 months and costs approximately SAR 500,000 in assessment fees.
Protocol Selection Criteria
The CMA evaluates protocols against 42 technical criteria grouped into five domains:
Security Architecture (12 criteria): Consensus mechanism resilience, cryptographic standard compliance (must meet NIST or equivalent), network partition tolerance, key management infrastructure, and vulnerability disclosure processes.
Performance and Scalability (8 criteria): Transaction throughput minimums (500 TPS for trading platforms, 50 TPS for issuance platforms), finality time maximums (30 seconds for settlement, 5 minutes for issuance), and demonstrated capacity under load testing.
Regulatory Compliance (10 criteria): Identity layer integration capability, transaction monitoring hooks, asset freeze/seizure functionality, data residency controls (Saudi data must remain in Kingdom-based nodes), and Sharia compliance verification integration points.
Interoperability (7 criteria): Cross-chain bridge capabilities, Tadawul system integration readiness, SWIFT/ISO 20022 messaging compatibility, and API standardization.
Governance (5 criteria): Protocol upgrade procedures, node operator requirements, dispute resolution mechanisms, and long-term viability assessment.
Smart Contract Governance
All smart contracts governing tokenized securities must undergo a three-stage review process:
Stage 1: Independent Security Audit
A CMA-approved auditing firm must conduct a comprehensive security audit covering:
- Formal verification of core contract logic
- Vulnerability assessment against the OWASP Smart Contract Top 10
- Gas optimization and denial-of-service resistance
- Access control and permission model review
- Upgrade mechanism safety analysis
The CMA maintains a registry of 6 approved smart contract auditing firms, including 3 international firms (OpenZeppelin, Trail of Bits, and Quantstamp) and 3 regional firms with CMA certification.
Stage 2: Sharia Compliance Review
Smart contract logic must be reviewed by a CMA-approved Sharia board to verify:
- The automated execution of contract terms complies with Islamic contract law principles
- No automated interest calculation or distribution functions exist
- Asset-backing requirements are enforced at the protocol level
- Gharar (excessive uncertainty) is minimized through transparent, deterministic contract behavior
Stage 3: CMA Technical Registration
Following both audits, the smart contract is registered with the CMA Digital Assets Registry, receiving a unique registration number that must be disclosed in all offering documents and marketing materials.
Registered smart contracts are subject to annual re-audit requirements and must undergo emergency review following any protocol upgrade that affects contract execution.
Token Metadata Standards
The CMA has established mandatory metadata standards for all tokenized securities, requiring on-chain and off-chain data elements:
On-Chain Mandatory Fields
| Field | Description | Standard |
|---|---|---|
| Token Name | Full legal name of the security | UTF-8, max 128 characters |
| Token Symbol | Trading symbol | Alphanumeric, 3-8 characters |
| CMA Registration Number | Unique CMA registry identifier | CMA-DA-YYYY-XXXX format |
| Issuer Identifier | CMA-registered issuer code | LEI format preferred |
| Token Type | Security classification | CMA taxonomy code |
| Total Supply | Maximum authorized tokens | Uint256 |
| Decimals | Fractional precision | Maximum 18 |
| Sharia Status | Compliance certification | Boolean + certificate hash |
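As an added example (not CMA or issuer code), a pre-registration check of the on-chain mandatory fields in the table above could look like the following. The dictionary key names, the reading of CMA-DA-YYYY-XXXX as four digits plus four uppercase alphanumerics, and SHA-256 for the certificate hash are assumptions; the LEI check follows ISO 17442.

```python
import re

# Formats from the on-chain fields table. Assumed (not on the page): YYYY is
# 4 digits, XXXX is 4 uppercase alphanumerics, certificate hash is SHA-256 hex.
PATTERNS = {
    "token_symbol": re.compile(r"[A-Za-z0-9]{3,8}"),
    "cma_registration_number": re.compile(r"CMA-DA-[0-9]{4}-[A-Z0-9]{4}"),
    "sharia_certificate_hash": re.compile(r"[0-9a-f]{64}"),
}

def _is_str(v):
    return isinstance(v, str) and v != ""
def _is_uint(v, upper):
    return isinstance(v, int) and not isinstance(v, bool) and 0 <= v <= upper

def _lei_number(s):
    # ISO 7064 MOD 97-10 as used by ISO 17442: digits stay, A=10 ... Z=35.
    return int("".join(str(int(c, 36)) for c in s))

def is_valid_lei(s):
    return bool(re.fullmatch(r"[A-Z0-9]{18}[0-9]{2}", s)) and _lei_number(s) % 97 == 1

def validate_metadata(m):
    """Return (errors, warnings): lists of field names that fail a rule."""
    issuer = m.get("issuer_identifier")
    rules = {
        "token_name": _is_str(m.get("token_name")) and len(m["token_name"]) <= 128,
        "token_type": _is_str(m.get("token_type")),  # taxonomy codes not on the page
        "total_supply": _is_uint(m.get("total_supply"), 2**256 - 1),
        "decimals": _is_uint(m.get("decimals"), 18),
        "sharia_compliant": isinstance(m.get("sharia_compliant"), bool),
        "issuer_identifier": _is_str(issuer),
    }
    for field, pattern in PATTERNS.items():
        rules[field] = _is_str(m.get(field)) and bool(pattern.fullmatch(m[field]))
    errors = [f for f, ok in rules.items() if not ok]
    # LEI is "preferred", so a non-LEI issuer code is a warning, not an error.
    warnings = ["issuer_identifier"] if _is_str(issuer) and not is_valid_lei(issuer) else []
    return errors, warnings

# Constructed sample record; the LEI check digits are computed, not a real LEI.
_base = "5299000EXAMPLE0000"
SAMPLE = {
    "token_name": "Example Sukuk Series A", "token_symbol": "EXSKA",
    "cma_registration_number": "CMA-DA-2025-0A1B", "token_type": "PLACEHOLDER",
    "issuer_identifier": _base + f"{98 - _lei_number(_base + '00') % 97:02d}",
    "total_supply": 1_000_000, "decimals": 2, "sharia_compliant": True,
    "sharia_certificate_hash": "ab" * 32,
}
print(validate_metadata(SAMPLE))
```
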
Off-Chain Mandatory Data
All tokenized securities must maintain an off-chain data repository containing the full offering prospectus, Sharia compliance certificate, audited financial statements of the issuer, ongoing material event disclosures, and quarterly performance reports.
The off-chain repository must be accessible via a standardized API conforming to the CMA Digital Assets Data Standard (DADS), enabling automated compliance monitoring and integration with Tadawul’s surveillance systems.
Disclosure Obligations for Tokenized Securities
Issuers of tokenized securities face disclosure obligations at three stages:
Pre-Issuance: A Digital Asset Prospectus must be filed with the CMA at least 30 days before the token generation event. The prospectus must include all standard securities disclosures plus specific digital asset disclosures: smart contract audit results, blockchain protocol selection rationale, token economics model, and custody arrangements.
Ongoing: Quarterly reports on token holder demographics, secondary market activity, smart contract upgrade history, and custody provider audit results. Material events (smart contract vulnerabilities, protocol forks, significant token holder changes) must be disclosed within 24 hours.
Redemption/Termination: A 90-day notice period for planned token redemption or decommissioning, with mandatory buyback provisions at independently assessed fair value for tokens that cannot be freely traded on secondary markets.
Capital and Insurance Requirements
Issuers must maintain specific capital and insurance provisions:
- Minimum capital: SAR 10M for issuers of digital asset securities, maintained throughout the token’s lifetime
- Professional indemnity insurance: Minimum SAR 25M coverage for smart contract failures, cyber attacks, and operational errors
- Investor protection fund contribution: 0.1% of total token issuance value, deposited with the CMA Investor Protection Fund
- Technology failure reserve: SAR 2M or 5% of outstanding token value (whichever is higher) held in liquid assets to cover blockchain infrastructure failures
These requirements exceed those in most competing jurisdictions. The insurance mandate alone creates an additional cost layer that has led some potential issuers to consider Bahrain or UAE alternatives, though access to Saudi Arabia’s SAR 11 trillion ($2.7T) capital market often justifies the premium.
Implementation Timeline and Adoption
Since the STS publication in November 2024:
- Q4 2024: 3 entities received initial issuance authorization
- Q1 2025: First tokenized sukuk issued under the framework (SAR 100M by a CMA-licensed investment bank)
- Q2 2025: 5 additional entities authorized; CMA expanded the Approved Protocol Registry
- Q3 2025: First equity token offering completed under full STS compliance
- Q1 2026: 8 authorized issuers operating, with SAR 2.1B in tokenized securities outstanding
The CMA projects SAR 10B in tokenized securities outstanding by end of 2027, driven by sovereign sukuk tokenization and institutional adoption of tokenized equity instruments.
Compliance Monitoring and Enforcement
The CMA has deployed automated compliance monitoring infrastructure that connects directly to approved blockchain protocols, providing:
- Real-time transaction monitoring for AML/CFT compliance
- Automated detection of unauthorized token transfers or modifications
- Smart contract state monitoring for compliance with registered parameters
- Cross-chain tracking for multi-protocol token deployments
Three enforcement actions have been taken under the STS as of March 2026: one for unauthorized smart contract modification without CMA notification, one for failure to maintain the required technology failure reserve, and one for non-compliant token metadata.
Future Standards Development
The CMA has announced planned extensions to the Securities Tokenization Standards for 2026-2027:
NFT Securities Standards: Guidance on when non-fungible tokens constitute securities under Saudi law, with specific standards for tokenized real estate, tokenized intellectual property, and fractional NFT structures. The consultation paper is expected in Q3 2026.
Cross-Chain Standards: Technical standards for tokenized securities that operate across multiple blockchain protocols, addressing interoperability requirements, cross-chain settlement mechanics, and regulatory reporting obligations for multi-chain deployments.
Decentralized Exchange Integration: Preliminary standards for how CMA-regulated tokenized securities may interact with decentralized exchange protocols, balancing the DeFi innovation potential against regulatory requirements for AML/CFT compliance and investor protection.
Smart Contract Formal Verification: The CMA is evaluating a requirement for formal mathematical verification of critical smart contract functions (distribution calculations, access control logic, upgrade mechanisms) in addition to the existing security audit requirement. Formal verification would provide mathematical proof of contract correctness, significantly reducing the risk of logic errors that could affect investor assets.
Quantum-Safe Cryptography: In coordination with the Saudi Blockchain Lab and the National Cybersecurity Authority, the CMA is developing standards for quantum-resistant cryptography in tokenized securities infrastructure. These standards, expected by 2028, would require migration to post-quantum cryptographic algorithms for all key management and digital signature operations.
The Securities Tokenization Standards represent the technical foundation upon which Saudi Arabia’s entire tokenized securities market operates. Their rigor — covering protocol selection, smart contract governance, metadata standards, and disclosure obligations — ensures that tokenized securities issued under Saudi jurisdiction meet institutional-grade quality standards. The standards’ continuous evolution reflects the CMA’s commitment to maintaining technical currency as blockchain technology and digital asset markets develop.
FATF Alignment and International Standards Integration
The Securities Tokenization Standards incorporate Saudi Arabia’s FATF membership obligations (since 2019) at the technical level. All approved blockchain protocols must support FATF-compliant travel rule implementation, meaning that token transfer functionality must include the capability to transmit originator and beneficiary information alongside value transfers exceeding SAR 3,750.
This FATF alignment is embedded in the protocol approval criteria. R3 Corda’s enterprise architecture natively supports identity-attached transactions, which contributed to its selection as Tadawul’s primary protocol. ERC-3643’s identity-layer extensions meet the same requirement for Ethereum-based deployments. Protocols that do not support identity-linked transactions are ineligible for CMA approval, regardless of their technical merits in other dimensions.
The standards also align with IOSCO principles for financial market infrastructure, particularly Principle 8 (settlement finality), Principle 11 (central securities depository), and Principle 17 (operational risk management). This alignment ensures that Saudi tokenized securities meet the same infrastructure standards as conventional securities, supporting the CMA’s convergence roadmap that targets unified treatment of all securities regardless of settlement technology by 2028.
Industry Adoption and Compliance Metrics
Since the STS took effect in November 2024, compliance metrics demonstrate strong industry adoption:
Protocol Distribution: Of the 8 authorized issuers, 5 deploy on R3 Corda (primarily for Tadawul-listed securities), 2 on ERC-3643, and 1 on Hyperledger Fabric. No issuers have selected Polygon zkEVM or Hedera Hashgraph to date, though the CMA expects adoption of these protocols as commodity tokenization and DeFi-adjacent products enter the pipeline.
Audit Compliance: All 8 issuers have completed initial smart contract audits, with 3 having completed at least one annual re-audit. The CMA’s on-chain monitoring has detected zero unauthorized smart contract modifications since the STS took effect — a compliance rate that reflects both the effectiveness of the governance requirements and the severity of CMA enforcement for violations.
Token Standards: Issuers have converged on consistent token metadata structures, with the CMA’s standardized fields (issuer, asset class, Sharia status, investor eligibility, and regulatory status) uniformly implemented. This standardization enables automated compliance checking by Tadawul, Edaa, and third-party service providers.
The Saudi Blockchain Lab’s protocol evaluation research — conducted by 35 researchers including 18 at PhD level across 8 university partnerships — provides the technical foundation for the CMA’s Approved Protocol Registry decisions. The Lab’s 2023 comparative analysis of 7 DLT protocols against the 42 CMA evaluation criteria directly determined R3 Corda’s selection as Tadawul’s primary platform protocol. The Saudi Digital Academy’s “Blockchain for Capital Markets” certification program has trained 85 professionals in the STS requirements, spanning smart contract development, security auditing, and regulatory compliance engineering — addressing the talent pipeline that the growing number of CMA-authorized issuers requires.
The CMA FinTech Lab has coordinated with the SEC and ESMA on security token technical standards through IOSCO working groups, contributing Saudi perspectives on Sharia-compliant smart contract architectures and privacy-preserving disclosure mechanisms that have influenced emerging international tokenization standards. The Kingdom’s FATF membership since 2019 ensures that all approved protocols meet international AML/CFT transaction monitoring requirements, with identity-linked transaction capability serving as a mandatory protocol approval criterion.
For technical inquiries regarding CMA tokenization standards: info@sauditokenisation.com