CMA Sandbox Application Guide: Step-by-Step Process for Digital Asset Testing Authorization

Comprehensive application guide for the CMA digital asset sandbox — covering eligibility assessment, documentation requirements, three-phase testing structure, and the pathway from sandbox participation to full CMA licensing for tokenized securities activities.

Introduction

The CMA sandbox is the primary entry pathway for new market participants seeking to offer tokenized securities services in Saudi Arabia. Since its establishment in 2024, the sandbox has processed 43 participants with a 37% graduation rate (16 entities proceeding to full CMA licensing). This guide provides step-by-step instructions for navigating the application process, based on published CMA requirements and industry experience.

All guidance should be validated against the latest CMA and SAMA regulatory releases before reliance. Firms should engage Saudi-qualified legal counsel with digital asset regulatory expertise.

Phase 1: Pre-Application Preparation

Step 1: Determine License Category

The CMA Digital Assets Regulatory Framework establishes 7 license categories. Identify which category (or categories) applies to your proposed activity:

Firms whose activities span both CMA-regulated securities and SAMA-regulated payment services (e.g., a platform integrating payment token settlement with tokenized securities trading) should consult the Joint Digital Assets Committee for coordinated licensing guidance.

Step 2: Assess ELDAP Eligibility

If your firm already holds a CMA license (e.g., existing broker-dealer, asset manager, custody provider), the Existing Licensee Digital Asset Pathway (ELDAP) offers an accelerated 8-month timeline versus the sandbox’s 14-month average. ELDAP requires technology assessment, incremental capital, and staff competency verification rather than full sandbox testing. Four Saudi banks have used ELDAP to add digital asset capabilities.

Step 3: Engage Fintech Saudi

Fintech Saudi provides pre-application advisory services including regulatory classification guidance, documentation review, and introductions to CMA Digital Assets Division staff. The Fintech Saudi-CMA Digital Asset Accelerator provides a structured 6-month program with SAR 100,000-500,000 in non-dilutive grants and fast-track sandbox access (60-day accelerated review versus 90-day standard).

Step 4: Prepare Documentation Package

The sandbox application requires:

Business Plan:

• Executive summary of proposed digital asset activities
• Target market analysis (Saudi investor demographics, addressable market)
• Revenue model with 3-year financial projections
• Competitive positioning versus existing CMA-licensed entities
• Staffing plan including key personnel qualifications

Technology Architecture:

• DLT protocol selection rationale (must be one of 5 CMA-approved protocols: R3 Corda, Ethereum ERC-3643, Hyperledger Fabric, Polygon zkEVM, Hedera Hashgraph)
• Smart contract design documentation
• Infrastructure architecture including data residency compliance (all nodes hosted in Saudi Arabia)
• Integration plan with Tadawul’s digital platform and Edaa settlement
• Cybersecurity assessment and penetration testing plan

Compliance Framework:

• AML/CFT program design including blockchain analytics tooling, Travel Rule compliance (SAR 3,750 threshold aligned with FATF standards — Saudi Arabia has been a FATF member since 2019), and STR filing procedures
• Investor protection procedures including investor classification (QI, SQI, retail), suitability assessment, and complaint handling
• Sharia compliance framework (if offering Sharia-certified products) including Sharia board engagement
• Disclosure document templates for proposed products
• Data protection impact assessment under PDPL (data privacy compliance)

Financial Resources:

• SAR 1M minimum capital deposit for sandbox entry
• Evidence of access to full license category capital requirements
• SAR 50,000 non-refundable application fee

Phase 2: Application and Review

Step 5: Submit Formal Application

Applications are submitted to the CMA Digital Assets Division through the CMA’s online regulatory portal. The application package includes all documentation from Step 4 plus:

• Saudi commercial registration (or application for registration)
• Key personnel background checks and fitness-and-propriety declarations
• Declaration of beneficial ownership
• Conflicts of interest disclosure

Step 6: CMA Review Process

The CMA review follows a structured timeline:

The CMA may request additional information during any review stage, which pauses the review clock. Common information requests relate to technology architecture details, AML/CFT program specifics, and capital adequacy documentation.

Step 7: Conditional Approval

Successful applicants receive conditional sandbox approval specifying:

• Permitted activities (aligned with target license category)
• Customer base limits (typically 50-500 users during sandbox)
• Transaction volume caps
• Duration (12-24 months)
• Enhanced reporting requirements (monthly versus quarterly)
• Specific conditions to be satisfied before sandbox commencement

Phase 3: Sandbox Operation and Graduation

Step 8: Technical Deployment

Upon conditional approval:

• Deploy technology infrastructure on CMA-approved protocol
• Complete smart contract security audit through one of 6 CMA-approved auditors
• Integrate AML/CFT blockchain analytics
• Establish custody arrangements (either own custody license or partnership with licensed custodian)
• Connect to Tadawul sandbox environment and Edaa sandbox API
• Complete penetration testing and disaster recovery testing

Step 9: Sandbox Operations

During the 12-24 month sandbox period:

• Onboard customers within authorized limits
• Process transactions within volume caps
• Submit monthly compliance reports to CMA
• Participate in quarterly CMA review meetings
• Address CMA observations and recommendations within specified timeframes
• Maintain capital adequacy throughout the sandbox period

The CMA assigns a dedicated relationship manager to each sandbox participant. Relationship managers provide ongoing regulatory guidance and serve as the primary contact for questions and reporting.

Step 10: Graduation Assessment

Graduation from sandbox to full license requires demonstrating:

• Operational stability: No material technology failures or outages during sandbox
• Compliance effectiveness: Zero material AML/CFT breaches, investor protection complaints resolved satisfactorily
• Financial sustainability: Revenue trajectory supporting ongoing operations
• Technology resilience: Successful disaster recovery test
• Capital adequacy: Full license capital requirement deposited

Step 11: Full License Issuance

Upon successful graduation:

• CMA issues full digital asset license in the approved category
• Customer base limits removed
• Transaction volume caps removed
• Reporting transitions from monthly to quarterly
• Entity listed on CMA licensed entities register
• Integration with Tadawul production platform and Edaa production settlement

Common Pitfalls

Based on CMA enforcement actions and industry experience:

1. Underestimating capital requirements: Sandbox entry requires SAR 1M; full licensing requires SAR 2M-100M depending on category
2. Inadequate AML/CFT infrastructure: Manual compliance processes are insufficient — blockchain analytics tooling is mandatory
3. Smart contract governance failures: Unauthorized modifications trigger CMA enforcement
4. Incomplete disclosure: All 14 digital-asset-specific disclosure categories are mandatory
5. Data residency violations: All infrastructure must be hosted within Saudi Arabia
6. Insufficient Sharia engagement: Engaging Sharia board late in the process delays launch
7. Overambitious scope: Starting with a single product/license category improves graduation probability

Cost Estimates

The Fintech Saudi accelerator provides SAR 100,000-500,000 in non-dilutive grants to partially offset these costs. Saudi fintech venture capital (SAR 1.2B invested in 2025) provides additional funding for qualified startups.

Resources

• CMA Sandbox Application Process — Detailed regulatory requirements
• CMA Digital Assets Regulatory Framework — License categories and requirements
• ELDAP Pathway — Accelerated route for existing licensees
• Fintech Saudi-CMA Accelerator — Accelerator program details
• CMA Licensing FAQ — Common questions
• GCC Regulatory Comparison — Cross-jurisdictional context

Related network sites: Saudi Tokenized Real Estate | Dubai Tokenisation | UAE Tokenization Regulations | Capital Tokenization

Saudi FinTech Strategy 2025 and Sandbox Pipeline Development

The CMA sandbox operates within the institutional framework established by the Saudi FinTech Strategy 2025 — the joint SAMA-CMA policy initiative targeting 150 licensed fintech entities by 2030. The sandbox’s 37% graduation rate (16 of 43 participants) has produced entities across all 7 license categories, with broker-dealer and advisory licenses representing the highest-volume category.

The Fintech Saudi accelerator pipeline feeds directly into the sandbox — 71% of recent sandbox applicants participated in a Fintech Saudi program before applying. The accelerator’s SAR 100,000-500,000 non-dilutive grants partially offset the SAR 3-10 million Year 1 costs documented above, making sandbox participation viable for earlier-stage firms. Fintech Saudi’s international partnership programs have attracted applicants from 8 countries, contributing to the ecosystem’s diversity.

The CMA FinTech Lab — a 12-person specialized team within the CMA’s Technology and Innovation Division — provides pre-application consultations that reduce the rejection rate significantly. The Lab’s Implementation Guide covers technology architecture requirements in detail, addressing common application deficiencies around smart contract governance, AML/CFT program design, and data residency compliance that have historically caused application rejection.

PIF’s exploration of tokenization for portfolio company equity creates strategic demand for sandbox participants capable of building institutional-grade tokenized securities infrastructure. PIF portfolio companies — including Saudi banks, industrial conglomerates, and technology firms — represent potential issuers and investors on Tadawul’s digital platform, creating commercial opportunity for sandbox graduates with exchange, broker-dealer, or custodian licenses.

Elm Company’s Nafath digital identity platform integrates into sandbox participant KYC infrastructure from day one, providing the identity verification layer that CMA investor protection standards require. The Saudi Digital Academy’s “Capital Markets Digital Infrastructure” certification program has trained 120 professionals across the skills needed for sandbox operations — including custody key management, AML/CFT blockchain analytics, and Sharia compliance automation.

The Saudi Blockchain Lab’s protocol evaluation framework — 42 criteria across performance, security, regulatory compliance, and Sharia compatibility — directly informs the sandbox’s technology architecture review. Applicants selecting from the 5 CMA-approved protocols benefit from the Lab’s published evaluation data, which provides performance benchmarks and configuration guidance specific to Saudi market conditions.

Saudi Arabia’s FATF membership (since 2019) ensures that sandbox participants develop AML/CFT programs meeting international standards from the outset. The FATF’s 2024 mutual evaluation rated Saudi Arabia “largely compliant,” validating the CMA’s sandbox compliance requirements against global benchmarks and providing sandbox graduates with international regulatory credibility.

The GCC regulatory comparison shows that the CMA sandbox’s 37% graduation rate is lower than SAMA’s fintech sandbox (65%) but reflects the higher complexity of securities-related digital asset activities compared to payment services. Compared to UAE VARA’s licensing process, the CMA sandbox provides a more structured testing environment with dedicated relationship managers and phased graduation requirements. International applicants benefit from the CMA’s cooperation agreements with 11 regulators, which streamline information sharing during the sandbox review process. The Fintech Saudi ecosystem’s international partnership programs have attracted sandbox applicants from 8 countries, demonstrating the Kingdom’s success in positioning the sandbox as a gateway for international digital asset firms seeking to establish regulated operations in Saudi Arabia’s $2.7 trillion capital market. The IOSCO principles for securities regulation inform the CMA sandbox’s testing requirements, ensuring that graduated entities meet international standards for market integrity, investor protection, and operational resilience from day one of full licensing. Applicants should allocate 4-6 weeks for pre-application preparation — including technology architecture documentation, compliance framework design, and business model validation — before submitting the formal sandbox application to maximize the probability of Phase 1 approval within the CMA’s standard 6-8 week review timeline.

For guide-related inquiries: info@sauditokenisation.com