On 3rd December 2025, the Central Bank of Kuwait (CBK) announced a pivotal shift in the cybersecurity resilience regulatory landscape, evolving the 2020 Cybersecurity Framework (CSF) into the Cybersecurity and Operational Resilience Framework (CORF).

This comprehensive and enhanced framework is designed to strengthen cybersecurity and operational resilience, and third party risk management capabilities  across the banking and financial sector in Kuwait in response to evolving threats, technologies, and evolving global expectations.

Key Updates at a Glance:

The new CORF represents a significant increase in scope and rigor compared to the previous framework:

Three Strategic Baselines

The framework is categorized into three baselines:Cyber Resilience, Operational Resilience and Third-Party Risk Management (TPRM).

Expanded Control Landscape

The framework is structured into a four-level hierarchy of 27 Domains, 93 Sub-Domains, 200 Control Areas and 876 Controls.

Dynamic Assessment Model

A 3-tier risk-based assessment model, alongside a 5-level Maturity Model to evaluate how well capabilities are institutionalized and automated.

Download the Full Report (PDF) 

Download RSM’s "Point of View" to get an overview of the latest framework and key changes compared to the 2020 CBK CSF, which the regulated entities need to consider going forward.

How RSM in Kuwait Can Help

RSM Kuwait Cybersecurity Consulting can provide the following support to to assist Regulated Entities in navigating this transition to the CBK CORF journey:

Proactively conduct CORF gap assessment and identify areas to improve the maturity.

Implement and enhance existing cyber resilience and Third-Party Risk Management (TPRM) framework and capabilities.

Identify technology-driven solutions with real-time capabilities to continuously enhance cyber and resilience posture - like GRC/IRM platform.