Competency frameworks in the Saudi market — a concise guide

Competency frameworks in Saudi Arabia have multiplied in the last decade, and the result is genuine confusion among HR leaders. Procurement asks which framework you are using. The regulator asks the same question with different intent. Internal stakeholders just want to know which assessment to run. This guide cuts the noise: the major national frameworks, what each is actually for, and how to combine them without ending up with a job architecture that nobody can defend.

The five frameworks that matter

Treat these as the working set. Anything else is either sector-specific in a narrower sense, or a private translation of one of these.

HRSD — the national reference

The Ministry of Human Resources and Social Development publishes the broad national competency reference — behavioral and core competencies, leadership levels, job families. It is the closest thing the Kingdom has to a universal HR vocabulary, and it is what most government and semi-government employers default to when they need a defensible baseline.

NCA — cybersecurity competencies

The National Cybersecurity Authority owns the cybersecurity workforce framework. If you are hiring a SOC analyst, a cloud security engineer, or a CISO at a regulated entity, this is your reference — not a generic IT competency model. NCA mappings are also what auditors check first when reviewing whether a critical-infrastructure operator has the right people in the right roles.

SCFHS — healthcare practice standards

The Saudi Commission for Health Specialties governs clinical competency standards, residency frameworks, and the licensing competencies that follow. For any clinical role, SCFHS is non-negotiable; using HRSD's behavioral framework alone would be professionally meaningless.

SDAIA — data and AI roles

The Saudi Data and AI Authority publishes the national reference for data and AI workforce competencies. Data engineers, ML engineers, AI governance officers, and increasingly product roles touching AI fall here. SDAIA's framework is the youngest of the five and is updated more aggressively, which matters for version control.

Financial Academy — banking and finance

The Financial Academy, under SAMA's umbrella, owns the competency standards for banking, capital markets, insurance, and finance roles in regulated financial institutions. If you are at a bank or finance company, this framework — not HRSD alone — defines the bar for credit officers, risk managers, and compliance staff.

How to pick the right one

The right question is rarely "which framework?" It is "which combination, and in what order?" A regulated entity hiring a CISO uses NCA for the technical competencies and HRSD for the leadership behaviors. A hospital uses SCFHS for clinical practice and HRSD for management. A bank uses Financial Academy for the regulated functions and SDAIA for its growing data team.

Mapping to job architecture

A clean job architecture has three layers: a job family taxonomy, a level model, and a competency profile per job. Each layer maps to one or more frameworks, and the mapping should be explicit in your HRIS, not folklore in a spreadsheet.

• ·Job family taxonomy — usually a hybrid of HRSD and the dominant sector framework.
• ·Level model — most often HRSD's leadership levels, adapted to your organization's grade structure.
• ·Competency profile — the per-role list pulled from the relevant sector framework, with HRSD behaviors layered on for the soft side.

The three mistakes we see most often

1. 1.Treating one framework as universal — usually HRSD — and ignoring the sector regulator. This produces job descriptions that pass HR review and fail the first regulatory audit.
2. 2.Mapping to an outdated version. SDAIA in particular has revised its framework more than once; assessments built against the previous version quietly drift out of validity.
3. 3.Confusing competencies with skills. A framework gives you the competencies — the observable behaviors and capabilities. Skills are a finer-grained layer underneath, and you usually own that layer yourself.

When to localize further

Most large employers eventually add a private layer of organization-specific competencies on top of the national frameworks — values, ways of working, proprietary technical depth. That is healthy. The discipline is to keep that private layer clearly separated from the regulated layer, so an external auditor or a new CHRO can still see, in one view, exactly which competencies came from which authority and which version.

Frameworks are not the goal. Defensible, consistent hiring and development decisions are the goal. The frameworks are how you defend them.