Publikation
Legalseas
Our shipping law insights provide legal and market commentary, addressing the key questions and topics of interest to our clients operating in the shipping industry, helping them to effectively manage risk.
Cyber risk management in the ADGM: an analysis of the new regulatory framework
Naher Osten | Publikation | August 2025
On 29 July 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) announced the implementation of a new Cyber Risk Management Framework that will apply to financial sector firms under its supervision1. The central purpose is to: (i) enhance the overall cyber resilience of the ADGM financial services sector, by establishing consistent cyber risk management standards; and (ii) align with the UAE government’s efforts to combat both cyber threats and financial crime at a national level.
The implemented framework takes account of industry feedback on the FSRA’s proposals in its Consultation Paper No. 3 of 20252. Firms now have a six-month transition period to ensure compliance with the requirements, which take effect from 31 January 2026.
Firms are expected to integrate the cyber risk management requirements into their existing risk frameworks, which should already meet the FSRA’s expectations in its Governance Principles and Practices to Mitigate Cyber Threats and Crime and Information Technology Risk Management Guidance3.
Applicability and scope
The Cyber Risk Management Framework has been implemented by way of amendments to various FSRA Rules that are applicable to:
- Authorised Persons, being the wide range of financial sector firms (including banks, insurers and investment firms) licensed to conduct regulated financial activities in the ADGM; and
- Recognised Bodies, being investment exchanges and clearing houses permitted by the FSRA to operate in the ADGM.
Most of the content appears in a new Cyber Risk Management section of the General Rulebook4. The key requirement is for firms to establish and maintain a written cyber risk management framework to identify, assess and manage its Cyber Risks effectively.
- Cyber Risk is defined with reference to both the probability and impact of Cyber Incidents occurring. A firm’s framework will therefore need to consider both prevention and mitigation measures.
- Cyber Incident is widely defined as an incident arising from the use of information or communication technology that adversely affects an Authorised Person’s ICT Assets or the information it processes, stores or transmits. There is no materiality threshold with respect to the types of incidents or their impact that should be considered.
- ICT Assets include the full range of data and technology (both infrastructure and applications) used by a firm, whether belonging to the firm or its service providers.
Systems and controls
As with risk management generally, it is the responsibility of a firm’s board of directors (or other governing body) and its senior management to ensure the effective management of cyber risk.
A firm’s cyber risk management framework must be integrated with its overall risk management framework and include systems and controls that are proportionate to the nature, scale and complexity of its activities and to its Cyber Risk. It will need to cover the following broad areas:
- Cyber Risk identification and assessment: Firms must maintain a current inventory of their ICT Assets and conduct regular, at least annual, assessments of Cyber Risk associated with those assets.
- Prevention: Firms must implement appropriate measures to prevent and mitigate Cyber Incidents. There are comprehensive requirements relating to:
- technical, physical and operational security;
- change management;
- staff training / awareness; and
- third party oversight. For more information on the requirements of the framework in relation to ICT service providers, see our article Technology contracts in the ADGM – new requirements under the Cyber Risk Management Framework.
- Monitoring and testing: Firms must implement a system to conduct ongoing monitoring and regular testing of systems and controls, such as vulnerability assessments and scenario-based testing. The scope and frequency will depend on the nature, scale and complexity of their businesses and associated Cyber Risks.
- Response and recovery: Firms must establish, maintain and regularly test a robust cyber incident response plan to ensure timely recovery from incidents, mitigation of consequences and compliance with the incident notification requirements (more details on this requirement are below). The plan should be integrated into the firm’s overall crisis management and disaster recovery plans.
In developing their cyber risk management frameworks, firms are guided to take account of regulations and guidance published by other UAE federal authorities and recognised international standards. Once established, firms are expected to review their frameworks at least annually.
Incident notification
The amendments to the FSRA Rules also establish a new Cyber Incident notification requirement5. Firms will be required to notify the FSRA immediately (and no later than 24 hours) after becoming aware that a material Cyber Incident has occurred, or having information that reasonably suggests that this is the case.
The FSRA has provided guidance on factors to be considered in determining the materiality of a Cyber Incident, including:
- the financial, operational and reputational impact of the incident on the firm and its customers;
- whether or not the incident is reportable to another regulator; and
- whether or not the incident falls within the other events that require immediate notification to the FSRA, such as an event which could result in serious adverse financial consequences to the ADGM financial system or other regulated firms in the ADGM6.
Next steps
The amendments to the FSRA Rules will take effect on 31 January 2026. Impacted firms will need to assess the extent to which existing policies, processes, governance structures and third-party contracts require updating (or overhauling) to meet the requirements.
In the meantime, the FSRA is planning to update its cyber incident notification template before the end of 2025 to facilitate the reporting process.
At a national level, the UAE is preparing for its next Financial Action Task Force Mutual Evaluation in 2026, which includes a focus on cybercrime prevention7.
With thanks to Sea-won Baek.
Footnotes
3
Governance Principles and Practices to Mitigate Cyber Threats and Crime, November 2020; Information Technology Risk Management Guidance, November 2024
5
General Rulebook (GEN) [VER11.290725]. Rule 3.5.18
6
General Rulebook (GEN) [VER11.290725]. Rule 8.10.6
Aktuelle Publikationen
Blog
Entscheidung des Bundesgerichtshofs im Fall Sony gegen Datel: Auswirkungen auf Gaming, Cheat-Software und das EU-Softwareurheberrecht
Cheat-Software ist für Spielehersteller seit Langem ein Ärgernis. Doch stellt sie auch eine Urheberrechtsverletzung dar? In einer wegweisenden Entscheidung vom 31. Juli 2025 hat der Bundesgerichtshof (BGH) entschieden, dass Cheat-Tools, die lediglich In-Game-Variablen im RAM manipulieren – ohne den Programmcode zu verändern – nicht gegen das Softwareurheberrecht nach EU-Recht verstoßen.
Blog
German Federal Court of Justice decision in Sony v. Datel: Its implications for gaming, cheat tools and EU software copyright law
Cheat software has long been a thorn in the side of game publishers. But does it also constitute a copyright infringement? In a landmark decision, issued on 31 July 2025, the German Federal Court of Justice (BGH) ruled that cheat tools that merely manipulate in-game variables in RAM - without altering the program code - do not violate software copyright under EU law.
Subscribe and stay up to date with the latest legal news, information and events . . .