On 29 July 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) announced the implementation of a new Cyber Risk Management Framework that will apply to financial sector firms under its supervision[1]. The central purpose is to: (i) enhance the overall cyber resilience of the ADGM financial services sector, by establishing consistent cyber risk management standards; and (ii) align with the UAE government’s efforts to combat both cyber threats and financial crime at a national level.
The implemented framework takes account of industry feedback on the FSRA’s proposals in its Consultation Paper No. 3 of 2025[2]. Firms now have a six-month transition period to ensure compliance with the requirements, which take effect from 31 January 2026.
Firms are expected to integrate the cyber risk management requirements into their existing risk frameworks, which should already meet the FSRA’s expectations in its Governance Principles and Practices to Mitigate Cyber Threats and Crime and Information Technology Risk Management Guidance[3].
Applicability and scope
The Cyber Risk Management Framework has been implemented by way of amendments to various FSRA Rules that are applicable to:
- Authorised Persons, being the wide range of financial sector firms (including banks, insurers and investment firms) licensed to conduct regulated financial activities in the ADGM; and
- Recognised Bodies, being investment exchanges and clearing houses permitted by the FSRA to operate in the ADGM.
Most of the content appears in a new Cyber Risk Management section of the General Rulebook[4]. The key requirement is for firms to establish and maintain a written cyber risk management framework to identify, assess and manage their Cyber Risks effectively.
- Cyber Risk is defined with reference to both the probability and the impact of Cyber Incidents occurring. A firm’s framework will therefore need to address both sides of that definition: preventive measures that reduce the likelihood of an incident, and mitigation measures that limit its impact.
- Cyber Incident is widely defined as an incident arising from the use of information or communication technology that adversely affects an Authorised Person’s ICT Assets or the information it processes, stores or transmits. No materiality threshold applies to the types of incident, or the scale of their impact, that the framework must consider; materiality becomes relevant only for the notification requirement discussed below.
- ICT Assets include the full range of data and technology (both infrastructure and applications) used by a firm, whether belonging to the firm or its service providers.
Systems and controls
As with risk management generally, it is the responsibility of a firm’s board of directors (or other governing body) and its senior management to ensure the effective management of cyber risk.
A firm’s cyber risk management framework must be integrated with its overall risk management framework and include systems and controls that are proportionate to the nature, scale and complexity of its activities and to its Cyber Risk. It will need to cover the following broad areas:
- Cyber Risk identification and assessment: Firms must maintain a current inventory of their ICT Assets and conduct regular, at least annual, assessments of Cyber Risk associated with those assets.
- Prevention: Firms must implement appropriate measures to prevent and mitigate Cyber Incidents; the Rules set out detailed requirements in this area.
- Monitoring and testing: Firms must implement a system to conduct ongoing monitoring and regular testing of systems and controls, such as vulnerability assessments and scenario-based testing. The scope and frequency will depend on the nature, scale and complexity of their businesses and associated Cyber Risks.
- Response and recovery: Firms must establish, maintain and regularly test a robust cyber incident response plan to ensure timely recovery from incidents, mitigation of consequences and compliance with the incident notification requirements (more details on this requirement are below). The plan should be integrated into the firm’s overall crisis management and disaster recovery plans.
In developing their cyber risk management frameworks, firms are guided to take account of regulations and guidance published by other UAE federal authorities and recognised international standards. Once established, firms are expected to review their frameworks at least annually.
Incident notification
The amendments to the FSRA Rules also establish a new Cyber Incident notification requirement[5]. Firms will be required to notify the FSRA immediately, and in any event within 24 hours, after becoming aware that a material Cyber Incident has occurred, or after obtaining information that reasonably suggests that one has occurred.
The FSRA has provided guidance on factors to be considered in determining the materiality of a Cyber Incident, including:
- the financial, operational and reputational impact of the incident on the firm and its customers;
- whether or not the incident is reportable to another regulator; and
- whether or not the incident falls within the other events that require immediate notification to the FSRA, such as an event which could result in serious adverse financial consequences to the ADGM financial system or other regulated firms in the ADGM[6].
Next steps
The amendments to the FSRA Rules will take effect on 31 January 2026. Impacted firms will need to assess the extent to which existing policies, processes, governance structures and third-party contracts require updating (or overhauling) to meet the requirements.
In the meantime, the FSRA is planning to update its cyber incident notification template before the end of 2025 to facilitate the reporting process.
At a national level, the UAE is preparing for its next Financial Action Task Force Mutual Evaluation in 2026, which includes a focus on cybercrime prevention[7].
With thanks to Sea-won Baek.