ADGM FSRA Rolls Out New Cyber Risk Framework Ahead of 2026

Effective from January 31, 2026, with a six-month window for transition

The Riffle

In a decisive step to fortify cyber resilience, the ADGM Financial Services Regulatory Authority (FSRA) has released a revised Cyber Risk Management Framework, effective January 31, 2026, with a six-month transition period. This marks a pivotal evolution in ADGM’s regulatory landscape, aligning its standards with global best practices.

Key Highlights

1. Cyber Risk Now Fully Embedded in Risk Frameworks
Firms must integrate a Cyber Risk Management Framework into their overall risk management systems. It must be governing body-approved, regularly reviewed, and tailored to the firm’s risk profile, per updated GEN 3.5 rules.

2. Clear Governance and Accountability
Boards and senior management hold ultimate responsibility for cyber risk oversight, defining risk tolerance, ensuring expertise, and maintaining oversight—even when outsourcing ICT functions.

3. Rigorous Controls Required Across the Lifecycle
Requirements now span identification, protection, monitoring, and incident response. This includes:

  • ICT asset inventory and classification

  • Network and access controls

  • Change and patch management

  • Incident detection and containment

  • Annual penetration and resilience testing

4. 24-Hour Incident Notification Rule
Firms must notify the FSRA within 24 hours of becoming aware of a material cyber incident, with clear guidance provided on materiality triggers (e.g., customer data breaches, operational disruptions, reputational harm).

5. Strong Focus on Third-Party Risk
Third-party ICT providers are a key risk area. Firms remain fully accountable for their security posture and must conduct due diligence, establish robust contracts, and implement continuous oversight.

6. Broad Application Across ADGM Rulebooks
The cyber framework is now embedded into multiple rulebooks (e.g., PRU, COBS, MIR, PIN), reinforcing its cross-sector importance.

What Should Firms Do Now?

  • Conduct a gap analysis against the new GEN 3.5 requirements

  • Engage senior leadership to define risk appetite and approve frameworks

  • Review contracts and oversight mechanisms for ICT service providers

  • Test and update incident response plans with 24-hour protocols

  • Enhance employee training to build firm-wide cyber awareness

ADGM is making it clear: cyber risk is a boardroom issue. Firms have until July 2026 to comply, but the work starts now.

Read the full briefing document by 10 Leaves: ADGM's Cyber Risk Management Framework_A Comprehensive Overview.pdf (PDF)