ADGM firms must now integrate cyber risk into their core risk systems: The Financial Services Regulatory Authority (FSRA) has issued a new cyber risk framework, mandating that all authorized persons and recognized bodies integrate cyber risk management into their overall enterprise risk frameworks, according to a press release (pdf). The regulation will take effect from 31 January 2026, giving firms a six-month transition period to comply.
We knew this was coming: the FSRA had first floated the proposal in May, publishing a consultation paper that laid out the planned amendments and opened the door for public feedback.
The regulatory amendments (pdf) introduce new compliance and incident response obligations, starting with a cyber risk management framework that firms will need to set up to assess cyber risks and to define response plans covering both day-to-day operations and cyber threats. The framework must be reviewed and updated on an annual basis, be proportionate to the scope and scale of the firm’s activities, and be able to protect its ICT assets.
Scoping out external partners: They’ll also have to conduct due diligence on their IT and cybersecurity service providers, and ensure outsourcing arrangements do not weaken their ability to manage cyber threats.
Monitoring and reporting: Firms will have to make sure a system is in place to regularly test the resilience of their IT systems, and report material cyber incidents — where financial losses or operational disruptions and compromised data are involved — to the FSRA within 24 hours of identification. They’ll also be obliged to keep an inventory of ICT assets, classified according to their level of confidentiality, along with an assessment of how at risk each asset is.
Who is responsible? Senior management and boards are now explicitly accountable for overseeing cyber risk and making sure the cyber risk management framework is properly implemented. They will also have to make sure they are aware of, and trained for, developments in the field of cybersecurity, maintain up-to-date anti-malware software, and ensure that access is granted only at the lowest level needed for each task in order to mitigate risk as much as possible.