
ADGM Cyber Risk Management Framework: Security Regulatory & Compliance Requirements for Dubai (2026)

Effective Date: January 31, 2026 (Legally Binding)

Issued by: ADGM Financial Services Regulatory Authority (FSRA)

Framework Type: Legally binding regulation (upgraded from voluntary guidance)

Executive Summary

On July 29, 2025, the ADGM Financial Services Regulatory Authority (FSRA) announced that its Cyber Risk Management Framework would become legally binding effective January 31, 2026. This represents a fundamental shift from voluntary guidance to enforceable regulatory requirements for all ADGM-regulated entities.

Key Requirements at a Glance

1. Board-Approved Framework

  • Written Cyber Risk Management Framework approved by governing body
  • Must include: Risk appetite statement, governance structure, implementation roadmap
  • Audit evidence: Board meeting minutes showing approval

2. ICT Asset Inventory & Classification

  • Tier 1: Critical systems (essential for business operations)
  • Tier 2: Important systems (significant impact if compromised)
  • Tier 3: Standard systems (limited impact)
  • Quarterly reviews required

3. 24-Hour Incident Notification ⚠️

  • Report material cyber incidents to FSRA within 24 hours of detection
  • Applies to: Unauthorized access, data breaches, ransomware, any material incident
  • Notification through ADGM portal with initial assessment

4. Access Controls & Identity Management

  • Least Privilege: Minimum access necessary for role
  • Quarterly Reviews: Documented access reviews for all systems
  • MFA Required: For all internet-facing systems and remote access

5. Third-Party Risk Management

  • Security clauses in all vendor agreements
  • Security assessments before onboarding critical vendors
  • Regular reviews of vendor security postures

6. Continuous Monitoring & Testing

  • 24/7 monitoring of ICT assets
  • Annual penetration testing (critical systems)
  • Quarterly penetration testing for internet-facing applications
  • Annual incident response tabletop exercises

Implementation Timeline (Post-January 2026)

Immediate (0-30 days)

  • Confirm board-approved framework is documented
  • Verify ICT asset inventory is complete and classified
  • Test 24-hour incident notification procedures

Short-term (1-3 months)

  • Complete access control reviews and implement MFA gaps
  • Finalize third-party vendor security assessments
  • Conduct initial incident response tabletop exercise

Common Compliance Gaps

Based on early 2026 examination trends, ADGM FSRA is focusing on:

  1. Documentation Weakness: Technical controls exist but aren't documented
  2. Asset Inventory Gaps: Shadow IT and cloud assets missing
  3. Notification Delays: Taking 48-72 hours instead of required 24
  4. Third-Party Blind Spots: Insufficient vendor assessments
  5. Board Engagement: Lack of evidence of active cyber risk review

Comparison: ADGM vs. Other UAE Frameworks

Requirement            | ADGM                        | DIFC (DFSA)
-----------------------|-----------------------------|--------------------------------
Incident Notification  | 24 hours                    | 72 hours
Legal Status           | Legally binding (Jan 2026)  | Risk-based guidance
Asset Classification   | Tier 1, 2, 3 (prescribed)   | Required (methodology flexible)

The average cost of a data breach in the Middle East is $8.75 million — the second highest globally, according to the IBM Cost of a Data Breach Report 2024. ADGM's legally binding framework exists to prevent exactly this.

Frequently Asked Questions

What is the ADGM Cyber Risk Management Framework?

The ADGM Cyber Risk Management Framework is a legally binding regulation issued by the Abu Dhabi Global Market Financial Services Regulatory Authority (FSRA) that became enforceable on January 31, 2026. It requires all ADGM-regulated entities to implement board-approved cyber risk governance, ICT asset classification, 24-hour incident notification, and continuous monitoring.

Who does the ADGM Cyber Risk Management Framework apply to?

The framework applies to all entities regulated by the ADGM Financial Services Regulatory Authority (FSRA), including digital banks, wealth managers, asset managers, and other financial services firms operating within the Abu Dhabi Global Market free zone.

What is the 24-hour incident notification requirement under ADGM?

ADGM-regulated entities must report any material cyber incident to the FSRA within 24 hours of detection. This includes unauthorized access, data breaches, ransomware attacks, and any incident with material operational impact. This is the strictest notification window in the UAE — compared to 72 hours under the DIFC DFSA framework.

How does ADGM compare to DIFC cybersecurity requirements?

ADGM's framework is more prescriptive and legally binding since January 2026, while DIFC DFSA operates on risk-based guidance. Key differences: ADGM requires 24-hour incident notification vs. DIFC's 72 hours; ADGM mandates a prescribed Tier 1/2/3 asset classification system vs. DIFC's flexible methodology; ADGM requires annual penetration testing for critical systems.

What is Tier 1, 2, 3 asset classification under the ADGM framework?

The ADGM framework requires ICT assets to be classified into three tiers: Tier 1 — Critical systems essential for core business operations; Tier 2 — Important systems where compromise would have significant impact; Tier 3 — Standard systems with limited impact if compromised. Quarterly reviews of this classification are mandatory.

What are the penalties for non-compliance with ADGM cybersecurity requirements?

Non-compliance with the ADGM Cyber Risk Management Framework can result in regulatory sanctions from the FSRA, including financial penalties, license restrictions, and reputational consequences. As a legally binding regulation since January 31, 2026, failure to comply is treated as a regulatory breach.

What steps should a Dubai-based regulated entity take to achieve ADGM compliance?

Key compliance steps include: (1) Obtain board approval for a written Cyber Risk Management Framework; (2) Complete and classify your ICT asset inventory into Tier 1/2/3; (3) Implement 24-hour incident notification procedures; (4) Deploy MFA on all internet-facing systems; (5) Conduct annual penetration testing; (6) Establish third-party vendor security assessments. A cybersecurity partner familiar with ADGM FSRA expectations can accelerate this process.

Is penetration testing required under the ADGM framework?

Yes. The ADGM Cyber Risk Management Framework requires annual penetration testing for critical (Tier 1) systems and quarterly testing for internet-facing applications. Annual incident response tabletop exercises are also required to test readiness.

ADGM Compliance Support

Our Essentials service provides the 24/7 surveillance ADGM requires, with automated vulnerability detection and real-time alerting that satisfies the "ongoing surveillance" mandate.


Official Sources

  • ADGM FSRA. "ADGM's FSRA Issues Cyber Risk Management Framework." July 29, 2025. adgm.com