DFSA Rulebook GEN 5.5: Cyber Risk Management Requirements
Status: In force (referenced in the DFSA 2025-2026 Business Plan)
Issued by: Dubai Financial Services Authority (DFSA)
Rulebook Section: General (GEN) Module - Section 5.5
Framework Type: Risk-based regulatory requirements (flexible implementation)
Executive Summary
The DFSA's approach to cybersecurity is codified in Rulebook GEN 5.5 (Cyber Risk Management), part of the General (GEN) Module, which applies to firms authorised by the DFSA in the DIFC. Unlike ADGM's prescriptive framework, the DFSA takes a risk-based approach: firms may adopt the standards that fit their own risk profile, provided they can demonstrate to the DFSA that the controls produce effective outcomes.
Key Requirements at a Glance
1. Written Cyber Risk Management Framework (GEN 5.5.1)
- Requirement: Documented framework approved by governing body
- Flexibility: Firms may adopt ISO 27001, NIST CSF, CIS Controls, G7 Cybersecurity Principles, or equivalent
- Must address: Governance, risk assessment, incident response, business continuity, third-party risk
2. Board Accountability & Governance (GEN 5.5.2)
- Governing Body Responsibility: Ultimate accountability for cyber risk management
- Regular board agenda items on cyber risk
- Approved risk appetite statements
- Evidence of oversight (meeting minutes, reports reviewed)
3. ICT Asset Inventory & Classification (GEN 5.5.3)
- Identification and classification of ICT assets based on criticality
- Scope: Hardware, software, network components, cloud services, data repositories
- Asset registers with ownership, criticality ratings, and protection requirements
4. Access Controls & Identity Management (GEN 5.5.8)
- Least Privilege: Minimum necessary access for job functions
- Regular Reviews: Periodic access rights reviews (typically quarterly)
- Authentication: MFA recommended for sensitive systems
5. Incident Management & Notification (GEN 5.5.11 - 5.5.13)
- 72-Hour Notification: Report material cyber incidents to DFSA within 72 hours
- Firms must define what constitutes "material" in their framework
- Evidence preservation for investigation
6. Continuous Monitoring & Testing (GEN 5.5.15 - 5.5.16)
- Continuous surveillance of ICT systems
- Annual penetration testing for internet-facing systems
- Regular vulnerability scanning
- Annual incident response testing
DFSA Threat Intelligence Platform (TIP)
A unique aspect of DIFC's approach is the Threat Intelligence Platform (TIP):
- Engagement: Firms are expected to participate in the DIFC information-sharing platform
- Intelligence Consumption: Receive and act upon DIFC-specific threat intelligence
- Supervisory Focus: The DFSA assesses whether firms actively use TIP intelligence, not merely whether they are enrolled
Implementation Approach: Risk-Based Flexibility
The DFSA allows firms to choose their control framework based on size, complexity, and risk profile. Indicative tiers by headcount:
- Small firms (20-50 staff): CIS Controls implementation, focus on essential cyber hygiene
- Mid-market (50-200 staff): ISO 27001 certification or equivalent, hybrid security operations
- Large (200+ staff): NIST CSF or comprehensive ISO 27001/27002, dedicated security teams
Comparison: DFSA vs. ADGM Approaches
| Feature | DFSA (DIFC) | ADGM FSRA |
|---|---|---|
| Philosophy | Risk-based, flexible | Prescriptive, specific |
| Incident Notification | 72 hours | 24 hours |
| Framework Options | ISO 27001, NIST, CIS, etc. | Specific ADGM framework |
| Legal Status | Binding Rulebook requirements, already in force | Legally binding from Jan 2026 |
DFSA Compliance Support
We help DIFC firms implement flexible frameworks (ISO 27001, NIST CSF, or CIS) with documentation that satisfies DFSA's outcomes-based approach.
Official Sources
- Dubai Financial Services Authority. "DFSA Rulebook - General Module - GEN 5.5." dfsaen.thomsonreuters.com
- DFSA. "Business Plan 2025-2026." February 2025. dfsa.ae