Compliance | 2-3 min read | By Mujahid Hasan

The DIFC vs ADGM Compliance Reality: Post-January 2026 Enforcement

ADGM's Cyber Risk Management Framework became binding in July 2025, with full compliance required by 31 January 2026, while DIFC enforces cybersecurity through the DFSA's risk-based GEN 5.5 Rulebook. For UAE financial firms the practical question is what auditors now check — and these six controls are where DIFC and ADGM examinations most often focus.

What does ADGM's legally binding cyber framework require?

On July 29, 2025, the ADGM Financial Services Regulatory Authority (FSRA) announced its Cyber Risk Management Framework (GEN 3.5). The rules became binding in July 2025, with a six-month transition giving firms until January 31, 2026 to reach full compliance. This wasn't an update to existing guidelines—it was an elevation of requirements to enforceable status.

The framework mandates specific controls that go beyond traditional risk management:

24-Hour Incident Notification

ADGM-regulated firms must now report material cyber incidents to the FSRA within 24 hours of detection. This isn't a best practice—it's a legal requirement with enforcement mechanisms. Our incident response services help firms meet this mandate.

Asset Classification Requirements

Firms must maintain a current ICT asset inventory classified by confidentiality and business criticality, including third-party assets. Auditors ask to see these inventories, along with cyber-risk assessments that are reviewed regularly and at least annually.

Third-Party Contractual Obligations

Your agreements with cloud providers, MSPs, and SaaS vendors must now include specific security clauses addressing incident notification, data protection, and audit rights.

What does DIFC (DFSA GEN 5.5) require for cybersecurity?

While DIFC's approach through DFSA Rulebook GEN 5.5 maintains flexibility—allowing firms to adopt ISO 27001, NIST CSF, CIS Controls, or G7 Cybersecurity Principles—the expectations have sharpened in 2026.

The DFSA's 2025-2026 Business Plan emphasizes "meaningful outcomes" over checkbox compliance. Recent examinations focus on:

Board Accountability

Cyber risk must be on your board agenda with documented evidence of oversight. The DFSA expects to see governing body approval of your cyber risk framework—not just IT department sign-off.

Core Technical Controls

Firms must implement and evidence baseline technical controls in proportion to asset criticality—anti-malware with automatic scanning, network-perimeter monitoring, and least-privilege access. The DFSA also operates a Threat Intelligence Platform (TIP); participation is voluntary and free for DIFC firms, and strengthens posture rather than being an audited requirement.

Data Protection Integration

Cyber risk management and data protection are now examined as integrated functions under DIFC Data Protection Law No. 5 of 2020. Separate programs without coordination are flagged as gaps.

Is it too late to prepare for the 2026 requirements?

If you were preparing for these requirements, preparation time is over. Across the UAE, financial regulators are actively using their enforcement powers—fines, restrictions, and personal sanctions—so the cost of not being able to evidence compliance is no longer theoretical.

The question for February 2026 isn't whether you're familiar with these frameworks—it's whether you can demonstrate continuous compliance with legally binding requirements.

