What does ADGM's legally binding cyber framework require?
On July 29, 2025, the ADGM Financial Services Regulatory Authority (FSRA) announced its Cyber Risk Management Framework (GEN 3.5). The rules became binding in July 2025, with a six-month transition giving firms until January 31, 2026 to reach full compliance. This wasn't an update to existing guidelines—it was an elevation of requirements to enforceable status.
The framework mandates specific controls that go beyond traditional risk management:
24-Hour Incident Notification
ADGM-regulated firms must now report material cyber incidents to the FSRA within 24 hours of detection. This isn't a best practice—it's a legal requirement with enforcement mechanisms. Our incident response services help firms meet this mandate.
Asset Classification Requirements
Firms must maintain a current ICT asset inventory classified by confidentiality and business criticality, including third-party assets. Auditors ask to see these inventories, along with cyber-risk assessments that are reviewed regularly and at least annually.
Third-Party Contractual Obligations
Your agreements with cloud providers, MSPs, and SaaS vendors must now include specific security clauses addressing incident notification, data protection, and audit rights.
What does DIFC (DFSA GEN 5.5) require for cybersecurity?
While DIFC's approach through DFSA Rulebook GEN 5.5 maintains flexibility—allowing firms to adopt ISO 27001, NIST CSF, CIS Controls, or G7 Cybersecurity Principles—the expectations have sharpened in 2026.
The DFSA's 2025-2026 Business Plan emphasizes "meaningful outcomes" over checkbox compliance. Recent examinations focus on:
Board Accountability
Cyber risk must be on your board agenda with documented evidence of oversight. The DFSA expects to see governing body approval of your cyber risk framework—not just IT department sign-off.
Core Technical Controls
Firms must implement and evidence baseline technical controls in proportion to asset criticality: anti-malware with automatic scanning, network-perimeter monitoring, and least-privilege access. The DFSA also operates a Threat Intelligence Platform (TIP); participation is voluntary and free for DIFC firms, and it strengthens posture but is not an audited requirement.
Data Protection Integration
Cyber risk management and data protection are now examined as integrated functions under DIFC Data Protection Law No. 5 of 2020. Separate programs without coordination are flagged as gaps.
Is it too late to prepare for the 2026 requirements?
If you were preparing for these requirements, preparation time is over. Across the UAE, financial regulators are actively using their enforcement powers—fines, restrictions, and personal sanctions—so the cost of not being able to evidence compliance is no longer theoretical.
The question for February 2026 isn't whether you're familiar with these frameworks—it's whether you can demonstrate continuous compliance with legally binding requirements.