
Are You Ready for the Updated FSRA Cyber Risk Framework Requirements?

Jan 29, 2026

Significant changes to cyber risk management requirements will be enforced for financial firms operating in Abu Dhabi at the end of the month. Is your firm ready for it? 

As of January 31, 2026, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) will officially implement its new Cyber Risk Management Framework (CRMF) rules. 

These rules follow extensive feedback on Consultation Paper No. 3 of 2025 and reflect the UAE’s heightened focus on advancing cyber resilience across the financial sector. 

Mirroring the direction set by other regulatory bodies, including the Digital Operational Resilience Act (DORA) in the EU and the Dubai Financial Services Authority (DFSA) in Dubai, the FSRA’s final enhancements solidify a region‑wide regulatory shift. As emphasized in the consultation paper, varying levels of cyber maturity across firms are leaving the broader ecosystem vulnerable. By establishing a consistent baseline of security measures, the FSRA aims to ensure stronger protection for all participants in an increasingly interconnected financial environment. 

What the New CRMF Rules Require

The rules apply to the full spectrum of ADGM‑licensed financial institutions, including banks, investment firms, and recognized bodies such as exchanges and clearing houses. Under the rules, firms must meet the following requirements.

1. Establish and Maintain a Cyber Risk Management Framework

Firms are expected to identify, assess, and manage cyber risks using a risk-based approach proportional to their size, nature, and operational complexity. The CRMF must be integrated into broader risk governance frameworks and include controls for prevention, mitigation, and continuous oversight.

Consider:

  • Do you regularly maintain an up-to-date inventory of information assets, applications and data processes across all environments, including cloud-based services? 
  • Are your cyber policies current, appropriate for your organizational complexity, and reviewed annually? 

2. Strengthen Governance and Testing

Senior Management and your Governing Body are responsible for ensuring cyber risks are properly identified and controlled. Firms must conduct ongoing monitoring and regular testing, such as vulnerability assessments, penetration testing, and red‑team exercises, to validate the effectiveness of their defenses. 

Consider:

  • Is cyber risk clearly included as part of your risk appetite, risk register, and board Risk Committee goals? 
  • Do you have an explicitly identified senior team member who owns cyber risk and incident response? Are their responsibilities clearly defined? 
  • Have you briefed your board on FSRA’s new Cyber Risk Management Framework?  
  • Do senior management and the board receive regular cyber risk reporting with meaningful metrics to help them oversee and manage cyber risk decisions? 

3. Enhance Third‑Party Risk Oversight 

Given the sector’s reliance on outsourced technology and cloud service providers, firms must implement robust due diligence, monitoring, and contractual controls to manage third‑party ICT risks. 

Consider:

  • Do you have an outsourced IT and/or cybersecurity provider? Do you know critical information about the provider, including the services they provide you, their access levels, and how to contact them in case of an incident? Do you know if your terms or processes need to be updated to meet the changing FSRA standards?
  • If you have an outsourced provider, are they independently audited for assurance of security? 
  • Do you know your critical technologies and how your data is handled and protected? 

4. Formalize Incident Response and Recovery 

Firms must maintain and routinely test a comprehensive cyber incident response plan designed to minimize operational disruption and ensure timely recovery. 

Consider:

  • Do you have a written incident response plan?  
  • When was the last time you tested your incident response plan? Do you have a documented policy for regular tests?  

5. Comply With 24‑Hour Incident Notification Requirements 

There is a new tightened timeline for notifying the FSRA of material cyber incidents. Firms must report such incidents immediately and no later than 24 hours after becoming aware of them. 

Consider:

  • Do you have a process in place so you can notify FSRA within 24 hours of a material incident?
  • Do you have a process in place so you can provide FSRA clear follow-up reports post incident? 

Increasing Resiliency in the Region Through Clear Regulatory Direction 

While the new FSRA requirements place higher expectations on firms, they ultimately translate to meaningful benefits for clients across the financial ecosystem. Stronger, more consistent cyber risk management directly enhances trust, stability, and long‑term security for the individuals and institutions relying on ADGM‑regulated firms. Benefits include: 

  • Greater Protection of Client Data and Assets: Clients benefit from more secure handling of sensitive information, stronger safeguards against breaches, and a reduced likelihood of cyber incidents.
  • More Reliable and Resilient Services: A well‑structured CRMF reduces outages, disruptions, and downtime.
  • Increased Transparency and Accountability: Stronger governance and reporting rules ensure faster detection, escalation, and response. 
  • A More Stable and Competitive Financial Environment: Consistent baseline standards reduce systemic risks and support a stronger financial ecosystem. 
  • Confidence in a Globally Aligned Regulatory System: Alignment with international best practices reassures clients seeking mature and credible regulatory environments.

Work with Abacus to Meet Regulatory Requirements & Create Organizational Resilience

With FSRA’s rules going into effect, firms must ensure their governance practices, technical stack, and incident response capabilities meet regulatory expectations. 

At Abacus, our specialists help financial firms navigate regulatory requirements, implement best-in-class proactive security solutions, deliver advanced cybersecurity testing, and more. With experience across the globe helping firms stay secure and compliant with requirements, including DFSA, FSRA, DORA, MAS, and SEC, we offer tailored solutions and a consultative approach.

If your firm is operating within Abu Dhabi, Abacus can assist in creating tailored policies to meet FSRA expectations, creating clear documentation to facilitate compliance with the new standards. Specializing in serving financial services firms, we are positioned to help organizations across the globe protect their data and meet regulatory requirements. To learn more, contact us today.
