
Important Changes in Cyber Risk Management Regulation in Abu Dhabi: What the FSRA’s New Requirements Mean for Firms

Oct 28, 2025

Written by Khurem Ali, Senior GRC Analyst at Abacus Group

Significant changes to cyber risk management regulatory requirements are being implemented for financial firms operating in Abu Dhabi. The Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) has announced that a new Cyber Risk Management Framework requirement will come into force on January 31, 2026. The changes follow feedback on proposals in the authority’s Consultation Paper No. 3 of 2025, which emphasized the UAE’s increased focus on cyber threats and the need to protect its financial ecosystem.

Similar to the Thematic Review published by the DFSA for Dubai, the released enhancements from the FSRA outline a broader regulatory push for increased cyber resilience in the region. As noted by the FSRA in the consultation paper, “the varying levels of cyber resilience across firms have resulted in incomplete protection for the sector as a whole, due to its interconnected nature and reliance on outsourced services. To enhance overall cyber resilience, it is essential for all industry participants to establish a consistent baseline of security measures.”

The New Cyber Risk Management Framework Rules

The implemented changes use a risk-based approach applied to the wide range of financial sector firms licensed by the ADGM, such as banks and investment businesses, plus recognized bodies, including investment exchanges and clearing houses.

The rules will require firms to identify and assess their cyber risks and to establish and maintain their Cyber Risk Management Framework (CRMF), commensurate with the size, nature and complexity of their business.

Firms are expected to integrate their CRMF into their overall risk frameworks and to address prevention and mitigation. They must ensure they have appropriate governance systems and controls as part of the CRMF, with continuous monitoring and reporting of their effectiveness. 

The new regulatory requirements include updates to the following risk management practices:

  • Third-Party Risk Oversight: Firms must implement robust controls and due diligence processes for third-party ICT service providers.
  • Governance and Testing: Senior Management/Governing Body must ensure cyber risks are identified and managed effectively. Additionally, firms are required to conduct regular monitoring and testing of their systems and controls, e.g., vulnerability assessments, penetration testing, and red teaming.
  • Response and Recovery: Firms must establish, maintain, and regularly test a robust cyber incident response plan to ensure timely recovery and mitigation of consequences.
  • Incident Notification: Firms must notify the FSRA immediately and no later than 24 hours after becoming aware that a material cyber incident has occurred.

Let’s dive deeper into one of the updated requirements, incident reporting.

Incident Reporting Requirements

Each firm has a duty to manage and control cyber incidents and to notify the FSRA when such incidents are “material.” Materiality factors include operational, financial and reputational impact and whether the incident has to be reported to other regulators. 

Notification of such incidents must take place no later than 24 hours after the firm becomes aware of the incident, regardless of weekends or public holidays. The purpose is to spur firms into faster mitigation to reduce the level of impact and minimize the potential for contagion across the ecosystem.

The consultation paper pointed out that since existing rules already require immediate reporting to the FSRA of “material issues,” the new requirement is not a significant extra burden. Initial reporting need only cover the preliminary information known at the time to the relevant firm.

The Broader Context of Increased Focus on Resilience in the UAE 

The most recent update from the FSRA reflects the broader shift across regulatory bodies towards prioritizing cyber resilience, with the expectation that financial firms view compliance as much more than a “box-ticking” exercise. This requires them to stay abreast of requirements and continuously update their frameworks. The FSRA wants firms to be honest about their standing and take strides to drive genuine improvement, supporting the resilience of the region’s ecosystem as a whole in the process.

If we take a step back and look at these new rules in the round, we can see they align with international best practices while also showcasing the FSRA’s preferred approach of prioritizing risk mitigation, accountability, and transparency. The UAE, of which Abu Dhabi is part, was on the Paris-based Financial Action Task Force’s global grey list until authorities like the FSRA in Abu Dhabi and the DFSA in Dubai invested time and effort into improving cyber resilience to attract more business and protect their own financial integrity. The UAE’s broader reforms - spanning financial integrity, governance, anti-money laundering (AML), and Countering Financing of Terrorism (CTF) frameworks - have reinforced regulators’ focus on cyber resilience as a pillar of trust and global credibility.

There are differences in the regulations outlined by Abu Dhabi and its neighbor, Dubai, but both bodies have demonstrated a shift towards proactive and risk-based governance. Evolving standards are a signal that compliance has become vital both to survival and to success in the region. In a market as competitive and reputation-driven as the UAE, compliance isn’t optional, it’s mandatory.

At Abacus, our team of cybersecurity experts can help you navigate the FSRA’s new regulations and build a compliance strategy that strengthens your firm’s resilience across the globe. To learn more, contact us today.
