The Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market (ADGM) brought its amended cyber risk management rules into force on 31 January 2026. For the firms it covers, the framework is now a continuous obligation: one the FSRA expects to be owned at board level, evidenced on request and kept current as risk changes.
The rules were issued on 29 July 2025 and reach every Authorised Person and Recognised Body in ADGM. They sit in a dedicated cyber risk management section of the FSRA’s General Rulebook and build on the regulator’s earlier work: its Governance Principles and Practices to Mitigate Cyber Threats and Crime, and its Information Technology Risk Management Guidance. The requirement is to integrate cyber risk management into a firm’s existing risk framework and scale it to the business, so a clearing house is held to more than a small advisory company.
Three obligations carry the most weight. They are also the three where a settled arrangement quietly falls short.
The first is governance. The framework must be written down and approved by the governing body, then reviewed as risk changes. A policy that exists but was never signed off, or was signed off once and left untouched, does not meet the standard. Accountability sits with the governing body, which must be able to show its own oversight.
The second is the notification clock. A material cyber incident must reach the FSRA within 24 hours of the company becoming aware of it, weekends and public holidays included. That is not long once an incident is live. The work that makes the deadline achievable – a tested response plan, a clear view of what counts as material, named people who can act – has to be in place beforehand, because an incident leaves no time to assemble it.
The third is the supply chain. The rules reach the information and communications technology (ICT) services a company relies on, including subcontractors. Contracts must require providers to report material incidents and cooperate on remediation, and the company must hold an inventory of those providers and weigh the risk each one carries. Oversight no longer stops at the company’s own perimeter.
Little of this is new ground. The FSRA has stayed close to international practice, so anyone already working under the EU’s operational resilience regime will recognise the shape of it. What changed on 31 January is that the standard became live and examinable.
After a deadline, what matters is evidence. Can the company show the framework working: the board minute approving it, the incident plan tested against the clock, the provider inventory current and dated? If you cannot point to those three today, that is the gap, and closing it is the work we do.
References