Cloud Hosting in ADGM

What’s allowed, what’s risky, and what’s working – guidance for firms evaluating Azure, AWS, or private hosting options in line with FSRA


Cloud has become the backbone of modern IT – and in Abu Dhabi Global Market (ADGM), moving to Azure, AWS, or any private hosting platform isn’t just a technology choice, it’s a regulatory decision.

The Financial Services Regulatory Authority (FSRA) allows cloud use, but only under strict outsourcing and IT risk rules that put accountability squarely on the regulated firm.

For ADGM-based CEOs, CISOs and compliance leaders, understanding what’s permitted – and how to prove you’re in control – is the difference between innovation and a compliance headache. 

FSRA’s view on cloud

Cloud is not off-limits for ADGM firms, but the FSRA treats it as a form of outsourcing with clear compliance obligations.

GEN 3.3 of the FSRA General Rulebook requires firms to maintain robust systems and controls, and GEN 3.3.31 makes clear that outsourcing does not transfer responsibility – the regulated firm remains fully accountable.

FSRA’s November 2024 IT Risk Management Guidance includes a dedicated section on cloud computing. It calls for due diligence on providers, logical separation of client data in multi-tenant environments, and a clear understanding of where data resides.

“FSRA isn’t against cloud – but you must prove risk and compliance are fully managed,” says Mohammad Hammoudeh of Penta.

Key risks to assess

  • Cross-border data: Public cloud regions may store data outside the UAE. Firms must map data locations and ensure ADGM Data Protection Regulations are met, using contractual safeguards for transfers.
  • Third-party controls: Cloud providers become critical vendors. FSRA expects documented due diligence covering security certifications, resilience, and subcontractor management. Contracts should include rights to independent audit reports. “Trust but verify,” says Hammoudeh. 
  • Availability: Outages in public cloud can disrupt regulated services. FSRA expects firms to evaluate provider resilience, integrate this into their own continuity plans, and test recovery of cloud-hosted systems regularly.
  • Regulatory access: Outsourcing must not reduce FSRA’s ability to supervise. Contracts need clauses allowing regulator access to data and audit trails. 

Documentation and auditability 

Material cloud hosting projects require FSRA notification and a formal outsourcing contract under GEN 3.3.32. The agreement must cover SLAs, security obligations, breach notifications, and allow regulatory oversight. FSRA guidance also stresses maintaining evidence – risk assessments, audit reports, and monitoring logs – to demonstrate control. 

Data protection clauses are essential. Providers must commit to complying with ADGM’s Data Protection Regulations and supporting firms’ obligations as data controllers. Maintaining an up-to-date inventory of what data sits where is also expected. 

“Having a structured risk assessment and mapped control framework is key to satisfying FSRA auditors,” notes Hammoudeh. 

What works in practice 

ADGM firms are finding success with: 

  • Hybrid models: Keeping critical systems on private or UAE-based infrastructure while moving less sensitive workloads to Azure or AWS. FSRA guidance supports multi-cloud if risks are managed.
  • Trusted providers: Using cloud infrastructure with UAE regions or local providers who understand FSRA obligations. Industry-specific SaaS platforms audited for financial services are also gaining traction.
  • Strong vendor oversight: Treating the cloud provider as part of the control environment with clear SLAs, regular service reviews, and compliance reporting.
  • Continuous monitoring: Leveraging native tools and independent assessments to monitor cloud configurations and enforce policies such as encryption and data residency. 

“A phased approach works best – start with less critical systems and build maturity before migrating sensitive workloads,” says Hammoudeh.

Practical tips for ADGM firms 

  1. Classify data: Identify which systems and data can move to public cloud and which require private or hybrid setups.
  2. Conduct a risk assessment: Use FSRA’s IT Risk Management Guidance as a checklist and document mitigations.
  3. Choose regions wisely: Prefer UAE or approved jurisdictions and ensure legal safeguards for transfers.
  4. Build controls in: Enforce strong identity management, encryption, and logging in the cloud environment.
  5. Tighten contracts: Include compliance clauses, breach notification timelines, audit rights, and exit support.
  6. Plan for exit: Document a termination and data migration plan from day one.
  7. Engage stakeholders: Involve compliance and risk teams early and train staff on new processes. 

How Penta helps 

Penta supports ADGM firms in building compliant, resilient cloud strategies. Services include readiness assessments, drafting FSRA outsourcing notifications, and designing secure hybrid architectures.  

“Our role is bridging technology and compliance,” says Hammoudeh. “We help evaluate providers, draft controls and contracts, and implement continuous monitoring so firms can innovate in the cloud without compromising regulatory obligations.” 

With careful planning and expert support, ADGM firms can harness Azure, AWS, or private hosting while staying fully aligned with FSRA’s IT risk and outsourcing requirements. 

Lester Pinto

Regional Manager

Lester Pinto is Regional Manager at Penta, where he manages client relationships and ensures seamless delivery of IT services tailored to regulated industries. With a focus on understanding business needs and translating them into secure, compliant solutions, he plays a pivotal role in maintaining long-term partnerships and supporting clients through complex IT and compliance challenges.
