What the DFSA’s cyber, AI and quantum report signals for DIFC companies

The regulator has set out where its supervision of digital risk is heading. For boards and compliance teams in the DIFC, the report previews the questions they will be expected to answer.


The Dubai Financial Services Authority (DFSA) has set out where its supervision of digital risk is heading. Its report on cyber, artificial intelligence (AI) and quantum risk reads as a preview: it shows the practice the regulator expects to see, and where a settled security arrangement may quietly fall short. For a company in the Dubai International Financial Centre (DIFC), that preview is worth more than any single rule, because it shows the direction before the direction becomes an obligation.

Published in June 2025, the report followed the DFSA’s inaugural Cyber and AI Risk Regulatory College, held the previous month. That meeting drew 70 representatives from 18 financial authorities across the Middle East, North America, Europe, Africa and Asia, alongside experts from the Bank for International Settlements Innovation Hub and the International Monetary Fund. The report also sets the DFSA’s own work in context, including the first regulator-led Cyber Threat Intelligence Platform in the Middle East and sector-wide cyber simulation exercises. It distils what that group is watching across three areas: cyber, quantum and AI.

Cyber: the theme is concentration

The report treats the cyber threat landscape as well mapped, while noting how its character is shifting. Attacks are growing in frequency and sophistication, but the emphasis falls on concentration. As financial institutions rely on a small number of cloud and technology providers for critical services, those providers become single points of failure, and an incident at one can cascade across the system. Supply-chain compromise, where one vulnerable vendor opens a path into many institutions, sits at the centre of this concern.

Two further shifts stand out. Attackers increasingly use legitimate tools already present on a network (the approach usually called living off the land), which leaves little trace and is harder to detect than malware brought in from outside. And AI is being turned to offensive use, sharpening phishing and generating convincing deepfakes and synthetic voice. Against this, the report describes supervision moving from pilot programmes towards established cyber supervisory regimes, with outcome-focused, principle-based requirements that place cyber risk at board level. Threat intelligence sharing, supply-chain mapping, scenario-based resilience testing and clear incident reporting are the practices it points to.

Quantum: a slow risk that rewards early work

Quantum computing is the area where the timeline is longest and the preparation most deliberate. The report explains that a sufficiently capable quantum computer could break the public-key cryptography – such as RSA and ECC – that secures banking, payments and interbank communication. Such a machine does not yet exist. The report projects that a cryptographically relevant quantum computer could emerge within a decade, with estimates ranging from 2030 to 2040. The exposure is concentrated in key exchange and digital signatures: symmetric encryption and hashing lose some security margin but are not broken outright, which is why the migration effort centres on the public-key schemes.

One element of the risk is already present: the tactic the report calls ‘harvest now, decrypt later’, where encrypted data is captured today, stored and decrypted once the capability arrives. For long-lived financial and personal data, that moves a future threat into the present: anything that must stay confidential beyond the point a capable machine arrives is exposed from the moment it is captured. The report frames the response as steady preparation. Build a cryptographic inventory, so the organisation knows which algorithms and key lengths it uses, where they sit (including inside vendor products), and how long the data they protect must remain confidential. Develop crypto-agility, the capacity to change cryptographic systems with little disruption. Set a planned path to post-quantum cryptography, piloting it first on the highest-risk systems. The financial sector, the report notes, is likely to be a prime target, which is the argument for starting early.
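The three steps above can be turned into something a security team can actually run. The following is an added example, not code from the DFSA report or from Penta: it triages a constructed cryptographic inventory, flags the entries already exposed to ‘harvest now, decrypt later’, and orders the rest into a pilot sequence. It assumes the low end of the report’s 2030 to 2040 range as the planning horizon, uses the standard grouping of algorithms (RSA, ECC and Diffie-Hellman broken by a capable quantum computer; 256-bit symmetric keys and digests still adequate), and the systems, algorithms and retention periods in the inventory are invented.

```python
"""Quantum-readiness triage of a cryptographic inventory.

Added example, not code from the DFSA report or from Penta. The inventory
is constructed; taking 2030 (the low end of the report's 2030-2040 range)
as the planning horizon is an assumption.
"""
from dataclasses import dataclass
from datetime import date

# Earliest year in the report's range for a cryptographically relevant
# quantum computer (CRQC). Assumption: plan against the low end.
CRQC_EARLIEST_YEAR = 2030

# Public-key schemes broken outright by a CRQC (Shor's algorithm).
QUANTUM_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# Symmetric ciphers and hashes only lose security margin (Grover's
# algorithm); 256-bit keys and digests of 256 bits or more stay adequate.
SYMMETRIC = {"AES", "CHACHA20"}
HASHES = {"SHA256", "SHA384", "SHA512", "SHA3-256"}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    algorithm: str
    key_bits: int
    purpose: str          # "confidentiality" or "signature"
    retention_years: int  # how long the protected data must stay secret or verifiable


def classify(asset: CryptoAsset) -> str:
    """Return 'quantum-vulnerable', 'review', 'adequate' or 'unknown'."""
    alg = asset.algorithm.upper()
    if alg in QUANTUM_BROKEN:
        return "quantum-vulnerable"
    if alg in SYMMETRIC:
        return "adequate" if asset.key_bits >= 256 else "review"
    if alg in HASHES:
        return "adequate"
    return "unknown"


def hndl_exposed(asset: CryptoAsset, as_of_year: int) -> bool:
    """Harvest-now-decrypt-later: data captured today can be read once a CRQC
    exists, so the risk is present now if a breakable scheme must keep data
    confidential beyond the CRQC horizon. Signatures are not exposed this
    way: forging them later does not reveal what was captured."""
    return (
        asset.purpose == "confidentiality"
        and classify(asset) == "quantum-vulnerable"
        and as_of_year + asset.retention_years > CRQC_EARLIEST_YEAR
    )


def priority(asset: CryptoAsset, as_of_year: int) -> tuple[int, int]:
    """Lower sorts first. Tier 0: present HNDL exposure, longest retention
    first. Tier 1: cannot be assessed (an inventory gap, which is itself a
    finding). Tier 2: other quantum-vulnerable uses, which must be replaced
    before a CRQC arrives rather than before capture. Tier 3: symmetric keys
    below 256 bits. Tier 4: adequate."""
    cls = classify(asset)
    if hndl_exposed(asset, as_of_year):
        return (0, -asset.retention_years)
    if cls == "unknown":
        return (1, 0)
    if cls == "quantum-vulnerable":
        return (2, -asset.retention_years)
    if cls == "review":
        return (3, 0)
    return (4, 0)


def migration_plan(inventory, as_of_year: int) -> list[tuple[str, str, bool]]:
    """Order the inventory so the first entries are the pilot candidates."""
    ranked = sorted(inventory, key=lambda a: priority(a, as_of_year))
    return [(a.system, classify(a), hndl_exposed(a, as_of_year)) for a in ranked]


# Constructed inventory for illustration; every name and value is invented.
INVENTORY = [
    CryptoAsset("core-banking-backups", "RSA", 2048, "confidentiality", 10),
    CryptoAsset("interbank-gateway-tls", "ECDH", 256, "confidentiality", 1),
    CryptoAsset("contract-signing", "RSA", 3072, "signature", 7),
    CryptoAsset("hsm-wrapping-key", "AES", 256, "confidentiality", 10),
    CryptoAsset("legacy-file-transfer", "AES", 128, "confidentiality", 3),
    CryptoAsset("vendor-appliance", "proprietary", 0, "confidentiality", 5),
]

if __name__ == "__main__":
    for system, cls, exposed in migration_plan(INVENTORY, date.today().year):
        print(f"{system:24} {cls:20} HNDL-exposed={exposed}")
```

Run in 2025, the constructed inventory puts the RSA-protected backups first (ten-year retention reaches well past 2030, so captured copies are already at risk), then the vendor appliance whose cryptography nobody can name, then the signing and TLS systems, which need replacing before a capable machine exists but are not leaking anything today. The ‘unknown’ tier is the part practitioners tend to skip: an inventory that cannot classify an entry has found its gap.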

AI: the explainability problem

On AI, the report’s concern is the governance of complexity. As institutions embed sophisticated models in core operations, those models become difficult to interpret, which the report calls the ‘black box’ problem. It separates two ideas that are often merged: interpretability, understanding how a model works inside, and explainability, translating a decision into reasons a person can follow. Both matter for trust, audit and regulatory compliance, and the report sets out established methods for achieving them.

The wider risks track the cyber section. Dependence on a few dominant AI providers, for hardware as much as software, concentrates risk in the way cloud does. The report also flags AI-induced herding, the amplification of historical bias and opaque communication between increasingly autonomous agents. It places the DFSA’s thinking alongside the frameworks supervisors elsewhere are building, among them the European Union’s Digital Operational Resilience Act and AI Act, the UK Prudential Regulation Authority’s work on model risk, and the US National Institute of Standards and Technology’s AI Risk Management Framework. The direction is a balanced approach: room for innovation, held to core requirements of auditability, explainability and accountable governance.

The common thread: operational resilience

What ties the three together is operational resilience. The report is candid that supervisors understand operational risk well, while operational resilience, in the face of systemic cyber risk, is less developed. That gap is the report’s real subject, and it is the one most useful to a DIFC board. The practical test is plain. Who owns each of these topics today? A company that cannot name the person accountable for AI governance, for concentration risk, or for its path to post-quantum cryptography has found its gap, and has found it before a supervisor does.

Digital risks are no longer peripheral – they are fast becoming systemic.
Justin Baldacchino, Managing Director, Supervision, DFSA

None of this calls for alarm. It calls for the topic to sit on the board agenda, with a named owner and a plan that can be shown when a supervisor asks. The report is forward-looking by design, and nothing in it is a deadline, which is the reason to act now, while there is room to prepare without pressure. That is the groundwork Penta helps companies in the DIFC put in place, so that the supervisory conversation becomes one they are ready for.


References

  1. Dubai Financial Services Authority, ‘New DFSA report explores regulatory insights into cybersecurity, Artificial Intelligence, and quantum risks’, 30 June 2025 (primary source).
  2. Dubai Financial Services Authority, Cyber and Artificial Intelligence Risk in Financial Services: Strengthening Oversight Through International Dialogue, full report (PDF, 20 pages), June 2025.

Lester Pinto

Regional Manager

Lester Pinto is Regional Manager at Penta, where he manages client relationships and ensures seamless delivery of IT services tailored to regulated industries. With a focus on understanding business needs and translating them into secure, compliant solutions, he plays a pivotal role in maintaining long-term partnerships and supporting clients through complex IT and compliance challenges.
