The Financial Services Regulatory Authority (FSRA) of ADGM has finalised amendments to its regulatory framework requiring authorised firms and recognised bodies to formally integrate cyber risk management into their existing risk systems.
The new rules, which take effect from January 31, 2026, follow industry consultation through Consultation Paper No. 3 of 2025. The FSRA said the revisions align with its broader efforts to strengthen operational resilience across ADGM-regulated entities.
Under the updated framework, firms must incorporate cyber risk controls into their governance and risk management structures. This includes compliance with existing FSRA guidance on information technology risk and cyber threat mitigation, as well as clearer oversight of third-party IT service arrangements.
The FSRA confirmed that feedback from the consultation supported the new requirements and led to several adjustments. These include a six-month transition period, enhanced guidance on proportional application of the rules, and clarification on integration expectations for firms of varying size and complexity.
The regulator also said it has updated guidance to help firms assess the materiality of cyber incidents and plans to release a revised notification template for cyber events before the end of 2025.
Emmanuel Givanakis, Chief Executive of the FSRA, said the changes are intended to ensure firms remain aligned with evolving global standards in cybersecurity and risk governance.
ADGM has recently taken steps to position itself as a jurisdiction for digital finance, with increasing focus on cybersecurity amid growing threats to financial infrastructure. The latest amendments come as regulators globally push for stronger cyber oversight, including requirements around incident reporting, governance structures, and service provider accountability.
Firms operating within ADGM have until the end of January 2026 to fully comply with the new rules.
