On July 29, 2025, the FSRA announced new requirements designed to improve the cybersecurity risk management practices of the Authorised Persons and Recognised Bodies (collectively referred to as covered entities) in the ADGM. The implementation of this new framework follows extensive industry engagement and incorporates feedback received on Consultation Paper No. 3 of 2025. Firms operating or expanding into the ADGM must act now to ensure that their cyber risk management practices align with these new requirements before the January 31, 2026, compliance deadline.
Key Elements of the FSRA’s Cybersecurity Requirements
The FSRA now requires covered entities to better identify, assess, and manage cybersecurity risks across their firms by:
- Establishing and maintaining a Cyber Risk Management Framework (CRMF): Covered entities must implement a CRMF that can effectively identify, assess, and manage cyber risks. The CRMF must be formally documented and approved by the firm’s Governing Body and:
  - Include controls and cybersecurity systems that are proportionate to the covered entity’s cyber risks.
  - Establish clear roles and responsibilities for cyber risk management, including roles and responsibilities during cyber incidents.
  - Identify and assess the covered entity’s cyber risks.
  - Protect the firm’s information communication technology (ICT).
  - Prepare the covered entity to respond to cyber incidents.
  The CRMF should be reviewed at least annually to ensure it remains effective and up to date.
- Enhancing oversight of third-party cyber risk: Covered entities are expected to manage the cyber risks presented by third-party providers and will be responsible for ensuring that third parties comply with relevant cybersecurity obligations. They must:
  - Conduct due diligence and ongoing monitoring of third parties providing ICT services to ensure they meet appropriate cybersecurity standards.
  - Establish contractual arrangements with ICT providers.
  - Require ICT providers to notify covered entities about cyber incidents and to cooperate in the remediation of cyber incidents.
- Establishing senior-level cybersecurity oversight: Covered entities must ensure their Governing Body and senior management are able to provide appropriate oversight of the CRMF. This oversight should focus on ensuring that cyber risks are adequately identified and addressed and that the individuals responsible for managing cyber risks have the appropriate skills and expertise to do so.
- Creating a cyber risk assessment and maintaining ICT assets: This assessment should include a review of each ICT asset’s cyber risk, criticality, and access to confidential information. It should also document the controls, monitoring, and testing that have been put in place to manage the risks associated with these assets. The risk assessment should be updated at least annually.
- Protecting ICT assets from cyber incidents: Covered entities are expected to implement and maintain a variety of controls to protect their ICT assets. These include:
  - Up-to-date anti-malware software
  - Network security controls and monitoring
  - Access management controls that are regularly reviewed and updated and that grant only the minimum access to IT systems required for each role
  - IT system and network protections, including strong authentication requirements and multi-factor authentication (or equivalent) protections
  - Change management processes that account for cyber risk during updates to IT systems and networks
  - Software updating processes and procedures to address security vulnerabilities
  - Encryption of data in transit, at rest, and at destruction
  - Limited physical access to data centers and server rooms
  - Annual cybersecurity training
- Monitoring and testing the CRMF: Covered entities should conduct ongoing monitoring of the effectiveness of their cyber controls and CRMF. This should include annual resilience testing of systems and networks (e.g., penetration testing and vulnerability assessments), remediation of issues identified in testing, and reporting of testing results to senior management or the Governing Body.
- Effectively preparing for and responding to cyber incidents: Covered entities are expected to continuously monitor their systems and networks for cyber incidents or anomalies and to establish a process to escalate and respond to suspected or actual cyber incidents. This includes creating and maintaining a formal incident response plan that is tested, reviewed at least annually, and updated when appropriate.
If a cyber incident is detected, the covered entity must take immediate action to contain the incident and begin the recovery process outlined in its incident response plan. If the incident or suspected incident is determined to be material, the FSRA must be notified immediately, and in any case no later than 24 hours after the incident has been detected.
Preparing for the January 31, 2026, Compliance Deadline
Firms should consider taking the following steps prior to the January 31, 2026, compliance deadline:
- Conduct a gap analysis between the FSRA’s requirements and the firm’s current cybersecurity policies, procedures, and controls, and establish remediation plans for gaps identified.
- Review the firm’s third-party risk management framework to ensure that proper due diligence is being conducted on ICT vendors, that an inventory of ICT vendors is being maintained, and that contracts include the language necessary to establish that vendors will comply with the FSRA’s cybersecurity standards.
- Conduct a cyber risk assessment along with penetration testing, vulnerability scans, and other testing activities on the firm’s networks and systems to identify weaknesses in the firm’s cybersecurity defenses prior to the compliance deadline.
- Review the firm’s incident response plan and conduct tabletop exercises to ensure the firm can meet the FSRA’s 24-hour reporting deadline for material incidents.
Partner with ACA to Comply
Uncertain about your firm’s ability to meet the FSRA’s new cybersecurity requirements? We can help!
We offer a wide range of cybersecurity solutions and products, backed by a deep understanding of the UAE’s unique regulatory environment, to ensure your firm’s cybersecurity program can meet evolving regulatory expectations and reduce the risk of cyber incidents. Please reach out to learn more about how ACA can support you with our:
- Cybersecurity Risk Assessment
- FSRA Regulatory Gap Assessment
- Penetration Testing
- Incident Response Planning and Tabletop Exercises