Understanding the ADGM Cyber Risk Framework: Insights from Consultation Paper 3 of 2025

The Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) has published Consultation Paper 3 of 2025, proposing a comprehensive set of binding cyber risk management rules. These measures will apply to all Authorised Persons and Recognised Bodies operating within ADGM and represent a significant regulatory advancement designed to harmonise cybersecurity requirements for financial firms.
As the financial sector continues to embrace digital transformation, the FSRA is taking proactive steps to address escalating cyber threats. Under the ADGM cyber risk framework, entities will be required to implement robust risk management structures, enhance third-party oversight and adhere to stringent incident reporting protocols.
The FSRA welcomes industry responses to Consultation Paper 3 of 2025 until 11 June 2025. Firms may submit their comments by email or post, and confidentiality will be maintained upon request.
Email: fsra.consultation@adgm.com
Postal Address:
Consultation Paper 3 of 2025
FSRA, ADGM Square, Al Maryah Island
P.O. Box 111999, Abu Dhabi, UAE
We encourage all stakeholders—particularly those with insights on implementation feasibility or operational impact—to share their perspectives.
Rationale for reform
These proposed cybersecurity requirements for financial firms seek to eliminate vulnerabilities within ADGM’s interconnected market ecosystem. Cybercrime poses a systemic hazard to financial stability, and uneven preparedness among firms can create sector-wide weak points. The FSRA’s Consultation Paper 3 of 2025 aims to establish a consistent baseline of controls, safeguarding clients, firms and the broader market.
Moreover, these reforms align with the UAE’s national cybersecurity strategy and current preparations for the upcoming FATF Mutual Evaluation. By introducing the ADGM cyber risk framework, the FSRA promotes uniform standards across the financial industry and encourages firms to elevate their cyber risk practices.
What is the FSRA proposing?
The following summarises the principal elements of the ADGM cyber risk framework proposed in Consultation Paper 3 of 2025:
1. Mandatory Cyber Risk Management Framework (CRMF)
Firms must adopt a risk-based CRMF that is approved by the board and integrated into their overarching risk governance structure.
2. Expanded scope
Recognised Bodies—including exchanges and clearing houses—will be subject to the same cybersecurity requirements for financial firms as Authorised Persons.
3. Enhanced third-party oversight
ICT providers (e.g. cloud, software vendors) will face rigorous due diligence, contractual protections and ongoing supervision requirements.
4. Regular testing and monitoring
Firms must conduct vulnerability assessments, red teaming and penetration testing (at a minimum annually for internet-facing systems) and maintain internal reporting mechanisms.
5. Technical safeguards
Controls covering malware defence, encryption, access management, change control processes and staff training are mandated.
6. Prompt incident reporting
Material cyber incidents must be reported within 24 hours of identification—regardless of weekends or public holidays. Initial reports may consist of preliminary data to minimise regulatory burden while ensuring swift mitigation and coordination.
7. Implementation period
A three-month transition window will be granted once the ADGM cyber risk framework is finalised.
Supervisory and reporting regime
Post-implementation, the FSRA intends to undertake thematic or risk-based reviews to assess adherence to the new rules. Depending on outcomes, a requirement for an annual Cyber Risk Management Return may be introduced to enhance transparency and allow continuous supervisory engagement.
This outcome-focused approach aligns with the FSRA’s data-driven risk mitigation philosophy and reinforces the importance of the cybersecurity requirements for financial firms set out in Consultation Paper 3 of 2025.
Our view and responses to the FSRA’s consultation questions
Question 1: Are there any specific aspects of the Cyber Risk Rules that are likely to present material challenges for firms?
Yes. Smaller firms may struggle with technical controls such as privileged-access monitoring, red-teaming or third-party audits. The FSRA may wish to consider scalable obligations or phased requirements for different firm sizes.
Question 2: Do you agree with the requirement for firms to establish and maintain a CRMF?
Yes. Establishing a CRMF ensures that cybersecurity requirements for financial firms are not only clearly defined but institutionally embedded in day-to-day governance.
Question 3: Do you agree with the CRMF being integrated within a firm’s overall risk management framework?
Absolutely. This creates accountability at board level and ensures that cyber risk is treated on a par with operational, credit and market risks.
Question 4: Do firms need three months to effect compliance, or is this too short or too long?
Three months is suitable for most firms already familiar with the FSRA’s IT Guidance. But newer or smaller firms may need six months—especially if developing a CRMF from scratch or renegotiating vendor contracts.
Question 5: Do you agree with the requirement to notify material cyber incidents within 24 hours?
Yes. This standard aligns with global benchmarks and enhances incident-response coordination. Since firms must already report significant incidents under GEN 8.10.6, this won’t add regulatory burden.
Question 6: Do you agree with the introduction of an annual Cyber Risk Management Return in due course?
Yes. An annual return will provide visibility over how firms are adapting to evolving threats and maturing their cyber controls under the ADGM cyber risk framework.
Question 7: Do you have any other comments on the proposals?
The FSRA might consider publishing common scenarios or anonymised findings from its future post-implementation reviews. This could give firms benchmarks to assess their own maturity and foster peer learning.
Question 8: Do you have any comments on the proposed miscellaneous amendments included in Appendices 2, 3 and 5?
The clean-up and alignment changes are welcome, especially where they streamline incident notification and integrate cyber into broader prudential and conduct rules under the wider ADGM cyber risk framework.
How Equiom Can Assist
If you require support in assessing the impact of Consultation Paper 3 of 2025 on your operations, or guidance on developing a compliant CRMF, third-party review process or consultation response, Equiom’s Governance, Risk and Compliance (GRC) specialists are on hand to help. Get in touch with our team today.
This article has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. This article cannot be relied upon to cover specific situations, and you should not act, or refrain from acting, upon the information contained within this article without obtaining specific professional advice. Please contact Equiom to discuss these matters in the context of your particular circumstances. Equiom Group, its partners, employees, and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this article or for any decision based on it.