Post by : Mariam
Al-Faris
Photo: WAM
The Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) has announced new rules for financial companies to help protect them from cyber threats. These updated rules focus on improving how companies manage cyber risks. All affected companies must follow these new rules starting from January 31, 2026.
The updated rules apply to Authorised Persons and Recognised Bodies that operate under ADGM’s regulatory system. These are companies and organisations that provide financial services and are officially approved to work under ADGM.
Rules Made After Industry Feedback
These changes were not made suddenly. The FSRA spent time talking with people and companies in the financial industry. This included meetings, feedback sessions, and a formal Consultation Paper No. 3 of 2025. Many companies shared their views, which helped the FSRA decide what changes were needed and how to make them clear and fair.
The FSRA carefully studied this feedback and used it to improve the rules before making them final. Because the feedback was mostly supportive, the FSRA felt confident that these changes were the right step forward.
Cyber Risks Must Be Included in Risk Plans
One of the biggest changes in the new rules is that companies must now include cyber risks as part of their regular risk planning. This means that managing threats like hacking, data theft, and cyberattacks must become a regular part of how financial firms manage risk.
Before this, many companies treated cyber risks as something separate. But the FSRA now wants firms to understand that cyber threats are just as important as other risks—like fraud or market problems—and should be treated in the same way.
Based on Existing Guidance and Global Standards
The new rules are not starting from zero. They build on the FSRA’s earlier work, such as:
- Information Technology Risk Management Guidance, and
- Governance Principles and Practices to Mitigate Cyber Threats and Crime.
These earlier documents already encouraged companies to take cyber threats seriously. The updated rules make these suggestions stronger and clearer by turning them into requirements.
Also, the FSRA is making sure these rules are in line with international best practices. This will help ADGM continue to be seen as a safe and respected place for global financial activity.
Six-Month Period Given for Compliance
To help companies follow the new rules properly, the FSRA is giving them six months to prepare. This means companies have from now until January 31, 2026, to make any changes needed to their systems and processes.
This time will help firms train their staff, adjust their risk plans, and make sure their IT systems are ready to meet the new standards. The FSRA believes that this is a reasonable period and will help avoid confusion or rushed mistakes.
Focus on Proportionality and Integration
Not all companies are the same. Some are large with many staff and high-risk operations, while others are small or have simple activities. Because of this, the FSRA has made sure the new rules follow the principle of proportionality.
This means the level of cyber protection needed depends on the size and type of the business. Small firms won’t have to follow the same strict measures as very large banks, for example. Each firm will be expected to manage cyber risk at a level that makes sense for its business.
Also, the rules stress integration, which means cyber risk should not be kept separate from other risk processes. Instead, companies must connect it with their whole risk management framework.
Clearer Rules for IT Service Providers
Many financial companies use outside IT service providers to handle parts of their computer systems, websites, or online tools. The FSRA has updated the rules to make it clearer what these companies must do when they work with such IT providers.
Companies must now make sure that their IT service providers also follow strong cyber safety rules. This helps to reduce the risk that a weak link in an outside company could lead to cyber problems for a financial firm.
This part of the rule encourages firms to ask better questions and monitor their service providers more closely.
Help with Reporting Cyber Incidents
Another important change is related to reporting cyber incidents. If a company faces a cyberattack or any security problem involving data, it must report this to the FSRA.
To make this easier, the FSRA has improved its guidance to help firms decide whether a cyber problem is serious enough to be reported. The guidance explains how to measure the “materiality” of a cyber event—basically, how big or harmful it is.
In addition, the FSRA is working on a new cyber incident notification template, which it plans to release before the end of 2025. This form will help firms report cyber events in a clear and standard way.
CEO Says Changes Will Boost Cyber Safety
Emmanuel Givanakis, the Chief Executive Officer of the FSRA, spoke about the changes. He said these rules show that the FSRA is serious about cybersecurity and operational resilience—which means making sure financial companies can keep working even if problems happen.
He added that these updates are part of the FSRA’s efforts to stay ahead by using the best global standards. Mr. Givanakis believes that these changes will help protect the reputation and safety of ADGM as a financial center.
He also said these changes support responsible innovation, meaning financial companies can use new technology safely and securely, which is important in today’s fast-changing digital world.
ADGM Aims to Be a Safe Global Financial Hub
The updated rules are part of ADGM’s bigger plan to be a leading international financial center. In today’s world, cyberattacks and digital crimes are growing quickly. Financial firms are often targets because they deal with sensitive data and large amounts of money.
By improving cyber rules, ADGM is making sure that firms working under its laws are better protected. This also makes global businesses more likely to choose ADGM as a trusted place to work.
The new cyber rules show that ADGM is not just reacting to problems, but actively preparing for future risks. It is trying to build a safe and smart financial environment.
Safer Future for Financial Services
The FSRA’s new rules are a major step to protect financial companies from cyber risks. These rules were created after deep discussions with the industry and are based on global best practices. Firms now have six months to get ready.
By including cyber risks in everyday business planning, working closely with IT providers, and reporting incidents clearly, companies can avoid bigger problems later. These rules aim to keep the financial industry in ADGM strong, secure, and ready for the future.
The FSRA’s leadership and smart planning are helping make ADGM a model for other financial centers around the world.
English
