ADGM Cyber Risk Management (GEN 3.5): What Regulated Firms Must Do Before 31 January 2026
Introduction
The Abu Dhabi Global Market has introduced one of the most significant cybersecurity regulatory updates seen in the region to date.
By 31 January 2026, all Authorised Persons and Recognised Bodies regulated by the ADGM Financial Services Regulatory Authority (FSRA) must comply with the Cyber Risk Management requirements under GEN Rule 3.5.
This is not a guidance note or a best-practice recommendation.
It is a formal regulatory obligation with direct accountability at board and senior management level.
This article explains, in clear and practical terms:
· Who the regulation applies to
· What GEN 3.5 requires
· What has changed compared to previous expectations
· What firms should be doing now to prepare
· Common misconceptions that increase regulatory risk
Who Must Comply with ADGM Cyber Risk Management Rules
The Cyber Risk Management framework applies to:
· All Authorised Persons regulated by the ADGM FSRA
· All Recognised Bodies, including exchanges and financial market infrastructures
· Firms of all sizes, regardless of complexity or headcount
Importantly, outsourcing does not reduce responsibility.
Even if technology, cloud services, or cybersecurity functions are fully outsourced, the regulated entity remains accountable to the FSRA.
What Is GEN Rule 3.5
GEN Rule 3.5 introduces a mandatory Cyber Risk Management framework that must be:
· Documented
· Tailored to the firm’s business model and risk profile
· Approved by the board or equivalent governing body
· Actively maintained and reviewed
The regulation moves firms away from informal controls and generic policies toward structured, auditable cybersecurity governance.
Core Requirements Under GEN 3.5
1. A Documented Cyber Risk Management Framework
Firms must establish a written framework that defines how cyber risks are identified, assessed, managed, monitored, and reported.
This framework must be specific to the firm. Generic templates or high-level policies without operational detail will not meet expectations.
The framework must cover:
· Cyber risk appetite
· Roles and responsibilities
· Governance and escalation paths
· Integration with overall risk management
2. Board and Senior Management Accountability
Cybersecurity is now explicitly a board-level responsibility.
Boards and senior management are expected to:
· Approve the cyber risk management framework
· Understand the firm’s cyber risk exposure
· Receive regular cyber risk reporting
· Ensure sufficient resources and expertise are in place
Delegation is permitted, but accountability is not transferable.
3. Identification and Protection of Information Assets
Firms must maintain an inventory of information and ICT assets, including:
· Systems
· Applications
· Data repositories
· Cloud services
· Third-party hosted environments
Appropriate technical and organisational controls must be implemented to protect these assets, based on their criticality and risk.
4. Continuous Monitoring and Testing
GEN 3.5 requires firms to actively monitor cyber risks, not simply document them.
This includes:
· Ongoing security monitoring
· Detection of anomalous activity
· Regular testing of controls
At a minimum, annual testing of internet-facing systems is expected. More frequent testing may be required depending on the firm’s risk profile.
5. Incident Response and Cyber Resilience
Firms must maintain a documented cyber incident response plan that includes:
· Clear roles and responsibilities
· Escalation procedures
· Internal and external communication protocols
· Recovery and remediation steps
The focus is not only on prevention, but also on the firm’s ability to respond and recover effectively from cyber incidents.
6. Mandatory Incident Reporting to the FSRA
Material cyber incidents must be reported to the FSRA within 24 hours of detection.
This requirement applies:
· Regardless of weekends or public holidays
· Even if full details are not yet known
Failure to report within the required timeframe may itself be considered a regulatory breach.
7. Third-Party and Outsourcing Risk Management
Outsourcing does not remove regulatory responsibility.
Firms must ensure that third-party providers:
· Are subject to appropriate due diligence
· Have adequate cybersecurity controls
· Are contractually obligated to meet security requirements
· Are monitored on an ongoing basis
Sub-outsourcing must also be understood and managed.
8. Cyber Threat Intelligence and Regulatory Awareness
Firms are expected to remain aware of:
· Emerging cyber threats
· FSRA communications and advisories
· Relevant industry developments
Threat intelligence should inform risk assessments, control design, and board reporting where appropriate.
What Has Changed Compared to Previous Expectations
Historically, cybersecurity expectations were often addressed through general IT controls or high-level risk policies.
GEN 3.5 introduces:
· Explicit cyber governance requirements
· Formal board accountability
· Mandatory documentation and testing
· Defined regulatory reporting timelines
In short, cybersecurity is now treated as a core prudential risk, not a technical afterthought.
Common Misconceptions Among ADGM Firms
“We are too small to be a target.”
Size does not reduce regulatory obligations or cyber risk exposure.
“Our IT provider handles security.”
Outsourcing does not remove accountability.
“We already follow best practices.”
Best practices must now be demonstrable, documented, and auditable.
“We can deal with this closer to the deadline.”
Framework development, approvals, testing, and remediation take time. Waiting increases risk.
Consequences of Non-Compliance
Failure to comply with GEN 3.5 may result in:
· Regulatory enforcement actions
· Financial penalties
· Licence restrictions or conditions
· Reputational damage
More importantly, inadequate cyber controls expose firms to operational disruption and client harm.
How Axiom Supports ADGM-Regulated Firms
Axiom works with ADGM firms as a long-term cyber risk and compliance partner, helping translate regulatory requirements into practical, defensible operating models.
Support can include:
· GEN 3.5 gap assessments
· Cyber risk management framework development
· Board-level reporting structures
· Incident response planning and testing
· Ongoing compliance monitoring and advisory
To explore your options, view our ADGM Cyber Risk Management services or speak with an ADGM cyber specialist.
Final Thoughts
GEN 3.5 represents a fundamental shift in how cyber risk is governed within ADGM.
Firms that treat this as a strategic governance initiative, rather than a last-minute compliance exercise, will be far better positioned, both with the regulator and operationally.
The 31 January 2026 deadline is fixed.
Preparation should not be.