ADGM GEN 3.5 Cyber Risk Management: What Regulated Firms Need to Know

GEN 3.5 Cyber Risk Management requirements in ADGM

Cybersecurity has long been treated as an IT problem. In regulated environments such as Abu Dhabi Global Market (ADGM), that is no longer the case.

The Financial Services Regulatory Authority (FSRA) has introduced GEN 3.5 Cyber Risk Management, requiring authorised firms to implement a structured approach to managing cyber risk across the organisation. Announced in July 2025, these requirements became binding on 31 January 2026. Firms that have not yet begun implementing a compliant framework are already behind.

For many firms, the challenge is demonstrating governance, accountability, and formal cyber risk management processes. 

What is GEN 3.5?

GEN 3.5 requires all Authorised Persons and Recognised Bodies in ADGM to establish and maintain a Cyber Risk Management Framework. Full compliance is required by 31 January 2026. The requirements apply to all ADGM-authorised firms, including banks, insurers, investment firms, fintechs, and asset managers, with the exception of representative offices.

This framework must be:

  • Documented and approved by the Governing Body
  • Proportionate to the size and complexity of the firm
  • Reviewed annually
  • Clear about roles, responsibilities, and processes
  • Designed to identify and manage cyber risk

The full requirements are published in the FSRA Rulebook.

Governing Body

One of the most important aspects of GEN 3.5 is the role it creates for the Governing Body.

Boards must:

  • Approve the Cyber Risk Management Framework
  • Define the organisation’s cyber risk tolerance
  • Ensure appropriate resources are available
  • Review regular reports on cyber risk

Outsourcing IT Does Not Outsource Responsibility

Many financial firms rely on managed IT providers or cloud platforms, but GEN 3.5 makes it clear that regulatory responsibility remains with the authorised firm. Even if IT is outsourced, the firm remains fully accountable to the FSRA.

Organisations must manage third-party IT risk, including:

  • Conducting supplier due diligence
  • Defining security expectations
  • Monitoring third-party risk
  • Maintaining the ability to audit suppliers
  • Understanding and managing sub-outsourcing, including the security standards of your suppliers’ own subcontractors

This is an area many firms overlook. GEN 3.5 requires visibility not just of direct suppliers, but of the subcontractors those suppliers use. Security standards must extend through the full supply chain.

Security Controls and Monitoring

GEN 3.5 also requires the organisation to implement appropriate security protections, including:

  • Network security and anti-malware protection
  • Strong user access controls
  • Multi-factor authentication for remote or privileged access
  • Encryption of sensitive data
  • Physical protection for infrastructure
  • Monitoring and testing the resilience of systems
  • Regular assessment of the security of internet-facing services

Incident Response and Reporting

A key requirement under GEN 3.5 is the ability to detect and respond to cyber incidents quickly. 

Firms must maintain a documented Cyber Incident Response Plan and regularly test their ability to respond to cyber events.

If a material cyber incident occurs, it must be reported to the FSRA within 24 hours of the firm becoming aware of it. This applies regardless of weekends or public holidays. Firms must submit an initial report using Template A to incidents.fsra@adgm.com, followed by progressive updates using Template B as the situation develops. Failure to report within the required timeframe may itself be treated as a regulatory breach, so preparation and clear internal processes are essential to meet this requirement.

Cyber Threat Intelligence

GEN 3.5 also requires firms to actively monitor and respond to cyber threat intelligence. This means designating responsibility for tracking FSRA cybercrime prevention advisories and integrating relevant threat information into ongoing risk assessments and board reporting.

If the FSRA issues an advisory warning about ransomware targeting financial services platforms your firm uses, that threat must be factored into your risk evaluation and control priorities. This is not optional: regulatory obligations include staying aware of the current threat landscape and acting on it.

Consequences of Non-Compliance

GEN 3.5 is a formal regulatory obligation, not guidance. The FSRA has broad enforcement powers, and firms that fail to meet the requirements expose themselves to significant consequences, including financial penalties, restrictions on their licence, or licence withdrawal.

Beyond regulatory risk, firms without structured cyber governance face a greater likelihood of operational disruption, data breaches, and reputational damage. In the UAE’s competitive financial services market, cyber resilience has become a factor in client and partner confidence as well as regulatory standing.

What This Means for ADGM Firms

Most firms already have a form of security technology in place, such as firewalls, antivirus software, and backups.

However, GEN 3.5 focuses on structured cyber governance, not just individual security tools. Regulators expect firms to demonstrate:

  • A formal framework
  • Clear governance and accountability
  • Vendor risk management processes
  • Incident response planning
  • Ongoing monitoring and testing
  • Comprehensive documentation
  • Structured Governance and Risk Management

Kew’s Key Takeaways

GEN 3.5 sets out important expectations:

  • Cyber risk is a governance issue and not just an IT responsibility
  • Firms must maintain a documented framework
  • Outsourcing IT does not remove regulatory responsibility
  • Governing bodies or boards must oversee and approve cyber risk management
  • Firms must maintain incident response procedures and report within 24 hours
  • Third-party suppliers must be actively managed
  • Compliance was required from 31 January 2026 – firms not yet fully compliant should act immediately
  • Non-compliance exposes firms to enforcement action, including fines, licence restrictions, or licence withdrawal

How Kew Solutions Supports ADGM Firms

At Kew Solutions, we work with regulated firms across the UAE to ensure their technology environments align with regulatory expectations. 

This includes helping organisations:

  • Establish and document Cyber Risk Management frameworks
  • Strengthen cybersecurity controls and infrastructure
  • Implement secure access, monitoring, and incident response processes
  • Review and manage third-party technology risk
  • Build technology environments that support ongoing regulatory compliance

With experience supporting organisations operating in regulated environments, including IT support for ADGM-based firms and those in the Dubai International Financial Centre (DIFC), we help businesses move towards structured, resilient IT environments aligned with regulatory standards.
