
In July 2025, the Financial Services Regulatory Authority (FSRA) of the Abu Dhabi Global Market introduced binding cyber risk management obligations under GEN 3.5. Unlike previous guidance, these are enforceable rules – and all Authorised Persons and Recognised Bodies were required to comply by 31 January 2026.


Now that the compliance deadline has passed, FSRA expects firms to demonstrate evidence of their cyber risk frameworks. The question many boards face is: what does "evidence" actually mean, and how do we demonstrate compliance without becoming cyber experts?


This article explains the governance shift GEN 3.5 represents and why many ADGM firms – particularly smaller ones – are finding implementation more challenging than expected.


1. The Governance Shift: Cyber Risk is Now a Board Issue


GEN 3.5 fundamentally changes how cyber risk is managed in ADGM firms. It's no longer acceptable for boards to treat cybersecurity as purely an IT or operational matter.


What this means in practice:


Boards must be able to demonstrate that cyber risk is identified, assessed, and monitored within the firm's broader risk framework. This doesn't require board members to become technical experts, but it does require them to ask the right questions and ensure accountability exists.

The challenge? Most boards only see cyber when something goes wrong. GEN 3.5 requires ongoing oversight, not reactive crisis management.


The accountability question:


If FSRA asked your board today, "How is cyber risk managed in this firm?" – could you answer clearly and confidently? Or would the answer be, "Our IT provider handles that"?

For many ADGM firms, this is where the compliance gap begins.


2. Why Outsourcing Doesn't Remove Responsibility


Here's the reality: most small and mid-sized ADGM firms outsource IT infrastructure and cybersecurity. This is practical and appropriate.

But there's a critical misunderstanding in the market.


Outsourcing shifts operational responsibility. It does not shift regulatory accountability.


Your managed service provider may secure your systems. But they don't report to FSRA. You do.


GEN 3.5 expects firms to demonstrate:

  • Due diligence in selecting providers

  • Contractual protections that include incident notification and audit rights

  • Ongoing oversight of provider performance

  • Clear understanding of what the provider covers – and what remains your responsibility


If your firm cannot evidence each of these points, there's a compliance gap that needs addressing.


Our FSRA Cybersecurity Compliance Brief provides detailed guidance on third-party oversight requirements and what effective vendor contracts should include.


3. The SME Challenge: Capacity, Not Intent


Most ADGM firms want to comply. The issue isn't intent – it's capacity.


We consistently see:

  • Lean teams juggling regulatory obligations, client onboarding, and daily operations. Cyber risk falls between the gaps.

  • No in-house expertise to translate technical controls into board-level risk language. IT providers manage systems but rarely report in terms boards can act on.

  • Over-reliance on bundled tools without confirmation of what they actually cover, or what they don't.

  • No clear ownership of cyber risk. When an incident happens, who escalates? To whom? Within what timeframe?


GEN 3.5 doesn't expect perfection. But it does expect evidence that someone accountable understands the firm's cyber risk posture.

This is where many firms are exposed.


4. Proportionality: What It Means (and What It Doesn't)


FSRA has been clear: GEN 3.5 is proportional. Expectations scale with firm size, complexity, and risk profile.


What proportionality means:

  • Smaller firms don't need 100-page security policies

  • Testing requirements can be scaled (annual vulnerability assessments may suffice for lower-risk firms)

  • Reliance on external providers is acceptable – with appropriate oversight


What proportionality doesn't mean:

  • You can skip documentation because you're small

  • Outsourcing removes the need for governance

  • Controls don't need to be tested because "we haven't had an incident"


Proportional compliance still requires evidence. The scope may be smaller, but the accountability remains.

Understanding what "proportionate" means for your firm is critical – and it's not always straightforward. Our Compliance Brief includes guidance on how FSRA expects firms of different sizes and risk profiles to approach implementation.


Download the FSRA Cybersecurity Compliance Brief


5. Common Pitfalls We're Seeing


Based on our work with ADGM firms, these are the most common gaps:

  • Treating cyber as an IT problem, not a governance issue. IT implements controls. The board ensures oversight. Both are required.

  • Assuming compliance because tools are in place. Security software doesn't equal a cyber risk framework. Documentation, testing, and accountability are separate requirements.

  • Policies that exist only on paper. Many firms have frameworks written years ago that were never implemented, tested, or updated.

  • No testing or validation. A plan that's never tested isn't a plan. Firms need scheduled vulnerability assessments and incident response exercises – not ad hoc reactions.

  • Vendor contracts missing key provisions. Without incident notification obligations and audit rights, firms lack visibility into third-party risks.


These aren't theoretical concerns. They're practical compliance gaps that FSRA will identify during supervision.


6. What Firms Should Do Now


Whether your firm met the January 2026 deadline or needs to strengthen its compliance position, the starting point is the same: understand where you stand.


This requires:

  1. Gap assessment against GEN 3.5 requirements

  2. Risk prioritisation – not everything can be addressed at once

  3. Clear documentation that boards and regulators can actually use

  4. Vendor contract review to ensure third-party obligations are enforceable

  5. Remediation roadmap with phased milestones and accountability


The challenge for most firms is knowing what "good" looks like for their specific size and risk profile – and building a practical path to get there without overwhelming lean teams.


This is where expert guidance makes a material difference.


GEN 3.5 represents a fundamental shift in how ADGM firms must approach cyber risk. It's no longer optional, and it's no longer purely technical.

For many firms, the biggest challenge isn't capability – it's visibility. Cyber risk lives in IT or with external providers, disconnected from board-level oversight.


The framework is designed to close that gap. But doing so requires more than installing software. It requires governance, documentation, testing, and accountability.


At j. awan & partners, we help ADGM firms navigate this shift. Our gap assessment service benchmarks your current position against GEN 3.5 requirements and delivers a practical roadmap tailored to your firm's size and risk profile.


We don't provide generic checklists. We provide expert guidance that helps boards understand their cyber risk posture and demonstrate compliance with confidence.


Download our FSRA Cybersecurity Compliance Brief for detailed guidance on FSRA's requirements across governance, risk identification, ICT controls, testing, third-party oversight, and incident response.


Contact our team to discuss how we can support your firm's compliance needs.

GEN 3.5 Explained: What ADGM Boards Must Evidence on Cyber Risk

A practical guide for ADGM boards on cyber risk oversight under GEN 3.5. Understand proportionate compliance without becoming cyber experts.
