Regulated financial services sector firms in the Abu Dhabi Global Market (ADGM) have six months to comply with the new Cyber Risk Management Framework announced by the Financial Services Regulatory Authority (FSRA) on 29 July 2025. The framework includes requirements for managing Third-Party Cyber Risks, being risks that may arise from use of ICT Services provided by a third party or its subcontractors.
Here we discuss the key requirements for managing Third-Party Party Cyber Risks. For more information on the applicability, scope and impact of the framework, see our article Cyber risk management in the ADGM: an analysis of the new regulatory framework.
ICT Services versus technology outsourcing
Where a firm relies on a third party for the provision of ICT Services, that firm remains responsible for compliance with the FSRA’s Regulations and Rules in relation to the activities performed by the third party.1 This principle is consistent with the FSRA’s approach to outsourcing of both technology and non-technology functions, as well as that of the financial regulators in onshore UAE and the Dubai International Financial Centre…
