
Operating across Dubai and Abu Dhabi’s financial ecosystems means navigating three distinct cybersecurity regimes — each with its own philosophy on risk, reporting, and control depth.
For regulated entities under the Virtual Assets Regulatory Authority (VARA), the Abu Dhabi Global Market’s Financial Services Regulatory Authority (ADGM FSRA), and the Dubai Financial Services Authority (DFSA), cybersecurity is not just a technology function. It is a regulatory requirement embedded in licensing, supervision, and audit-readiness.
This guide by ITSEC, the cybersecurity arm of SecureVisa Group, provides a clear and practical comparison of these three regimes — showing how organizations can design a unified, regulator-aligned cybersecurity framework that satisfies all.
Effective: 19 June 2025
Scope: Virtual Asset Service Providers (VASPs) operating in Dubai (outside DIFC)
VARA’s Technology and Information Rulebook takes a highly prescriptive approach tailored for crypto operations. Firms must establish a board-approved technology risk framework, supported by a Chief Information Security Officer (CISO) who operates independently from compliance.
The rulebook mandates strict cryptographic key management — including wallet segregation, multi-signature controls, key rotation, and cold storage policies. Periodic penetration testing, smart-contract audits, and secure software development life cycle (SDLC) documentation are required to ensure continuous resilience.
Firms must also report material cybersecurity incidents within 72 hours, maintain business continuity and disaster recovery (BCDR) plans to protect custody and blockchain operations, and ensure annual cybersecurity training for all employees.
Overall, VARA’s framework is hands-on and crypto-native, integrating deep technical standards like encryption, DLT security, and wallet architecture into the regulatory lifecycle.
Announced: 29 July 2025
Compliance Effective: 31 January 2026
The ADGM FSRA Cyber Risk Management Framework (CRMF) emphasizes enterprise-level governance. It requires a board-approved cyber risk management framework that aligns with a firm’s enterprise risk management (ERM) model, setting clear risk appetites, key performance indicators, and oversight responsibilities.
The framework’s standout feature is its expansive third-party and ICT service provider requirements. Obligations extend beyond outsourcing partners to every ICT vendor, mandating audit rights, data-location assurances, and subcontractor transparency.
Firms must define material incident thresholds and use FSRA templates for timely reporting. The regulation also enforces continuous vulnerability management, red-team testing, and log correlation through SIEM systems.
In essence, ADGM’s model is contractually driven and integration-heavy, ensuring that cybersecurity extends into every vendor and technology agreement.
Under the DFSA GEN Module, firms in the DIFC are subject to a principles-based approach focused on governance and proportionality rather than prescriptive technical controls.
Firms must maintain cybersecurity frameworks capable of identifying, protecting, detecting, responding to, and recovering from cyber incidents. They can adopt internationally recognized standards such as ISO 27001, NIST CSF, or CIS Controls — as long as they can prove operational resilience and effective governance.
Senior management must allocate sufficient budget, expertise, and independence to cybersecurity operations, ensuring controls are proportionate to the size and complexity of the firm.
DFSA’s framework focuses on governance outcomes and evidence-based resilience, giving firms flexibility to choose how they demonstrate control effectiveness.
While the three regulators share a common vision of governance and resilience, their approaches differ in scope and specificity.
All three frameworks demand board oversight, defined cyber governance, testing and monitoring programs, vendor risk management, and business continuity planning. Every firm must demonstrate its ability to detect, respond to, and recover from cyber incidents, and provide documentation to support compliance.
However, key differences emerge in how deeply each regulator defines its controls. VARA is the most technically prescriptive, requiring crypto-native standards such as key management and smart-contract testing. ADGM is broader in contractual reach, emphasizing third-party accountability and ICT compliance. DFSA, meanwhile, takes a governance-first stance — focusing on proportionality, governance maturity, and evidence of results rather than specific technologies or standards.
In short: VARA > ADGM > DFSA in technical specificity, while ADGM leads in contractual depth and vendor oversight.
ITSEC begins by mapping your existing cybersecurity framework against VARA Parts I–III, the ADGM CRMF, and the DFSA GEN Module.
This phase identifies compliance gaps and collects supporting artifacts — including policies, runbooks, vendor contracts, audit logs, and testing reports.
The baseline architecture integrates Zero-Trust principles, role-based access controls (RBAC), hardened cloud infrastructure (Azure/AWS), and a central SIEM aligned with UAE’s Personal Data Protection Law (PDPL).
Regulator-specific modules are then layered on top:
ITSEC deploys continuous vulnerability scanning, quarterly penetration testing, smart-contract reviews, and red-team simulations.
All results are integrated into real-time dashboards that map directly to regulator expectations.
A unified workflow ensures regulator-aligned reporting — including VARA’s 72-hour notifications, ADGM’s material incident thresholds, and DFSA’s proportional reporting.
Annual CISO attestations, board-level reviews, and vendor resilience audits complete the compliance cycle.
