What GEN 5.5 actually requires.
Since 1 January 2024, every DFSA-authorised firm has been required to implement and maintain a documented Cyber Risk Management Framework under GEN Module Rule 5.5. The rule is not optional, not principles-based, and not satisfied by an IT policy bolted onto a compliance manual.
Specifically, the rule requires:
- A framework approved and overseen by your governing body, with named senior accountability
- Identification, assessment and management of cyber risks proportionate to your firm's nature, scale and complexity
- Detection, response and recovery capability for cyber incidents
- A Cyber Incident Response Plan, tested and maintained
- Material cyber incident notification to the DFSA without undue delay
- Third-Party Cyber Risk oversight extending to your vendors, MSPs and their subcontractors
- Ongoing review, testing and update of the framework
Most firms have some of this, on paper. The thematic review findings the DFSA has published over the last two years suggest that few have all of it, evidenced, and operationally embedded.
Four typical starting points.
The firms that engage Meridian Cyber for GEN 5.5 work tend to be in one of four situations:
Approaching a licence renewal or thematic review
You've had a Dear SEO letter, or you know one is coming. You need a framework that holds up to questions, not a folder of templated PDFs.
Mid-build with an internal team that's stretched
You have a Compliance Officer, possibly an MLRO, and an outsourced IT provider. None of them owns cyber. The board has asked who does, and there isn't a clean answer.
Post-incident or post-near-miss
Something happened. Maybe nothing was lost. But it surfaced that your response plan was a Word document nobody had read, and your third-party register was a spreadsheet two years out of date.
New DIFC entrant
You're a UK, Singapore or US firm setting up in DIFC. Your home-jurisdiction framework needs translating into DFSA language, with the right governance hooks and the right local accountability.
A defensible, examiner-aligned framework, built in three phases.
Discover
- Regulated activity mapping — what you do, what data you hold, who you serve, what's outsourced
- Control environment baseline against GEN 5.5 (all eight elements: strategy, governance, risk and controls, monitoring and detection, response and recovery, information sharing, training, third-party)
- Threat landscape and risk assessment, calibrated to your firm type and the DFSA's published focus areas
- Gap register with prioritised remediation and effort estimates
- Board pre-read — a one-page briefing the SEO can take into a board meeting unchanged
Build
- Cyber Risk Management Framework document — board-approvable, examiner-aligned, written in DFSA-recognised language
- Supporting policy pack: information security, access control, data classification, incident response, third-party risk, acceptable use, change management, cryptography, secure development (where applicable)
- Cyber Incident Response Plan with the DFSA notification pathway baked in, including templated SEO letter response language
- Third-party cyber risk register and onboarding workflow covering your MSP, your cloud providers, your fund administrator, your custodian, your auditors
- Risk register format and population, integrated with your existing operational risk framework
- Awareness training rollout for board, senior management, and operational staff — tracked, evidenced, retained
Operate
- Quarterly framework review and risk register refresh
- Annual incident response tabletop exercise with documented outcomes (DFSA expects evidence)
- Monthly board KRI pack — written for non-technical readers
- DFSA rule-change monitoring and impact assessment
- Examiner engagement support: pre-meeting prep, on-the-day attendance if requested, follow-up correspondence
- Acting as the named senior individual for the framework, where the engagement structure permits
We don't sell shelfware.
Meridian doesn't deliver a 200-page framework PDF and disappear. We don't subcontract junior consultants and put a partner name on the cover. We don't bill day-rates for status meetings.
If you want a glossy report you can put in a drawer, several firms in the market will sell you one. If you want a framework that survives a thematic review and an actual incident, that's the engagement we run.
How engagements are shaped.
Most GEN 5.5 build engagements run as our Growth retainer over six months, transitioning to Foundation or Growth for ongoing operation. Smaller Category 4 firms often start on Foundation; firms approaching a thematic review or with active regulator correspondence typically engage at Enterprise tier to ensure capacity.
Indicative monthly pricing:
- Foundation — approximately USD $1,499 / AED 5,500 per month — for Category 4 firms with established baseline controls
- Growth — approximately USD $2,499 / AED 9,200 per month — the standard tier for GEN 5.5 build engagements
- Enterprise — approximately USD $5,499 / AED 20,200 per month — for firms with active regulator engagement or accelerated timelines
Pricing is published and transparent on our retainer plans page. Engagements scale with complexity, not friction — you can move between tiers month to month as the work demands.
Book a 30-minute discovery call and we'll tell you which tier makes sense, including telling you honestly if you don't need us at all.
Questions firms ask before they engage.
How is a Meridian vCISO accepted by the DFSA as the named individual for the framework?
GEN 5.5 requires named senior accountability but does not prohibit fractional or outsourced arrangements, provided the individual has genuine authority, board access, and meaningful ongoing involvement. We structure engagements explicitly to meet this expectation. The named individual is appointed in writing, attends governance meetings, has direct board access, and maintains documented involvement that an examiner can audit. Where a firm prefers, an internal senior individual remains the named owner and Meridian provides advisory backstop.
We already have an MSP managing our IT. Why do we need this?
Your MSP delivers IT services. The DFSA requires you, as the authorised firm, to own the risk framework that governs what your MSP does. GEN 5.5.21 explicitly extends your obligations to third-party providers — meaning your MSP is in scope of your framework, not a substitute for it. Meridian sits on your side of that table.
How long until we're defensible?
For a Category 3 or 4 firm with no existing framework, 90 days to a documented, board-approved framework and policy pack is realistic. Full operational maturity — embedded risk register, completed tabletop, first quarterly review cycle, third-party register populated — typically takes six months. Firms approaching an examiner engagement on a tighter window can be accelerated through the Enterprise retainer.
Can the same engagement cover UAE PDPL DPO obligations?
Yes. The Enterprise tier includes acting DPO advisory under UAE Federal Decree-Law No. 45 of 2021. For Growth-tier clients, DPO advisory services can be added as a scoped extension to the engagement.
Are you a UK or UAE entity?
Meridian Cyber Ltd is incorporated in England and Wales, with operating presence in both London and Dubai. We engage DIFC firms under UK-law engagement letters by default, with the option to engage under DIFC-law contracts where the client prefers — particularly for engagements where the named individual will represent the firm to the DFSA.
Book a discovery call.
30 minutes. No obligation. We'll look at your licence category, your existing control environment, and your nearest regulatory pressure point. If Meridian isn't the right fit, we'll tell you who is.