Cybersecurity regulation in UAE (2026)
The UAE operates a multi-layered cybersecurity regime anchored by Federal Decree-Law No. 34/2021 (in force January 2022), which criminalises unauthorised access, hacking, and infrastructure attacks, complemented by a mandatory 72-hour breach-notification duty under the Personal Data Protection Law (Federal Decree-Law No. 45/2021). A dedicated UAE Cybersecurity Council (established by Cabinet in 2020) oversees national coordination, and the Cabinet-approved National Cybersecurity Strategy 2025–2031 (February 2025) sets a whole-of-government active-defence agenda backed by over $2 billion in investment.
Key points
Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes (effective 2 January 2022) is the UAE's foundational cybersecurity statute, criminalising hacking, unauthorised access, infrastructure attacks, and AI/deepfake-enabled fraud; executives face personal criminal and civil liability for negligent cybersecurity governance.
Federal Decree-Law No. 45/2021 (PDPL) mandates notification of personal data breaches to the UAE Data Office within 72 hours of discovery, with further notification to affected data subjects where risk is significant; administrative fines reach AED 5 million for non-compliance.
The National Electronic Security Authority (NESA), now operating as the Signals Intelligence Agency (SIA), enforces mandatory Information Assurance Standards for government entities and operators of critical national infrastructure across energy, water, transport, banking, and telecoms sectors; non-compliance carries regulatory sanctions.
The National Cybersecurity Strategy 2025–2031, approved by the UAE Cabinet on 3 February 2025 and published in September 2025, shifts national posture from capacity-building to active defence across five pillars: cybersecurity governance and risk management, national cyber resilience and defence, secure digital transformation, emerging-technology security, and ecosystem partnerships.
Licensed financial institutions must notify the Central Bank of the UAE (CBUAE) of significant breaches affecting consumer data and notify affected consumers where financial or personal security is at risk; the Telecommunications and Digital Government Regulatory Authority (TDRA) requires prompt major-incident notification from telecoms operators.
The UAE Cybersecurity Council, established by Cabinet resolution in November 2020, coordinates the National Cyber Incident Response Plan and oversees the broader legal and regulatory framework; organisations across sectors are required to report cyber incidents promptly to the Council or the relevant sector regulator.
Timeline - major decisions & events
The UAE Cybersecurity Council announced it had thwarted a series of AI-augmented cyberattacks targeting the country's digital infrastructure and vital sectors, warning of a 'qualitative shift' in threat methodology by hostile actors. The incident accelerated inter-agency coordination and reinforced the AI-specific defensive mandates embedded in the 2025–2031 national strategy.
Source: Bloomberg
The UAE Cabinet approved the National Cybersecurity Strategy 2025–2031, structured around five pillars (governance, protection, innovation, capacity-building, and partnership) and backed by a $2 billion investment mandate; it shifts posture from capacity-building to active defence, expands compliance obligations to supply-chain participants, and integrates AI/ML security as a first-class requirement across all regulated sectors.
Source: UAE Cabinet (uaecabinet.ae)
The UAE Cybersecurity Council published a comprehensively revised Information Assurance Standard (v2, later v2.1) replacing the decade-old NESA IAS; it introduces 15 security-control families spanning management (M1–M6) and technical (T1–T9) domains, adds post-quantum cryptography, threat intelligence, and secure software engineering requirements, and integrates directly with seven National Cybersecurity Policies including Cloud, IoT, and AI/ML security. Compliance is mandatory for all government bodies and critical-infrastructure operators.
Source: UAE Cybersecurity Council (csc.gov.ae)
The UAE Cybersecurity Council issued the National Cloud Security Policy, setting mandatory security requirements — covering data residency, access controls, encryption, and third-party vendor assessments — for government entities and critical-sector operators adopting cloud services; the policy forms part of a suite of seven thematic national cybersecurity policies underpinning the Information Assurance Standard framework.
Source: UAE Government Portal (u.ae)
The Cabinet issued Executive Regulations under the 2021 Personal Data Protection Law, mandating concrete technical controls for any organisation processing personal data: AES-256 encryption at rest, TLS 1.2+ in transit, multi-factor authentication, Data Protection Impact Assessments for high-risk processing, and a 72-hour breach notification duty to the UAE Data Office; a six-month grace period applied, with full enforcement expected by January 2027.
Source: UAE Government Portal (u.ae)
On the same date, the UAE enacted two landmark instruments: Decree-Law No. 34 of 2021 overhauled the cybercrime regime (replacing the 2012 law) criminalising hacking, phishing, ransomware, identity theft, and spread of false information, with extra-territorial reach covering crimes planned or directed from the UAE; simultaneously Decree-Law No. 45 of 2021 established the UAE's first federal personal data protection law, requiring security-by-design and incident response obligations; both laws took effect 2 January 2022.
Source: UAE Legislation Portal (uaelegislation.gov.ae)
The UAE Cabinet created the UAE Cybersecurity Council as the central national cybersecurity authority, absorbing the functions of NESA; the Council is chaired by the UAE Government's Head of Cyber Security and is mandated to develop national strategy, build a comprehensive legal and regulatory framework, and operate a National Cyber Incident Response Plan — consolidating previously fragmented oversight under a single body.
Source: UAE Government Portal (u.ae)
The UAE launched its first comprehensive National Cybersecurity Strategy, establishing a risk-based framework to protect government systems, critical national infrastructure, and the digital economy across six strategic pillars; it laid the governance and policy foundations that were subsequently operationalised through the creation of the UAE Cybersecurity Council in 2020.
Source: UAE Government Portal (u.ae)
The UAE enacted Federal Decree-Law No. 5 of 2012, replacing the 2006 law with significantly expanded coverage: it removed intent as a prerequisite for many offences, increased criminal penalties, added new categories of cybercrime (including attacks on critical infrastructure and electronic systems), and was published in full by TDRA as the operative cybercrime statute until superseded in 2022.
Source: TDRA (tdra.gov.ae)
The UAE enacted Federal Law No. 2 of 2006 on the Prevention of Information Technology Crimes, making the UAE the first Arab country to pass a standalone cybercrime statute; the 27-article law criminalised unauthorised system access, data interception, electronic fraud, and misuse of information technology, establishing the foundational legal framework for prosecuting digital offences that all subsequent legislation has built upon.
Source: UAE Government Portal — Cyber Laws (u.ae)
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.