Cybersecurity - UAE

Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes (effective 2 January 2022) is the UAE's foundational cybersecurity statute, criminalising hacking, unauthorised access, infrastructure attacks, and AI/deepfake-enabled fraud; executives face personal criminal and civil liability for negligent cybersecurity governance.

Federal Decree-Law No. 45/2021 (PDPL) mandates notification of personal data breaches to the UAE Data Office within 72 hours of discovery, with further notification to affected data subjects where risk is significant; administrative fines reach AED 5 million for non-compliance.

The National Electronic Security Authority (NESA), now operating as the Signals Intelligence Agency (SIA), enforces mandatory Information Assurance Standards for government entities and operators of critical national infrastructure across energy, water, transport, banking, and telecoms sectors; non-compliance carries regulatory sanctions.

Approved by the UAE Cabinet on 3 February 2025 and published in September 2025, the strategy shifts national posture from capacity-building to active defence across five pillars: cybersecurity governance and risk management, national cyber resilience and defence, secure digital transformation, emerging-technology security, and ecosystem partnerships.

Licensed financial institutions must notify the Central Bank of the UAE (CBUAE) of significant breaches affecting consumer data and notify affected consumers where financial or personal security is at risk; the Telecommunications and Digital Government Regulatory Authority (TDRA) requires prompt major-incident notification from telecoms operators.

The UAE Cybersecurity Council, established by Cabinet resolution in November 2020, coordinates the National Cyber Incident Response Plan and oversees the broader legal and regulatory framework; organisations across sectors are required to report cyber incidents promptly to the Council or the relevant sector regulator.