Last review date: 10 December 2025
The main laws are:
Generally, cybersecurity tends to be regulated at a sector level, with requirements contained in a combination of primary legislation (such as in regulations) and secondary legislation issued by sector regulators, including policies, standards, and guidelines. These requirements are not always made publicly available. In addition, specific security requirements may apply to certain services or technologies (e.g., Internet of Things). Some requirements may also extend to organizations conducting business in the DIFC.
In addition to the data protection law, the main source of requirements for organizations doing business in the DIFC is set out in the UAE’s Penal Code and Cybercrimes Law, which prohibit certain activities from being carried out in the digital space or through technological means. These criminal laws apply equally across the UAE's free zones, including financial free zones such as the DIFC.
Financial institutions that are regulated by the Dubai Financial Services Authority (DFSA) are encouraged, although not mandated, to implement the DFSA Cyber Risk Management Guidelines issued in December 2020 ("Guidelines"). The Guidelines are mainly principle-based and reflect good industry practices to assist financial institutions to: (i) establish a robust cyber risk management framework within which to identify, manage and mitigate cyber risks effectively in an integrated and comprehensive manner; and (ii) strengthen the security, reliability, resiliency and recoverability of their systems.