United Arab Emirates
The UAE does not have a consolidated information security law; however, the following pieces of legislation govern information security in the UAE:
(A) Cyber Crimes Law:
Federal Law No. 5 of 2012 (“Cyber Crimes Law”) stipulates a range of offences committed online, including hacking into IT networks to steal data, hindering access to an IT system, and distributing viruses. Generally, the relevant information security-related provisions of the Cyber Crimes Law prohibit the following:
(i) Unauthorized access to an IT system resulting in access to personal data;
(ii) Unauthorized access to an IT system to obtain government data;
(iii) Hindering access to an IT system;
(iv) Disabling an IT system by introducing spam email and virus programs; and
(v) Hacking into an IT system.
(B) National Electronic Security Authority
Federal Decree by Law No. 3 of 2012 established the National Electronic Security Authority (“NESA”), which sits under the umbrella of the Supreme Council for National Security. NESA is responsible for implementing controls to prevent any attempt to hinder or disrupt or sabotage or change the communication network or the content of any information systems, and is empowered to undertake all steps required to avoid the occurrence of such actions and attempts, whether inside or outside the UAE.
(C) Federal Information Security Resolution
Cabinet Resolution No. 21 of 2013 Concerning the Regulation of Information Security in Federal Authorities (“Federal Information Security Resolution”) provides a framework for ensuring the security of information in Federal agencies.
(D) Dubai International Financial Centre (DIFC) Data Protection Law
The DIFC Data Protection Law of 2007 regulates the processing and transfer of personal data, including sensitive personal data, located in the Dubai International Financial Centre (a free zone, hereinafter referred to as the “DIFC”). Specifically, the DIFC Data Protection Law requires all data controllers (i.e. any person in the DIFC who, alone or jointly with others, determines the purposes and means of the processing of personal data) to implement appropriate technical and organizational measures to protect personal data.
Additionally, obligations to properly secure information arise in a range of other laws and regulations, including the Dubai Healthcare City (“DHCC”) Governing Regulations and the Federal Credit Information Law, which require data holders to institute appropriate information security policies to protect health and credit related data.
(E) Dubai Information Security Policy
Executive Council Resolution No. 13 of 2012 Regarding the Information in the Government of Dubai (“Dubai Information Security Resolution”) enables the Dubai e-Government Department to develop an information security policy for the government of Dubai. The Dubai Information Security Resolution covers:
(i) governance of information security;
(ii) incident and risk management;
(iii) access control;
(iv) process, system and communication management;
(v) development and management of information systems; and
(vi) legislative regulation.
(F) ADGM Data Protection Regulations
The ADGM Data Protection Regulations 2015 regulate the processing of personal data by data controllers located in the Abu Dhabi Global Market (“ADGM”), a financial free zone located in Abu Dhabi. These regulations control how personal information is used by organizations and businesses in the ADGM.
As per Article 9 of the ADGM Data Protection Regulations, a data controller shall implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss or destruction of, or damage to, personal data. Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected. A data controller shall appoint a data processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and shall ensure compliance with those measures. In case of a breach, whether physical, personal or otherwise, the data processor will inform the data controller. The data controller will in turn inform the Registrar appointed under the ADGM Regulations.
(G) Abu Dhabi Government Information Security Policy
The Abu Dhabi Government Information Security Policy and related Abu Dhabi Government Information Security Standards (together referred to as the “AD Information Security Policy”) constitute the most comprehensive regulation addressing government data in the Emirate of Abu Dhabi. The AD Information Security Policy defines requirements for ensuring that critical government information is secured regardless of the medium in which the information resides.
Generally, pursuant to the AD Information Security Policy, all Abu Dhabi government entities are required to:
(i) categorize their information assets (including information systems) based on the importance and critical nature of the relevant asset;
(ii) develop an Information Security Program Plan;
(iii) build the required capabilities to monitor the information systems and manage information security incidents in the entity; and
(iv) regularly report to the Abu Dhabi Systems and Information Center (now known as the Abu Dhabi Smart Solutions and Services Authority (“ADSSSA”)), which is responsible for assisting the government entities in implementing their respective Information Security Program Plans.
All Abu Dhabi government entities must comply with the obligations set out in the AD Information Security Policy to ensure the confidentiality, integrity, and availability of government information. Additionally, Abu Dhabi government entities must ensure that suppliers engaged by them adhere to the applicable obligations of the AD Information Security Policy.