Cybersecurity Law in the UAE 2026: The Cybercrimes Statute, Regulators, and Critical Infrastructure Protection
July 15, 2026
Cybersecurity in the UAE is governed by a multi-layered system: a base criminal cybercrimes statute applies federally, with sector-specific and emirate-level regulatory requirements layered on top depending on the company’s industry and licence.
The current base statute is Federal Decree-Law No. (34) of 2021 On Combatting Rumours and Cybercrimes, issued 20 September 2021 and effective 2 January 2022, replacing Federal Decree-Law No. 5 of 2012 Concerning Countering Cybercrimes.
The UAE Cybersecurity Council was established by Cabinet decision in November 2020 as the body responsible for the national cybersecurity strategy and incident-response coordination.
There is no single, narrow “UAE cybersecurity law” — applicable requirements depend on where the company is registered (mainland/DIFC/ADGM), which sector it operates in (finance, healthcare, telecom), and which emirate it is in.
⚠ Certain offences under this law are automatically classified as “crimes against UAE security” — with significantly more severe consequences. Per the law’s primary text, this applies to Articles 3, 5, 7, 11(3), 12(3), 13, 19–28, 47(II), 52, 53, and 55, as well as any offence under this law committed for the benefit of a foreign country, terrorist group, gang, or illegal organisation.
1. The Legal Basis
Cybersecurity and cybercrime in the UAE are governed by several interconnected instruments at different regulatory levels.
Federal Decree-Law No. (34) of 2021 expressly repeals Federal Decree-Law No. (5) of 2012 Concerning Countering Cybercrimes — the previous base statute in this area.
Federal Decree-Law No. (3) of 2012 Establishing the National Electronic Security Authority established NESA, the predecessor of functions later transferred to the UAE Cybersecurity Council.
Beyond the federal criminal statute, sector-specific regulatory requirements apply: the Central Bank of the UAE for the financial sector, the Dubai Electronic Security Center (DESC) for Dubai government bodies, and the Department of Health Abu Dhabi for the emirate’s healthcare sector.
The 2021 law has already been amended: the official uaelegislation.gov.ae portal confirms one amendment, last updated 4 April 2024 — this is Federal Law No. 5 of 2024, which strengthened penalties for a range of online offences. Verify specific fine figures for individual offences directly before relying on them, as some may have changed since 2021.
Need advice on cybersecurity compliance for your UAE company? UPPERSETUP legal services →
2. What the UAE Cybersecurity Council Is
The UAE Cybersecurity Council is the central body for national cybersecurity strategy, not merely an advisory structure.
The Council was established by UAE Cabinet decision in November 2020; it is chaired by the Head of Cyber Security for the UAE Government.
The Council is responsible for shaping the legal and regulatory framework on cybercrimes, securing existing and emerging technologies, and creating a National Cyber Incident Response Plan.
✅ Per the official UAE government portal, citing the International Telecommunication Union’s (ITU) Global Cybersecurity Index 2024, the UAE ranked 5th globally for cybersecurity infrastructure resilience.
3. What the Cybercrimes Law Actually Prohibits
Federal Decree-Law No. 34 of 2021 covers a broad range of conduct — from hacking government systems to spreading false information.
• Unauthorised access to websites, networks, and information systems.
• Hacking and tampering with government information systems and data.
• Interception of data transmitted over an information network.
• Dissemination of false information harming the UAE’s interests and security.
• Creating fake electronic accounts, sites, or online identity impersonation (including deepfake technology).
ℹ The law introduces its own set of definitions, including “Information Network Broker” (any person providing information network brokerage services, including social networking and search engines) and “Service Provider” (any natural or legal person providing users with access to the information network).
4. Regulatory Tools: Orders and Blocking
The law gives competent authorities specific administrative tools, separate from criminal prosecution.
A writ of correction requires a person to correct, remove, or delete illegal content, false information, or data within a stated period.
A disable order requires an information network broker to disable users’ access to illegal content or data.
An access blocking order — issued if other instructions are not complied with — requires a service provider inside the UAE to disable users’ access to a website or electronic account.
5. Fines and Criminal Liability
|
Violation |
Sanction |
|
Unauthorised access to an electronic site (Art. 2) |
Fine of AED 100,000–300,000 |
|
Interception of access to an information network/system (Art. 12) |
Imprisonment and/or a fine of AED 150,000–500,000 |
|
Disclosure of intercepted data |
Imprisonment of at least 1 year and a fine of up to AED 1,000,000 |
|
Hacking a government website/system without causing damage |
Temporary imprisonment and a fine of AED 200,000–500,000 |
|
Hacking causing damage to a government system |
Imprisonment of at least 5 years and a fine of AED 250,000–1,500,000 |
⚠ These figures are ranges for specific offences, not a single “cybercrime fine.” Certain serious offences (for example, those related to state security) carry imprisonment of at least 7 years and a fine of AED 250,000 to AED 1,500,000.
✅ Committing an offence against a public official during or because of the performance of their duties is recognised as an aggravating circumstance under the law’s primary text.
6. Critical Information Infrastructure Protection
Separate from the criminal cybercrimes statute, the UAE maintains a dedicated policy for protecting critical infrastructure.
The official Critical Information Infrastructure Protection (CIIP) Policy defines critical information infrastructure as physical and virtual information assets supporting essential functions and services critical to UAE society and the economy.
The policy covers identifying critical sectors and national services, assessing risks, defining sector-specific cybersecurity requirements, and monitoring implementation of sector plans.
7. The Multi-Layered Regulatory System
|
Body |
Area of responsibility |
Level |
|
UAE Cybersecurity Council |
National cybersecurity strategy, Information Assurance Regulation, incident-response coordination |
Federal |
|
TDRA (Telecommunications and Digital Government Regulatory Authority) / aeCERT |
Standards for the telecom sector, national incident-response team |
Federal |
|
Central Bank of the UAE (CBUAE) |
Cyber-risk requirements for banks, finance companies, insurers, payment providers |
Federal, sector-specific |
|
Dubai Electronic Security Center (DESC) |
Information Security Regulation (ISR) for Dubai government bodies and regulated entities |
Emirate-level (Dubai) |
|
Department of Health Abu Dhabi |
ADHICS — healthcare cybersecurity standard |
Emirate-level (Abu Dhabi), sector-specific |
⚠ There is no single universal cybersecurity standard applying to every UAE company — the applicable requirement set depends on registration jurisdiction (mainland/DIFC/ADGM), emirate, and industry. A company must identify its specific regulatory “stack” rather than rely on a general notion of “UAE cybersecurity law.”
8. DIFC and ADGM: Separate Regimes
The UAE’s financial free zones operate under their own data protection and cyber-risk rules, distinct from the federal framework.
DIFC applies the DIFC Data Protection Law 2020, and ADGM applies the ADGM Data Protection Regulations 2021, in place of the federal Federal Decree-Law No. 45 of 2021 (PDPL).
✅ The Financial Services Regulatory Authority (FSRA) in ADGM signed a memorandum of understanding with the UAE Cybersecurity Council in May 2024 to strengthen cybercrime-prevention collaboration among licensed financial firms.
9. Step-by-Step Compliance Process for a Company
1. Identify the applicable jurisdiction: mainland, DIFC, or ADGM — this determines the applicable data protection regime and supervisory body.
2. Identify the applicable sector standard: DESC ISR (Dubai, public sector), ADHICS (Abu Dhabi healthcare), CBUAE requirements (financial sector) — absent these, refer to the general UAE Information Assurance Regulation.
3. Assess whether the company processes personal data falling under the federal PDPL or the DIFC/ADGM regional equivalents.
4. Implement internal incident-response procedures matching the applicable standard.
5. Train staff to recognise phishing and social engineering — the human factor remains the primary attack vector per industry research.
6. In the event of an incident, promptly assess the need to notify the regulator and prepare documentation for a possible investigation.
10. Common Mistakes
• Assuming there is a single “UAE cybersecurity law” applicable uniformly to everyone. The actual requirement set is built from the federal criminal statute plus sector and emirate-specific standards — these must be identified individually for a specific company.
• Overlooking that DIFC and ADGM apply their own, not federal, data protection rules. A company registered in these zones follows the DIFC Data Protection Law 2020 or ADGM Data Protection Regulations 2021, not the federal PDPL.
• Underestimating the classification of certain cybercrimes as “crimes against state security.” This significantly changes the procedural and sanction regime compared to an ordinary offence of the same conduct.
• Treating regulatory orders (writ of correction, disable order) as a formality that can be ignored. Non-compliance with such orders creates grounds for stricter measures, including access blocking.
11. Who Needs an In-Depth Compliance Audit
• Financial firms licensed by CBUAE, DFSA, or FSRA. These regulators’ sector-specific cyber-risk requirements are significantly more detailed than the general criminal statute.
• Healthcare companies in Abu Dhabi. ADHICS is a mandatory sector standard, not a recommendation.
• Dubai government and semi-government bodies. DESC ISR applies directly to this category of organisations.
12. When Professional Verification Is Essential
Self-assessment is worth supplementing with specialist advice when: planning personal data processing at the intersection of the federal PDPL and the DIFC/ADGM regimes; assessing the risk of a specific incident being classified as a “crime against state security”; and determining the applicable sector cybersecurity standard for a company with a mixed activity profile.
FAQ
Which law governs cybercrime in the UAE?
Federal Decree-Law No. (34) of 2021 On Combatting Rumours and Cybercrimes, effective 2 January 2022, replacing the 2012 law.
What is the UAE Cybersecurity Council?
A body established by Cabinet decision in November 2020, responsible for the national cybersecurity strategy and incident-response coordination at the federal level.
Does the federal data protection law apply in DIFC and ADGM?
No, these financial free zones apply their own regimes — the DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021 — instead of the federal PDPL.
What are the penalties for unauthorised access to a website?
Per Article 2 of the law, a fine of AED 100,000 to AED 300,000.
Key Takeaways
• The base statute is Federal Decree-Law No. 34 of 2021, effective 2 January 2022.
• The UAE Cybersecurity Council was established in November 2020 and coordinates the national strategy.
• Certain offences under the law are classified as crimes against state security, with more severe consequences.
• A separate Critical Information Infrastructure Protection Policy protects critical assets outside the criminal statute.
• DIFC and ADGM apply their own data protection regimes, separate from the federal PDPL.
• The applicable cybersecurity requirement set depends on registration jurisdiction, emirate, and industry — there is no single universal standard.
Summary
Cybersecurity in the UAE is governed by Federal Decree-Law No. (34) of 2021 On Combatting Rumours and Cybercrimes, effective 2 January 2022, replacing the 2012 law. The UAE Cybersecurity Council, established by Cabinet decision in November 2020, coordinates the national cybersecurity strategy and the Information Assurance Regulation. A separate Critical Information Infrastructure Protection Policy protects critical information assets. Certain offences under the 2021 law are classified as crimes against state security, carrying a more severe liability regime. Fines range from AED 100,000–300,000 for unauthorised website access to imprisonment of at least 5 years and a fine of AED 250,000–1,500,000 for hacking a government system with resulting damage. DIFC and ADGM apply their own data protection regimes (DIFC Data Protection Law 2020, ADGM Data Protection Regulations 2021), separate from the federal PDPL. Additional sector requirements are set by CBUAE (finance), DESC (Dubai public sector), and the Department of Health Abu Dhabi (healthcare).
Sources
• The Official Portal of the UAE Government — Law on Combatting Rumours and Cybercrimes (u.ae)
• The Official Portal of the UAE Government — UAE Cybersecurity Council (u.ae)
• Lexology — The UAE’s collaborative approach to combat cybercrime (lexology.com)
• UAE Legislation — official legislation metadata (issue date, effective date, amendments), confirming Federal Law No. 5 of 2024 (uaelegislation.gov.ae)
Disclaimer
This material is for informational purposes only and does not constitute legal advice. Qualification of specific conduct requires individual legal assessment — before making decisions, obtain consultation with a qualified UAE cyber law specialist. Information is accurate as of June 2026.
Subscribe to our newsletter
Receive expert materials and special offers in the field of company setup and support, citizenship and residence permit for investment. Once a week without spam.









