Industry · Finance

Cybersecurity for UAE-regulated finance.

Banks · Payment providers · Fintechs · Insurers · DIFC-authorised firms · ADGM-registered entities. Eight mandates to align. One CBUAE deadline on 16 September 2026.

Live deadline

CBUAE Federal Decree-Law 6/2025 — reconciliation by 16 Sep 2026

Article 184 gives existing licensees one year from the law's 16 Sep 2025 effective date to be fully aligned. Penalty exposure: licence action plus administrative fines up to ten times the violation value or the unjust enrichment, whichever is higher.

Finance vertical · eight mandates

Every regulator. Every requirement.

Primary-source-validated. Updated against the underlying statute or the regulator's own page, not secondary analyses.

UAE financial-services cybersecurity and data-protection mandates, listed by reference, regulator, key requirements, deadline, status, and maximum penalty.

Mandate: CBUAE DL 6/2025 (reconciliation)
Reference: Fed. Decree-Law 6/2025
Status: Active deadline
Regulator: Central Bank UAE
Key requirements: Financial data localization (UAE); 5-year payment-data retention; 72-hour card-scheme incident notification; open-finance cybersecurity.
Deadline: 16 Sep 2026
Max penalty: License revocation + fines up to 10× violation value

Mandate: DFSA Cyber Risk Management
Reference: DFSA Rulebook GEN 5.5
Status: Enforced
Regulator: DFSA
Key requirements: Cyber governance; senior-exec accountability; risk assessments; access mgmt; encryption; monitoring; incident response; third-party risk; GEN 5.5.19 mandatory incident reporting.
Deadline: Effective 1 Jan 2024
Max penalty: DFSA enforcement action + fines

Mandate: DIFC DPL (2025 amendments)
Reference: DIFC Law 5/2020 + 1/2025
Status: Enforced
Regulator: DIFC Commissioner
Key requirements: GDPR-aligned: DPIAs; DPO reviews; private right of action; 72-hour breach notification; cross-border adequacy checks.
Deadline: 15 Jul 2025
Max penalty: USD 25K (annual assess) / USD 50K (DPIA / data sharing) + Art. 62 fines

Mandate: ADGM DPR 2021
Reference: ADGM DPR 2021
Status: Enforced
Regulator: ADGM Office of Data Protection
Key requirements: Privacy-by-design; mandatory DPO; SCCs/BCRs for transfers; 72-hour breach notification; active administrative enforcement.
Deadline: In force
Max penalty: USD 28M statutory cap

Mandate: UAE PDPL
Reference: Fed. Decree-Law 45/2021
Status: In force
Regulator: UAE Data Office
Key requirements: Customer-data protection; consent management; DPIAs; breach notification; cross-border transfer restrictions.
Deadline: In force since 2 Jan 2022 · ER pending
Max penalty: Pending ER (cited range AED 50K–10M)

Mandate: VARA T&I Rulebook
Reference: VARA Dubai
Status: Enforced
Regulator: VARA
Key requirements: Anti-hacking; secure crypto wallets (MPC / cold storage); AML/CFT; cybersecurity audits; 72h breach (Rule H); annual TLPT; quarterly vulnerability scans; continuous monitoring; 3rd-party risk.
Deadline: In force (eff. 19 Jun 2025)
Max penalty: License revocation

Mandate: Federal Cybercrime Law
Reference: Fed. Decree-Law 34/2021
Status: Enforced
Regulator: Public Prosecution
Key requirements: Criminal liability for data breaches, electronic fraud, unauthorized access to banking systems, phishing.
Deadline: In force
Max penalty: AED 100K–3M per offense + prison

Mandate: NCS 2025–2031
Reference: UAE Cybersecurity Council
Status: Strategic framework
Regulator: Cybersecurity Council
Key requirements: Security-by-design; ISO 27001 alignment; vendor risk management; MFA on all financial systems; incident response.
Deadline: Phased 2025–31
Max penalty: No direct NCS penalties (via underlying laws)

Source: UAE primary legislation and regulator-issued rulebooks. Full method and source domains in our UAE Regulations Registry.

What we find

Three gaps that repeat, across CBUAE-supervised firms.

Specific to UAE-regulated finance, not generic cybersecurity hygiene. Each one maps to a named mandate above.

01

Payment data sitting in “regional” cloud

Workloads provisioned before DL 6/2025 whose cloud contract references a “MENA region” or “GCC region”: those regions include Bahrain, Oman, or Saudi data centres, not just UAE ones. CBUAE expects UAE-resident payment data, and the cloud vendor's regional badge isn't enough to show it.

02

72-hour card-scheme notification with no runbook

The obligation is documented in the compliance manual. The operational path from an acquirer detecting a card-scheme failure to CBUAE receiving notification within 72 hours is not. Escalation paths, named owners, holiday cover, and a notification template tested by tabletop are what inspectors look for.

03

DFSA GEN 5.5 and DIFC DPL run as two disconnected tracks

Cyber risk reports to one board committee, data protection to another. No shared governance forum. DFSA examinations now flag this as a gap — both regulators expect these to be integrated functions for DIFC-based authorised firms.

Where we've done this

References in UAE-regulated finance.

Sector

DIFC-licensed digital bank

Cybersecurity partnership across DFSA GEN 5.5 alignment, ongoing monitoring, and incident-response readiness. Full scope available under NDA.

Sector

DIFC-regulated wealth management firm

Cybersecurity, compliance support across DIFC DPL and DFSA GEN 5.5, and managed detection and response. Full scope available under NDA.

Additional CBUAE-supervised and DIFC/ADGM-authorised firms under NDA — specific names and scopes shared on qualified introduction.

Common questions

Questions CFOs and CROs actually ask, with answers.

When is the CBUAE reconciliation deadline?
The CBUAE reconciliation deadline is 16 September 2026. Federal Decree-Law 6 of 2025 entered effect on 16 September 2025, and Article 184 grants existing CBUAE-licensed entities a one-year reconciliation window to come into full alignment. That applies to banks, payment providers, fintechs, insurers, finance companies, and exchange houses.

What happens if we miss the CBUAE reconciliation deadline?
Missing the deadline exposes the firm to licence action plus administrative fines of up to ten times the value of the violation or the unjust enrichment, whichever is higher. The 10× multiplier is written into the law text itself — not regulator guidance — so it is not discretionary. Penalty exposure scales with transaction volume, which makes the board-level risk significant for any payment-heavy business.

Do we need to comply with both DFSA GEN 5.5 and DIFC DPL?
Yes, if you are a DIFC-incorporated firm authorised by the DFSA. They are separate instruments issued by separate regulators and they cover different things: DFSA Rulebook GEN Module 5.5 is cyber-risk management (effective 1 January 2024), while DIFC DPL is data protection (Law 5/2020, amended 2025). Firms routinely conflate them. Both need their own governance track with clear owners.

Are you a DIFC- or ADGM-authorised service provider?
We serve DIFC- and ADGM-authorised firms as a third-party cybersecurity service provider. Our public references include a DIFC-licensed digital bank and a DIFC-regulated wealth management firm, plus additional CBUAE-supervised and DIFC/ADGM-authorised firms under NDA. Specific names and scopes are shared on qualified introduction.

What does a CBUAE reconciliation assessment cover?
A CBUAE reconciliation assessment maps your current controls against every new or changed provision in DL 6/2025 — including payment-data localization, five-year retention, and 72-hour card-scheme notification. It produces the documented evidence CBUAE inspections ask for (not a spreadsheet), prioritises gaps by penalty exposure and remediation cost, and sequences the work to land before 16 September 2026.

Do you work with fintechs and payment providers, not just banks?
Yes. Our finance scope covers banks (commercial, retail, Islamic), payment service providers and electronic money institutions, insurers (life, non-life, takaful), finance companies, exchange houses, remittance operators, and wealth and asset management firms. Any CBUAE-supervised entity or DIFC/ADGM-authorised financial firm is in scope, regardless of size.

Start with a reconciliation review

Twenty minutes. Written findings within a week.

A 20-minute call to understand your scope and obligations. Followed by a written findings report against CBUAE DL 6/2025, DFSA GEN 5.5, DIFC DPL, ADGM DPR, and PDPL — whichever apply — with prioritised remediation. No obligation.