What the Law Does
Federal Decree-Law 6 of 2025 consolidates and modernizes the regulatory architecture for CBUAE-supervised entities. Article 184 sets a one-year reconciliation window from the law's effective date — which gives existing licensed entities until 16 September 2026 to be fully aligned with the new requirements.
The law's cybersecurity and data provisions aren't isolated from the rest. They sit inside the broader CBUAE framework — consumer protection, payment services regulations, card schemes, open finance — and the reconciliation applies across the full set.
What CBUAE Expects
- Payment-data localization inside the UAE — no exceptions for “the cloud is regional.”
- Five-year retention for payment services (CBUAE Rulebook 2.8 + RPSCS Article 6).
- 72-hour incident notification for card-scheme failures.
- Documented governance for open-finance and virtual-asset payment cybersecurity.
- Customer financial-data protection as a board-level obligation, not a technology one.
The 10× Multiplier
What CBUAE can do if you miss the deadline: licence action, plus administrative fines up to ten times the value of the violation or the unjust enrichment, whichever is higher.
The 10× multiplier is in the law text. It is not theoretical, and it is not the traditional ceiling fine you'd find in a European framework. For a payment incident involving high transaction volume, the multiplier produces numbers that board risk committees need to see.
The Reconciliation File
“Reconciliation file” is the phrase that matters. CBUAE inspections for the deadline will ask for documented alignment against each new or changed provision — not a pass-fail against the old framework. Firms that have only mapped the changes in a spreadsheet (not produced the evidence and governance artefacts) will find the inspection window tighter than they planned for.
If you're a CBUAE-supervised entity and you're not certain your reconciliation file would survive an inspection — the quarter to start is this one, not Q3 2026.