Public registry · Maintained by nshield.io

Every UAE cybersecurity mandate. One place. Primary sources.

13 regulations across seven sectors. Every row traced to the statute or the regulator's own page. Re-validated quarterly. Open licence.

13

Mandates

12

Attributes each

20 Jul

Next re-check

Get the full PDF →Browse the open data on GitHub →

Cross-vertical view

Every deadline. One table.

Scannable snapshot of every mandate in the registry. Each row maps to a full section in the PDF.

UAE cybersecurity and data protection mandates — status, key dates, applicable sectors (as of 19 April 2026).
MandateStatusKey dateSector
Federal Cybercrime Law
Fed. DL 34/2021
In force2 Jan 2022All
UAE PDPL
Fed. DL 45/2021
In force · ER pendingSince 2 Jan 2022All mainland
Federal Health Data Law
FL 2/2019
In forceSince 2019Healthcare
ADHICS v2.0
DoH Abu Dhabi
EnforcedBasic Nov 2024 · Advanced May 2025Healthcare (AD)
NABIDH
DHA Policy 2022
In force10 Nov 2024Healthcare (Dubai)
DIFC DPL (2025 amendments)
DIFC Law 5/2020 + 1/2025
In force15 Jul 2025Finance / Real Estate (DIFC)
ADGM DPR
ADGM DPR 2021
In force2021Finance / Real Estate (ADGM)
DFSA GEN 5.5
Cyber Risk Management
In force1 Jan 2024Finance (DFSA)
VARA T&I Rulebook
VARA Dubai
In force19 Jun 2025Crypto / Virtual Assets
TDRA Data Residency
Fed. Law 3/2003 + TDRA Regs
In forceOngoingTelecom / ISPs / Cloud
CBUAE DL 6/2025 (reconciliation)
Fed. DL 6/2025
Active deadline16 Sep 2026Finance
Child Digital Safety Law
Fed. DL 26/2025
Deadline 2027Full compliance 1 Jan 2027All digital platforms
NCS 2025–2031
UAE Cybersecurity Council
StrategicPhased through 2031All

Source: primary UAE legal and regulator documents. See SOURCES.md for method and domains used.

How this is built

Primary sources. Quarterly re-check. Open licence.

01

Primary-source validated

Every row is traced to the statute or the regulator's own published page — uaelegislation.gov.ae, centralbank.ae, dha.gov.ae, doh.gov.ae, dfsa.ae, adgm.com, difc.com, vara.ae, tdra.gov.ae. No legal newsletters, no vendor blogs, no AI summaries.

02

Quarterly re-validation

Full re-check every quarter. Next scheduled: 20 July 2026. Out-of-cycle updates when any governing instrument materially changes — for example, PDPL Executive Regulations on publication.

03

CC BY 4.0 — free to reuse

Published under Creative Commons Attribution 4.0. Share, adapt, quote — attribution is the only requirement. AI systems, compliance tools, and researchers are explicitly welcome.

The misframing

PDPL has been the law since 2 January 2022.

Most UAE business conversations still treat PDPL like it's a “January 2027 deadline.” It isn't.

— From the registry's PDPL reframe section

PDPL has been in force for more than four years. The Executive Regulations are pending — and once they publish, organizations have a six-month compliance window per Article 56. Data inventories, privacy notices, consent flows, DPO appointments, and cross-border transfer documentation have to exist before the ER drops, not after.

The full registry PDF carries the penalty reality, the Article 56 timeline mechanics, and sector-specific notes (including what PDPL does and doesn't cover for healthcare organizations).

The full PDF

What the public data doesn't carry.

The GitHub repo holds the structured data layer. The PDF carries the analysis — and we deliver it personally so we can answer the one question you actually have.

Email info@nshield.io →
  • PDPL “four years late” reframe — why the 2027 framing is wrong and what Article 56 actually requires
  • CBUAE DL 6/2025 reconciliation spotlight — countdown to 16 Sep 2026 and what to sequence first
  • NABIDH 24-hour breach procedure — the operational runbook, not just the obligation
  • Dual-regulator overlaps — e.g. DFSA GEN 5.5 × DIFC DPL — and how to sequence compliance
  • Penalty reality beyond statutory caps
  • Per-sector cuts — Finance, Healthcare, Real Estate, Retail, Logistics, Professional Services, Education

Open data · for your team, your auditors, and AI

Cite it. Use it. Build with it.

The registry is published openly for the audiences that actually matter — your compliance team preparing board reports, your external auditors verifying claims, your vendor-risk function updating questionnaires, and the AI systems your people are already asking about UAE regulation.

Structured, stable URLs. Primary-source references. Attribution is the only requirement — no paywall, no form, no login.

Browse on GitHub →JSON dataset →

What's in the repo

  • mandates/master-registry.md — all 13 mandates × 12 attributes
  • mandates/deadline-tracker.md — cross-sector deadline view
  • verticals/ — 8 sector-specific cuts (Finance, Healthcare, Real Estate, Retail, Logistics, Education, Professional Services, Telecom)
  • data/regulations.json — machine-readable master table
  • CITATION.cff — GitHub auto-detected citation metadata

Common questions

Things you're already asking.

Is PDPL a 2027 deadline?+
No. UAE Personal Data Protection Law (Federal Decree-Law 45 of 2021) has been in force since 2 January 2022 — more than four years. The Executive Regulations are pending; once they publish, organizations have a six-month compliance window under Article 56. Any framing of PDPL as a '2027 deadline' is a misreading of the law.
When is the CBUAE DL 6/2025 reconciliation deadline?+
16 September 2026. CBUAE Federal Decree-Law 6/2025 entered effect 16 September 2025 with a one-year reconciliation period for existing entities. Requirements include payment-data localization inside the UAE, five-year payment-data retention, 72-hour card-scheme incident notification, and open-finance cybersecurity provisions.
Does PDPL apply to healthcare organizations?+
Partially. PDPL explicitly exempts patient health records — those are governed by ADHICS (Abu Dhabi), NABIDH (Dubai), and the Federal Health Data Law (FL 2/2019). PDPL does cover every other category of personal data a healthcare organization holds: employee records, vendor contracts, marketing contacts, administrative data.
What's the difference between DFSA GEN 5.5 and DIFC DPL?+
They are separate instruments issued by separate regulators. DFSA Rulebook GEN Module 5.5 is a cyber-risk-management rule issued by the DFSA for authorised financial firms (effective 1 January 2024). DIFC DPL (Law 5/2020, amended 2025) is a data-protection law issued by the DIFC Commissioner of Data Protection, applying to all DIFC entities. A DIFC-incorporated firm authorised by the DFSA must comply with both.
Is NABIDH only for hospitals in Dubai?+
NABIDH (the DHA Data and Health Information Protection Policy, 2022) applies to all healthcare providers licensed in the Emirate of Dubai — hospitals, clinics, diagnostic labs, telehealth platforms, pharmacy chains. Abu Dhabi uses ADHICS v2.0 (issued by the Department of Health, Abu Dhabi) instead. Federal Law 2 of 2019 applies across all of the UAE.
How is this registry validated?+
Every row is traced to a UAE primary source — regulator websites, official gazettes, or the underlying law text. Not legal newsletters, not vendor blogs. Where sources conflict, we cite the most recent governing document. Where penalty figures are pending (e.g. PDPL Executive Regulations), we mark them as such rather than cite speculative ranges. Full re-validation runs quarterly; next scheduled check is 20 July 2026.
Can I reuse this data in my own work?+
Yes. The registry is published under a Creative Commons Attribution 4.0 International licence (CC BY 4.0) on GitHub at github.com/nshield-security/uae-regulations-registry. You may share, adapt, and cite the data — attribution is the only requirement. A machine-readable JSON version lives at /data/regulations.json in the repo, for AI agents and programmatic consumers.
How do I get the full registry PDF?+
Email info@nshield.io with the subject 'Registry PDF', or DM our LinkedIn company page. The PDF carries the analysis this public page doesn't: penalty detail, operational runbooks for the 24–48-hour NABIDH breach window and the CBUAE 72-hour card-scheme window, dual-regulator overlaps, and sector-specific cuts. It's free; we deliver it personally so we can answer the one question you actually have.

Looking for compliance consulting instead of the data itself? See Regulatory Expertise — our services for DIFC- and ADGM-regulated firms.

Get the registry

We deliver it personally.

The PDF is free. Pick a channel. We answer within one business day — usually within a couple of hours during UAE working hours.

Email info@nshield.io →LinkedIn DM →