Understanding NESA Compliance for UAE Cybersecurity Law

What is NESA Cyber Security Regulation?

NESA, the National Electronic Security Authority, is the federal body in the United Arab Emirates (UAE) responsible for the development of cyber security across the UAE.

To build cyber awareness and a security-minded culture around information technology, NESA publishes the UAE Information Assurance Standards (UAE IAS), a set of strategies, policies and standards that define cyber security compliance in the United Arab Emirates.

Adherence to the NESA standard, as described in the UAE IA Standards, is mandatory for government and semi-government entities, and for business organizations recognized as ‘critical infrastructure’ in the UAE.

What is UAE IAS?

NESA is responsible for the security culture of the UAE. The security of the UAE’s critical data and information (CII) is strengthened considerably by the UAE Information Assurance Standards (UAE IAS), a set of standards, policies and guidelines.

NESA UAE Compliance Objectives

By complying with the NESA UAE Information Assurance Standards, organizations make sure that they:

  • Safeguard the UAE’s information assets and reduce risk
  • Secure critical digital infrastructure and IT systems against cyber vulnerabilities
  • Implement effective security controls
  • Promote cyber security awareness
  • Pave the way for human capital and IT security readiness

When was NESA regulation formed?

Formed on June 25, 2014, the National Electronic Security Authority (NESA) announced key security policies and standards to align with the UAE’s national cyber security efforts.

The announcement followed a meeting with key members of the UAE federal and local entities that were part of the ‘National Cyber Security Program’.

Why was NESA Compliance formed?

NESA Controls List

The UAE NESA standards define 188 security controls, grouped into management-level and technical-level controls: 60 are management controls and the other 128 are technical.

Beneath these 188 controls there are 136 mandatory sub-controls and 564 sub-controls whose applicability is driven purely by risk assessment. The 188 controls of the NESA UAE IAS are applied under a tier-based methodology.

NESA Security Control Implementation and Priority level

NESA UAE Controls Standards

Management control family                                   Controls
M1: Strategy and Planning                                   15
M2: Information Security Risk Management                    11
M3: Awareness and Training                                  8
M4: Human Resource Security                                 8
M5: Compliance                                              13
M6: Performance Evaluation & Improvement                    5
Total management controls                                   60

Technical control family                                    Controls
T1: Asset management                                        10
T2: Physical & environmental security                       16
T3: Operations management                                   17
T4: Communications                                          15
T5: Access control                                          22
T6: 3rd-party security                                      6
T7: Information systems acquisition, development and maintenance   25
T8: Information security incident management                13
T9: Information security continuity management              4
Total technical controls                                    128

NESA UAE families of management controls and technical controls

These controls are further categorized using a four-tier layered approach based on priority: P1 (Priority 1) is the highest and P4 the lowest.

The NESA security controls are also mapped to 24 threat types, and each control is assigned its priority level according to the volume of data breaches the corresponding type of attack has caused.

Priority    Controls
P1          39
P2          69
P3          35
P4          45
Total       188

Each control has one of four priorities

39 of the 188 controls are Priority 1 controls, which account for 20% of security threats. Under the tiered approach, Priority 1 controls are mandatory to implement, whereas none of the technical controls are “always applicable”.

NESA audit and compliance process

  • Gap audit
  • Training
  • Risk assessment
  • Implementation
  • Compliance audits

NESA UAE Cyber Security Regulation Summary
