Understanding NESA Compliance For UAE Cybersecurity Law

NESA, short for the National Electronic Security Authority, is the federal body in the United Arab Emirates (UAE) responsible for advancing cyber security in the country.
To promote cyber awareness and build a secure culture around information technology, NESA publishes the UAE Information Assurance Standards (UAE IAS), a set of strategies, policies, and standards that define cyber security compliance in the United Arab Emirates.

Adherence to the NESA standard, as described in the UAE IA Standards, is mandatory for government and semi-government entities and for business organizations recognized as ‘critical infrastructure’ in the UAE.

NESA Compliance - We Talk About

What is UAE IAS?

NESA is responsible for security culture in the UAE. The UAE Information Assurance Standards (UAE IAS), a set of standards and policy guidelines, strengthen the security of the UAE’s critical information infrastructure (CII).

NESA UAE Compliance Objectives

By complying with NESA UAE Information Assurance Standards, organizations make sure that:

When was NESA regulation formed?

The National Electronic Security Authority (NESA) was formed on June 25, 2014, and it announced important security policies and standards to align with the UAE's national cyber-security efforts. The announcement came after a meeting with key members of UAE federal and local entities that were part of the ‘National Cyber Security Program’.

NESA Compliance - A snapshot

NESA stands for National Electronic Security Authority, which is a federal authority established in the United Arab Emirates (UAE) in 2012 to enhance the cybersecurity of the country's critical information infrastructure (CII) and combat cyber threats. NESA's mission is to ensure the protection and resilience of the UAE's critical information infrastructure through risk management, capacity building, and the adoption of best practices in cybersecurity. NESA is responsible for developing and implementing national strategies and policies related to cybersecurity, conducting cybersecurity awareness campaigns, and regulating the implementation of cybersecurity standards and regulations across all sectors of the economy, including government entities, critical infrastructure operators, and the private sector.
NESA Compliance stands for National Electronic Security Authority Compliance, which is a set of guidelines developed by the UAE's National Electronic Security Authority (NESA) to protect the country's critical information infrastructure (CII) from cyber threats. NESA Compliance mandates the implementation of information security controls in organizations operating within the UAE, including government entities, critical infrastructure operators, and companies in the private sector. It requires organizations to adopt a risk-based approach to cybersecurity and establish an information security management system (ISMS) to identify, assess, and mitigate cyber risks.
NESA Compliance consists of 188 security controls categorized under two families: Management and Technical security controls.
NESA Compliance applies to all organizations operating within the United Arab Emirates (UAE), including government entities, critical infrastructure operators, and companies in the private sector. This includes organizations that provide services related to the UAE's critical information infrastructure, such as telecommunications, finance, energy, healthcare, transportation, and government services.

The scope of SAMA (Saudi Arabian Monetary Authority) regulation is vast and covers a wide range of financial activities and institutions operating in Saudi Arabia.

SAMA is responsible for regulating and supervising the entire financial system in Saudi Arabia, including banks, insurance companies, exchange houses, financial intermediaries, and other financial institutions.

The scope of SAMA regulation covers various areas such as monetary policy, financial stability, consumer protection, and financial market development.

SAMA also sets rules and regulations for payment systems, credit card operations, electronic banking, and other financial services offered by institutions operating within Saudi Arabia.

In addition, SAMA is responsible for ensuring that financial institutions operating in Saudi Arabia comply with international standards, such as Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) policies and procedures.

Some common SAMA Compliance requirements that financial institutions must adhere to include:

  • Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT) policies and procedures to detect, prevent, and report suspicious activities.
  • Know Your Customer (KYC) policies to verify the identities of customers and prevent fraud.
  • Regular reporting and disclosure of financial information to SAMA.
  • Maintaining adequate records and documentation to support compliance efforts.
  • Regular training of employees to ensure they are aware of the latest SAMA regulations and compliance requirements.



NESA Controls List

How to meet NESA compliance requirements?

The UAE-NESA standards have 188 security controls, grouped into management-level controls and technical security controls. 60 are management controls and the other 128 are technical.

The NESA security controls are based on 24 types of threats, and each control is assigned a priority level according to the volume of data breaches caused by the corresponding type of attack.

NESA UAE families of management controls and technical controls

| NESA Management Control Family | Controls | NESA Technical Control Family | Controls |
|---|---|---|---|
| M1: Strategy and Planning | 15 | T1: Asset management | 10 |
| M2: Information Security Risk Management | 11 | T2: Physical & environmental security | 16 |
| M3: Awareness and Training | 8 | T3: Operations management | 17 |
| M4: Human Resource Security | 8 | T4: Communications | 15 |
| M5: Compliance | 13 | T5: Access control | 22 |
| M6: Performance Evaluation & Improvement | 5 | T6: 3rd-party security | 6 |
| | | T7: Information systems acquisition, development and maintenance | 25 |
| | | T8: Information security incident management | 13 |
| | | T9: Information security continuity management | 4 |

These controls are further categorized by priority using a 4-tier layered approach.

P1 (Priority 1) is the highest priority and P4 is the lowest.

NESA Controls Priority Levels

Each NESA control has one of four priority levels. 39 of the 188 controls are Priority 1 controls, which contribute to 20% of security threats. Moreover, under the tiered approach, Priority 1 controls are mandatory to apply, whereas none of the technical controls are “always applicable”.

NESA’s Audit & Compliance Process

NESA Compliance Consulting, Audit & Implementation

The SAMA Compliance Audit service typically involves an audit of a financial institution's cybersecurity systems and processes to ensure compliance with the SAMA Cybersecurity Framework. We may assess the financial institution's cybersecurity posture and identify gaps, weaknesses, and areas for improvement. Based on the audit findings, we may offer recommendations and remediation plans to help the institution achieve compliance with the SAMA Cybersecurity Framework, so that it is adequately protected against cyber threats and complies with SAMA's regulations.

GAP Assessment

A GAP assessment is important for NESA compliance because it is a critical first step in ensuring that a business is adequately protected against cyber threats. The review also helps to identify any gaps or areas of weakness in a company's security framework and provides recommendations for remediation.

Risk Assessment

Conducting an ISMS risk assessment based on the NESA UAE National Cyber Risk Management Framework is essential for organizations operating in the UAE. It enables them to identify and prioritize cyber risks, develop risk treatment plans, meet regulatory requirements, and improve their cyber resilience.

Risk Treatment Plan

The NESA Compliance Risk Treatment Plan is a critical component of achieving NESA compliance. It ensures that identified gaps and risks are addressed in a systematic and effective manner, remediating them and enhancing the organization's overall security posture.

Policy & Procedure Implementation

Periodic Security Testing

Implementation of Controls

Status & Progress report

NESA Internal Audits
