Understanding NESA Compliance for UAE Cybersecurity Law

NESA Compliance - An Overview

What is NESA Cyber Security Regulation?

NESA, the National Electronic Security Authority, is the federal body in the United Arab Emirates (UAE) responsible for developing cyber security across the UAE.

To build cyber awareness and a secure culture around information technology, NESA publishes the UAE Information Assurance Standards (UAE IAS), a set of strategies, policies, and standards that define cyber security compliance in the United Arab Emirates.

Adherence to the NESA standard, as described in the UAE IA Standards, is mandatory for government and semi-government entities and for business organizations recognized as ‘critical infrastructure’ in the UAE.

What is UAE IAS?

NESA is responsible for the security culture in the UAE. The protection of the UAE’s critical information infrastructure (CII) is strengthened by the UAE Information Assurance Standards (UAE IAS), a set of standards and policy guidelines.

NESA UAE Compliance Objectives

By complying with the NESA UAE Information Assurance Standards, organizations ensure that they:

  • Safeguard the UAE’s information assets and reduce risk
  • Secure critical digital infrastructure and IT systems against cyber threats
  • Implement effective security controls
  • Promote cyber security awareness
  • Build human capital and IT security readiness

When was NESA regulation formed?

Formed on June 25, 2014, the National Electronic Security Authority (NESA) announced key security policies and standards to align with the UAE’s national cyber security efforts.

The announcement followed a meeting with key members of UAE federal and local entities that were part of the ‘National Cyber Security Program’.

Why was NESA Compliance formed?

NESA Controls List

The UAE NESA standard has 188 security controls, grouped into management-level and technical-level controls: 60 are management controls and the other 128 are technical controls.

Of these 188 controls, 136 sub-controls are mandatory and 564 sub-controls are driven purely by risk assessment. The 188 controls of the NESA UAE IAS operate under a tier-based methodology.

NESA Security Control Implementation and Priority level


NESA UAE Controls Standards

Management control families (number of controls):

  • M1: Strategy and Planning (15)
  • M2: Information Security Risk Management (11)
  • M3: Awareness and Training (8)
  • M4: Human Resource Security (8)
  • M5: Compliance (13)
  • M6: Performance Evaluation & Improvement (5)

Technical control families (number of controls):

  • T1: Asset management (10)
  • T2: Physical & environmental security (16)
  • T3: Operations management (17)
  • T4: Communications (15)
  • T5: Access control (22)
  • T6: 3rd-party security (6)
  • T7: Information systems acquisition, development and maintenance (25)
  • T8: Information security incident management (13)
  • T9: Information security continuity management (4)

NESA UAE families of management controls and technical controls

These controls are further categorized using a four-tier, priority-based approach, with P1 (Priority 1) the highest and P4 the lowest.

NESA security controls are also based on 24 types of threats, and each control is assigned a priority level according to the volume of data breaches the corresponding type of attack has caused.

Number of controls per priority level:

  • P1: 39
  • P2: 69
  • P3: 35
  • P4: 45

Each control has one of four priorities.

39 of the 188 controls are Priority 1 controls, which correspond to 20% of security threats. Under the tiered approach, Priority 1 controls are mandatory, whereas none of the technical controls are “always applicable”.

NESA audit and compliance process

  • Gap audit
  • Risk assessment
  • Compliance audits

NESA UAE Cyber Security Regulation Summary
