In Force | Banking, Insurance, Financial services, Payment services
CBUAE Cybersecurity Framework for Financial Institutions
Also known as: CBUAE Cyber Framework (UAE)
Central Bank of UAE cybersecurity framework requiring licensed financial institutions to implement comprehensive cybersecurity programs. Mandates cyber risk governance, security controls, incident response, and third-party risk management aligned with international standards.
Jurisdiction: United Arab Emirates
Regulator: —
Effective: 1/1/2021
Sector: Banking, Insurance, Financial services, Payment services
Full Text / Summary
The Central Bank of the UAE (CBUAE) Cybersecurity Framework for Financial Institutions establishes cybersecurity requirements for banks, insurance companies, and other financial institutions regulated by CBUAE. The Framework is structured around five domains: governance and compliance; risk management; operations and technology; third-party management; and resilience. Financial institutions must implement the Framework based on their risk profile and systemic importance. Key requirements include: board-approved cybersecurity strategy; Chief Information Security Officer (CISO) appointment; annual cybersecurity risk assessments; penetration testing; security operations center; incident response plan; and business continuity planning. The Framework requires institutions to report cybersecurity incidents to CBUAE within 4 hours for critical incidents and 24 hours for significant incidents. Third-party and cloud service providers must comply with the Framework's requirements when providing services to regulated institutions. CBUAE conducts regular cybersecurity examinations of regulated institutions to assess compliance.