The United Arab Emirates has built one of the most active cyber-regulation regimes in the MENA region. Federal entities, banks, telecommunications providers, healthcare operators, and Critical Information Infrastructure (CII) owners all face binding rules that explicitly require structured vulnerability management and regular penetration testing.
This guide walks through the five regulations that matter most when building a UAE-defensible vulnerability management programme: the UAE Information Assurance Standards (issued by the Signals Intelligence Agency, formerly NESA); CBUAE's cyber-risk regulations for licensed financial institutions; DESC's Information Security Regulation for Dubai government and selected sectors; ADHICS for Abu Dhabi healthcare; and TDRA's cybersecurity obligations for telecommunications and digital service providers.
UAE IAS: the foundational national framework
The UAE Information Assurance Standards (IAS), issued by the SIA and applied to federal entities and CII operators, define the baseline cyber-security controls every UAE entity should treat as the floor. The IAS is divided into Management (M) and Technology (T) control families. Vulnerability management sits primarily in T7, with penetration testing in T7.5 and patch management as part of T7.4.
- T7.4 Patch management: documented patch cycles with risk-based prioritisation. Auditors expect SLA tiers tied to severity and criticality.
- T7.5 Vulnerability assessment & penetration testing: periodic VA and pen testing, with findings tracked through closure. Annual cadence is the floor; CII operators are expected to test more frequently.
- M1.2 Risk register: current vulnerability findings must roll up into the entity's ISMS-level risk register, with named accountable owners.
- T2.4 Asset classification: vulnerability findings inherit the criticality and confidentiality classification of the assets they affect.
See our dedicated UAE IAS compliance page for a control-by-control mapping of how Centraleyezer covers the IAS Technology controls.
CBUAE: vulnerability management for UAE banks
The Central Bank of the UAE issues binding cyber-security regulations on every licensed bank, exchange house, finance company, and payment-service provider in the country. The framework explicitly requires:
- Vulnerability and threat management with documented, risk-based remediation timelines for findings on customer-facing and core-banking systems.
- Penetration testing at least annually, plus event-driven testing after major architectural changes. Results must be tracked through closure, not filed as PDFs.
- Board-level cyber risk reporting: periodic, with KPIs and trend lines that show whether the cyber-risk posture is improving, holding, or degrading.
- ICT third-party risk management extending to vulnerabilities introduced through critical service providers and supply-chain components.
The Consumer Protection Standards reinforce the cyber-risk regulation by adding proportionate security expectations around customer-facing channels, which in practice raises the contextual risk weight on internet-exposed banking systems. Centraleyezer's CBUAE compliance page maps these obligations control-by-control.
DESC, ADHICS, and TDRA
DESC Information Security Regulation v2 (Dubai)
Applies to: Dubai Government entities and selected private-sector partners.
Requires: mandatory vulnerability assessments and penetration testing on a defined frequency, with findings risk-assessed and tracked through remediation. Asset classification ties vulnerability scope to confidentiality / availability / integrity ratings.
ADHICS v2.0 (Abu Dhabi Healthcare)
Applies to: healthcare entities operating under the Department of Health - Abu Dhabi.
Requires: vulnerability management as a Required Control. Periodic VA and pen testing must demonstrate that patient-data-handling systems are protected; findings feed into the entity's formal risk-treatment plan.
TDRA Cybersecurity Regulations
Applies to: telecommunications and digital-service providers across the UAE.
Requires: operator-grade vulnerability management with continuous scanning of customer-facing infrastructure and incident-driven re-assessment. Pen testing on a regulator-defined cadence.
PDPL: Federal Decree-Law No. 45 of 2021
Applies to: any controller or processor handling personal data of UAE residents.
Requires: the security obligations of Article 20 imply a vulnerability management programme as part of "appropriate technical and organisational measures." Demonstrable evidence of vulnerability and patch management is what regulators look for.
What every UAE programme needs in place
Across these five frameworks, the same set of operational evidence shows up again and again. If you can produce all of the following on demand, you are well-positioned for any UAE supervisory examination, IAS assessment, CBUAE inspection, or DESC review:
- A current asset inventory with criticality and classification ratings, including cloud and SaaS scope.
- A documented vulnerability management policy approved at senior-management level, with defined SLA tiers per severity and asset class.
- Continuous (not merely periodic) scanning evidence, timestamped and authenticated where applicable.
- A risk-based prioritisation method with documented factors. Raw CVSS-only ranking is increasingly flagged by Gulf assessors as insufficient.
- Findings lifecycle tracking: open → in remediation → verified, with an end-to-end audit trail.
- A risk-acceptance register for items not remediated within SLA, with named approver and review date.
- Penetration test reports linked to the same finding lifecycle, not stored separately as PDFs.
- Board / senior-management cyber-risk reports showing trend, SLA adherence, and material risk acceptances.
- Third-party / ICT supplier vulnerability evidence covering critical services.
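The checklist above describes a data model as much as a set of documents: findings with a classified asset, an SLA tier derived from severity and asset class, a constrained lifecycle with an audit trail, a risk-acceptance register for anything past SLA, and a KPI roll-up for senior management. The following Python is an added illustration of that model, written for this guide; it is not Centraleyezer code and does not reflect any regulator's published numbers. The SLA day counts, the rule that internet exposure halves the remediation window, and all sample findings are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    OPEN = "open"
    IN_REMEDIATION = "in remediation"
    VERIFIED = "verified"


# Allowed lifecycle moves. VERIFIED is terminal: a recurrence is a new finding,
# so the audit trail of the closed one is never rewritten.
TRANSITIONS = {
    State.OPEN: {State.IN_REMEDIATION},
    State.IN_REMEDIATION: {State.VERIFIED, State.OPEN},
    State.VERIFIED: set(),
}

# Remediation SLA in days keyed by (severity, asset criticality). Constructed
# illustration of "SLA tiers per severity and asset class"; no UAE regulator
# prescribes these exact values.
SLA_DAYS: Dict[Tuple[str, str], int] = {
    ("critical", "high"): 7, ("critical", "medium"): 14, ("critical", "low"): 30,
    ("high", "high"): 14, ("high", "medium"): 30, ("high", "low"): 60,
    ("medium", "high"): 30, ("medium", "medium"): 60, ("medium", "low"): 90,
    ("low", "high"): 90, ("low", "medium"): 180, ("low", "low"): 180,
}


@dataclass
class Finding:
    fid: str
    asset: str
    asset_criticality: str  # inherited from the asset's classification (IAS T2.4)
    severity: str
    internet_exposed: bool  # contextual factor beyond a raw CVSS score
    first_seen: date
    state: State = State.OPEN
    verified_on: Optional[date] = None
    audit: List[Tuple[date, str, str]] = field(default_factory=list)  # (when, actor, event)

    def sla_due(self) -> date:
        days = SLA_DAYS[(self.severity, self.asset_criticality)]
        if self.internet_exposed:
            days = max(1, days // 2)  # assumption: exposure halves the window
        return self.first_seen + timedelta(days=days)

    def transition(self, new: State, when: date, actor: str, note: str = "") -> None:
        if new not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.fid}: {self.state.name} -> {new.name} not allowed")
        self.audit.append((when, actor, f"{self.state.name} -> {new.name} {note}".strip()))
        self.state = new
        if new is State.VERIFIED:
            self.verified_on = when


@dataclass
class RiskAcceptance:
    fid: str
    approver: str
    accepted_on: date
    review_on: date
    rationale: str


def sla_status(f: Finding, today: date) -> str:
    """met/breached for closed findings, within_sla/overdue for open ones."""
    due = f.sla_due()
    if f.verified_on is not None:
        return "met" if f.verified_on <= due else "breached"
    return "within_sla" if today <= due else "overdue"


def needs_risk_acceptance(findings: List[Finding], register: List[RiskAcceptance], today: date) -> List[str]:
    """Overdue findings with no unexpired entry in the risk-acceptance register."""
    covered = {r.fid for r in register if r.review_on >= today}
    return [f.fid for f in findings if sla_status(f, today) == "overdue" and f.fid not in covered]


def kpi_report(findings: List[Finding], register: List[RiskAcceptance], today: date) -> Dict[str, object]:
    statuses = [sla_status(f, today) for f in findings]
    adherent = sum(s in ("met", "within_sla") for s in statuses)
    return {
        "total": len(findings),
        "unresolved": sum(f.state is not State.VERIFIED for f in findings),
        "overdue": statuses.count("overdue"),
        "breached_at_closure": statuses.count("breached"),
        "sla_adherence_pct": round(100 * adherent / len(findings), 1),
        "risk_accepted": len({r.fid for r in register if r.review_on >= today}),
        "awaiting_risk_acceptance": needs_risk_acceptance(findings, register, today),
    }


REPORT_DATE = date(2024, 6, 30)  # constructed reporting date


def build_sample() -> Tuple[List[Finding], List[RiskAcceptance]]:
    """Constructed findings and one constructed risk acceptance."""
    f1 = Finding("F-001", "internet-banking-web", "high", "critical", True, date(2024, 6, 1))
    f1.transition(State.IN_REMEDIATION, date(2024, 6, 2), "appsec-lead", "vendor patch")
    f1.transition(State.VERIFIED, date(2024, 6, 4), "scanner", "rescan clean")
    f2 = Finding("F-002", "core-banking-db", "high", "high", False, date(2024, 6, 10))
    f2.transition(State.IN_REMEDIATION, date(2024, 6, 12), "dba-team", "next change window")
    f3 = Finding("F-003", "hr-portal", "medium", "medium", False, date(2024, 5, 1))
    f4 = Finding("F-004", "legacy-batch-server", "low", "high", False, date(2024, 3, 1))
    f5 = Finding("F-005", "payments-api", "high", "critical", True, date(2024, 5, 20))
    f5.transition(State.IN_REMEDIATION, date(2024, 5, 21), "platform-team")
    f5.transition(State.VERIFIED, date(2024, 5, 28), "scanner", "rescan clean")
    register = [RiskAcceptance("F-004", "CISO", date(2024, 5, 2), date(2024, 9, 30),
                               "isolated segment; decommission planned")]
    return [f1, f2, f3, f4, f5], register


def run_example() -> Dict[str, object]:
    findings, register = build_sample()
    return kpi_report(findings, register, REPORT_DATE)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Two points the code makes that the checklist only states: F-005 closes in state "verified" yet still counts as an SLA breach, because the deadline is evaluated against the verification date rather than the current state; and F-004 is overdue but drops out of the "awaiting risk acceptance" list only while its register entry's review date is in the future, which is the review-date discipline assessors look for.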
Common questions
Is penetration testing legally mandatory in the UAE?
For entities in scope of the UAE IAS (federal entities and CII operators), CBUAE-licensed financial institutions, DESC-regulated Dubai entities, ADHICS-regulated healthcare providers, and TDRA-regulated telecom and digital-service providers: yes. Outside those frameworks, penetration testing is treated as a strongly expected good-practice control rather than an explicit legal mandate.
How often does the UAE expect penetration tests?
The consensus floor across the regulators is annually, with event-driven re-tests after material architectural change. CBUAE inspectors and SIA assessors increasingly expect more frequent testing for customer-facing and core-banking systems.
Does Centraleyezer support Arabic for UAE deployments?
Yes. The website is available in Arabic (with RTL layout), and the platform itself can be deployed in the UAE under either the SaaS plan or as a self-hosted Enterprise / MSSP deployment in your own UAE-region cloud or on-prem environment.
How does Centraleyezer map to the UAE frameworks?
See the dedicated UAE IAS and CBUAE compliance pages for control-by-control mapping. In short: contextual six-factor scoring satisfies the risk-based prioritisation expectation; SLA tracking satisfies the patch-management cadence requirement; the audit trail and evidence exports satisfy supervisory-examination requirements; and the platform supports both UAE-region SaaS and self-hosted deployments.