GRC · December 2, 2024 · 22 min read

CBUAE Information Security Regulations: Compliance Guide for UAE Banks

Complete implementation guide for the Central Bank of UAE Information Security Regulations covering requirements for banks, exchange houses, and financial institutions in the UAE.

Asfaleia Team, Security Consultant

Key figures at a glance:
  • Incident report: 24 hrs
  • Log retention: 5 yrs
  • Critical patch: 30 days
  • Critical RTO: 4 hrs

Understanding CBUAE Requirements

The Central Bank of the UAE (CBUAE) has issued comprehensive Information Security Regulations establishing mandatory cybersecurity requirements for all licensed financial institutions (LFIs) operating in the United Arab Emirates.

Who Must Comply

CBUAE regulations apply to UAE national banks, foreign bank branches, exchange houses, finance companies, insurance companies, payment service providers, and digital banks operating in the UAE.

Core Compliance Areas

  • Phase 1, Governance: board oversight, CISO role, security function
  • Phase 2, Technical Controls: network, IAM, data, application security
  • Phase 3, Operations: SOC, vulnerability management, incident response
  • Phase 4, Business Continuity: BCP, DR, recovery objectives

Governance Requirements

Board Responsibilities

  • Approve security strategy
  • Oversee cyber risk
  • Ensure resources
  • Review incidents

Management Requirements

  • Appoint CISO
  • Establish security function
  • Implement policies
  • Conduct assessments

Technical Control Requirements

Network Security

  • Segmentation
  • Firewall/IPS
  • DMZ architecture
  • Secure remote access

Access Management

  • Unique user IDs
  • Role-based access
  • MFA required
  • PAM controls

Data Protection

  • 4-level classification
  • Encryption at rest/transit
  • DLP implementation
  • Secure disposal

MFA Requirements

Multi-factor authentication is mandatory for all remote access, privileged accounts, customer-facing systems, and critical applications. This is a foundational control for CBUAE compliance.

Vulnerability Remediation Timelines

Remediation SLAs (calendar days from discovery)

  • Critical: 30 days
  • High: 60 days
  • Medium: 90 days
  • Low: 180 days
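The SLA table above is only useful if every finding is actually measured against it. The script below is an added example (not part of the original article or of any CBUAE publication): it takes a list of vulnerability findings, computes each one's due date from the severity tiers quoted above, and classifies it as met, breached, open or overdue, so the output doubles as evidence for an audit. The finding identifiers, dates and severities are constructed sample data, and the "as of" date is assumed to be the article's publication date; findings with an unrecognised severity are rejected rather than silently dropped from the report.

```python
"""Remediation SLA tracker for vulnerability findings.

Added example, not part of the original article or any CBUAE publication:
it checks a list of findings against the remediation timelines quoted in the
article (Critical 30, High 60, Medium 90, Low 180 calendar days from
discovery). The finding records, dates and identifiers below are constructed
sample data, and the "as of" date is assumed to be the article's own date.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs from the article, in calendar days counted from discovery.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}

# Assumed reporting date (the article's publication date), used when a
# finding is still open.
AS_OF = date(2024, 12, 2)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


def sla_due_date(finding: Finding) -> date:
    """Date by which the finding must be remediated under the SLA table."""
    sev = finding.severity.strip().lower()
    if sev not in SLA_DAYS:
        # A finding with no recognised severity must not silently drop out
        # of the SLA report; fail loudly so the record gets corrected.
        raise ValueError(f"{finding.finding_id}: unknown severity {finding.severity!r}")
    return finding.discovered + timedelta(days=SLA_DAYS[sev])


def evaluate(finding: Finding, as_of: date = AS_OF) -> dict:
    """Classify one finding: met / breached if closed, open / overdue if still open.

    days_past_due is negative while the finding is inside its SLA window.
    """
    due = sla_due_date(finding)
    if finding.remediated is not None:
        if finding.remediated < finding.discovered:
            raise ValueError(f"{finding.finding_id}: remediated before discovered")
        status = "met" if finding.remediated <= due else "breached"
        days_past_due = (finding.remediated - due).days
    else:
        status = "overdue" if as_of > due else "open"
        days_past_due = (as_of - due).days
    return {
        "id": finding.finding_id,
        "severity": finding.severity.strip().lower(),
        "due": due,
        "status": status,
        "days_past_due": days_past_due,
    }


def sla_report(findings, as_of: date = AS_OF):
    """Evaluate every finding; return per-finding results, status counts and
    the proportion of closed findings that were fixed inside their SLA."""
    results = [evaluate(f, as_of) for f in findings]
    summary = {"met": 0, "breached": 0, "open": 0, "overdue": 0}
    for r in results:
        summary[r["status"]] += 1
    closed = summary["met"] + summary["breached"]
    within_sla_rate = (summary["met"] / closed) if closed else None  # None: nothing closed yet
    return results, summary, within_sla_rate


# Constructed sample findings (not real data).
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "Critical", date(2024, 9, 1), remediated=date(2024, 9, 20)),
    Finding("VULN-0002", "Critical", date(2024, 9, 1), remediated=date(2024, 10, 15)),
    Finding("VULN-0003", "High", date(2024, 10, 15)),
    Finding("VULN-0004", "Medium", date(2024, 8, 1)),
    Finding("VULN-0005", "Low", date(2024, 11, 20)),
]


if __name__ == "__main__":
    results, summary, rate = sla_report(SAMPLE_FINDINGS)
    for r in results:
        print(f"{r['id']:10} {r['severity']:8} due {r['due']} "
              f"{r['status']:8} ({r['days_past_due']:+d} days)")
    print("summary:", summary, "| within-SLA rate for closed findings:",
          "n/a" if rate is None else f"{rate:.0%}")
```

Run it as a script to print one line per finding plus the summary. In practice the `SAMPLE_FINDINGS` list would be replaced by an export from the scanner or ticketing system, and the within-SLA rate is the number an auditor will ask for first.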

Recovery Objectives

  • Critical systems: RTO 4 hours, RPO 1 hour
  • Important systems: RTO 24 hours
  • Standard systems: RTO 72 hours

Cloud Services

CBUAE approval is required for material outsourcing including cloud services. Data residency, security assessments, contractual protections, and encryption requirements must be addressed before cloud adoption.

Implementation Roadmap

1. Assessment (weeks 1-8): gap assessment, risk evaluation, roadmap
2. Foundation (weeks 9-20): governance, policies, core controls
3. Enhancement (weeks 21-36): advanced controls, automation, training
4. Optimization (weeks 37-52): continuous improvement, audit readiness

CBUAE Compliance Checklist

Governance
  • Board oversight established
  • CISO appointed
  • Security function staffed
  • Policies documented

Technical Controls
  • Network segmentation
  • MFA implemented
  • Data encryption
  • Vulnerability scanning

Operations
  • 24/7 SOC monitoring
  • Incident response plan
  • 5-year log retention
  • Patch management

Third-Party
  • Vendor due diligence
  • Contract requirements
  • Cloud approvals
  • Ongoing monitoring

Consumer Protection Integration

CBUAE Information Security Regulations integrate with Consumer Protection Regulations including data privacy, consent management, breach notification, and customer rights to access, correct, and delete their data.

Tags: CBUAE, UAE, Information Security, Banking, Financial Services, Compliance

UAE financial sector compliance expert specializing in CBUAE regulations, helping banks and financial institutions achieve and maintain regulatory compliance.
