Quick Answer: The CBUAE Cybersecurity Framework is a mandatory regulatory standard issued by the Central Bank of the UAE for every institution it licenses and supervises. It covers 9 domains: governance, risk management, architecture, identity and access management, third-party risk, data protection, threat and vulnerability management, incident management, and awareness. Compliance is assessed by CBUAE examiners; non-compliance can result in directed remediation, licence conditions, or regulatory sanctions. eShield IT provides gap assessments (3–4 weeks, full report with domain-by-domain scoring) and end-to-end compliance programmes for UAE banks, fintechs, and payment service providers.
What Is the CBUAE Cybersecurity Framework?
The Central Bank of the UAE (CBUAE) issued its Cybersecurity Framework to establish minimum cybersecurity standards for all entities it licenses and supervises — including commercial banks, Islamic banks, exchange houses, finance companies, and payment service providers.
The framework was developed in alignment with international standards (NIST Cybersecurity Framework, ISO 27001, PCI DSS) but tailored specifically for the UAE financial sector’s threat landscape and operational context. Compliance is not optional — the CBUAE has the authority to issue directives, impose remediation timelines, and apply regulatory sanctions for non-compliance.
CBUAE Cybersecurity Framework — 9 Domains
| Domain | Key Requirements | Common Gaps |
|---|---|---|
| 1. Cybersecurity Governance | Board-level oversight, CISO appointment, cybersecurity policy framework | No formal cybersecurity committee; CISO role combined with IT Director |
| 2. Cybersecurity Risk Management | Annual risk assessment, risk register, risk appetite statement | Informal risk tracking in spreadsheets; no documented risk appetite |
| 3. Cybersecurity Architecture | Network segmentation, secure configuration standards, defence-in-depth | Flat network architecture; missing firewall rule reviews |
| 4. Identity and Access Management | MFA for privileged access, PAM controls, quarterly access reviews | Shared admin accounts; no PAM solution; stale accounts not revoked |
| 5. Third-Party Risk Management | Vendor cybersecurity assessments, contractual security clauses, due diligence | No vendor risk scoring; no security requirements in supplier contracts |
| 6. Data and Information Protection | Data classification, encryption at rest and in transit, DLP controls | No data classification policy; unencrypted sensitive data in legacy systems |
| 7. Threat and Vulnerability Management | Quarterly vulnerability scanning, annual penetration testing, patch management SLAs | Irregular patching; no formal vulnerability tracking; VAPT not performed |
| 8. Incident Management | Documented IRP, CBUAE incident reporting timelines (72 hours for significant incidents), tabletop exercises | Generic IRP not tested; unclear escalation paths; CBUAE notification process undefined |
| 9. Cybersecurity Awareness | Annual security training for all staff, phishing simulation, board-level awareness | Ad hoc training; no phishing simulation program; no board cyber briefing |
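To make the Domain 4 controls concrete, here is what a quarterly access review looks like when it is run as a repeatable check rather than a manual spreadsheet pass. This is an added example written for this page; it is not eShield IT tooling and it is not a procedure the CBUAE prescribes. The account export, its field names, the 90-day dormancy threshold and the list of generic admin names are all assumptions chosen for illustration. It flags the exact gaps listed in the table: stale accounts, leavers whose accounts were never revoked, privileged accounts without MFA, shared or unowned admin accounts, and service accounts that are not vaulted in a PAM tool.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review parameters (illustrative, not CBUAE-mandated values).
REVIEW_DATE = date(2024, 6, 30)
DORMANT_AFTER = timedelta(days=90)
GENERIC_NAMES = {"admin", "administrator", "root", "sa"}

# Constructed sample export from an identity store. Field names are assumptions;
# a real review would pull these from AD/IdP and the HR system.
ACCOUNTS = [
    {"user": "a.khan",     "type": "human",   "owner": "Aisha Khan",   "privileged": True,  "mfa": True,  "vaulted": False, "enabled": True,  "last_login": "2024-06-28", "hr_status": "active"},
    {"user": "admin",      "type": "human",   "owner": "",             "privileged": True,  "mfa": False, "vaulted": False, "enabled": True,  "last_login": "2024-06-29", "hr_status": "n/a"},
    {"user": "j.doe",      "type": "human",   "owner": "John Doe",     "privileged": False, "mfa": True,  "vaulted": False, "enabled": True,  "last_login": "2024-02-10", "hr_status": "active"},
    {"user": "m.ali",      "type": "human",   "owner": "Mohammed Ali", "privileged": True,  "mfa": True,  "vaulted": False, "enabled": True,  "last_login": "2024-06-01", "hr_status": "left"},
    {"user": "svc-backup", "type": "service", "owner": "Infra team",   "privileged": True,  "mfa": False, "vaulted": False, "enabled": True,  "last_login": "",           "hr_status": "n/a"},
    {"user": "old.user",   "type": "human",   "owner": "Former Staff", "privileged": False, "mfa": False, "vaulted": False, "enabled": False, "last_login": "2023-01-05", "hr_status": "left"},
]


@dataclass(frozen=True)
class Finding:
    user: str
    check: str
    detail: str


def review_accounts(accounts, review_date=REVIEW_DATE, dormant_after=DORMANT_AFTER):
    """Run the access-review checks over an account export and return findings."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled: nothing to revoke, out of scope for this pass

        # Joiner/mover/leaver: HR says the person has left but the account is still live.
        if a["hr_status"] == "left":
            findings.append(Finding(a["user"], "leaver-not-revoked",
                                    "HR status 'left' but account still enabled"))

        # Dormancy applies to interactive (human) accounts only; service accounts
        # legitimately never log in interactively, so they are judged on vaulting instead.
        if a["type"] == "human":
            if a["last_login"]:
                idle = review_date - date.fromisoformat(a["last_login"])
                if idle > dormant_after:
                    findings.append(Finding(a["user"], "dormant",
                                            f"no login for {idle.days} days"))
            else:
                findings.append(Finding(a["user"], "dormant", "no login record"))

        if a["privileged"]:
            if a["type"] == "human" and not a["mfa"]:
                findings.append(Finding(a["user"], "privileged-no-mfa",
                                        "privileged human account without MFA"))
            if a["type"] == "service" and not a["vaulted"]:
                findings.append(Finding(a["user"], "service-not-vaulted",
                                        "privileged service account not managed by PAM"))
            # Shared/generic admin identities cannot be attributed to one person.
            if not a["owner"].strip() or a["user"].lower() in GENERIC_NAMES:
                findings.append(Finding(a["user"], "shared-or-unowned-admin",
                                        "generic or unowned privileged account"))
    return findings


def summarise(findings):
    """Count findings per check; this is the table that goes into the evidence pack."""
    counts = {}
    for f in findings:
        counts[f.check] = counts.get(f.check, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS)
    for f in results:
        print(f"{f.user:12} {f.check:26} {f.detail}")
    print(summarise(results))
```

The value for an examiner is not the script itself but the artefacts it lets you keep: the export it ran against, the findings list, and the ticket or sign-off that closed each finding. Storing those three per quarter is what turns "we do access reviews" into evidence.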
Who Must Comply with the CBUAE Cybersecurity Framework?
The framework applies to all entities licensed and supervised by the Central Bank of the UAE, including:
- Commercial and Islamic banks operating in the UAE
- Exchange houses and money transfer operators
- Finance companies and consumer credit providers
- Payment service providers and payment token service providers
- Insurance companies (where also supervised by CBUAE for related financial products)
- Designated non-financial businesses and professions (DNFBPs) subject to CBUAE oversight
If your organisation holds a CBUAE licence and has not completed a formal gap assessment against the framework, you cannot evidence compliance to an examiner and are likely to have gaps in several domains.
CBUAE Compliance — Our Engagement Model
| Phase | What We Do | Deliverable | Timeline |
|---|---|---|---|
| 1. Gap Assessment | Assess current state against all 9 CBUAE framework domains; interview key stakeholders; review policies, architecture, and controls | Gap Assessment Report with domain-by-domain scoring and remediation roadmap | 3–4 weeks |
| 2. Remediation Planning | Prioritise gaps by regulatory risk and implementation effort; create 90/180/365-day remediation roadmap aligned to CBUAE timelines | Remediation Roadmap with effort estimates, ownership matrix, and budget guidance | 1–2 weeks |
| 3. Control Implementation | Support implementation of priority controls: policy drafting, technical configuration, PAM deployment, VAPT execution, awareness program delivery | Implemented controls, evidence packs, updated policy library | 3–9 months (scope-dependent) |
| 4. Audit Readiness Review | Pre-assessment review simulating CBUAE examiner approach; identify any remaining gaps before formal assessment | Readiness Report with exam-ready evidence pack | 2–3 weeks |
| 5. Ongoing Advisory | Post-compliance retainer: annual VAPT, quarterly control reviews, incident response support, regulatory update monitoring | Monthly compliance status report, incident response on-call | Ongoing |
CBUAE Framework vs ISO 27001 vs PCI DSS — What’s the Difference?
Many UAE financial institutions ask whether achieving ISO 27001 or PCI DSS compliance satisfies CBUAE requirements. The short answer: partial overlap, but not substitution.
| Standard | Mandated by CBUAE? | Overlap with CBUAE Framework | Gap |
|---|---|---|---|
| ISO 27001 | Not mandated, but recommended | High — governance, risk, controls alignment | CBUAE has UAE-specific incident reporting timelines and financial sector controls not covered in ISO 27001 |
| PCI DSS v4.0 | Required by the card schemes if you store, process or transmit cardholder data | Medium — technology controls, logging, monitoring | PCI DSS scope is limited to the cardholder data environment; the CBUAE framework covers the entire organisation |
| NIST CSF | Not mandated | Very high — CBUAE framework is heavily NIST-aligned | NIST CSF is a voluntary framework; CBUAE adds enforcement, timelines, and UAE-specific requirements |
Organisations that are ISO 27001 certified will have a significant head start on CBUAE compliance; in eShield IT's experience, typically 40–60% of the required controls are already in place. A dedicated CBUAE gap assessment is still required to identify the financial-sector-specific gaps, in particular the incident reporting process and the controls ISO 27001 leaves to the organisation's own risk treatment.
CBUAE Framework Compliance — FAQ
What are the consequences of non-compliance with the CBUAE Cybersecurity Framework?
The CBUAE can issue formal directives requiring remediation within specified timelines, impose licence conditions restricting certain business activities, and ultimately apply regulatory sanctions up to and including licence revocation for persistent or severe non-compliance. In practice, most enforcement actions take the form of directed remediation with defined timelines — but ignoring those timelines escalates regulatory risk significantly. Proactive compliance is always less costly than reactive remediation under regulatory pressure.
How long does a CBUAE gap assessment take?
A thorough CBUAE Cybersecurity Framework gap assessment covering all 9 domains typically takes 3–4 weeks from kick-off to final report delivery. This includes stakeholder interviews (IT, Risk, Compliance, Operations), policy and architecture review, evidence collection, and gap analysis. Smaller or simpler organisations (e.g., exchange houses with limited IT environments) can be completed in 2–3 weeks.
Do we need to conduct annual penetration testing under the CBUAE framework?
Yes. Domain 7 (Threat and Vulnerability Management) requires annual penetration testing of critical systems and applications, quarterly vulnerability scanning, and a formal patch management process with defined SLAs. These are not optional — they are specific control requirements that CBUAE examiners verify with evidence (test reports, remediation tracking, scanning records). eShield IT provides VAPT services designed to produce CBUAE-formatted evidence packs ready for examiner review.