Quick Answer: UAE banks must comply with CBUAE Cybersecurity Framework (all 9 domains), PCI DSS v4.0 (card processing), and SWIFT CSP (interbank payments). eShield IT provides banking-specific VAPT, CBUAE gap assessments (AED 35,000-75,000), SWIFT CSP assessments (AED 18,000-35,000), SOC monitoring (AED 8,000-25,000/month), and incident response for UAE commercial banks, Islamic banks, and exchange houses.
UAE banks face a uniquely complex cybersecurity environment. They must simultaneously satisfy the Central Bank’s Cybersecurity Framework, SWIFT’s Customer Security Programme, PCI DSS v4.0 for card processing, and the UAE Personal Data Protection Law — all while managing the operational risk of being primary targets for sophisticated cybercriminal groups including nation-state-affiliated actors targeting the Gulf financial sector.
The CBUAE Cybersecurity Framework, updated in 2023, applies to all Central Bank-licensed entities without exception: commercial banks, Islamic banks, exchange houses, finance companies, and payment service providers. Board-level accountability for cybersecurity is now explicit — the framework requires a board-approved cybersecurity risk appetite statement and annual reporting from the CISO directly to the board.
What Makes Banking Cybersecurity Different in the UAE?
General cybersecurity services are not adequate for UAE banking institutions. Three factors make bank-specific expertise essential:
Regulatory complexity: UAE banks must satisfy four overlapping regulatory and industry frameworks at once (the CBUAE Cybersecurity Framework, PCI DSS, SWIFT CSP, and the PDPL), each with its own assessment methodology, reporting cadence, and evidence requirements. An assessor unfamiliar with all four will miss compliance gaps, or produce findings that satisfy one framework while conflicting with the requirements of another.
Sector-specific threats: Threat actors targeting UAE banks use tactics rarely seen in other sectors: SWIFT payment fraud, exploitation of core banking applications, ATM logical attacks (malware-driven jackpotting and black box attacks, in which a rogue device is connected directly to the cash dispenser), and BEC campaigns aimed at payment authorisation workflows. Security assessments must be designed around these threats rather than generic penetration testing templates.
Operational sensitivity: Banking systems run 24/7 with no tolerance for availability impact. Active security testing must therefore take place in isolated test environments or, where production systems are in scope, only within agreed change-control windows. eShield IT's banking engagements include a formal test plan, approved by the client's Change Advisory Board, before any active testing begins.
CBUAE Cybersecurity Framework: The 9 Domains Explained
The CBUAE Cybersecurity Framework is structured around 9 domains that cover the full lifecycle of banking cybersecurity governance. eShield IT conducts gap assessments against all 9 domains, producing a domain-by-domain maturity score and a prioritised remediation roadmap:
- Domain 1 — Governance: Board accountability, CISO role, cybersecurity committee, security strategy
- Domain 2 — Risk Management: Annual risk assessment, risk register, risk appetite statement, residual risk acceptance
- Domain 3 — Security Architecture: Network segmentation, secure design principles, cloud security standards
- Domain 4 — Identity and Access Management: MFA, privileged access management, access reviews, account lifecycle management
- Domain 5 — Third-Party Risk: Vendor security assessments, contractual security requirements, supply chain monitoring
- Domain 6 — Data Protection: Data classification, encryption standards, DLP controls, PDPL compliance
- Domain 7 — Threat Management: SOC/SIEM capability, threat intelligence integration, vulnerability management programme
- Domain 8 — Incident Response: IR plan, crisis communication, regulatory notification procedures (72-hour CBUAE notification)
- Domain 9 — Awareness and Training: Role-based security training, phishing simulation, board-level cyber literacy
Why UAE Banks Choose eShield IT
eShield IT's banking cybersecurity team includes former bank information security officers and specialists with direct experience of preparing for CBUAE examinations. Our clients include commercial banks, Islamic banks, and exchange houses across the UAE. We understand how UAE banking examiners assess compliance, and we prepare our clients accordingly: not just to pass the assessment, but to sustain the security programme between examination cycles.
UAE banks operate under the most demanding cybersecurity compliance requirements in the region: CBUAE Cybersecurity Framework (all 9 domains), PCI DSS v4.0 for card processing, SWIFT Customer Security Programme for interbank payments, and UAE PDPL data protection obligations. eShield IT provides banking-specific security assessments, SOC monitoring, and compliance consulting for UAE commercial banks, Islamic banks, and exchange houses.
UAE Banking Cybersecurity Compliance Requirements
| Framework | Mandating Authority | Key Requirements | Frequency |
|---|---|---|---|
| CBUAE Cybersecurity Framework | Central Bank of UAE | 9 domains; board governance; CISO; 24/7 incident detection; vendor risk | Annual assessment |
| PCI DSS v4.0 | PCI SSC (founded by the major card brands) | 12 requirements; SAQ or ROC; quarterly ASV external scanning; annual penetration test | Annual; quarterly scanning |
| SWIFT CSP | SWIFT | Mandatory (and advisory) CSCF controls for all SWIFT users; annual attestation supported by an independent assessment | Annual attestation |
| UAE PDPL | UAE Data Office | 72-hour breach notification; privacy by design; data minimisation | Ongoing compliance |
Top Cyber Threats Targeting UAE Banks in 2026
- Business Email Compromise (BEC) — UAE banks and corporate clients are prime BEC targets. Average loss: USD 125,000 per incident.
- SWIFT/interbank payment fraud — Insider or external compromise of SWIFT credentials leading to fraudulent wire transfers
- ATM and card fraud — Physical skimming, logical ATM attacks (black box, jackpotting), card-not-present fraud
- DDoS attacks — Politically or financially motivated availability attacks on banking portals
- Ransomware — Targeting back-office systems, core banking, and document management
- Supply chain attacks — Compromise via fintech partners, payment processors, or cloud providers
eShield IT Banking Security Services
- CBUAE Framework Gap Assessment — All 9 domains; board-ready report; 3-4 weeks; AED 35,000-75,000
- VAPT for Banking Systems — Core banking application, internet/mobile banking, ATM logical testing, internal network
- SWIFT CSP Assessment — Independent assessment of all mandatory and advisory SWIFT CSP controls; attestation support; AED 18,000-35,000
- PCI DSS Compliance — Gap assessment, SAQ, ASV quarterly scanning, QSA audit preparation
- Managed SOC — 24/7 monitoring with banking-specific detection rules: SWIFT monitoring, account takeover, ATM anomalies; UAE data residency
- Red Team / Adversary Simulation — Full-scope banking attack simulation targeting fraudulent transfers and data exfiltration
Related: Complete your banking cybersecurity programme
Protect your bank 24/7 with our managed SOC services, validate controls with banking VAPT, or explore top cybersecurity companies in Dubai & UAE.