Banking & Financial Services Cybersecurity Dubai | CBUAE, PCI DSS, DFSA | eSHIELD IT Services

Cybersecurity Services for Banking & Financial Services in Dubai — CBUAE, PCI DSS, DFSA Compliance


Quick Answer — What cybersecurity regulations apply to banks in Dubai?

Banks and financial institutions in Dubai are subject to the CBUAE Cybersecurity Framework, DFSA Technology Risk Management (TRM) Module for DIFC-licensed entities, PCI DSS v4.0 for card data environments, and SWIFT Customer Security Programme (CSP) for interbank messaging. The UAE Personal Data Protection Law (PDPL) also applies to all financial customer data. Non-compliance risks regulatory censure, licence suspension, and significant fines.


The Cybersecurity Threat Landscape Facing UAE Financial Institutions

The UAE financial sector processed over AED 14 trillion in transactions in 2024. That volume makes Dubai’s banks, exchange houses, and fintech platforms some of the most actively targeted organisations for cybercrime in the Middle East. The threats are not theoretical.

In the past 36 months, UAE financial institutions have faced:

  • Business Email Compromise (BEC) attacks targeting trade finance and SWIFT payment flows
  • API-layer attacks exploiting open banking integrations in fintech platforms
  • Ransomware campaigns encrypting core banking backups and demanding cryptocurrency payments
  • Insider threat incidents involving privileged access to customer account data
  • Third-party supply chain breaches through payment processors and cloud providers

The challenge for most UAE banks is not awareness — it is execution. Regulatory frameworks are demanding, threat actors are sophisticated, and internal security teams are stretched. eSHIELD provides the depth of specialisation that in-house teams cannot maintain alone.


Regulatory Landscape — What Governs Financial Cybersecurity in the UAE

Understanding your obligations is the foundation of a defensible security programme. Here is the regulatory framework that applies to financial institutions operating in Dubai and across the UAE.

1. CBUAE Cybersecurity Framework

The Central Bank of the UAE published its Cybersecurity Framework in 2021, with mandatory implementation timelines for all licensed financial institutions. The framework covers:

  • Governance and risk management structures
  • Identity and access management requirements
  • Continuous monitoring and threat intelligence obligations
  • Incident reporting — institutions must notify the CBUAE within 2 hours of a critical cyber incident
  • Third-party and cloud security standards
  • Annual independent cybersecurity assessment requirements

Non-compliance with the CBUAE framework is treated as a prudential risk matter and can result in supervisory action, remediation orders, and financial penalties.

2. DFSA Technology Risk Management (TRM) Module

Firms licensed by the Dubai Financial Services Authority (DFSA) and operating within the Dubai International Financial Centre (DIFC) are subject to the DFSA TRM Module. This module imposes specific requirements around:

  • Information security governance at board level
  • Cyber resilience testing (including red team exercises for systemically important firms)
  • Business continuity and disaster recovery standards
  • Technology change management and patch management controls
  • Outsourcing and cloud risk management

DFSA inspections increasingly include dedicated technology risk components. Firms that cannot demonstrate documented control effectiveness — not just policy existence — face remediation requirements.

3. PCI DSS v4.0

Any institution that stores, processes, or transmits payment card data must comply with the Payment Card Industry Data Security Standard. Version 4.0 replaced v3.2.1 as the only active standard on 31 March 2024 (the limited revision v4.0.1, published in June 2024, supersedes v4.0 from 1 January 2025 without changing the intent of the requirements), and it introduces significant changes including:

  • Customised approach: an entity may meet a requirement's stated objective with controls of its own design, assessed on evidence of effectiveness (this is distinct from compensating controls, which remain available where a documented constraint prevents meeting a requirement as written)
  • Expanded multi-factor authentication requirements: MFA for all access into the cardholder data environment, not only for administrative access
  • New requirements for targeted risk analysis, used to justify the frequency of periodic controls
  • Phased requirements: 64 new requirements in total, of which 13 applied from the v4.0 effective date and the remaining 51 were future-dated, becoming mandatory on 31 March 2025

UAE retail banks, acquirers, payment processors, and card-issuing institutions face direct audit obligations from their card brands. Non-compliance results in fines from card schemes, potential loss of merchant acquiring rights, and reputational damage following card data breaches.

4. SWIFT Customer Security Programme (CSP)

All institutions connected to SWIFT — including correspondent banks, securities dealers, and exchange houses — must attest annually against the SWIFT CSP mandatory controls. Attestations for 2024 are made against CSCF v2024, which has 25 mandatory controls (alongside a smaller set of advisory controls) covering areas such as:

  • Restriction and protection of internet access from SWIFT infrastructure
  • Operator session integrity and privileged account controls
  • Malware protection on SWIFT-related systems
  • Anomaly detection on payment flows

Failure to attest, or attestation without genuine control implementation, exposes institutions to counterparty risk and potential exclusion from SWIFT messaging.

5. UAE Personal Data Protection Law (PDPL)

The UAE PDPL (Federal Decree-Law No. 45 of 2021) treats financial data — account details, transaction histories, credit information — as personal data requiring defined protection controls. Financial institutions must implement:

  • Data inventory and classification for customer personal data
  • Lawful basis for processing and data retention periods
  • Data subject rights fulfilment processes
  • Cross-border data transfer controls for cloud-hosted systems
  • Data breach notification within 72 hours to the UAE Data Office

6. SAMA Cross-Border Considerations

UAE financial institutions with Saudi Arabia operations or correspondent relationships are also subject to the Cyber Security Framework of the Saudi Central Bank (SAMA, formerly the Saudi Arabian Monetary Authority). Where a group-level programme exists, controls must align across both jurisdictions.


Financial Institutions We Serve

eSHIELD works with the full spectrum of UAE financial sector organisations:

| Segment | Typical Engagements |
|---|---|
| Retail and commercial banks | CBUAE compliance programme, SOC services, PCI DSS assessment |
| Investment banks and asset managers | DFSA TRM gap assessment, data classification, ISO 27001 |
| Exchange houses and remittance firms | SWIFT CSP assessment, AML system security review, PCI DSS |
| Fintech and payments companies | API security testing, PCI DSS fast-track, cloud security review |
| DIFC-licensed financial firms | DFSA TRM audit readiness, red team exercises, vCISO |
| Insurance companies | CBUAE framework, data privacy, third-party risk management |
| Wealth management and private banking | Client data protection, privileged access controls, ISO 27001 |

Our Cybersecurity Services for Financial Institutions

SOC for Financial Services — Fraud-Aware Threat Monitoring

A standard Security Operations Centre monitors infrastructure. A financial-grade SOC monitors the threats that move money. Our managed SOC for banking clients includes:

  • SWIFT payment anomaly detection — behavioural baselines on payment flows, alerting on after-hours or high-value outliers
  • Fraud-correlated threat intelligence — feeds specific to banking trojans, BEC campaigns, and ATM malware active in the GCC
  • Core banking system monitoring — log ingestion from Temenos, Finastra, Misys, and Oracle FLEXCUBE environments
  • 24/7 analyst coverage with financial-sector L2 escalation (not generic IT)
  • CBUAE incident reporting support — documentation and communication templates for regulatory notification within the 2-hour window
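To make the first bullet concrete, here is an added illustration (not eSHIELD's detection content) of a per-counterparty behavioural baseline with after-hours and high-value outlier flags, run over constructed payment records. The record fields, the business-hours window and the three-sigma threshold are assumptions; in a live SOC the records would be parsed from MT103/pacs.008 messages or core-banking logs, and the thresholds tuned per institution.

```python
"""Per-counterparty payment baseline with after-hours / high-value flags.

Added example for the SOC section; not eSHIELD's code. Field names, the
business-hours window and the z-score threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    ref: str
    creditor_bic: str  # receiving bank (assumed field name)
    amount: float      # single currency assumed for the illustration
    ts: datetime       # value timestamp in local time


BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed Mon-Fri operating window
Z_THRESHOLD = 3.0                           # std deviations above the mean


def baseline(history):
    """Mean and population std-dev of historical amounts per counterparty BIC."""
    by_bic = {}
    for p in history:
        by_bic.setdefault(p.creditor_bic, []).append(p.amount)
    return {bic: (mean(a), pstdev(a)) for bic, a in by_bic.items()}


def after_hours(ts):
    """Weekend, or outside the configured window on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def flag(payment, stats):
    """Reasons a payment deviates from baseline; an empty list means normal."""
    reasons = []
    if payment.creditor_bic not in stats:
        reasons.append("new-counterparty")
    else:
        mu, sigma = stats[payment.creditor_bic]
        # A counterparty that always received the same amount has sigma == 0;
        # treat any increase as an outlier rather than dividing by zero.
        if sigma == 0:
            if payment.amount > mu:
                reasons.append("high-value")
        elif (payment.amount - mu) / sigma > Z_THRESHOLD:
            reasons.append("high-value")
    if after_hours(payment.ts):
        reasons.append("after-hours")
    return reasons


def run_detection(history, candidates):
    """Map each candidate payment reference to its list of alert reasons."""
    stats = baseline(history)
    return {p.ref: flag(p, stats) for p in candidates}


# Constructed sample data: 20 weekday, business-hours payments to one BIC
# (100k to 119k), then three new payments to score against that baseline.
HISTORY = [
    Payment(f"H{i:02d}", "DEUTDEFF", 100_000 + 1_000 * i,
            datetime(2024, 3, 4 + i % 5, 10, 0))   # 4-8 March 2024 is Mon-Fri
    for i in range(20)
]
CANDIDATES = [
    Payment("N1", "DEUTDEFF", 115_000, datetime(2024, 3, 11, 11, 0)),     # in range, business hours
    Payment("N2", "DEUTDEFF", 5_000_000, datetime(2024, 3, 11, 23, 30)),  # huge, late night
    Payment("N3", "BARCGB22", 50_000, datetime(2024, 3, 16, 10, 0)),      # Saturday, unseen BIC
]

if __name__ == "__main__":
    for ref, reasons in run_detection(HISTORY, CANDIDATES).items():
        print(ref, "ALERT " + ",".join(reasons) if reasons else "ok")
```

The point a SOC analyst should take from this is that the baseline is per counterparty, not per institution: a payment that is routine for one correspondent is an outlier for another, and a first-ever BIC is worth a look on its own even at a modest amount.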

Vulnerability Assessment and Penetration Testing for Banking Applications

Financial applications are high-value targets and complex attack surfaces. Our banking VAPT programme covers:

  • Core banking platform testing — authenticated and unauthenticated access paths, privilege escalation, data exposure
  • Mobile banking app security — iOS and Android reverse engineering, API interception, session management
  • Internet banking portal testing — OWASP Top 10, business logic flaws (fund transfers, limit bypasses), authentication weaknesses
  • Open banking API testing — OAuth 2.0 implementation review, data leakage between client scopes
  • ATM and kiosk security — physical and logical security assessment
  • Network segmentation review — isolation of SWIFT infrastructure, cardholder data environments, and production systems
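The open banking bullet above describes the most common finding in practice: a token carrying a valid `accounts` scope being accepted for an account the consenting customer never authorised, or for a consent identifier that belongs to a different client. The added example below (not eSHIELD's or any bank's code) puts the weak scope-only check next to a hardened one that also binds the request to the consent and the consent to the calling client. Claim names, the consent store, the route layout and the expiry epoch are assumptions standing in for real token introspection and a consent database.

```python
"""Scope-only vs consent-bound authorisation on an open-banking resource server.

Added example for the VAPT section; not eSHIELD's or any bank's code. Token
claims are a dict as they would look after signature verification; the claim
names, route patterns and consent store are assumptions for the illustration.
"""
import re

# Route -> required OAuth scope (assumed API layout).
ROUTES = [
    (re.compile(r"^/accounts/(?P<acct>[A-Z0-9]+)/balances$"), "accounts"),
    (re.compile(r"^/accounts/(?P<acct>[A-Z0-9]+)/transactions$"), "accounts"),
    (re.compile(r"^/payments/(?P<acct>[A-Z0-9]+)$"), "payments"),
]

# Constructed consent store: consent_id -> owning client, authorised accounts, expiry.
CONSENTS = {
    "cns-1001": {"client_id": "tpp-alpha", "accounts": {"AE0001"}, "expires": 1_800_000_000},
    "cns-2002": {"client_id": "tpp-beta", "accounts": {"AE0002"}, "expires": 1_800_000_000},
}


def _match(path):
    """Return (account id from the URL, required scope) or (None, None)."""
    for pattern, scope in ROUTES:
        m = pattern.match(path)
        if m:
            return m.group("acct"), scope
    return None, None


def authorise_scope_only(claims, path):
    """Weak check: scope is present, the account in the URL is ignored.
    Any client holding an 'accounts' token can read every account."""
    acct, needed = _match(path)
    if acct is None:
        return False, "unknown-route"
    if needed not in claims.get("scope", "").split():
        return False, "missing-scope"
    return True, "ok"


def authorise(claims, path, now):
    """Hardened check: scope, consent ownership, expiry and account binding."""
    acct, needed = _match(path)
    if acct is None:
        return False, "unknown-route"
    if needed not in claims.get("scope", "").split():
        return False, "missing-scope"
    consent = CONSENTS.get(claims.get("consent_id"))
    if consent is None:
        return False, "unknown-consent"
    # The consent must belong to the client the token was issued to; otherwise
    # one TPP could replay another TPP's consent identifier.
    if consent["client_id"] != claims.get("client_id"):
        return False, "consent-client-mismatch"
    if now >= consent["expires"]:
        return False, "consent-expired"
    # The account in the URL must be one the customer actually consented to.
    if acct not in consent["accounts"]:
        return False, "account-not-in-consent"
    return True, "ok"


# Constructed tokens (claims as they look after signature verification).
TOKEN_ALPHA = {"client_id": "tpp-alpha", "scope": "accounts", "consent_id": "cns-1001"}
TOKEN_SWAPPED = {"client_id": "tpp-alpha", "scope": "accounts", "consent_id": "cns-2002"}
NOW = 1_700_000_000  # assumed current epoch for the illustration


def leak_cases():
    """Requests the weak check allows that the hardened check rejects."""
    cases = [
        (TOKEN_ALPHA, "/accounts/AE0002/balances"),    # another customer's account
        (TOKEN_SWAPPED, "/accounts/AE0002/balances"),  # another TPP's consent id
    ]
    return [(path, authorise_scope_only(c, path)[0], authorise(c, path, NOW)[1])
            for c, path in cases]


if __name__ == "__main__":
    for path, weak, hardened_reason in leak_cases():
        print(f"{path}: scope-only={'allow' if weak else 'deny'}, hardened={hardened_reason}")
```

During a test, each of the denial reasons above is a separate case to exercise: a second test client's account, a swapped consent identifier, an expired consent, and a scope the token does not carry. A resource server that passes only the last one is exactly the "data leakage between client scopes" finding the bullet refers to.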

Deliverables include an executive risk summary, a technical findings report mapped to CBUAE control domains, and a prioritised remediation roadmap.

PCI DSS v4.0 Compliance Programme

Our Qualified Security Assessor (QSA)-aligned team delivers end-to-end PCI DSS programmes:

1. Scoping and gap assessment — define the cardholder data environment, identify control gaps against v4.0 requirements
2. Remediation support — implement compensating controls, network segmentation, tokenisation, encryption
3. Evidence collection — build the audit evidence library for QSA assessment
4. QSA liaison — coordinate with your chosen QSA to streamline the formal assessment
5. Ongoing compliance maintenance — quarterly vulnerability scans, annual penetration testing, change management review

SWIFT CSP Security Assessment

Annual SWIFT CSP attestation requires documented control evidence, not just a checklist signature; since 2021, SWIFT has also required each attestation to be supported by an independent assessment (internal or external) of the mandatory controls. Our CSP assessment includes:

  • Control-by-control evaluation against CSCF v2024
  • Technical testing of SWIFT environment isolation and access controls
  • Gap remediation recommendations with implementation guidance
  • Attestation support documentation for submission to SWIFT

CBUAE Governance and Compliance Audit

For institutions requiring independent assurance against the CBUAE Cybersecurity Framework:

  • Control framework mapping and maturity scoring across all CBUAE domains
  • Policy and procedure gap analysis
  • Evidence review and control testing
  • Board-ready report with regulatory language
  • Roadmap to full framework compliance

Incident Response for Financial Breaches

When a financial institution faces an active breach, the response must be simultaneous across security, legal, regulatory, and communications dimensions. Our incident response retainer for financial clients includes:

  • 2-hour response SLA for retainer clients
  • CBUAE notification drafting and timeline management
  • SWIFT payment freeze and investigation coordination
  • Forensic evidence collection aligned with legal hold requirements
  • Post-incident review and lessons-learned report for regulatory submission

Pricing — Financial Services Cybersecurity

Pricing reflects the complexity of UAE financial environments, scope of regulatory coverage, and depth of engagement required. All engagements are scoped individually — the ranges below are indicative starting points.

| Service | Indicative Price Range (AED) |
|---|---|
| Banking Application VAPT (single application) | 25,000 – 45,000 |
| Banking Application VAPT (full suite: web + mobile + API) | 55,000 – 80,000 |
| PCI DSS Gap Assessment | 18,000 – 35,000 |
| PCI DSS Full Compliance Programme (scoping to QSA-ready) | 40,000 – 150,000 |
| SWIFT CSP Security Assessment | 22,000 – 45,000 |
| CBUAE Cybersecurity Framework Audit | 30,000 – 65,000 |
| DFSA TRM Gap Assessment | 25,000 – 55,000 |
| Managed SOC (financial-grade, 24/7) | 15,000 – 40,000 per month |
| Incident Response Retainer | 8,000 – 20,000 per month |
| vCISO for Financial Institutions | 12,000 – 25,000 per month |

All engagements are scoped after a complimentary initial assessment. VAT at 5% where applicable.


Why Financial Institutions Choose eSHIELD

Regulatory depth without regulatory jargon. Our team has worked inside UAE financial institutions, not just consulted to them. We understand the difference between what a CBUAE examiner is looking for and what a checkbox audit produces.

Evidence-first methodology. Every assessment we conduct produces documentation structured for regulatory consumption — board reports, examiner-ready evidence packs, and remediation roadmaps that can be attached to regulatory submissions.

Financial-sector threat intelligence. We maintain active intelligence on threat actors targeting GCC financial infrastructure, including TTPs of groups active against UAE banks and exchange houses.

No security theatre. We do not sell frameworks. We identify real vulnerabilities, quantify their business impact in the language of financial risk, and help you fix them.


Frequently Asked Questions

1. Is the CBUAE Cybersecurity Framework mandatory for all licensed financial institutions?

Yes. The CBUAE Cybersecurity Framework applies to all banks, finance companies, exchange houses, and other entities licensed by the Central Bank of the UAE. Implementation timelines were phased, but the framework is now fully in force. Institutions are expected to demonstrate ongoing compliance, not just initial implementation. Annual independent assessments are a specific requirement within the framework.

2. Does PCI DSS apply to UAE banks that do not process card payments directly?

PCI DSS applies to any entity that stores, processes, or transmits cardholder data — or that could impact the security of an entity that does. UAE banks that issue cards, process transactions, or operate systems connected to payment networks are in scope. Card-issuing banks that outsource processing entirely may have a reduced scope but are not automatically out of scope. Scoping is the critical first step.

3. What is the DFSA TRM Module and does it replace CBUAE requirements for DIFC firms?

The DFSA TRM Module applies specifically to firms licensed by the DFSA and operating within the DIFC. It does not replace CBUAE requirements — DIFC-licensed entities that also hold CBUAE licences (for example, for onshore operations) must comply with both regulatory frameworks. The TRM Module has specific requirements around cyber resilience testing, technology governance, and outsourcing that go beyond the CBUAE framework in some areas.

4. How quickly must a UAE bank notify the CBUAE after a cyber incident?

The CBUAE Cybersecurity Framework requires notification within 2 hours of identifying a critical cyber incident. This is an extremely tight window and requires pre-prepared notification procedures, pre-authorised contacts, and a response plan that does not require lengthy internal approval chains. Our incident response retainer includes regulatory notification support as a core component.

5. What does a SWIFT CSP assessment involve and how long does it take?

A SWIFT CSP assessment evaluates your implementation of all mandatory controls within the SWIFT Customer Security Controls Framework (CSCF). This involves reviewing documentation, interviewing control owners, and technically testing SWIFT environment isolation and access controls. For a typical exchange house or mid-tier bank, the assessment takes 3–4 weeks. Larger institutions with complex SWIFT environments may require 6–8 weeks. The output is the evidence documentation required for SWIFT attestation.

6. Can a fintech startup in DIFC use eSHIELD for both DFSA compliance and PCI DSS?

Yes. We regularly work with DIFC-licensed fintech firms that face overlapping regulatory obligations — DFSA TRM, PCI DSS (for payment products), and UAE PDPL. We structure engagements to maximise overlap between frameworks, avoiding duplicate effort. A single control implementation can satisfy requirements across multiple frameworks when properly documented. This is particularly valuable for startups and scale-ups managing compliance costs.


Related Services

  • [VAPT Services UAE](/vapt-services-uae/) — Vulnerability assessment and penetration testing for all sectors
  • [PCI DSS Compliance UAE](/pci-dss-compliance-uae/) — End-to-end PCI DSS v4.0 compliance programme
  • [Managed SOC Services UAE](/managed-soc-services-uae/) — 24/7 security monitoring and threat detection
  • [Virtual CISO UAE](/virtual-ciso/) — Fractional CISO for regulated financial institutions
  • [Data Privacy UAE](/data-privacy-uae/) — UAE PDPL compliance and data protection programme

Book Your Free Banking Cybersecurity Assessment

Understanding your regulatory exposure and technical risk posture is the first step. Our initial banking cybersecurity assessment is complimentary and covers:

  • Review of your current regulatory obligations (CBUAE, DFSA, PCI DSS, SWIFT CSP)
  • Identification of the highest-priority gaps
  • Indicative timeline and investment for remediation
  • No obligation. No sales pitch. Specific, actionable output.

[Book Your Free Banking Cybersecurity Assessment →](#contact)
