“Critical infrastructures” are vital to the functioning of our society as we know it, as they provide crucial services such as power, telecommunications, transportation and water. Improving the resilience of critical infrastructures has become a priority for authorities around the world.
In particular, it has become crucial to strengthen the security and resilience of the vital Information and Communication Technology (ICT) infrastructures used to deliver or support Critical Infrastructures (referred to as “Critical Information Infrastructure” or “CIIP”) against rising cyber threats, whether as direct targets or as a means to reach the Critical Infrastructures that they support.
In 2023 the UAE Cyber Security Council (“CSC”), which is a council of the UAE Cabinet, released a policy document that aims to strengthen the cybersecurity posture of the nation’s CII. It adds to the UAE cybersecurity frameworks for CIIP, which also include the Telecommunications and Digital Government Regulatory Authority’s Information Assurance Regulation.
“The Critical Information Infrastructure Protection (CIIP) Policy” (“Policy”) outlines a consistent and iterative approach to identifying, assessing, and building the national risk profile across its CII. The Policy also defines the governance mechanism and the protection program for CII entities, including the identification of CIIs, baseline requirements for the identified entities and the mechanisms for the oversight and enforcement of requirements related to CII protection. The Policy is based on five CIIP principles:
building national cyber resilience,
sector focused governance,
risk-based prioritization,
establishing best practices and standards, and
encouraging cooperation and partnerships.
The Policy is applicable to the CII entities, and relative sector regulators/ designates, and relevant participating stakeholders in the following sectors and sub-sectors, as well as any other sector determined by the CSC: digital infrastructure, financial services, transport, energy, healthcare, electricity and water, government services, education, space, and food.
The policy categorizes the CII entities into two groups: Group A and Group B.
Group A entities are from the sectors that predominantly operate within a sector context in the UAE, such as digital infrastructure, financial services, transport-air, energy-nuclear, energy-oil and gas, space, food, and education.
Group B entities are from the sectors that predominantly operate within each Emirate, such as transport-rail, road and maritime, electricity and water, and healthcare.
The Policy assigns different roles and responsibilities to the CSC, the Emirate leads, the designated sector leads, and the CII entities and operators, to ensure effective governance and coordination for CIIP.
The CSC is the main authority that drives the implementation of the CIIP program across all CII sectors, sub-sectors, entities and operators, and provides oversight and guidance to them.
The Emirate leads are responsible for supporting and monitoring the CII entities within Group A within their respective Emirates.
The designated sector leads are responsible for providing guidance and direction to CII entities and operators within their respective sectors and being accountable for the implementation of the CIIP program within the sector.
The CII entities and operators are responsible for understanding their roles and responsibilities towards building a secure information infrastructure and complying with the national and sectoral cybersecurity requirements.
The Policy also outlines the key policy domains and sub-domains for CIIP, which are: governance for CIIP program, risk profile development, CII protection program, and assurance for CIIP program.
Each policy sub-domain elaborates on the objectives and policy statements that the CII stakeholders need to follow. Some of the main policy statements include:
CII entities and operators shall set up a dedicated security management function and designate/appoint competent personnel to manage and drive the implementation of the entity’s cybersecurity requirements.
CII entities and operators shall establish a supply chain security strategy that requires following risk management principles and a cyber defence-in-depth approach.
CII entities shall follow a structured approach