Cybersecurity Services Agreement (UAE)

Penetration testing is legal in the UAE when conducted with explicit written authorisation from the system owner, but it is a heavily regulated activity under the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021). Article 2 of the Cybercrime Law prohibits unauthorised access to information technology systems; Article 3 prohibits the disruption or disabling of IT systems without authorisation; and Article 4 prohibits the interception of electronic communications without consent. A penetration test — which involves probing systems for vulnerabilities, sometimes triggering alerts or temporary service disruptions — falls within the literal scope of these prohibitions unless the tester has express written authorisation from the system owner.

The cybersecurity services agreement's authorisation clause is therefore the legal foundation for the legality of the penetration test in the UAE. The agreement must clearly identify the systems that may be tested (by IP address ranges, domain names, or infrastructure description), the types of testing permitted (external network testing, web application testing, social engineering, physical security review), the testing period, and the scope limitations. Any activity outside the agreed scope — including testing third-party systems, attempting to access data beyond what is necessary to demonstrate a vulnerability, or continuing testing after the agreed period has ended — is unauthorised under the Cybercrime Law and could result in criminal prosecution of the testing personnel.

For testing systems connected to UAE Critical Information Infrastructure — including financial systems supervised by the Central Bank of the UAE, telecommunications networks, and government systems — additional governmental or regulatory authorisation may be required beyond the client's own written consent.

A cybersecurity incident response clause in a UAE services agreement should establish clear obligations for the provider when a security incident is detected, covering detection, containment, eradication, recovery, and reporting.

Detection and triage: the agreement should require the provider's Security Operations Centre (SOC) to classify detected incidents by severity — critical (ongoing breach with data exfiltration or system compromise), high (significant threat with potential for rapid escalation), medium (suspicious activity requiring investigation), and low (policy violations or minor alerts). Each severity tier should have a defined detection-to-notification timeline.

Containment: on detection of a critical or high-severity incident, the provider should be obligated to immediately notify the client and take agreed containment actions — such as isolating affected systems from the network — without waiting for client instruction, provided the client has pre-authorised such actions in the agreement.

PDPL notification: where the incident involves personal data, the client as data controller must notify the UAE Data Office under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) 'without undue delay' upon becoming aware of a personal data breach. The cybersecurity services agreement should require the provider to deliver incident details to the client within a short window (4 hours is common for critical incidents) to enable the client to make its PDPL notification decision in time.

Forensic evidence preservation: the provider should be required to preserve forensic evidence of the incident — system logs, memory dumps, network traffic captures — in a chain-of-custody-compliant manner, in case of subsequent litigation or regulatory investigation by the UAE Data Office or the Dubai Courts.

UAE enterprises and regulated-sector organisations procuring cybersecurity services should require their providers to hold relevant professional certifications and organisational accreditations. These provide assurance of the provider's technical competence and quality management standards.

ISO 27001:2022 (Information Security Management Systems) is the most widely recognised organisational certification in the UAE cybersecurity market. Providers holding ISO 27001 certification have demonstrated a managed approach to information security, including risk assessment, security controls, incident management, and continual improvement. The Central Bank of the UAE's vendor due diligence requirements for regulated financial institutions commonly include ISO 27001 as a minimum standard.

For penetration testing personnel, relevant professional certifications include: Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), CREST Registered Tester (CRT), and Certified Information Systems Security Professional (CISSP). The agreement should require all personnel conducting penetration testing to hold at least one of these certifications and should require the provider to maintain a register of certified testers.

SOC 2 Type II reports (Service Organization Controls) are increasingly required by UAE enterprise customers procuring managed SOC services. A SOC 2 Type II report provides independent audit evidence that the provider's security, availability, and confidentiality controls were operating effectively over a 6 to 12-month period.

UAE-specific accreditations include UAE Information Assurance (IA) certifications from the Signals Intelligence Agency (SIA) and the UAE Cybersecurity Council for providers working with government entities. Providers holding UAE IA certification are approved to handle government classified information systems.

Data handling during cybersecurity assessments is a critical legal risk area under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021). The cybersecurity services agreement must impose strict obligations on the provider regarding data encountered during testing.

Minimal data access: the agreement should require the provider to access only the minimum amount of data necessary to demonstrate a vulnerability or assess a security control. Testers must not exfiltrate, copy, store, or analyse personal data beyond what is required for the immediate assessment purpose. Any personal data encountered during testing must be treated as strictly confidential and must not be disclosed to third parties.

Prohibition on data retention: any data accessed during the assessment — including password hashes, credentials, personal data, or financial records encountered during testing — must be deleted by the provider promptly after the assessment, with written certification of deletion provided to the client.

Incident-adjacent data: where the cybersecurity provider is called in to respond to a live incident, it may need to collect and analyse substantial amounts of data including emails, financial transactions, and personal records to investigate the incident timeline. The agreement should authorise this data collection for incident response purposes only and require destruction of any client data retained by the provider after the incident report is delivered.

Sub-contractor restrictions: the PDPL prohibits data processors from engaging sub-processors without the data controller's prior consent. The agreement should require the provider to list all sub-contractors who may access client data and obtain the client's consent before engaging new sub-contractors. This applies to any third-party tools or platforms (SIEM systems, threat intelligence feeds, forensic analysis platforms) that process client data as part of the service.

Vulnerability disclosure — the process by which discovered vulnerabilities are reported, remediated, and (potentially) publicly disclosed — is a sensitive area in UAE cybersecurity agreements that requires careful drafting. The UAE cybersecurity services agreement should address the following aspects of vulnerability disclosure.

Internal disclosure and reporting: the provider should be required to report all discovered vulnerabilities to the client in writing within a defined period after discovery (24 to 48 hours for critical vulnerabilities; within the assessment report for lower-severity findings). Reports should include a description of the vulnerability, the potential impact, the CVSS (Common Vulnerability Scoring System) severity score, and detailed remediation recommendations. The client should have a defined period (typically 30 to 90 days) to remediate critical findings before any external disclosure is considered.

Confidentiality of vulnerability findings: vulnerability assessment reports must be treated as strictly confidential by both parties. The UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) does not create a safe harbour for the public disclosure of vulnerabilities without the system owner's consent — public disclosure of a vulnerability in a UAE company's systems without authorisation could constitute a criminal offence. The agreement should expressly prohibit the provider from publicly disclosing any vulnerability findings without the client's prior written consent.

Coordinated disclosure: where the provider discovers a critical vulnerability that could affect third-party systems (for example, a zero-day vulnerability in a widely used software product), the agreement should specify a coordinated disclosure process that involves notifying the affected vendor before any public disclosure. This aligns with international responsible disclosure norms recognised by the UAE Cybersecurity Council.

Regulatory notification: where a discovered vulnerability has been actively exploited and personal data has been compromised, the UAE Data Office notification requirement under the PDPL is triggered. The agreement should require the provider to deliver the technical information needed for the client's PDPL notification.

Allocation of liability for a data breach between a UAE company and its cybersecurity services provider depends on the cause of the breach, the contractual limitation provisions, and the regulatory obligations of each party under the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).

Where the breach occurs due to the cybersecurity provider's negligent failure to detect a known threat, inadequate security monitoring, or failure to notify the client of a critical vulnerability in a timely manner, the provider may be liable to the client for breach of contract under the UAE Civil Code (Federal Law No. 5 of 1985). The contractual limitation of liability clause typically caps the provider's exposure at the fees paid in the prior 12 months and excludes indirect losses including business interruption and reputational damage.

Where the breach occurs due to the client's failure to implement the provider's recommended remediation actions, failure to apply security patches, or use of equipment outside the agreed monitoring scope, the client bears primary responsibility.

Regulatory liability under the PDPL is separate from contractual liability. As the data controller, the client is responsible for notifying the UAE Data Office and affected data subjects of the breach. The UAE Data Office may investigate both the client (for failing to implement adequate security measures) and the cybersecurity provider (for failure to detect the breach or notify the client in time). Administrative penalties under the PDPL can be imposed on both parties independent of their contractual arrangement.

The cybersecurity services agreement should contain a clear causation clause — linking liability to the specific party whose failure caused or materially contributed to the breach — and should require both parties to cooperate in any investigation by the UAE Data Office, the Dubai Courts, or other competent authority.

Cybersecurity services in the UAE are subject to oversight from multiple regulatory bodies depending on the sector in which the services are provided and the systems being protected. Understanding this regulatory landscape is essential for both providers and clients.

The UAE Cybersecurity Council, established by Cabinet Resolution No. 41 of 2020, is the apex federal body for cybersecurity policy and standards. The Cybersecurity Council issues national cybersecurity standards (UAE IA Standards) that apply to federal government entities and critical infrastructure operators. Cybersecurity service providers working with government entities must comply with UAE IA Standards and may require Signals Intelligence Agency (SIA) authorisation.

For cybersecurity incidents affecting critical information infrastructure (including banking, energy, telecommunications, and transport systems), the UAE National Computer Emergency Response Team (aeCERT), operated by the Telecommunications and Digital Government Regulatory Authority (TDRA), serves as the national coordination body. Cybersecurity services agreements for critical infrastructure clients should include provisions for coordination with aeCERT in the event of a significant incident.

For financial sector cybersecurity services, the Central Bank of the UAE (CBUAE) has issued IT Risk Management Guidelines and Cybersecurity Guidelines applicable to licensed financial institutions. Cybersecurity providers working with UAE banks must support their clients' compliance with these guidelines, including incident reporting timelines (material cyber incidents must be reported to the CBUAE within specified timeframes) and annual independent security assessments.

The Dubai International Financial Centre (DIFC) Cyber Security Law (DIFC Law No. 2 of 2019) applies to entities operating in the DIFC and imposes specific cybersecurity risk management and incident reporting requirements. The ADGM has comparable cybersecurity guidelines from the Financial Services Regulatory Authority (FSRA).

Cybersecurity services in the UAE are typically priced through a combination of a monthly retainer for ongoing services and separate project-based fees for one-time assessments. Understanding the standard fee structures helps clients budget accurately and negotiate appropriate value.

Monthly retainer (managed SOC services): Security Operations Centre monitoring, threat detection, and incident response are charged on a monthly retainer basis, typically ranging from AED 8,000 to AED 30,000 per month for SME clients, and AED 30,000 to AED 150,000+ per month for enterprise financial institutions and large corporates, depending on the volume of logs and events monitored, the number of systems in scope, the geographic footprint, and the required SLA response times.

Penetration testing: annual or semi-annual penetration tests are charged as separate project fees. External network penetration tests for a UAE SME typically range from AED 15,000 to AED 40,000 per engagement. Full-scope tests for enterprise environments (external + internal + web application + social engineering) can range from AED 50,000 to AED 200,000 per engagement, depending on the size of the environment.

Incident response retainer: a cybersecurity incident response retainer (pre-contracted hours for emergency incident response) is typically priced at AED 20,000 to AED 80,000 per year, providing the client with a guaranteed SLA response without the uncertainty of emergency hourly rates at the time of an incident. Emergency incident response without a retainer is typically priced at AED 1,500 to AED 3,500 per hour.

VAT at 5% under Federal Decree-Law No. 8 of 2017 applies to all cybersecurity service fees. The agreement should confirm whether the quoted fee is VAT-exclusive and require FTA-compliant invoices.