Public Policy Document
Introduction
The United Arab Emirates has emerged as a regional hub for cloud services, data, and artificial intelligence. With the increasing use of cloud services both locally and globally causing a noticeable rise in general threats, it has become essential to adopt a comprehensive approach to address risks and maintain the security of the UAE's digital transformation.
Developed by the UAE government in 2023, the National Cloud Security Policy aims to enhance the cloud security of the UAE by establishing clear principles for the practice and delivery of secure cloud services and addressing the challenges facing the current cloud services landscape. The policy also provides guidelines for the integrated cloud system in the country, defines cloud security requirements, and identifies the entities responsible for overseeing and enforcing cloud security regulations.
This policy will help ensure that cloud service providers comply with a set of security requirements, guaranteeing a good level of protection for all cloud service users when purchasing and using these services. The policy also aims to avoid potential negative impacts that could result from its implementation, such as deterring investment and hindering the growth of the cloud services sector due to overly stringent requirements.
Policy Objectives
- Achieve the UAE’s strategic objectives to enhance cybersecurity.
- Keep pace with evolving global changes in the field of cybersecurity and the digital economy.
- Safeguard and secure digital assets and cyberspace.
- Strengthen cloud security in line with the UAE’s national priority.
- Accelerate the use of cloud services in the region by facilitating access of government entities and businesses to relevant data and information, based on the best cybersecurity standards.
- Establish a successful ecosystem based on rigorous standards to build trust in the UAE's cybersecurity service providers.
Priorities & Key Components
The following five cloud security principles were developed to provide the necessary decision-making elements to drive the secure adoption of cloud services and operations in the UAE. These principles help cloud users and providers in their policy, operation, and procurement decision-making process, in line with the below-mentioned policies.
- Risk-based approach.
  - Potential risks to security and resilience are considered when assessing cloud adoption and scaling.
- Data-driven cloud security.
  - The level of cloud security is aligned with the level of data sensitivity, its impact on business, and privacy expectations.
- Best practice guidelines.
  - Establishing security frameworks aims to encourage the adoption of global best practices to provide security guarantees and drive compliance efficiencies.
- An ecosystem based on cooperation and transparency.
  - Encourage cloud services’ users, providers, and regulators to share information and good practices, and to report any incidents in the cloud.
- Continuous improvement.
  - Seek continuous improvement of cloud security practices to ensure their relevance, efficiency, and effectiveness.
Expected Outcomes
- Adoption of the National Cloud Security Policy is set to address challenges related to data security and privacy, secure and protect cloud resources, and ensure governance and compliance, which are deemed the biggest cybersecurity challenges associated with cloud adoption.
- Ensure the secure exchange of information in line with globally recognized best practices.
- Secure operational systems of vital sectors and ensure the robustness of their protection systems.
- Ensure a swift and effective response to cyber incidents and breaches, as well as swift recoveries.
- Establish a unified cyber policy at the national level to support all cloud security needs.
- Create greater exchange and cooperation between the public and private sectors by standardizing cloud services.
- Ensure alignment with applicable international best practices and policies.
- Build community confidence in cloud services and digital transformation.
- Reduce the number of reports and technical incidents related to personal data and other cybercrime attacks.
Target Audience
Government entities, private sector enterprises, and community members.