UAE Information Assurance Standard V2: Redefining Cyber Resilience in the Emirates

After nearly a decade, the UAE Cyber Security Council (CSC) has released the long-awaited UAE Information Assurance Standard Version 2 (V2), a major milestone in the country’s cyber resilience journey. This is not just a revision; it is a transformation of how cybersecurity governance, risk management, and technical controls are structured across the UAE’s digital ecosystem. For organizations operating in both government and private sectors, this update represents a new era of accountability, adaptability, and alignment with global best practices.

Version 1 of the UAE IA Standard laid the foundation for a unified national baseline of information security, particularly for entities deemed part of the Critical Information Infrastructure (CII). It enabled a structured approach to governance, risk management, and control implementation. However, the cyber landscape of 2025 is dramatically different from that of 2013. The explosive growth of AI/ML, cloud computing, IoT, remote work, and quantum computing threats required the standard to evolve, and UAE IA V2 is the direct response to that need.

At Complyan, we view this new release as a defining moment for national cybersecurity maturity. As one of the region’s leading cybersecurity consulting and managed service providers, we’ve spent the past years helping organizations align with local and international security frameworks. The new UAE IA V2 harmonizes many of these global standards into a single, future-ready national framework, providing clarity where previously there was fragmentation.

Key Differences Between UAE IA v1.1 and v2.0

| Area | UAE IA Regulation v1.1 (2020) | UAE IA Standard v2.0 (2025) |
|---|---|---|
| Issuing Authority | TDRA (formerly TRA) | UAE Cyber Security Council (CSC) |
| Scope | Government & Critical Infrastructure | Ministries, Federal Authorities, and non-government Critical Information Infrastructure (CII) entities under CSC supervision |
| Framework Composition | 188 controls (P1–P4) across 15 families | 15 families, 47 sub-families, 134 controls and 449 sub-controls |
| Control Architecture | Overlapping and less modular | Risk-aligned, modular, and integrated; clear ownership and accountability |
| Policy Integration | National policies referenced separately | Direct mapping to 7 National Cybersecurity Policies (Annex E/F) |
| Newly Introduced Areas | Limited focus on emerging tech | Post-Quantum Cryptography, Threat Intelligence, Secure SDLC, Remote Work Security, AI/ML, IoT, and Supply-Chain Assurance |
| Prioritization Model | P1–P4 tiers with limited guidance | P1–P4 retained, now clarified with “Always Applicable” and “Based on Risk” categorizations; distinguishes 70 Always Applicable and 64 risk-based controls |
| Performance Measurement | Checklist-style compliance | Continuous improvement and measurable effectiveness through performance indicators |
| Risk Management | Entity-driven, qualitative | Integrated National Cyber Risk Management Framework (NCRMF 2025) |

A Unified, Future-Ready Framework

While the six Management and nine Technical control domains remain consistent with the earlier version, UAE IA V2 fundamentally refines their structure, intent, and interconnectivity. Rather than reinventing the framework, the Cyber Security Council has modernized and harmonized it to meet the realities of today’s cyber landscape.

The earlier UAE IA framework (V1.1) established the foundational M1–M6 and T1–T9 families, but many of its controls overlapped or lacked sufficient clarity on accountability, dependencies, and cross-domain integration. Version 2 addresses these limitations by introducing a more modular, risk-aligned, and context-driven architecture. The control families now carry expanded objectives, detailed implementation guidance, and explicit mapping to the seven National Security Policies introduced under Annexes E and F, covering Encryption, Third-Party Security, Secure Remote Work, Cloud, AI/ML, Data Exchange, and IoT Security.

The management controls in V2 go beyond governance to emphasize strategic alignment, policy lifecycle management, risk communication, workforce competence, and continuous improvement, ensuring that cybersecurity leadership is measurable and accountable. The technical controls, meanwhile, have evolved to reflect modern operational domains such as endpoint and remote work security, post-quantum cryptography, threat intelligence, and secure software engineering.

Another major enhancement is in how prioritization and applicability are defined. The P1–P4 levels remain, but their criteria are clarified and now supported by explicit “Always Applicable” and “Based on Risk” categorizations. This update transforms prioritization from a static label into a dynamic decision model, encouraging entities to implement controls based on impact, threat exposure, and criticality rather than mere prescription.

In essence, UAE IA V2 retains the recognizable skeleton of the original standard but rebuilds the muscle around it, introducing precision, adaptability, and traceability. The result is a framework that continues the legacy of Version 1 while becoming truly future-ready, scalable, and aligned with the UAE’s broader cyber-resilience ambitions.

Alignment with National Security Policies

A standout enhancement in UAE IA V2 is the way it integrates directly with the UAE’s seven National Cybersecurity Policies, listed under Annex E and F of the standard. These include policies for Encryption, Third-Party Security, Secure Remote Work, Data Exchange, Cloud Security, AI/ML Security, and IoT Security.

Previously, organizations had to interpret and apply these policies independently, often leading to confusion, duplication, or gaps. Now, the UAE IA Standard acts as the unifying reference point. It shows exactly how each control maps to these national directives, allowing organizations to see how every technical safeguard contributes to the country’s overarching cybersecurity strategy.

This integration will dramatically simplify compliance efforts for both regulators and entities. It allows organizations to eliminate redundant documentation, streamline audits, and achieve alignment with national objectives more efficiently. From a governance standpoint, it’s a major leap forward: it turns cybersecurity from an isolated IT initiative into a national policy execution framework.

Modern Controls for Emerging Threats

The most striking enhancement in UAE IA V2 lies in its newly introduced control areas:

1. Post-Quantum Cryptography (PQC)

UAE IA V2 introduces entirely new controls reflecting the technologies and risks shaping today’s cyber landscape. Among the most notable are the controls for Post-Quantum Cryptography (PQC), a visionary inclusion that positions the UAE as one of the first nations to prepare for the post-quantum era. This ensures that organizations begin assessing their cryptographic dependencies and plan transitions to quantum-resilient algorithms before the threat materializes.

2. Threat Intelligence

Similarly, Threat Intelligence has received dedicated focus. The new framework encourages entities to move beyond reactive defences and develop structured threat intelligence programs that feed into detection, prevention, and response functions. Controls emphasize multi-level intelligence sharing (strategic, tactical, and operational) across sectors and entities.

3. Secure Software Development

Software assurance has also been strengthened through Secure Coding and Software Development Lifecycle (SDLC) controls. These address secure design principles, code review practices, dependency management, and vulnerability testing, ensuring that security is built into applications from inception rather than bolted on afterward.

4. Secure Remote Work & Endpoint Security

The Secure Remote Work and Endpoint Security domains now feature enhanced safeguards for hybrid work environments, including controls for BYOD governance, mobile device management, endpoint detection and response (EDR), and secure collaboration platforms.

5. AI/ML and IoT Security

Equally forward-thinking are the AI/ML and IoT Security controls. These ensure responsible use of artificial intelligence by requiring model transparency, bias mitigation, integrity protection, and validation of AI supply chains. For IoT, controls extend to device onboarding, firmware validation, network segmentation, and lifecycle management, all essential for protecting the expanding attack surface in industrial, healthcare, and smart-city ecosystems.

For Continuity, Accountability, and Improvement

While the UAE IA V1 set the foundation for information assurance, it was often interpreted as a compliance checklist. Version 2 changes that narrative. It embeds continuous improvement and performance measurement into the heart of the framework. Organizations are now expected to demonstrate ongoing evaluation of control effectiveness, root-cause analysis for incidents, and measurable progress toward higher maturity.

This evolution reinforces a culture of accountability. Leadership involvement is no longer optional; it’s explicit. Executives are required to take ownership of cyber risk, integrate cybersecurity KPIs into governance reporting, and align risk management with corporate objectives. This shift is crucial as cybersecurity becomes an enterprise-wide responsibility rather than a technical afterthought.

For auditors and regulators, these updates provide a clearer view of how governance connects to operational security and business resilience. For organizations, they enable the design of cybersecurity programs that are measurable, improvable, and integrated into daily business operations.

How Complyan Supports and Accelerates UAE IA V2 Adoption

At Complyan, we are already partnering with critical infrastructure entities, ministries, and enterprises to help them interpret and operationalize UAE IA V2. Our methodology focuses on translating the framework’s requirements into actionable implementation roadmaps that align with business realities.

Complyan’s comprehensive approach ensures that our clients are not merely compliant but strategically aligned with the UAE’s national cybersecurity vision. Our experience across projects demonstrates our capability to integrate governance, architecture, and operations under unified national and international standards.

Each service area below is listed with its description and its key outcomes / value.

1. Strategic Advisory & Readiness

Description: Complyan conducts comprehensive UAE IA V2 Readiness & Gap Assessments, benchmarking governance, risk, and technical environments against the 15 control families and 134 controls. We identify “Always Applicable” and “Based on Risk” controls, map existing frameworks, and design prioritized implementation roadmaps aligned with sector regulators and business objectives.

Key Outcomes / Value:

• Clear visibility of gaps and maturity
• Executive-level roadmap for adoption
• Alignment with CSC and regulatory requirements

2. Targeted Operating Model (TOM) Design

Description: Complyan designs a Targeted Operating Model (TOM) to integrate cybersecurity governance, roles, and accountability across the organization. This model defines the interaction between governance, risk, operations, and technology, ensuring UAE IA V2 controls are embedded within day-to-day operations and decision-making.

Key Outcomes / Value:

• Defined cybersecurity governance and ownership
• Streamlined roles and responsibilities
• Integrated operating model aligned to UAE IA V2 objectives

3. Governance, Risk & Compliance (GRC) Enablement

Description: The Complyan™ GRC Platform automates UAE IA V2 control mapping, evidence collection, and compliance tracking. The system integrates with ISO 27001, NIST CSF, and other frameworks to provide AI-driven analytics and real-time dashboards.

Key Outcomes / Value:

• Continuous compliance, not periodic
• Automated evidence and workflow management
• Audit-ready dashboards and insights

4. Technical Implementation, Network Architecture & Security Engineering

Description: Complyan bridges governance and technology through end-to-end network architecture reviews, security assessments, and design. Services include:

• Identity & Access Management (IAM)
• Cloud & Hybrid Security Architecture
• Network & Endpoint Protection
• Encryption & Post-Quantum Readiness
• Secure SDLC & DevSecOps
• Network Architecture Review & Assessment

Key Outcomes / Value:

• Secure, validated architecture
• Operationalized UAE IA V2 controls
• Enhanced detection and resilience posture

5. Managed Cybersecurity & Continuous Monitoring (HAWKEYE CSOC / Purple Team)

Description: The HAWKEYE 24×7 Cyber Security Operations Center (CSOC) combines blue-team monitoring and red-team simulation into an integrated purple-team model. It delivers continuous threat detection, incident response, and cyber-intelligence sharing.

Key Outcomes / Value:

• Real-time visibility & active threat response
• Continuous assurance & compliance
• Unified red/blue/purple operations for improved defense

6. Penetration Testing & Offensive Security

Description: Complyan provides advanced penetration testing, red-team simulations, and vulnerability assessments across IT, OT, and cloud environments, including social-engineering and exploit-based testing.

Key Outcomes / Value:

• Early detection of exploitable weaknesses
• Measurable improvements to cyber defenses
• Evidence-based risk reduction

7. Training, Awareness & Culture

Description: Tailored programs for executives, IT/OT teams, developers, and end-users, covering cyber risk ownership, secure coding, incident response, and hybrid-work security.

Key Outcomes / Value:

• Empowered leadership and workforce
• Strong cyber culture and accountability
• Continuous maturity improvement

8. End-to-End Integration & Assurance

Description: Complyan combines advisory, design, engineering, monitoring, and awareness into a complete lifecycle: Assessment → TOM → Implementation → Monitoring → Improvement.

Key Outcomes / Value:

• Sustained compliance automation
• Enterprise-wide resilience
• Measurable ROI on cybersecurity investment

The Road Ahead

The release of UAE IA V2 represents more than a regulatory milestone; it is a blueprint for the next decade of cybersecurity governance in the UAE. Its strength lies in its adaptability: it acknowledges that technology and threats evolve faster than standards traditionally can, and it builds flexibility and foresight directly into its design.

For organizations, this is the moment to act. Understanding the new framework, assessing readiness, and beginning the transition early will pay dividends in compliance efficiency and risk reduction. For the UAE as a nation, this evolution reinforces its position as a global leader in cybersecurity, digital governance, and innovation.

At Complyan, we are proud to be part of this journey. Our mission is to empower organizations to navigate complex cybersecurity landscapes with clarity, confidence, and capability, ensuring that resilience becomes a competitive advantage, not a compliance burden.

“This revision demonstrates the UAE’s leadership in cyber resilience. By aligning national policies, emerging technologies, and international standards under one cohesive framework, UAE IA v2 gives organizations a clear path to safeguard the nation’s digital future, and DTS Solution is proud to be part of that journey,” added Rizwan Tanveer, our Lead Consultant for Cybersecurity GRC and Data Protection.

If your organization is preparing for UAE IA V2 compliance or wishes to understand how the changes impact your environment, our consultants are ready to assist. Together, we can transform this new standard from a regulatory requirement into a foundation for long-term digital trust.

Contact Complyan to start your UAE IA V2 readiness assessment and explore how our GRC, automation, and cybersecurity expertise can strengthen your organization’s resilience in the era of evolving threats.