CBUAE Cybersecurity Requirements: A vCISO Compliance Guide (2026)

CBUAE Cybersecurity Requirements: A vCISO Compliance Guide (2026)

CBUAE Cybersecurity Requirements: A vCISO Compliance Guide (2026)

CBUAE Cybersecurity Requirements: A vCISO Compliance Guide (2026)

If you hold or are applying for a licence from the Central Bank of the UAE, information security is a licensing and supervisory requirement, not something the IT team handles quietly in the background. The CBUAE does not hand you a single line that says "appoint a Chief Information Security Officer," the way VARA does for virtual asset firms. What it does instead is require the governance, the accountability, the control functions, and the security baseline that a CISO exists to own. Read the rules together and the picture is unambiguous: a licensed financial institution needs a senior person accountable for its information security programme, reporting to the board, and answerable to CBUAE examiners.

For most firms at the licensing or early operating stage, that creates the same problem VARA does. A security executive credible enough to satisfy the regulator is expensive to hire full time, and the heaviest part of the work, building the framework and clearing the first review, lands before the licence has earned a dirham. A virtual CISO closes that gap. You get a named, qualified, accountable owner of the programme without carrying a full C-level salary from day one.

This guide covers which licences carry the obligation, what the information security rules actually require, whether you need a CISO, where firms get this wrong, and how the vCISO route works in practice.

Your vCISO in the UAE and Middle East
A named security leader of record, backed by a delivery team that builds the programme, not just advises. From $2,500 / mo

Who CBUAE regulates, and what "CBUAE compliance" means for security

The CBUAE licenses and supervises Licensed Financial Institutions across the UAE. If your firm sits in any of these categories, information security obligations apply to you as a condition of your licence:

  • National and foreign banks

  • Finance companies

  • Exchange houses

  • Payment service providers

  • Stored value facility (e-wallet) licensees

  • Insurance companies, brought under the CBUAE after the Insurance Authority was merged into it

  • Digital banks

The legal ground shifted recently, so a quick orientation matters. Federal Decree-Law No. (6) of 2025, the new CBUAE Law, came into force on 16 September 2025. It widened the regulatory perimeter to include open finance services, payment services using virtual assets, and enabling technology providers. Entities newly in scope have until 16 September 2026 to obtain the licence or approval they now need, and operating without one is a criminal offence under the 2025 Law, carrying fines up to AED 500 million. The existing sector regulations remain in force pending new implementing regulations under the 2025 Law, so the detailed technology and security requirements below still govern day-to-day compliance.

The obligation is not one rule in one place. Each licence category carries its own technology risk and information security provisions:

  • Retail Payment Services and Card Schemes Regulation (Circular No. 15/2021), Article 13, Technology Risk and Information Security. The most explicit and specific of the set, and the one this guide draws on most.

  • Stored Value Facilities Regulation (Circular No. 6/2020), Article 12, Technology and Specific Risk Management, for e-wallet providers.

  • Payment Token Services Regulation (Circular No. 2/2024), covering stablecoin issuance, conversion, and custody, with its own technology and cybersecurity risk management and incident reporting requirements.

  • Open Finance Regulation (Circular No. 3/2025), Article 31, Technology Risk and Information Security, for Open Finance Providers and the API Hub, with a detailed framework for authentication, secure communication, and IT governance. Banks and insurers are also pulled in as data holders, and other CBUAE licensees can be brought in as Deemed Licensed.

Banks, finance companies, and insurers carry parallel obligations through their own governance, operational risk, and consumer protection standards. The common thread across all of them is simple: every CBUAE licence carries a technology risk and information security obligation, and for payment providers the UAE Information Assurance Standards are named as the floor.

What the information security rules actually require

The clearest statement of CBUAE's expectations sits in Article (13) of the Retail Payment Services and Card Schemes Regulation. Five requirements define what a licensed entity has to build:

  • A security baseline that is not optional. A payment service provider must apply and meet, at a minimum, the UAE Information Assurance Standards, the national standards issued by NESA, now the Signals Intelligence Agency, and maintained under the UAE Cyber Security Council. The current version is Version 2, published September 2025 and rebased on ISO/IEC 27001:2022. This is the floor, not the ceiling, and we cover the standards in detail in the UAE IAR guide.

  • An IT governance framework with separated functions. The rules require a clear structure of IT functions built around three distinct capabilities: an effective IT function that runs systems, a technology risk management function that governs risk, and an independent technology audit function that checks both. Folding risk, operations, and audit into one team defeats the independence CBUAE looks for.

  • Board-level accountability. The board, or a committee the board designates, is responsible for a sound risk management framework for technology risk, sized to the nature and scale of the firm. Security cannot be a matter the board hears about once a year. Supervision expects a reporting cadence and evidence that leadership acts on what it sees.

  • A testing regime that bites at scale. Any payment service provider whose monthly average transaction value reaches AED 10 million or more has to assess the need for penetration testing and cyber-attack simulation, and the scope has to reach beyond an external network scan to internal networks, application systems, social engineering, and emerging threats, with timely remediation. For any firm with real volume, this makes independent testing effectively mandatory.

  • Resilience and user protection. The framework has to include documented, tested, and reviewed recovery strategies, the ability to restore records after loss or damage, reliable authentication, and notification to users when their records are lost or stolen. The CBUAE also issues targeted directives that licensees have to implement, such as the one-time password requirements it circulated to banks.

Two more requirements shape who runs all of this. Licence applications require an information security and technology risk documentation set alongside the governance structure. And the people in the senior roles that own these functions have to satisfy the CBUAE's fit-and-proper criteria: background checks, financial soundness, and relevant experience. The regulator is assessing the person, not just the paperwork.

Does CBUAE require a CISO?

The honest answer is more useful than a marketing one, and the detail sharpens it. CBUAE does not publish a single, across-the-board clause that names a "CISO" as a universal licensing condition, in the way VARA's Technology and Information Rulebook does for every VASP. If a provider tells you CBUAE flatly mandates a CISO by title, they are simplifying.

The accountable security leadership role is still effectively required, and here is the chain. For payment providers, RPSCS Article 13 makes the UAE Information Assurance Standards the mandatory floor. Those standards, in their current version, carry control M1.1.3, Roles and Responsibilities for Information Security, which is flagged Always Applicable, meaning it applies regardless of the risk assessment. M1.1.3 requires top management to appoint a leadership member with overall responsibility for the security programme, backed by a dedicated security function, and to establish an Information Security Committee to govern it. The standard names the Chief Information Security Officer as the typical holder of that role, and it requires the security leadership to be kept separate from IT, with no conflict in reporting lines. So the role you would call a CISO is mandated through the baseline the CBUAE tells you to meet, even though the CBUAE rulebook itself avoids the job title.

The rest of the framework points the same way. The RPSCS three-function separation is the same segregation M1.1.3 demands. Board accountability puts technology risk in front of the directors. Fit-and-proper scrutiny tests the senior people who own these functions. Put together, there is no way to satisfy the set without a senior, credible individual who owns the information security programme, reports to the board, and can stand in front of a CBUAE examiner. That person is a CISO in function, whatever the org chart calls them.

This distinction matters for two reasons. A nominal or junior appointment that exists only on paper will not survive fit-and-proper review or an examiner's questions. And the accountability is real and personal at the senior level, so the firm needs someone who can genuinely carry it, not a name entered into a form. The regulator cares about the function and the accountability far more than the title.

Where firms get CBUAE security wrong

The failure patterns repeat across engagements. The ones worth calling out before they cost you a review cycle:

  • Treating an ISO 27001 certificate as CBUAE compliance. The overlap is real and useful, and an ISO 27001 certified firm has a meaningful share of the controls already in place. It is not a substitute. The UAE Information Assurance Standards mapping, the sector-specific technology risk provisions, the independent technology audit function, and the board-reporting expectations are gaps an ISO certificate alone does not close. You need a dedicated gap assessment against CBUAE's requirements.

  • Collapsing the three functions. Running technology operations, technology risk, and technology audit under the same person or team is the most common structural miss. It reads as a control weakness to an examiner, and it breaches the segregation the UAE Information Assurance Standards require in the same breath.

  • Under-scoping penetration testing. The AED 10 million threshold catches most payment firms with genuine volume, and the required scope reaches social engineering and emerging threats, not just a perimeter scan. A single annual external test, run to tick a box, does not meet the intent.

  • Outsourcing the work but keeping the accountability confused. Payment firms lean heavily on cloud infrastructure, processors, and agents. CBUAE's position is that accountability stays with the licensee regardless of who runs the systems. Contracts with technology providers have to carry data security, service continuity, and regulatory compliance provisions, and material outsourcing, cloud in particular, needs the right approvals and notifications. Handing a vendor the systems does not hand them the responsibility.

  • No board-level security reporting. When the board or its designated committee has no regular line of sight into technology risk, the firm fails the accountability test even if the technical controls are sound. Supervision looks for the governance loop, not just the tooling.

Why hiring a full-time CISO first is usually the wrong call

None of this means your first move should be a permanent C-level hire. For most firms at the licensing or early operating stage, a full-time CISO is the wrong instrument, for three reasons:

  • Cost. An experienced CISO in the UAE market commands a senior-executive salary, broadly in the AED 400,000 to 700,000 a year range, committed before the licence has produced revenue. Carried across a year of build-up and review, that is a heavy fixed cost against an uncertain runway.

  • Workload shape. The effort is front-loaded. Standing up the governance structure, writing the policies, meeting the UAE Information Assurance baseline, and clearing the first round of independent testing is intense work concentrated around licensing. Once the framework is operating, the role settles into oversight, testing cycles, and board reporting. A full-time hire from day one buys idle capacity later.

  • The experience bar. Fit-and-proper scrutiny and the need for someone an examiner will accept tend to price out the hire a young firm can afford. The candidate who fits the budget often does not satisfy the requirement, and the candidate who satisfies it is out of budget.

How a vCISO meets the CBUAE requirement

A virtual CISO is an experienced security executive who takes the accountable security role on a retained, part-time basis. For CBUAE purposes the appointment is real. The vCISO is named as the firm's accountable owner of the information security programme and carries the responsibility the rules assign, while you pay for the level of involvement the firm genuinely needs. In a CBUAE engagement that usually means:

  • Building and owning the technology and cyber security risk management framework.

  • Structuring the IT governance so the risk, operations, and audit functions are properly separated, which is what both RPSCS Article 13 and the UAE Information Assurance Standards require.

  • Aligning the programme to the UAE Information Assurance Standards and closing the gaps against them.

  • Scoping and running the penetration testing and cyber-attack simulation programme, and remediating what it finds.

  • Setting up the board-level reporting cadence and preparing the information security and technology risk documentation the licence application and ongoing supervision require.

  • Governing the outsourced providers and the contractual security terms so accountability stays with the licensee.

The same person carries the role through licensing, then moves to a steady-state cadence once the framework is operating. Two adjacent obligations often sit alongside it. Under UAE data protection law, many of these firms also need a Data Protection Officer, and a single engagement can frequently cover both the security and privacy roles. And CBUAE's expectations around detection and response point toward continuous monitoring, which a managed detection capability can supply under the vCISO's direction. We cover the privacy side in our UAE PDPL compliance guide, and the monitoring side through our 24/7 SOC for startups.

Choosing a vCISO for CBUAE work

Not every vCISO is set up for this. CBUAE's framework is specific to UAE financial services, and an arrangement that works for a generic SaaS company will not hold up in front of an examiner. A few things worth checking before you appoint anyone:

  • UAE financial-sector experience, not just ISO. Has the person worked against the UAE Information Assurance Standards and the CBUAE technology risk provisions, or only against ISO 27001 and general enterprise security? The frameworks overlap, but the sector-specific obligations and the regulator's expectations have no equivalent in standard IT.

  • Standing and credentials. Recognised certifications such as CISSP and CISM, alongside a track record an examiner will accept, are what give a fit-and-proper appointment credibility.

  • Board and regulator fluency. The role calls for someone who can present technology risk to a board and answer a CBUAE examiner directly, not only produce documents.

  • Delivery, not just advice. The requirement is to build the framework and run the testing and reporting, not to hand over a report and leave execution to your team. Ask whether the person executes or only advises.

How Dynova handles CBUAE engagements

Dynova provides virtual CISO services in the UAE and DPO-as-a-service to regulated firms, including banks, fintechs, payment providers, and virtual asset businesses. Our work covers the frameworks that matter in this market: the UAE Information Assurance Standards and CBUAE technology risk requirements, ISO 27001, PCI DSS, UAE PDPL, and the VARA regime. We led OGold's ISO 27001 certification with BSI in six months from a standing start, and we run information security programmes for financial-sector firms against UAE regulatory requirements.

The model is built for how CBUAE work actually lands. A senior CISO takes the accountable role, builds the governance structure and testing programme through licensing, sets up the board reporting, then holds the steady-state oversight the rules require, without the firm carrying a full-time C-level salary. If a full-time comparison is what you are weighing, we set out the numbers in Virtual CISO vs Full-Time CISO.

If you are applying for a CBUAE licence, or already hold one and need a credible, accountable security lead in place, we can take the role and the build that comes with it. Book a call and we will map what your licence category requires and where your gaps sit.

Frequently asked questions

Does CBUAE require a CISO?

Not by a single named clause the way VARA does. But the role is effectively required. For payment providers, CBUAE mandates the UAE Information Assurance Standards as a minimum, and those standards make appointing a security leadership role, backed by a dedicated security function and an Information Security Committee, an Always Applicable control (M1.1.3). Add the RPSCS three-function separation, board accountability, and fit-and-proper scrutiny, and you need a senior owner of the security programme who reports to the board and can face an examiner. That is a CISO in function, whatever the title.

Which entities have to comply with CBUAE information security rules?

Licensed Financial Institutions supervised by the CBUAE: banks, finance companies, exchange houses, payment service providers, stored value facility (e-wallet) licensees, insurance companies, and digital banks. Newly in-scope entities under the 2025 CBUAE Law, including some virtual asset payment and enabling technology providers, have until 16 September 2026 to obtain the required licence or approval.

What security standard does CBUAE build on?

The UAE Information Assurance Standards, the national baseline issued by NESA, now the Signals Intelligence Agency, and maintained under the UAE Cyber Security Council. The current version is Version 2 (September 2025), rebased on ISO/IEC 27001:2022. CBUAE's payment regulations require licensees to meet these standards as a minimum, then add sector-specific technology risk obligations on top. We break the standards down in the UAE IAR guide.

Does an Open Finance or e-wallet licence carry the same security obligations?

Yes. Each CBUAE licence category has its own technology risk and information security provisions: Article 13 of the Retail Payment Services and Card Schemes Regulation for payment providers, Article 12 of the Stored Value Facilities Regulation for e-wallet providers, the Payment Token Services Regulation for stablecoin activities, and Article 31 of the Open Finance Regulation for Open Finance Providers. The payment rulebook names the UAE Information Assurance Standards explicitly; the newer regimes require an equivalent security framework aligned to recognised international standards.

Does an ISO 27001 certificate make us CBUAE compliant?

No. The overlap is useful and gives you a head start, and the current UAE Information Assurance Standards are themselves rebased on ISO 27001:2022, so a live ISO 27001:2022 ISMS covers a good share of the management controls. It does not cover the UAE-specific mandatory controls, the sector-specific technology risk provisions, the independent technology audit function, or the board-reporting expectations. A dedicated gap assessment against CBUAE's requirements is still needed.

Does CBUAE require penetration testing?

For payment service providers, effectively yes once you have volume. Any PSP with a monthly average transaction value of AED 10 million or more has to assess the need for penetration testing and cyber-attack simulation, covering internal and external networks, applications, social engineering, and emerging threats, and remediate what it finds. Cadence and thresholds vary by licence category and instrument.

Can a vCISO be our accountable security lead for CBUAE?

Yes. A vCISO can be named as the accountable owner of your information security programme, carry the responsibility the rules assign, present to your board, and face CBUAE examiners. The appointment is real; only the working arrangement is part-time.

Can the same person be our CISO and DPO?

Often, yes. The security and privacy roles overlap heavily, and for many CBUAE-regulated firms a single engagement can cover the vCISO role and the Data Protection Officer role under UAE PDPL. See our UAE PDPL compliance guide for how the DPO obligation works.

Related: UAE IAR Compliance (NESA IAS): A vCISO Guide · vCISO for VARA Compliance: Meeting Dubai's CISO Requirement · UAE PDPL Compliance: A vCISO and DPO Guide · Virtual CISO vs Full-Time CISO: The Real Cost in the UAE

Experience

Guide

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com 

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, License 2644102.01, Issued by Meydan Free Zone, Dubai, UAE

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com
Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ,

License 2644102.01,

Issued by Meydan Free Zone, Dubai, UAE

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO (vCISO) and Fractional CISO services in Dubai and across the UAE, from security strategy and CBUAE, VARA, ISO 27001, PCI DSS and SOC 2 compliance to hands-on execution, security testing, and code review.

Info: info@business-ciso.com

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, License 2644102.01,

Issued by Meydan Free Zone, Dubai, UAE