Complete Guide to NESA
Compliance in UAE (2026).

What is NESA and the IAS framework?

NESA — the National Electronic Security Authority — was established under UAE Federal Law No. 7 of 2014 to protect national critical information infrastructure and enhance cybersecurity across the Emirates. It has since evolved into the UAE Signals Intelligence Agency (SIA), though the framework is still widely referred to as NESA IAS.

The Information Assurance Standards (IAS) are NESA's primary compliance framework: a set of 188 security controls designed to create a defensible cybersecurity baseline for organizations operating critical systems. Think of it as the UAE's equivalent of NIST SP 800-53 or ISO 27001 Annex A — but with UAE-specific enforcement and applicability scope.

Who must comply with NESA IAS?

NESA IAS is mandatory for organizations that own or operate Critical Information Infrastructure (CII) in the UAE. The following sectors are explicitly covered:

• Government and federal entities
• Telecommunications and digital infrastructure
• Energy (oil, gas, utilities, water)
• Banking and financial services
• Healthcare (hospitals, health data systems)
• Transportation and logistics
• Technology companies supplying critical systems to the above

If you supply IT systems, managed services, or cloud infrastructure to any of these sectors, you may fall in scope depending on your contractual role and data handling. When in doubt, treat it as mandatory — the cost of a gap assessment is significantly lower than the cost of enforcement action.

The 188 controls: structure and priority tiers

NESA IAS divides its 188 controls into two families:

Management Controls (60 controls): These cover the organizational and governance foundations of a security program — information security policy, risk management, organizational roles and responsibilities, supplier relationships, compliance oversight, and incident management governance. 35 of these are "always applicable" — meaning they must be implemented regardless of the organization's risk assessment outcome.

Technical Controls (128 controls): These cover operational implementation — access control, cryptography, network security, application security, endpoint protection, logging and monitoring, and vulnerability management. Technical controls are risk-adjusted: their applicability is determined by the organization's asset inventory and risk profile.

Controls are organized into Priority Tiers (P1 through P4):

• P1 (39 controls): Non-negotiable. Must be implemented by all in-scope entities regardless of size, sector, or risk profile. These 39 controls address 80% of identified cybersecurity threats. Regulators check these first.
• P2 (controls): Highly recommended; risk-based justification required if not implemented
• P3/P4: Risk-determined; applicability based on organizational risk assessment

What are the P1 controls? What they cover.

The 39 P1 controls span both management and technical domains. Without going through all 39, the categories covered include:

• Information security policy (documented, board-approved, annually reviewed)
• Organizational security roles and responsibilities
• Asset inventory and classification
• Access control and identity management
• Change management and configuration control
• Vulnerability management and patch management
• Incident detection and response
• Business continuity and disaster recovery planning
• Security monitoring and logging
• Backup and recovery procedures

In our experience conducting NESA assessments across UAE organizations, P1 gaps that appear most frequently: lack of a documented, board-approved information security policy; absence of a formal asset inventory; no formal patch management process; and no documented incident response procedure. These are not technically complex to fix — but they require organizational discipline to implement properly.

NESA compliance in 2026: what's changed

NESA's enforcement posture in 2026 has shifted on three dimensions:

Evidence requirements are higher. Organizations must now demonstrate compliance through structured evidence — logs, incident records, control validation records — not just policies. A policy document that says "we do X" without evidence that X is actually happening will not satisfy a NESA review.

Continuous monitoring is expected. Point-in-time assessments are no longer sufficient on their own. Organizations are expected to demonstrate ongoing compliance monitoring — not just annual snapshots.

Supply chain is in scope. The UAE National Cybersecurity Strategy 2025–2031 has expanded cybersecurity expectations to include supply chain risk. Organizations should expect that their own suppliers will increasingly be asked to demonstrate security controls.

How to conduct a NESA gap assessment

A NESA gap assessment is a structured evaluation of your current security posture against all 188 IAS controls. The output is a baseline picture of what's implemented, what's partial, and what's missing — with a prioritized roadmap for remediation.

A credible gap assessment includes:

• Documentation review: Policies, procedures, configuration standards, and evidence artifacts reviewed against control requirements
• Stakeholder interviews: IT, Security, and Compliance leadership interviewed to validate control implementation and identify undocumented gaps
• Technical verification: Where controls can be technically verified (logging configurations, access control settings, patch status), direct verification is conducted
• Control classification: Each of the 188 controls classified as Met, Partial, or Not Implemented
• Remediation roadmap: Prioritized action plan starting with P1 gaps, with effort estimates and recommended remediation approaches

A full assessment covering all 188 controls typically takes 4–6 weeks with a dedicated practitioner. Shortcuts — like assessing only P1 controls, or relying exclusively on self-reported questionnaires without verification — produce assessments that won't hold up under regulatory review.