Your request for Endpoint Protector was sent!
One of our representatives will contact you shortly to schedule a demo.
Free, custom demo to suit your needs
One of our representatives will contact you shortly to schedule a live demo. We'll answer questions, address your concerns and tailor the demo to your needs.

* We don't share your personal info with anyone.
Check out our Privacy Policy for more information.
Please use a valid email address!
Thousands of global clients
already use our product
Trusted by companies of all sizes, from all industries. Fortune 500 companies, Universities, Governments, Banks, Media, and more.
Join them

Download our FREE ebook on GDPR compliance. Download Now

A Guide to NESA IAS Compliance

The National Electronic Security Authority (NESA) was established in 2012 in the United Arab Emirates (UAE) as the first federal authority responsible for innovating cybersecurity in the country. As part of its mandate, NESA produced the UAE Information Assurance Standards (IAS), a set of standards and guidelines for entities that support critical national services across all sectors.

These standards aim to protect the UAE’s critical data infrastructure and advance national cybersecurity. To be compliant, organizations must protect information assets, mitigate identified information security risks, implement effective controls and establish a secure culture by raising awareness of security-related issues.

Compliance with them is mandatory for all government organizations, semi-government organizations and critical infrastructure business organizations.

The Structure of the IAS

The IAS are heavily inspired by existing international standards, most notably ISO 27001 and NIST, from which they adopted a number of controls. The IAS consist of 188 security controls and standards split into four priority tiers, P1 having the highest priority and P4 the lowest. Each control has additional sub-controls, document requirements and performance indicators.

The list of security controls is based on 24 threats NESA identified through industry reports and prioritized taking into consideration the percentage of breaches they were responsible for. In this way, the 39 controls that make up the highest priority tier, P1, address 80% of the security threats NESA identified.

In total the IAS have 136 mandatory sub-controls (that fall under 35 of the 188 controls) and 564 sub-controls whose application depends on risk assessment results. The risk assessment requirements are similar to those stipulated in the ISO 27001. Organizations need to establish a risk methodology and criteria that they can then use to identify risks, threats, vulnerabilities and calculate their potential impact to determine their risk level. Based on results, they can then decide whether the organization needs to apply the IAS sub-controls. These risks must then be monitored and reviewed regularly.

The controls can also be divided into two families: 60 management controls and 128 technical controls. The management controls refer to strategy and planning, information security risk management, human resources security, compliance efforts, awareness and training, performance evaluation and improvement.

The technical controls meanwhile address asset management, physical and environmental security, operations management, communications, access control, third party security, information systems acquisition, development and maintenance, information security incident management and information security continuity management.

It is worth noting that of the 188 security controls, the mandatory 35, which NESA considers to be essential for a strong information security foundation, are all part of the management controls families. None of the technical controls are mandatory, their application depends solely on risk assessment results.

Enforcement and penalties

NESA’s enforcement of the IAS takes a 4-tier approach based on the level of risk an organisation poses to the UAE’s critical data information infrastructure:

  1. Reporting: self-assessment by organizations in line with mandatory and voluntary IAS requirements;
  2. Auditing: NESA can request specific evidence from organizations to support their self-assessment reports;
  3. Testing: when appropriate, NESA can commission tests of the information security measures organizations have in place;
  4. National Security Intervention: in extreme cases, if NESA judges that an organization’s activities are leading to unacceptable national security risks, it can directly intervene.

While NESA does not mention any specific penalties for non-compliance, organizations doing business in the UAE need to be aware that, should their operations be considered critical to the UAE’s data infrastructure, they will inevitably fall under the scrutiny of industry regulators and NESA. Non-compliance brings with it the risk of such scrutiny intensifying and escalating to a direct intervention from NESA.

The NESA IAS are based on internationally recognized standards and form an excellent basis for a sturdy cybersecurity framework that can help companies, even does that do not fall under their incidence, to avoid data breaches and keep sensitive data secure.


Frequently Asked Questions

Why was the NESA IAS introduced?
NESA’s UAE IAS regulations were created with the aim to:
  • Strengthen the security of the UAE’s cyber assets and reduce relevant risk levels
  • Protect the UAE’s critical infrastructure
  • Improve cybersecurity threat awareness in the UAE
  • Develop infrastructure and technical capabilities

Check out our endpoint compliance scanner.

Which organizations need to comply with NESA’s IAS?
NESA compliance is mandatory for:
  • Government organizations
  • Semi-government organizations
  • Business organizations that are identified as UAE’s critical infrastructure.

Check out the 5 frequently asked questions about compliance.

Is GDPR applicable to UAE?

The GDPR states that entities that process or store personal data relating to people living within the EU need to follow the rules laid down in the regulation. This means that the GDPR applies to any Gulf-based company also that offers goods or services to subjects in the EU or monitors their behavior.

Check out the 5 frequently asked questions about compliance.

What is NIST?

The NIST Cybersecurity Framework is a detailed guidance for cybersecurity best practices, built by professionals in the field. It has been widely embraced by both industry giants and governments across the world, showing that it provides an excellent starting point for compliance with data protection regulations and a solid cybersecurity plan to guard against threats and risks.

Learn more about NIST


Download our free ebook on
GDPR compliance

A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.

Inline Feedbacks
View all comments