The evolving geopolitical landscape in the GCC region presents a complex array of legal and operational challenges for businesses operating in the region. With a focus on the UAE, this article examines three pressing issues that demand immediate attention from businesses operating in the region: the surge in cyber-attacks, infrastructure vulnerabilities affecting cloud service providers, and heightened government enforcement concerning online content and misinformation.
Increase in Cyber Attacks Across the GCC
The ongoing regional developments have been accompanied by an increase in cyber activity targeting GCC countries. Risk-monitoring firm CloudSEK reported that between 27 February and 2 March 2026, coordinated cyber disruption attempts were logged against ten financial institutions, seven aviation and logistics entities, government ministries, and telecommunications providers across the region. In the UAE, some online and phone banking services experienced temporary unavailability.
For businesses in the UAE, this carries substantial legal implications: under UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes, organizations face stringent cybersecurity obligations, with inadequate measures exposing companies to regulatory penalties, civil liability, and potential personal liability for directors and officers where negligence is demonstrated. Additionally, many insurance policies contain exclusions for state-sponsored attacks, potentially leaving organizations without coverage.
To enhance readiness, clients should conduct comprehensive cybersecurity audits, activate incident response teams with clear escalation protocols, and review backup and disaster recovery procedures. Organizations must ensure compliance with sector-specific regulations issued by authorities such as the UAE Central Bank, Dubai Financial Services Authority, and Abu Dhabi Global Market, while documenting all cybersecurity measures to demonstrate due diligence. Contractual reviews should address cyber risk allocation provisions, force majeure clauses, and breach notification requirements, and insurers should be engaged to clarify coverage gaps. Finally, employees should be trained on cybersecurity hygiene protocols, including multi-factor authentication and phishing awareness.
Cloud Infrastructure Resilience and Data Location Concerns
The recent attacks, and in particular the incident involving physical damage to Amazon Web Services infrastructure in the UAE, has prompted many organizations to reconsider their data storage and back-up strategies and contemplate migrating data to alternative jurisdictions. While such contingency planning is prudent, it raises a series of legal considerations that must be carefully navigated.
The UAE has implemented data localization requirements across various sectors. Financial institutions regulated by the Central Bank, for example, are generally required to store and process customer data within the UAE unless specific approvals are obtained. Health data and government data is subject to strict data localization requirements at Federal and Emirate level. Entities operating in the Abu Dhabi Global Market and Dubai International Financial Centre must comply with their respective data protection frameworks, which impose conditions on international data transfers. Federal Law No. 45 of 2021 concerning the Protection of Personal Data, although not presently enforceable, establishes cross-border transfer requirements, including the need for adequate safeguards when transferring personal data to jurisdictions that do not provide equivalent levels of protection.
Before initiating any data migration, organizations should undertake the following steps. First, conduct a thorough data mapping exercise to identify all categories of data, their classification under applicable law, and any sector-specific restrictions on transfer. Second, review contractual arrangements with cloud service providers to understand rights and obligations concerning data portability, service continuity, and liability for service disruption. Third, assess the legal framework of potential destination jurisdictions, including their data protection regimes, government access powers, and any bilateral arrangements with the UAE. Fourth, engage with relevant regulators where required approvals or notifications may be necessary prior to transferring data offshore.
The UAE Cyber Security Council has issued the Critical Information Infrastructure Protection (CIIP) Policy and the National Cloud Security Policy. These policies are directly applicable to government entities and to businesses that have been instructed by sector regulators to comply, including entities regulated by the Central Bank of the UAE, the Telecommunications and Digital Government Regulatory Authority, and the Integrated Transport Centre in Abu Dhabi. While these policies may not be directly applicable to all businesses or to all categories of data that may be subject to a backup or migration project, organizations should verify their applicability on a case-by-case basis. Notably, the policies do not contain express data sovereignty requirements mandating that data remain within the UAE; however, they represent valuable guidance on best practices as articulated by the UAE government and should inform any organisation’s approach to cloud security and data protection.
Government Enforcement on Online Content and Misinformation
UAE authorities have intensified enforcement efforts concerning the dissemination of videos, social media posts, and other content deemed to contain inaccurate or misleading information about the current situation in the country. This enforcement campaign carries significant legal risks for both individuals and corporate entities.
Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes establishes severe penalties for the publication or dissemination of false information, rumours, or misleading news that may harm the state’s reputation, public order, or national interests. Under this law, online users who share incorrect information are considered part of the offence, not merely the original publisher, meaning everyone bears responsibility to verify information before sharing or risk criminal prosecution. The specific penalties include: fake news, rumours, misleading or inaccurate information that contradicts official announcements carries one year in prison and a fine of AED 100,000; fake news published during pandemics, emergencies, or crises carries two years in prison and a fine of AED 200,000; and information that agitates public opinion, causes panic, or harms national security carries one year in prison and a fine of AED 100,000. Moreover, it must be noted that the law applies extraterritorially to conduct committed outside the UAE where it produces effects within the country, potentially exposing international personnel and parent companies to liability.
Federal Decree-Law No. 55 of 2023 on the Regulation of Media (the UAE Media Law) and its implementing regulations provide a comprehensive framework governing all forms of media, including digital platforms, social media influencers, content creators, podcasters, and traditional media outlets. Under Article 17 of the UAE Media Law, anyone practising an activity or profession in the field of media must adhere to Media content standards, which requires that media content must comply with public order, national values, and the laws of the UAE, and it prohibits the publication or dissemination of certain categories of content.
The National Media Authority, established under Federal Decree-Law No. 11 of 2025, now serves as the unified federal regulator for media policy, licensing, and oversight nationwide. Its mandate extends to developing programmes and mechanisms to manage media crises, countering misinformation and negative content, and providing guidance and advisory support to government entities to enhance national awareness during crises. The Authority monitors and reviews all published and broadcast media content within the State, including in free zones, analyses public opinion trends, and takes appropriate actions in accordance with applicable legislation. Cabinet Decision No. 42 of 2025, which came into force on 29 May 2025, provides a detailed schedule of administrative penalties for violations of these media content standards.
The UAE National Media Authority has issued essential guidelines for handling media content responsibly amid current regional developments. The Authority has emphasized the importance of full compliance with laws and official instructions regarding media content and information circulation. Key instructions issued by the Authority include: do not film, record, post, repost, or circulate any visual or audio material, information, media content, or rumours from unofficial sources; use social media and digital channels only to share verified information from official UAE authorities and institutions; and avoid content that incites, abuses, spreads unverified information, or may harm public interest or privacy. The Authority has confirmed that legal action will be taken against anyone found in breach of these instructions, in accordance with UAE law.
Please do not hesitate to get in touch with David Yates and Valeria Dessolis if you have any questions or if you require guidance on navigating the legal implications described in this article and how they may impact your business during these uncertain times. Our Digital & Data Practice team is ready to support you.
Key Contacts