TMT focus
Siddharth Goud, Associate, Digital & Data
As the UAE accelerates its digital transformation journey, cloud service adoption has been a key enabler in maintaining this momentum. An increasing number of organisations, including public institutions and businesses operating in the UAE’s public sector, are migrating either a part or all of their workloads to cloud environments.
We have begun to see a rapid shift in how laws and regulations are catching up with the widespread adoption of cloud solutions in the country. There is no single comprehensive regulation that governs the usage of cloud services. Instead, the UAE’s cloud regulatory landscape comprises a matrix of different rules and regulations whose applicability depends on various factors, such as the sector in which the organisation operates, whether its data and workloads are regulated, and the extent to which cloud computing solutions are adopted.
Below, we discuss the relevant laws and regulations that both users and cloud service providers should take into account when considering a move to cloud services.
A key regulatory framework for UAE entities to consider is the Information Assurance Regulation (“IAR”) developed and issued by the Telecommunications and Digital Government Regulatory Authority (“TDRA”). The IAR sets out requirements and minimum standards for the protection of information assets and supporting systems across all entities operating in ‘critical’ infrastructure sectors in the UAE. All UAE government entities, and other entities identified as ‘critical’ by the TDRA, are obligated to implement the IAR. The TDRA also strongly recommends that all other entities in the UAE adopt the IAR on a voluntary basis (as applicable), in order to help raise the national minimum security level. ‘Critical’ entities may be those operating in sectors such as energy, utilities, government, finance, health, ICT and transportation.
The controls in the IAR do not expressly prevent the use of cloud, but they require a risk-based approach to establishing data security requirements for cloud environments. For example, entities are required to define information security requirements covering the retention, processing and storage of data in cloud environments.
Where cloud customers are government entities, they will be subject to additional information security requirements that apply in the Emirates of Dubai and Abu Dhabi.
For Dubai government entities, the Dubai Electronic Security Center (“DESC”) has issued regulations that restrict cloud service providers from storing Dubai government entity data outside of the UAE.
In Abu Dhabi, the Abu Dhabi Information Security Standards (“ADISS”) and the Abu Dhabi Data Management Standards (“ADDMS”) govern the information security requirements and obligations of Abu Dhabi government entities with respect to their engagement of third-party suppliers for cloud-related services. With specific reference to the hosting of information systems, entities must ensure that government information classified as “Restricted” (not defined) is hosted on Abu Dhabi government infrastructure; such information may only be hosted on public cloud infrastructure after presenting a business case to the Abu Dhabi Digital Authority (“ADDA”) and obtaining its approval.
Entities operating in certain sectors may be subject to more extensive regulatory regimes.
Notably, in the financial services sector, regulatory authorities such as the UAE Central Bank, the Dubai Financial Services Authority (“DFSA”) of the Dubai International Financial Centre and the Financial Services Regulatory Authority (“FSRA”) of Abu Dhabi Global Market have together issued the “Guidelines for Financial Institutions adopting Enabling Technologies” (the “Guidelines”). The Guidelines apply to all institutions licensed and supervised by these authorities in the UAE that are using, or intend to use, cloud computing services, irrespective of the financial activities they conduct. Where financial service providers outsource and engage service providers for such cloud solutions, they must consider the materiality and the associated risks of the relevant cloud computing arrangement. Depending on the materiality of the cloud project, institutions may also be required to seek approval from their relevant supervisory authority for any material cloud computing plans, in order to address any concerns and expectations prior to implementation.
Such approval must be sought in accordance with the broader outsourcing requirements set by the relevant supervisory authority, including, where applicable, the UAE Central Bank’s Outsourcing Regulations for Banks and the accompanying Standards. These apply to all Central Bank licensed financial institutions in the UAE and cover all parts of the outsourcing lifecycle: identifying the right outsourcing service provider, contracting with them, maintaining a risk management and governance process throughout the outsourcing period, and managing any exit or migration away from the outsourcing service provider.
Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology (ICT) in Health Fields (the “ICT Health Law”), together with its regulations, applies to all methods and uses of ICT in the health fields in the UAE, including free zones. Key aspects of the ICT Health Law should be taken into consideration where cloud services are adopted by entities dealing in health-related data. Whilst the ICT Health Law does not expressly restrict healthcare organisations from using cloud services, there are various conditions (or use obligations) that must be adhered to when adopting cloud solutions. These requirements cover data confidentiality, cybersecurity, and the access and storage of health-related data. For example, patient data cannot be transferred outside the UAE unless approval is obtained from the local health authority and the UAE’s Ministry of Health. This is particularly relevant if a cloud service provider offers solutions from data centres outside the UAE.
Also note that Abu Dhabi’s Department of Health (“DOH”), the Dubai Health Authority (“DHA”) and the Dubai Healthcare City (“DHCC”) free zone have introduced standards and regulations governing the access, storage, use and transfer of such health data. For example, the Abu Dhabi Healthcare Information and Cyber Security Standard (the “ADHICS Standard”) requires DOH-regulated healthcare entities and healthcare service providers to obtain DOH approval prior to using any cloud services for the storage of patients’ health, diagnostic or personal data.
Where entities plan to migrate workloads comprising personal data or information to the cloud (particularly where cloud services are hosted in data centres abroad), due consideration must be given to Federal Decree-Law No. 45/2021 On the Protection of Personal Data (the “UAE Data Protection Law”). The UAE Data Protection Law, which took effect on 2nd January 2022, regulates the collection, processing, transfer and/or use of personal data in the UAE. However, entities have up to 6 months after the publication of further implementing regulations to ensure compliance with the law.
Pending the publication of these implementing regulations, personal data may be transferred to and stored outside the UAE in certain circumstances: to countries deemed by the UAE Data Office to have an adequate level of protection for personal data; with the express consent of the data subject; where necessary to perform a contract with the data subject; or where the arrangement is bound by a contract that imposes the additional measures, controls and requirements set out in the law. The implementing regulations are expected to set out additional controls and measures for transferring and storing data outside the UAE in the cases described above.
For further information, please contact Andrew Fawcett and Siddharth Goud.
Published in June 2022