Mission Critical
Technology, Media & Telecoms Focus
“The Critical Information Infrastructure Protection (CIIP) Policy” (“Policy”), outlines a consistent and iterative approach to identifying, assessing, and building the national risk profile across its CII.
Law Update: Issue 368 - Technology, Media & Telecoms Focus
Andrew Fawcett, Partner, Digital & Data
“Critical infrastructures” are vital to the functioning of our society as we know it, as they provide crucial services such as power, telecommunications, transportation and water. Improving the resilience of critical infrastructures has become a priority for authorities around the world.
In particular, it has become crucial to strengthen the security and resilience of the vital Information and Communication Technology (ICT) infrastructures used to deliver or support Critical Infrastructures (referred to as “Critical Information Infrastructure” or “CII”) against rising cyber threats, whether those infrastructures are targeted directly or used as a means to reach the Critical Infrastructures they support.
In 2023 the UAE Cyber Security Council (“CSC”), which is a council of the UAE Cabinet, released a policy document that aims to strengthen the cybersecurity posture of the nation's CII. It adds to the UAE cybersecurity frameworks for CIIP, which also include the Telecommunications and Digital Government Regulatory Authority’s Information Assurance Regulation.
“The Critical Information Infrastructure Protection (CIIP) Policy” (“Policy”) outlines a consistent and iterative approach to identifying, assessing, and building the national risk profile across its CII. The Policy also defines the governance mechanism and the protection program for CII entities, including the identification of CIIs, baseline requirements for the identified entities, and the mechanisms for the oversight and enforcement of requirements related to CII protection. The Policy is based on five CIIP principles:
building national cyber resilience,
sector focused governance,
risk-based prioritization,
establishing best practices and standards, and
encouraging cooperation and partnerships.
The Policy is applicable to CII entities, the relevant sector regulators/designates, and relevant participating stakeholders in the following sectors and sub-sectors, as well as any other sector determined by the CSC: digital infrastructure, financial services, transport, energy, healthcare, electricity and water, government services, education, space, and food.
The Policy categorizes the CII entities into two groups: Group A and Group B.
Group A entities are from the sectors that predominantly operate within a sector context in the UAE, such as digital infrastructure, financial services, transport-air, energy-nuclear, energy-oil and gas, space, food, and education.
Group B entities are from the sectors that predominantly operate within each Emirate, such as transport-rail, road and maritime, electricity and water, and healthcare.
The Policy assigns different roles and responsibilities to the CSC, the Emirate leads, the designated sector leads, and the CII entities and operators, to ensure effective governance and coordination for CIIP.
The CSC is the main authority that drives the implementation of the CIIP program across all CII sectors, sub-sectors, entities and operators, and provides oversight and guidance to them.
Protection of critical Information and Communication Technology (ICT) infrastructures is vital for the security of the UAE and the well-being of its citizens.
The Emirate leads are responsible for supporting and monitoring the CII entities within Group A within their respective Emirates.
The designated sector leads are responsible for providing guidance and direction to CII entities and operators within their respective sectors and being accountable for the implementation of the CIIP program within the sector.
The CII entities and operators are responsible for understanding their roles and responsibilities towards building a secure information infrastructure and complying with the national and sectoral cybersecurity requirements.
The Policy also outlines the key policy domains and sub-domains for CIIP, which are: governance for CIIP program, risk profile development, CII protection program, and assurance for CIIP program.
Each policy sub-domain elaborates on the objectives and policy statements that the CII stakeholders need to follow. Some of the main policy statements include:
CII entities and operators shall set up a dedicated security management function and designate/appoint competent personnel to manage and drive the implementation of the entity's cybersecurity requirements.
CII entities and operators shall establish a supply chain security strategy that requires following risk management principles and a cyber defence-in-depth approach.
CII entities shall follow a structured approach for the identification and prioritization of Critical Services, based on best practice principles defined in the National Cyber Risk Management Framework.
CII entities shall conduct an annual security risk assessment focusing on the critical information infrastructure components identified, for protection from failures related to integrity, availability, and confidentiality.
CII entities shall implement any cybersecurity policies, control standards, baselines, and plans, as required and mandated by the CSC and/or sector leads and Emirate leads.
CII entities shall address the integration of Internet of Things (IoT) devices into critical information infrastructure, and, more generally, the convergence of Information Technology (IT) and Operational Technology (OT).
CII entities shall ensure that all reasonable provisions for building capabilities for the prevention of CII disruption and the continuity of CII services are identified and implemented, including technical and technological controls, based on the entity's risk assessment.
CII entities shall undergo attestation, based on the defined risk profile, where 'High risk' entities are mandated to adhere to the Accreditation Program while 'Medium and Low risk' entities are encouraged to adopt the voluntary track defined in the Accreditation Program.
The CSC is to enforce implementation of the mandatory policies and standards and institute regular CII security inspections and audits to monitor compliance on an annual basis.
For further information, please contact Andrew Fawcett.
Published in May 2024