New regulations from the UAE Cyber Security Council require IoT devices to meet binding security controls. Here’s what you need to know—and how to get ready.
The UAE Cyber Security Council has released Version 2.0 of the National IoT Security Policy, establishing mandatory security requirements for all IoT service providers, developers, and implementers offering services within the UAE.
Unlike advisory guidance for consumers and individuals, this policy is mandatory for IoT service providers. Compliance is not optional.
Who Must Comply?
The following entities must meet the security controls outlined in the Policy:
- IoT service providers
- IoT developers and implementers
- Any entity offering IoT-based services within the UAE
“The IoT Security Policy is mandated on all IoT service providers, developers, and implementers offering services within the UAE.”
– Section 1.2, Scope & Applicability
Key Policy Domains for IoT Service Providers
The policy sets out clear requirements across 12 core domains.
| Sr. No. | Domain | Key Requirements |
| --- | --- | --- |
| 1 | IoT Governance | Establish an IoT security strategy, governance structure, and maintain a record of all IoT technologies and devices |
| 2 | Risk Management | Implement continuous risk assessments for IoT ecosystems |
| 3 | Awareness & Training | Provide role-specific IoT security training to all personnel |
| 4 | Third Party Security | Enforce supply chain security plans and contractual agreements |
| 5 | Compliance | Align with CSC, TDRA, and sector-specific standards |
| 6 | Data Security | Protect PII, implement encryption (including quantum-resistant readiness), and ensure secure communications |
| 7 | Identity & Access Management | Enforce least privilege, no hard-coded credentials, and mandatory password changes |
| 8 | Incident Management | Align with National Incident Response Framework, report incidents promptly to consumers and authorities |
| 9 | IoT Resilience | Ensure devices remain functional during communication loss and fail securely |
| 10 | Device Management | Secure by design, encrypted storage, secure boot, and verifiable software updates |
| 11 | Network Security | Segregate IoT networks, disable unused ports, use strong cryptography |
| 12 | Security Logging & Monitoring | Enable telemetry, anomaly detection, and endpoint logging |
How Compliance Is Monitored
Compliance with the National IoT Security Policy is tracked through the UAE Information Assurance (IA) Standard and reported via the National Cyber Index Platform. The Cyber Security Council, in coordination with Emirate leads and sector regulators, will actively monitor and enforce adherence.
“All requirements outlined in this policy are embedded within the UAE IA Standard. Entities are expected to report their compliance status via the National Cyber Index Platform.”
– Section 4, Implementation
How MAST Consulting Can Help Your Organization Achieve Compliance
Navigating a multi-domain regulatory mandate can be overwhelming. MAST Consulting specializes in translating UAE Cyber Security Council requirements into practical, actionable, auditable, and sustainable compliance programs.
Our Services for IoT Service Providers:
- Gap Assessment
  - Map your current IoT security posture against all 8 policy domains
  - Identify missing policies, technical controls, and documentation
  - Deliver a prioritized remediation roadmap with timelines
- Framework Development
  - Draft IoT-specific governance frameworks and security strategies
  - Create incident response playbooks aligned with the National Incident Response Framework
  - Develop third-party security and supply chain management plans
- Technical Control Implementation Support
  - Guide implementation of encryption, access management, and secure communications
  - Assist with network segmentation, micro-segmentation, and secure gateway deployment
  - Support secure software development lifecycle (SDLC) for IoT applications
- Compliance Reporting & Attestation
  - Prepare your compliance package for the UAE Information Assurance Standard
  - Assist with National Cyber Index Platform reporting
  - Conduct mock audits to ensure readiness for CSC or Emirate lead inspections
- Training & Awareness
  - Deliver role-based IoT security training for technical, operational, and executive teams
  - Provide customized awareness programs for contractors and third-party staff
Proactive alignment with the National IoT Security Policy today will not only ensure compliance but also strengthen your organization’s resilience, trust, and long-term digital growth.