The UAE regulates the digital economy through an interlocking federal, emirate-level and sectoral framework. Personal data is governed onshore by Federal Decree‑Law No 45 of 2021 on the Protection of Personal Data (PDPL), which is to be administered by the UAE Data Office, with parallel General Data Protection Regulation (GDPR)‑style regimes applying in each of the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) free zones.
Consumer dealings, including e‑commerce, are covered by Federal Law No 15 of 2020 on Consumer Protection and its Executive Regulations (Cabinet Decision No 66 of 2023). This is complemented by a federal law specifically directed at trading via modern technological means that strengthens online seller and platform duties, known as Federal Decree-Law No (14) of 2023 on Trading by Modern Technological Means. Media and online content are regulated under Federal Decree‑Law No 55 of 2023 on Media and its Executive Regulations, administered by the UAE Media Council. The Telecommunications’ Internet Access Management policy directs internet service providers (ISPs) to block prohibited content categories. Telecommunications and connectivity remain under Federal Law by Decree No 3 of 2003, with the Telecommunications and Data Regulatory Authority (TDRA) issuing licence conditions, device-type approval requirements and the Consumer Protection Regulations (v2.0, 2023).
Cyber conduct is addressed by Federal Decree‑Law No 34 of 2021 on Combatting Rumours and Cybercrimes. Health data and information use are regulated by Federal Law No 2 of 2019 on the Use of ICT in Health Fields and implementing decisions that restrict offshore storage absent approvals. Financial services rely on central bank outsourcing and consumer protection rules, which impact cloud and data handling.
Virtual Assets
Onshore virtual assets service providers are supervised by the Securities and Commodities Authority (SCA) and the Dubai-established Virtual Assets Regulatory Authority (VARA) for the Emirate of Dubai. Financial free zones run their own regimes: the Dubai Financial Services Authority (DFSA) in the DIFC and the Financial Services Regulatory Authority (FSRA) in the ADGM. The national policies of the UAE Cybersecurity Council (CSC), although directed at federal government entities and critical communications infrastructure, act as de facto codes of conduct in risk‑sensitive deployments.
The leading challenges arise from jurisdictional layering and sector carve‑outs, which require careful scoping of applicable regimes across onshore UAE, the financial free zones and emirate‑specific authorities. For platforms, aligning global content moderation with the UAE Media Law’s national content standards, age rating and influencer permit rules, and the TDRA’s blocking policy needs to be properly implemented, especially for mixed user‑generated content (UGC) and professional content.
Data transfer constraints add friction: the PDPL allows cross‑border transfers under adequacy or safeguards, but health data generally must remain in the UAE absent approval, and financial outsourcing requires stringent controls and audit rights. Federal Law No 26 of 2025 on Child Digital Safety came into force on 1 January but is in a transitional phase until 31 December 2026. Currently, AI and synthetic media risks are addressed through cybercrime, privacy, media standards and copyright rules rather than a single horizontal AI law, creating an evolving compliance target around explainability, safety assurance and provenance for deepfakes.
Finally, entity and activity structuring for virtual assets must navigate distinct onshore, Dubai VARA and DIFC/ADGM regimes, and stringent AML expectations, complicating national marketing and customer flows.
There is no bespoke digital tax regime in the UAE.
Digital TMT offerings are governed by Federal Law No 15 of 2020 on Consumer Protection and Cabinet Decision No 66 of 2023, which mandates truthful disclosures in Arabic (noting that bilingual Arabic/English is permitted and is the norm), compliant invoicing, warranties, and product safety and recalls, and prohibits unfair terms. These rules apply to electronic transactions and are reinforced by the law on trading via modern technology, which sets platform duties towards consumers. For telecoms, the TDRA Consumer Protection Regulations (v2.0, 2023) impose detailed requirements regarding contracting, billing transparency, complaint handling, service quality, advertising, data caps and hard stops, and subscriber privacy. Telemarketing is further controlled by recent Cabinet decisions that restrict call practices and require opt‑out and do‑not‑call adherence.
Firms should provide complete, accurate and Arabic-language pre‑contract information, honour refund entitlements, and implement warranties and after‑sales support suitable for digital goods and subscriptions. Contracts should avoid clauses the Executive Regulations deem null (such as unilateral change and rights waivers), and pricing and promotions must be truthful and transparent. For direct marketing, lawful consent must be obtained, and simple opt‑out paths provided. For platforms, operators should vet sellers and take responsibility for listings and defect remediation, consistent with the e‑commerce rules. Telecoms and subscription services should publish service-level commitments, credit policies for outages and clear complaint channels, while aligning subscriber privacy and data use to PDPL and TDRA privacy provisions.
Consumers can lodge complaints with the Ministry of Economy and the competent emirate economic departments under the consumer law, which can lead to administrative measures – though civil courts remain available for damages. Telecom customers escalate issues under the TDRA’s Consumer Protection Regulations via a defined complaint sequence, with the TDRA empowered to direct remedies. Privacy complaints may be filed with the UAE Data Office under the PDPL when it becomes operational. Media content violations are handled by the UAE Media Council, which operates a dedicated content violations committee and the A’men public reporting platform. Sector‑specific grievance mechanisms exist for virtual assets (eg, VARA’s grievance processes) and other regulated activities.
Further, the DIFC courts have established the Digital Economy Court (DEC) to oversee sophisticated national and transnational disputes related to current and emerging technologies across areas ranging from big data, blockchain, AI, fintech and cloud services to disputes also involving unmanned aerial vehicles (UAVs), 3D printing and robotics.
Consumer Disputes
The most effective way for UAE TMT companies to handle consumer disputes is to operationalise compliance by design with Federal Decree Law No 14 of 2023 on Modern Technology‑Based Trade and Federal Law No 15 of 2020 on Consumer Protection and its 2023 Executive Regulations. In practice, this means presenting clear offers and terms – and accurate total pricing and fees – and issuing compliant digital invoices.
Complaint channels should have defined service levels, and the statutory hierarchy of remedies – repair, replacement or refund – should be applied for defects, misdescription, non‑delivery or delay that deprives benefit. Digital content that is consumed once may be excluded from returns, but failed downloads, misbilling or misdescription must still be rectified. Promotions must be licensed and truthful, with processes to proactively credit price‑drop differences after purchase. Unfair terms that waive consumer rights or allow unilateral changes are void, and digital contracts below AED50,000 cannot mandate arbitration.
Marketplaces should require third‑party sellers to adhere to the mechanisms described in the foregoing, maintain a centralised complaints desk and step in with refunds or replacements when sellers fail. Companies should also respect telemarketing rules, maintain outage and incident continuity plans that extend return windows or issue goodwill credits, train frontline staff on legal entitlements, and track metrics such as first‑contact resolution and repeat defects to drive root‑cause fixes. This approach reduces escalation, aligns with enforcement expectations and sustains trust in the UAE digital marketplace.
Virtual assets introduce new monetisation and payment rails for digital media, telecoms and platforms, including tokenised content, micro‑transactions and loyalty programmes, but they require precise structuring under the appropriate regulator (the SCA onshore, VARA in Dubai, the DFSA in the DIFC, the FSRA in ADGM). Custody, brokerage, exchange and payment services are regulated activities, and unlicensed provision risks sanctions. Advertising is expressly regulated and must avoid misleading claims. AML/CFT compliance, travel rule implementation, sanctions screening, fraud controls and customer asset segregation are pivotal, and cross‑border integrations must consider regulator‑approved asset lists and local recognition frameworks.
Opportunities include novel business models for content and services, faster settlement and programmable commerce. Challenges include fragmented licensing across onshore and free‑zone regulators, strict marketing rules, licensing for custody and exchange functions, robust AML and sanctions obligations, and data protection and cybersecurity risk at wallet, exchange and smart‑contract layers. Consumer protection expectations are rising, and firms must integrate disclosures, suitability and complaint handling that match financial and media sector norms.
Onshore, the SCA supervises virtual assets and VASPs pursuant to Cabinet Decision No 111 of 2022 and subsequent rulemaking that covers licensing, market conduct, listings and AML/CFT. In the Emirate of Dubai (outside the DIFC), Law No 4 of 2022 established VARA, which issued a comprehensive rulebook in 2023 with activity‑specific modules (advisory, broker‑dealer, custody, exchange, lending/borrowing, payments/remittances and management services), as well as marketing and promotions rules and a grievance mechanism. In the financial free zones, the DFSA’s Crypto Token Regime (DIFC) and the FSRA’s virtual assets framework regulate exchanges, brokers, custodians and asset managers. Across the UAE, federal AML/CFT laws and central bank expectations apply to virtual asset activities and marketing, including travel rule compliance.
There is no single cloud statute as compliance is anchored in the PDPL, sectoral rules and government policies. The PDPL permits cloud processing and cross‑border transfers subject to lawful bases, security, transfer adequacy or safeguards, and breach notification to the Data Office (and to data subjects in risk‑relevant cases). Financial institutions must meet central bank outsourcing and operational risk standards that mandate due diligence, audit and access rights, incident reporting and controls that can constrain data location and subcontracting. Healthcare data is subject to Federal Law No 2 of 2019 and implementing decisions that generally require in‑UAE storage and processing – unless health authorities approve transfer. Government entities follow their own information assurance baselines and typically require local residency for sensitive government data. Edge deployments that intersect with the IoT and telecoms must also meet TDRA security and type approval requirements.
Banking, insurance and payments are subject to central bank rules for outsourcing, information security and consumer protection that set specific requirements for cloud, data location, regulator access and incident notification. Healthcare is constrained by the health information and communications technology (ICT) law’s data residency mandate absent approvals. Government entities are bound by information security and government data policies that typically restrict offshore storage. Telecom licensees must comply with TDRA licence conditions on security and lawful access. These sectoral rules can apply instead of PDPL obligations and impose stricter standards.
Cloud Computing and Personal Data Processing
In the UAE, the processing of personal data must first comply with the PDPL. Controllers need a valid legal basis, clear transparency and minimisation, and must bind cloud processors by contract on instructions, security, sub‑processor approvals, audit support and prompt breach notification. Cross‑border processing is permitted only where an adequacy decision or appropriate safeguards are in place (and exemptions apply in limited cases), so mapping data flows and conducting transfer impact assessments is prudent, given that there is no published adequacy list. Security should follow the CSC’s national cloud security policy, which sets governance, supplier risk, contractual, data life cycle, data location/sovereignty transparency, identity and access management, incident response/forensics, resilience and portability/interoperability expectations for both cloud customers and certified service providers (CSPs), and aligns with the updated UAE information assurance standard.
Sector overlays are critical. Health data is subject to Federal Law No 2 of 2019, which generally prohibits storing, processing, generating or transferring UAE health data outside the UAE without health authority approval. The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) further restricts cloud use absent exemptions, while Dubai policies allow certain cross‑border flows. Health data must be retained for at least 25 years, and violations carry fines. Federal Law No 6 of 2025 regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business governs financial institutions and insurance companies. Further, financial services are governed by the central bank’s Outsourcing Regulation and Standards and Enabling Technologies Guidelines, requiring materiality assessment and, for material or offshore arrangements, non‑objection, a UAE “master system of record”, regulator and audit access, customer data ownership, subcontractor controls, robust business continuity/exit plans and data location transparency. Practically, cloud contracts should reflect these statutory and policy requirements, and architectures should segment data to meet localisation and regulator access obligations.
The UAE does not have a single AI statute, as it regulates AI through a layered mix of policy, binding cross‑cutting laws and sector rules. At the federal level, the UAE has established the Minister of State for Artificial Intelligence Office (the “AI Office”) which has appointed a Minister of State for AI, Digital Economy and Remote Work Applications (the “Minister of AI”). The AI Office has issued non‑binding instruments – the National AI Strategy 2031, AI Charter, Ethics Guide, AI Adoption Guideline and a Deepfake Guide – aligned with OECD/United Nations Educational, Scientific and Cultural Organization (UNESCO) principles. Abu Dhabi established the Artificial Intelligence and Advanced Technology Council (AIATC) for regulating projects, investments and research related to AI and advanced technology within Abu Dhabi but has yet to issue any regulations. Digital Dubai’s Ethical AI Toolkit guides deployments. More general laws regulate AI, such as the Personal Data Protection Law (lawful bases, transparency, automated‑decision safeguards), the cybercrime law (offences for impersonation, false news, manipulated accounts/“e‑robots”), the media/content regime (licensing and standards for AI‑generated media) and the Modern Technology‑Based Trade law (AI‑enabled platforms and fair trading). In the DIFC, Data Protection Regulation 10 specifically governs processing via autonomous and semi‑autonomous systems, mandating prominent notices, governance and certification for high‑risk use. ADGM/DIFC privacy laws otherwise mirror GDPR‑style controls. Sector overlays include central bank guidance for enabling technologies (explainability, outsourcing risk, regulator access) and health authority rules, with strict health data localisation under the federal health ICT law.
Deepfake harms are addressed through cybercrime prohibitions, media takedown/blocking powers, privacy and image protections, and copyright moral rights (attribution and integrity), enabling criminal, administrative and civil remedies in parallel.
AI in transport is regulated: Dubai Law No 9 of 2023 (and its 2025 by-law) requires Roads and Transport Authority (RTA) licensing and technical approval of autonomous vehicles (AVs), imposes operator civil liability with mandatory UAE insurance and mandates logging, updates and incident reporting. A new federal traffic law modernises classifications. Commercial drones and deliveries require General Civil Aviation Authority/Dubai Civil Aviation Authority (GCAA/DCAA) registration, operational approvals, airspace compliance and respect for privacy/geospatial restrictions. Across use cases, key elements are clear liability and insurance allocation (operator‑centric for AVs), transparency and user notices, PDPL/DIFC/ADGM data protection compliance (including cross‑border safeguards), IP and moral rights clearance for AI outputs, and careful jurisdictional scoping across federal law, emirate rules and free‑zone regimes.
The TDRA’s IoT regulatory policy covers licensees, IoT providers and users, requiring IoT provider registration with the TDRA, a local presence or appointed representative, service reliability and compliance with telecoms policy. Personal data principles of purpose limitation and minimisation apply, and the policy classifies data into tiers (secret, sensitive, confidential), with government data residency requirements and conditions for offshore storage of private sector sensitive data where equivalent security is ensured. The framework dovetails with device type approval, numbering and addressing for machine-to-machine (M2M) communications, SIM provisioning and lawful access mandates under licence conditions, and is complemented by PDPL obligations for personal data.
IoT and M2M deployments must use TDRA‑approved SIMs and numbering plans, comply with device type approval and maintain communications secrecy per TDRA licence conditions and consumer/privacy rules. Controllers must apply PDPL principles to telemetry and analytics, ensuring lawful bases where data is used beyond core functionality, transparency to users and proportionate retention. For government and critical data, residency or equivalency controls apply, and encryption must be compatible with lawful inspection. Contracting should allocate responsibilities among device original equipment manufacturers (OEMs), connectivity providers and cloud processors for security, breach reporting and cross‑border transfers.
Further, the CSC has published the national IoT security policy, which applies to IoT service providers and IoT manufacturers who manufacture or sell IoT devices in the UAE. In terms of IoT consumers, the national IoT security policy applies to ministries and federal authorities, and to non-government critical information infrastructure (CII) entities. In the absence of emirate-level policy, the National IoT Security Policy applies to emirate government entities.
The TDRA’s IoT policy provides that any person offering IoT services to the UAE market, irrespective of its place of establishment, management or operations, is subject to the UAE Telecommunications Law and any regulatory framework related to IoT (including the IoT policy itself).
IoT service providers must register with the TDRA. As a prerequisite, the IoT service provider must either have a local presence or appoint an official representative who is physically present within the UAE to be responsible for communication with the TDRA (and other law enforcement agencies in the UAE).
Other compliance challenges include satisfying the TDRA IoT policy’s data classification and residency controls, particularly for government data. As the sale of eSIMs is a regulated activity requiring a licence, there need to be appropriate arrangements for local licensed telecommunications service providers.
Effective governance includes a data inventory and mapping for device and user data. Data protection impact assessments (DPIAs) for high‑risk use cases such as biometrics or children’s data, secure‑by‑design procurement with life cycle patching and key management, incident response aligned to PDPL and sector timelines, third‑party risk management for integrators and cloud back-ends, and contract matrices that define roles (controller/processor), instructions, sub‑processor approvals and cross‑border safeguards are needed. Internal accountability should be clear, with board‑level oversight for critical deployments and regulator‑ready documentation.
Data sharing must have a PDPL legal basis, be purpose‑limited and minimised and, if cross‑border, use adequacy or appropriate safeguards. Contracts should define the sharing purpose, security, sub‑processing limits and audit rights. Government data sharing follows emirate‑level open‑data and inter‑agency policies. Lawful disclosure to competent authorities must be honoured. For telecom‑related sharing, TDRA rules require confidentiality, limited use and contractual obligations on recipients. Secondary uses (such as analytics or advertising) require new legal bases and transparency. Further, the IoT regulatory policy contains data classification and data localisation requirements such that secret, sensitive and confidential data is to be stored primarily in the UAE.
All controllers and processors handling personal data in or from the UAE are directly subject to PDPL obligations. Licensed telecoms must meet TDRA‑mandated confidentiality and complaint rules. Entities holding government data are bound by government information policies. Sector entities such as banks and healthcare providers must comply with central bank and health ICT rules, which impose stricter sharing controls. Vendors and integrators act as processors and inherit contractual obligations, while group companies engaging in shared services must ensure a valid controller‑to‑controller or controller‑to‑processor basis and transfer safeguards.
Health data is tightly controlled under the federal health ICT law and generally cannot be stored or processed offshore without approval. Children’s data, biometric data and other sensitive categories demand heightened diligence, DPIAs and enhanced transparency under the PDPL. Government data typically must remain onshore unless authorised, and financial data is subject to central bank confidentiality and security rules, including breach notification and record‑keeping requirements.
Under the new Child Digital Safety law, digital platforms operating within the UAE or targeting users in the UAE are restricted from collecting, processing, publishing or sharing personal data of children under the age of 13, except after fulfilling and verifying certain prescribed requirements.
UAE audiovisual media services are regulated under Federal Decree‑Law No 55 of 2023 on Media Regulation and its Executive Regulations (effective 31 October 2024), supervised by the UAE Media Council and, where applicable, local competent authorities. Radio/TV broadcasting, internet protocol television (IPTV), video on demand, streaming and other electronic/digital media are licensable media activities, as entities delivering content into the UAE are in scope. Licensees must meet national media content standards, implement age classification, and comply with advertising and influencer rules. Non‑compliance can attract administrative fines up to AED2 million, suspension or licence revocation. Video‑sharing and streaming platforms are treated as electronic/digital media: if they conduct licensable activity in or into the UAE, they must align with licensing, content and ad disclosure requirements. Platforms without a licensed UAE presence remain subject to content blocking via the TDRA’s internet access management policy.
Authorisation is obtained electronically from the UAE Media Council or the relevant emirate authority. Applications are reviewed if complete within short administrative timelines specified in the Implementing Regulations (three working days for licence issuance where terms are met), and applicants must satisfy ownership/fitness criteria, content standards undertakings and any required approvals. Fees are set by Cabinet Resolution No 41 of 2025 on Media Services Fees and vary by activity and duration. By way of example, cinema venue licences range from AED60,000 to AED100,000 on initial issuance, with lower annual renewals, and there are defined fees for producing or distributing films, audio/video media and video games. The regulations also require deposits for certain outlets (eg, AED50,000 for newspapers and AED20,000 for some other media), separate permits for specific activities (such as social media advertising) and classification approvals for films, games and other content. Media free zones handle their own licensing and fee schedules, but federal content standards and national criminal laws apply, and activities conducted outside a free zone’s geographic limits are subject to onshore rules.
In the UAE, “telecommunications services” and “regulated activities” cover operating a public telecommunications network, supplying telecommunications services to subscribers and selling telecommunications services. These activities require a TDRA licence under the Telecom Law and licensing regulations. Public fixed and mobile connectivity, public networks and use of spectrum sit squarely in scope. Voice over internet protocol (VoIP) offered to subscribers is treated as a telecommunications service and, absent an exemption, requires authorisation under the TDRA’s VoIP policy. By contrast, most over‑the‑top apps are not licensed as telecom services, but must still comply with content, cybercrime and consumer rules. Any device that connects to UAE networks must obtain TDRA type approval before market entry and meet applicable UAE/Gulf Cooperation Council (GCC) technical standards for radio frequency (RF), electromagnetic compatibility (EMC), safety, specific absorption rate (SAR) and labelling. Importers or local representatives must be registered with the TDRA. IoT/M2M modules must also comply with TDRA policies on numbering, SIM provisioning and registration, and products integrating licensed radio must pass conformity assessment prior to sale.
Security obligations are embedded in licences and TDRA regulations. Operators must implement cybersecurity controls proportionate to risk, protect the confidentiality and integrity of subscriber information, and maintain lawful interception, emergency services access and outage resilience. They must support government blocking of illegal services and content, adhere to unsolicited communications and spam controls, and follow TDRA consumer protection requirements on transparent advertising, accurate billing, complaint handling and service quality. In practice, the TDRA expects documented information security management, incident reporting and co-operation with competent authorities, and technical and organisational measures that reflect the criticality of telecom infrastructure.
In the UAE, there are no formal net neutrality regulations like those in the EU or USA.
No response has been provided in this jurisdiction.
The key regulation that allows and governs the use of e-signatures in the UAE is Federal Decree-Law No 46 of 2021 on Electronic Transactions and Trust Services (ETTSL). The ETTSL introduces legal concepts into UAE law that are similar to the European eIDAS Regulation to promote legal certainty in electronic interactions.
Although there are no longer express sectoral restrictions on the use of electronic signatures, and court judgments show that electronic signatures are generally accepted, in order to ensure the validity and enforceability of electronic signatures in a particular context/transaction, businesses should use their commercial judgement on a case-by-case basis to determine what would be the most appropriate electronic signature for a particular contract or agreement.
The three categories of electronic signatures under the ETTSL are “simple electronic signatures”, “reliable electronic signatures” and “qualified electronic signatures” – with reliable electronic signatures having a higher probative value than simple electronic signatures, and qualified electronic signatures in turn having the highest probative value.
The TDRA has not yet licensed any trust service provider under the ETTSL. However, CSPs, which were licensed under Federal Law No 1 of 2006 concerning e-Transactions and e-Commerce, continue to be valid on a transitional basis.
For completeness, each of the two financial free zones in the UAE, namely the ADGM and the DIFC free zones, has its own laws on electronic signatures, which specifically apply to companies in the DIFC and the ADGM (due to their limited geographical scope).
The UAE regulates “gaming” along two tracks. First, video games and esports are treated as media and fall under Federal Decree‑Law No 55 of 2023 and its Executive Regulations, supervised by the UAE Media Council. Developers, publishers and distributors must obtain appropriate media licences or permits where activities are conducted in or into the UAE, comply with national content standards and implement age ratings/classification for games. Advertising and influencer promotions must be truthful, clearly disclosed and culturally compliant. Prohibited content can be blocked via the TDRA’s internet access management policy. In‑game purchases are governed by the Consumer Protection Law and its 2023 Regulations (accurate pricing, Arabic disclosures, refunds/repairs for defects), and unlawful content or conduct engages the cybercrime regime. There is no standalone loot‑box statute, as mechanics resembling gambling risk enforcement under general prohibitions.
Second, gambling (“commercial gaming”) is a distinct, newly regulated sector. The federal General Commercial Gaming Regulatory Authority (GCGRA), established in September 2023, holds exclusive jurisdiction to regulate, license and supervise commercial gaming nationwide, including a national lottery, internet gaming, sports wagering and land‑based gaming facilities. Operating or facilitating commercial gaming without a GCGRA licence is illegal. The GCGRA’s evolving framework requires the licensing of operators, vendors and key persons, and imposes responsible gaming obligations, AML/CFT controls, technical standards and ongoing supervision. Individual emirates retain discretion on whether licensed activities may operate locally. Industry codes are embedded in these regimes: the Media Council’s content and age rating standards for video games, and the GCGRA’s responsible gaming and technical standards for licensed gambling.
The UAE runs gaming through a dual track: video games are regulated as “media” under Federal Decree‑Law No 55 of 2023 (licensing/permits, national content standards and mandatory age‑ratings), while “commercial gaming” (gambling) is overseen federally by the GCGRA. This layering creates practical friction for global publishers and platforms around Arabic language compliance, UGC moderation according to UAE content standards and emirate‑by‑emirate implementation. Uncertainty persists on chance‑based monetisation: there is no standalone loot‑box statute, as stated in the foregoing, and mechanics that resemble gambling risk enforcement under criminal law unless authorised by the GCGRA. Cross‑border operators also face TDRA internet blocking for non‑compliant content, strict ad/promotions rules and consumer law exposure for digital goods.
In the UAE, the following financial regulations address virtual currency “points” or “bucks”, which have become a commonplace offering in online gaming:
App or game developers that offer users the ability to purchase in-game currencies and digital goods may inadvertently find that they are subject to these laws.
The UAE Media Council operates a mandatory age classification system for video games and enforces national media content standards that prohibit, among other things, content offensive to religion, national symbols or public morals, and require culturally compliant advertising and influencer disclosures. Distributors must obtain the appropriate media licences/permits and secure age rating/classification before release in or into the UAE. Non‑compliance can lead to fines, suspension, licence revocation and ISP blocking. Platforms hosting UGC are expected to moderate to these standards for content accessible in the UAE.
Please refer to 9.1 Regulations.
UAE social media is governed by the federal media framework and cross‑cutting laws rather than a single platform statute. Federal Decree‑Law No 55 of 2023 and its Executive Regulations require licensing or permits for media activities carried out in or into the UAE, impose national content standards and mandate clear advertising and influencer disclosures. The UAE Media Council supervises licensing, age ratings and enforcement. The TDRA’s internet access management policy enables blocking of prohibited content, while the cybercrime law criminalises impersonation, privacy invasions and the spread of rumours or false news. Personal data use on platforms must comply with the PDPL (lawful bases, transparency, rights, security and cross‑border transfer safeguards). Consumer protection rules apply to social commerce, requiring truthful Arabic disclosures, accurate pricing, compliant invoices and fair complaint handling. These instruments function as the de facto “codes of conduct”, complemented by regulator guidance on ethics and disclosures.
Key legal challenges include:
Age restrictions arise via mandatory age classification for media content and platforms’ duty to prevent minors from accessing inappropriate material. IP risks concentrate on takedowns and liability for infringing or synthetic content.
Cybersecurity obligations focus on robust security, incident response and co-operation with competent authorities. Platforms that advertise, sell or facilitate the provision of services to UAE consumers must also meet consumer law duties and be prepared for administrative enforcement by the Media Council, TDRA co-ordination in relation to blocking and complaints to the Data Office for privacy breaches.
Primary Regulators
The UAE Media Council licenses media activities (including influencer advertising), sets and enforces national content standards and now operates the Advertiser (Mu’lin) Permit. The TDRA enforces the internet access management policy and can direct ISPs to block prohibited content. The Federal Public Prosecution and police enforce the cybercrime law and the UAE Data Office oversees PDPL compliance for personal data on platforms. In Abu Dhabi, the Abu Dhabi Department of Economic Development (ADDED) enforces the separate trade licence requirement for influencers.
Enforcement Powers
The Media Council can require permits, order takedowns, impose significant administrative fines and suspend or revoke licences/permits. The TDRA can block content and require licensees’ co-operation. Public prosecution can bring criminal cases for offences such as spreading rumours, impersonation and privacy invasion, with fines and imprisonment. The Data Office can investigate, order remediation and impose administrative measures for PDPL breaches. ADDED can fine unlicensed influencer activity.
Recent Enforcement
In 2025, authorities referred social media users to public prosecution for violating media and cybercrime laws. The Media Council began active, real‑time monitoring tied to the new Advertiser Permit and issued warnings and penalties for unlicensed or non‑compliant promotions, and ADDED fined influencers and businesses (up to AED10,000) for operating without the required Abu Dhabi trade licence, while platforms and creators faced content removal and blocking for breaches of national content standards.
UAE telecom providers must comply with the federal PDPL, which requires a lawful basis, clear Arabic‑facing transparency, data minimisation, security by design, data subject rights handling and controls on cross‑border transfers via adequacy or contractual safeguards. In sector‑specific terms, TDRA licence conditions and regulations mandate confidentiality of subscriber information, accurate billing and complaint handling under the TDRA Consumer Protection Regulations, security obligations proportionate to risk, incident co-operation, emergency service access, and lawful interception and retention measures directed by competent authorities.
Direct marketing typically requires opt‑in consent and compliance with anti‑spam/telemarketing rules. Where processing touches health or financial data, stricter localisation and outsourcing controls apply under sector rules, and entities operating in the DIFC/ADGM must also meet those GDPR‑style data protection regimes.
The UAE Cabinet established the CSC in 2020 with the aim of developing a comprehensive cybersecurity strategy and creating a safe and strong cyber infrastructure in the UAE. The CSC recently updated (in September 2025) its critical information infrastructure (CII) protection policy. Digital infrastructure is a critical sector under the policy, and it specifically applies to telecommunications service providers.
Central Park Towers Level 7
Dubai International Financial Centre
PO Box 9275
Dubai
UAE
+971 4 364 1641
info@tamimi.com www.tamimi.com
Training AI Models Across Borders: Data Rights, IoT Localisation and UAE Pathways to Compliance in 2026
Artificial intelligence (AI) is playing a pivotal role in the UAE economy. The internet of things (IoT) is no longer a novelty in gadgets but a deep part of critical infrastructure. For businesses operating in the United Arab Emirates that are adopting these technologies, the regulatory terrain can feel like it is shifting underfoot. The UAE has not stood still. It has launched institutions and policies that aim to put the country at the forefront of AI governance. These include the world’s first AI-enabled Regulatory Intelligence Office (within the Cabinet) in April 2025, the UAE Charter for the Development and Use of Artificial Intelligence and the National Strategy for Artificial Intelligence 2031.
This article focuses on practical, contract-ready, cross-jurisdictional solutions built around three pillars. First, lawful model training inputs, including rights, opt-outs and data provenance. Second, the mechanics of cross-border transfers under the Personal Data Protection Law (PDPL), and the free zone regimes in the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). Third, real-world IoT rules under the Telecommunications and Digital Government Regulatory Authority (TDRA) that shape local analytics and model retraining.
These pillars sit alongside principles that can clash with how AI teams like to work. Purpose limitation and data minimisation are cornerstones of modern data protection laws. AI models thrive on broad, reusable datasets. The art now is to design for both.
Part I: model training in 2026
AI in 2026 can act with a degree of independence. Processing no longer lives only in large data centres. It happens in the cloud and on devices. Models train and optimise on multiple data types, from text and images to audio and sensor streams. The UAE has responded by putting institutional structure around AI. The practical result is that lawful inputs and clear data provenance now drive compliance confidence and commercial value. If you cannot explain where the data came from and why you were allowed to use it, your deal will slow down or stall. Data sourcing is now central to every AI transaction.
Define training use with precision
Contracts that govern AI development should define training use in a way that removes doubt. The definition should cover initial model training, fine-tuning for specific tasks, using interactions or feedback to improve responses and converting inputs into formats the system can process. This avoids arguments later about whether a vendor went beyond the rights granted.
The PDPL’s purpose limitation principle matters here. Personal data must be collected for clear purposes and not used in ways that conflict with those purposes. If a dataset was collected for customer support, do not assume you can recycle the entire corpus for unrelated AI training. If you want to reuse it, capture a lawful basis for that reuse. If you cannot, do not.
Handle content types with care
Different content types carry different legal concerns. Licensed professional content may restrict derivative works. Read the licence and assume a court will too. User-generated content raises consent and withdrawal issues. Terms of service should be clear, and opt-outs need to work in practice, not just on paper. Enterprise data should be checked for confidentiality obligations that arise under Federal Decree Law No 33 of 2021 Regulating Labor Relations. Where IoT devices and sensors are involved, data must be classified under the TDRA framework as “open”, “confidential”, “sensitive” or “secret”, because classification affects where that data can live and how it can move.
Where raw personal data cannot be exported, synthetic data can offer a compliant pathway. It must be truly synthetic. If there is a realistic risk of re-identification, you are back in personal data territory, and the same rules apply.
Make training licences do real work
A robust training licence should not be a one-liner. It should address several key elements in plain terms. These include the scope of the grant for training, evaluation, deployment and retraining. It should reflect territorial realities and the UAE’s multi-regime landscape. It should address sublicensing for cloud infrastructure and subcontractors. It should deal with ownership and reuse of AI-generated outputs, given that some outputs may qualify as protected works under Federal Decree Law No 38 of 2021 if they are sufficiently innovative. It should also set out what happens if the licence ends, including whether and how the model will be retrained or scrubbed to remove the influence of the licensed data.
Respect third-party and personality rights
Training datasets often contain third-party rights. Music, photographs and video involve copyright and moral rights. Training on identifiable individuals raises personality rights concerns. The UAE’s Deepfake Guide of 2021 reflects public policy expectations about manipulated media. Even when the guidance is not binding law, it shapes how people judge acceptable use. Keep that in mind when you plan marketing content that mixes synthetic media with real identities.
Elevate protection for sensitive personal data
The PDPL treats certain categories of personal data as sensitive. This includes information about family background, ethnicity, religious or political beliefs, criminal record, biometrics, health, genetics and sexual life. Processing these categories requires heightened protection. If you do not need them, do not collect them. If you do need them, be prepared to explain why and to show the controls you have in place.
Treat transparency as a baseline
Transparency is not a “nice to have”. Under the UAE Charter, transparency, accountability and human oversight are guiding principles. Maintain records of what data was used, where it came from and how it was processed. Document the systems you use to filter out excluded content. The PDPL gives individuals the right to stop processing for direct marketing, including profiling. That right requires an actual technical response. Your pipeline needs to find and exclude opted-out content, not just promise to do so later.
Align vendor risk and reality
Vendor contracts should combine intellectual property and privacy protections so that claims arising from training data are covered. Vendors should confirm that their data was lawfully collected and suitable for training. Customers should have audit rights to verify those claims. Where vendors commit to fix problems, including removing the influence of tainted data from trained models, those commitments must be technically achievable. If unlearning is not feasible, do not promise it. All terms should align with cloud and AI platform rules on processing locations and transfers, or you will create conflicts that cannot be resolved in practice.
Part II: UAE cross-border transfers
The UAE has three main data protection regimes.
The three frameworks at a glance
The PDPL applies to organisations that handle personal data of people located in onshore UAE, regardless of where the organisation is based, subject to limited exceptions. The DIFC Data Protection Law applies to entities processing personal data within or through the DIFC. The ADGM Data Protection Regulations apply to ADGM-registered entities and those whose processing is directly linked to ADGM-based revenue.
PDPL cross-border mechanics
Federal Decree Law No 45 of 2021 establishes the mainland framework and envisages executive regulations for full enforcement. The PDPL excludes government data, data processed by government or security authorities, personal health data and personal banking data. Those categories are governed by sector-specific legislation. The UAE Data Office is the federal regulator.
Articles 22 and 23 set out cross-border rules. Where the recipient jurisdiction offers protection comparable to the UAE, or where a bilateral agreement exists, transfers may proceed with Data Office approval. Without adequacy, Article 23 allows transfers that rely on binding contractual safeguards, explicit consent that does not conflict with public interests, contractual necessity, legal claims, international judicial co-operation and public interest grounds. The message is simple. Document your route and match it with appropriate safeguards.
DIFC regime
DIFC Data Protection Law No 5 of 2020 aligns with GDPR-style standards. Amendments effective on 8 July 2025 expanded the scope, introduced private rights of action before the DIFC courts and tightened requirements, including mandatory data protection impact assessments (DPIAs), annual data protection officer (DPO) assessments and stricter transfer rules. DIFC maintains an adequacy list. Where adequacy is not available, standard contractual clauses (SCCs) provide a mechanism. Many organisations combine multiple tools, for example, SCCs plus encryption and access controls, to support compliant training and analytics across borders. Enforcement activity has increased in recent years, with the DIFC Commissioner of Data Protection issuing a growing number of administrative fines for non‑compliance, particularly for failures to meet baseline accountability and notification obligations, and the 2025 amendments are expected to further drive enforcement through both regulatory action and private compensation claims before the DIFC courts.
ADGM regime
The ADGM Data Protection Regulations 2021 carry fines of up to USD28 million. Enforcement is not theoretical. In May 2024, Okadoc Technologies received a USD20,000 penalty for failing to comply with an access request. In June 2023, Venture Rock received direction for security deficiencies. High-risk processing triggers DPO appointments and DPIAs. Controllers must report breaches within 72 hours.
Localisation that shapes architecture
Sector-specific rules can govern the architecture more than any contract ever will. Federal Law No 2 of 2019 Concerning the Use of the Information and Communications Technology in Health Fields restricts storing, processing or transferring electronic health data outside the UAE unless the Health Authority authorises it. The central bank’s consumer protection standards require licensed financial institutions to store customer data in the UAE. The Retail Payment Services and Card Schemes Regulation mandates UAE storage, with five-year retention for relevant records. The TDRA IoT policy expects confidential, sensitive and secret data to be primarily stored in the UAE unless recipient jurisdictions meet UAE standards. Government data must remain in the UAE without exception.
The practical impact is that health and payment systems must be designed as UAE-first. If you plan to train models offshore, you will need to work with anonymised extracts or synthetic datasets. Encryption with keys held in the UAE can help with offshore processing of non-restricted elements, but only where the law allows. If the rule says the data stays, then it stays.
Part III: IoT in the UAE
The TDRA Regulatory Policy on the Internet of Things from 2018, and the IoT Procedures from 2019, set the rules for how IoT data is collected and used for AI. The objectives are clear: secure services, innovation, wise management of resources, protection of user rights and transparency.
Who is in scope
The framework applies to telecommunications providers, and to IoT service providers offering services to UAE users. It also applies to users, including individuals, businesses and the government. Crucially, it captures foreign providers that remotely offer services to UAE customers. All IoT service providers must register and obtain certificates before they begin. Non-UAE providers must establish a local presence or appoint a UAE-based representative.
Connectivity and devices
Physical subscriber identity modules (SIMs) and embedded SIMs (eSIMs) are permitted. Soft SIMs require prior TDRA approval. Equipment must comply with type approval regulations. Providers must disclose data collection features and incorporate security by design. These are not box-ticking steps. They are reviewed, and they matter when you want to scale.
Mission-critical services
Some services will face additional requirements because failure may affect health, safety or national security. If you are in that category, build time into your plan for additional controls and reviews. This is not the place for shortcuts.
Classification and localisation
IoT data classification uses the four-tier system. Open data may be stored in the UAE or abroad. Confidential, sensitive or secret data relating to individuals and businesses must primarily be stored in the UAE unless recipient jurisdictions meet standards equivalent to those in the UAE. Government data under these classifications must remain in the UAE without exception. The TDRA treats personal data as secret data. That single sentence tells you why many successful IoT programmes lean heavily on local processing and careful export of only model improvements or summaries.
Design patterns that pass review
Organisations face critical design decisions. Processing data locally on devices or on company premises can satisfy localisation while still allowing model improvements, summarised insights or open data to be exported. Federated learning allows models to improve without pooling raw data, by training locally and sending only updates rather than underlying data. Anonymised, sampled or synthetic datasets can support lawful offshore research and development. Anonymisation must be truly irreversible. Sampling can create smaller open datasets. Synthetic data can mirror statistical patterns without containing personal data, but only if it is properly generated and tested.
Cybersecurity expectations
The National Policy for IoT Security, the National Cloud Security Policy and the Cybersecurity Strategy 2025–31 influence procurement and operations. Device certification requires disclosure of data collection features and security by design. Vulnerability reporting obligations require technical measures for inspection and co-ordination with TDRA and law enforcement. Software updates must be encrypted, verified as genuine and checked before installation. Encryption must meet specific UAE standards. Build this into your device management plan before you buy a single sensor.
Part IV: reference architectures for 2026
AI in health
The Artificial Intelligence Policy in Healthcare issued by the Dubai Health Authority sets out regulatory requirements to ensure the safe, ethical and effective use of AI technologies. The policy mandates compliance with international, federal and Dubai-specific data protection and medical standards. It emphasises principles such as patient safety, transparency, accountability, privacy and human oversight. AI systems must support – not replace – clinical decision-making and must undergo independent validation, risk assessment and clear disclosure of functionality.
Start by storing all electronic health data in the UAE. Use carefully anonymised extracts for offshore experimentation only where there is no realistic risk of re-identification. If you need to export data in a way that falls outside standard exemptions, seek Health Authority authorisation. Train offshore, if allowed, then import model improvements back to update the UAE-based systems. This creates a clean separation between offshore research and onshore live systems that serve patients.
DIFC-based AI programmes
Follow an adequacy-first approach for transfers. Where there is no adequacy, use DIFC standard clauses and pair them with real due diligence on recipients. Look at the recipient’s privacy controls, security measures and exposure to government access requests. Use strong encryption with keys held in the UAE. Document protocols for public authority requests. This is no longer exotic. It is table stakes for serious programmes.
Industrial IoT operations
Register devices and services with the TDRA before launch. If systems are mission critical, expect extra requirements. Process confidential, sensitive and secret data locally. Perform initial analysis on devices. Consolidate insights onshore on a regular schedule. Export only open or transformed data for global model improvement. This produces quicker wins than fighting localisation at every turn.
Part V: governance and contracting checklist
Good governance is the quiet engine of AI compliance. It is not glamorous, but it gets deals done faster and calms regulators.
Map the data and classify it
Map all data across mainland, DIFC and ADGM operations. Record where it comes from, why you use it, where it is stored, who can access it and where it flows across borders. Classify data under privacy law categories and IoT tiers. Where two systems apply, use the strictest classification. Under the PDPL, maintain records that cover the controller and DPO, categories of data, access rights, retention, purposes, transfers and security measures.
Choose transfer mechanisms and document the choice
Selection is not enough. Write a short note for each route. For the PDPL, explain why you rely on consent, necessity or contractual safeguards. For the DIFC, show your adequacy check and attach SCCs if used. For the ADGM, verify adequacy, standard clauses or binding instruments. Add a risk summary that addresses access by public authorities and what you did about it.
Assess risks and add safeguards
Risk assessments should evaluate protections at the recipient and identify gaps. Supplementary measures can include encryption, access restrictions, segregation of duties, key management in the UAE and notification obligations. These are not optional extras. They are part of a credible story you can present to clients and regulators.
Lock down training data rights
Contracts should explicitly cover training uses, permitted purposes, geographic restrictions and rights to share with subcontractors. Build opt-out handling into the pipeline. Keep documentation that traces each dataset to its source and records the legal basis and processing history. Be honest about what you can do technically. If your model cannot forget a specific record, do not sign a clause that says it can.
IoT compliance steps
There are a few predictable steps that should appear in every IoT plan. Register before service provision. Determine whether your systems are mission critical. Obtain type approval and soft SIM approval where needed. Implement encryption that meets UAE standards. Write and test incident response procedures that co-ordinate with the TDRA and law enforcement.
Security standards that matter
Encrypt data at rest and in transit. Keep encryption keys in the UAE for cross-border transfers. Limit access based on job roles and implement time-bound privilege elevation. Log activities to detect unusual behaviour. Under the PDPL, technical and organisational safeguards should match the nature, scope and risk of processing.
Breach readiness across regimes
Different regimes have different expectations, but the mindset is the same. Under the PDPL, prepare for prompt notification to the UAE Data Office, subject to executive regulations. DIFC expects reporting without delay. ADGM requires notification within 72 hours. Your response plan should address containment, scope assessment, notification and remediation. Practise your plan. You will discover gaps that only a rehearsal can reveal.
Manage third parties like they are part of your system
You remain accountable for what your vendors do with data. Contracts should require equivalent protection and ban additional subcontractors without approval. Reserve audit rights that cover security, access controls, incident response and vendor management. Specify where processing will occur and require notice of any change. If your vendor cannot or will not commit, do not pass the risk to your customers.
Part VI: common pitfalls and board-level actions
Pitfalls to avoid
The first pitfall is thinking that choosing a UAE cloud region is the same as localisation. It is not. Backups, logs, telemetry and performance tools may move data. Healthcare and government IoT data must remain in the UAE without exception. Map actual flows and verify configurations.
The second pitfall is overreliance on consent. The PDPL does not expressly require consent to be freely given, which leaves power imbalance scenarios open. The DIFC and ADGM require freely given consent. Sector rules that require Health Authority or central bank approval cannot be swapped out for consent. Choose the right lawful basis for the context.
The third pitfall is promising to remove data from trained models without the technical ability to do so. Many AI systems cannot selectively erase the influence of specific training data. Make sure commitments match what you can actually do.
Board actions for 2026
Boards can do four simple but powerful things. First, approve a company-wide standard for data transfers that covers the PDPL, DIFC and ADGM. The standard should explain how to choose mechanisms, assess risks, add safeguards and document decisions. Second, adopt a training data policy that requires explicit authorisation, provenance records, opt-out filtering and supplier confirmations. Third, invest in UAE-based infrastructure for health, payments and critical IoT. That spend pays off in resilience and smoother approvals. Fourth, run practice scenarios for regulatory or government data requests. Pressure testing beats guesswork.
Conclusion
AI and the IoT are converging with a maturing UAE data protection landscape. The result is a challenge and an opportunity. The country has shown AI leadership through strategy, institutions and ethical frameworks. The winning approach now is proactive governance, not reactive compliance. If you secure the right to use training data, implement transfers that stand up under each regime and design systems that respect IoT localisation from the start, you can move fast and stay compliant. This is what good looks like in the UAE in 2026. It is not slower. It is smarter.