close icon

Critical Information Infrastructure Protection (CIIP) Policy

Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. Nations at large depend on Critical Infrastructure (CI)1services such as energy supply, telecommunications, financial systems, drinking water, and governmental services. CI rely on information infrastructures comprising of operational technologies, information and communication technologies (ICT)-based services and connected technologies, for their functioning. Disruption of these information infrastructures can jeopardize national security and stability, economic growth, citizen prosperity, and daily life, and may have far-reaching impact due to its inherent interconnectedness. The increased digitization in recent years has also opened the door for sophisticated and widespread cyber-attacks, ranging from malware, hackers, hacktivists, and adverse state operations, as a means for attacking critical national infrastructure. The need for effective CIIP strategies, policies and activities therefore becomes increasingly mandatory in most nations.

The Council has established this policy to ensure a baseline measure of security and cyber resilience of its Critical Information Infrastructure (CII), aligned with the UAE’s national priority to be a global leader in cyber security; and to implement measures towards a resilient and secure cyberspace for its critical information infrastructure.

This policy aims to strengthen the UAE’s cybersecurity posture by defining a consistent and iterative approach to identifying, assessing, and building the national risk profile across its critical information infrastructure. 

The policy will further outline the governance mechanism and the protection program for its CII entities, including the identification of CIIs, baseline requirements for the identified entities and the mechanisms for the oversight and enforcement of requirements related to CII protection.