Critical Information Infrastructure Protection (CIIP) is a complex but important topic for nations. Nations at large depend on Critical Infrastructure (CI) services such as energy supply, telecommunications, financial systems, drinking water, and governmental services. CI relies on information infrastructures comprising operational technologies, information and communication technologies (ICT)-based services, and connected technologies, for their functioning. Disruption of these information infrastructures can jeopardize national security and stability, economic growth, citizen prosperity, and daily life, and may have far-reaching impacts due to its inherent interconnectedness. The increased digitization in recent years has also opened the door for sophisticated and widespread cyber-attacks, ranging from malware, hackers, hacktivists, and adverse state operations, as a means for attacking critical national infrastructure. The need for effective CIIP strategies, policies, and activities therefore becomes increasingly mandatory in most nations.

The Council has established this policy to ensure a baseline measure of security and cyber resilience of its Critical Information Infrastructure (CII), aligned with the UAE’s national priority to be a global leader in cyber security, and to implement measures towards a resilient and secure cyberspace for its CII.

Governance for the CIIP Program 

Provides governance-related requirements to provide oversight and guidance to CII sectors, entities, and operators, ensuring they understand their roles and responsibilities. It also focuses on minimizing risks from third-party software and securing data from unauthorized access and tampering.
 

Risk Profile Development 

Outlines requirements to ensures entities identify critical services consistently, conduct regular risk assessments, and develop national risk profiles and improvement plans to enhance protection measures against identified risks.
 

CII Protection Program 

Outlines requirements to implement national cybersecurity requirements, address systemic risks, promote trust among CII stakeholders, and build national preparedness and response capabilities for cybersecurity incidents.
 

Assurance for the CIIP Program 

Highlights the enforcement mechanism for CIIP program requirements, measures the program's effectiveness, identifies potential issues, and promotes improvement actions. It also enables CII engagement with a trusted ecosystem for cybersecurity services and develops minimum standards for digital security in the UAE.