The United Arab Emirates (UAE) has solidified itself as a global digital hub in the international community. UAE has an extensive internet infrastructure characterized by high connectivity, a well-developed domestic cybersecurity policy framework, and a strong preference for an internet sovereignty approach over cyberspace. With near-universal internet penetration (99%)[1] and 17 developed undersea connection cables landing across five locations[2], the UAE has positioned itself at the forefront of digital infrastructure. However, this rapid digital expansion is accompanied by stringent government oversight, extensive surveillance, and restrictive cyber laws. The UAE’s approach to international internet governance aligns with an internet sovereignty model, prioritizing national control over digital spaces while selectively engaging in multilateral cybersecurity initiatives.
UAE’s Internet Landscape
The UAE’s internet landscape is one of the most advanced in the world. The country boasts 17 submarine cables, three Internet Exchange Points (IXPs)2, and 100% 4G network coverage[3], ensuring seamless connectivity across urban and rural regions. State-owned telecom giants like Etisalat (e&) dominate the market, reinforcing the government’s centralized control over digital infrastructure. Connectivity is only positioned to grow, as three more cables are being constructed in the region. Cables in the UAE connect to a total of five landing points, some being exclusively domestic, like the Sir Abu Nu’ayr cable connecting Sharjah and Sir Abu Nu’ayr island, owned solely by Etisalat UAE[4]. The largest of these landing points are Fujairah with 14 connecting cables and Dubai with three connections2.
Social media platforms such as WhatsApp and Facebook are widely used[5], though often subjected to surveillance and regulation. Authorities routinely block websites and VoIP services, leading the online media to lack diversity[6]. While the country’s technological infrastructure is robust, its highly regulated cyberspace limits online freedom and fosters self-censorship [6].
Domestic Cybersecurity Policy Frameworks
The UAE has a sophisticated cybersecurity policy framework driven by national security priorities. The Cyber Security Council, Signals Intelligence Agency (SIA), and Telecommunications and Digital Government Regulatory Authority (TDRA) oversee cybersecurity initiatives. The Cyber Security Council is the largest organization, responsible for overseeing national cybersecurity policies and coordinating defensive efforts[7]. The SIA, formerly known as NESA, secures critical infrastructure and conducts intelligence operations[8]. Along with the TDRA, who plays a critical role and oversees cybersecurity standards in the civilian sector, telecom operators (Etisalat and du) and manages aeCERT, the UAE’s national Computer Emergency Response Team[9].
Domestic policy has made strides towards mandating the complexities of the digital world. These mandates often showcase the UAE’s preference towards state sovereignty. Regarding the cyber sphere regulation like the Federal Decree Law No. 34 of 2021 on Combating Rumors and Cybercrimes and Federal Decree-Law No.45/2021 Personal Data Protection Law (PDPL), aim to set standards for criminalizing cyber offenses, but these regulations have showcased a duality as they severely limit online speech, reinforcing state control[10][11]. The UAE employs advanced surveillance technologies and has invested in offensive cyber capabilities through initiatives like Project Raven who engage in cyber espionage against foreign leaders, journalists, and activists [12]. Data protection laws, such as the PDPL, while modeled after global standards like GDPR, contain broad exemptions that allow the UAE government to access personal data. Notably, government data and information already governed by sector-specific laws (such as health data) are not covered by the PDPL [10][6].
The Federal Decree-Law No. 34 of 2021 on Combating Rumors and Cybercrimes is the UAE’s primary cybercrime legislation criminalizing hacking, unauthorized access, and data breaches, with severe penalties for cyberattacks on government infrastructure. It also enforces strict regulations on online speech, making the spread of false information, defamation, or criticism of the government punishable by imprisonment and fines [11]. While the UAE’s cyber laws are designed to enhance national security, they also restrict digital freedoms and enable extensive state-led monitoring of online activities, prioritizing state control over individual digital rights.
Orientation to International Internet Governance
The UAE has strongly advocated an internet sovereignty approach, advocating for state-led governance while selectively engaging in international cybersecurity discussions. It actively participates in the UN Group of Governmental Experts (UN GGE)[13] and Open-Ended Working Group (OEWG)[14], emphasizing the need for international collaboration on cyber threats while upholding national sovereignty. The UAE also supports the Paris Call[15] but has not joined the Budapest Convention[16], reflecting its reluctance to adopt externally imposed regulations. Regionally, it leads Gulf Cooperation Council (GCC) cybersecurity initiatives, reinforcing a state-driven governance model[17]. While the UAE engages in multi-stakeholder forums like ICANN[18] and the Internet Governance Forum (IGF)[19], its participation is primarily strategic, advocating for global cyber norms that align with its national interests[20]. Supporting multilateral approaches to combat cybercrime while ensuring that these do not infringe on state sovereignty.
Policy Recommendations for U.S. Engagement
A balanced approach toward the UAE is the most pragmatic and should be the path forward. It is undeniable that the UAE is both a valuable cybersecurity partner and a regional power with growing offensive cyber capabilities, but the UAE itself is caught in duality, striving to become a global digital hub while maintaining rigid state control over its cyber infrastructure. On one hand, it invests heavily in cybersecurity advancements, data protection frameworks, smart infrastructure, and international cooperation to bolster resilience against cyber threats. Yet, on the other, its strict surveillance laws, restrictive internet policies, and offensive cyber operations challenge global norms on digital rights and transparency.
Current administrative priorities should align on some key principles, a strong bilateral relationship, national security, and economic interests over concerns about digital rights. In this regard, US engagement with the UAE should likely focus on shared security threats and strategic multilateral cooperation. This is more pressing considering growing geopolitical tensions in the region over Iran. Iran remains a primary cyber threat to both the U.S. and UAE, engaging in cyber espionage and attacks on financial and energy sectors. Given increasing geopolitical tensions, strengthening intelligence-sharing and cyber defense collaboration with the UAE is crucial. Integrating UAE cyber capabilities into joint counterterrorism and intelligence frameworks would enhance regional cybersecurity while ensuring alignment with U.S. defense strategies.
Rather than challenging the UAE’s domestic surveillance policies, the U.S. may pragmatically focus on countering shared threats through expanded military and intelligence cooperation. Encouraging UAE participation in interoperable cybersecurity frameworks and multilateral initiatives, such as the Paris Call for Trust and Security in Cyberspace, can help shape global cyber norms without infringing on the UAE’s sovereignty-first approach. The UAE is housed in a fragmented region, and at this pivotal time, it is vital to not foster anymore fragmentation.
A strategic partnership with the UAE should balance cybersecurity cooperation, economic interests, and regional stability while managing risks related to digital authoritarianism and offensive cyber capabilities. By reinforcing collaboration against Iranian threats and shaping multilateral engagement, the U.S. can secure its cybersecurity priorities without directly challenging the UAE’s internal policies.
Sources
[1] Simon Kemp, “Digital 2024: The United Arab Emirates – DataReportal – Global Digital Insights,” DataReportal, February 21, 2024, https://datareportal.com/reports/digital-2024-united-arab-emirates
[2] TeleGeography, Submarine Cable Map, accessed February 5, 2025, https://www.submarinecablemap.com/submarine-cable/europe-india-gateway-eig
[3] World Bank, “Access to Electricity (% of Population) – Middle East & North Africa,” World Bank Open Data, 2023, https://data.worldbank.org/indicator/EG.ELC.ACCS.ZS?locations=ZQ
[4] Etisalat, “Etisalat Corporation,” Etisalat, accessed February 8, 2025, https://www.etisalat.ae/en/etisalat-corporation.html
[5] Ankita Srivastava, “Social Media in UAE: Popular Trends and Strategies,” Sprinklr, February 3, 2025, https://www.sprinklr.com/blog/social-media-in-uae/
[6] Freedom House, “United Arab Emirates: Freedom on the NET 2024 Country Report,” Freedom House, accessed March 1, 2025, https://freedomhouse.org/country/united-arab-emirates/freedom-net/2024
[7]UAE, “UAE Cybersecurity Council: The Official Portal of the UAE Government,” UAE Cybersecurity Council | The Official Portal of the UAE Government, accessed March 2, 2025, https://u.ae/en/information-and-services/justice-safety-and-the-law/cyber-safety-and-digital-security/uae-cybersecurity-council
[8] Christy Cherian, “NESA Standard Ensures Security of UAE’s Cyberspace,” Tripwire, accessed March 3, 2025, https://www.tripwire.com/state-of-security/nesa-standard-ensures-security-of-uaes-cyberspaceF
[9] TDRA, “TDRA Recognized as The First Government Entity Providing Sovereign Cloud Services in the Region,” TDRA, May 7, 2022, https://tdra.gov.ae/en/media/press-release/2022/tdra-recognized-as-the-first-government-entity-
[10] UAE, “Data Protection Laws: The Official Portal of the UAE Government,” Data protection laws | The Official Portal of the UAE Government, accessed March 1, 2025, https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws
[11] UAE, “Law on Combatting Rumours and Cybercrimes: The Official Portal of the UAE Government,” Law on combatting rumours and cybercrimes | The Official Portal of the UAE Government, accessed March 8, 2025, https://u.ae/en/information-and-services/justice-safety-and-the-law/cyber-safety-and-digital-security/law-on-combatting-rumours-and-cybercrimes
[12] Christopher Bing and Joel Schectman, “Exclusive: Ex-NSA Cyberspies Reveal How They Helped Hack Foes of UAE,” Reuters, January 30, 2019, https://www.reuters.com/investigates/special-report/usa-spying-raven/
[13] United Arab Emirates Mission to the United Nations. (2022, November 16). UAE Statement at the UN Security Council Open debate on maintaining international peace and security: Cyber Security – Permanent Mission of the United Arab Emirates to the United Nations. Permanent Mission of the United Arab Emirates to the United Nations. https://uaeun.org/statement/uae-statement-at-the-un-security-council-open-debate-on-maintaining-international-peace-and-security-cyber-security/
[14] United Arab Emirates Mission to the United Nations. (2022a, March 21). UAE emphasizes importance of Confidence-Building measures to promote cyber stability – Permanent mission of the United Arab Emirates to the United Nations. Permanent Mission of the United Arab Emirates to the United Nations. https://uaeun.org/press_release/uae-emphasizes-importance-of-confidence-building-measures-to-promote-cyber-stability/
[15] Supporters — Paris call. (n.d.). https://pariscall.international/en/supporters
[16] Budapest Convention. (2024, February 8). Cybercrime. https://www.coe.int/en/web/cybercrime/the-budapest-convention
[17] GCC. (n.d.). https://gcc-sg.org/en/Pages/default.aspx
[18] Esmat, B. (2019). ICANN MIDDLE EAST REGIONAL REPORT FY2019. https://www.icann.org/en/system/files/files/annual-middle-east-regional-report30jun19-en.pdf
[19] Internet Governance Forum [IGF]. (2019). Internet Governance Forum: Misinformation, Responsibilities and trust. intgovforum.org. Retrieved November 23, 2024, from https://www.intgovforum.org/en/content/igf-2019-ws-85-ws-268-misinformation-responsibilities-trust-%E2%80%8E
[20] Cyber laws | The Official Portal of the UAE Government. (n.d.). https://u.ae/en/resources/laws
