IP Care Enterprise Service

NESA Compliance Services in the UAE

Gap assessment, audit preparation and remediation for the UAE Information Assurance Standards (formerly NESA, now under the UAE Cyber Security Council) — delivered by people who have done this before.

Overview

NESA is not optional. If you operate in a critical sector in the UAE — energy, government, banking, telecom, transport or healthcare — the Information Assurance Standards framework applies to you, whether you have started the work or not.

A quick naming note before we go deeper. The framework was published by the National Electronic Security Authority (NESA) in 2014. In 2020 NESA was absorbed into the UAE Signals Intelligence Agency (SIA), and policy responsibility now sits with the UAE Cyber Security Council. The standards themselves did not go away — they are still in force, still audited, and still universally referred to as "NESA compliance" or the "UAE Information Assurance Standards" (UAE IAS). When clients ask whether NESA is still a thing because the agency name changed, the answer is yes. The controls did not change. Only the letterhead did.

Most of the calls we get start the same way: an audit notice landed, and the internal team has 90 days to close gaps that took three years to open. We can help. But the version of this story where you are not panicking starts twelve months earlier.

IP Care delivers end-to-end NESA programmes from our Abu Dhabi office: gap assessment, remediation roadmaps, control implementation, IAS audit preparation and ongoing controls operation across financial services, government, energy, healthcare and critical infrastructure. We are not a Big Four consultancy with a templated workbook. We are a working IT and security operations company that lives inside these environments every day, which is why our remediation work is implementable instead of theoretical.

This page explains what NESA / UAE IAS actually requires, what an audit looks like, how long a real programme takes, what it costs, and how to sequence the work so the first audit becomes a routine checkpoint rather than a fire drill. If you are at the start of your compliance journey, read it through. If you have an audit notice in hand, skip to "If you have 90 days" below — we have run that play many times.

— What the framework actually is —

The UAE IAS is a tiered control framework similar in spirit to ISO 27001 and NIST 800-53, but specifically scoped to UAE critical-sector entities. It defines six management domains (M1–M6) covering governance, risk management, awareness, human resources security, compliance and performance evaluation, and nine technical domains (T1–T9) covering asset management, physical security, operations, communications, access control, third-party security, information systems acquisition and development, incident management and continuity. There are 188 controls in total, though not every control applies to every organisation — applicability is determined by your sector and your risk profile.

Each control is assigned one of four priority levels, P1 through P4, with P1 the most critical. Most audit findings cluster at P1 and P2, which is also where regulators focus enforcement attention. A defensible compliance posture means closing every P1 and P2 gap with evidence: control description, owner, frequency, last-tested date, and an artefact that proves the control actually runs.

— What the audit looks like —

NESA audits are not surprise visits. They are scheduled, often through your sector regulator (UAE Central Bank, TDRA, ADNOC GRP, FAHR depending on sector). The auditor will request evidence in advance through an Information Assurance Maturity Model (IAMM) questionnaire that scores each control on a 0–5 scale. Site visits follow, typically two to five working days for a mid-size organisation, during which the auditor walks the floor, interviews control owners and pulls sample evidence.

The most common reason organisations fail the first audit is not missing controls — it is missing evidence. Controls exist, they just are not documented, dated, owned or tested on a schedule the auditor can verify. The fix is unglamorous: an evidence repository, named control owners, calendar-driven attestation, and a quarterly internal review. We build that operating rhythm into every engagement.
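As an added example of what "missing evidence, not missing controls" looks like in practice (this is illustrative code written for this page, not IP Care's tooling or any official NESA artefact): a small Python check over a control register that flags every control an auditor could not verify from the register alone: no named owner, no testing frequency, no evidence artefact, never tested, or overdue against its own frequency. The register layout, the control identifiers, the owners and the dates are all constructed for illustration and do not reproduce the real UAE IAS control catalogue.

```python
"""Evidence-readiness check over a control register.

Added example for illustration only. The register format, the control
identifiers (e.g. "T5.2.1"), the owners and the dates are constructed and
are NOT the official UAE IAS catalogue or anyone's real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Control:
    control_id: str                 # constructed identifier, not an official IAS reference
    title: str
    priority: str                   # "P1".."P4", used only for triage ordering
    owner: Optional[str]            # named person accountable for operating the control
    frequency_days: Optional[int]   # how often the control must be tested / attested
    last_tested: Optional[date]     # date of the last evidenced test
    artefact: Optional[str]         # pointer into the evidence repository


# Constructed sample register: names, dates and paths are illustrative.
REGISTER = [
    Control("M2.1.1", "Risk assessment performed and approved", "P1", "CISO", 365, date(2024, 2, 10), "evidence/risk/ra-2024.pdf"),
    Control("T5.2.1", "Privileged access reviewed", "P1", "IAM lead", 90, date(2025, 1, 15), "evidence/iam/pam-review-q1.xlsx"),
    Control("T1.2.1", "Asset inventory maintained", "P1", None, 30, date(2025, 1, 5), "evidence/cmdb/export-jan.csv"),
    Control("T9.1.1", "Business continuity plan tested", "P2", "Head of Ops", 365, None, None),
    Control("T6.1.2", "Vendor inventory reviewed", "P2", "Procurement", 180, date(2024, 12, 1), None),
    Control("M3.1.1", "Awareness training delivered", "P3", "HR", 365, date(2024, 11, 20), "evidence/hr/training-2024.pdf"),
]

# Constructed review date so the results below are reproducible.
AS_OF = date(2025, 3, 1)

PRIORITY_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def next_due(c: Control) -> Optional[date]:
    """Date the next attestation falls due, or None if it cannot be computed."""
    if c.last_tested is None or c.frequency_days is None:
        return None
    return c.last_tested + timedelta(days=c.frequency_days)


def evidence_gaps(register, as_of):
    """Return (control_id, priority, reason) for every gap an auditor would raise,
    highest priority first. A control may appear more than once."""
    gaps = []
    for c in register:
        if c.owner is None:
            gaps.append((c.control_id, c.priority, "no named owner"))
        if c.frequency_days is None:
            gaps.append((c.control_id, c.priority, "no testing frequency"))
        if c.artefact is None:
            gaps.append((c.control_id, c.priority, "no evidence artefact"))
        if c.last_tested is None:
            gaps.append((c.control_id, c.priority, "never tested"))
        else:
            due = next_due(c)
            if due is not None and due < as_of:
                overdue = (as_of - due).days
                gaps.append((c.control_id, c.priority, f"overdue since {due.isoformat()} ({overdue} days)"))
    # Stable sort: P1 before P2, then by identifier; reasons keep insertion order.
    gaps.sort(key=lambda g: (PRIORITY_ORDER.get(g[1], 99), g[0]))
    return gaps


def attestation_calendar(register, as_of, horizon_days=90):
    """Controls whose next test falls within the horizon, earliest first,
    as (due_date, control_id, owner). Overdue controls are already in evidence_gaps."""
    horizon = as_of + timedelta(days=horizon_days)
    upcoming = []
    for c in register:
        due = next_due(c)
        if due is not None and as_of <= due <= horizon:
            upcoming.append((due, c.control_id, c.owner))
    return sorted(upcoming)


def readiness(register, as_of, priorities=("P1", "P2")):
    """(clean, total) for the given priorities: how many controls have no gap at all."""
    in_scope = [c for c in register if c.priority in priorities]
    gapped = {g[0] for g in evidence_gaps(in_scope, as_of)}
    clean = sum(1 for c in in_scope if c.control_id not in gapped)
    return clean, len(in_scope)


if __name__ == "__main__":
    for control_id, priority, reason in evidence_gaps(REGISTER, AS_OF):
        print(f"{priority} {control_id}: {reason}")
    for due, control_id, owner in attestation_calendar(REGISTER, AS_OF):
        print(f"due {due.isoformat()} {control_id} ({owner})")
    clean, total = readiness(REGISTER, AS_OF)
    print(f"P1/P2 controls with complete evidence: {clean}/{total}")
```

Run against the constructed register as of 1 March 2025, the check reports six gaps across four controls and only one of five P1/P2 controls fully evidenced, even though every control on the register "exists". That is the auditor's view of the register, and it is the list a calendar-driven attestation cycle is meant to keep empty.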

— Sector-specific notes —

Banking and financial services. The UAE Central Bank Information Security Regulation (CB IBR) and the SCA cyber rules layer additional requirements on top of NESA — particularly around payment systems, third-party risk and incident reporting. Banking clients run NESA and CB IBR as a single programme; the overlap is roughly 80%.

Energy and utilities. ADNOC and federal energy entities apply additional operational technology (OT) security expectations on top of NESA — segmentation of IT and OT networks, ICS/SCADA hardening, vendor remote-access controls. NESA T6 (third-party) and T8 (incident management) are typically the heaviest workstreams.

Government and federal entities. UAE government bodies operate under a stricter version of the framework with additional classification, data residency and personnel vetting requirements. The Federal Authority for Government Human Resources (FAHR) requirements on cleared personnel are often the slowest item on the critical path.

Healthcare. DOH Abu Dhabi and DHA Dubai both reference NESA as the baseline information security standard for licensed health facilities. Patient data classification, medical device security and clinical system continuity are the typical hot spots.

Telecom. TDRA enforces the framework directly through the operator licensing regime. Telecom audits tend to be deeper on T3 (operations management) and T4 (communications) than other sectors.

— Timeline and cost —

For a mid-size enterprise (500–2,000 users, single primary data centre, moderate cloud footprint) starting from "we have controls but no NESA mapping", expect a 6–9 month first pass. Gap assessment is 4–6 weeks. Roadmap and prioritisation, 2 weeks. Remediation, 4–7 months, with about a third of that phase spent on policy and process work and two-thirds on technical controls. Mock audit and evidence consolidation, 4 weeks. Real audit, typically 2–5 working days on site.

Indicative cost ranges, all in AED, for the same mid-size profile: gap assessment AED 60,000–120,000; remediation roadmap and programme management AED 80,000–180,000; technical control implementation AED 250,000–900,000 depending on what tooling needs to be deployed (a SIEM, DLP, PAM or vulnerability management platform are the biggest cost drivers); annual ongoing controls operation and attestation AED 180,000–360,000. These are real numbers from real engagements. We will give you a fixed-price scoped proposal after the initial assessment — never an hourly meter.

— If you have 90 days —

A 90-day window is tight but workable if you start right. We run a compressed engagement: weeks 1–2 are an emergency gap triage focused only on P1 controls; weeks 3–10 are parallel-track remediation with us doing the heavy lifting alongside your team; weeks 11–13 are evidence consolidation and a mock audit. The deliverable is not full compliance — it is a defendable audit position with a credible remediation plan for the P2–P3 controls that did not close in time. Auditors will accept this if the plan is real, costed, owned and on a published timeline. They will not accept "we will get to it eventually."

Key Features

NESA Gap Assessment

Full IAS controls audit against your current state. Honest scoring, prioritised remediation list, evidence-readiness scoring against the IAMM 0–5 scale.

Remediation Roadmap

Phased plan with owners, timelines and cost estimates — sequenced so quick wins fund the long-haul work and the audit window drives the critical path.

Technical Control Implementation

Identity, network segmentation, endpoint, vulnerability management, SIEM, DLP, PAM and OT/IT separation — built to the IAS requirements with named vendor selections.

Policy & Procedure Authoring

Information security policy, acceptable use, classification, incident response, BCP/DR, third-party — written in plain language, mapped control-by-control to NESA references.

IAS Audit Preparation

Evidence packs, control narratives, IAMM questionnaire responses and full mock audits so the real one is the routine one.

Ongoing Controls Operations

Continuous monitoring, control testing, exception management, calendar-driven attestation and quarterly evidence collection cycles.

Board & Regulator Reporting

Executive-ready dashboards and audit-ready evidence — translated for technical and non-technical audiences, formatted to the templates your sector regulator expects.

Sector-Specific Overlays

Additional control sets layered on top of NESA for CB IBR (banking), TDRA (telecom), DOH/DHA (healthcare), ADNOC (energy) and federal government entities.

Business Benefits

Audit-ready posture
Move from reactive scrambling to a defendable, evidenced control environment with named owners and tested controls.
Lower risk of regulatory action
Demonstrated, evidenced compliance materially reduces both the probability and the cost of a non-compliance finding. We have not had a client receive a P1 enforcement notice post-engagement.
Coverage of overlapping frameworks
NESA work also moves you forward on ISO 27001 (≈70% overlap), NIST CSF, UAE PDPL and CB IBR. One programme, multiple compliance outcomes.
Predictable programme timeline
Typical 6–9 month programme for a mid-size enterprise, fully sequenced against your audit window and your sector regulator's reporting cycle.
Fixed-price commercials
No hourly meter. Scoped statement of work with deliverable-based milestones — you know what you are paying for before you sign.
Knowledge transfer to your team
We document everything we build and walk your team through it. The goal is your internal team operates the controls confidently long after we leave.

How It Works

A proven, repeatable delivery approach.

01

Assess

Map current controls to NESA IAS using the official IAMM questionnaire. Identify gaps by domain, severity and remediation effort.

02

Plan

Build a costed, sequenced remediation roadmap with owners, milestones and dependencies — paced against your audit window.

03

Remediate

Implement controls — technical, procedural and governance — with our team alongside yours. Weekly steering, biweekly evidence reviews.

04

Mock Audit

Internal audit using the same evidence checklist a NESA auditor uses. Close any remaining gaps before the formal assessment.

05

Audit Support

On-site support during the formal audit — control walkthroughs, evidence presentation, auditor liaison and finding-response drafting.

06

Operate & Attest

Continuous controls operation, quarterly attestation, evidence refresh and audit support through subsequent certification cycles.

Relevant Industries

Energy & Utilities · Government & Federal · Banking & Finance · Telecommunications · Transport & Logistics · Healthcare · Critical Infrastructure

Frequently Asked Questions

Is NESA still a thing now that the agency was absorbed into SIA?

Yes. The agency name changed in 2020 when NESA was absorbed into the UAE Signals Intelligence Agency, and policy oversight now sits with the UAE Cyber Security Council. The Information Assurance Standards themselves are unchanged and still actively audited. Most people, including auditors, still call it "NESA compliance" — the term has stuck.

Who has to comply with NESA / UAE IAS?

Organisations operating in UAE critical sectors — energy, government, banking and financial services, telecommunications, transport, healthcare and emergency services. If you fall in one of those and have not formally engaged with the framework, you are likely already in scope. Your sector regulator (UAE Central Bank, TDRA, DOH, ADNOC GRP, FAHR, etc.) will eventually ask.

How long does a NESA compliance programme take?

For a mid-size enterprise starting from "we have some controls but no formal NESA mapping", expect 6–9 months. For an organisation with mature controls already aligned to ISO 27001 or NIST CSF, 3–5 months is achievable. If you have an audit notice already, see the 90-day section above.

What does a NESA compliance programme cost?

Indicative ranges for a mid-size enterprise: gap assessment AED 60,000–120,000; remediation programme management AED 80,000–180,000; technical control implementation AED 250,000–900,000 depending on tooling required; ongoing operations AED 180,000–360,000 per year. We scope a fixed-price proposal after the initial assessment so you have a defensible number to take to the board.

What are the IAS priority levels?

P1 (highest) through P4. Audit enforcement focuses heavily on P1 and P2; that is where you need evidenced, tested controls. P3 and P4 controls are still required but are more commonly addressed through documented improvement plans than immediate enforcement.

How does NESA overlap with ISO 27001 and UAE PDPL?

Significantly. About 70% of ISO 27001 Annex A controls map directly to NESA IAS requirements. UAE PDPL covers personal data handling, which overlaps with several NESA data classification and access control requirements. CB IBR (banking) shares ~80% with NESA. We run all of these as a single programme where it makes sense, so you do not pay for the same control three times.

What is the IAS audit and how do you prepare for it?

The Information Assurance Standards audit is the formal assessment of your controls, typically scheduled through your sector regulator. The auditor pre-issues an IAMM questionnaire scoring each control on a 0–5 maturity scale, followed by a 2–5 day on-site visit with interviews and evidence sampling. We prepare clients by running internal mock audits using the same evidence checklist, closing gaps before the real auditor arrives.

What happens if we fail an audit?

Outcomes range by sector. Banking and government see the strongest enforcement — formal findings, mandated remediation plans on regulator timelines, and in serious cases licence implications. Energy and healthcare typically see findings with remediation deadlines. The defining factor in the regulator response is not "did you fail" but "do you have a credible plan to fix it" — which is why even an emergency 90-day engagement focuses as much on the remediation plan as the controls themselves.

What is the most common gap you find in first assessments?

Three: incomplete asset and vendor inventories, untested business continuity plans, and weak privileged access controls. All three are slow to fix and disproportionately costly to leave broken. Expect to spend time here regardless of how mature the rest of your environment is.

Do we need to keep our data in UAE data centres to comply with NESA?

Not strictly — NESA itself does not mandate UAE data residency for all data classes. Specific data classifications (particularly sectors regulated by the Central Bank, TDRA and government bodies) do carry residency requirements that effectively force UAE-region cloud (Azure UAE North, AWS Middle East UAE) or on-premise hosting. We map data classes against residency requirements as part of the initial assessment.

Is cloud (AWS, Azure, Microsoft 365) compatible with NESA?

Yes. AWS, Azure and Microsoft 365 all operate UAE regions specifically positioned for NESA / UAE IAS compliance. The work shifts from "where is the data" to "how do we configure the cloud tenant for control parity" — landing zones, conditional access, audit logging, classification labels and data loss prevention. The shared-responsibility model means the cloud provider handles some controls and you handle others; we map this explicitly so nothing falls between the gaps.

Can we do this in-house without an external advisor?

In principle, yes, and a few large UAE enterprises do. In practice most internal teams underestimate the evidence and process workload, which, taken across the whole programme rather than just the remediation phase, is typically 60–70% of the effort. The technical controls are the easy part. The audit-ready evidence repository, the policy framework written to NESA references, the named control owners with calendar-driven attestation, and the regulator-facing reporting are where engagements go off the rails when done unaided. Even where you have strong internal security capability, external support during the first cycle is the standard pattern.

Can you operate the controls for us after implementation?

Yes. Most clients move into a managed compliance retainer once the initial programme finishes — continuous monitoring, quarterly control testing, evidence collection and audit support through their NESA attestation cycle. This is also the cheapest way to stay compliant year-over-year because the institutional knowledge from the initial programme stays in one place.

How quickly can we engage?

Gap assessment can typically start within 2 weeks of signed engagement. Emergency 90-day engagements can start within 1 week. For programmes with a hard audit date, we sequence the engagement against the audit window and pre-commit team capacity.

Ready to get started?

Talk to our enterprise team for a free consultation and tailored proposal — typically within 48 hours.

Chat with us on WhatsApp