Contact Us
Contact Us

Fundamentals of UAE Legislation on Cybercrimes

Fundamentals of UAE Legislation on Cybercrimes (2026 Update)

Cybercrimes in the United Arab Emirates are regulated through a fast-evolving criminal framework designed to protect national security, public order, the economy, and private rights in an increasingly digital society. The cornerstone statute is Federal Decree-Law No. 34 of 2021 on Countering Rumors and Cybercrimes (the “Cybercrimes Law”), which repealed the earlier Federal Law No. 5 of 2012 and significantly expanded the scope of prosecutable online conduct. (UAE Legislation)

This guide explains what the Cybercrimes Law covers, how the UAE typically treats common cyber-offences (hacking, fraud, privacy violations, and online defamation), what evidence matters most, and what practical steps victims and businesses should take when responding to incidents—especially where cross-border actors, cryptocurrency, or platform-based misconduct is involved. (U.AE)

For broader cross-border defence strategy and UAE-facing compliance support, see Dewey & LeBoeuf LLP’s Criminal Defence practice page: https://deweyleboeuf.com/practice-areas/criminal-defence/ (Dewey & Leboeuf LLP)

1) What the UAE treats as a “cybercrime”

The Cybercrimes Law does not limit exposure to “hackers” in the popular sense. It criminalizes a wide range of conduct carried out using an information network, an information system, or information technology equipment—including acts that violate privacy, manipulate identities, exploit payment instruments, spread harmful or unlawful content, or facilitate fraud and extortion. (UAE Legislation)

It also contains enforcement tools relevant to platforms and intermediaries (including blocking and other compliance measures in defined circumstances), which is why corporate policies on access control, data governance, and employee conduct matter in practice, not just in theory.

2) Types of cybercrimes and the UAE penalty structure

UAE cybercrime penalties often combine:

  • custodial sentences (imprisonment/temporary imprisonment), and
  • substantial fines that scale with aggravating factors (government systems, critical infrastructure, sensitive data, national security implications, repeat conduct, or broader societal harm).

Below are the most practical “day-to-day” categories businesses and individuals face.

A) Unauthorized access and system hacking

Basic hacking offence (Article 2).
Hacking a website, electronic information system, information network, or IT equipment is punishable by imprisonment and/or fines between AED 100,000 and AED 300,000.

Hacking with damage or data impact (Article 2(2)).
If the hacking results in disruption, destruction, deletion, disclosure, copying, dissemination, acquisition of data, or loss of confidentiality, the penalty escalates to imprisonment of at least 6 months and/or fines between AED 150,000 and AED 500,000.

Hacking for illegal purposes (Article 2(3)).
If hacking is committed to obtain data for illegal purposes, the penalty increases again to imprisonment of at least one year and/or fines between AED 200,000 and AED 500,000.

Government systems and critical facilities (Articles 3 and 5).
Where the target is a government entity’s systems, the UAE treats the offence as materially more serious—moving into temporary imprisonment and higher fines, and escalating further where the incident causes operational damage or is linked to a “cyberattack.”

Practical takeaway: in UAE investigations, “attempted access,” “credential testing,” and “unauthorized internal probing” can become criminal risk quickly—especially for employees, contractors, vendors, or competitors engaging in aggressive reconnaissance.

B) Internet fraud, impersonation, and deceptive schemes

Internet fraud (Article 40).
A core fraud offence is triggered where a person illegally seizes a movable asset, benefit, or document (or signs a document) using fraudulent techniques or by taking an alias/false impersonation via the network/system/equipment. The penalty is imprisonment for at least one year and/or fines between AED 250,000 and AED 1,000,000.

Unauthorized fundraising / “digital investment” deception (Article 41).
Where a person calls for or promotes an electronic currency/contest, or creates a fictitious portfolio/company to raise funds from the public without a license, the penalty can reach up to 5 years imprisonment and/or fines between AED 250,000 and AED 1,000,000, with the court ordering refund of illegally seized funds.

Why this matters in 2026: Many cases now involve social-engineering + platform impersonation (fake WhatsApp “CEO” messages, cloned Instagram storefronts, spoofed invoices, or fraudulent “investment dashboards”). UAE enforcement typically treats these as high-impact fraud conduct, particularly when victims include UAE residents, UAE-licensed companies, or UAE-based payment rails.

C) Cyberextortion and online threats

Cyberextortion and threats (Article 42).
Using the network/equipment to extort or threaten another person to force action/inaction can carry up to 2 years imprisonment and/or fines between AED 250,000 and AED 500,000, escalating dramatically (temporary imprisonment up to 10 years) when threats involve compelling crimes or “dishonourable acts.”

This provision is frequently relevant in:

  • ransomware negotiations,
  • doxxing threats,
  • sextortion scenarios,
  • “pay or we publish your data” incidents, and
  • coercive workplace disputes carried onto digital channels.

D) Online defamation, insults, and social-media exposure

Defamation and slander (Article 43).
Using the information network/IT equipment/system to insult another or attribute a quality that could subject them to punishment or contempt is punishable by imprisonment and/or fines between AED 250,000 and AED 500,000. Conduct against public officials can be treated as an aggravating circumstance.

Privacy invasion and “true but harmful” publication (Article 44).
The UAE criminalizes a range of privacy-invasive actions—eavesdropping, recording/transmitting conversations, taking or keeping electronic photos, and publishing news/photos/comments/data even if true, if done with intent to harm—with imprisonment of at least 6 months and/or fines between AED 150,000 and AED 500,000.

Digitally altered content and deepfake-like conduct (Article 44, second paragraph).
Using a system/equipment to modify or process records/photos/scenes with intent to defame or insult triggers imprisonment of at least one year and/or fines between AED 250,000 and AED 500,000.

A practical corporate consequence is that executives, employees, and brand representatives can face exposure from:

  • reposting third-party accusations,
  • publishing screenshots of private chats,
  • sharing images without consent,
  • “call-out” content posted in anger, or
  • edited clips/images used to ridicule or “prove a point.”

E) Personal data theft, identity misuse, and payment instrument crimes

Infringement of personal data (Article 6).
Acquiring, possessing, modifying, destroying, leaking, copying, disseminating, or redistributing personal electronic data without permission is punishable by imprisonment of at least 6 months and/or fines between AED 20,000 and AED 100,000, with aggravated treatment where the data relates to medical records, bank accounts, or e-payment information.

Collecting/processing personal data unlawfully (Article 13).
Collecting, saving, or processing personal data of UAE nationals/residents in violation of applicable UAE legislation can be punished by imprisonment and/or fines between AED 50,000 and AED 500,000.

E-documents and payment instruments (Articles 14–15).
Forgery of e-documents (especially government-linked) and hacking/forging/cloning e-payment instruments carries materially higher penalties, reflecting the UAE’s strict approach to digital trust and financial rails.

F) Intellectual property and “digital content” offences

The Cybercrimes Law is not the only relevant instrument for IP. In practice, online infringement issues often intersect with:

  • UAE copyright law (notably Federal Decree-Law No. 38 of 2021 on Copyright and Neighboring Rights), and
  • cybercrime provisions where the conduct involves unauthorized access, unlawful dissemination, or platform-based abuse. (Muhami)

Practical takeaway: If an incident involves piracy + system intrusion, counterfeit storefronts, stolen brand assets, or mass scraping, you often need a blended strategy: cybercrime complaint + civil enforcement + platform takedown + evidence preservation.

3) Reporting cybercrime in the UAE

Step 1 — Preserve evidence (do this before anything else)

Collect and preserve:

  • screenshots of chats, threats, posts, comments, and profiles,
  • URLs and account handles (including variations),
  • email headers (where possible),
  • payment proofs (bank transfers, card statements, wallet addresses),
  • device logs or transaction logs available to your IT team.

Do not “clean up” accounts or delete content before capturing evidence. In UAE cybercrime matters, digital traces and timelines are often decisive, even when messages are later removed.

Step 2 — Identify the competent channel

Victims typically report via law-enforcement channels appropriate to the emirate and circumstance. UAE Government guidance confirms the central role of Federal Decree-Law No. 34/2021 in the national approach to cyber offences. (U.AE)

Step 3 — Online complaint (Dubai-focused)

For Dubai-related incidents, the Dubai Police eCrime portal is commonly used for online reporting. (English speaking lawyer in UAE)

A typical flow includes:

  • selecting the incident category (fraud, defamation, hacking, threats),
  • entering personal details and a factual timeline,
  • uploading evidence,
  • obtaining a reference/case number.

Step 4 — In-person reporting (when the risk is urgent)

Where there is:

  • significant financial loss,
  • imminent extortion,
  • account takeover affecting a business,
  • an active ransomware or leakage event, or
  • immediate reputational harm,

in-person reporting can be appropriate—especially if you need rapid action, seizure preservation, or immediate investigative intervention.

Step 5 — Involve counsel early (especially for businesses)

Cybercrime matters frequently trigger parallel risks:

  • criminal exposure (employee conduct, vendor conduct, “internal hacking”),
  • civil liability (privacy, contractual breaches),
  • regulatory scrutiny (data protection and sector obligations),
  • cross-border evidence and mutual assistance issues.

A legal team can coordinate:

  • evidence handling and privilege strategy,
  • statements to investigators,
  • civil recovery strategy,
  • communications discipline (to avoid compounding liability),
  • settlement/withdrawal pathways where legally available.

For related UAE defence support, see:

Need legal support for this topic?
If you need help reviewing contracts, terms, or legal guidance related to this post, our legal team can help.
+971 58 690 9684 info@deweyleboeuf.com

4) Cross-border reach and why “outside the UAE” is not always a shield

In many UAE cyber matters, offenders operate offshore (or use offshore infrastructure). Even where conduct occurs abroad, UAE enforcement can still proceed when:

  • victims are in the UAE,
  • systems/data are in the UAE,
  • payment rails touch UAE banks or UAE-licensed entities,
  • the reputational harm is centered in the UAE market.

For companies, this is why incident response should be designed for multi-jurisdiction cooperation from day one.

5) Potential consequences for foreigners (deportation risk)

Foreign nationals convicted of crimes in the UAE may face judicial deportation (court-ordered) in addition to custodial penalties and fines. Commentary sources commonly cite UAE Penal Code provisions on court-ordered deportation for convicted foreign nationals, particularly where conduct is treated as a public order or security concern. (The Times of India)

Separately, deportation can also arise through immigration/residency frameworks where authorities consider a person a risk to public safety or national security. (alriyamiadvocates.com)

Practical takeaway: In cybercrime investigations involving expats, tourists, or visiting executives, counsel typically treats deportation risk as a front-line issue—not an afterthought—because early procedural decisions can shape the final outcome.

6) Prevention and compliance: what actually reduces risk in the UAE

For individuals

  • Use strong, unique passwords and a password manager.
  • Enable multi-factor authentication for banking, email, cloud, and social accounts.
  • Treat links and attachments as “hostile by default” unless verified.
  • Avoid posting or reposting content that could be construed as insulting, privacy-invasive, or harmful—especially screenshots of private communications.

For companies

  • Harden identity access management (IAM) and least-privilege controls.
  • Define incident response playbooks (technical + legal + PR).
  • Train staff on UAE-specific risk areas (defamation, privacy invasion, recording rules, internal data handling).
  • Control who can speak externally during incidents.
  • Maintain defensible data governance for UAE nationals/residents’ personal data.

If your business is expanding in the UAE digital economy (e-commerce, platforms, content operations), corporate structuring and compliance alignment matter too: https://deweyleboeuf.com/en-ae/e-commerce-business-setup-in-the-uae/ (Dewey & Leboeuf LLP)

7) Structured summary table

TopicWhat the law targetsCore provisions (illustrative)Typical penalty band (illustrative)Common aggravatorsPractical note
Hacking / unauthorized accessAccessing systems/networks without permissionArt. 2; Art. 3 (gov systems)AED 100k–300k (basic); higher with damage/dataGov systems; damage; cyberattack; illegal purposeTreat “testing credentials” as high-risk conduct
Internet fraud / impersonationSeizing benefits/documents via alias/false impersonationArt. 40Prison ≥ 1 year and/or AED 250k–1mMulti-victim; large losses; organized schemesEvidence + payment traces are decisive
Unlicensed fundraising / “fake portfolios”Raising funds from public without licenseArt. 41Up to 5 years and/or AED 250k–1mCrypto-style pitches; mass solicitationCourt may order refund of seized funds
Cyberextortion / threatsCoercion via digital threatsArt. 42Up to 2 years and/or AED 250k–500k; up to 10 years in severe casesThreats of crimes/dishonourable actsReport early; preserve evidence
Defamation / slanderInsults and defamatory attribution onlineArt. 43AED 250k–500k and/or imprisonmentPublic officials; wider harmReposts can still create exposure
Privacy invasion / harmful publicationRecording, photos, publishing true info to harm, tracking locationArt. 44AED 150k–500k and/or imprisonment (≥ 6 months)Sensitive context; repeated acts“True but harmful” can still be criminal
Altered images / processed recordsModified content intended to insult/defameArt. 44 (second paragraph)Prison ≥ 1 year and/or AED 250k–500kBroad distribution; reputational harmHigh risk for edited clips/images
Personal data misuseUnauthorized acquisition/leak/copy of personal dataArt. 6; Art. 13AED 20k–100k + imprisonment (≥ 6 months); higher in some casesBank/medical/e-payment dataCorporate data governance matters
Foreign national consequencesDeportation after conviction / immigration consequencesPenal/immigration frameworksCan accompany convictionNational security/public order concernsTreat deportation risk as strategic from day one (The Times of India)

8) Contact cybercrime lawyers in Dubai (Dewey & LeBoeuf LLP)

Cybercrime matters move quickly in the UAE—especially where devices are seized, accounts are frozen, or reputational harm spreads online. Early legal positioning can materially affect outcomes.

For support with:

  • defending cybercrime allegations,
  • reporting and evidence strategy,
  • cross-border incident response,
  • civil recovery and parallel claims,
  • managing exposure for executives and companies,

visit:

Contact Information:
E-mail: info@deweyleboeuf.com
Phone: +971 58 690 9684
Address: 26B Street, Mirdif, Dubai, UAE

Leave a Reply

Your email address will not be published. Required fields are marked *