The UAE’s national cybercrimes legislation was last updated in 2012, but has now been repealed and replaced as part of the country’s legal reform programme by Federal Decree-Law No. 34 of 2021 Concerning the Fight Against Rumours and Cybercrime (the New Cybercrimes Law). In this article, we provide a commentary on various important changes and new offences that have been introduced by the New Cybercrimes Law.


The New Cybercrimes Law was published in the Official Gazette on 26 September 2021 and took effect on 2 January 2022. The scope of the New Cybercrimes Law’s application has been expanded to include the commission of cybercrimes that are prepared, planned, directed, supervised or financed in the UAE, or otherwise considered to undermine the interests of the UAE or its citizens and residents.

Most crimes under the previous legislation have been replicated in similar terms, but some are notably broader or have been re-introduced with a specific focus on particular sectors (such as banking, media and healthcare).

The broadening of certain offences potentially captures internet service providers and raises concerns around liability of intermediaries. There are new offences that seem likely to have been introduced to better regulate the use of social media in the UAE, including in relation to the dissemination of fake news and misinformation.

Sector-specific prohibitions

The New Cybercrimes Law sets out offences that are specific to sectors which are considered essential to the country, including banking, media, health and scientific institutions. There are also certain enhanced sanctions for offences involving government data and government institutions. Previous offences relating to unauthorised access to systems and data have been split out into more granular offences dealing specifically with unauthorised access and hacking.

Penalties for hacking the system of a health, scientific, media or banking institution can range from AED 500,000 to AED 3,000,000, in addition to the possibility of imprisonment. The crime of unlawfully accessing or tampering with government data could lead to a prison sentence of not less than 10 years and a fine of up to AED 5,000,000.

Data protection violations

The New Cybercrimes Law contains a provision that makes it a criminal offence to collect, store or process personal data of UAE nationals or residents in violation of other laws. This is notwithstanding the passing of the UAE’s personal data protection law as part of the same package of legal reforms, which separately regulates the processing of personal data in the UAE. The criminal penalties introduced by the New Cybercrimes Law would seem to be applicable in addition to any sanctions stated in the data protection law or similar legislation.