According to Section 4.1 of the Regulatory Policy on Internet Access Management of 2017, licensees are required to block access to prohibited content. As specified in Section 3.1, prohibited content refers to online material considered unacceptable or contrary to the public interest, public morality, public order, national security, Islamic values, or any other matter prohibited under applicable laws, regulations, or administrative requirements in the United Arab Emirates. In practice, it has been reported that the country’s two main Internet Service Providers (ISPs) use proxy servers to filter and block material deemed inconsistent with national values, including content from certain international media sources.
Moreover, it is reported that Grindr has been inaccessible in the United Arab Emirates at least since October 2016, and this restriction remained in place through 2024. Additionally, in March 2021, local media reported that users in the UAE experienced significant audio and quality issues when attempting to access the audio-based social platform Clubhouse. As of March 2024, Clubhouse appears to remain blocked. The government also restricts the use of most voice over internet protocol (VoIP) services, including VoIP access via virtual private networks (VPNs), as well as the use of VPNs through domestic internet service providers (ISPs). It is further reported that authorities censor selected content on platforms such as YouTube, Facebook, and X.

The indicator "7.2.4 - Government Internet shut down in practice" of the V-Dem Dataset, which measures whether the government has the technical capacity to actively make internet service cease, thus interrupting domestic access to the internet or whether the government has decided to do so, has a score of 3 in the United Arab Emirates for the year 2024. This corresponds to "Rarely but there have been a few occasions throughout the year when the government shut down domestic access to Internet."

According to Art. 12 of the Federal Decree-Law No. 55 of 2023 Concerning Media Regulation, the competent authority is tasked with issuing licences or permits for electronic and digital media activities involving promotion and advertising, whether remunerated or not, through social media and other modern technological platforms. In addition, the Council is authorised to grant permits to natural persons who provide advertising or media content on such platforms, regardless of whether the activity is conducted for compensation.
Art. 27 of Cabinet Resolution No. 68 of 2024, issued as the Executive Regulation of the Federal Decree-Law No. 55 of 2023, specifies that the UAE Media Council is responsible for licensing particular media activities, including the design and production of advertisements of all kinds, as well as the provision of media and advertising consultations and studies.

According to Art. 5 of the Federal Decree-Law No. 55 of 2023 Concerning Media Regulation, the UAE Media Council or the competent authority, each within its jurisdiction, is responsible for issuing licences or permits to practise media activities. Art. 8 defines media activities to include the production, transmission, distribution, publishing, broadcasting, and dissemination of media content - whether audio, visual, or digital - and its availability to the public through media outlets, irrespective of whether such activities are conducted for remuneration. These activities encompass: (i) radio and television broadcasting, including Internet Protocol Television (IPTV), over-the-top (OTT) platforms, and video-on-demand (VOD) services; (ii) interactive and non-interactive video game and arcade game services developed and distributed within the UAE; (iii) newspapers and publications (including foreign publications); (iv) electronic and digital media activities; and (v) any additional activities determined by the Executive Regulation of this Law.
Cabinet Resolution No. 68 of 2024 further specifies the procedures and conditions applicable to each of these licensed activities.

According to Section 7 of the Internet of Things (IoT) Regulatory Policy, IoT service providers are required to register with the Telecommunications and Digital Government Regulatory Authority (TDRA) and obtain an IoT Service Provider registration certificate. As a prerequisite, providers must establish a local presence in the UAE or appoint an authorised representative who is physically based in the country and responsible for liaising with the TDRA and other law enforcement agencies. The Regulatory Procedure for Internet of Things (IoT) further specifies the application and approval process.

Under Section 3.1 of the Voice over Internet Protocol Regulatory Policy, any person seeking to provide VoIP services within the United Arab Emirates, insofar as such provision constitutes a regulated activity, must obtain a licence issued by the Telecommunications and Digital Government Regulatory Authority (TDRA) pursuant to Federal Law by Decree No. 3 of 2003. The policy further clarifies that only two licensees are currently authorised to offer VoIP services and that the TDRA does not presently intend to grant additional licences for such services. In addition, under Section 3.2, if a licensee identifies that VoIP services are being offered over its public telecommunications network by an unlicensed party, it is entitled to block access to those services, unless directed otherwise by the TDRA.
In parallel, Art. 28 of Federal Law by Decree No. 3 of 2003 stipulates that a telecommunications licence may only be issued to a corporate entity established under a decision of the Board, thereby precluding foreign companies from providing services on a cross-border basis without first creating a recognised legal entity within the UAE.

According to the UAE Import and Export Guide, import activities require a valid trade licence issued by a competent UAE authority, as well as registration with the Customs Department. It has been reported that such licences are currently issued by the respective local customs authorities; however, efforts are ongoing to establish a unified, UAE-wide licensing system.

Art. 9 of Federal Decree-Law No. 43 of 2021 prohibits the import of items within its scope without prior authorisation. This provision applies to a range of goods listed in the schedule of controlled commodities adopted under Cabinet Resolution No. 50 of 2020. The latter includes electronics, computers, and telecom and information security.
In addition, the Lists of Prohibited and Restricted Goods in the States of the GCC establish categories of goods subject to trade restrictions. Telecommunications-related equipment, specifically base stations (HS code 8517.61.00) and transmission apparatus incorporating reception apparatus (HS code 8525.60.00), is included in the restricted list. The import of such items may require prior authorisation or the issuance of special licences by the competent authorities.
In addition, under Section 3 of the Telecommunications Equipment Type Approval Regime, importers of radio and telecommunications terminal equipment (RTTE) in the United Arab Emirates are required to register with the Telecommunications and Digital Government Regulatory Authority (TDRA). Each importer must ensure that the company is duly registered and that the relevant equipment has obtained type approval from TDRA prior to being placed on the UAE market. In addition, Section 5 stipulates that customs clearance for RTTE will only be granted where the equipment has been type-approved and imported by a registered entity.

Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data establishes a comprehensive data protection framework in the United Arab Emirates, overseen by the UAE Data Office. In addition to this federal regime, the Dubai International Financial Centre (DIFC) is governed by DIFC Law No. 5 of 2020, and the Abu Dhabi Global Market (ADGM) is governed by the ADGM Data Protection Regulations 2021. Sector-specific legislation further regulates data handling in banking, telecommunications, and healthcare, including Federal Laws No. 14 of 2018, No. 3 of 2003, and No. 2 of 2019, respectively. Complementing these measures, Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cyber Crimes criminalises unlawful data collection and processing, while Federal Decree-Law No. 33 of 2021 on Employment Relations imposes confidentiality obligations on employees regarding information accessed through their work.

Pursuant to Art. 21 of Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data, where a form of processing involving emerging technologies is likely to pose a significant risk to the privacy and confidentiality of a data subject’s personal information, the data controller is obliged to undertake a data protection impact assessment (DPIA) prior to initiating such processing. Specifically, Art. 21.2 stipulates that the requirement to conduct a DPIA arises in circumstances where: (i) a systematic and comprehensive evaluation of data subjects is carried out through automated processing, including profiling, which produces legal effects or similarly significant consequences for the individuals concerned; or (ii) the processing involves large-scale handling of sensitive personal data.
In addition, in accordance with Arts. 10 and 11, both controllers and processors are required to appoint a data protection officer (DPO) in cases where: (i) the nature of the processing, particularly when employing new technologies or based on the scale of data processed, is likely to result in a high risk to the confidentiality and privacy of personal data; (ii) the processing entails systematic and extensive assessment of sensitive personal data, including profiling and automated decision-making; and/or (iii) the processing involves large-scale operations concerning sensitive personal data. The DPO’s responsibilities include, inter alia, ensuring that the controller or processor complies with the provisions of the legislation and any directives issued by the UAE Data Office. The DPO may be an employee of the controller or processor, or an external individual appointed by the organisation, whether located within or outside the United Arab Emirates.

Art. 5 of Federal Law No. 3 of 2012 defines the competencies of the Signals Intelligence Agency, granting it extensive powers that may include accessing personal data held by private entities. Under Art. 14, the Agency may, in urgent circumstances and following consultation with the National Security Advisor, monitor, infiltrate, disrupt, or block communications networks, information systems, and devices of any person or organisation suspected of engaging in activities that could threaten the United Arab Emirates’ security, public order, social stability, international relations, or critical infrastructure, or endanger life or property, provided that the public prosecution is notified within one week. Additionally, Art. 13 authorises the Agency to take "all necessary measures" to protect national communication networks and information systems from unlawful access and to identify vulnerabilities or malfunctions to prevent breaches of the Law.

The government owns shares in the only two telecom companies licensed to operate in the country. The Emirates Telecommunications Corporation (Etisalat) is 60% owned by the Emirates Investment Authority, while the remaining 40% is held by public shareholders. Similarly, du (Emirates Integrated Telecommunications Company PJSC) is majority controlled by public-sector investors, with approximately 50% owned by the Emirates Investment Authority and around 20% by DH 8 LLC, the investment holding company of the Government of Dubai, while the remaining 30% is held by public shareholders.

It is reported that the United Arab Emirates requires functional and accounting separation for telecommunications operators with significant market power (SMP). While the functional separation requirement has not been found in the legal texts, the accounting separation can be found in the Instructions Cost Accounting, Accounting Separation and LRIC Modelling.

In accordance with Art. 3 of the Council of Ministers Resolution No. 55 of 2021, foreign investors seeking to participate in any of the strategic activities listed in Art. 2, including the telecommunications sector, are required to submit a licence application to the competent authority. For the telecommunications sector, the Public Authority for the Regulation of the Telecommunications Sector and Digital Government must approve the FDI licence applications and determine: (i) the proportion of national and/or foreign participation in the company’s capital; and (ii) where applicable, the proportion of national and/or foreign representation on the board of directors.
Moreover, according to Art. 12 of the Resolution No. 9 of 2023, an entity is eligible to apply for a licence if is incorporated under the Commercial Companies Law, and foreign shareholding does not exceed 49%, with the remaining 51% held by one or more national citizen partners, unless otherwise approved by the board of directors of the Telecommunications and Digital Government Regulatory Authority (TDRA).
Moreover, according to Art. 2.6 of the Resolution No. 9 of 2023, the number and scope of any licences shall be determined by the Board, and may be restricted depending on:
- The level and state of competition in the telecommunications sector in the State; or
- The availability of the scarce resources (e.g. spectrum and numbers); or
- The implementation of any technical restrictions to regulate the use of scarce resources; or
- Any other reason determined by the board of directors of the Telecommunications and Digital Government Regulatory Authority (TDRA).
Under Art. 8 further states that a licence may be revoked if a competent authority determines that is in the national interest to do so.

The United Arab Emirates has not appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.