According to Section 7 of the Internet of Things (IoT) Regulatory Policy, IoT service providers are required to register with the Telecommunications and Digital Government Regulatory Authority (TDRA) and obtain an IoT Service Provider registration certificate. As a prerequisite, providers must establish a local presence in the UAE or appoint an authorised representative who is physically based in the country and responsible for liaising with the TDRA and other law enforcement agencies. The Regulatory Procedure for Internet of Things (IoT) further specifies the application and approval process.

Under Section 3.1 of the Voice over Internet Protocol Regulatory Policy, any person seeking to provide VoIP services within the United Arab Emirates, insofar as such provision constitutes a regulated activity, must obtain a licence issued by the Telecommunications and Digital Government Regulatory Authority (TDRA) pursuant to Federal Law by Decree No. 3 of 2003. The policy further clarifies that only two licensees are currently authorised to offer VoIP services and that the TDRA does not presently intend to grant additional licences for such services. In addition, under Section 3.2, if a licensee identifies that VoIP services are being offered over its public telecommunications network by an unlicensed party, it is entitled to block access to those services, unless directed otherwise by the TDRA.
In parallel, Art. 28 of Federal Law by Decree No. 3 of 2003 stipulates that a telecommunications licence may only be issued to a corporate entity established under a decision of the Board, thereby precluding foreign companies from providing services on a cross-border basis without first creating a recognised legal entity within the UAE.

According to the UAE Import and Export Guide, import activities require a valid trade licence issued by a competent UAE authority, as well as registration with the Customs Department. It has been reported that such licences are currently issued by the respective local customs authorities; however, efforts are ongoing to establish a unified, UAE-wide licensing system.

Pursuant to Section 7.8.2.1 of the Internet of Things Regulatory Policy, IoT service providers are required to ensure that data classified as secret, sensitive, or confidential in relation to individuals and businesses is primarily stored within the United Arab Emirates. Nevertheless, such data may be stored outside the UAE provided that the host country’s data security and user protection regulations meet or exceed those applicable within the UAE. These provisions equally apply to personal data, as the Telecommunications Regulatory Authority (TRA) designates personal data as secret in the context of individuals.
Section 1.3 of the Policy further defines these classifications based on the potential harm resulting from a breach of confidentiality or uncontrolled disclosure: confidential data is that whose unrestricted disclosure could cause limited harm to individuals, businesses, or the government; sensitive data is that whose disclosure could result in significant harm to these entities; and secret data is that whose disclosure could severely compromise the supreme interests of the State and cause very substantial damage to individuals, businesses, and the government.

In November 2024, the United Arab Emirates signed its first agreement establishing binding obligations to enable cross-border data transfers. The agreement will enter into force in October 2025. Under Art. 12.16 of the Australia–UAE Comprehensive Economic Partnership Agreement (CEPA), the parties acknowledge their respective regulatory frameworks governing electronic information transfers. However, neither party may prohibit or restrict such transfers, including those involving personal data, where necessary for the conduct of business by a covered person. This provision does not preclude the adoption of measures inconsistent with these commitments, provided they pursue a legitimate public policy objective, are not applied in a manner constituting arbitrary or unjustifiable discrimination or a disguised restriction on trade, and do not impose restrictions on information transfers beyond what is necessary to achieve the stated objective.

Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data establishes a comprehensive data protection framework in the United Arab Emirates, overseen by the UAE Data Office. In addition to this federal regime, the Dubai International Financial Centre (DIFC) is governed by DIFC Law No. 5 of 2020, and the Abu Dhabi Global Market (ADGM) is governed by the ADGM Data Protection Regulations 2021. Sector-specific legislation further regulates data handling in banking, telecommunications, and healthcare, including Federal Laws No. 14 of 2018, No. 3 of 2003, and No. 2 of 2019, respectively. Complementing these measures, Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cyber Crimes criminalises unlawful data collection and processing, while Federal Decree-Law No. 33 of 2021 on Employment Relations imposes confidentiality obligations on employees regarding information accessed through their work.

Pursuant to Art. 21 of Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data, where a form of processing involving emerging technologies is likely to pose a significant risk to the privacy and confidentiality of a data subject’s personal information, the data controller is obliged to undertake a data protection impact assessment (DPIA) prior to initiating such processing. Specifically, Art. 21.2 stipulates that the requirement to conduct a DPIA arises in circumstances where: (i) a systematic and comprehensive evaluation of data subjects is carried out through automated processing, including profiling, which produces legal effects or similarly significant consequences for the individuals concerned; or (ii) the processing involves large-scale handling of sensitive personal data.
In addition, in accordance with Arts. 10 and 11, both controllers and processors are required to appoint a data protection officer (DPO) in cases where: (i) the nature of the processing, particularly when employing new technologies or based on the scale of data processed, is likely to result in a high risk to the confidentiality and privacy of personal data; (ii) the processing entails systematic and extensive assessment of sensitive personal data, including profiling and automated decision-making; and/or (iii) the processing involves large-scale operations concerning sensitive personal data. The DPO’s responsibilities include, inter alia, ensuring that the controller or processor complies with the provisions of the legislation and any directives issued by the UAE Data Office. The DPO may be an employee of the controller or processor, or an external individual appointed by the organisation, whether located within or outside the United Arab Emirates.

Art. 5 of Federal Law No. 3 of 2012 defines the competencies of the Signals Intelligence Agency, granting it extensive powers that may include accessing personal data held by private entities. Under Art. 14, the Agency may, in urgent circumstances and following consultation with the National Security Advisor, monitor, infiltrate, disrupt, or block communications networks, information systems, and devices of any person or organisation suspected of engaging in activities that could threaten the United Arab Emirates’ security, public order, social stability, international relations, or critical infrastructure, or endanger life or property, provided that the public prosecution is notified within one week. Additionally, Art. 13 authorises the Agency to take "all necessary measures" to protect national communication networks and information systems from unlawful access and to identify vulnerabilities or malfunctions to prevent breaches of the Law.

A basic legal framework on intermediary liability for copyright infringement is absent in the United Arab Emirates' law and jurisprudence.

Pursuant to Arts. 14.22 and 1.71 of the Retail Payment Services and Card Schemes Regulation, legal entities authorised to provide one or more retail payment services are required to store and maintain personal and payment data within the United Arab Emirates. In addition, a secure and reliable backup of all such data must be established at an alternative location and retained for a mandatory period of five years.

Pursuant to Art. 10.6 of the Stored Value Facilities (SVF) Regulation, an SVF Licensee is required to ensure the adequate protection of customer data, including customer identification details and transaction records, which must be stored and maintained within the United Arab Emirates. The term Stored Value Facility refers to a facility, other than cash, in respect of which a customer, or another person acting on the customer’s behalf, remits a sum of money (including monetary equivalents such as value credits, reward points, crypto-assets, or virtual assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including monetary equivalents such as value credits, reward points, crypto-assets, or virtual assets), in whole or in part, on the facility; and (b) the performance of the "relevant undertaking". The definition of SVF encompasses both device-based stored value facilities and non-device-based stored value facilities.

Art. 13 of Federal Law No. 2 of 2019 establishes a general prohibition on the transfer, storage, generation, or processing of health data relating to health services provided within the United Arab Emirates outside its territory, save where authorised by a resolution issued by an Emirate-level health authority in coordination with the Ministry of Health and Prevention. Ministerial Decision No. 51 of 2021, under Art. 2, enumerates ten exceptions to this prohibition, including, inter alia, overseas treatment, medical diagnostic testing, scientific research (the Decision specifically requires prior approval from the competent health authority for the use of health data in scientific research), insurance claims and coverage, cooperation with governmental or international organisations, the use of wearable health monitoring devices, pharmacovigilance reporting, telemedicine, data expressly approved by a competent health authority, and transfers effected pursuant to a formal written request by the data subject or their legal representative. Arts. 3-5 of the Decision impose stringent conditions on most of these exceptions, such as obtaining the prior written consent of the patient or their representative where applicable, encrypting data prior to transmission, employing secure communication channels, and retaining a complete copy of the data within the State irrespective of any authorised cross-border transfer.

According to Section 7.8.2.2 of the Internet of Things Regulatory Policy, IoT service providers must ensure that all government data classified as secret, sensitive, or confidential is stored exclusively within the United Arab Emirates under all circumstances. Section 1.3 of the Policy further defines these classifications based on the potential harm resulting from a breach of confidentiality or uncontrolled disclosure: confidential data is that whose unrestricted disclosure could cause limited harm to individuals, businesses, or the government; sensitive data is that whose disclosure could result in significant harm to these entities; and secret data is that whose disclosure could severely compromise the supreme interests of the State and cause very substantial damage to individuals, businesses, and the government.

Pursuant to Arts. 22 and 23 of the Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data, the transfer of personal data outside the United Arab Emirates is permissible under specific conditions authorised by the UAE Data Office. Such transfers may occur where the recipient state or territory has enacted legislation ensuring an adequate level of personal data protection, encompassing essential provisions, safeguards, and enforcement mechanisms to uphold confidentiality, privacy, and the data subject’s legal rights, including the imposition of appropriate measures on controllers or processors by a judicial or regulatory authority. Transfers are also permitted where the UAE is party to bilateral or multilateral agreements concerning personal data protection with the destination state. In the absence of adequate protection in the recipient jurisdiction, cross-border transfers may proceed under a binding contractual arrangement obliging the foreign entity to adhere to the requirements of the UAE law and to submit to supervisory or judicial oversight as stipulated in the agreement. Additionally, transfers are allowed with the explicit consent of the data subject, provided such action does not contravene national security or public interest; where necessary for the establishment or defence of legal claims; for the conclusion or performance of a contract involving the data subject or a third party acting in their interest; for the execution of measures related to international judicial cooperation; or where required to safeguard the public interest.

The United Arab Emirates has ratified the World Intellectual Property Organization (WIPO) Copyright Treaty.