CBUAE Cybersecurity Framework Testing Services

Financial services are the most targeted sector in the UAE, and the Central Bank knows it. The CBUAE Cybersecurity Framework doesn’t treat penetration testing as a recommendation buried in guidance; it’s a named control requirement examiners verify with evidence. Nathan Labs delivers CBUAE-aligned penetration testing and vulnerability assessment for UAE banks, finance companies, and payment service providers, producing the test reports and remediation tracking your examiners expect to see.

What Is the CBUAE Cybersecurity Framework?

The Central Bank of the UAE (CBUAE) issues cybersecurity and technology-risk requirements for every entity it licenses and supervises: commercial and Islamic banks, finance companies, exchange houses, insurers, and payment service providers. The framework is built around nine domains covering governance, risk management, architecture, identity management, third-party risk, data protection, threat and vulnerability management, incident management, and security awareness, developed in alignment with international standards like NIST and ISO 27001 but tailored to the UAE financial sector’s threat landscape.

Domain 7, Threat and Vulnerability Management, is where penetration testing sits. The CBUAE Rulebook is explicit: licensees “must regularly assess the necessity to perform penetration and cyber-attack simulation testing,” with coverage based on cyber risk profile and cyber intelligence, extending beyond networks and applications to social engineering and emerging threats. Payment service providers processing AED 10 million or more in monthly transaction value face the same expectation directly under Article 13 of the rulebook.

In practice, most institutions treat this as annual third-party penetration testing and quarterly vulnerability scanning of critical systems, backed by a formal patch management process with defined remediation SLAs. Non-compliance can result in regulatory directives, imposed remediation timelines, financial penalties, and operating restrictions.

web application security testing UAE
  • UAE-licensed commercial, retail, and Islamic banks.
  • Finance companies and money exchange houses.
  • Insurance companies regulated by the Central Bank.
  • Payment Service Providers (PSPs), particularly those above the AED 10 million monthly transaction threshold.
  • Fintechs and digital payment providers, including those under the CBUAE Stored Value Facilities (SVF) Regulation.
  • Institutions using SWIFT messaging who face additional Customer Security Programme (CSP) obligations alongside CBUAE requirements.service providers supplying.

Payment apps, customer portals, and Open Finance APIs are explicitly called out as high-value targets the CBUAE expects to see tested, not just core banking infrastructure.

Who Needs CBUAE Cybersecurity Framework Testing?

web application security testing UAE
  • External and internal network testing: Covering both internet-facing infrastructure and internal systems, as the Rulebook specifically requires both scopes
  • Application and payment system testing: Customer portals, mobile banking apps, and payment processing platforms
  • API security testing: Increasingly critical as the CBUAE Open Finance Framework drives rapid API development across the sector, with broken authorization and excessive data exposure among the most common findings
  • Social engineering assessments: Explicitly named in the Rulebook alongside technical testing
  • Third-party and cloud risk testing: Vendor and cloud oversight is a standalone framework domain
  • SWIFT CSP alignment: For institutions using SWIFT messaging

Testing cadence typically runs annually for penetration testing and quarterly for vulnerability scanning of critical systems, with retesting after major changes and remediation tracked against defined SLAs.

What CBUAE-Aligned Testing Needs to Cover

How Nathan Labs Delivers CBUAE Cybersecurity Framework Testing

Why UAE Financial Institutions Choose Nathan Labs

Frequently Asked Questions

The rulebook requires licensees to regularly assess the necessity of penetration and cyber-attack simulation testing based on risk profile, and in practice, CBUAE examiners treat annual third-party testing as the expected evidence for Domain 7 compliance.

Most institutions perform penetration testing annually and vulnerability scanning quarterly for critical systems, with retesting after significant system changes.

Yes. API security testing is increasingly central to CBUAE compliance as Open Finance drives new integrations, and it's an area examiners scrutinize closely for authorization and data exposure flaws.

Consequences can include regulatory directives, imposed remediation timelines, financial penalties, and operating restrictions from the Central Bank.

They overlap for card-processing institutions; PCI DSS governs cardholder data environments specifically, while CBUAE's framework covers the institution's broader technology risk posture. A well-scoped engagement can generate evidence for both.