CBUAE Cybersecurity Framework Testing Services
Financial services are the most targeted sector in the UAE, and the Central Bank knows it. The CBUAE Cybersecurity Framework doesn’t treat penetration testing as a recommendation buried in guidance; it’s a named control requirement examiners verify with evidence. Nathan Labs delivers CBUAE-aligned penetration testing and vulnerability assessment for UAE banks, finance companies, and payment service providers, producing the test reports and remediation tracking your examiners expect to see.
What Is the CBUAE Cybersecurity Framework?
The Central Bank of the UAE (CBUAE) issues cybersecurity and technology-risk requirements for every entity it licenses and supervises: commercial and Islamic banks, finance companies, exchange houses, insurers, and payment service providers. The framework is built around nine domains covering governance, risk management, architecture, identity management, third-party risk, data protection, threat and vulnerability management, incident management, and security awareness, developed in alignment with international standards like NIST and ISO 27001 but tailored to the UAE financial sector’s threat landscape.
Domain 7, Threat and Vulnerability Management, is where penetration testing sits. The CBUAE Rulebook is explicit: licensees “must regularly assess the necessity to perform penetration and cyber-attack simulation testing,” with coverage based on cyber risk profile and cyber intelligence, extending beyond networks and applications to social engineering and emerging threats. Payment service providers processing AED 10 million or more in monthly transaction value face the same expectation directly under Article 13 of the rulebook.
In practice, most institutions treat this as annual third-party penetration testing and quarterly vulnerability scanning of critical systems, backed by a formal patch management process with defined remediation SLAs. Non-compliance can result in regulatory directives, imposed remediation timelines, financial penalties, and operating restrictions.

- UAE-licensed commercial, retail, and Islamic banks.
- Finance companies and money exchange houses.
- Insurance companies regulated by the Central Bank.
- Payment Service Providers (PSPs), particularly those above the AED 10 million monthly transaction threshold.
- Fintechs and digital payment providers, including those under the CBUAE Stored Value Facilities (SVF) Regulation.
- Institutions using SWIFT messaging who face additional Customer Security Programme (CSP) obligations alongside CBUAE requirements.service providers supplying.
Payment apps, customer portals, and Open Finance APIs are explicitly called out as high-value targets the CBUAE expects to see tested, not just core banking infrastructure.
Who Needs CBUAE Cybersecurity Framework Testing?

- External and internal network testing: Covering both internet-facing infrastructure and internal systems, as the Rulebook specifically requires both scopes
- Application and payment system testing: Customer portals, mobile banking apps, and payment processing platforms
- API security testing: Increasingly critical as the CBUAE Open Finance Framework drives rapid API development across the sector, with broken authorization and excessive data exposure among the most common findings
- Social engineering assessments: Explicitly named in the Rulebook alongside technical testing
- Third-party and cloud risk testing: Vendor and cloud oversight is a standalone framework domain
- SWIFT CSP alignment: For institutions using SWIFT messaging
Testing cadence typically runs annually for penetration testing and quarterly for vulnerability scanning of critical systems, with retesting after major changes and remediation tracked against defined SLAs.
What CBUAE-Aligned Testing Needs to Cover
How Nathan Labs Delivers CBUAE Cybersecurity Framework Testing
- Domain 7-aligned scoping: We map your in-scope systems, core banking, payment infrastructure, customer-facing apps, and APIs against CBUAE's Threat and Vulnerability Management domain, producing exactly the evidence examiners expect.
- Network, application, and API penetration testing: We test external and internal networks, customer portals, mobile banking applications, and Open Finance APIs for exploitable weaknesses, not just known vulnerabilities.
- Payment infrastructure testing: For PSPs and fintechs, we scope testing around transaction processing systems, card data flows, and customer authentication mechanisms the CBUAE specifically requires institutions to validate.
- Exploitation-based validation and reporting: Our testers demonstrate real attack paths and business impact. Every engagement produces a board-ready executive summary plus a technical report your team can act on with defined remediation timelines.
- Retesting and SLA tracking: We retest remediated findings and track closure against remediation SLAs, so your compliance file shows resolved risk rather than open findings carried across audit cycles.
Why UAE Financial Institutions Choose Nathan Labs
- Rulebook-mapped scoping: Testing tied directly to Domain 7 and Article 12/13 requirements, not a generic infrastructure test relabeled for banking.
- Full attack surface coverage: Network, application, API, cloud, and social engineering testing under one engagement.
- Board-ready reporting: Evidence formatted for governance oversight and examiner review, with technical depth for remediation teams.
- Retesting included: Every finding tracked to verified closure with SLA-based remediation.
- UAE-based delivery: Direct familiarity with CBUAE examination expectations across banks, PSPs, and fintechs.
Frequently Asked Questions
The rulebook requires licensees to regularly assess the necessity of penetration and cyber-attack simulation testing based on risk profile, and in practice, CBUAE examiners treat annual third-party testing as the expected evidence for Domain 7 compliance.
Most institutions perform penetration testing annually and vulnerability scanning quarterly for critical systems, with retesting after significant system changes.
Yes. API security testing is increasingly central to CBUAE compliance as Open Finance drives new integrations, and it's an area examiners scrutinize closely for authorization and data exposure flaws.
Consequences can include regulatory directives, imposed remediation timelines, financial penalties, and operating restrictions from the Central Bank.
They overlap for card-processing institutions; PCI DSS governs cardholder data environments specifically, while CBUAE's framework covers the institution's broader technology risk posture. A well-scoped engagement can generate evidence for both.


