What NESA and UAE IA V2 Actually Mean

If you've been through a UAE government tender in the last few years, you've probably seen the letters NESA or UAE IA. You may have been told you need to be "NESA compliant." You may have been told it's different from ISO 27001. You may have been told it's the same.

Here's the plain-English version.

  • NESA is shorthand for the National Electronic Security Authority — the UAE federal body that originally issued the national cybersecurity framework. NESA has since been reorganised under the Signals Intelligence Agency (SIA), but the framework name stuck in industry usage.
  • UAE IA (Information Assurance) Standard V2 is the current version of the national cybersecurity framework issued by SIA. It's the updated, authoritative document. When someone says "NESA V2" they almost certainly mean UAE IA V2.

Think of it this way: NESA is the label; UAE IA V2 is the document.

Who Actually Needs to Comply

UAE IA V2 directly applies to:

  • Critical Information Infrastructure (CII) entities — energy, utilities, telecom, transport, finance, health
  • Federal government entities and their direct suppliers
  • Semi-government entities in Abu Dhabi, Dubai, and other emirates

But the framework has also become a default procurement question across the UAE private sector. Enterprise procurement teams, banks, and government-adjacent clients now routinely ask: "Are you NESA-aligned?" If you sell to any of these, you probably need at least a defensible posture statement.

What the Framework Covers

UAE IA V2 organises controls into domains covering:

  1. Governance — security policies, risk management, roles and responsibilities
  2. Asset management — hardware, software, data classification
  3. Information lifecycle — handling, retention, disposal
  4. Physical and environmental security
  5. Operations security — change, capacity, malware, backups, logging
  6. Communications and network security
  7. Identity and access management
  8. System acquisition, development, and maintenance
  9. Supplier and third-party security
  10. Incident management and business continuity
  11. Compliance with legal and regulatory requirements

If that list sounds familiar, it's because the framework draws heavily from international standards like ISO 27001 and NIST 800-53. The overlap with ISO 27001 is roughly 50 – 60% at the control level — but UAE IA V2 adds UAE-specific controls around cross-border data, national security, and supply-chain assurance that international standards don't explicitly mandate.

NESA vs. ISO 27001 — The Honest Difference

                   | NESA / UAE IA V2                  | ISO 27001
Type               | UAE national standard             | International voluntary certification
Who requires it    | UAE CII, government, many tenders | Global enterprise procurement
Certification body | Designated UAE auditors           | Accredited certification bodies
Control count      | ~180 controls across domains      | 93 Annex A controls (2022)
Best for           | UAE govt-adjacent work            | International market access

You often need both — and the good news is most control work satisfies both frameworks. We frequently scope combined assessments that save 15 – 20% versus running each sequentially.

What a Gap Assessment Actually Costs

Pricing varies with scope, but for a typical UAE mid-market organisation:

  • UAE IA V2 Gap Assessment alone: AED 20,000 – 50,000
  • ISO 27001 Gap + UAE IA V2 Gap combined: AED 35,000 – 80,000 (vs. ~60,000 – 100,000 sequentially)

The engagement typically takes 3 – 4 weeks: 1 week scoping, 2 weeks fieldwork and assessment, 1 week reporting.

What You Walk Away With

A proper gap assessment delivers:

  • A control-by-control assessment report with maturity ratings (0 – 4) for every applicable control
  • Cross-framework mapping showing where your existing ISO 27001 or NIST work already satisfies NESA (avoiding duplicate effort)
  • A prioritised remediation roadmap — 90-day / 6-month / 12-month plan with effort estimates
  • An executive summary with a maturity heat map for your board
  • A procurement-ready posture statement you can use in response to tender and client questions

The One Mistake Everyone Makes

The single biggest mistake we see with UAE IA V2 is treating it as a paper exercise — producing documentation that looks good but isn't operationally meaningful. Auditors and regulators are increasingly asking for evidence of implementation, not just policies. A gap assessment should surface gaps in actual practice, not just gaps in documents.

If you're heading into a NESA assessment or answering a procurement question about UAE IA V2 posture, start with an honest gap view.

