UAE: Technology Outsourcing – Legal and Regulatory Overview

Market overview

The UAE outsourcing market is sophisticated and continues to expand rapidly, driven by federally mandated cloud migration deadlines, sovereign data residency requirements and national digital transformation strategies such as UAE Vision 2031, National AI Strategy 2031 and Smart Government initiatives, as well as by a desire to track international developments in this area particularly within the EU and UK. This is accelerating the modernisation and futureproofing of critical systems across government and private-sector entities and enterprises.

Investments in sovereign cloud infrastructure, AI-enabled data centres, and zero-trust cybersecurity frameworks are expanding revenue opportunities for providers that offer both local data hosting and advanced analytics capabilities.

At the same time, increasing consolidation between regional technology leaders and global ‘hyperscalers’ is transforming service delivery models, while public-sector procurement programs that prioritise citizen-owned SMEs are creating new opportunities for standardised SaaS solutions and managed services.

As with other jurisdictions, outsourcing is widely adopted in the UAE, particularly across financial services, telecommunications, healthcare, aviation, oil and gas, and the public sector.

International IT service providers (including Accenture, IBM, Infosys, HCL Technologies and TCS), alongside regional and local system integrators, play a significant role, particularly in Dubai and Abu Dhabi (including in technology-focused free zones such as the DIFC, ADGM, and Dubai Internet City).

Over the last decade, demand has been strongest in IT outsourcing, business process outsourcing (BPO), managed services, and cloud-based solutions, with an ever-increasing uptake of cybersecurity and AI-enabled services in recent years.

Government and regulatory attitude

The UAE government is broadly supportive of outsourcing, particularly as a means of enhancing efficiency and innovation across the economy. However, regulators in the UAE typically adopt a heavily risk-based approach in regulated sectors.

In financial services, for example, regulators such as the Central Bank of the UAE (CBUAE), the Dubai Financial Services Authority (DFSA – in the Dubai International Financial Centre (DIFC)), and the Financial Services Regulatory Authority (FSRA in the Abu Dhabi Global Market (ADGM)), have issued detailed outsourcing and operational risk frameworks, particularly for material outsourcing arrangements. These frameworks set baseline requirements in multiple areas including compulsory due diligence, audit rights, business continuity planning and exit strategies.

Procurement

Public sector outsourcing is governed by federal and emirate-level procurement frameworks, including Federal Decree-Law No. 11 of 2023 on Procurement in the Federal Government, Decision No. 36 of 2021 on the Abu Dhabi Procurement Standards and Dubai Law No. 12 of 2020 concerning Contracts and Warehouse Management in the Government of Dubai. These frameworks impose a variety of measures including requirements for competitive tendering, transparency and vendor qualification processes.

Private sector outsourcing on the other hand, is primarily contractual, although sector-specific rules (particularly in regulated sectors like financial services, telecoms and healthcare) may require formal vendor selection processes and regulatory oversight.

Applicable laws and sector-specific regimes

Government outsourcing is generally covered under the procurement laws discussed above and there are no specific outsourcing laws that are applicable except in the Emirate of Dubai where the government has issued Dubai Law No. 5/2026 on the Regulation of the Outsourcing of Government Services.

This law establishes a comprehensive framework for delegating public services to private and non-profit entities. For digital service providers, the law mandates rigorous technical integration, including mandatory electronic linkage between the outsourced entity’s operations and the government’s systems. Providers must also ensure that their procedures align with existing government channels, which will continue to operate concurrently alongside the newly outsourced platforms.

Furthermore, these digital providers must adhere to strict data privacy and security standards set by the Dubai Digital Authority and the Dubai Electronic Security Centre, whilst managing services holistically to ensure a seamless experience for end-users.

A landmark requirement is strict ‘Emiratisation’, mandating that providers employ at least one UAE national for every non-national employee. Government entities and outsourced service providers must ensure full compliance with these new regulations by March 2029, though a one-year extension may be granted.

Otherwise, Outsourcing arrangements in the UAE are primarily governed by general legal frameworks, including:

  • Federal Law No. 5 of 1985 (Civil Code);
  • Federal Decree-Law No. 31 of 2021 (Penal Code);
  • Federal Decree-Law No. 46 of 2021 (Electronic Transactions Law)
  • Federal Decree-Law No. 50 of 2022 (Commercial Transactions Law);
  • Federal Decree-Law No. 32 of 2021 (Commercial Companies Law);
  • Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law or PDPL);
  • Federal Decree-Law No. 33 of 2021 (Labour Law);
  • Federal Decree-Law No. 34 of 2021 (Cybercrime Law);
  • Cabinet Decision No. 21/2013 On Information Technology Security Regulations at Federal Government Entities (Federal ISR);
  • UAE Information Assurance Regulation (UAE IAR);
  • National Cybersecurity Accreditation Program (Cybersecurity Accreditation); and
  • National Cloud Security Policy (Cloud Security Policy).

Sector-specific regimes also apply in areas such as financial services, where regulators impose requirements for the oversight, approval, and ongoing monitoring, of outsourcing arrangements. Outsourcing requirements in this sector have been issued by the UAE Central Bank (CBUAE), the Financial Services Regulatory Authority (in the ADGM) and the Dubai Financial Services Authority (in the DIFC).

Other regulated sectors (including healthcare and telecommunications) may also impose data localisation or security requirements in certain circumstances.

Competition law

Outsourcing arrangements generally do not trigger merger control unless they involve a transfer of a business or assets constituting an “economic concentration” under Federal Decree-Law No. 36 of 2023 (Competition Law), which regulates anticompetitive practices, merger control, and the abuse of market dominance to ensure fair competition.

Any contractual provisions must also comply with the competition law prohibitions on anti-competitive agreements and abuse of dominance, particularly in relation to exclusivity or market restriction clauses.

Intellectual property

Outsourcing arrangements frequently involve the creation of intellectual property, including software code, databases, processes and related documentation.

Under UAE law, supplier-created IP does not automatically vest in the customer. Express contractual assignment provisions may therefore be required, in accordance with Federal Law No. 38 of 2021 on Copyright and Neighbouring Rights (Copyright Law).

Both parties should also ensure that any registerable IP created during the outsourcing is properly registered by the agreed owner.

Confidential information and trade secrets are protected both through contractual arrangements and various statutory provisions including:

  • Penal Code – which criminalises unauthorised disclosure of trade secrets, imposing penalties for breaches.
  • Civil Code – which requires employees to maintain confidentiality regarding their employer’s trade secrets, even after their employment ends, and also states that actions related to the disclosure of trade secrets are not subject to any limitation periods.
  • Commercial Companies Law – which imposes penalties for the misuse of company secrets, including imprisonment and fines.
  • DIFC IP Law – which provides a clearer definition of trade secrets and outlines the rights of owners, acts of misappropriation, and available remedies within the DIFC.

As a result, misuse of confidential information or trade secrets can potentially attract both civil and criminal liability.

Data protection and cybersecurity

The PDPL establishes a comprehensive framework governing personal data processing, including requirements for lawful processing, security measures, and cross-border data transfer restrictions.

Separate regimes apply in the DIFC and ADGM, which each have their own data protection frameworks. Outsourcing arrangements typically incorporate data processing agreements and impose wide-ranging compliance obligations on suppliers.

Cybersecurity is governed by the Cybercrime Law and supplemented by both federal and Emirate-specific standards. These include:

Federal

  • Cabinet Decision No. 21/2013 On Information Technology Security Regulations at Federal Government Entities;
  • UAE Information Assurance Regulation;
  • National Cybersecurity Accreditation Program; and
  • National Cloud Security Policy.

Dubai

  • Information Security Regulation; and
  • Cloud Service Provider (CSP) Security Standard.

Abu Dhabi

  • Information Security Policy and Information Security Standards; and
  • Data Management Policy and Data Management Standards.

Outsourcing contracts commonly include detailed provisions on information security, incident response and related audit rights.

There is no overarching regime for non-personal data, although sector-specific rules may apply.

Technology considerations

Cloud computing is widely adopted and subject to regulatory guidance in certain sectors, including the CBUAE’s guidance on cloud outsourcing.

Emerging technologies such as artificial intelligence and automation are encouraged, although a unified regulatory framework for AI is still developing.

Blockchain and ‘distributed ledger’ applications are also regulated in certain financial free zones such as ADGM.

Employment law

There are no specific outsourcing requirements under the Labour Law, and the UAE does not recognise the automatic transfer of employees on outsourcing (i.e. there is no equivalent to the ‘TUPE’ regime found under UK law).

Where relevant, employees must generally be terminated and rehired with consent, in accordance with the Labour Law.

End-of-service benefits must also be paid on termination unless alternative structures (such as secondments or group transfers) are implemented.

Tax

Federal corporate tax was introduced under Federal Decree-Law No. 47 of 2022 and is relevant to outsourcing structures, particularly intra-group arrangements. VAT at 5% also applies to most outsourced services.

Transfer pricing rules may also apply, and cross-border arrangements may require treaty analysis (although withholding taxes are generally limited).

ESG considerations

While there are no outsourcing-specific ESG requirements, broader frameworks are increasingly relevant. These include anti-bribery provisions under Articles 234 and 237 of the Penal Code which criminalise the offering, receiving, or soliciting of bribes, by both public officials and private sector employees, and sustainability initiatives aligned with the UAE’s net-zero strategy.

In addition to federal laws, individual Emirates like Dubai and Abu Dhabi have their own regulations that complement the federal framework. For instance, both Dubai Law No. 4 of 2016 on Financial Crimes and Abu Dhabi Law No. 6 of 2016 on Human Resources include various provisions to combat corruption.

As a result, ESG considerations are increasingly embedded in outsourcing contracts, particularly in relation to supply chain compliance and corporate governance.

Cross-border considerations

Cross-border outsourcing raises a number of issues, including:

  • personal data transfer restrictions under the PDPL and/or free zone data protection regimes;
  • data residency requirements in relation to certain data within specific sectors, including financial services, healthcare and critical national infrastructure;
  • regulatory approval requirements in sectors such as financial services and healthcare;
  • export control and sanctions compliance; and
  • governing law and dispute resolution considerations.

Liability

Liability in outsourcing contracts is generally subject to contractual allocation.

However, limitations of liability may not be enforceable in cases of fraud, gross negligence or certain mandatory statutory liabilities under the Civil Code.

Courts in the UAE also retain discretion to adjust agreed damages.

As a result, and due to the scale of potential damages, many outsourcing contracts are governed by English law to provide additional certainty that liability limits in the contract are applied as agreed between the parties.

Dispute resolution and enforcement

Disputes are commonly resolved through UAE court proceedings for contracts with locally-based service providers. Alternatively, arbitration (including via the Dubai International Arbitration Centre (DIAC) and ADGM arbitration frameworks) is often used for contracts with foreign outsourced service providers, due to it being generally easier to enforce arbitral awards (rather than UAE or free zone court judgments) in foreign jurisdictions.

Remedies include damages, specific performance and/or termination. It is important to note that the UAE’s local courts do not typically award specific performance as a remedy, although courts in the DIFC and the ADGM would do so. Therefore, careful consideration should be given to the forum for dispute resolution.

Regulatory enforcement is particularly relevant in regulated sectors. Authorities such as the CBUAE, DFSA and ADGM FSRA may impose fines, licensing restrictions, or other sanctions for non-compliance.

Data protection breaches under the PDPL and cybersecurity violations under the Cybercrime Law may also give rise to administrative or criminal penalties.

Please reach out to our Technology, Data & Outsourcing team if you have any queries or requirements related to outsourcing in the UAE.