Table of Contents
Frequently Asked Questions
What does activity code 6202.95 permit a cyber risk testing business to do in Dubai
Activity code 6202.95, formally titled "Auditing, Reviewing & Testing Cyber Risks," permits a licensed entity to provide structured assessments of an organisation's digital security posture. Permitted services include penetration testing, vulnerability assessments, security architecture reviews, compliance audits, and red-team engagements.
There is an important operational distinction between passive and active services. Passive work — reviewing policies, assessing configurations, and producing gap analyses — sits comfortably within the licence scope. Active testing that simulates real attacks against live systems requires a clearly scoped, written contractual mandate from the client before work begins.
Is written client authorisation legally required before conducting active penetration tests in the UAE
Yes. Conducting active tests against live systems without written authorisation carries criminal liability under UAE cybercrime law, regardless of commercial intent or the tester's qualifications. A clearly scoped contractual mandate from the client is a non-negotiable prerequisite.
This requirement applies even when both parties have an existing commercial relationship. Each active engagement should be covered by its own documented scope of work specifying the systems, timeframes, and methods permitted.
Which regulatory authority oversees cyber risk testing businesses in the UAE
The Telecommunications and Digital Government Regulatory Authority (TDRA) is the primary body overseeing cybersecurity service providers operating in the UAE. It sets the overarching regulatory framework for firms in this sector.
Depending on the nature of your clients — particularly telecommunications operators or government-adjacent entities — sector-specific approvals or formal registration with the TDRA may be required before you commence active engagements. Firms serving critical national infrastructure operators should confirm their registration obligations early in the setup process.
What is the projected size and growth rate of the UAE cybersecurity market
According to Mordor Intelligence, the UAE cybersecurity market is projected to reach USD 1.3 billion by 2029, growing at a compound annual growth rate (CAGR) of approximately 14%. This growth is being driven by mandatory compliance frameworks, the UAE National Cybersecurity Strategy, and a measurable increase in incident frequency across both public and private sectors.
The UAE also ranks among the top three most targeted countries in the Middle East for cyberattacks, which directly intensifies demand for independent testing and assurance services.
Who are the primary target clients for a cyber risk testing business in Dubai
The main client segments include financial institutions, government contractors, healthcare providers, logistics operators, and mid-market SMEs expanding their digital footprint. Banks and insurance firms face regulatory pressure from the Central Bank of the UAE to demonstrate ongoing security assurance, making them reliable buyers of testing services.
Healthcare entities regulated by the Dubai Health Authority are increasingly required to evidence data security controls. Government contractors and entities operating near critical infrastructure also represent a significant and growing segment as compliance obligations tighten across the region.
What revenue models are common for cyber risk testing firms in the UAE
Revenue models typically combine two structures. Project-based engagements involve a defined deliverable — such as a penetration test report or compliance audit — billed as a one-time fee. These are common for new client relationships and specific regulatory deadlines.
Retainer arrangements are equally standard and arguably more valuable commercially. Clients pay a monthly fee for continuous monitoring, quarterly assessments, or on-call advisory support. Retainers produce predictable recurring revenue and are the preferred model among established cyber risk firms looking to build a stable, scalable business.
How does UAE Federal Decree-Law No. 45 of 2021 affect a cyber risk testing business
UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection imposes compliance obligations on any firm that handles client data during engagements. Because cyber risk testing often involves accessing, reviewing, or processing sensitive organisational data, your business will likely be subject to its requirements as a data processor.
Practically, this means you should have appropriate data handling agreements in place with clients, implement controls to limit data retention, and ensure your team understands their obligations when personal data is encountered during testing activities. Non-compliance can expose both your firm and your clients to regulatory risk.
Why is Meydan Free Zone mentioned as a suitable jurisdiction for setting up a cyber risk testing company in Dubai
Meydan Free Zone is highlighted as a route to establishing a fully-owned entity for cyber risk testing with minimal friction. Free zones in the UAE generally allow 100% foreign ownership, which is a significant advantage for international founders who do not want a local partner.
The activity code 6202.95 for auditing, reviewing, and testing cyber risks can be licensed through Meydan Free Zone, making it a practical starting point for founders targeting the UAE and broader regional market. The free zone structure also typically offers streamlined incorporation processes compared to mainland licensing routes, which can reduce time-to-market for new entrants.
How to Start a Cyber Risk Testing Business in Dubai
Dubai's rapid digital expansion has made cyber risk testing one of the most commercially viable professional services a founder can licence in the UAE right now. As enterprises, government entities, and critical infrastructure operators accelerate their digital transformation, the demand for independent, qualified cyber risk professionals has moved well ahead of supply.
This guide covers what activity code 6202.95 permits, who your clients are, and how to establish a fully-owned entity via Meydan Free Zone with minimal friction.
Key Stats at a Glance
- The UAE cybersecurity market is projected to reach USD 1.3 billion by 2029, growing at a CAGR of approximately 14%, according to Mordor Intelligence.
- The UAE ranks among the top three most targeted countries in the Middle East for cyberattacks, driving urgent demand for independent testing services.
- The Telecommunications and Digital Government Regulatory Authority (TDRA) oversees cybersecurity service providers operating in the UAE.
- UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection imposes compliance obligations relevant to any firm handling client data during engagements.
- Dubai's Digital Dubai strategy positions the emirate as a regional technology hub, directly expanding the addressable market for cyber risk services.
What Cyber Risk Testing Actually Covers in the UAE
Activity code 6202.95 — formally titled "Auditing, Reviewing & Testing Cyber Risks" — permits a licensed entity to provide structured assessments of an organisation's digital security posture. In practice, this covers penetration testing, vulnerability assessments, security architecture reviews, compliance audits, and red-team engagements.
The distinction between advisory consulting and active testing matters operationally. Passive services — reviewing policies, assessing configurations, producing gap analyses — sit comfortably within the licence scope. Active testing, where your team simulates real attacks against live systems, requires a clearly scoped contractual mandate from the client. Conducting active tests without written authorisation carries criminal liability under UAE cybercrime law, regardless of commercial intent.
The TDRA governs cybersecurity service providers in the UAE and sets the overarching regulatory framework. Depending on the nature of clients you serve — particularly telecommunications operators or government-adjacent entities — sector-specific approvals or registration with TDRA may apply before you commence active engagements.
Business Activities List
Explore Over 2,500+Market Opportunity and Target Clients
The UAE cybersecurity market is on a sustained growth curve. According to Mordor Intelligence, regional spend is being driven by mandatory compliance frameworks, the UAE National Cybersecurity Strategy, and a measurable increase in incident frequency across both public and private sectors.
Your primary client segments are financial institutions, government contractors, healthcare providers, logistics operators, and mid-market SMEs expanding their digital footprint. Banks and insurance firms face regulatory pressure from the Central Bank of the UAE to demonstrate ongoing security assurance. Healthcare entities regulated by the Dubai Health Authority are increasingly required to evidence data security controls.
Revenue models in this sector typically combine project-based engagements — a penetration test or compliance audit with a defined deliverable — with retainer arrangements where clients pay a monthly fee for continuous monitoring, quarterly assessments, or on-call advisory support. Retainers produce predictable recurring revenue and are standard practice among established cyber risk firms.
Regulatory Considerations for Cyber Risk Testing in Dubai
TDRA oversight is the primary regulatory consideration. Firms offering cybersecurity services to licensed telecommunications operators or entities operating critical national infrastructure may need to complete a formal registration or approval process with TDRA before commencing work. Confirm your specific client profile against TDRA's current requirements before signing your first contract in those sectors.
UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection applies directly to this business. During any engagement, your team will inevitably access or process client data. You must have documented data handling procedures, retention policies, and data processing agreements in place. Non-compliance is not a theoretical risk — it carries financial penalties.
Scope-of-work agreements are non-negotiable in this sector. Every active testing engagement must be governed by a written contract specifying the systems in scope, the testing window, the authorised methods, and liability limitations. Engagements with government entities or critical infrastructure operators may additionally require security clearances for individual consultants, which can extend onboarding timelines significantly.
Free Business Setup Cost Calculator
Calculate NowSetting Up via Meydan Free Zone: Licence Steps and Costs
Meydan Free Zone issues professional and technology licences that include activity code 6202.95. The structure suits a cyber risk testing firm well: 100% foreign ownership, no local sponsor required, and the entire setup process can be completed remotely.
The core steps are straightforward:
- Name reservation: Select and reserve your company name, ensuring it does not conflict with reserved terms or existing registrations.
- Activity selection: Confirm 6202.95 as your primary activity. You may add complementary activities such as IT consulting if your service model requires it.
- Document submission: Passport copies for all shareholders and directors, a business plan summary, and completed application forms.
- Licence issuance: Once documents are approved, the licence is issued. Timelines are typically five to seven working days for straightforward applications.
- Visa allocation: Your licence package determines how many employment and investor visas you can apply for. Meydan packages are structured to suit sole operators through to small teams.
Licence costs at Meydan Free Zone are competitive relative to other Dubai free zones, with packages designed to include the licence fee, registration, and a defined visa quota. There are no requirements for a physical office to begin; flexi-desk arrangements satisfy the registered address requirement for most professional licences.
Start Your UAE Company Remotely
Get in Touch NowConclusion
Cyber risk testing is a high-margin, scalable professional service with strong and growing demand across Dubai's private and public sectors. The regulatory environment is navigable, the client base is expanding, and the free zone model gives you full ownership and operational flexibility from day one.
Meydan Free Zone offers one of the most straightforward paths to a legitimate, fully-owned licence under activity code 6202.95. Use the cost calculator to estimate your setup investment, or speak directly with the Meydan team to confirm activity eligibility and get your application moving.
References
- Mordor Intelligence (mordorintelligence.com)
- Telecommunications and Digital Government Regulatory Authority (TDRA) (tdra.gov.ae)
- Digital Dubai (digitaldubai.ae)
- Dubai Health Authority (dha.gov.ae)
