Law No. (11) of 2014

Establishing the

Dubai Centre for Electronic Security[1]

ــــــــــــــــــــــــــــــــــــــــــــــ

We, Mohammed bin Rashid Al Maktoum, Ruler of Dubai,

After perusal of:

Federal Law No. (3) of 1987 Issuing the Penal Code and its amendments;

Federal Law No. (7) of 2002 Concerning Copyright and Related Rights and its amendments;

Federal Law No. (1) of 2006 Concerning Electronic Transactions and e-Commerce;

Federal Law by Decree No. (5) of 2012 Concerning Combating Information Technology Crime;

Law No. (2) of 2002 Concerning Electronic Transactions and e-Commerce;

Law No. (27) of 2006 Concerning Management of the Government of Dubai Human Resources and its amendments;

Law No. (7) of 2009 Establishing the Dubai Smart Government and its amendments;

Law No. (8) of 2010 Concerning the Financial Audit Department and its amendments; and

Executive Council Resolution No. (13) of 2012 Concerning Information Security at the Government of Dubai,

Do hereby issue this Law.

Definitions

Article (1)

The following words and expressions, wherever mentioned in this Law, will have the meaning indicated opposite each of them unless the context implies otherwise:

Emirate:

The Emirate of Dubai.

Government:

The Government of Dubai.

Government Entities:

Government departments, agencies, public corporations, councils, and authorities, including free zone authorities, and any other entity affiliated to the Government.

DCES:

The Dubai Centre for Electronic Security established pursuant to this Law.

Board of Directors:

The board of directors of the DCES.

Executive Director:

The executive director of the DCES.

Government Information:

The Government Information, data, documents, and Information resources whether printed, written on paper, Electronically saved, processed, sent by post or Electronic media, appearing in video or audio recordings, or disclosed during face to face conversations or through any other means of communication.

Information System:

A physical or virtual implement or set of interrelated or independent implements that are used to store, sort, organise, retrieve, process, develop, and exchange Information in accordance with saved commands and instructions. This includes all inputs, outputs, and infrastructure related to the Information System. Information Systems are used by Government Entities to manage and process Information.

Establishment of the DCES

Article (2)

Pursuant to this Law, a public corporation named the “Dubai Centre for Electronic Security” is established and will have legal personality, financial and administrative autonomy, and the legal capacity required to undertake all acts and dispositions that ensure the achievement of its objectives.

Head Office of the DCES

Article (3)

The head office of the DCES will be located in the Emirate.

Objectives of the DCES

Article (4)

The DCES aims to:

1.       protect Government Information, telecommunication networks, and Information Systems in the Emirate;

2.       develop, modify, and use the necessary means of Electronic security; and

3.       enhance, through Information Systems or any other Electronic means, the efficiency of Information storage and exchange in all Government Entities in the Emirate.

Functions of the DCES

Article (5)

The DCES is the Government Entity responsible for maintaining Government Information Security in the Emirate. For this purpose, the DCES may:

1.       set and implement the Government Information Security policy of the Emirate;

2.       set, and supervise the implementation of, standards for ensuring Electronic security in the Emirate;

3.       prepare, in coordination with concerned Government Entities, a strategic plan to manage any risks, threats, or attacks on Government Information;

4.       verify the efficiency of the telecommunication network security systems and Information Systems of Government Entities;

5.       monitor compliance by Government Entities with the Information Security requirements issued by the DCES, and follow up implementation of these requirements;

6.       combat various cybercrimes and Information technology crimes;

7.       coordinate with Government, regional, and international entities with respect to the work of the DCES;

8.       provide technical and advisory support to all Government Entities in the Emirate;

9.       receive complaints and suggestions related to Government Information Security;

10.   prepare and finance the studies and research required to develop Electronic security in the Emirate in coordination with Government Entities;

11.   set, in coordination with Government Entities in the Emirate, the necessary rules for authorising the import, export, and use of encryption and jamming software and devices, and provide telecommunication network and Information System penetration testing services;

12.   propose legislation concerning Electronic security;

13.   raise awareness, in coordination with Government Entities, of the importance of Electronic security; and

14.   hold, and participate in, conferences and seminars, and cooperate with regional and international organisations in relation to the work of the DCES.

Board of Directors

Article (6)

1.       The DCES will have a Board of Directors comprised of a chairman, vice chairman, and a number of experienced and competent members appointed pursuant to a resolution of the Ruler. The term of membership of the Board of Directors will be three (3) years, renewable upon expiry.

2.       The Board of Directors will be convened at the invitation of its chairman, or vice chairman where the chairman is absent, at least once every two (2) months, or where necessary. Meetings of the Board of Directors will be valid if attended by the majority of its members provided that the chairman or vice chairman is in attendance.

3.       The Board of Directors will pass its resolutions by majority vote, and in the event of a tie, the chair of the meeting will have a casting vote. Resolutions of the Board of Directors will be recorded in minutes of meetings signed by the chair of the meeting and attending members.

Functions of the Board of Directors

Article (7)

a.       The Board of Directors is the highest authority in charge of managing the affairs of the DCES, and will be responsible for achieving the objectives and implementing the policies for which the DCES is established. The Board of Directors will exercise the authorities and powers required to achieve the objectives of the DCES, and, in particular, may:

1.       set, and oversee the implementation of, the general policy of the DCES;

2.       approve and review the work plans and programmes of the DCES, and assess their applicability on annual basis;

3.       set the strategic goals of the DCES and the procedures required to oversee the implementation of the same, provided that these goals are reviewed, and compliance with them is assessed, on annual basis;

4.       take the necessary action to ensure compliance by the DCES with the laws, the resolutions and regulations issued in pursuance of these laws, and any legislation related to the work and activities of the DCES;

5.       assess and follow up the executive management of the DCES, and ensure that it achieves the objectives of the DCES;

6.       approve the organisational structure of the DCES;

7.       approve the annual budget and final accounts of the DCES;

8.       form permanent and temporary committees and specialised work teams, and determine their duties and powers in order to achieve the objectives of the DCES;

9.       determine the duties of each member of the Board of Directors in a manner that ensures integration of their roles to achieve the objectives of the DCES;

10.   review, and make the necessary comments on, the performance reports submitted by the Executive Director; and

11.   perform any other duties related to the objectives of the DCES.

b.       The Board of Directors may delegate any of the powers stipulated in paragraph (a) of this Article to the chairman or any member of the Board of Directors, or to the Executive Director.

Executive Body

Article (8)

1.       The executive body of the DCES will be comprised of the Executive Director and a number of administrative, financial, and technical employees.

2.       The rights and duties of the DCES employees, and the rules governing their selection and appointment will be determined pursuant to employment regulations approved by the Board of Directors for this purpose.

Executive Director

Article (9)

1.       An Executive Director will be appointed to the DCES pursuant to a resolution of the Board of Directors.

2.       The Executive Director will be directly responsible to the Board of Directors for performing his duties pursuant to this Law and the resolutions issued in pursuance hereof, and for performing any duties assigned by the chairman of the Board of Directors.

Functions of the Executive Director

Article (10)

The Executive Director will supervise the daily work, and manage and regulate the business, of the DCES, and represent it in its relations with third parties and before judicial authorities. In particular, the Executive Director will have the duties and powers to:

1.       propose the policies, strategic, development, and operational plans, initiatives, and programmes that will achieve the objectives of the DCES, and submit these to the Board of Directors;

2.       prepare work plans and programmes, and projects related to these plans and programmes, and submit these to the Board of Directors for approval;

3.       prepare the organisational structure, administrative, financial, and human resources bylaws, and contracting, project, and auction regulations, and submit these to the Board of Directors for approval;

4.       prepare, and submit to the Board of Directors, the draft annual budget and final accounts of the DCES;

5.       appoint the technical and administrative staff required to perform the work of the DCES in accordance with its internal regulations and bylaws;

6.       submit to the Board of Directors annual reports on the performance of the DCES;

7.       implement and follow up the resolutions passed, and the policies, plans, and programmes set by the Board of Directors;

8.       approve financial transactions subject to the rules stipulated by the financial regulations and bylaws applicable in the DCES;

9.       sign, in the name of the DCES and on its behalf, on contracts, agreements, and memoranda of understanding in accordance with the relevant powers granted to the Executive Director by the Board of Directors;

10.   supervise the directorates and organisational units of the DCES, prepare periodic and annual reports on the progress of its work, and submit these reports to the Board of Directors;

11.   contract with experts and advisers, and determine and pay their remuneration, in accordance with the bylaws applicable in the DCES; and

12.   perform any other duties assigned by the Board of Directors.

Confidentiality

Article (11)

All data and Information provided to the DCES by Government Entities in relation to the duties of the DCES will be deemed confidential. Neither the DCES nor any of its personnel may provide or disclose these data and Information to third parties, or use the same for other than their intended purposes.

Obligations of Government Entities

Article (12)

Government Entities and persons must abide by the regulations, standards, and rules issued by the DCES in relation to the field of Electronic Information, and must provide all data and Information required by the DCES to perform its duties. These entities must also meet Electronic security requirements in accordance with the provisions of this Law and the resolutions issued in implementation hereof.

Maintaining Information Security

Article (13)

Government Entities may issue and implement bylaws, regulations, and plans to achieve Information Security in accordance with the nature of their work, provided that these bylaws, regulations, and plans do not contradict the provisions of this Law and the resolutions issued in implementation hereof.

Supervisory Role of the DCES

Article (14)

The DCES may take any action required to monitor telecommunication networks and Information Systems in the Emirate to protect them from unauthorised access. The DCES may identify the flaws in telecommunication network and Information Systems to avoid any breach of the provisions of this Law.

Urgent Measures

Article (15)

1.       The DCES will set the rules required to prevent any attempt to interrupt, disrupt, vandalise, or alter telecommunication networks or contents of Information Systems. It may take any action to prevent any such acts or attempts within and outside of the Emirate.

2.       In emergency and urgent situations, the DCES will be authorised to monitor, penetrate, tackle, cancel, disrupt, or block the telecommunication networks and devices, Information Systems, or Electronic Mail of any person or entity where it is proved to the satisfaction of the DCES that this person or entity participates in any act that may compromise the security, beliefs, economy, heritage, culture, or public order of the Emirate, its relations with others, the vital establishments and public and private entities in the Emirate, or the life or property of any person. In these circumstances, the competent public prosecution authority must be notified, within one (1) week, of the measure taken by the DCES, in order to take the necessary action in respect of that measure.

Financial Resources of the DCES

Article (16)

The financial resources of the DCES will consist of:

1.       support allocated to the DCES in the general budget of the Government;

2.       grants and gifts received by the DCES and accepted by the Board of Directors;

3.       fees and charges for the services provided by the DCES; and

4.       any other resources approved by the Board of Directors.

Accounts and Financial Year of the DCES

Article (17)

1.       In regulating its accounts and records, the DCES will apply the rules and principles of government accounting.

2.       The financial year of the DCES will commence on 1 January and will end on 31 December of each year, except that the first financial year will commence as of the date this Law comes into force and will end on 31 December of the following year.

Law Enforcement Officers

Article (18)

The employees of the DCES nominated by the Board of Directors will have the capacity of law enforcement officers to record the acts committed in breach of the provisions of this Law and the instructions issued in pursuance hereof, and to issue the necessary violation reports.

Issuing Implementing Resolutions and Bylaws

Article (19)

The chairman of the Board of Directors will issue the resolutions and bylaws required for the implementation of this Law.

Transitional Provisions

Article (20)

All powers, duties, and obligations of the Dubai Smart Government Department pursuant to Executive Council Resolution No. (13) of 2012 Concerning Information Security at the Government of Dubai will be transferred to the DCES.

Dissolution

Article (21)

The Information Security Committee formed pursuant to Executive Council Resolution No. (13) of 2012 Concerning Information Security at the Government of Dubai will be dissolved, and the Board of Directors will perform all functions assigned to it.

Repeals

Article (22)

Any provision in any other legislation will be repealed to the extent that it contradicts the provisions of this Law.

Commencement and Publication

Article (23)

This Law comes into force on the day on which it is issued, and will be published in the Official Gazette.

 

Mohammed bin Rashid Al Maktoum

Ruler of Dubai

Issued in Dubai on 4 June 2014    

Corresponding to 6 Shaban 1435 A.H.   


© 2014 The Supreme Legislation Committee in the Emirate of Dubai

[1]Every effort has been made to produce an accurate and complete English version of this legislation. However, for the purpose of its interpretation and application, reference must be made to the original Arabic text. In case of conflict the Arabic text will prevail.