UAE Cyber Security Council's New Recovery Centre: What Gulf Operators Should Read Into It
On 22 June 2026 the UAE Cyber Security Council and Commvault launched an Innovation Center of Excellence in Abu Dhabi focused on cyber recovery and recovery simulation. The signal for Gulf operators is that the regulator is now weighting recoverability, not just prevention. Against a backdrop of 600,000-800,000 daily breach attempts on the UAE, treat tested restore capability as the compliance expectation it is becoming.
Who this applies to: UAE-based and GCC operators, DPAs, fleet IT and OT managers, and compliance officers handling critical infrastructure or personal data under PDPL.
On 22 June 2026, the UAE Cyber Security Council (CSC) and Commvault launched an Innovation Center of Excellence in Abu Dhabi. It is easy to file this under vendor-partnership news and move on. Don't. The framing the CSC chose around the announcement is the useful part, and it points at where the regulator's expectations are heading.
What actually happened?
The UAE Cyber Security Council and Commvault launched an Innovation Center of Excellence in Abu Dhabi, said to mark an important step in advancing resilient operations across the UAE. The centre was unveiled during Commvault's SHIFT Dubai roadshow at the Museum of the Future and will serve as a regional hub for cyber-resilience research, innovation and digital infrastructure protection, bringing together government entities, critical infrastructure operators, universities, startups and technology partners.
The language from the top matters more than the venue. H.E. Dr. Mohamed Al Kuwaiti, Head of Cybersecurity for the UAE Government, said cyber resilience is a national imperative that requires more than the ability to defend — it requires the capacity to recover, and that the centre brings enterprise-grade recovery simulation and structured talent certification to government entities and critical infrastructure operators.
There is also a workforce component. The CSC and Commvault will introduce a self-paced e-learning programme giving university students access to cyber-resilience training and certification, with those completing it eligible for a practitioner certification covering enterprise data protection, cloud technologies and cyber-recovery.
Why does a "recovery centre" matter to operators?
Because the emphasis is deliberate. For years the compliance conversation in the Gulf ran on prevention — firewalls, segmentation, awareness training. The CSC's own framing now explicitly separates defence from recovery and puts weight on the second. When a national cyber authority stands up a facility around recovery simulation, it is telling regulated entities where audit and expectation are drifting.
That drift is grounded in the threat picture the CSC itself has published. In early February 2026, before the regional conflict escalated, the UAE saw roughly 90,000 to 200,000 breach attempts a day; following the start of military operations, the daily average rose to between 600,000 and 800,000 breach attempts, according to CSC chairman Mohamed Al Kuwaiti. The mix also shifted, from denial-of-service boasts by hacktivists to more serious claims of intrusion and compromise.
The attacker toolset has moved too. In February the CSC reported thwarting organised attacks on vital sectors. The Council said the attacks included attempts to infiltrate networks, deploy ransomware and conduct systematic phishing campaigns targeting national platforms, and involved the exploitation of AI to develop more sophisticated offensive tools. Its head has said more than 70% of the threat actors targeting the country are state-sponsored groups.
When the regulator's public message moves from "keep them out" to "prove you can recover," the compliance bar moves with it. Recoverability — tested, timed, evidenced — is becoming the thing you will be asked to demonstrate.
| Area | What it covers | Status |
|---|---|---|
| Prevention | Firewalls, segmentation, MFA, awareness | Baseline — Still required, but no longer the headline. Phishing remains the dominant entry vector the CSC warns about. |
| Recovery | Backups, restore testing, recovery simulation | Rising — The CSC's explicit new emphasis. Enterprise-grade recovery simulation is now being promoted at national level. |
| Workforce | Certification, talent pipeline | Pending — New e-learning and practitioner certification aimed at closing the regional skills gap. |
How does this connect to PDPL obligations?
Recoverability is not just an operational nicety in the UAE — it maps onto data protection duties. Under the Federal Decree-Law No. 45 of 2021 (the Personal Data Protection Law), an integrated framework to ensure the confidentiality of information and protect the privacy of individuals, controllers holding personal data are obliged to secure it and maintain its confidentiality and privacy. The PDPL also carries mandatory breach reporting and a requirement for appropriate technical and organisational measures.
For a Gulf operator, that means recovery capability is doing double duty: it limits the operational damage of a ransomware event, and it supports the "adequate security measures" position you need to defend under PDPL if personal data is affected. If your restore process is untested, you are exposed on both fronts at once.
Two caveats worth stating plainly. First, the PDPL's executive regulations and the empowerment of the UAE Data Office have moved unevenly — verify the current position with the UAE Data Office / TDRA before treating any specific article-level deadline as fixed. Second, if you operate in DIFC or ADGM, those free zones run separate data protection regimes with their own regulators; the mainland PDPL does not apply to you in the same way. Check which regime binds each entity.
What should operators do now?
This is a signal to act on, not a product to buy. The practical work is boring and effective.
Next 30 days
- Confirm you have a current, offline or immutable backup of critical IT and OT systems — not just a backup job that reports success.
- Run one unannounced restore test of a genuinely business-critical system and time it. Record the actual recovery time.
- Map which of your systems hold PDPL-scoped personal data, so a recovery priority order exists before you need it.
Next 90 days
- Write or refresh a recovery and reconstitution plan with named owners and alternates, covering both IT and OT.
- Tabletop a ransomware scenario that assumes backups were targeted — attackers increasingly go for backup systems first.
- Review vendor and third-party remote-access paths; these remain the highest-risk pathway into ship and shore systems alike.
Ongoing
- Track CSC and TDRA-aeCERT advisories and patch against them promptly.
- Build recovery testing into a regular cycle, not a one-off, and keep timestamped evidence for auditors and insurers.
- Close the responsibility gaps — most teams fail on unclear ownership, not on advanced tooling.
The regulator has now said, in as many words, that the capacity to recover is a national priority. For fleet IT managers and DPAs in the Gulf, the honest question is simple: if a critical system were encrypted tonight, do you actually know your recovery time — because you have measured it — or are you guessing? If it is the latter, that is the gap to close first.
If you want an independent, evidence-based assessment of your recovery posture against PDPL obligations and CSC expectations, book a consultation with Solas Security.

