A forwarded voice note, a screenshot posted in anger, a spoofed invoice paid without a second glance — in the UAE these are not social missteps but potential criminal conduct. Federal Decree-Law No. 34 of 2021 governs a landscape where the boundary between an ordinary online act and a prosecutable offence is narrower than most businesses and residents assume.
The governing statute
Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrimes came into force on 2 January 2022, replacing the earlier Federal Law No. 5 of 2012. It is a deliberately expansive instrument. Where the 2012 law was drafted for an era of desktop hacking and email fraud, the 2021 framework was written for a population that conducts its commercial and personal life through messaging apps, social platforms and cloud systems. The consequence is that a great deal of everyday digital behaviour now sits within reach of the criminal law.
The statute criminalises a wide catalogue of conduct. Broadly, these fall into three families: attacks on systems and data; offences of deception and forgery committed by electronic means; and offences of expression and privacy carried out online.
Attacks on systems and data
- Unauthorised access and hacking — entering a website, network, account or information system without authority, with penalties escalating sharply where the intrusion targets government data or the confidential information of financial, commercial or economic institutions.
- Interception, disruption and damage — obstructing or intercepting data flows, or damaging, deleting or altering electronic information.
- Data theft and misuse of personal data — obtaining, copying or handling data unlawfully, including personal data processed contrary to law.
Deception and forgery
- Online financial fraud and phishing — using a network or IT means to seize money or data by deception, including fraudulent websites, spoofed communications and social-engineering schemes.
- Identity theft and impersonation — assuming another's identity, or creating fake accounts and profiles.
- Electronic forgery — forging electronic documents, whether governmental or private.
Expression and privacy
- Breach of privacy — photographing, recording, copying or publishing images, conversations or information of others without consent, even where the material is true and even where the person recorded it themselves.
- Defamation and insult — attributing to a person facts that expose them to punishment or contempt, or insulting their honour, when done through a network.
- False news and rumours — publishing or re-sharing false information liable to harm public order, public health, national security, the economy or the country's reputation.
Why this matters to business — and to ordinary residents
For companies, the commercial exposure is real and rising. Business email compromise, invoice-redirection fraud and phishing against finance teams are prosecuted as electronic fraud; data breaches and the theft of client databases engage the data-misuse provisions. But the offences that most often ambush otherwise careful people are those of expression and privacy. A manager who circulates a departing employee's photograph, a WhatsApp group where a supplier is called a "fraud", a screenshot of a private chat shared to prove a point — each can found a complaint. Critically, truth is not a complete defence to a privacy charge: publishing someone's image or private communication without consent can be an offence in its own right, independent of whether the content is accurate or defamatory.
Truth is not a shield. Under UAE law, publishing another person's image or private conversation without their consent can be a crime even when every word of it is true.
Penalties and process
The penalty architecture is severe and tiered. Fines commonly run from AED 250,000 upward, with the more serious offences carrying fines into the millions and, for corporate intermediaries, exceptional ceilings. Imprisonment attaches to most categories, temporary imprisonment of seven years or more being reserved for the gravest conduct such as attacks on state data or systems. For expatriates — who form the majority of the population — a conviction frequently carries deportation, often with a re-entry ban, so that a cybercrime finding can end a career and a residence in a single stroke. Courts may also order confiscation of devices and deletion of offending material.
Proceedings are criminal. A complaint is lodged with the police cybercrime units — in Dubai through the eCrime portal, elsewhere through the Ministry of Interior channels, the federal Public Prosecution's reporting tools or the relevant emirate's police service — and, once registered, is investigated and referred to the Public Prosecution, which decides whether to charge. Because many of these offences are complaint-driven, an amicable resolution or a withdrawn complaint can be decisive; in several categories a settlement or waiver by the victim materially changes the trajectory of a case.
Data protection, AML and the evidential dimension
The cybercrime regime does not operate in isolation. It sits alongside the UAE's Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), so that a single incident — the theft or leak of a customer database — can generate both criminal exposure and data-protection consequences. Where online fraud produces proceeds that are moved or layered, the anti-money-laundering framework (Federal Decree-Law No. 20 of 2018 and its amendments) is engaged, and regulated businesses carry reporting duties of their own.
Evidence is where cyber matters are won or lost. Digital proof — messages, logs, headers, transaction trails, device data — is volatile and easily challenged on authenticity and chain-of-custody grounds. Victims should preserve everything early: full screenshots with timestamps and URLs, original files and metadata rather than re-saved copies, banking records and correspondence, and, in fraud cases, immediate notification to the bank to attempt recall of funds. The accused, equally, should resist the instinct to delete: destroying material can compound exposure, and the better course is disciplined preservation and early legal advice.
Practical strategy
For a company that has suffered fraud or intrusion, speed matters more than blame: freeze and trace funds through the bank, preserve the technical evidence, file promptly with the cybercrime unit, and run the internal review in parallel with the criminal complaint. For an individual or business that finds itself accused — most commonly over a social-media post or a shared recording — the priorities are restraint and negotiation: say nothing further online, preserve context, and explore, where the offence permits, a settlement or withdrawal of complaint before positions harden. In both roles, the decisive advantage lies in acting within days, not weeks.
Instruments referenced: Federal Decree-Law No. 34 of 2021 on Combating Rumours and Cybercrimes (replacing Federal Law No. 5 of 2012); Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data; Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering (as amended). This page is general information, not legal advice.