Cloud Compliance

Navigate cloud regulations with confidence—our Cloud Compliance Guide helps you understand requirements, ensure data security, and stay aligned with industry standards across all major platforms.

Cloud Compliance Guide for Pakistan & UAE: SBP, NESA, and International Standards

Cloud adoption is speeding up across Pakistan and the UAE. However, for businesses in regulated industries, moving to the cloud goes beyond a technology decision. It is fundamentally a compliance decision.

Banks, FinTech companies, government agencies, and enterprises that handle sensitive data face strict rules. They must meet these requirements before, during, and after their cloud migration.

Pakistan’s Regulatory Landscape

In Pakistan, the State Bank of Pakistan (SBP) regulates how financial institutions outsource workloads to cloud providers. The SBP released its 2023 Framework on Outsourcing to Cloud Service Providers. This framework sets clear rules on data residency, risk management, vendor due diligence, and security controls. As a result, every bank, microfinance institution, digital bank, and payment service provider must follow these guidelines.

UAE’s Regulatory Landscape

In the UAE, the National Electronic Security Authority (NESA) operates under the Signals Intelligence Agency (SIA). NESA created the Information Assurance Standards (IAS). These standards include 188 cybersecurity controls for government entities and critical infrastructure operators.

Additionally, the Telecommunications and Digital Government Regulatory Authority (TDRA) sets rules for cloud security and data residency. The Personal Data Protection Law (Federal Decree Law No. 45 of 2021) also governs how organizations collect, store, and transfer personal data.

The Cost of Non-Compliance

Failing to comply with these regulations carries serious consequences. Organizations risk financial penalties, operational restrictions, and loss of banking licenses. In severe cases, they may face suspension of business operations.

This guide breaks down the cloud compliance landscape for both countries. Whether you run a bank considering cloud migration, a FinTech startup, or an enterprise expanding into the Gulf, you will find the specific regulations, requirements, and practical steps you need here.

Pakistan SBP Cloud Regulations: What Financial Institutions Must Know

The State Bank of Pakistan (SBP) released its Framework on Outsourcing to Cloud Service Providers in January 2023 (BPRD Circular No. 01 of 2023). This framework replaced earlier directives from 2017 and 2020. Consequently, it now serves as the single governing document for all cloud outsourcing by SBP-regulated entities.

Who Must Comply

The framework covers all SBP-Regulated Entities (REs). Specifically, this includes commercial banks, Islamic banks, digital banks, and microfinance banks. It also applies to development finance institutions (DFIs), electronic money institutions (EMIs), payment system operators (PSOs), and payment system providers (PSPs). Furthermore, it covers all cloud service models (SaaS, PaaS, and IaaS) and all deployment models (public, private, community, and hybrid).

Data Residency and Offshore Rules

One of the most critical aspects of the SBP framework is its tiered approach to data location. Organizations can outsource all workloads to reputable onshore (domestic Pakistani) cloud providers without restriction. However, the rules differ for offshore providers based on entity type and workload criticality.

Banks, microfinance banks, digital banks, DFIs, and designated PSOs/PSPs can outsource their non-material workloads to offshore CSPs. In contrast, outsourcing material workloads offshore requires prior SBP approval on a case-by-case basis. EMIs and non-designated PSOs/PSPs enjoy more flexibility here. They can outsource both material and non-material workloads offshore.

So what counts as a material workload? The SBP defines these as all systems, applications, and services that are fundamental to the entity’s business. If disrupted, they could significantly impact operations, reputation, or profitability.

Key Compliance Requirements

Governance: Every regulated entity must set up a dedicated governance structure for cloud outsourcing. The board of directors and senior management hold ultimate responsibility for all information assets in the cloud.

Due Diligence: Before signing any cloud outsourcing deal, entities must conduct thorough due diligence. Specifically, they should evaluate the provider’s technical competence, financial strength, reputation, and business continuity capabilities. They should also review the provider’s SOC reports (SOC 1, SOC 2, and SOC 3) during evaluation.

Data Security: Organizations must encrypt all data at rest (including backups) and in transit. They should use strong, current encryption methods for this purpose. Additionally, data in the cloud must stay identifiable and logically separate from other customers’ data. The entity keeps full responsibility for data confidentiality and integrity.

Cryptographic Key Management: Regulated entities must retain sole control over their encryption keys and hardware security modules (HSMs). They should rotate keys periodically, following international best practices.

Audit Rights: Internal auditors, external auditors, and SBP staff all have the right to conduct audits and on-site inspections. No restrictions should limit access to cloud-related information assets.

Contingency Planning: Each entity must develop contingency plans for cloud workloads. These plans should include defined Recovery Point Objectives (RPOs) and disaster recovery procedures.

Existing Arrangements: The SBP required all pre-existing cloud arrangements to reach full compliance by December 31, 2023.
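The tiered outsourcing rule and the data-security requirements above can be turned into a pre-migration check that runs over a workload inventory. The block below is an added example (not the SBP’s text and not Sherdil Cloud’s tooling): the entity groupings, the materiality test (a rated impact on operations, reputation, or profitability), the control fields, and the three sample workloads are all assumptions constructed from the summary above, not the circular’s exact wording.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Entity groups as summarised in the framework description above (assumption:
# taken from the prose summary, not from the circular's own definitions).
RESTRICTED_OFFSHORE = {"bank", "mfb", "digital_bank", "dfi",
                       "designated_pso", "designated_psp"}
FLEXIBLE_OFFSHORE = {"emi", "pso", "psp"}   # EMIs and non-designated PSOs/PSPs


@dataclass
class Workload:
    name: str
    impact: Dict[str, int]          # operations / reputation / profitability, rated 0..3
    csp_location: str               # "onshore" or "offshore"
    encrypted_at_rest: bool
    backups_encrypted: bool
    tls_in_transit: bool
    entity_controls_keys: bool      # keys and HSM under the regulated entity's sole control
    logically_separated: bool       # identifiable and separate from other tenants' data
    rpo_hours: Optional[float]      # None means no RPO has been defined
    audit_access_unrestricted: bool  # internal, external and SBP auditors can inspect


def is_material(w: Workload, threshold: int = 2) -> bool:
    """Material = disruption would significantly impact operations, reputation,
    or profitability. 'Significantly' is modelled as a rating >= threshold (assumption)."""
    return any(v >= threshold for v in w.impact.values())


def residency_decision(entity_type: str, w: Workload) -> str:
    """Apply the tiered rule: onshore is unrestricted; offshore depends on entity
    type and materiality. Returns ALLOWED, SBP_APPROVAL_REQUIRED or UNKNOWN_ENTITY."""
    if w.csp_location == "onshore":
        return "ALLOWED"
    if entity_type in FLEXIBLE_OFFSHORE:
        return "ALLOWED"
    if entity_type in RESTRICTED_OFFSHORE:
        return "SBP_APPROVAL_REQUIRED" if is_material(w) else "ALLOWED"
    return "UNKNOWN_ENTITY"


def control_findings(w: Workload) -> List[str]:
    """Check the data security, key management, audit and contingency requirements."""
    checks = [
        (w.encrypted_at_rest, "data at rest not encrypted"),
        (w.backups_encrypted, "backups not encrypted"),
        (w.tls_in_transit, "data in transit not encrypted"),
        (w.entity_controls_keys, "encryption keys/HSM not under the entity's sole control"),
        (w.logically_separated, "data not logically separated from other customers"),
        (w.rpo_hours is not None, "no RPO defined in the contingency plan"),
        (w.audit_access_unrestricted, "auditor/SBP access to cloud assets is restricted"),
    ]
    return [msg for ok, msg in checks if not ok]


def evaluate(entity_type: str, workloads: List[Workload]) -> Dict[str, dict]:
    """Produce a per-workload report: materiality, residency decision, control gaps."""
    return {
        w.name: {
            "material": is_material(w),
            "residency": residency_decision(entity_type, w),
            "findings": control_findings(w),
        }
        for w in workloads
    }


# Constructed sample inventory (not real systems).
SAMPLE_WORKLOADS = [
    Workload("core_banking", {"operations": 3, "reputation": 3, "profitability": 3},
             "offshore", True, True, True, False, True, 1.0, True),
    Workload("marketing_site", {"operations": 0, "reputation": 1, "profitability": 0},
             "offshore", True, False, True, True, True, None, True),
    Workload("payments_switch", {"operations": 3, "reputation": 2, "profitability": 3},
             "onshore", True, True, True, True, True, 0.25, True),
]

if __name__ == "__main__":
    for name, result in evaluate("bank", SAMPLE_WORKLOADS).items():
        print(name, result["residency"], "material" if result["material"] else "non-material")
        for f in result["findings"]:
            print("   -", f)
```

For a bank, `core_banking` comes back as material on an offshore CSP and is flagged for prior SBP approval, while the same inventory evaluated for an EMI shows it as allowed; the control findings (keys not under the entity’s control, unencrypted backups, a missing RPO) are reported regardless of the residency outcome, since the entity keeps responsibility for them in every case.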

Learn more about our Cloud & DevOps Consulting services for SBP-compliant cloud migration.

UAE NESA Compliance Requirements: Cloud Security for UAE Businesses

The National Electronic Security Authority (NESA) now operates as part of the UAE Signals Intelligence Agency (SIA). It serves as the federal authority that protects the UAE’s critical information infrastructure. NESA created the Information Assurance Standards (IAS). This comprehensive framework defines cybersecurity requirements for government entities, critical infrastructure operators, and regulated businesses across the UAE.

Who Must Comply

NESA compliance applies to all UAE government entities and critical national infrastructure operators. Specifically, this includes organizations in energy, finance, healthcare, telecommunications, transportation, and water. For private companies outside these sectors, NESA compliance is not mandatory. Nevertheless, it is increasingly becoming a market expectation and a competitive differentiator for government contracts.

The NESA IAS Framework

The IAS framework contains 188 security controls. These are split into Management Controls and Technical Controls. Of the total, 35 controls carry a mandatory (Priority 1 or P1) classification. Every organization must implement these foundational cybersecurity capabilities. The remaining 153 controls apply based on each organization’s specific risk assessment results.

The framework organizes controls into two families. Management Controls cover governance, risk management, compliance, human resource security, and performance evaluation. Meanwhile, Technical Controls address asset management, access control, cryptography, physical security, communications security, operations management, and incident management.

Cloud-Specific Requirements

Several NESA and related regulatory requirements apply to cloud services in the UAE. For instance, the UAE government introduced the National Cloud Security Policy in 2023. This policy sets clear principles for secure cloud adoption and delivery. It also identifies which entities oversee and enforce cloud security regulations.

In addition, the TDRA regulates cloud computing and telecom security. Organizations must comply with TDRA rules, ensure data residency compliance, and obtain TDRA digital licensing. Telecom providers face strict data residency rules. As a result, they must store confidential data locally within the UAE.

Furthermore, the Personal Data Protection Law (Federal Decree Law No. 45 of 2021) sets additional requirements. Organizations must obtain consent before collecting personal data. They must also implement proper protection measures and report breaches to the UAE Data Office within 48 to 72 hours. Recent executive rules now require most personal data to stay in UAE-compliant data centers.

NESA Audit and Certification

The NESA compliance audit typically takes 4 to 6 weeks. The timeline depends on the organization’s size and system complexity. During this process, organizations must identify critical services, assess gaps against NESA standards, implement controls, and pass the audit. After success, they receive a Certificate of Compliance valid for one year. Annual audits maintain the certification.

Failing NESA standards carries real consequences. Organizations face financial penalties, operational restrictions, and increased regulatory scrutiny. In some cases, they risk suspension of operations.

Notably, Alibaba Cloud has passed a third-party audit for P1 level NESA compliance. Therefore, it offers a strong option for UAE organizations seeking a compliant cloud platform.

Explore our Security Audit Services for NESA compliance assessment.

International Compliance Standards: SOC 2, ISO 27001, GDPR, and PCI DSS

SBP and NESA set the regional compliance baseline for Pakistan and the UAE. However, international standards play a complementary role. Both the SBP and NESA frameworks reference many of these standards. As a result, demonstrating compliance with them strengthens your security posture and simplifies regulatory audits.

SOC 2 (Service Organization Control 2)

SOC 2 is an auditing standard from the American Institute of CPAs (AICPA). It evaluates how cloud providers manage customer data across five areas: security, availability, processing integrity, confidentiality, and privacy. Importantly, the SBP framework specifically mentions SOC reports (SOC 1, SOC 2, and SOC 3) as valid evidence during cloud provider due diligence. Therefore, choosing a provider with a current SOC 2 Type II report demonstrates a proven track record.

ISO 27001

ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive information. Both NESA and the SBP framework align closely with ISO 27001 principles. In fact, the NESA IAS framework incorporates many elements of ISO 27001. Consequently, organizations with existing ISO 27001 certification will find significant overlap with NESA requirements.

GDPR (General Data Protection Regulation)

Although GDPR is a European Union regulation, it has a global reach. Any organization in Pakistan or the UAE that handles personal data of EU residents must comply. Similarly, the UAE’s Personal Data Protection Law follows GDPR principles. The financial free zones of DIFC (Dubai) and ADGM (Abu Dhabi) also maintain their own GDPR-aligned rules. Therefore, organizations working across multiple regions should account for GDPR alongside local regulations.

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS applies to any organization that stores, processes, or transmits payment card data. This standard is especially relevant for banks, FinTech companies, and e-commerce businesses. It requires encryption of cardholder data, network security controls, vulnerability management, access control, and regular testing. In addition, cloud providers that handle payment processing must hold PCI DSS certification. The responsibility for compliance falls on both the merchant and the cloud provider.

How to Achieve Cloud Compliance: A Step-by-Step Guide

Cloud compliance is not a one-time event. Instead, it is an ongoing process that requires planning, execution, and continuous monitoring. Whether you target SBP compliance in Pakistan, NESA compliance in the UAE, or both, these steps provide a practical roadmap.

Step 1: Assess Your Current State

First, start with a thorough assessment of your existing IT infrastructure, data flows, and cloud usage. Identify where your data lives and how it moves between systems. Then, classify your workloads as material or non-material (for SBP purposes). Also identify which systems qualify as critical national infrastructure (for NESA purposes). This assessment creates the baseline for your compliance roadmap.

Step 2: Identify Applicable Regulations

Next, determine which regulations apply to your organization. Consider your industry, geography, and data types. For example, a Pakistani bank must follow the SBP Cloud Outsourcing Framework. A UAE government entity must meet NESA IAS standards. A FinTech operating in both markets must satisfy both, plus potentially PCI DSS and GDPR. Map each regulation to specific controls and requirements.

Step 3: Conduct a Gap Analysis

After identifying your regulations, compare your current security posture against the required controls. For SBP, review governance, due diligence, data security, encryption, key management, and contingency planning. For NESA, map your existing controls against the 188 IAS controls. Start with the 35 mandatory P1 controls. Then, document every gap between your current state and the requirements.

Step 4: Select a Compliant Cloud Provider

Choose a cloud provider that meets your target markets’ regulatory needs. Check for SOC 2, ISO 27001, and PCI DSS certifications. For Pakistan, confirm onshore data center availability. If the provider only offers offshore hosting, check whether SBP approval is needed for material workloads. For the UAE, verify NESA compliance and data residency within UAE borders. Alibaba Cloud, for instance, holds NESA P1 compliance and operates regional data centers in the Middle East.

Step 5: Implement Required Controls

Now, deploy the technical and organizational controls from your gap analysis. This includes encryption at rest and in transit, access management with multi-factor authentication, and network security configurations. Additionally, set up incident response procedures, business continuity plans, and employee security training. Document every implementation for audit purposes.

Step 6: Audit, Certify, and Monitor

Finally, engage qualified auditors to verify your compliance. For SBP, confirm your auditors can inspect the cloud provider. For NESA, schedule the formal 4-to-6-week audit. After certification, set up continuous monitoring. This should include regular security assessments, automated compliance checks, and periodic control reviews. Remember that NESA certification requires annual renewal. Likewise, the SBP expects ongoing oversight of cloud outsourcing arrangements.
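Steps 3 and 6 describe a gap analysis that starts with the mandatory P1 controls and then a monitoring loop that catches drift after certification. The block below is an added example (not NESA’s catalogue and not Sherdil Cloud’s tooling) that implements both against a constructed control register: the control identifiers, the P1 flag, the risk-level applicability rule, and the evidence dates are placeholders, and the one-year evidence window is an assumption modelled on the annual audit cycle described above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Control:
    cid: str          # placeholder identifier (constructed, not a real IAS control number)
    family: str       # "management" or "technical"
    mandatory: bool   # True models a P1 control that always applies
    min_risk: int     # non-P1 controls apply when the risk assessment is at or above this level


@dataclass
class Evidence:
    status: str          # "implemented", "partial" or "missing"
    evidence_date: date  # when the control was last evidenced


# Constructed register: three P1 controls and three risk-based controls.
CATALOGUE = [
    Control("CTRL-01", "management", True, 0),   # governance
    Control("CTRL-02", "technical", True, 0),    # cryptography
    Control("CTRL-03", "technical", True, 0),    # access control
    Control("CTRL-04", "management", False, 2),  # supplier risk review
    Control("CTRL-05", "technical", False, 3),   # network segmentation
    Control("CTRL-06", "technical", False, 4),   # physical security of hosting site
]

# Constructed evidence as of the assessment date below.
TODAY = date(2025, 3, 1)
EVIDENCE = {
    "CTRL-01": Evidence("implemented", date(2024, 11, 1)),
    "CTRL-02": Evidence("partial", date(2025, 1, 10)),
    "CTRL-03": Evidence("implemented", date(2023, 12, 1)),  # older than one year
    "CTRL-04": Evidence("missing", date(2025, 1, 10)),
    "CTRL-05": Evidence("implemented", date(2025, 2, 1)),
    # CTRL-06 has no evidence at all
}

Gap = Tuple[str, bool, str]  # (control id, is P1, reason)


def applicable_controls(catalogue: List[Control], risk_level: int) -> List[Control]:
    """P1 controls always apply; others apply once the risk assessment reaches min_risk."""
    return [c for c in catalogue if c.mandatory or risk_level >= c.min_risk]


def gap_analysis(catalogue: List[Control], evidence: Dict[str, Evidence],
                 risk_level: int, today: date, max_age_days: int = 365) -> List[Gap]:
    """List every applicable control that is missing, partial, or whose evidence is
    older than the annual cycle. P1 gaps are ordered first so remediation starts there."""
    gaps: List[Gap] = []
    for c in applicable_controls(catalogue, risk_level):
        e = evidence.get(c.cid)
        if e is None or e.status == "missing":
            reason = "not implemented"
        elif e.status == "partial":
            reason = "partially implemented"
        elif (today - e.evidence_date).days > max_age_days:
            reason = "evidence older than the annual audit cycle"
        else:
            continue
        gaps.append((c.cid, c.mandatory, reason))
    gaps.sort(key=lambda g: (not g[1], g[0]))
    return gaps


def regressions(previous: List[Gap], current: List[Gap]) -> Set[str]:
    """Continuous-monitoring view: controls that were clean last run but are gaps now."""
    return {g[0] for g in current} - {g[0] for g in previous}


if __name__ == "__main__":
    for cid, p1, reason in gap_analysis(CATALOGUE, EVIDENCE, 3, TODAY):
        print(f"{'P1 ' if p1 else '   '}{cid}: {reason}")
```

At risk level 3 the analysis returns the two P1 gaps (the partial cryptography control and the access-control evidence that has aged past a year) before the risk-based supplier review, and leaves CTRL-06 out because it does not apply at that level; rerunning at level 4 pulls it in. Feeding the previous run’s gap list into `regressions` is the check a monitoring job would schedule so that a control that silently lapses after certification is surfaced before the annual renewal.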

Partner with Sherdil Cloud for expert cloud compliance consulting.

How Sherdil Cloud Helps You Achieve Cloud Compliance

Navigating cloud compliance across Pakistan and the UAE demands deep regulatory knowledge and hands-on experience. As an Official Alibaba Cloud Partner with offices in Karachi, Abu Dhabi, and the United States, Sherdil Cloud helps organizations in both markets achieve and maintain compliance.

Compliance Assessment and Gap Analysis

Our certified cloud architects assess your current infrastructure against SBP, NESA, and international requirements. We identify gaps, prioritize fixes, and deliver a clear compliance roadmap. This roadmap includes timelines and resource estimates for every step.

Cloud Architecture and Migration

Our team designs cloud architectures that meet compliance standards from day one. For example, we can set up an onshore deployment in Pakistan for SBP data residency. We also build UAE-based infrastructure for NESA compliance. In addition, we create hybrid multi-cloud setups that satisfy both. Throughout the process, we handle planning, execution, and validation to prevent compliance gaps.

Security Implementation

We implement the full stack of security controls that SBP and NESA require. This covers encryption, identity and access management, network security, and vulnerability management. It also includes incident response procedures and business continuity planning. We use best practices across AWS, Azure, GCP, and Alibaba Cloud to deliver security that meets regulatory standards.

Ongoing Monitoring and Audit Support

Compliance is not a one-time achievement. Therefore, we provide ongoing monitoring, regular security assessments, and audit preparation support. This ensures your organization stays compliant as regulations evolve and your cloud environment grows.

Schedule a free compliance consultation with our cloud experts to discuss your requirements and get a customized compliance roadmap.

Cloud Compliance FAQs

1. Does SBP allow banks to use public cloud?
Yes. The SBP’s 2023 Framework on Outsourcing to Cloud Service Providers allows regulated entities to outsource workloads to all cloud deployment models, including public, private, community, and hybrid cloud. However, only onshore (domestic Pakistani) CSPs can host material workloads without restriction. Outsourcing material workloads to offshore public cloud providers requires prior SBP approval on a case-by-case basis.
2. What are the NESA compliance requirements for cloud?
NESA requires organizations to implement controls from the Information Assurance Standards (IAS) framework, which includes 188 security controls. For cloud deployments, key requirements include data encryption, access control, network security, incident management, business continuity planning, and regular security audits. The 35 mandatory P1 controls must be implemented by all organizations, while additional controls are applied based on risk assessment results.
3. What is the penalty for non-compliance with SBP cloud regulations?
The SBP has enforcement powers under the State Bank of Pakistan Act 1956 and the Banking Companies Ordinance 1962. Non-compliance can result in regulatory actions including fines, restrictions on business activities, increased supervisory scrutiny, and, in severe cases, impact on the institution’s banking license. The SBP requires all regulated entities to ensure full compliance and can impose additional terms and conditions on non-compliant institutions.
4. Can Pakistani banks store data on offshore cloud servers?
It depends on the type of data and workload. Non-material workloads can be outsourced to offshore cloud providers by banks, MFBs, digital banks, and DFIs. Material workloads, which include critical systems and customer data related to deposits, loans, and transaction records, require SBP approval for offshore hosting. EMIs and non-designated PSOs/PSPs have more flexibility for offshore outsourcing. In practice, the SBP strongly encourages onshore cloud hosting for material customer information.
5. What is the difference between NESA and TDRA compliance?
NESA (now under the Signals Intelligence Agency) focuses on cybersecurity standards and the Information Assurance framework for protecting critical national infrastructure. TDRA (Telecommunications and Digital Government Regulatory Authority) regulates telecommunications, digital government services, and sets broader policies for cloud computing and data residency in the UAE. Organizations in the UAE may need to comply with both NESA for cybersecurity controls and TDRA for cloud and telecom regulations.
6. Is NESA compliance mandatory for private companies in the UAE?
NESA compliance is mandatory for all UAE government entities and organizations classified as critical national infrastructure operators, which includes entities in energy, finance, healthcare, telecommunications, and transportation. For private companies outside these sectors, NESA compliance is not legally mandatory but is increasingly expected by partners, clients, and government procurement processes. Many private companies pursue NESA compliance as a competitive advantage.
7. How long does it take to achieve NESA compliance?
The timeline varies based on the organization’s size, existing security posture, and complexity of systems. The gap assessment and control implementation phase can take 3 to 6 months for a mid-sized organization. The formal NESA audit process itself typically takes 4 to 6 weeks. Organizations that already hold ISO 27001 certification will find the process faster due to significant overlap between the two frameworks.
8. Does Alibaba Cloud meet NESA compliance requirements?
Yes. Alibaba Cloud has been audited by a qualified third-party independent auditor for Priority 1 (P1) level NESA compliance. Alibaba Cloud also meets the Dubai Government Information Security Regulation (ISR) requirements. This makes Alibaba Cloud a strong choice for UAE organizations that need a cloud platform already aligned with national cybersecurity standards.
9. What cloud certifications should I look for in a provider?
When selecting a cloud provider for regulated workloads in Pakistan and the UAE, look for SOC 2 Type II certification (referenced in SBP due diligence requirements), ISO 27001 certification (aligned with both SBP and NESA frameworks), PCI DSS compliance (if handling payment card data), NESA P1 compliance (for UAE operations), and regional data center availability to meet data residency requirements.
10. How does cloud compliance differ between Pakistan and the UAE?
The primary difference lies in scope and focus. Pakistan’s SBP framework is sector-specific, targeting only financial institutions and payment service providers, with a strong emphasis on data residency and cloud outsourcing governance. The UAE’s NESA framework has broader applicability across government and critical infrastructure sectors, with 188 cybersecurity controls covering everything from governance to technical security. Additionally, the UAE has multiple overlapping regulatory bodies (NESA, TDRA, DESC, DIFC, ADGM) while Pakistan’s cloud compliance for financial services is centrally governed by the SBP.