Endida
Home Solutions Sectors About Contact Get in Touch
Home / Solutions / Operational Resilience — UAE & Dubai
Dubai · DIFC · Abu Dhabi · ADGM · UAE Onshore

Resilience isn't
optional in the
UAE anymore.

Iranian drone strikes physically destroyed AWS data centres in the UAE. GPS spoofing disrupted over 1,100 ships across Gulf waters. Sixty-plus pro-Iranian hacktivist groups are actively targeting UAE financial services. The CBUAE, DFSA and ADGM have responded with mandatory operational resilience frameworks. Endida helps regulated firms in the Gulf build programmes that meet the regulatory standard — and hold up when the threat is real.

Request a Resilience Assessment View Our Approach
Recent Disruptions — UAE
Jul
2024
CrowdStrike Global OutageUAE government portals, MoFA, MOHRE, Dubai Airport and major airlines disrupted. Recovery time: hours to days.
Critical
Sep
2025
Red Sea Cable CutsSMW4 & IMEWE cables severed near Jeddah. e& and du disrupted. Azure rerouted. UAE banking apps degraded.
Critical
Jun
2025
Iran–Israel War Cyber Campaign700% surge in attacks. Iranian APT groups (APT33, APT34, Pioneer Kitten) actively targeting UAE finance and energy.
Critical
Mar
2026
AWS UAE & Bahrain — Drone StrikesIranian drones physically destroyed 3 AWS data centres. UAE banking, payments and enterprise services disrupted. AWS advised workload migration.
Critical
Feb–Mar
2026
GPS Spoofing — 1,100+ ShipsElectronic warfare disrupted navigation across UAE, Qatari and Omani waters. AIS systems compromised. Maritime and logistics operations impacted.
Major
2026
Active
60+ Hacktivist Groups — UAE TargetsPro-Iranian groups targeting UAE government, finance and critical infrastructure. AI-enhanced attacks on daily basis. Daily detection and response required.
Ongoing
Active Threat — March 2026: Following Operation Epic Fury (28 Feb 2026), Iranian drone strikes physically destroyed three AWS data centres in the UAE and Bahrain. 60+ pro-Iranian hacktivist groups remain active against UAE targets. AWS has advised customers to migrate workloads out of Middle East regions. Your DR plan must now account for full regional cloud outage — not just single-zone failure.
View Incident Timeline →
Why This Matters Now

The UAE's Digital Ambition
Has Become a Strategic Target.

01
Kinetic attacks on cloud infrastructure. The Iran–Israel conflict introduced something new: Iranian drones physically destroyed AWS data centres in the UAE and Bahrain. Commercial cloud infrastructure is now a legitimate military target. Your AWS or Azure dependency is a war risk.
02
60+ active hacktivist groups targeting UAE. The Islamic Resilience Cyber Axis — a coordinated network of Iranian-aligned groups including APT33, APT34 (OilRig), Pioneer Kitten, DieNet, and Cyber Fattah — is actively running DDoS, wiper, ransomware and espionage campaigns against Gulf financial services.
03
GPS and electronic warfare in UAE waters. Electronic warfare has disrupted AIS systems on 1,100+ ships across UAE, Qatari and Omani waters. Maritime logistics, supply chains, and physical security dependencies of Dubai's trade infrastructure are in scope.
04
Red Sea chokepoint remains severed. The Houthi campaign in the Red Sea has made subsea cable repair vessel access dangerous. SMW4, IMEWE and FALCON GCX cuts in September 2025 demonstrated that the Gulf's internet spine can be compromised for weeks — while the war continues.
05
Supply chain compromise through Israeli tech vendors. Major UAE-deployed vendors including AWS, Google, Nvidia and Check Point have operations under duress in the conflict zone. Snowflake and Red Hat have issued failover advisories. Your vendor map is your blast radius map.
06
BCM frameworks were built for peace-time scenarios. Most regulated firms in the UAE have Business Continuity Plans designed around IT failures, pandemics and power outages. Almost none have been tested against a simultaneous regional cyber campaign, data centre destruction, GPS spoofing, and Strait of Hormuz blockade.
700%
Surge in attacks on Gulf since Iran–Israel war (June 2025)
3
AWS data centres physically destroyed by Iranian drones — UAE & Bahrain
1,100+
Ships GPS-spoofed across UAE, Qatari & Omani waters
60+
Active pro-Iranian hacktivist groups targeting UAE
The Evidence

What Has Already
Happened — and Is Happening Now.

The Gulf's digital resilience has been tested repeatedly and publicly — most recently by kinetic warfare. Understanding what failed, and the BCM lessons from each incident, is the foundation of a credible resilience programme.

19 July 2024 Critical — Global
CrowdStrike / Microsoft Falcon Outage
A faulty content update to CrowdStrike's Falcon sensor caused mass Windows blue-screen-of-death events globally. In the UAE, the Ministry of Foreign Affairs (MoFA) took its portals offline, instructing the public to make no online transactions. MOHRE (work permits) reported "difficulties." Dubai Airport recorded disruptions. Emirates, Flydubai and Etihad all issued alerts. Authentication services were among the first casualties — a stark reminder that security tooling itself is an operational dependency.
Government Portals Airports Airlines Authentication HR Services
BCM Lesson: Third-party security software is a critical dependency. Single-vendor endpoint protection without rollback controls is a systemic vulnerability — not a security asset.
8 February 2025 Major — Dubai
Du Network Outage — Dubai
Du, one of the UAE's two main telecoms providers, reported a network outage affecting home broadband and mobile services across Dubai. DownDetector recorded 213 affected customers within 90 minutes, predominantly home internet and mobile signal. Etisalat (e&) customers also reported disruption simultaneously. Residents who remained connected were those who could switch to an alternative network — a privilege of dual-SIM capability, not a managed BCM strategy.
Broadband Mobile Services Streaming Remote Working
BCM Lesson: Single-carrier internet dependency is a BCM failure for any critical service operation. Diverse connectivity (dual-carrier, satellite backup, alternative routing) must be part of resilience architecture.
March 2025 Major — UAE Banking
UAE Banking App Outages — Cloud Disruption
Emirates NBD, Emirates Islamic, First Abu Dhabi Bank and ADCB all experienced disruptions to digital banking services. ADCB's retail mobile banking app was down for approximately 48 hours — though branches, ATMs, card services and internet banking remained operational. The incident demonstrated both the fragility of cloud-hosted app layers and the importance of channel diversification in BCM planning. Critically, multiple banks issued fraud warnings simultaneously — opportunistic attackers exploited the confusion to impersonate official channels.
Mobile Banking Contact Centres Cloud Platforms Customer Trust
BCM Lesson: Cloud-hosted services require dedicated resilience architecture — not just cloud availability SLAs. Channel diversification (branch, ATM, web, app) is a BCM essential for financial services, not a UX preference.
June 2025 — March 2026 Critical — Active Conflict
Iran–Israel War: Coordinated APT & Hacktivist Campaign Against UAE
Following Israeli military strikes on Iran beginning 13 June 2025, the Islamic Resilience Cyber Axis — a coordinated network of Iranian state-backed and affiliated groups — launched one of the most sustained cyber campaigns against Gulf targets in history. Iranian APT groups including APT33, APT34 (OilRig), MuddyWater, and Pioneer Kitten ran concurrent DDoS, ransomware (Pay2Key.I2P), wiper, espionage and credential-theft operations targeting UAE government, financial services, energy, and critical infrastructure. The UAE Cyber Security Council reported that government and financial sector targets faced daily sophisticated and AI-enhanced attacks between 21–26 February 2026 — which national authorities stated were "systematically detected and foiled." The operative word is "this time."
UAE Financial Services Government Systems Energy Sector Critical Infrastructure APT33 · OilRig
BCM Lesson: Iranian APT groups have maintained persistent footholds in UAE critical infrastructure via credential theft and VPN compromise since early 2025. Assumed breach posture — not perimeter defence — is the only credible response. Wiper malware is the weapon of choice in conflict-adjacent operations; offline, air-gapped backups are no longer optional.
1 March 2026 Critical — Kinetic + Digital
Iranian Drone Strikes Destroy AWS Data Centres — UAE & Bahrain
In a historic first, Iranian drone strikes physically destroyed three Amazon Web Services data centre facilities in the UAE and Bahrain — causing fires, power disruptions, water damage from fire suppression, and prolonged service outages. The strikes came within 24 hours of Operation Epic Fury (Operation Roaring Lion), the coordinated US-Israel strikes on Iranian targets launched 28 February 2026. The AWS incidents disrupted digital services across the Gulf including banking providers, payment services and consumer apps. AWS subsequently advised customers with Middle East workloads to migrate to alternative regions. Snowflake, Red Hat and other SaaS vendors issued failover advisories. Nvidia temporarily closed its Dubai offices. The incident demonstrated that physical distance from a conflict zone provides no insulation from kinetic impacts on shared cloud infrastructure.
AWS UAE Region Banking Services Payment Platforms SaaS Vendors Enterprise Tools
BCM Lesson: Cloud DR plans built around single-zone or regional failover are insufficient when the region itself is a military target. Firms must test full-region cloud outage scenarios, maintain offline-accessible emergency plans, and validate that DR workloads can genuinely run in geographically separate regions with no Middle East dependency.
February–March 2026 Major — Electronic Warfare
GPS Spoofing — 1,100+ Ships Across Gulf Waters
Electronic warfare operations attributed to the Iran–Israel conflict disrupted GPS and Automatic Identification System (AIS) signals for more than 1,100 vessels across UAE, Qatari and Omani territorial waters. CSIS analysts noted the interference was consistent with the electronic operations pattern accompanying the broader conflict. For UAE-based firms, the spoofing directly impacted maritime logistics, physical security systems dependent on GPS timing, and supply chain operations — with implications for financial services firms processing trade finance and commodity transactions reliant on vessel tracking data.
Maritime Logistics GPS-Dependent Systems AIS Tracking Trade Finance Supply Chains
BCM Lesson: GPS-dependent systems — including timing infrastructure, physical security, logistics platforms and some financial transaction systems — require spoofing-resilient alternatives. Firms processing trade finance or commodity transactions should review their data-source dependencies for vessel tracking and origin verification.
2024–2026 Ongoing Ongoing — Escalating
DDoS Surge — Geopolitical Weaponisation
The UAE Cyber Security Council's 2025 report confirmed 373,429 DDoS incidents in 2024 — an 862% increase since 2019. The Iran–Israel conflict has further accelerated this trend, with hacktivist groups on both sides using DDoS as their primary low-cost, high-visibility weapon against Gulf financial and government infrastructure. Average attack duration in H1 2025 exceeded 27 minutes — long enough to trigger CBUAE Article 149 breach notification obligations and cause material customer impact to digital banking services.
Financial Services Government Telecoms Critical Infrastructure
BCM Lesson: DDoS mitigation must be built into resilience architecture. Pre-contracted scrubbing, tested traffic rerouting, and customer communications playbooks are standard requirements for any UAE financial services firm. The 27-minute average attack duration is long enough to require regulatory notification.
The Regulatory Landscape

What Your Regulator
Now Requires.

Operational resilience obligations in the UAE have hardened significantly. CBUAE, DFSA and ADGM have each issued frameworks that go beyond IT disaster recovery — requiring firms to demonstrate end-to-end resilience of important business services.

CBUAE — Onshore UAE
Central Bank of the UAE
The CBUAE's new Banking Law (effective September 2025) and its operational resilience standards represent the most significant upgrade to UAE financial sector BCM obligations. 24/7 monitoring capability is now mandatory for licensed digital banks.
  • Mandatory fraud and breach reporting under Article 149 — prompt notification required
  • Recovery Time Objectives (RTOs) for all critical services — must be documented and tested
  • 24/7 monitoring capability mandated for digital banking operations
  • Strict liability for management negligence in respect of consumer funds
  • Third-party and outsourced service resilience oversight requirements
  • CBUAE Recovery Planning Regulations — all critical services in scope
DFSA — DIFC
Dubai Financial Services Authority
The DFSA's GEN Module and its cloud and outsourcing requirements place DIFC-authorised firms under a comprehensive operational resilience framework — with material outsourcing arrangements requiring advance DFSA notification.
  • Operational resilience framework required — covering technology failures, cyber threats and BCM
  • Annual policy and control reviews — mandatory, not discretionary
  • Material outsourcing and cloud arrangements notifiable to the DFSA
  • Business continuity and record-keeping requirements under DIFC Law
  • Cyber risk management framework — exposed infrastructure explicitly in scope
  • Crypto-specific operational resilience requirements under tokenisation rules
ADGM / FSRA — Abu Dhabi
Abu Dhabi Global Market
ADGM's FSRA announced its comprehensive cyber and operational resilience framework in July 2025, effective January 2026. All authorised financial firms must comply — including a new focus on vendor and third-party risk.
  • New ICT Risk Management framework effective January 31, 2026
  • All authorised firms in scope — no size or sector exemptions
  • Vendor and third-party risk management explicitly required
  • Cyber risk assessment mandatory — including exposed infrastructure
  • Credential monitoring — regulators expect awareness of compromise
  • Incident response capability and escalation protocols required
VARA — Dubai (Virtual Assets)
Virtual Assets Regulatory Authority
VARA's rulebook for Dubai VASPs includes operational resilience requirements specific to blockchain infrastructure — recognising that the technology risks of virtual asset operations differ from traditional financial services.
  • Technology resilience evaluation required for blockchain infrastructure
  • Smart contract security and operational stability assessments
  • Business continuity plans required for all licensed VASP operations
  • Marketing regulation compliance — operational continuity during outages
  • AML infrastructure resilience — transaction screening must be available
  • Key management and custody operational resilience standards
UAE Federal — National
UAE National Cybersecurity Council
The UAE Cybersecurity Council sets national standards applying to critical infrastructure operators and public sector entities — with clear expectations that private sector regulated firms align their resilience programmes to national frameworks.
  • Critical infrastructure protection obligations — operational resilience in scope
  • Incident reporting to relevant national authorities for significant events
  • Alignment with UAE Cybersecurity Strategy and national framework
  • Consumer data breach notification — CBUAE-aligned LFI obligations
  • Network information security requirements beyond internal perimeter
  • IoT and digital product resilience standards under development
ISO / DORA / BCI Aligned
International Standards
For firms with EU or UK regulatory obligations alongside UAE requirements, Endida aligns BCM programmes to international standards — ensuring programmes satisfy multiple frameworks simultaneously without duplication of effort.
  • ISO 22301 — Business Continuity Management Systems
  • ISO 27001 / ISO 27031 — ICT readiness for business continuity
  • EU DORA alignment for firms with EU digital operational resilience obligations
  • NIST Cybersecurity Framework — resilience function alignment
  • BCI Good Practice Guidelines — BCM programme structure
  • ITIL service continuity alignment for technology-heavy operations
What We Deliver

End-to-End Operational
Resilience Programme Design.

Endida builds operational resilience and BCM programmes that are calibrated for the real disruption risks facing organisations in the UAE — not generic frameworks copied from UK or EU templates.

Business Impact Analysis (BIA)
Identification and mapping of all important business services, their dependencies, and the financial, operational and reputational impact of disruption at different timescales. UAE-specific impact modelling includes regional infrastructure dependencies and regulatory notification timelines.
Service MappingRTO / RPO DefinitionImpact Modelling
BCM Programme Design & Documentation
Comprehensive business continuity management programme aligned to CBUAE, DFSA and ADGM requirements and international standards. Business Continuity Plans, Crisis Management Plans, IT Disaster Recovery Plans, and Communication Playbooks — documented and governance-ready.
ISO 22301CBUAE AlignedDFSA Aligned
Third-Party & Outsourcing Resilience
Comprehensive review of your critical third-party dependencies — cloud providers, telecoms, payment processors, core banking systems, and security vendors. Includes CrowdStrike-style concentration risk assessment, SLA gap analysis, and vendor resilience due diligence aligned to DFSA material outsourcing requirements.
Vendor RiskCloud ResilienceDFSA Outsourcing
Scenario-Based Testing & Exercises
Tabletop exercises, simulation drills, and technical recovery tests using scenarios drawn directly from the UAE's incident history — Red Sea cable cuts, cloud provider outages, DDoS attacks, telecoms failures, third-party vendor crashes, and geopolitically-motivated cyber incidents.
Tabletop ExercisesUAE ScenariosTechnical Drills
Crisis Management & Communications
Crisis management framework design including roles, escalation structures, decision authorities and stakeholder communication protocols. Includes regulatory notification playbooks aligned to CBUAE Article 149 breach reporting and DFSA incident disclosure timelines.
Crisis PlaybooksRegulatory NotificationComms Plans
Regulatory Gap Assessment & Readiness
Independent assessment of your current BCM programme against CBUAE, DFSA, ADGM and VARA requirements — identifying gaps, prioritising remediation, and producing a board-ready resilience posture report. Includes regulatory examination readiness review.
Gap AnalysisBoard ReportingExam Readiness
Our Approach

From Assessment
to Tested Resilience.

We don't produce BCM documentation and leave. We build programmes that function under realistic Gulf-region disruption conditions — and we test them to prove it.

01
Resilience Discovery
We assess your current BCM posture against your regulatory obligations and the specific disruption scenarios relevant to your geography, sector and operating model. We identify gaps and quantify exposure.
02
Programme Design
We design a BCM and operational resilience programme calibrated to your organisation — identifying important business services, mapping dependencies, defining RTOs/RPOs, and building governance structures that satisfy your regulator.
03
Documentation & Controls
We produce the full BCM documentation set — BCP, IT DRP, Crisis Management Plan, Communication Playbooks, and regulatory notification templates. All aligned to CBUAE, DFSA, ADGM or VARA as appropriate.
04
Testing & Continuous Improvement
We design and facilitate scenario-based exercises drawn from real UAE incidents — and help you embed annual testing, lessons-learned processes, and board-level resilience reporting into your governance calendar.
Who We Serve

Resilience Built for
Your Sector.

Operational resilience obligations and the disruption risks that matter most differ significantly by sector. Our programmes are built around your specific regulatory obligations and operational dependencies.

Financial Services — DIFC & Onshore
Banks, Wealth Managers & Payment Firms
UAE financial services firms face the most stringent operational resilience obligations — from CBUAE Recovery Planning Regulations to DFSA's comprehensive BCM requirements. The 2025 banking app outages demonstrated that cloud-hosted services require dedicated resilience architecture, not just availability SLAs.
  • CBUAE RTO compliance for all critical banking services
  • DFSA material outsourcing notification and oversight framework
  • Cloud and multi-cloud resilience architecture review
  • Article 149 breach reporting playbook — mandatory under new Banking Law
  • DDoS resilience and financial transaction protection
  • Channel diversification BCM — branch, app, web, ATM continuity
Crypto & VASP — VARA & ADGM
Exchanges, Custodians & DeFi Platforms
Virtual asset businesses operating in Dubai under VARA or in ADGM under FSRA face operational resilience requirements that span blockchain infrastructure, key management systems, AML infrastructure availability, and the inherent 24/7 nature of crypto markets — where outages during volatility events have outsized financial impact.
  • Blockchain infrastructure resilience evaluation — VARA aligned
  • ADGM FSRA ICT Risk Management compliance (effective Jan 2026)
  • Key management and cold/hot custody BCM procedures
  • Transaction screening availability — AML obligation during outages
  • Smart contract pause and recovery procedures
  • 24/7 monitoring and incident escalation for continuous markets
iGaming — Dubai & Gulf
Operators, Platforms & B2B Providers
iGaming operations in the Gulf region face a unique resilience profile — high-volume peak events (World Cup, Ramadan), 24/7 player-facing platform requirements, real-time payment processing dependencies, and compliance obligations that cannot be suspended during outages without triggering regulatory risk.
  • Peak event resilience planning — seasonal and sports calendar mapping
  • Payment processor and PSP continuity planning
  • AML and fraud tool availability during platform incidents
  • Multi-jurisdictional regulatory notification during outages
  • CDN and DDoS resilience for player-facing platforms
  • Third-party game provider dependency mapping and fallback
Enterprise — Dubai & UAE
Multinationals, Fintechs & Professional Services
For multinational firms with UAE operations, operational resilience must bridge the gap between global BCM frameworks and the specific risks of Gulf-region infrastructure — including Red Sea connectivity dependencies, regional cloud provider exposure, and geopolitical disruption scenarios not typically captured in European or US enterprise BCM programmes.
  • UAE operational resilience gap analysis — global programme alignment
  • Red Sea connectivity contingency planning and satellite fallback
  • Regional cloud provider redundancy and failover architecture
  • Staff safety and office continuity in geopolitical disruption scenarios
  • Cross-jurisdiction regulatory notification coordination
  • Merger, acquisition and expansion resilience integration
Build Your Resilience

Drones Hit AWS.
Hacktivists Are Active.
Is Your BCM Ready?

Iranian drones have physically destroyed UAE cloud infrastructure. 60+ hacktivist groups are targeting Gulf financial services daily. Every disruption event has produced the same finding: firms with tested BCM programmes recovered faster and avoided regulatory scrutiny. Firms without them scrambled.

Request a Resilience Assessment Speak to Our Team
STEP 01
Resilience Discovery
A 60-minute structured conversation to map your current BCM posture, regulatory obligations and the disruption scenarios that matter most for your organisation.
STEP 02
Gap Assessment
We assess your programme against CBUAE, DFSA, ADGM or VARA requirements and produce a prioritised gap report with a clear remediation roadmap.
STEP 03
Programme Build
We design, document and test your BCM and operational resilience programme — governance-ready, regulator-aligned, and calibrated for Gulf-region risk.
STEP 04
Ongoing Assurance
Annual testing, programme maintenance, regulatory monitoring, and board-level reporting — ensuring your resilience programme keeps pace with evolving obligations and threats.