
      The accelerating convergence of geopolitical instability, digital dependency, and artificial intelligence has led to seismic shifts in the cybersecurity landscape. Across the Middle East, and particularly within the UAE, recent regional conflict has reinforced the need for cyber resilience, which is tied directly to economic continuity, national stability, and organizational survival.

      In recent months, cyberattacks targeting critical infrastructure across the region have increased significantly in both frequency and sophistication. Financial institutions, telecommunications providers, transport infrastructure, energy operators, cloud platforms, and government services have all experienced heightened threat activity. These attacks have not been limited to espionage or isolated disruption. Increasingly, threat actors — including nation-state aligned groups — are pursuing campaigns designed to create operational instability, undermine confidence in digital systems, and exploit the interconnected nature of modern infrastructure.

      The scale of this shift has exposed the limitations of traditional cybersecurity approaches. The modern threat environment demands resilience: the ability not only to prevent attacks, but to withstand disruption, adapt in real time, and recover rapidly while maintaining critical operations. This is reflected in the UAE’s increasingly mature national cybersecurity ecosystem. Over recent years, the UAE Cyber Security Council has introduced a comprehensive suite of mandates (frameworks, policies and standards) designed not merely to regulate cybersecurity, but to institutionalize resilience across government and critical sectors. What is particularly notable is how closely these frameworks align with the operational challenges organizations are now facing in real time.

      Within this context of geopolitical instability, we are also seeing the emergence of advanced AI models, such as Anthropic’s “Project Mythos” or ChatGPT Cyber, that are profoundly reshaping how organizations can enhance cyber resilience. These technologies are creating new opportunities for real-time threat detection, autonomous response, predictive analysis, and continuous exposure management at a scale previously unattainable through traditional security operations. As cyberattacks become faster and increasingly AI-driven, defensive capabilities are evolving toward more intelligent, adaptive, and automated models to enhance the resilience of critical services.

      Strengthening national resilience

      The recent escalation in cyberattacks has, in many ways, validated the assumptions underpinning the UAE’s national cybersecurity strategy. Critical sectors identified within national mandates, including finance, transportation, energy, space, telecommunications, cloud infrastructure, and government services, have all emerged as active targets within the current threat environment. This has reinforced the importance of frameworks that move beyond theoretical governance and instead provide practical operational guidance.

      At the center of this ecosystem sits the updated UAE Information Assurance Standard, which continues to serve as the foundational cybersecurity framework for organizations operating within the country. The revised standard reflects a significant evolution in both philosophy and design. While earlier cybersecurity models focused heavily on control implementation and technical hardening, the updated framework places greater emphasis on resilience, automation, operational readiness and protecting widely adopted emerging technologies such as artificial intelligence.

      Importantly, the revisions recognize that cybersecurity can no longer function as a siloed technical discipline. Risk management and cyber resilience are expected to integrate directly into enterprise-wide governance, project management and continuity structures. Cybersecurity leadership must operate with greater independence and visibility, while organizations are increasingly expected to demonstrate active oversight, continuous compliance monitoring, and executive accountability.

      On the technical side, the updated framework reflects contemporary realities around identity governance, threat intelligence, supply chain exposure, and cloud security. The introduction of explicit data classification guidance is particularly significant. In an era where cloud adoption, cross-border data flows, and sovereign infrastructure have become strategic priorities, organizations cannot afford ambiguity around what data they hold, how sensitive the data is, where it resides, and under whose jurisdiction it falls.

      Cloud, sovereignty and operational control

      This becomes especially critical when viewed alongside the UAE’s National Cloud Security Policy. Cloud adoption across the region continues to accelerate, but recent disruptions affecting cloud infrastructure have demonstrated how deeply dependent organizations have become on external digital ecosystems. Resilience must therefore be designed intentionally into cloud architecture from the outset.

      The policy reflects this by framing cloud security not only as a matter of technical configuration, but as a question of sovereignty, operational continuity, and strategic control. Organizations are expected to classify their data rigorously, align workloads to appropriate sovereignty tiers, and understand precisely where sensitive information is stored and processed. Particularly for highly sensitive data, sovereignty requirements now extend beyond storage into processing, ensuring that critical information remains under UAE jurisdiction.

      The emphasis on “Hold Your Own Key” encryption models further illustrates the growing recognition that organizations must retain meaningful control over their digital assets, even within outsourced or third-party environments. Perhaps most importantly, the policy makes clear that accountability cannot be outsourced. Responsibility for compliance, security and resilience ultimately remains with the organization consuming the service.

      Alongside cloud transformation, artificial intelligence has emerged as both an opportunity and a significant source of cyber risk. AI adoption is accelerating rapidly across industries, driven by ambitions around automation, productivity, and innovation. In the UAE, AI has evolved beyond a technology initiative into a core component of national economic strategy, positioning the country as one of the leading adopters of AI-driven transformation globally.

      Managing AI-driven risk

      However, the rapid adoption of AI is also expanding the cyber threat surface at extraordinary speed. Threat actors are increasingly leveraging AI to automate attacks, personalize phishing campaigns, accelerate malware development, and generate highly convincing deepfakes and disinformation campaigns. The operational implications are profound. Attacks are becoming faster, more scalable, and more difficult to detect using conventional methods.

      One of the most pressing concerns is the widening gap between AI adoption and AI security readiness. Many organizations are deploying AI capabilities without fully understanding the associated risks, governance requirements, or operational dependencies. Recognizing this, the UAE has introduced a dedicated National Cybersecurity Policy for Artificial Intelligence, focused specifically on securing AI systems throughout their lifecycle.

      What distinguishes the policy is its practical orientation. Rather than approaching AI security as an abstract governance issue, the framework addresses the operational realities organizations now face. It introduces expectations around secure AI governance, infrastructure protection, model security, adversarial threat management, operational resilience, and continuous monitoring. Importantly, the policy acknowledges that resilience must extend directly into AI systems themselves. AI capabilities must remain secure and operational even during cyber incidents, system failures, or broader geopolitical disruptions.

      Preparing for continuous disruption

      This reflects a broader shift occurring across cybersecurity more generally. Resilience is increasingly replacing compliance as the defining objective. Organizations are being forced to reconsider what constitutes their true “Tier Zero” infrastructure: the minimum set of capabilities required to continue operating during major disruption. This extends beyond business applications into the foundational technology backbone itself: identity systems, networks, cloud dependencies, operational technology environments, backup infrastructure, and communication channels.

      Supply chain resilience has become equally critical. Modern organizations operate within deeply interconnected digital ecosystems, often relying on overlapping providers, cloud regions, and infrastructure layers. As recent incidents have demonstrated, vulnerabilities within a single provider or region can rapidly cascade across multiple organizations and sectors. Organizations must understand where their single points of failure exist and develop contingency plans capable of sustaining operations during third-party disruption.

      At the same time, the speed of cyber conflict is accelerating. AI-enabled attacks are compressing the timeline between compromise and impact, leaving organizations with increasingly narrow windows to detect, respond, and recover. This is driving a broader industry shift away from static annual assessments toward continuous exposure validation, real-world attack simulation, and live threat intelligence modeling.

      The UAE’s evolving cybersecurity policies reflect a sophisticated understanding of current needs. Rather than positioning regulation as a restrictive force, the national approach increasingly seeks to enable secure innovation, sovereign digital growth, and resilient transformation. In doing so, it offers organizations a blueprint for operating confidently in an era defined by uncertainty, interconnected risk, and continuous disruption.

      Our people

      Tim Wood

      Partner, Digital Trust

      KPMG Middle East

      Dimitrios Petropoulos

      Partner, Digital Trust

      KPMG Middle East

      Trevor Niblock

      Partner, Digital Trust

      KPMG Middle East

      Brienish Alva

      Director, Digital Trust - Cyber & Privacy

      KPMG Middle East