GCC Financial Crime and Cybersecurity Risks: Regulatory Responses

Posted by Written by Giulia Interesse

Financial crimes and cybersecurity risks are rising across the GCC as digital transformation surfaces across key sectors. Regulators are responding with tighter oversight and stronger cybersecurity and financial crime compliance requirements.

Gulf Cooperation Council (GCC) countries are facing a sharp escalation in cyber-enabled financial crime, as rapid digital transformation, expanding fintech ecosystems, and heightened geopolitical tensions expose critical vulnerabilities across government, financial services, and strategic industries.

Throughout 2024 and  2025, the Gulf has emerged as one of the most actively targeted regions globally, prompting regulators to tighten oversight, enhance cybersecurity mandates, and integrate cyber risk more deeply into financial crime frameworks.

In this article, we examine the key cyber and financial crime risks emerging across the Gulf, assess how regulatory authorities are responding, and outline the practical implications for businesses, financial institutions, and foreign investors operating in the region.

Key financial crime and cyber risks in the GCC

Cyber threats across the Gulf have grown both in scale and sophistication. Distributed denial-of-service (DDoS) attacks now account for more than two-thirds of reported incidents, while ransomware, phishing campaigns, and data breaches increasingly target financial institutions, government agencies, and critical infrastructure operators.

Find Business Support
Get help with business matchmaking, location analysis, market entry strategy, market research, and supply chain re-engineering in GCC.

The convergence of cyber risk and financial crime is particularly evident. Phishing, credential theft, and business email compromise schemes are increasingly used to facilitate fraud, money laundering, and unauthorized access to payment systems. At the same time, ransomware groups have refined their monetization strategies, combining data theft with extortion and dark web resale.

Geographic concentration of cyber and financial crime risks across the GCC

Threat activity is unevenly distributed across the Gulf, reflecting differences in economic scale, digital maturity, and geopolitical exposure.

  • United Arab Emirates (UAE) has emerged as the primary regional target, driven by its advanced digital infrastructure, large financial sector, and smart city initiatives. Financial institutions and government entities face sustained ransomware and DDoS campaigns, alongside large-scale data breaches affecting residents and investors.

  • Saudi Arabia faces persistent threats to its energy sector and manufacturing base, with cybercrime intersecting with economic espionage and critical infrastructure risks under Vision 2030.

  • Kuwait has seen heightened exposure in its banking sector, where phishing and payment fraud campaigns increasingly exploit digital banking adoption.

  • Qatar continues to address vulnerabilities exposed during major international events, with lingering risks to government systems and energy-related infrastructure.

  • Bahrain and Oman face comparatively lower volumes but remain exposed through financial services, telecommunications, and government platforms.

Sectoral exposure and financial crime linkages

  • Government and public administration sector: Remains the most targeted across the GCC, reflecting its strategic value for intelligence gathering, service disruption, and access to citizen data. Attacks increasingly rely on spear phishing, supply-chain compromise, and long-term persistent access.
  • Financial services: Have experienced the fastest growth in cyber incidents over the past five years. Rapid fintech expansion, open banking frameworks, and cross-border payment flows have widened attack surfaces, while stolen credentials and compromised APIs are increasingly used to facilitate fraud and illicit financial flows.
  • Energy and critical infrastructure sectors: represent high-impact targets, where cyber incidents carry systemic economic and geopolitical consequences. Operational technology vulnerabilities, legacy systems, and remote monitoring capabilities have become focal points for both criminal and state-linked actors.

Country-level regulatory responses

United Arab Emirates

The UAE has significantly strengthened its regulatory stance to address the dual challenges of financial crime and cyber risk. Regulators have expanded anti-money-laundering and counter-terrorist financing (AML/CFT) frameworks, with enhanced supervisory powers granted to the Central Bank of the UAE (CBUAE) and independent financial free zones such as ADGM and DIFC, which enforce robust Know-Your-Customer (KYC), sanctions compliance, and technology risk controls to mitigate cyber-enabled financial crime across the banking and fintech sectors.

Find Business Support
Our Business Intelligence team can help you find the optimal location for your next investment in the UAE.

Financial firms now must establish effective technology and cybersecurity risk frameworks as part of licensing and ongoing supervision, reflecting a broader integration of cyber risk into financial crime controls. The UAE has also published national risk assessments and analytical reports on cyber-enabled crime, underscoring public-private collaboration to manage evolving threats.

See also: UAE Enacts Comprehensive Anti-Money Laundering (AML) Law to Reinforce Global Financial Integrity and Enforcement Accountability

Saudi Arabia

In Saudi Arabia, regulatory responses align with the kingdom’s Vision 2030 reforms, which aim to modernize the financial sector while ensuring resilient risk controls.

The Saudi Central Bank (SAMA) has integrated cybersecurity requirements into financial institution licensing and operational rules, emphasizing cyber risk control alongside AML/CFT supervision.

Enhanced oversight of fintechs, digital banks, and payment service providers reflects the expanding scope of regulatory scrutiny, with technology risk and data protection increasingly embedded in enforcement frameworks. These changes are part of a broader effort to protect the rapidly digitizing financial ecosystem from both financial crime and sophisticated cyber threats.

Qatar

Qatar’s approach focuses on bolstering financial crime controls in anticipation of increased foreign investment and cross-border financial activity. Regulatory authorities, including the Qatar Financial Information Unit (QFIU) under the Qatar Central Bank, enforce suspicious transaction reporting and financial intelligence exchange to counter money laundering and terrorism financing.

Cybersecurity compliance has become a growing priority, particularly for institutions operating within the Qatar Financial Centre. Cross-border cooperation and adherence to international standards underpin Doha’s efforts to balance growth with strengthened financial integrity.

Bahrain and Oman

Bahrain and Oman have adopted, respectively, proportionate regulatory strategies that balance financial innovation with risk mitigation.

In Bahrain, regulatory authorities and the central bank have taken targeted steps to enhance cyber resilience and digital risk management, particularly for the burgeoning fintech sector, while aligning AML/CFT expectations with international best practice.

Oman’s regulators are similarly focused on strengthening internal controls and governance research, emphasizing a risk-based approach that supports innovation without compromising oversight. Both nations are increasing expectations around internal risk frameworks and compliance culture better to manage the intersection of financial crime and cyber threats.

Implications for businesses and financial institutions

At the governance level, regulators are placing growing emphasis on board and senior management accountability for financial crime and cyber risks. Boards are expected to exercise active oversight of risk frameworks, approve cybersecurity and AML/CFT strategies, and ensure that cyber risk is integrated into enterprise-wide risk management. This marks a shift away from treating cybersecurity as a purely technical issue, toward recognizing it as a core governance and financial integrity concern.

Operationally, firms are under increasing pressure to implement real-time monitoring, robust data protection measures, and well-tested incident response plans. Regulators now expect institutions to detect suspicious activity and cyber incidents promptly, contain breaches effectively, and report incidents within prescribed timelines. Weaknesses in data governance, third-party risk management, or response preparedness are increasingly viewed as compliance failures rather than operational shortcomings.

At the same time, the risks of non-compliance have intensified. Regulatory authorities across the Gulf are making greater use of administrative penalties, public enforcement actions, and license restrictions to address deficiencies in financial crime and cybersecurity controls.

Beyond financial sanctions, reputational damage following cyber incidents or regulatory action can undermine customer trust and investor confidence, particularly in highly digitalized and competitive markets. As a result, proactive investment in compliance, governance, and cyber resilience is becoming a critical requirement for sustaining operations in the region rather than a discretionary cost.

Strategic outlook: What comes next

Regulatory standards across the Gulf are expected to continue tightening, with cyber risk increasingly embedded into financial supervision and enforcement frameworks. Authorities are also likely to expand enforcement actions against firms with weak compliance cultures, making a shift from reactive compliance to proactive, risk-based management essential for businesses operating in the region.

 

About Us

Middle East Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Dubai (UAE). Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China (including the Hong Kong SAR), Indonesia, Singapore, Malaysia, Mongolia, Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.

For a complimentary subscription to Middle East Briefing’s content products, please click here. For support with establishing a business in the Middle East or for assistance in analyzing and entering markets elsewhere in Asia, please contact us at dubai@dezshira.com or visit us at www.dezshira.com.

Related reading
DEZAN SHIRA & ASSOCIATES

DEZAN SHIRA & ASSOCIATES

Meet the firm behind our content. Visit their website to see how their services can help your business succeed.

About Us Find an Advisor
Want the Latest Sent to Your Inbox?

Subscribing grants you this, plus free access to our articles and magazines.

SUBSCRIBE
Back to top