A UAE buyer about to share financial data with a target company. An employer onboarding a senior hire who will see client lists and pricing. A SaaS vendor opening its source code architecture to a prospective channel partner. Each of these relationships starts with someone signing an NDA. The document delivers only if it tracks the standards of three overlapping UAE legal regimes, and the onshore court the parties may end up in cannot grant the immediate restraint most signatories assume it can.

UAE law protects confidential information through three overlapping regimes

Confidentiality protection in the UAE sits across the Civil Code, the Penal Code and the Labour Law, with additional layers under the Cybercrimes Law and the Industrial Property Rights Law for digital data and trade secrets. Each regime carries different burdens of proof, different remedies and different timing. A well-drafted NDA cuts across all three.

  • NDAs enforce in onshore UAE courts as ordinary contracts, with damages as the only remedy and the burden of proof firmly on the party disclosing the breach.
  • Disclosure of work secrets is also a criminal offence under the new Penal Code, carrying imprisonment of at least one year and a fine starting at AED 20,000.
  • Onshore courts cannot grant injunctions, so DIFC or ADGM jurisdiction is the route to immediate restraint of an ongoing breach.
  • A penalty clause is enforceable only when the figure tracks genuine loss, because the court can reduce a sum it considers excessive.

Who needs a UAE-grade NDA

Three reader situations trigger this question more than any other.

The first is the M&A buyer or seller. Every transaction opens with the disclosure of financial models, customer pipelines, employee data and forward forecasts. The NDA covers everything that flows out of the data room and through to signing. The standards for that document differ sharply from a generic template, and the failure point is usually the same: the M&A due diligence process goes ahead before either side notices the NDA is silent on residuals, return obligations or use in a competing transaction.

The second is the employer hiring senior staff. Engineers with access to source code, sales directors with the customer book, and finance heads with margin data each need a confidentiality obligation that survives termination. The Labour Law gives the employer some statutory cover, but the contractual document fills the gaps the statute leaves open and pairs naturally with a non-compete clause under the 2026 Labour Law framework.

The third is the vendor or customer entering a commercial negotiation. Tech licensing, manufacturing supply, and joint venture discussions all run on the assumption that early-stage information cannot be used by the counterparty in a parallel deal or recycled internally if the transaction collapses.

The three legal layers behind a UAE NDA

Civil and contractual: the UAE Civil Code

Federal Law No. 5 of 1985 (the Civil Transactions Law, or Civil Code) sets the contract framework that every onshore NDA falls under. The general principles of offer, acceptance, lawful object and mutual consent apply without modification. Article 246 imposes a good faith standard on contractual performance, which the UAE courts have used to read confidentiality obligations into commercial relationships even where the contract itself is thin.

Two provisions matter for confidentiality specifically. Article 905(5) obliges an employee to safeguard the industrial and commercial secrets of the employer's business, including after the contract ends. Article 909 sets the framework for non-compete clauses, with the requirement that they be limited in time, place and scope of business. Article 910 allows a penalty clause for breach, but the court has discretion to reduce the sum if it considers it disproportionate to actual loss.

A point that catches most parties off guard: trade secret claims under the Civil Code are not subject to the standard one-year limitation period that applies to ordinary employment claims. A breach discovered five years after the fact remains actionable.

Criminal: the new Penal Code

Federal Decree-Law No. 31 of 2021, which came into force on 2 January 2022, replaced the 1987 Penal Code. Article 432 of the new code criminalises the disclosure or unauthorised use of any secret entrusted to a person by virtue of profession, occupation, position or expertise. The penalty is imprisonment of at least one year, a fine of at least AED 20,000, or both. Where the offender is a public servant, imprisonment can run to five years.

Federal Decree-Law No. 32 of 2021 (the Commercial Companies Law) adds Article 369, which sanctions corporate insiders who use or disclose company secrets with imprisonment and fines from AED 50,000 to AED 500,000.

The criminal route gives a UAE company a tool that civil litigation does not: the police or the Ministry of Economy and Tourism can raid the suspect's premises and seize evidence. A criminal conviction can then anchor a civil claim for damages.

Labour: the 2021 Labour Law

Federal Decree-Law No. 33 of 2021 governs employment relationships outside the financial free zones. Article 16 imposes a duty on the employee to keep work secrets confidential and to surrender all work-related documents on termination. Article 44(5) entitles the employer to dismiss an employee without notice and without end-of-service gratuity for divulging company secrets, subject to procedural requirements. Article 10 caps post-employment non-compete restrictions at two years and requires them to be limited in time, place and nature of work.

Digital: the Cybercrimes Law

Federal Decree-Law No. 34 of 2021 covers electronic data. Article 6 makes unauthorised access to or disclosure of electronic personal data a criminal offence. Article 13 criminalises the storage or processing of UAE personal data in violation of applicable legislation. Article 44 covers the publication of private images, communications or information through IT systems. For any NDA where the underlying data sits in cloud storage, on a corporate device, or in shared drives, the cybercrime layer can apply alongside the contractual breach.

Trade secrets: the Industrial Property Rights Law

Federal Law No. 11 of 2021 protects undisclosed information and know-how under Articles 61 to 63. Protection is conditional. The holder must show that the information was secret, that it had commercial value because it was secret, and that the holder took effective measures to keep it secret. An NDA, an internal information classification policy and access controls together form the evidence that the courts look for.

Talk to us

Drafting an NDA, or chasing a counterparty who has breached one?

We draft NDAs for M&A, employment, joint ventures and commercial negotiations, and we act for owners pursuing breach claims and counterparties defending them in onshore, DIFC and ADGM forums.

Speak with a UAE confidentiality lawyer

What an enforceable UAE NDA must contain

A UAE court asked to enforce an NDA looks first at whether the document is precise enough to be applied as a contract. Vague language is the most common reason an otherwise legitimate claim fails at the first hurdle.

Definition of confidential information

The clause should list categories rather than rely on a single catch-all phrase. Financial information, customer and supplier lists, technical drawings, pricing models, source code, business plans, employee data and the existence of the underlying transaction itself each need to be named. The clause should also confirm that information disclosed in any form, written, oral, visual or electronic, falls within scope, and that information disclosed orally is treated as confidential whether or not it is later confirmed in writing.

Permitted purpose

The receiving party should be allowed to use the information only for a defined purpose: evaluating a transaction, performing a service, or carrying out specified employment duties. A purpose statement narrows the field of permitted use and makes any deviation actionable on its own terms.

Standard exclusions

The clause should carve out information that is or becomes publicly known through no fault of the receiving party, was already in the receiving party's possession before disclosure, was independently developed without reference to the disclosed information, or was lawfully obtained from a third party who was not under a confidentiality obligation. A separate carve-out should permit disclosure required by law, court order or regulator demand, with prior notice to the disclosing party where lawful to give notice.

Term

Two periods need to be set. The first is the period during which information may be disclosed under the NDA. The second is the period during which the confidentiality obligation continues. The two are not the same. Information disclosed in the final week of a one-year disclosure period may need to remain confidential for a further three or five years, or indefinitely in the case of trade secrets.

Return and destruction

On termination or completion of the purpose, the receiving party should return or destroy the confidential information, including copies, extracts and notes derived from it, and certify destruction in writing. A residuals clause carving out information retained in the unaided memory of the receiving party's personnel is a common compromise but should be drafted with care because it can swallow the substantive obligation.

Remedies and penalty clause

A penalty clause under Article 910 of the Civil Code can pre-quantify damages and remove the burden of proving loss item by item. The figure must reflect a genuine pre-estimate of loss. A round number that is plainly punitive will be reduced by the court. Liquidated damages of, for example, three times the value of the underlying transaction is more likely to survive than a flat AED 1 million figure that bears no relation to the deal.

Governing law and jurisdiction

The choice between onshore UAE law and a financial free zone (DIFC or ADGM) is the single most important drafting decision the parties make. The available remedies differ significantly between the two forums.

Onshore UAE versus DIFC and ADGM enforcement

Feature Onshore UAE courts DIFC and ADGM courts
Governing legal tradition Civil law, statutory framework with limited binding precedent Common law, English-language proceedings, full doctrine of precedent
Injunctive relief Not available; courts can issue stop orders but cannot prevent future conduct Available, including interim and permanent injunctions to restrain ongoing breach
Damages Granted on proof of specific loss; speculative damages are rejected Granted on common law principles, including loss of bargain and consequential loss
Penalty clauses Enforceable but subject to reduction by the court if disproportionate Liquidated damages enforceable if a genuine pre-estimate; penalties unenforceable
Criminal route Available through police complaint or referral to the Ministry of Economy and Tourism Civil only; criminal complaints still channelled through onshore federal authorities
Typical timeline to first decision 9 to 18 months at first instance 4 to 9 months at first instance

Note: A DIFC or ADGM choice of jurisdiction is binding only where one of the parties has a sufficient connection to the relevant free zone. The DIFC opt-in regime allows parties without a DIFC presence to choose DIFC jurisdiction by agreement; ADGM operates a similar opt-in framework.

When to combine civil and criminal action

A UAE company that discovers a breach has a strategic choice. The civil route through the onshore courts produces damages but takes time and cannot stop ongoing disclosure. The criminal route produces investigative leverage and a deterrent conviction, with the police or the Ministry of Economy and Tourism able to seize evidence that civil litigants cannot reach. The DIFC or ADGM route, where available, produces immediate injunctive relief.

In a high-stakes case, the standard sequence is: file a criminal complaint to trigger the investigation and any seizure, file in DIFC or ADGM (where the contract permits) for an injunction, and pursue civil damages once liability is established. In a lower-stakes case where the relationship still has commercial value, a cease-and-desist letter and a negotiated settlement is usually faster than any of the three forums.

Drafting mistakes that cost UAE companies the case

Five errors recur often enough that they account for most enforcement failures.

The definition of confidential information is too vague to apply. A clause that says "all information that the receiving party knows or should know is confidential" gives the court nothing to anchor on. A clause that lists categories with examples gives the court the framework it needs.

The duration is unlimited or set at an unreasonable figure. A perpetual confidentiality obligation against a junior employee is unlikely to be enforced. A five-year obligation tied to defined trade secrets is likely to be enforced.

The carve-outs are missing or incomplete. An NDA without a regulator-disclosure carve-out forces the receiving party into a position where compliance with a tax authority or court order itself becomes a contractual breach. UAE courts read this kind of obligation against the disclosing party.

The governing law and forum clause are inconsistent or absent. A clause that selects DIFC law but onshore Dubai courts as the forum produces years of preliminary jurisdictional argument before the substantive case begins. The two should match.

The penalty clause is set without reference to actual loss. A flat AED 5 million liquidated damages figure attached to an employment NDA covering a junior staff member will be reduced by the court to whatever the court considers fair. A figure calibrated to defined commercial loss survives.

How should UAE companies approach NDAs in 2026?

The cost of a properly drafted NDA is small relative to the cost of recovering from a breach without one. The framework UAE courts apply is workable, but it favours the party that brought a precise, well-evidenced document to the table and made a deliberate forum choice before signing. The companies that struggle in confidentiality litigation are usually the ones that signed a generic template at the start of a relationship and never revisited it.

For UAE businesses preparing for an M&A process, expanding into licensing or franchising, hiring senior staff with access to commercial data, or moving sensitive data through cloud systems and third-party platforms, the NDA is the document that anchors every downstream remedy. Without it, the civil route weakens, the criminal route still works but produces no contractual damages, and the injunctive route through DIFC or ADGM closes off entirely.

Companies facing an active breach should obtain advice on the strategic combination of civil, criminal and free-zone routes before sending the first cease-and-desist letter. The order of those steps matters, and the wrong order can foreclose options that might otherwise have produced a faster, cheaper outcome.

Let’s talk

Your success starts with the right guidance.

Whether it’s business or personal, our team provides the insight and guidance you need to succeed.

contact us