Quantum Universum Policy Brief – Abu Dhabi, 27 November 2025
According to the Emirates News Agency (WAM), the United Arab Emirates has announced the approval of the National Encryption Policy and the issuance of its executive regulation, which calls on government entities to develop clear, well-defined, and officially approved transition plans from traditional encryption methods to post-quantum cryptography (PQC).
WAM reports that this step aims to support a safer and more technologically prepared future amid the rapid advancements in quantum computing. This milestone reflects the vision and directives of the UAE’s wise leadership to build a secure and modern digital infrastructure, reaffirming the nation’s commitment to keeping pace with major technological transformations and anticipating future developments. It also strengthens the UAE’s position as a global hub for artificial intelligence (AI) and digital innovation.
The National Encryption Policy mandates that the UAE Cybersecurity Council will continue to oversee the national migration efforts, working closely with government bodies to ensure the successful implementation of post-quantum encryption standards. The Council aims to reinforce data protection and safeguard digital assets in accordance with the highest international best practices.
Under its forward-looking leadership, the UAE, through the UAE Cybersecurity Council, is formulating comprehensive national strategies for post-quantum encryption, enhancing the country’s readiness to confront emerging challenges and align with global advancements in this field. WAM notes that the UAE is now considered one of the leading nations worldwide in adopting and transitioning toward post-quantum encryption, driven by its proactive approach, sustained investment in advanced technologies, and commitment to building a secure and sustainable digital ecosystem.
The UAE Cybersecurity Council is responsible for strengthening national information security, protecting data from unauthorised access, and proposing legislation, policies, and regulations related to encryption. It also sets forth procedures and standards to ensure proper implementation, with recommendations submitted to the National Security Advisor for approval.
Furthermore, the Council proposes mechanisms to mitigate the risks posed by quantum computing to sensitive systems with weak cryptographic components and prepares plans for the migration of these systems. It will conduct technical and analytical assessments to support government and private entities in evaluating the readiness and integrity of digital systems prior to wide-scale adoption and deployment. These assessments include evaluating the efficiency, quality, and preparedness of AI systems, applications, software, hardware, and technical components to ensure compliance with national and international standards, enabling institutions to obtain technical accreditation and validate their solutions with confidence.
The UAE Cybersecurity Council has structured its testing and verification activities around four main pillars: AI reliability testing, software reliability testing, hardware reliability testing, and signal reliability testing.
Dr. Mohammed Al-Kuwaiti, Head of Cybersecurity for the UAE government, stated that the approval of the National Encryption Policy and its executive regulation represents a major advancement in the national cybersecurity framework. He emphasised that this achievement reflects the leadership’s commitment to strengthening the UAE’s status as a trusted global hub for artificial intelligence and advanced technologies, noting that encryption and information security have become critical challenges for countries, institutions, and communities in the era of comprehensive digital transformation, with growing reliance on secure and resilient digital infrastructure.
This Quantum Universum brief is based on the official announcement by the Emirates News Agency (WAM) dated 27 November 2025, “UAE announces approval of National Encryption Policy, issuance of executive regulation.”
Note by Quantum Universum
Building on the announcement by the Emirates News Agency (WAM) and the mandate assigned to the UAE Cybersecurity Council, the United Arab Emirates now stands among the first wave of countries that have framed the transition to post-quantum cryptography (PQC) as a matter of national policy and regulatory design, rather than a purely technical upgrade carried out in isolation by individual organisations. WAM explicitly situates the National Encryption Policy within a broader national strategy for digital security and identifies the UAE Cybersecurity Council as the central authority overseeing PQC migration across government systems (Emirates News Agency, 2025).
At the international level, only a limited number of states have taken similarly structured steps. In the United States, National Security Memorandum 10 (NSM-10), the National Cybersecurity Strategy, and the implementation work led by the National Institute of Standards and Technology (NIST) and other federal bodies direct agencies to coordinate the migration of National Security Systems to quantum-resistant cryptography, with the goal of mitigating as much quantum risk as feasible by 2035 (Moody et al., 2024; The White House, 2022, 2023). In Canada, the Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001), together with the Security Policy Implementation Notice SPIN 2025-01, sets out a multi-phase migration programme for non-classified federal systems, with milestones that culminate in full PQC transition by the end of 2035 (Canadian Centre for Cyber Security, 2025; Government of Canada, 2025). In the United Kingdom, the National Cyber Security Centre (NCSC) has issued a white paper on preparing for quantum-safe cryptography and subsequent guidance on migrating to PQC, and analyses of its “Timelines for migration to PQC” indicate a planning horizon in which critical organisations identify required changes by the late 2020s and aim to complete migration around 2035 (IA Cyber Resilience Committee, 2025; National Cyber Security Centre, 2020, 2023).
In parallel, the United States National Institute of Standards and Technology (NIST) has standardised the first set of post-quantum algorithms in Federal Information Processing Standards (FIPS) 203, 204, and 205, and has published a migration roadmap in NIST IR 8547 that reiterates a 2035 horizon for phasing out quantum-vulnerable algorithms in National Security Systems (Moody et al., 2024; National Institute of Standards and Technology, 2024a, 2024b, 2024c). Alongside this, the NIST Post-Quantum Cryptography (PQC) project and guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the United States Department of Homeland Security (DHS) have created a baseline that emphasises cryptographic inventories, crypto agility, and staged migration as core elements of quantum readiness (Cybersecurity and Infrastructure Security Agency et al., 2023; National Institute of Standards and Technology, 2025; U.S. Department of Homeland Security, 2025a, 2025b).
Within this emerging global pattern, the UAE National Encryption Policy (NEP) has several distinctive characteristics when read in conjunction with the WAM announcement and the role defined for the UAE Cybersecurity Council. First, the NEP is issued as a dedicated national policy with an executive regulation that explicitly requires government entities to prepare clear, well-defined, and officially approved migration plans from traditional encryption to PQC under the oversight of the UAE Cybersecurity Council (Emirates News Agency, 2025). This creates a formal public-law anchor for PQC migration and sets common expectations for ministries, regulators, and operators of critical systems, similar in intent to NSM-10 and Canada’s ITSM.40.001, but adapted to the UAE’s institutional architecture.
Second, the NEP connects encryption directly to a broader national security and trust architecture. The UAE Cybersecurity Council is tasked not only with recommending encryption standards and migration plans, but also with conducting technical and analytical assessments of AI systems, software, hardware, and other technical components, and with structuring its work around four testing and verification pillars: AI reliability testing, software reliability testing, hardware reliability testing, and signal reliability testing (Emirates News Agency, 2025). This approach recognises that quantum resilience does not depend on algorithms alone. It requires a system-level view that considers how cryptography is implemented in code, how it interacts with AI-enabled decision systems, how it is embedded in hardware, and how signals and communications channels are generated, transmitted, and monitored, which aligns with the broader direction of international PQC guidance (Cybersecurity and Infrastructure Security Agency et al., 2023; National Cyber Security Centre, 2020, 2023).
Third, by positioning the UAE Cybersecurity Council as a central node that can support both government and private entities in assessing readiness and obtaining technical accreditation, the NEP provides a potential mechanism for harmonising expectations across sectors that are already strategic for the UAE, such as cloud services, financial infrastructure, telecommunications, energy, and space-based communications. While the WAM announcement does not yet set out sector-specific timelines or detailed technical baselines, the combination of a national policy, an executive regulation, and a structured testing framework places the UAE in a position to issue more granular guidance that aligns domestic practice with NIST PQC standards and other international benchmarks as they evolve (Emirates News Agency, 2025; National Institute of Standards and Technology, 2024a, 2024b, 2024c, 2025; PQShield, 2025).
In practical terms, as in other early-moving jurisdictions, the effectiveness of the National Encryption Policy will depend on implementation choices made within this framework. These include building and maintaining comprehensive cryptographic inventories, prioritising systems that protect long-lived or high-value data, introducing crypto-agile architectures that can accommodate future algorithm changes, and coordinating closely with vendors so that hardware, software, and managed service offerings converge on compatible quantum-safe profiles (Canadian Centre for Cyber Security, 2025; Cybersecurity and Infrastructure Security Agency et al., 2023; Moody et al., 2024; National Cyber Security Centre, 2020, 2023). With the NEP and the mandate given to the UAE Cybersecurity Council, the UAE has created the institutional and regulatory structure within which these measures can be defined and enforced. Quantum Universum will monitor how this structure is translated into concrete roadmaps, sectoral guidance, and accreditation mechanisms as the UAE advances its PQC agenda.
References
Canadian Centre for Cyber Security. (2025, June 24). Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001). Government of Canada.
Cybersecurity and Infrastructure Security Agency. (n.d.). Post-quantum cryptography (PQC) initiative.
Cybersecurity and Infrastructure Security Agency, National Security Agency, & National Institute of Standards and Technology. (2023, August 21). Quantum-readiness: Migration to post-quantum cryptography (cybersecurity information sheet).
https://www.cisa.gov/resources-tools/resources/quantum-readiness-migration-post-quantum-cryptography
Emirates News Agency. (2025, November 27). UAE announces approval of National Encryption Policy, issuance of executive regulation.
https://www.wam.ae/en/article/15w563h-uae-announces-approval-national-encryption-policy
Government of Canada. (2025, October 9). Migrating the Government of Canada to post-quantum cryptography: Security Policy Implementation Notice (SPIN 2025-01).
IA Cyber Resilience Committee. (2025, October). Quantum security threats. Investment Association.
Moody, D., Alperin-Sheriff, J., Barker, E., Dang, Q., Garcia-Morchon, O., Kampanakis, P., & Miller, C. (2024, November 12). Transition to post-quantum cryptography standards (NIST IR 8547, initial public draft). National Institute of Standards and Technology.
https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
National Cyber Security Centre. (2020, November 11). Preparing for quantum-safe cryptography.
https://www.ncsc.gov.uk/whitepaper/preparing-for-quantum-safe-cryptography
National Cyber Security Centre. (2023, November 3). Migrating to post-quantum cryptography (PQC).
https://www.ncsc.gov.uk/blog-post/migrating-to-post-quantum-cryptography-pqc
National Institute of Standards and Technology. (2024a, August 13). Module-lattice-based key-encapsulation mechanism standard (FIPS 203). U.S. Department of Commerce.
https://csrc.nist.gov/pubs/fips/203/final
National Institute of Standards and Technology. (2024b, August 13). Module-lattice-based digital signature standard (FIPS 204). U.S. Department of Commerce.
https://csrc.nist.gov/pubs/fips/204/final
National Institute of Standards and Technology. (2024c, August 13). Stateless hash-based digital signature standard (FIPS 205). U.S. Department of Commerce.
https://csrc.nist.gov/pubs/fips/205/final
National Institute of Standards and Technology. (2025, November 19). Post-quantum cryptography (PQC). Computer Security Resource Center.
https://csrc.nist.gov/projects/post-quantum-cryptography
PQShield. (2025). Industry insights: Post-quantum cryptography regulatory landscape and migration roadmaps.
https://pqshield.com/industry-insights/
U.S. Department of Homeland Security. (2025a, January 28). Post-quantum cryptography.
U.S. Department of Homeland Security. (2025, April 10). Post-Quantum Cryptography Frequently Asked Questions.
https://www.dhs.gov/publication/post-quantum-cryptography-frequently-asked-questions
The White House. (2022, May 4). National Security Memorandum on promoting United States leadership in quantum computing while mitigating risks to vulnerable cryptographic systems (NSM-10). Biden White House Archives.
The White House. (2023). National Cybersecurity Strategy. Biden White House Archives.
Disclaimers
The references to the United States, Canada, and the United Kingdom in this note are provided as a non-exhaustive comparison and serve purely as illustrative examples of government-level post-quantum cryptography (PQC) migration frameworks. They do not constitute a comprehensive survey of all national initiatives in this area and do not reflect any prioritisation or ranking among jurisdictions.
This analytical note reflects Quantum Universum’s independent interpretation of the National Encryption Policy, the mandate of the UAE Cybersecurity Council, and the foreign policy and standards documents cited. It does not represent an official position of the Emirates News Agency (WAM), the UAE Cybersecurity Council, any UAE governmental body, or any foreign government or standards organisation mentioned in this brief.
