This is part six of a six part series, to read the previous insights please view the series navigation at the bottom of this page.

Regarding the security levels of the Electronic Identification System, Article 33 of the Decree Law outlines the following:

• The security and trust levels of the Electronic Identification System and the associated Digital Identity are categorized into three degrees: Low, average, and high. These classifications are defined as follows:
  (i) Low Degree: This corresponds to a low security and trust level within the Electronic Identification System. It offers limited trust and acceptance of an individual's claimed identity. It involves the implementation of technical and administrative standards and procedures to minimize the risks of identity misuse or manipulation.
  (ii)Average Degree: This refers to an intermediate security and trust level within the Electronic Identification System. It provides a moderate level of trust and acceptance of an individual's claimed identity. It involves the adoption of technical and administrative standards and procedures primarily aimed at reducing the risks of identity misuse or manipulation.
  (iii) High Degree: This signifies a high security and trust level within the Electronic Identification System. It ensures a significant level of trust and acceptance of an individual's claimed identity. It involves the implementation of comprehensive technical and administrative standards and procedures to completely eliminate risks and prevent the misuse or manipulation of the provided identity.
• The Licensee is required to:
  (i) Display the security and trust levels associated with the Digital Identity issued through the Electronic Identification System to the Approved Party.
  (ii) Ensure adherence to the specifications, standards, and technical procedures corresponding to the relevant security level in the Electronic Identification System and Digital Identity as approved by the Authority.
• The Digital Identity used within the scope of Approved Trust Services must adhere to the high security and trust level.
• The Authority, in collaboration with relevant Concerned Entities, shall establish the technical conditions and standards that need to be met in terms of security and trust levels. The following aspects shall be taken into consideration:
  (i) Development of standards to distinguish between various security and trust levels based on the level of trust and acceptance.
  (ii)Verification procedures for individuals requesting the issuance of a Digital Identity.
  (iii) Technical and security specifications of the Digital Identity, along with procedures for its issuance and the responsible entity.
  (iv) Verification processes to confirm the identity of any individual to the Approved Party.
  (v)Types of transactions and services offered by governmental or private entities.

In relation to Penalties, as outlined in Article 39 of the decree law, individuals who engage in forgery or participate in the forgery of Electronic Documents, Electronic Signatures, Electronic Stamps, authentication certificates, Trust Services, and other Approved Trust Services shall face penalties of imprisonment and/or a fine. The fine shall not be less than one hundred thousand Dirhams (AED 100,000) and not more than three hundred thousand Dirhams (AED 300,000).

Individuals found guilty of forgery or participation in forgery of Electronic Documents, Electronic Signatures, Electronic Stamps, authentication certificates, Trust Services, and other Approved Trust Services associated with federal or local government, federal or local authorities, or public institutions will face penalties of temporary imprisonment and a fine. The fine shall not be less than one hundred fifty thousand Dirhams (AED 150,000) and not more than seven hundred and fifty thousand Dirhams (AED 750,000).

Furthermore, anyone knowingly using a forged Electronic Document shall be subject to the same penalty as imposed for the act of forgery, as appropriate.

According to Article 40 of the decree law, those who exploit Trust Services or Approved Trust Services without legitimate authorization shall face imprisonment for a term not exceeding one year and/or a fine ranging from one hundred thousand Dirhams (AED 100,000) to one million Dirhams (AED 1,000,000).

Moreover, individuals who employ deceptive techniques, assume a false identity, or provide incorrect information to gain access to Approved Trust Services will also be subject to the same penalties. Committing any of these acts with the intention of committing a crime will be considered an aggravating factor.

As per Article 41 of the decree law, those who knowingly create, publish, or provide someone else with an authentication certificate under specific circumstances shall face imprisonment for a period not exceeding one year and/or a fine ranging from fifty thousand Dirhams (AED 50,000) to five hundred thousand Dirhams (AED 500,000). These circumstances include:

• The certificate is not issued by the Licensee whose name is displayed on it.
• The Signatory whose name is on the certificate has rejected it.
• The certificate has been revoked, except if it's being used to validate any Electronic Signature or Electronic Stamp that was
• The certificate contains incorrect or inaccurate information.

As outlined in Article 42 of the decree law, any individual who, with authority granted by this Decree-Law, accesses confidential and sensitive information found in records, documents, or electronic correspondence, and intentionally divulges any of this information contrary to the provisions of the Decree-Law, shall face the following penalties:

• Temporary imprisonment and/or a fine not less than five hundred thousand Dirhams (AED 500,000) if the confidential information is of sensitive nature.
• Imprisonment and/or a fine not less than two hundred and fifty thousand Dirhams (AED 250,000) and not more than five hundred thousand Dirhams (AED 500,000) if the confidential information is not of sensitive nature.
• In cases where the disclosure of sensitive or non-sensitive confidential information is caused by negligence, the offender shall be subject to imprisonment and/or a fine not exceeding five hundred thousand Dirhams (AED 500,000).

It's important to note that instances of information disclosure made for the purpose of implementing the provisions of this Decree-Law or as part of any judicial procedure are exempt from these penalties.

As stated in Article 43 of the decree law, any individual who intentionally provides inaccurate data to the Licensee with the intention of obtaining or revoking an authentication certificate shall be subject to the following penalties:

• Imprisonment for a period not exceeding six months.
• A fine not less than twenty thousand Dirhams (AED 20,000) and not more than one hundred thousand Dirhams (AED 100,000).

According to Article 44 of the decree law, individuals who are licensed to provide Trust Services or Approved Trust Services and violate the provisions outlined in this Decree-Law, its Implementing Regulation, or the decisions issued in its implementation related to these services, shall face the following penalties:

• A fine not less than fifty thousand Dirhams (AED 50,000) and not exceeding two hundred and fifty thousand Dirhams (AED 250,000).
• Refusing to subject their systems and operations, which belong to Trust Service Providers or Approved Trust Service Providers, to an audit by compliance assessment entities as per the regulations of this Decree-Law, its Implementing Regulation, and the decisions issued to enforce it.
• Publishing advertisements or descriptions about Trust Services, Approved Trust Services, or Approved Trust Marks with the intention of promotion or misleading, contrary to the decisions issued by the Authority.

According to Article 45 of the decree law, individuals who commit the following actions shall face penalties of imprisonment and/or a fine not less than five hundred thousand Dirhams (AED 500,000) and not exceeding one million Dirhams (AED 1,000,000):

• Engaging in any of the Trust Services or Approved Trust Services without being licensed or exempted from obtaining a license as stipulated by the provisions of this Decree-Law. This applies whether the individual is performing these services for themselves or for others, or assisting others in doing so.
• Deliberately altering, destroying, or concealing any document or information that the Authority has requested in accordance with the provisions of this Decree-Law.

As outlined in Article 46 of the decree law, the Court has the authority to order the confiscation of tools and devices that were employed in the commission of any of the offenses specified within this Decree-Law. This action will be taken without impacting the rights of innocent third parties.

Concerning Administrative Violations and Penalties, Article 48 of the decree law establishes that the Cabinet will make a decision outlining the actions that qualify as violations of the regulations within this Decree-Law, along with its Implementing Regulation and the decisions made to put it into practice. This decision will also define the administrative penalties that should be imposed in such cases.

Regarding Law Enforcement Officers, Article 49 of the decree law establishes that employees of the Authority, as designated by a decision from the Minister of Justice in agreement with the Chairman, will possess the authority to enforce the law by substantiating violations that have occurred concerning the regulations outlined in this Decree-Law, its Implementing Regulation, and the decisions made to put it into practice. Each officer will exercise this authority within their respective jurisdiction.

Lastly, Article 50 of the decree law mandates that individuals subject to the regulations of this Decree-Law must align their circumstances with its provisions and those of its Implementing Regulation within a maximum timeframe of one year from the date it becomes effective. This timeframe can be extended for additional periods as determined by a Cabinet decision, following a recommendation from the Chairman.

We've now come to the end of this guide. Thank you for reading, if you have any questions please don't hesitate to contact Hesham ElSamra.