MOHAP / DHA / DoH

United Arab Emirates — MOHAP / DHA / DoH

MandatoryLast updated · 2024Verified · 2026-05-28

MOHAP Medical Device Regulation + DoH / DHA cybersecurity standards

Authority

Ministry of Health and Prevention; Dubai Health Authority; Department of Health Abu Dhabi

Enforced

2020 (DoH ADHICS)

Legal framework

MOHAP Medical Devices Regulation + DoH ADHICS + DHA ISR + UAE IA

FDA package reuse

~85%

Editorial estimate · how →

Scope

All medical devices and connected health products marketed in the UAE. Emirate-level cyber standards layer on top of federal device rules.

Pre-market

Conformity to recognised standards (FDA/CE typically accepted), cybersecurity risk dossier, ADHICS / ISR alignment for hospital-deployed systems.

Post-market

Adverse-event reporting, coordinated disclosure, ADHICS audit cycles for Abu Dhabi entities.

SBOM

Recommended

Encouraged for connected devices; mirrors FDA expectations.

Vulnerability disclosure

UAE Cyber Security Council coordination expected.

Penalty

Registration cancellation, fines under federal cybercrime law and ADHICS / ISR sanctions.

Unique requirements

01Local Authorised Representative
02ADHICS v2 compliance for Abu Dhabi
03DHA ISR compliance for Dubai
04Arabic labelling for end users

Highlights

ADHICS v2 mandatory in Abu Dhabi healthcare
DHA ISR for Dubai hospital deployment
FDA / CE recognition shortens path

Aligns with

IMDRF N60 FDA 2023 Guidance ISO 27001 NIST CSF

Timeline

2014

DoH HIIP precursor introduced
2020

ADHICS v1 published
2024

ADHICS v2 enforcement extended

Key documents

MOHAP Digital Security

https://mohap.gov.ae/en/references/digital-security

Department of Health Abu Dhabi (ADHICS)

https://www.doh.gov.ae/en/

Dubai Health Authority (DHA ISR)

https://www.dha.gov.ae/

Related markets

Israel

~90% FDA reuse

Canada

~95% FDA reuse

United States

~100% FDA reuse

Japan

~70% FDA reuse

Frequently asked about United Arab Emirates

Is SBOM required for medical devices in United Arab Emirates?

Recommended. Encouraged for connected devices; mirrors FDA expectations.

What does MOHAP / DHA / DoH require for pre-market cybersecurity?

Conformity to recognised standards (FDA/CE typically accepted), cybersecurity risk dossier, ADHICS / ISR alignment for hospital-deployed systems.

What are the post-market cybersecurity obligations under MOHAP / DHA / DoH?

Adverse-event reporting, coordinated disclosure, ADHICS audit cycles for Abu Dhabi entities.

What is the penalty for non-compliance with MOHAP / DHA / DoH cybersecurity rules?

Registration cancellation, fines under federal cybercrime law and ADHICS / ISR sanctions.

How much of my FDA cybersecurity package is reusable in United Arab Emirates?

Roughly 85% — an editorial estimate based on overlapping evidence requirements (threat model, SBOM, security risk assessment, pen-test report).