Security Robots in the UAE: SIRA Licensing and Real Compliance

A security robot operating inside Dubai is not a product. It is a licensed security service, and that distinction governs everything that follows.

The Emirate of Dubai treats every patrolling unit, fixed or mobile, manned or autonomous, as a regulated activity under the Security Industry Regulatory Agency. The robot does not have a separate legal category. It inherits the obligations of a guard, a camera system, and a control room operator at once. Operators arriving from Europe, North America or East Asia frequently underestimate this point. They treat the machine as hardware. The regulator treats it as a function. The function is licensed, audited, suspended and, in the wrong configuration, prosecuted.

What follows is a structured account of the regime, drawn from manufacturer practice and from the chapters on autonomous systems and integration in BOSWAU + KNAUER. From Building to Security Technology. The aim is to give operators a usable map of what compliant deployment in Dubai actually requires, rather than what marketing material in the wider Gulf market suggests.

The legal frame: Federal Law 19 of 2007 and the SIRA mandate

UAE Federal Law No. 19 of 2007 established the framework for private security services in the Emirates. The law is short on technological detail and deliberately broad on scope. Any commercial activity that involves the protection of persons, property, premises or information by non-state actors falls under its provisions. The federal text was followed by emirate-level implementation, and in Dubai the implementing authority is SIRA, the Security Industry Regulatory Agency, established in 2016 under Law No. 12 of 2016.

SIRA operates with a logic that should be familiar to operators who have worked under IEC 62443 zone and conduit thinking, or under ISO 27001 control mapping. Every actor in the chain carries a license. The security company carries an operating license. The individual guard carries a personal license. The training provider carries an accreditation. The technology system carries a product approval. When an autonomous patrol is introduced, it does not bypass this chain. It must be inserted into it at every layer simultaneously.

The practical consequence is that a manufacturer cannot simply sell a security robot to a Dubai end customer and walk away. The end customer, if it is a security services provider, must already hold the relevant SIRA category. The robot must be registered as an approved security system. The personnel who supervise the robot must hold individual licenses. The control room receiving the robot's alerts must itself be a SIRA-recognised facility. Any gap in this chain renders the entire deployment unlicensed, and unlicensed security activity in Dubai is not a soft administrative matter. It carries fines, equipment seizure and, in repeat cases, criminal exposure for the directors of the operating entity.

This is why the manufacturer's posture in the UAE is necessarily different from the European posture. In Germany, a security robot is sold as a product and integrated by the customer's security department under their own GewO Section 34a regime. In Dubai, the manufacturer is drawn into the licensing chain because the regulator wants to see a named entity that takes responsibility for the technology's behaviour in the field. The distinction between supplier and operator blurs, and contracts must reflect this from the first page.

What SIRA actually inspects in an autonomous system

SIRA's technical evaluation of an autonomous patrol covers four blocks. The first is identification and traceability. Every device must carry a serial identity that maps to a registered owner, a registered operator and a registered control room. The robot must be capable of producing this identity on demand, both physically through a visible plate and digitally through its communications layer. This is not a courtesy for the inspector. It is the prerequisite for any post-incident reconstruction the regulator may order.

The second block is data handling. Footage, audio and telemetry produced by the robot are regulated personal data under UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, and within Dubai under the additional layer of DIFC Data Protection Law No. 5 of 2020 where applicable. SIRA wants to see retention periods declared, storage locations identified, access logs maintained, and lawful basis documented. A robot streaming video to a server in Frankfurt without explicit declaration of cross-border transfer is a finding waiting to happen. NIST 800-53 control families covering audit and accountability, AU-2 through AU-12, map cleanly onto what SIRA inspectors want to see, even though SIRA does not cite NIST directly.

The third block is operational safety. The robot must demonstrate that it cannot cause harm to bystanders under foreseeable failure modes. This includes emergency stop behaviour, obstacle response, behaviour on loss of communication and behaviour at battery exhaustion. CISA guidance on operational technology safety and the IEC 62443-3-3 system requirements provide a defensible reference frame. The inspector will not ask for the standard by name. The inspector will ask what happens when the robot encounters a child, a wheelchair user or a parked emergency vehicle, and the answer must be backed by documented test evidence.

The fourth block is intervention capability. An autonomous patrol that detects an incident but cannot trigger a licensed human response is, in regulatory terms, a surveillance camera on wheels. SIRA wants to see the full chain from detection to deployed guard, with response times committed in writing and with the responding entity itself licensed. This is where many proposals fail. The technology works. The chain behind it does not exist. The license is refused not because of the robot but because of what stands or fails to stand behind it.

ESMA standards and the parallel technical track

Alongside the security licensing regime, the Emirates Authority for Standardization and Metrology, now operating within the Ministry of Industry and Advanced Technology, sets the technical conformity expectations for equipment placed on the UAE market. ESMA, or its successor function, governs electromagnetic compatibility, radio emissions, electrical safety and increasingly the conformity assessment of robotic and AI-enabled systems. A security robot must carry the appropriate ECAS or equivalent conformity marking before it can be commercially deployed.

The ESMA regime runs in parallel to SIRA. It does not substitute for SIRA approval, and SIRA approval does not substitute for ESMA conformity. Operators who treat the two as interchangeable produce deployments that pass one inspection and fail the next. The manufacturer's job is to present a dossier that satisfies both regimes simultaneously, which in practice means harmonising European CE evidence, FCC-style emissions data, IEC 62443 cybersecurity documentation and ISO 27001 information security controls into a single technical file that can be reformatted for either regulator.

The radio layer deserves particular attention. A robot using 4G or 5G uplinks, Wi-Fi for local diagnostics, Bluetooth for maintenance and proprietary radio for tag-based localisation can easily breach UAE Telecommunications and Digital Government Regulatory Authority requirements without anyone noticing during a demonstration. The TDRA controls which frequencies may be used commercially, at what power levels, and under what licensing arrangement. A robot importing a European radio profile unchanged will, in many configurations, transmit on bands that require a separate UAE authorisation. This is not a theoretical problem. It is the most common technical finding in initial inspections.

Manufacturers familiar with the German BSI catalogue, the BSI IT-Grundschutz compendium and the wider European cybersecurity framework will recognise the underlying logic. The UAE has not invented a parallel universe. It has selected from international practice and assembled a regime that fits its enforcement priorities. The work for the manufacturer is mapping, not invention.

Licensing a robot in practice: the procedural path

The procedural path from a sealed crate at Jebel Ali to an operating robot on a Dubai site typically runs through six stages, and the sequence matters. Reversing any two of them produces delay and, in some cases, outright refusal.

Stage one is the commercial license of the operating entity. The company that will run the robot, whether it is a manufacturer's UAE subsidiary, a local security services partner or an end customer with an in-house security function, must hold the appropriate Department of Economy and Tourism license with the right activity codes. Without this, no SIRA file can be opened. Stage two is the SIRA company license for security services, in the category matching the intended use, typically Security Systems Installation and Maintenance combined with Manned Guarding where applicable. Stage three is product registration, in which the robot is submitted to SIRA for evaluation as an approved security technology, with the technical file, test reports and operational procedures.

Stage four is personnel licensing. Every operator, supervisor and maintenance technician who will interact with the robot in a security function must hold individual SIRA cards. Stage five is the site permit, granted per deployment location, in which SIRA confirms that the specific site, the specific configuration and the specific response chain meet the regulator's expectations. Stage six is the operational audit, which occurs after deployment and which validates that what was promised on paper is what happens in the field. The audit is recurring, not one-off.

Each stage has its own timeline. The realistic expectation, for a manufacturer entering Dubai for the first time, is six to nine months from first filing to first compliant deployment, assuming the technical file is complete and the local entity is already established. Compressing this is possible but expensive, and the compression usually shows up later as findings during the operational audit. The discipline of Path II in our practice, a three to five day audit, exists precisely to map this terrain before commitments are made.

The cybersecurity overlay and the international standards anchor

Cybersecurity of autonomous security systems is increasingly treated by SIRA and by the UAE Cyber Security Council as a precondition for licensing rather than an optional improvement. The Council, established in 2020, has issued guidance that points operators toward NIST CSF 2.0 and ISO 27001 as the assumed baseline. IEC 62443, originally developed for industrial control systems, has become the de facto reference for the operational technology layer of security robots. ASIS International's guidelines on the convergence of physical and information security inform how the regulator thinks about the boundary between the two domains.

The practical implication for the manufacturer is that the robot must be defensible not only as a mechanical and optical system but as a networked information system. Identity and access management on the robot's onboard systems, segmentation of its communications, hardening of its update mechanism, logging of all administrative actions and the existence of an incident response procedure are all subjects of inspection. The General Insurance Association of Germany, the GDV, has issued comparable expectations for security technology deployed at insured sites in Europe, and the NICB tracks similar concerns in the North American property protection context. None of this is exotic. It is the consolidation of practice that has been developing for a decade.

What is specific to Dubai is the speed of enforcement and the seriousness of consequence. A finding of inadequate cybersecurity on a deployed security robot is not addressed through a polite letter. It is addressed through suspension of the site permit, which in turn means the robot stops operating until the finding is closed. For an operator who has built a service contract around the robot's availability, this is a commercial event, not a technical one. The manufacturer who has not anticipated this in the contract structure will find itself in a difficult conversation with its customer.

What holds

A security robot in Dubai operates in a regulated space that does not forgive the assumption that hardware quality alone constitutes compliance. SIRA licensing, ESMA conformity, TDRA radio authorisation, data protection compliance and cybersecurity assurance are not parallel options. They are concurrent obligations, and they must be carried by named entities with documented capability.

The manufacturer that wants to operate in the Emirate does not arrive with a product. It arrives with a system of obligations that it is prepared to enter, and with a partner architecture that allows those obligations to be discharged in a way the regulator can verify. The work is procedural, technical and contractual in equal measure. None of the three substitutes for the others.

For operators considering entry, the first useful step is rarely a purchase. It is a conversation, sixty minutes, in which the actual posture of the intended deployment is examined against the regulatory regime as it stands. Path I in our practice exists for this purpose. Where the posture warrants it, a three to five day audit follows, and a ninety-day pilot under SIRA conditions can be designed once the audit is closed. The order matters. Reversing it produces the failures that fill the regulator's quarterly reports.

Frequently asked questions

What does SIRA require from autonomous systems?

SIRA requires that an autonomous security system be traceable, accountable, safe under foreseeable failure, and embedded in a licensed response chain. Concretely this means a registered owner, a registered operator, a documented data handling regime under UAE Federal Decree-Law 45 of 2021, demonstrated operational safety with test evidence, and a verified link to a licensed control room with named personnel. The robot itself must carry product approval. Personnel interacting with it must carry individual SIRA cards. The site of deployment must hold a current permit. All four layers operate concurrently.

How is a robot licensed in Dubai?

The path runs in six stages. First, the operating entity secures the correct commercial license from the Department of Economy and Tourism. Second, it obtains the SIRA company license for the relevant security activity. Third, the robot is submitted for product approval with full technical file. Fourth, personnel licenses are issued for operators and supervisors. Fifth, a site permit is granted for the specific deployment location. Sixth, the operational audit validates that field practice matches the file. Realistic timeline from first filing to compliant operation is six to nine months.

Which standards apply alongside SIRA?

ESMA conformity governs electrical safety, electromagnetic compatibility and product marking. TDRA authorisation governs radio emissions and spectrum use. UAE Federal Decree-Law 45 of 2021 and, where relevant, DIFC Data Protection Law govern personal data. NIST CSF 2.0, NIST 800-53, ISO 27001 and IEC 62443 form the assumed cybersecurity baseline referenced by the UAE Cyber Security Council. ASIS International guidance informs the physical-information security convergence. GDV and NICB practices provide useful international comparators. CISA operational technology guidance applies to the OT layer of the robot.

What happens if a robot operates without license?

Unlicensed security activity in Dubai is not treated as an administrative oversight. SIRA can impose fines, seize equipment and suspend the operating entity's license. The site permit is withdrawn, which terminates the robot's right to operate at that location immediately. Directors of the operating entity carry personal exposure, including potential criminal liability in cases of repeated or willful non-compliance. Insurance coverage for incidents during unlicensed operation is typically void. The reputational consequence for a manufacturer associated with such a deployment extends well beyond the immediate case and affects future filings.