Dawn Raids and Digital Evidence Seizure in the UAE: The First Hour

What this guide covers

  1. The Legal Framework: Search and Seizure Powers Under CPL 38/2022
  2. The First Hour: What Your Team Must Do Immediately
  3. Device Seizure and Digital Evidence: Scope, Procedure and Vulnerabilities
  4. Legal Professional Privilege: Assertion, Limits, and Practical Challenges
  5. Challenging the Chain of Custody: Admissibility and Defence Strategy
  6. Post-Raid Obligations, Personal Exposure, and Regulatory Consequences
  7. Pre-Raid Preparedness: Building a Defensible Corporate Response Programme
  8. Practical checklist
  9. What we'd typically advise
  10. Frequently asked questions

When investigators arrive unannounced, the decisions made in the first sixty minutes determine the shape of every proceeding that follows. This guide sets out the precise legal framework, practical response steps, and strategic considerations for executives, GCs and boards facing a dawn raid in the UAE.

The primary statute governing search and seizure in the UAE is Federal Decree-Law 38/2022 (Criminal Procedure Law, "CPL"), which came into force on 1 March 2023 and was subsequently amended by Federal Decree-Law 45/2023. This law replaced the former CPL and contains materially expanded powers for public prosecutors and delegated investigators, including dedicated provisions addressing electronic and digital evidence — a significant departure from the prior framework. Executives must understand that the CPL does not restrict enforcement to the courts: the Public Prosecution has independent authority to order searches under Articles 53 to 60 of the CPL, and in urgent cases investigators may act on the orders of senior prosecutors without a separate judicial warrant.

Under CPL Article 53, a search warrant must ordinarily specify the premises, the suspected offence, and the items sought. However, Article 54 permits oral authorisation by a prosecutor in circumstances of urgency or where delay might result in the concealment or destruction of evidence — a provision frequently relied upon to justify unannounced raids. Critically, CPL Article 56 empowers investigators to seize any item found during a lawful search that may constitute evidence, even if not specified in the original warrant, provided they record it contemporaneously. This broad incidental seizure power means that electronic devices, cloud-storage tokens, personal mobile phones, and portable hard drives that were never mentioned in the warrant can be lawfully retained.

Sector-specific investigators — including those from the Central Bank (operating under CBUAE Law No. 6/2025) and financial intelligence units conducting AML investigations under Federal Decree-Law 10/2025 — have delegated prosecutorial powers and may exercise CPL search authorities independently. Since FDL 10/2025 came into force on 14 October 2025, proliferation financing and tax evasion are now express predicate offences for money laundering, and the personal liability of managers who fail to prevent AML violations is codified. This substantially widens the category of individuals who may find themselves the subject of a dawn raid rather than merely a witness.

Searches of private dwellings attract additional procedural protection under CPL Article 55: the occupant or a representative must be present, and where that is not possible, two adult witnesses must attend. Commercial premises do not benefit from the same formality requirement, and in practice raids on corporate offices proceed rapidly and with considerable discretion afforded to the lead investigator. Understanding these distinctions is critical because challenges to admissibility frequently turn on whether the procedural requirements for the category of premises were actually observed.

The First Hour: What Your Team Must Do Immediately

The moment investigators present credentials at reception, a clear internal protocol should activate without hesitation. The single most important instruction is this: no employee should speak substantively with investigators, hand over any document or device, or grant access to any system until a lawyer is present or has been contacted by telephone. This is not obstructiveness — it is the responsible exercise of procedural rights. Under CPL Article 63, a person being questioned is entitled to seek legal assistance, and that right should be asserted immediately and calmly by a senior representative such as the General Counsel or CEO.

Designate one senior person — typically the GC or a board-level officer — as the sole point of contact with investigators. That person's role is to verify credentials, receive and read the warrant or authorisation carefully (noting its scope, the named prosecutor, the date and time of issue, and the specific offences cited), and to request a brief delay to allow legal counsel to attend. In practice, investigators will rarely grant more than 30 to 60 minutes, and they are not legally obliged to do so under the CPL — but a polite, professional request citing the need to instruct counsel rarely results in an immediate refusal. Do not place obstacles in investigators' path or deny physical access once a valid warrant is produced, as obstruction constitutes an independent criminal offence under Federal Decree-Law 31/2021 (Penal Code), Article 257.

While awaiting counsel, ensure that a contemporaneous log is started immediately: record the names and badge numbers of all investigators, the time of arrival, what credentials and documents they produce, and every action they take. This log becomes critical evidence in any subsequent challenge to admissibility or chain of custody. Assign a second employee solely to this documentation task — they should follow investigators through the premises, observing without interfering, and recording every item examined, copied or seized. Photographs of the scene, if permitted, should be taken; if investigators object, the objection itself should be noted in writing.

Instruct all staff not to delete, move, or alter any document, record or electronic file. This instruction must be unambiguous and documented, both to demonstrate good faith and to ensure that no employee inadvertently creates an obstruction or evidence-tampering exposure. Under CPL Article 60, interference with seized or seizable evidence is an offence, and following a raid there is a heightened prosecutorial focus on communications made in the hours immediately after investigators depart.

Device Seizure and Digital Evidence: Scope, Procedure and Vulnerabilities

Digital evidence seizure is now the central battleground in UAE white-collar investigations. CPL 38/2022 for the first time introduced a dedicated chapter on electronic evidence, reflecting both the sophistication of modern financial crime and the recommendations arising from the UAE's FATF grey-listing period (2022–2024). Under CPL Article 70, investigators are empowered to seize computers, servers, smartphones, tablets, external storage media, and any device capable of storing or transmitting data relevant to the investigation. Crucially, this power extends to imaging — creating a forensic bit-for-bit copy of a device — and to the compelled disclosure of access credentials where a court order is obtained under CPL Article 72.

The standard forensic protocol requires investigators to: (a) seal the original device and create a verified forensic image; (b) generate a hash value for both the original and the image to establish integrity; (c) record the seizure in the search register under CPL Article 57; and (d) provide the seized-item receipt to the occupant. In practice, compliance with this protocol is inconsistent, and each point of non-compliance is a potential admissibility challenge. Defence counsel should scrutinise whether proper chain-of-custody documentation was maintained from the moment of seizure, and whether the hash values were independently verified. Any break in the documented chain of custody weakens the probative value of digital evidence at trial and may provide grounds to exclude it under CPL Article 208, which empowers courts to exclude unlawfully obtained evidence where admission would violate rights guaranteed by the CPL.

Cloud data and SaaS platforms present distinct complications. If corporate data is stored on servers outside the UAE — common for multinationals using US or EU cloud infrastructure — investigators may issue a Mutual Legal Assistance request under Federal Law 39/2006 as amended by FDL 38/2023 to compel foreign disclosure. Alternatively, if an employee's local device is synchronised with a cloud account, investigators may access cloud data through that device without a separate MLA request. Counsel should assess the synchronisation state of all seized devices immediately and advise the company's cloud providers to preserve logs while taking no further action pending legal advice. For DIFC and ADGM entities, additional data protection obligations under DIFC Law No. 5 of 2020 and ADGM Data Protection Regulations 2021 apply to how cloud data is disclosed to third parties including investigators.

Where the company operates in the virtual asset space, the Travel Rule obligations under Cabinet Resolution 134/2025 (AED 3,500 threshold for originator/beneficiary data) mean that VARA-regulated entities will have extensive transaction records that investigators can access, and the VARA Rulebooks 2.0 (May 2025) require record retention that effectively creates a ready-made evidentiary archive. DIFC entities should also note that DIFC Digital Assets Law 2/2024 classifies crypto assets as property, giving courts clear jurisdiction to freeze and seize them — a power likely to be exercised during or immediately following a raid.

Legal professional privilege (LPP) is the most frequently contested issue during a UAE dawn raid, and its parameters under UAE law are narrower and less clearly codified than under English law. The UAE does not have a single statute comprehensively defining LPP. The closest statutory expression is found in Federal Decree-Law 31/2021 (Penal Code), Article 379, which criminalises disclosure of professional secrets, and in the UAE Advocates Law (Federal Law 23/1991 as amended), which establishes the duty of confidentiality for licensed advocates. The CPL does not contain an express privilege clause, but CPL Article 68 recognises that communications between an accused and their defence counsel are not to be used as evidence against the accused, providing a functional (if narrower) form of protection.

In practice, the assertion of privilege during a raid requires immediate, specific, and documented action. The designated company representative must clearly identify privileged materials — legal advice memoranda, counsel instructions, draft pleadings, external counsel correspondence — and physically separate them before investigators can review their content. The representative should state formally, on the record, that the identified materials are subject to legal professional privilege and are not available for inspection pending a court ruling. Investigators are not empowered under the CPL to make privilege determinations in the field; that is a judicial function. If investigators insist on seizing potentially privileged materials, the appropriate response is to request that the materials be sealed in the presence of a representative and lodged with the prosecution pending a judicial ruling, rather than permitting immediate inspection.

A critical vulnerability is in-house counsel communications. UAE law does not extend the same privilege protection to in-house lawyers as to external advocates, because in-house counsel are employees rather than independent practitioners. Advice memoranda drafted by an in-house legal team may not attract privilege and can be seized and reviewed. This distinction, well-established in common law systems, is acutely important in the UAE context and argues strongly for routing sensitive legal work through external, UAE-licensed advocates. Following the raid, counsel should seek an urgent application before the relevant court to determine the privileged status of any seized materials before investigators access them.

For financial institutions operating under CBUAE Law No. 6/2025, regulatory examination powers sit alongside criminal investigation powers, and materials shared with the Central Bank in a supervisory context may later be transmitted to the Public Prosecution. The boundary between supervisory confidentiality and investigative disclosure is not clearly legislated and requires case-by-case assessment. Similarly, suspicious transaction reports filed under FDL 10/2025 Article 15 are expressly protected from disclosure by the reporting entity — the tipping-off prohibition — but investigators with a warrant can compel disclosure of the underlying transaction records through which an STR was generated.

Challenging the Chain of Custody: Admissibility and Defence Strategy

A chain-of-custody challenge is one of the most effective tools available to defence counsel in UAE white-collar proceedings, particularly given the relatively nascent state of digital forensics protocols in some investigative units. Under CPL Article 208, evidence obtained in violation of the rights guaranteed by the CPL or the Constitution may be excluded by the court if admission would produce an unjust result. While UAE courts historically applied a more generous admissibility standard than common law courts, the reforms introduced by CPL 38/2022 have moved toward a more rights-protective approach, creating greater scope for exclusionary arguments.

Effective chain-of-custody challenges require the defence to obtain and scrutinise: (a) the original seizure register prepared under CPL Article 57; (b) the forensic imaging logs including hash values at each stage; (c) the evidence storage protocols at the prosecution's facility, including access logs; (d) any transfers of evidence between investigative units or to foreign counterparts under MLA arrangements; and (e) the credentials and qualifications of the forensic examiner who analysed the digital material. Each of these documents can be requested through formal disclosure applications under CPL Article 250, which requires the prosecution to disclose material in its possession that is relevant to the defence, including exculpatory evidence.

Where evidence has passed through multiple investigative authorities — for example, where a CBUAE supervisory referral becomes a Public Prosecution investigation, or where FATF-mandated information sharing with a foreign financial intelligence unit has occurred — the custody chain becomes particularly complex. Defence counsel should map the complete history of each piece of evidence, identify every transfer point, and demand contemporaneous documentation for each. Gaps in that documentation, particularly where digital evidence was accessed without a logged entry, support an inference of potential contamination that the prosecution must address.

Practical experience in UAE proceedings demonstrates that challenges are most likely to succeed where: the original device was not properly sealed; where different hash values appear between the original and working copies; where investigators accessed cloud accounts without judicial authorisation; or where there is evidence that devices were powered on (and therefore potentially altered) before imaging. Engage an independent digital forensics expert at the earliest opportunity — their ability to test the prosecution's forensic methodology is decisive in contested proceedings.

Post-Raid Obligations, Personal Exposure, and Regulatory Consequences

The immediate aftermath of a raid generates a cascade of concurrent obligations that must be managed simultaneously. For listed companies or regulated entities, disclosure obligations may be triggered immediately. Entities regulated by the CMA (formerly SCA) under Federal Decree-Law 32/2025 (effective 1 January 2026) are subject to continuous disclosure requirements, and a material regulatory investigation may constitute a price-sensitive event requiring prompt announcement. Separately, insider-dealing restrictions under Federal Decree-Law 33/2025 apply: once employees are aware of an investigation, trading in the company's securities on the basis of that non-public information carries criminal penalties of up to AED 200 million and personal imprisonment.

For entities regulated by the CBUAE under Law No. 6/2025, a dawn raid by the Public Prosecution will typically trigger a concurrent obligation to notify the Central Bank. Failure to make that notification can itself constitute a regulatory breach attracting administrative fines of up to AED 1 billion. Similarly, VARA-regulated virtual asset service providers must consider their regulatory notification obligations under the VARA Rulebooks 2.0 (May 2025), which require prompt reporting of material adverse events including law enforcement contact. Boards should seek specific advice on each applicable regulatory notification obligation within 24 hours of the raid concluding.

Personal exposure for individual executives is a growing feature of UAE enforcement, and it is substantially widened by FDL 10/2025, which codifies the personal criminal liability of managers who knew or ought to have known of AML/CFT violations and failed to act. Under the Penal Code FDL 31/2021, Article 65, corporate criminal liability does not extinguish personal liability — both the company and responsible individuals may be prosecuted. There is no statute of limitations for money laundering under FDL 10/2025, meaning that historic conduct remains indefinitely exposed to prosecution. Executives who are also beneficial owners should note that Cabinet Decision 109/2023 (the 25% beneficial ownership test) creates a documented record that investigators will use to establish control and knowledge.

Where a raid is connected to cross-border asset recovery — an increasingly common pattern — the DIFC Court's jurisdiction under DIFC Court Law 2/2025 to grant worldwide freezing orders without any local asset nexus, confirmed by the ADGM in A17 v B17 [2025], means that assets in multiple jurisdictions may be frozen within hours of investigators identifying the target. This creates acute personal liquidity risk for HNW individuals and argues for proactive asset structuring and legal advice well before any investigation becomes public.

Pre-Raid Preparedness: Building a Defensible Corporate Response Programme

The most effective dawn raid response is one rehearsed before investigators ever arrive. A corporate dawn raid protocol should be a living document embedded in the company's crisis-management framework, reviewed at least annually and updated to reflect legislative changes — the transition from CPL 35/1992 to CPL 38/2022 caught many companies with outdated protocols that had been calibrated to powers and procedures that no longer exist. The protocol should designate a named response team (with deputies), pre-identify external criminal counsel and digital forensics experts with retainer agreements in place, and establish clear escalation paths to the board and, where applicable, to regulators.

Staff training is not optional. Receptionists, IT administrators, office managers, and personal assistants are likely to be the first employees investigators encounter. Each should be trained to: verify credentials without confrontation; immediately contact the designated response officer; not discuss the company's business; and not permit access to systems pending senior direction. A single uninstructed employee who answers an investigator's questions or hands over a laptop can inadvertently waive important procedural protections that counsel would otherwise have preserved.

Document management and legal hold procedures should be robust and tested. Under CPL Article 60, destruction of documents after an investigation is known or anticipated is a criminal offence. This means that routine document destruction schedules must be suspended at the first credible indication of an investigation, which may precede a raid by weeks or months. A properly implemented legal hold, documented in writing and distributed to relevant custodians, demonstrates good faith and may mitigate sentencing considerations under the Penal Code FDL 31/2021 if matters ultimately proceed to trial.

For companies operating across the financial services, virtual assets, or capital markets sectors, the convergence of the post-FATF enforcement environment — the UAE was removed from the FATF grey list in February 2024 and faces its next mutual evaluation in 2026 — with the new legislative framework means that regulatory and criminal investigations are proceeding concurrently with greater frequency. A pre-raid preparedness programme must therefore address not only the immediate criminal response but also the parallel regulatory engagement strategy, including the potential benefits and risks of voluntary cooperation with the Central Bank, VARA, or the CMA in advance of a formal investigation.

Practical checklist

  • Verify investigator credentials and read the warrant scope before allowing access to any area.
  • Immediately contact external criminal counsel and activate the pre-designated response team.
  • Designate one senior officer as sole liaison; instruct all other staff to remain silent.
  • Begin a contemporaneous written log of all investigator actions, items examined, and devices seized.
  • Assert legal professional privilege over identified materials and request judicial determination before inspection.
  • Preserve all forensic receipt documentation and hash verification records from the moment of seizure.
  • Issue an immediate legal hold suspending all document destruction schedules company-wide.
  • Assess concurrent regulatory notification obligations to CBUAE, VARA or CMA within 24 hours.

What we'd typically advise

Our approach in the first hour is to place experienced criminal counsel physically on site as rapidly as possible, while a second team member simultaneously begins the regulatory notification analysis. The single most common error we see is a well-meaning senior employee who speaks with investigators before counsel arrives — those statements are recorded, rarely help, and frequently cause damage that is difficult to undo.

We advise clients to retain us on a standing crisis-response arrangement precisely so that the first call reaches a UAE-qualified criminal lawyer who knows the file, not a call-centre. Once we are present, we focus immediately on three things: the precise scope of the warrant, the integrity of the seizure process, and the identification of privileged materials — because those three issues determine the entire trajectory of the proceedings that follow.

Frequently asked questions

Do investigators need a court-issued warrant, or can a prosecutor authorise a search directly?

Under CPL 38/2022 Article 53 and 54, the Public Prosecution can authorise searches without a separate court order. In urgent cases, oral authorisation by a senior prosecutor suffices. You are entitled to see the written or oral authorisation document — insist on this before cooperating with any search.

Can investigators seize my personal mobile phone, even if it is not a company device?

Yes. Under CPL Article 56, investigators may seize any item found during a lawful search that may constitute evidence, whether or not it was specified in the warrant. Personal devices are not categorically excluded. Counsel should immediately note the seizure in the log and consider an urgent application to the prosecution for return of personal items not relevant to the stated offence scope.

Are communications with our in-house legal team privileged during a raid?

Not with certainty under UAE law. Privilege protections in the UAE attach most clearly to external, UAE-licensed advocates. In-house counsel are employees, and their advice memoranda may be seized and reviewed. We strongly recommend routing sensitive legal analysis through external counsel, particularly in advance of any known regulatory risk.

We are a VARA-regulated entity. Does the regulator get notified automatically if the police raid our offices?

Not automatically, but you likely have a proactive obligation. The VARA Rulebooks 2.0 (May 2025) require prompt notification of material adverse events. A Public Prosecution raid almost certainly qualifies. Failure to notify can constitute a separate regulatory breach. We advise assessing this obligation within 24 hours of the raid concluding.

What if investigators demand the password to our encrypted server?

Under CPL Article 72, a court order is required to compel disclosure of access credentials to encrypted systems. Investigators cannot demand passwords without that order. If presented with such a demand, request sight of the court order. If none exists, politely decline on the basis that no court authorisation has been produced, and note this in your contemporaneous log.

Our CEO is personally named in the warrant. Does she have to answer questions on-site?

No. Under CPL Article 63, a person subject to questioning is entitled to seek legal assistance before responding. The CEO should calmly state that she is exercising this right, provide basic identification if required, and decline to answer substantive questions until counsel is present. She should not be physically detained unless investigators have a separate arrest order.

What is the risk of money laundering charges, and has the limitation period changed?

Substantially heightened. Under Federal Decree-Law 10/2025 (in force 14 October 2025), there is no statute of limitations for money laundering, and tax evasion is now an express predicate offence. Personal managerial liability is codified. Fines reach AED 100 million. Historic conduct — regardless of when it occurred — remains prosecutable indefinitely. Any raid with an AML dimension should be treated as carrying the maximum personal risk to named managers.

Can we challenge the admissibility of evidence that investigators seized using flawed forensic procedures?

Yes. Under CPL Article 208, courts may exclude evidence obtained in violation of CPL rights. Challenges focus on whether proper seizure registers were maintained under Article 57, whether hash values were correctly generated and preserved, and whether cloud data was accessed without judicial authorisation under Article 72. Engage an independent digital forensics expert immediately — their analysis of the prosecution's methodology is critical to building this argument.

Related guides


Published 15 July 2026. General information only — not legal advice. Contact us for matter-specific advice.

Need this matter handled?

A partner can review the specifics and respond with a scoped engagement note within one working day.

Speak to us →