Telecom and Voice Compliance in UAE & GCC: What IT Teams Need to Know in 2026
Enterprise voice infrastructure is not just an IT decision in the UAE and GCC, it is a regulatory one. Every organisation deploying VoIP, SIP trunking, unified communications, or a cloud contact center solution in the region must operate within a tightly governed framework. The consequences of getting this wrong are material; unlicensed VoIP operation in the UAE carries fines of up to AED 500,000 under Federal Decree-Law No. 3 of 2003, and using a VPN to bypass restrictions is a criminal offence under Federal Decree-Law No. 34 of 2021.
In 2026, enterprise voice architecture is increasingly intersecting with telecom regulation, cybersecurity, cloud infrastructure, and data residency requirements across the GCC.
This blog covers what IT teams across the UAE, Saudi Arabia, and the wider GCC need to understand about telecom compliance, from Telecommunications and Digital Government Regulatory Authority (TDRA) licensing and carrier requirements to the architectural role of Session Border Controllers and what cloud telephony deployments require to be fully compliant.
The Core Principle: VoIP Is a Regulated Service, Not Just a Technology
The most important thing for any IT team deploying voice services in the UAE or GCC to understand is this: VoIP is classified as a regulated telecommunications service, not a software feature. This distinction matters enormously.
Country-by-Country: The GCC Regulatory Landscape
- UAE — TDRA Framework:
The TDRA governs enterprise voice and VoIP services in the UAE. Under UAE TDRA policy, all voice and video calling services must be provided by a licensed carrier or in active collaboration with one. The UAE has two licensed carriers: e& (Etisalat) and du. Any VoIP service whether delivered via a UCaaS platform, a cloud IP PBX or cloud PBX environment, a SIP trunk, or a contact center solution, must route through one of these two licensed carriers. Services that do not comply are classified as illegal communications and are actively blocked at the ISP level.
Enterprises must also ensure that Session Border Controllers, call routing, recording retention, and cloud voice deployments align with TDRA requirements and applicable UAE data protection regulations. - Saudi Arabia — CST Framework:
In Saudi Arabia, enterprise VoIP and UCaaS deployments are governed by the Communications, Space and Technology Commission (CST). SIP trunking and PSTN connectivity must operate through licensed carriers such as STC, Mobily, and Zain.As cloud communications adoption accelerates under Vision 2030, enterprises deploying unified communications, cloud PBX, or contact center solutions in KSA must ensure that carrier routing, SBC configuration, and data handling comply with local telecom regulations. - Wider GCC — Oman, Qatar, and Bahrain:
Across Oman, Qatar, and Bahrain, enterprise VoIP deployments follow a similar principle: PSTN voice services must operate through licensed national carriers and within each country’s telecom regulatory framework. For organisations deploying UCaaS or cloud contact center solutions across multiple GCC countries, compliance architecture must be designed country-by-country rather than treated as a single regional deployment.
The Session Border Controller: The Compliance Architecture Layer
A Session Border Controller (SBC) is a dedicated network device, hardware or software-defined, that sits at the boundary of an enterprise voice network and, for most PSTN-enabled deployments in the UAE and GCC, is effectively a mandatory compliance layer. It controls all SIP signalling and media traffic entering and leaving the organisation’s environment. In a UAE compliance context, the SBC performs several functions that are directly relevant to regulatory adherence.
Carrier routing enforcement: The SBC routes all outbound PSTN calls through the designated licensed carrier (e& or du in UAE, STC/Mobily/Zain in KSA). This ensures no voice traffic bypasses the licensed carrier framework.
Beyond carrier routing, the SBC enforces SRTP media encryption for all voice streams, handles SIP protocol translation between carrier and UCaaS environments, and maintains detailed call records, all of which are directly relevant to UAE compliance and audit requirements.
Microsoft Teams Direct Routing has become increasingly common across UAE enterprises that want to retain local carrier connectivity while standardising collaboration through Teams. In these deployments, a certified SBC is a mandatory technical requirement. The SBC sits between the Teams environment and the licensed carrier, ensuring PSTN traffic routes securely and compliantly.
UCaaS and Cloud Contact Center Compliance: What to Verify
When deploying unified communications or cloud contact center solutions in the GCC, IT teams need to verify several things that are frequently overlooked in standard procurement processes:
- Platform approval status: Confirm that the UCaaS platform is on the TDRA approved list for UAE, or that your deployment model routes voice through a licensed carrier in each GCC country where users operate.
- SIP trunk origin: Your SIP trunks must originate from a licensed carrier in each country. Global SIP trunk providers that are not in active partnership with a licensed carrier cannot legally carry your PSTN voice traffic.
- Number assignment: UAE (+971) and KSA (+966) DDI numbers must be allocated through a licensed local carrier. Global UCaaS providers that assign virtual numbers outside licensed carrier channels may create a numbering compliance exposure.
- Recording and retention: If your contact center records calls, as most cloud contact center solutions do, you must ensure that recordings are stored in a manner compliant with UAE data protection requirements, including the PDPL (effective January 2026, full compliance by January 2027) and applicable sector-specific rules.
- Emergency services routing: Cloud PBX and UCaaS platforms must maintain a compliant path to emergency services (999 in UAE, 911/999 in KSA). Cloud voice deployments must be configured to route emergency calls through the local PSTN not via international trunks, which will fail or be delayed.
Common Compliance Mistakes IT Teams Make
Based on patterns across enterprise deployments in the region, the most frequent compliance failures in GCC voice deployments are:
- Using a global UCaaS provider’s standard deployment without verifying UAE/KSA carrier routing, assuming that because Teams or Zoom is approved globally, it is automatically compliant in UAE without carrier-specific configuration.
- Deploying SIP trunks from a non-GCC carrier and routing them directly to an on-premise IP PBX or cloud PBX without an SBC, leaving the deployment both technically unprotected and potentially non-compliant.
- Treating a multi-country GCC deployment as a single regional configuration and using one SBC and one carrier SIP trunk for UAE, KSA, and Oman simultaneously rather than designing per-country carrier routing as each country’s regulatory framework requires.
The Bottom Line
Voice infrastructure in the UAE and GCC has a compliance dimension that is just as important as the technical one. TDRA, CST, and their GCC counterparts operate active enforcement regimes and services that do not comply are blocked, and organisations that knowingly operate outside the licensed framework face significant financial and legal consequences.
A correctly configured SBC connected to licensed carrier SIP trunks helps ensure that enterprise voice traffic remains secure, auditable, and compliant across UAE and GCC deployments.
In 2026, as enterprises across the UAE and GCC accelerate their moves to unified communications and cloud telephony, the organisations that get this architecture right from the start will avoid costly remediation work and the reputational risk of a non-compliant voice infrastructure.
How EthicIT Can Help
Ethic IT delivers Session Border Controller deployments, UCaaS implementations, and cloud contact center solutions for enterprises across UAE, KSA, Qatar, and Oman in full compliance with TDRA, CST, and GCC carrier requirements. Our SBC and UCaaS practice covers the full deployment lifecycle: licensed SIP trunk provisioning through licensed carriers, SBC configuration and certification, Microsoft Teams Direct Routing integration, cloud IP PBX migration, and ongoing compliance support.
Every deployment we implement is architected for the regulatory environment of the country it operates in and not adapted from a global template. If your organisation is planning a UCaaS migration, a contact center modernisation, or a Teams Direct Routing deployment in the UAE or GCC, we can design and implement an architecture that is compliant from day one.
Get in touch: ethic-it.com/contacts | sales_mena@ethic-it.com
Frequently Asked Questions
- Is VoIP legal in the UAE for enterprise use?
Yes but only when delivered through platforms approved by TDRA or routed via a licensed UAE carrier (e& or du). Enterprise platforms including Microsoft Teams, Zoom, and Cisco Webex are permitted when deployed through approved and compliant carrier frameworks. Using a VPN to bypass VoIP restrictions is a criminal offence under Federal Decree-Law No. 34 of 2021. - What is a Session Border Controller and why is it required in the UAE?
A Session Border Controller (SBC) is a dedicated network appliance that controls and secures SIP voice traffic at the boundary of an enterprise network. In the UAE, an SBC is required to ensure all PSTN call traffic routes through a TDRA-licensed carrier (e& or du), to enforce media encryption (SRTP), and to maintain the call audit records required for regulatory compliance. For Microsoft Teams Direct Routing deployments, a certified SBC is a mandatory technical requirement. - Can I use a global UCaaS provider in the UAE without a local SBC?
For internal voice and video collaboration (Teams meetings, Zoom calls between users), a local SBC is not always required. However, for PSTN connectivity, making and receiving calls to and from standard phone numbers in the UAE, a SIP trunk from a licensed UAE carrier is required, and an SBC is needed to connect that trunk to your UCaaS platform securely and compliantly.