20 April 2026 · 8 min read
What UAE e-commerce sites are legally required to display — trade license, VAT registration, consumer protection policies, payment gateway compliance — and an honest note on where most Dubai SMBs actually stand.
Most Dubai e-commerce sites are not fully legally compliant. That's not a scare tactic — it's just accurate. The requirements exist, enforcement is increasing, and many business owners set up their stores without knowing what's required. This post covers what you actually need to have, why it matters, and what "minimum viable compliance" looks like for a small business.
The UAE's e-commerce regulatory environment has two primary pillars:
TDRA (Telecommunications and Digital Government Regulatory Authority) — Formerly the TRA (Telecommunications Regulatory Authority), the TDRA oversees the digital economy regulatory framework in the UAE, including e-commerce standards. UAE Cabinet Resolution No. 21 of 2021 established formal e-commerce guidelines that apply to all online businesses operating from or selling to UAE consumers.
Consumer Protection Law (Federal Decree-Law No. 5 of 2023) — The updated consumer protection framework covers online sales explicitly. Return rights, refund timelines, and disclosure requirements all sit under this law.
Understanding which applies when: TDRA e-commerce guidelines cover how you operate your website (disclosure, contracts, data). Consumer protection law covers your obligations to customers after purchase.
If you're selling products or services in the UAE, you need a trade license. And if you have one, you need to display the license number on your website. This is not optional — it's a requirement under UAE commercial law and the e-commerce framework.
Where to put it: the website footer is the standard location. Include the issuing authority (Dubai Economic Department, DIFC, DMCC, Abu Dhabi Department of Economic Development, etc.) alongside the number.
What I see constantly: UAE e-commerce stores that have a valid trade license but don't display it on their website because no one told them they had to. This is an easy fix with an immediate compliance benefit.
If your annual taxable turnover exceeds AED 375,000, you are required to register for VAT and charge 5% VAT on applicable sales. Once registered, your Tax Registration Number (TRN) must be displayed on your website and on all invoices and receipts.
Even below the mandatory registration threshold, voluntary registration is sometimes beneficial. Either way, if you have a TRN, it needs to be visible — typically in the footer alongside your trade license, or on a dedicated "Legal" page.
Pricing on your website should clearly indicate whether VAT is included or excluded. "Price: AED 100 (VAT inclusive)" or "Price: AED 100 + VAT" — either is acceptable, but ambiguity is not.
This is not just boilerplate. Your T&Cs are a contract with your customers and need to cover:
Many UAE small e-commerce stores copy T&Cs from international sites. This is a problem because the governing law and consumer rights referenced are wrong (UK Consumer Rights Act doesn't apply to a UAE business). Have T&Cs drafted or reviewed for UAE law compliance.
Required under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, effective September 2021). If you're collecting any personal data — names, emails, phone numbers, addresses — you need a privacy policy that explains:
Consent for marketing communications is also required. If you're adding customers to a WhatsApp broadcast list or email newsletter after purchase, you need explicit opt-in, not assumed consent.
The UAE Consumer Protection Law gives consumers the right to return defective goods and in some cases goods that don't match the description. Your return policy needs to be clearly accessible — before checkout, not just in the footer.
Minimum to include:
A policy hidden in your T&Cs isn't sufficient — it should be a standalone page linked from every product page and the checkout flow.
Payment Card Industry Data Security Standard (PCI-DSS) compliance is required if you're accepting card payments. In practice for small businesses, the main rule is simple: don't store card numbers yourself. Use a payment gateway that handles card data, and you inherit their compliance for the payment processing piece.
The UAE has several well-established, PCI-DSS compliant payment gateways:
| Gateway | Strengths | Setup Cost | Transaction Fees | |---------|-----------|-----------|------------------| | PayTabs | UAE-focused, Arabic support, local bank connections | AED 0–500 setup | 2.5–3.5% + AED 1–2 | | Telr | Strong WooCommerce/Shopify integration, MENA focus | AED 0 setup | 2.49–2.99% | | Checkout.com | Enterprise-grade, multi-currency, lower fees at volume | Varies | 1.5–2.5% (volume-based) | | Network International | Oldest UAE gateway, bank-grade reliability, supports all UAE banks | AED 1,000–3,000 setup | Negotiated | | Stripe | Limited UAE presence, no direct AED settlement for most UAE businesses | N/A | Not recommended for UAE-primary businesses |
Stripe deserves a specific note: Stripe does operate in the UAE, but direct AED settlement is not available to all business types, and setup requires workarounds. For a UAE-primary business, PayTabs or Telr is a simpler, better-supported choice.
Never build a custom payment form that sends card data to your own server. This is both a PCI-DSS violation and a serious liability. Always redirect to or embed a certified gateway's payment form.
Both are supported by PayTabs and Telr. Worth enabling — mobile payment adoption in the UAE is high, particularly among younger shoppers.
There is a question that comes up regularly: "Do I need to store UAE customer data on UAE-based servers?"
For most UAE SMBs, the answer is: not strictly required. The UAE Personal Data Protection Law allows cross-border data transfers with appropriate safeguards, and using reputable cloud infrastructure (AWS, Google Cloud, Vercel with edge routing) is generally acceptable.
Where it becomes relevant: government contracts, healthcare data, and financial services all have stricter data localisation requirements. For a standard e-commerce store selling physical products, data residency is not a compliance crisis.
Most Dubai e-commerce stores have the product, the photos, and the marketing. What they're missing:
None of these are catastrophic, and most aren't actively enforced for small businesses right now. But enforcement is increasing, and the cost of getting it right at setup is far lower than retrofitting compliance into a live store.
The minimum viable compliance checklist:
That's not a huge amount of work. Most of it is content and configuration, not technology.
When we build e-commerce sites, legal compliance is part of the brief from day one — not a checkbox at the end. See how we approach e-commerce builds or take a look at our pricing if you want to understand what's included.
Get a fully SEO-optimised website in 5 days. One payment, no monthly fees.
