
    Procurement Platforms Are Now a Cybersecurity Target. Is Your Supplier Network Protected?

    A practical guide for procurement leaders across the MEA region.

    Why Procurement Platforms Are Now a Cybersecurity Target

    For years, cybersecurity in the Middle East and Africa was primarily an IT conversation. Firewalls, endpoint protection, network monitoring: the responsibility sat with technology teams, and procurement leaders were rarely in the room.

    That separation no longer holds.

    Procurement platforms today sit at the centre of an organisation’s external relationships. They connect buyers to hundreds, sometimes thousands, of suppliers, each with their own login credentials, data access levels, and activity trails. Across the GCC and key African markets, these platforms manage tenders worth hundreds of millions of dirhams, riyals, and Egyptian pounds. They hold sensitive pricing data, strategic sourcing decisions, and confidential contract terms.

    That combination of high value, broad access, and many external users makes procurement platforms one of the more attractive targets for credential-based cyberattacks.

    The question for any CPO or procurement director in the region is not whether this risk exists. It is whether their organisation is doing enough to address it.

    “If one of your supplier accounts was compromised today, how quickly would you know?”

    What Attackers Are Looking For and Where They Find It

    The most common vulnerability in procurement platforms is not a software flaw. It is the supplier account.

    Large organisations in the MEA region can have thousands of registered suppliers in their procurement systems. Each account is a potential entry point. Attackers who gain access to even a low-privilege supplier account can often observe bid structures, identify upcoming tenders, monitor competitor activity, or use the access as a foothold for further intrusion.

    The Regulatory Landscape: What Is Required, Country by Country

    MFA is moving from best practice to regulatory expectation across the MEA region. Procurement leaders should be aware of the following confirmed requirements:

    United Arab Emirates

    The UAE has been among the most proactive in the region on this issue. The Cabinet approved a National Cybersecurity Strategy in early 2025 that explicitly positions MFA as a key security control. The UAE Information Assurance Standard (IAS), published by TDRA, requires multi-layered identity controls for government and semi-government entities. NESA mandates MFA for privileged, remote, and cloud access. In May 2025, the Central Bank of UAE issued Notice CBUAE/FCMCP/2025/3057, requiring financial institutions to move beyond weak single-factor authentication, a direct signal that credential security is now a supervisory priority.

    Saudi Arabia

    Saudi Arabia’s National Cybersecurity Authority (NCA) Essential Cybersecurity Controls reference strong authentication requirements across government and critical infrastructure. For organisations managing large public procurement contracts under Vision 2030, alignment with NCA controls is increasingly expected rather than optional.

    Qatar

    Qatar’s National Cyber Security Strategy is aligned with its broader digital transformation ambitions. Organisations operating through the Qatar Financial Centre (QFC) or managing post-World Cup infrastructure investment are expected to maintain authentication standards consistent with international frameworks.

    Kuwait and Bahrain

    Both markets have national cybersecurity frameworks that reference authentication controls. Financial sector regulators in both countries are actively monitoring compliance, and procurement platforms used by regulated entities are within scope of these expectations.

    Egypt and Morocco

    Egypt’s NTRA and Morocco’s DGSSI are both pushing organisations toward stronger access controls. Formal MFA mandates are not yet fully in place in both markets, but the direction of travel is clear. Organisations in Egypt and Morocco that want to maintain readiness for future regulatory requirements, and to avoid being caught underprepared, should treat MFA implementation as an immediate priority rather than a future one.

    Why MFA Matters Specifically for Procurement, Not Just General IT

    Multi-factor authentication is discussed widely in the context of email security, banking apps, and remote access. The case for MFA in procurement platforms deserves its own conversation.

    Procurement platforms are different from most enterprise systems in one critical way: a significant proportion of their users are external. Internal staff can be managed through corporate identity systems and single sign-on. Suppliers cannot. They use their own devices, their own networks, and their own passwords, none of which your security team controls.

    This creates a structural vulnerability. A supplier with a weak or reused password, whose credentials have been exposed in a previous data breach elsewhere, represents a direct entry point into your organisation’s sourcing activity. The attacker does not need to break through your perimeter. They walk in through the supplier portal.

    MFA closes that gap. By requiring suppliers to verify their identity through a second factor such as a code, a push notification, or a biometric, you ensure that stolen credentials alone are not sufficient for access. It is one of the most effective controls available against credential-based attacks, and it operates at the exact point of vulnerability in procurement systems.

    The additional benefit in the MEA context is auditability. Regulatory frameworks in the UAE, Saudi Arabia, and Qatar increasingly require organisations to demonstrate not just that controls are in place, but that they are enforced. MFA provides a clear, auditable record of authentication events across every supplier interaction.

    What Procurement Leaders Should Be Asking Right Now

    If you are a CPO or procurement director in the MEA region, these are the questions worth bringing into your next security or governance conversation:

    • Do we know how many supplier accounts in our procurement platform are currently active, and when each one last authenticated?
    • How many of those accounts are protected only by a username and password?
    • If a supplier account were compromised today, what access would that give an attacker? What data would they be able to see?
    • Do our current authentication controls meet the requirements of the regulatory frameworks that apply to our organisation: UAE IAS, NCA controls, CBUAE Notice 3057, or others?
    • How quickly could we enforce MFA across our entire supplier base if required to do so?
    • Do we have a process for deactivating dormant supplier accounts, or do we have thousands of inactive credentials sitting in the system?

    These are not purely IT questions. They are governance questions. And they belong in a procurement leadership conversation.

    Practical Steps: Getting Started with MFA in Your Procurement Platform

    Implementing MFA across a large supplier base does not need to be disruptive. The most effective approach is structured, phased, and begins with the highest-risk accounts.

    Step 1: Audit Your Supplier Account Base

    Before enabling MFA, understand what you are working with. How many supplier accounts are active? How many have logged in within the past 12 months? Dormant accounts should be reviewed and deactivated before new controls are applied, as they are both a security risk and an unnecessary compliance burden.

    Step 2: Prioritise by Risk and Access Level

    Not all supplier accounts carry the same risk. Suppliers with access to high-value tenders, sensitive contract data, or strategic sourcing categories should be prioritised for MFA enforcement. Configure controls by user role, access level, and supplier type to focus initial effort where it matters most.

    Step 3: Use Bulk Controls Where Available

    Modern procurement platforms allow administrators to enforce MFA and reset passwords at scale, across thousands of accounts simultaneously. This is significantly more efficient than managing authentication supplier by supplier, and it should be the default approach for the large supplier bases common in the GCC and broader MEA region.

    Step 4: Communicate Clearly to Suppliers

    Supplier adoption depends on clear communication. Notify suppliers in advance, explain the reason for the change, and provide straightforward guidance on how to set up their second factor. Framing the change as a security upgrade that protects them as well as your organisation typically reduces resistance significantly.

    Step 5: Monitor, Report, and Demonstrate Compliance

    Once MFA is active, ensure your platform provides full access monitoring and a complete audit trail. This is the evidence your compliance and risk teams will need when demonstrating alignment with UAE IAS requirements, NCA controls, or Central Bank guidelines. It also gives your procurement leadership team real-time visibility into authentication activity across your supplier network.
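
The audit and prioritisation in Steps 1 and 2, with a coverage figure for Step 5, can be run against an account export before any bulk control is switched on. The script below is an added example, not code from this article or from any procurement platform; the CSV column names, tier labels and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions, not a real platform schema.
SAMPLE_EXPORT = """supplier_id,last_login,mfa_enabled,access_level
S-001,2025-05-20,no,high
S-002,2023-11-02,no,high
S-003,2025-04-11,yes,high
S-004,2025-01-15,no,low
S-005,,no,medium
S-006,2025-03-30,no,medium
"""

DORMANCY_WINDOW = timedelta(days=365)  # "logged in within the past 12 months"
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def plan_mfa_rollout(export_text, today):
    """Split accounts into deactivate / enforce_mfa (ordered by tier) / compliant."""
    plan = {"deactivate": [], "enforce_mfa": [], "compliant": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = row["last_login"].strip()
        last_login = date.fromisoformat(raw) if raw else None
        # Step 1: never-used and stale accounts are queued for deactivation review.
        if last_login is None or today - last_login > DORMANCY_WINDOW:
            plan["deactivate"].append(row["supplier_id"])
        elif row["mfa_enabled"].strip().lower() == "yes":
            plan["compliant"].append(row["supplier_id"])
        else:
            tier = row["access_level"].strip().lower()
            plan["enforce_mfa"].append((tier, row["supplier_id"]))
    # Step 2: highest-access suppliers first; an unknown tier is treated as high risk.
    plan["enforce_mfa"].sort(key=lambda item: (TIER_ORDER.get(item[0], 0), item[1]))
    return plan


def mfa_coverage(plan):
    """Step 5: share of active (non-dormant) accounts already protected by MFA."""
    active = len(plan["enforce_mfa"]) + len(plan["compliant"])
    return len(plan["compliant"]) / active if active else 1.0


if __name__ == "__main__":
    rollout = plan_mfa_rollout(SAMPLE_EXPORT, today=date(2025, 6, 1))
    print(rollout, f"coverage={mfa_coverage(rollout):.0%}")
```

Re-running the same report after each enforcement wave gives compliance teams a dated coverage figure to set beside the platform's own audit trail.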

    Frequently Asked Questions

    Both. Internal users should be covered through your corporate identity and SSO infrastructure. The greater risk, and the gap most commonly overlooked, is the supplier side. Supplier accounts operate outside your internal security controls, making them a priority for MFA enforcement.

    Yes. Procurement platforms that support bulk account controls allow administrators to enforce MFA and trigger password resets across thousands of accounts simultaneously. The process is more manageable than most organisations expect, particularly when phased by risk tier, starting with high-value or high-access suppliers before extending to the broader base.

    Some initial friction is normal during any authentication change. In practice, supplier adoption is much smoother when the change is communicated clearly and framed as a security improvement that benefits them as well. In our experience working across MEA markets, well-communicated MFA rollouts have minimal long-term impact on supplier engagement.

    The NCA Essential Cybersecurity Controls reference strong authentication requirements for government and critical infrastructure organisations. Procurement systems that handle sensitive public contracts are within scope of these expectations. Organisations seeking alignment with NCA controls should review their procurement platform authentication as part of that assessment.

    Egypt’s NTRA and Morocco’s DGSSI are both moving organisations toward stronger access controls, though formal MFA mandates are not yet uniformly in place. The direction of regulatory travel in both markets is clear. Organisations that implement MFA now will be better positioned when formal requirements are established, and will be demonstrating security maturity to both regulators and their own clients in the meantime.

    A procurement platform with MFA enabled generates a complete audit trail of authentication events: who accessed what, when, and from where. This gives compliance teams the evidence they need to demonstrate adherence to regulatory frameworks such as UAE IAS, CBUAE guidelines, or NCA controls. It also supports internal governance reviews and external audit processes.

    Speak to Our Team

    Cybersecurity in procurement is no longer a topic that can wait for the next IT review cycle. Across the region, the regulatory expectation is shifting and the threat environment is evolving.

    If you want to understand where your procurement platform stands, what your current authentication controls cover, where the gaps are, and how to address them at scale, our team is available to walk through it with you.
