Testing & Certification Overview
Before a Third Party Provider (TPP) can connect to a live Licensed Financial Institution (LFI) in production, it must satisfy two independent sets of requirements: regulatory licensing and Nebras technical certification.
A valid CBUAE licence is required before production access
TPPs must hold a valid licence issued by the Central Bank of the UAE (CBUAE) before being granted access to production. Nebras certification is a separate, technical requirement and does not replace or supersede any CBUAE licensing obligation. You must contact the CBUAE directly to understand the licensing requirements applicable to your proposition and business model.
Production access will not be granted until a valid CBUAE licence has been confirmed. You may work through the Nebras certification process in parallel with your licensing application, but both must be satisfied before go-live.
Four certification areas, all mandatory before go-live
Nebras requires all TPPs to complete the following certification areas before production access is granted. These requirements apply regardless of which LFI you are connecting to and are in addition to any requirements that individual LFIs may impose. Each area maps to a Certification Type in the Service Desk evidence ticket.
Functional Evidence
Documented proof that your proposition calls only the APIs it needs, requests only the minimum permissions required, and handles consent states correctly.
User Experience Evidence
Evidence that your consent and authorisation flows meet Nebras user experience requirements.
FAPI Conformance
Results from running the OpenID Foundation FAPI conformance test suite against your client configuration.
Security Validation
Confirmation that your key management, certificate handling, and data security practices meet Nebras policy requirements.
All four areas must be satisfied before Nebras will grant production access to a live LFI environment.
Raise one Service Desk ticket per certification area
Certification evidence is submitted to Nebras through the Service Desk, using the dedicated Providing certification evidence request type. The link is the same for every area, but each area is its own ticket: raise four tickets — one for Functional, one for User Experience, one for FAPI, and one for Security — and pick the matching Certification Type from the dropdown on each.
The Service Desk is gated by Sandbox Trust Framework SSO — see Support & Service Desk for access prerequisites, what to include in a ticket, and the alternative email and telephone channels.
Certification at go-live is the entry bar, not the finish line
Once in production, the TPP MUST maintain its certified state across every area continuously, not only at the point of certification. Material changes to the TPP's platform, to the Open Finance standards, or to the FAPI profile may trigger re-certification of the affected area; Nebras may also request fresh evidence at any time after go-live.
- Functional conformance — the TPP MUST continue to call only the APIs required by its proposition, request only the minimum permissions needed, and handle consent state changes correctly as the Open Finance specification evolves.
- User experience — consent and authorisation flows MUST continue to meet Nebras CX requirements as those requirements are updated.
- Security of the TPP's systems — the TPP MUST keep dependencies patched, monitor for vulnerabilities, respond to incidents, and repeat penetration testing whenever significant changes are made to the application or its Open Finance integration.
- FAPI alignment — the TPP MUST maintain a current OIDF CBUAE FAPI 2.0 RP Message Signing certification, and re-certify against each new major version of the standards.
What these requirements do and do not cover
The certification requirements in this section are set by Nebras and govern technical and operational readiness for participation in the Open Finance UAE ecosystem. They do not constitute legal or regulatory advice. TPPs are solely responsible for ensuring they hold the appropriate regulatory authorisations for their proposition before going live.
