1) WHO REGULATES CRYPTO IN DUBAI?

Dubai’s dedicated crypto regulator is the Virtual Assets Regulatory Authority (VARA). VARA’s mandate covers all zones of the Emirate of Dubai – including free zones – but excludes the Dubai International Financial Centre (DIFC), which has its own financial regulator and rulebook. The statutory basis and jurisdiction appear in the Virtual Assets and Related Activities Regulations 2023 (the “Regulations”), read with Law No. (4) of 2022. VARA is empowered to issue binding Rules, Directives, and Guidance, supervise licensed entities, and enforce against violations.

DIFC exception. Within the DIFC, the Dubai Financial Services Authority (DFSA) operates a separate Crypto Token regime that relies on a token recognition concept; only Recognised Crypto Tokens may be used for regulated activities in DIFC markets. The DFSA maintains and publishes recognition notices and a running list of recognised tokens. 

Payment tokens and the CBUAE. If your business model touches payment tokens (stablecoins), or UAE CBDC, the Central Bank of the UAE (CBUAE) becomes relevant. The Payment Token Services Regulation (PTSR) (2024) governs payment token issuance, conversion, custody and transfer across the UAE (excluding financial free zones for prudential licensing), and CBUAE confirms this framework in its public rulebook.

2) WHAT ACTIVITIES ARE REGULATED BY VARA?

VARA regulates a defined menu of “VA Activities”. The 2023 Regulations (Schedule 1) list activity headings, with corresponding activity-specific rulebooks that sit on top of the compulsory rulebooks. The fee table in Schedule 2 confirms the regulated activity set:

  1. VA Advisory Services
  2. VA Broker-Dealer Services
  3. VA Custody Services
  4. VA Exchange Services
  5. VA Lending & Borrowing Services
  6. VA Management & Investment Services
  7. VA Transfer & Settlement Services
  8. Category 1 VA Issuance (fee line item; issuance is further governed by the VA Issuance Rulebook)

Licensing trigger (Part IV). No person may carry out a VA Activity in/from Dubai without a VARA licence, and a licence is required per activity. Exempt categories exist, but an Exempt Entity must notify VARA, obtain confirmation of status and a no-objection certificate before acting. Holding out as licensed is itself restricted.

Absolute prohibitions. The issuance of anonymity-enhanced cryptocurrencies and all VA Activities related to them are prohibited in the Emirate of Dubai.

3) THE RULEBOOK STACK YOU MUST BUILD AGAINST

Compulsory rulebooks (apply to all VARA licensees):

  • Company Rulebook (governance, capital/prudentials, UBO, ESG disclosure baselines)
  • Compliance & Risk Management Rulebook (compliance function, customer asset protections, reconciliations, incident reporting, onboarding/ongoing monitoring)
  • Technology & Information Rulebook (cybersecurity, data protection, TLPT, incident notifications, BCDR)
  • Market Conduct Rulebook (fair dealing, conflicts, promotions hook-ins)

Activity-specific rulebooks then set bespoke obligations for each licensed activity (e.g., Exchange, Custody, Transfer & Settlement, etc.). VARA updated several activity rulebooks in 2025 (version 2.0) to strengthen market integrity and risk oversight – keep an eye on the “View Updates” page and VARA news.

4) MARKETING AND PROMOTIONS: THE 2024 REGIME

VARA replaced its 2022 marketing administrative orders with the Regulations on the Marketing of Virtual Assets and Related Activities 2024 (“Marketing Regulations 2024”). Key points:

  • Scope. The rules apply to any marketing of, or relating to, VAs or VA Activities in or targeting the UAE, and they apply to all Entities – licensed or not, domestic or foreign.
  • Definition. “Marketing” is broad – covering ads, social posts, endorsements, events, airdrops, branded content, and educational material if promotional in nature.
  • Events. Unlicensed foreign firms may conduct limited marketing at Dubai events if strict conditions are met (no onboarding of UAE residents, prominent “not VARA-licensed” disclaimer, education-only content, etc.).
  • Enforcement & fines. Part II ties the regime to the Regulations’ Part IX enforcement powers and Schedule 1 sets indicative fine amounts (VARA keeps discretion).

Practical control set. Treat promotions as a licensing control: map each campaign to licensed activity + client class, hard-code status wording, geofence, and archive approvals and deliverables – this reduces RFIs and bank friction later.

5) AML/CFT AND SANCTIONS

Under Part VI of the Regulations, VARA is the Supervisory Authority for AML/CFT concerning VASPs in Dubai, and VASPs must comply with Federal AML-CFT laws in addition to VARA rules and directives.

Expect the Compliance & Risk Management Rulebook to require rapid notification to VARA of certain non-compliance events and robust client money/assets safeguards (including reconciliation timetables), with written notice to VARA within one day where material reconciliation discrepancies persist.

6) TECHNOLOGY, CYBERSECURITY AND DATA

The Technology & Information Rulebook (May 2025 version) layers in testing and resilience requirements (including threat-led penetration testing (TLPT) where directed), 72-hour reporting of material cybersecurity or BCDR-triggering events from detection, and 24-hour follow-ups to VARA after notifying any data regulator or data subject of a personal-data incident.

  • I.K.1: report material cyber/BCDR events “as soon as reasonably practicable, and in any event no later than 72 hours from detection.”
  • II.C.2: if you notify a data regulator (e.g., under PDPL) or a data subject about a privacy incident, you must notify VARA within 24 hours with a summary and, where applicable, a copy.

Board-level takeaway. Build a Technology Governance & Risk Assessment Framework that covers security testing, vendor risk, change controls, and wallet infrastructure – VARA provides guidance tables in Schedule 1 of this rulebook.

7) MARKET OFFENCES AND CONDUCT

Part VIII of the Regulations sets Dubai’s market-abuse spine – inside information, insider dealing, unlawful disclosure, market manipulation, plus prevention/detection duties. The Market Conduct Rulebook cross-links these prohibitions into day-to-day controls. (Regulations Part VIII; Market Conduct Rulebook Part I). 

A concise prohibition appears in Part VIII.E: no Entity may engage in or attempt insider dealing, induce it, or unlawfully disclose inside information.

8) TOKEN ISSUANCE AND LISTINGS

  • Issuance. VARA supervises virtual-asset issuances under the VA Issuance Rulebook (latest version dated May 2025 on VARA’s site; an earlier September 2023 text remains widely cited). Issuers are reminded that VARA’s supervisory, examination and enforcement powers extend to all virtual assets and VA activities.
  • Listings/Admissions. For DIFC markets, the DFSA operates a token recognition system; only Recognised Crypto Tokens can be admitted for use in regulated activities. DFSA periodically publishes recognition notices (e.g., RLUSD in June 2025). 

9) FEES AND ONGOING SUPERVISION

Application and supervision fees are set out in the Regulations’ Schedule 2. Fees are per activity (with extension fees for additional activities) and annual supervision fees are charged per licensed activity.

VARA also publishes Schedule 3 – Fines, confirming that fine levels and grounds are within VARA’s sole discretion and may be updated by regulation or directive. 

Enforcement toolkit (Part IX). Beyond fines, VARA can impose reprimands, suspensions, disgorgement, additional reporting, or other measures it deems necessary to protect the market and consumers.

10) INTERSECTIONS WITH CBUAE AND THE FEDERAL PERIMETER

The PTSR (2024) establishes a prudential/licensing framework for payment tokens at the CBUAE level, differentiating between dirham-denominated and foreign-currency payment tokens, and licensing issuance, conversion, and custody/transfer activities. Entities operating in Dubai that provide payment token services must meet CBUAE requirements in addition to VARA’s rules where relevant to their model. 

CBUAE’s 2024 Annual Report confirms the creation of a specific Payment Token Issuer licence category and the first licence issuance in 2024 – illustrating that the UAE’s stablecoin framework is now being operationalised.

CBDC. The Regulations explicitly reserve UAE-CBDC matters to the CBUAE. If you touch dirham CBDC rails (pilots or production), expect CBUAE oversight even if the rest of your stack is under VARA.

11) PRACTICAL PATH TO LICENSING AND LAUNCH (WHAT ACTUALLY PASSES REVIEW)

From a regulator-facing and bank-facing perspective, projects that succeed in Dubai typically do the following:

  • Map the activity perimeter precisely to the VARA menus and, if applicable, the PTSR. This avoids scope drift and follow-on conditions.
  • Engineer controls before you file: wallet governance (MPC/multisig), withdrawal throttles, reconciliations, sanctions + Travel Rule pipelines, and incident runbooks – so you can evidence effectiveness, not just policy.
  • Prepare a “bank dossier.” Dubai is bank-connected: package governance, prudentials, onboarding controls and MI to support account opening and fiat ramps.
  • Treat promotions as regulated conduct: status chips, risk warnings, geo/client-class gating, influencer governance, and recall workflows across channels; maintain version-controlled approvals and monitoring logs.

12) GOVERNANCE AND RESILIENCE – WHAT VARA WILL TEST

Expect VARA to scrutinise:

  • Board and Approved Persons readiness against the Company Rulebook (fitness/propriety, segregation of duties, capital runways).
  • Complaint handling, incident handling and reconciliation loops under the Compliance & Risk rulebook (including one-day notifications where reconciliation breaks persist).
  • Cyber posture under Technology & Information (controls testing, TLPT, 72-hour cyber event reporting; 24-hour privacy-incident follow-ups).
  • Conduct & market integrity under Market Conduct + Part VIII (insider/market abuse prohibitions, conflicts).

13) DIFC (DFSA) versus VARA – at a glance

  • Regulator & perimeter. VARA: all Dubai (except DIFC), all virtual assets; DFSA: DIFC financial services perimeter with Crypto Tokens integrated into securities-style rulebooks (GEN/COB).
  • Token gate. DFSA uses recognition; tokens must be on the Recognised Crypto Tokens list to be used in regulated activities (periodic notices, e.g., RLUSD June 2025).
  • Promotions. Both regimes impose stringent promotion requirements; in VARA’s case, the 2024 Marketing Regulations apply UAE-wide, including to unlicensed foreign firms targeting the UAE.

14) TIMELINES, FINES AND SUPERVISION

  • Timelines are driven less by “calendar promises” and more by quality of filings (scope clarity, operational evidence, and marketing controls). Poor promotions or scope drift can delay licensing and increase supervision conditions.
  • Fines & sanctions. VARA’s Schedule 3 sets indicative fines (e.g., AML/Customer due diligence breaches; market-offence breaches), but the authority has broad discretion and can deploy other measures (suspensions, extra reporting).

15) EXECUTIVE CHECKLIST FOR DUBAI LAUNCHES

  1. Confirm the venue: VARA (Dubai) or DFSA (DIFC) – and whether CBUAE PTSR applies for payment tokens.
  2. Lock the activity map to VARA’s Schedule 1 and choose the correct activity rulebooks to build against.
  3. Stand up compulsory rulebook controls (Company, Compliance/Risk, Tech & Info, Market Conduct) with evidence of operation.
  4. Engineer marketing governance to the Marketing Regulations 2024 (status chips, disclaimers, geofencing, influencer contracts, event constraints).
  5. Wire the incident playbooks to the 72-hour cyber and 24-hour privacy notifications in the Tech & Info Rulebook.
  6. Budget for application and supervision fees per activity (Schedule 2); avoid “scope creep” that multiplies fees and oversight.
  7. Prepare a bank-ready dossier (prudentials, reconciliations, AML/Travel Rule, sanctions governance, MI).

HOW CRYPTOVERSE LEGAL CAN HELP

Cryptoverse Legal is a Dubai-based specialist firm focused exclusively on virtual assets and crypto. We turn complex frameworks – VARA, SCA, DFSA/FSRA, CBUAE, and global regimes like MiCA and MAS – into clear, actionable licensing and compliance strategies.

  • Scoping & Licensing: Perimeter mapping (payments vs. investment activity), regulator selection, activity permissions, and end-to-end application drafting and submissions.
  • Governance & Controls: Company, Compliance & Risk, Technology & Information, and Market Conduct frameworks; custody design (segregated wallets/MPC), incident reporting, outsourcing oversight.
  • Token & Product: Token classification, listing/recognition or AVA governance, whitepapers, and structuring of staking/lending.
  • AML/CFT & Market Integrity: UAE federal AML alignment, Travel Rule implementation, market surveillance, and financial-promotions compliance (including VARA Marketing Regulations).
  • Cross-Border Expansion: Harmonising UAE approvals with MiCA/MAS and other key hubs.
  • Ongoing Assurance: Supervisory engagement, audits/readiness reviews, staff training, and board MI.

Whether you’re launching in Dubai or scaling globally, we deliver regulator-ready documentation and controls that help you build, scale, and stay compliant.

Dubai’s framework is now mature: principles-led at the core, with prescriptive guardrails where market risk demands it (marketing, custody, tech, market abuse). Success in this environment comes from choosing the right perimeter, operationalising controls early, and treating promotions as regulated conduct. With those pillars in place – and with attention to the CBUAE’s PTSR where payment tokens are in scope – firms can build and scale in Dubai with regulator-ready foundations.

Disclaimer: 

This article is for general information only and is not a substitute for legal advice. Requirements change and may apply cumulatively; consult specialist counsel and verify against current VARA/DFSA/CBUAE texts and your licence conditions. See, e.g., VARA Regulations 2023 (Part IV, VI–IX; Schedules 1–3) and Marketing Regulations 2024; DFSA token recognition notices; and CBUAE PTSR 2024.

FAQs:

1. Who regulates cryptocurrency in Dubai?

Cryptocurrency in Dubai is primarily regulated by the Virtual Assets Regulatory Authority (VARA), covering all zones except the DIFC. The DIFC follows the DFSA’s token recognition framework. Payment tokens and UAE CBDC fall under the Central Bank of the UAE (CBUAE).

2. What activities require a VARA license?

VARA regulates specific “VA Activities,” including advisory, broker-dealer, custody, exchange, lending & borrowing, management & investment, transfer & settlement services, and Category 1 VA issuance. Licensing is activity-specific.

3. Are there prohibited crypto activities in Dubai?

Yes. Issuance or use of anonymity-enhanced cryptocurrencies is strictly prohibited. Performing VA Activities without a VARA license is also prohibited.

4. What is the VARA rulebook stack?

All VARA licensees must comply with compulsory rulebooks: Company, Compliance & Risk Management, Technology & Information, and Market Conduct. Activity-specific rulebooks then define additional obligations per licensed activity.

5. How are crypto marketing and promotions regulated in Dubai?

The Marketing Regulations 2024 govern all crypto marketing in the UAE. They cover ads, social posts, influencer endorsements, events, and educational content. Promotions must be tied to licensed activities, geofenced, and include risk disclaimers.

6. What AML/CFT obligations apply to VASPs?

VARA supervises AML/CFT compliance for Dubai-based VASPs. Entities must also comply with UAE federal AML/CFT laws, report reconciliation or compliance issues promptly, and implement robust client asset protections.

7. How does VARA regulate technology and cybersecurity?

VARA’s Technology & Information Rulebook requires threat-led penetration testing, 72-hour reporting of cyber/BCDR events, and 24-hour notification of personal data incidents. Firms must maintain a robust Technology Governance & Risk Assessment Framework.

8. How are market offenses and token issuance handled?

VARA enforces market integrity rules including insider trading and market manipulation. VARA supervises token issuance, while the DFSA’s token recognition system governs DIFC listings.

9. What are the licensing fees and supervision requirements?

Fees are charged per activity, including application, supervision, and extensions. VARA has broad discretion over fines, reprimands, and additional reporting requirements.

10. How does Dubai’s framework intersect with CBUAE regulations?

Payment token activities and UAE-CBDC initiatives fall under CBUAE oversight. Entities must comply with both VARA rules and CBUAE’s Payment Token Services Regulation 2024 when relevant.