1) THE UAE’S “MULTI-REGULATOR” MAP AT A GLANCE
Virtual-asset activity in the UAE is apportioned across five competent authorities depending on geography and product use:
- Dubai (outside the DIFC): Dubai’s Virtual Assets Regulatory Authority (VARA) is the specialist conduct and prudential regulator for VASPs. VARA’s framework is built on the Virtual Assets and Related Activities Regulations 2023 (the “Regulations”) and a stack of compulsory and activity-specific rulebooks.
- DIFC (Dubai International Financial Centre): The Dubai Financial Services Authority (DFSA) supervises “Crypto Tokens” and “Investment Tokens” within the DIFC through the DFSA Rulebook (GEN/COB/PIB/MKT/AMI). Only DFSA-recognised Crypto Tokens may be used in regulated business, with added retail protections.
- ADGM (Abu Dhabi Global Market): The Financial Services Regulatory Authority (FSRA) runs an activities-based regime where each firm publishes its own list of Accepted Virtual Assets (AVAs) following an internal assessment process set out in COBS 17.2 and related guidance.
- UAE onshore (outside free zones): The Securities and Commodities Authority (SCA) regulates investment-purpose platforms/intermediaries. SCA’s 2023 resolution for Virtual Assets Platform Operators establishes core trading, listing and surveillance obligations and repeals the 2020 crypto regulation.
- UAE-wide payment tokens: The Central Bank of the UAE (CBUAE) licenses Payment Token Services (stablecoins/payment tokens) under the 2024 Regulation, effective 31 August 2024, covering issuance, conversion, and custody/transfer.
Practical orientation. A first scoping decision that appears in successful files is: Is the token used as money (payments/remittance → CBUAE) or as an investment (platform/intermediation → VARA/FSRA/DFSA/SCA)? This “perimeter & scope fit” anchors licensing and documentation strategy.
2) VARA (DUBAI): THE 2023 FRAMEWORK, IN PRACTICE
2.1 Compulsory & activity-specific rulebooks
Under the VARA Regulations, all VARA-licensed VASPs must comply with four compulsory rulebooks – Company; Compliance & Risk Management; Technology & Information; Market Conduct – plus one or more activity-specific rulebooks aligned to the firm’s permissions (Advisory, Broker-Dealer, Custody, Exchange, Lending & Borrowing, VA Management & Investment Services, and VA Transfer & Settlement).
Custody is tightly defined and only available where each client’s assets are segregated in separate VA wallets; otherwise a Custody licence will not be granted. (This point materially affects product selection and wallet architecture.)
2.2 Technology, breach reporting and data protection
VARA’s Technology & Information Rulebook requires a CISO, a proportionate cybersecurity programme, and a notification to VARA within 72 hours of detecting a material cybersecurity/BCDR event impacting operations, with details of nature, scope, impact and mitigation. It also cross-references the UAE PDPL for data-protection duties.
2.3 AML/CFT supervision
Part VI of the Regulations designates VARA as a Supervisory Authority for AML/CFT in the Emirate with the power to supervise VASPs’ compliance with the Federal AML-CFT Laws and FATF-aligned obligations. Coordinate your firm’s AML framework to the federal baseline and VARA’s rulebooks/Directives.
2.4 Marketing and market conduct
Two strands apply:
- Marketing Regulations 2024: govern all marketing of VAs and VA activities in/from Dubai, including channel rules, prohibitions, required disclosures, and treatment of events and cross-border outreach.
- Market Conduct Rulebook: embeds duties on client agreements, complaints, investor classifications, and overarching market offences (insider dealing, unlawful disclosure, market manipulation) under Part VIII of the Regulations.
Common pitfalls the market still trips on: implying “regulated exchange” status while holding only a broker-dealer licence; global social posts that “spill” into Dubai retail audiences without controls; and “pre-launch hype” that reads as an inducement. Build your financial-promotions and geo-fencing controls accordingly.
3) DIFC/DFSA: TOKEN RECOGNITION FIRST, THEN ACTIVITY
Within the DIFC, only recognised Crypto Tokens can be used in regulated activity. DFSA’s public materials flag that, as of September 2024, recognition covered a large share of global market cap (e.g., BTC, ETH, LTC, TON, XRP) – but availability is always subject to the current recognised list and can be revoked if criteria lapse. Retail-facing business triggers extra obligations (e.g., appropriateness and ban on incentives).
DFSA separately publishes formal Notices of Crypto Token Recognition and maintains a register; GEN 3A.3.4 underpins the criteria and process.
Licensing perimeter. Only certain Financial Services apply directly to Crypto Tokens (e.g., dealing as principal/agent, arranging, providing/arranging custody, operating an MTF), and staking is cabined to custody permissions under COB 15. Ensure your variation or new licence tracks the actual service and client class.
For filings, prepare a recognition dossier mapping token characteristics to prudential category and client permissions, and keep custody feasibility/insolvency analysis front-and-centre.
4) ADGM/FSRA: FIRM-LEVEL AVA GOVERNANCE AND INSTITUTIONAL CUSTODY
The FSRA’s December 2023 Guidance – Regulation of Virtual Asset Activities in ADGM explains that each Authorised Person assesses and self-recognises the Virtual Assets it will use as Accepted Virtual Assets (AVAs) under COBS 17., and must continuously monitor them. Legacy FSRA-approved AVAs under the old process remain valid but must appear on the firm’s published AVA list.
Custody rules are applied by analogy with safe-custody standards (COBS Ch. 15 + Ch. 17). Key points include monthly statements for Retail Clients and weekly reconciliations of client VA holdings; three custody models (in-house, outsourced, non-custodial) are delineated with associated governance, multi-signature, and collusion-mitigation controls.
In filings and supervisory engagements, FSRA expects robust governance over AVA assessments, surveillance for venues, transparent sub-custody arrangements, and third-party attestations – consistent with “institutional-grade” positioning.
5) SCA (ONSHORE UAE): PLATFORM OPERATOR DUTIES
The SCA’s Chairman’s Resolution No. (26/Chairman) of 2023 regulates Virtual Assets Platform Operators and ties their obligations back to SCA’s financial activities manual and market rules. A few anchors:
- Scope – applies to VA platform operators in the State (onshore UAE).
- Trading prohibition – no VA may be traded in the State unless accepted on the operator’s official list and registered with SCA.
- 2020 repeal – the 2020 crypto assets regulation is cancelled; the 2023 Resolution is effective from publication.
Operators shoulder admission/delisting standards, surveillance, risk management and technology baselines – points that should be reflected in your governance and public disclosures.
6) CBUAE (UAE-WIDE): PAYMENT TOKEN SERVICES (STABLECOINS)
The Payment Token Services Regulation (PTSR) took effect 31 August 2024 and sits within the CBUAE Rulebook. It establishes a licensing framework for issuance, conversion, and custody/transfer of payment tokens (including fiat-referenced stablecoins used for payments). Public CBUAE materials summarise its three pillars and objectives.
Interaction tip. If your use case is payments (e.g., merchant settlement, remittance rails, on-ramp/off-ramp), assess PTSR early – even if you are also a VARA/DFSA/FSRA licensee for investment-purpose activity. The Central Bank’s SVF Regulation (2020) and Retail Payment Services regime continue to operate in parallel for non-token payment services.
The attached note highlights payment-token specifics you should evidence – reserve backing/redemption, clear communications (no legal-tender claims), FX/spread transparency, and banking-grade reconciliations.
7) WHAT BEST-IN-CLASS FILINGS LOOK LIKE (EVIDENCE OVER RHETORIC)
Across VARA/DFSA/FSRA/SCA/CBUAE, strong applications share the same anatomy:
- Perimeter & scope fit (who you are, where you operate, what the token is in context).
- Artefacts before assertions – four classic packs: Company, Compliance & Risk, Technology & Information, Market Conduct, plus activity-specific modules.
- Controls that actually run – demonstrate per-client wallet segregation, MPC/multisig quorums and key ceremonies; CISO-led cyber programme; Travel-Rule-enabled AML; and MI that shows reconciliations, incident MTTR, and capital headroom.
- Lifecycle realism – submission → RFIs → conditions → grant → early supervision.
For VARA specifically, align your seven-activity map, reflect FAO-linked capital, and engineer incident-reporting and BC/DR drills to satisfy the 72-hour standard in the T&I Rulebook.
8) GOVERNANCE, CUSTODY AND CLIENT-ASSET PROTECTION – WHERE REGULATORS CONVERGE
- Segregation: VARA hard-links Custody licensing to per-client wallet segregation. DFSA/FSRA impose robust safe-custody controls and reconciliations aligned to securities-style regimes.
- Cyber & CISO: VARA mandates a CISO and technology governance, with 72-hour incident reporting; FSRA expects strong governance and incident playbooks; DFSA requires tech governance and independent technology audits.
- Market integrity: VARA’s Market Offences (insider dealing, unlawful disclosure, manipulation) and DFSA’s MKT/COB standards both require surveillance and fair communications.
- Financial promotions: All regimes demand status accuracy and audience controls; Dubai now operates under the Marketing Regulations 2024 with topic-specific requirements and guidance.
9) TOKEN GOVERNANCE – IN THREE ENVIRONMENTS
(a) Dubai under VARA
Exchange and matching venues must operate admission/delisting standards that test lawfulness, disclosure sufficiency, technology risk, custody feasibility and market integrity; ongoing surveillance is expected. Marketing in/on/from Dubai is regulated under the 2024 Marketing Regulations; avoid inducements that over-promise or imply legal-tender status.
(b) DIFC under DFSA
Do not promote or operate in relation to a token unless it is recognised; maintain a current inventory of recognised tokens and keep retail controls tight (COB 15, risk warnings, tech audits).
(c) ADGM under FSRA
Your AVA list is your product perimeter. Maintain governance for adding/suspending/removing AVAs, keep weekly reconciliations and monthly statements for Retail Clients, and document custody arrangements (in-house vs outsourced vs self-custody).
10) FEES, SUPERVISION AND ENFORCEMENT
VARA’s Schedule 2 sets application/extension and annual supervision fees per activity; Schedule 3 outlines indicative fines (including AML/KYC breaches) with discretion to adjust. Market Offences are codified in Part VIII of the Regulations. Read your licence conditions closely – VARA may impose bespoke conditions and amend fees.
SCA, DFSA and FSRA all retain broad inspection, investigation and enforcement powers under their statutes/rulebooks. In practice, expect early, data-driven supervision in the first year post-authorisation.
11) COMMON PITFALLS – AND HOW TO AVOID THEM
- Status inflation (e.g., claiming to be an “exchange” when authorised only for broker-dealer services), global marketing leakage into retail audiences in Dubai/DIFC, and promoting unrecognised tokens in the DIFC are repeatedly cited issues. Invest early in financial-promotions approval workflows, geo-controls, and clear status wording.
- Custody shortcuts (omitting per-client segregation where required) derail Custody applications under VARA and weaken banking relationships. Architect wallets and reconciliations accordingly.
- Incident under-reporting in Dubai violates the 72-hour standard – bake the trigger into your BC/DR and SOC runbooks to generate a supervisory notice on time.
The attached guide’s “universal path” and control checklist are useful for board MI and pre-audit self-assessments; regulators decide on evidence, not rhetoric.
12) QUICK COMPLIANCE CHECKLIST (UAE VAX OPERATORS)
- Map your perimeter: VARA vs DFSA vs FSRA vs SCA vs CBUAE; if any payment use case → check PTSR.
- Document stack: four compulsory packs (Company, Compliance & Risk, Tech & Info, Market Conduct) + activity modules; align to Regulation V.
- Custody design: per-client wallet segregation (VARA), reconciliations cadence (FSRA/DFSA), insolvency analysis.
- Cyber & reporting: CISO appointment; 72-hour incident notification; PDPL alignment.
- Token perimeter: DFSA recognition or FSRA AVA governance; SCA listing registration for onshore platforms.
- Marketing: VARA Marketing Regulations 2024 + Market Conduct standards; fair-clear-not-misleading.
The UAE offers one of the world’s most developed – and precise – regulatory mosaics for virtual assets. For Dubai-centric VASPs, the 2023 VARA Regulations plus the 2024 Marketing Regulations and T&I Rulebook set a clear operating standard, from per-activity rulebooks to 72-hour incident notices and market-conduct expectations. DIFC firms must recognise tokens before use and meet securities-grade retail safeguards; ADGM firms must build and maintain their own AVA perimeter with institutional custody; onshore operators must satisfy SCA platform obligations; and payment-token businesses must face the CBUAE PTSR head-on.
Treat the perimeter decision as the foundation, assemble evidence-heavy packs, and let controls – not promises – do the talking.
HOW CRYPTOVERSE LEGAL CAN HELP
Cryptoverse Legal is a Dubai-based specialist firm focused exclusively on virtual assets and crypto. We turn complex frameworks – VARA, SCA, DFSA/FSRA, CBUAE, and global regimes like MiCA and MAS – into clear, actionable licensing and compliance strategies.
- Scoping & Licensing: Perimeter mapping (payments vs. investment activity), regulator selection, activity permissions, and end-to-end application drafting and submissions.
- Governance & Controls: Company, Compliance & Risk, Technology & Information, and Market Conduct frameworks; custody design (segregated wallets/MPC), incident reporting, outsourcing oversight.
- Token & Product: Token classification, listing/recognition or AVA governance, whitepapers, and structuring of staking/lending.
- AML/CFT & Market Integrity: UAE federal AML alignment, Travel Rule implementation, market surveillance, and financial-promotions compliance (including VARA Marketing Regulations).
- Cross-Border Expansion: Harmonising UAE approvals with MiCA/MAS and other key hubs.
- Ongoing Assurance: Supervisory engagement, audits/readiness reviews, staff training, and board MI.
Whether you’re launching in Dubai or scaling globally, we deliver regulator-ready documentation and controls that help you build, scale, and stay compliant.
Key sources (selected)
- VARA Regulations 2023 (compulsory + activity rulebooks; market offences; fees/fines). (VARA Rulebook)
- VARA Technology & Information Rulebook (CISO; 72-hour incident reporting; PDPL ref.). (VARA Rulebook)
- VARA Marketing Regulations 2024 (effective 1 Oct 2024). (VARA Rulebook)
- DFSA Crypto Token regime (recognition; retail conduct).
- FSRA Guidance (Dec 2023) (AVA governance; custody obligations).
- SCA Chairman’s Resolution (26/2023) (platform operator scope; trading prohibition; repeal of 2020). (Securities and Commodities Authority)
- CBUAE PTSR (C 2/2024) and official summaries/effective date. (Central Bank Rulebook)
Disclaimer: This publication is for information only and does not constitute legal advice or create a lawyer-client relationship. Regulatory positions evolve quickly; verify the latest versions of the cited instruments and seek formal advice on your specific facts. Requirements change and may apply cumulatively; consult specialist counsel and verify against current VARA/DFSA/CBUAE texts and your licence conditions. See, e.g., VARA Regulations 2023 (Part IV, VI–IX; Schedules 1–3) and Marketing Regulations 2024; DFSA token recognition notices; and CBUAE PTSR 2024.
FAQs:
1. Who regulates cryptocurrency in the UAE?
Cryptocurrency in the UAE is regulated under multiple authorities—VARA for Dubai (outside DIFC), DFSA for the DIFC, FSRA for ADGM, SCA for onshore UAE, and the CBUAE for payment tokens and stablecoins.
2. What is VARA’s role in Dubai’s crypto regulation?
VARA oversees Virtual Asset Service Providers (VASPs) in Dubai under the 2023 VARA Regulations. It enforces specific rulebooks for compliance, custody, cybersecurity, and market conduct, including the 2024 Marketing Regulations.
3. How does DFSA regulate crypto assets in the DIFC?
The DFSA permits activities only in relation to Recognised Crypto Tokens within the DIFC. Firms must obtain authorization under DFSA’s rulebook and comply with strict retail safeguards and market conduct standards.
4. What are FSRA’s requirements for virtual asset activities in ADGM?
5. How does the SCA regulate virtual assets onshore in the UAE?
The SCA’s 2023 Resolution applies to Virtual Asset Platform Operators, establishing trading, listing, risk management, and disclosure obligations. Only registered tokens may be traded within onshore UAE.
6. What is the CBUAE Payment Token Services Regulation (PTSR)?
Effective August 2024, the CBUAE’s PTSR regulates payment tokens, including stablecoins used for payments, ensuring reserve backing, redemption transparency, and secure custody mechanisms.
7. What are common compliance mistakes under UAE crypto regulations?
Frequent issues include marketing unrecognised tokens in DIFC, using the wrong licence category, failing per-client wallet segregation, and missing VARA’s 72-hour breach reporting rule.
8. How can Cryptoverse Legal assist with UAE crypto compliance?
Cryptoverse Legal helps VASPs map regulatory perimeters, draft licence applications, design compliant custody and AML frameworks, and maintain ongoing supervision alignment across VARA, DFSA, FSRA, SCA, and CBUAE regimes.