VARA Licence Application Process in Dubai: Step-by-Step Guide for New Firms

Part 1 of 2

If you are planning to launch a crypto business in Dubai, one of the first serious questions you will eventually face is not about branding, tokenomics, or market timing.

It is this:

How does the VARA licence application process actually work for a new firm?

Not the vague version.
Not the oversimplified version.
And not the version that makes it sound like a standard company-registration exercise with a few extra forms attached.

The real version.

Because once a business moves beyond general interest in Dubai and begins seriously evaluating the market, the licensing process quickly becomes one of the most commercially important parts of the whole strategy.

It affects:

• how early the business needs to start preparing,
• what documents must exist before filing,
• how the legal entity is set up,
• what can and cannot be done before full approval,
• how long the process may take,
• and how much avoidable delay the business creates for itself.

And that last point matters more than many founders first realise.

A lot of businesses think the real challenge is “getting the regulator comfortable.”

Often, the bigger challenge is making sure the business itself is clear enough, structured enough, and documented enough before the regulator starts asking obvious questions.

That is exactly why this article matters.

If you have searched:

• VARA licence application process
• how to apply for a VARA licence
• VARA licence Dubai
• VARA new firm application
• VARA Approval to Incorporate
• VARA VASP licence process
• how long does a VARA licence take
• VARA application documents

then this guide is built for you.

This article focuses specifically on the process for new firms, because VARA itself distinguishes between the route for new firms and the route for certain existing / legacy firms. On its official licensing page, VARA states that new firms apply through a two-stage process: first Approval to Incorporate (ATI), and then the full VASP Licence application. VARA also states that any firm seeking to carry on Virtual Asset activities in or from Dubai, excluding DIFC, has a legal obligation to be licensed by VARA before commencing operations.

That is the starting point.

And once you understand that, the next thing to understand is even more important:

The VARA application process is not just a filing process. It is a readiness process.

That single idea explains why some applications move more coherently than others.

So in this first part, we are going to break down:

• what the VARA application process for new firms really is,
• how the two formal stages work,
• what ATI actually means,
• what businesses often misunderstand about the process,
• and why the strongest applications usually begin before the formal filing ever starts.

Let’s begin with the first thing many businesses get wrong.

1) The process is not just “submit and wait”

A lot of first-time applicants imagine the licensing process as something like this:

1. Fill out a form
2. Upload a few documents
3. Wait for approval
4. Get licensed

That is not how this market works.

VARA’s own public guidance already tells a much more serious story.

For new firms, VARA says the process has two formal stages:

• Stage 1: Approval to Incorporate (ATI)
• Stage 2: Full VASP Licence.

At first glance, that may still sound manageable. But once you look at what sits underneath those two stages, it becomes obvious that this is not just a procedural pipeline. It is a regulator-driven assessment of whether the applicant is fit to become, and then operate as, a licensed virtual asset business in Dubai.

That is a very different proposition.

Because a serious application is not merely proving that:

• the founders are enthusiastic,
• the product idea exists,
• or the entity can be incorporated.

It is proving that the business can be:

• structured,
• governed,
• funded,
• controlled,
• documented,
• and ultimately supervised.

This is why businesses that approach the process too casually often experience it as “slower than expected.” In many cases, the delay is not caused by a mysterious regulator. It is caused by the business discovering, during the process, that it is not yet as licensing-ready as it assumed.

That is why the better way to think about the VARA application process is this:

The formal process has two stages.

The real journey usually has three phases.

Those three phases are:

1. Pre-filing readiness
2. Stage 1 — ATI
3. Stage 2 — Full VASP Licence

VARA formally describes only the last two because those are the official steps. But commercially, serious applicants know that the first phase often determines how the rest of the journey feels.

We will come back to that.

2) Step zero: the readiness phase most founders underestimate

Before you even reach the first formal filing stage, there is a less visible but extremely important phase:

the readiness phase.

VARA does not label it this way on the public website. But in practice, this is where the strongest applications are built.

Why?

Because by the time a business reaches the formal process, a number of questions should already have been answered internally:

• What exact VA Activity is the business applying for?
• Is it one activity or more than one?
• Is the business model aligned with the licence scope being sought?
• Who are the beneficial owners and senior management?
• How will the governance structure work?
• What does the customer journey actually look like?
• How do fiat and virtual assets move through the model?
• What technology and control systems support the activity?
• Is the Regulatory Business Plan coherent?
• Are the compliance and AML frameworks aligned to the real operating model?
• Is the business financially and prudentially ready to support the application?

These are not secondary questions. They are the real architecture of the file.

And this is exactly why a lot of businesses get stuck later: they begin the formal licensing journey before they have properly solved the readiness phase.

If you want the process to feel manageable, the business should ideally enter Stage 1 with:

• a clearly defined scope,
• a real business model,
• a plausible governance story,
• an organised ownership structure,
• and a clear plan for operational setup after ATI.

Without that, even the first stage can become heavier than expected.

So before thinking about how to apply for a VARA licence, a smart founder should ask:

“How prepared are we to explain ourselves properly once the process begins?”

That is the right step-zero question.

3) Stage 1: Approval to Incorporate (ATI)

Now let’s move into the first formal stage.

VARA’s official licensing page for new firms says that applying for a VASP Licence is completed in two stages, and that the first stage is an application for Approval to Incorporate (ATI). The purpose of ATI is to allow the applicant to establish the legal entity and commence operational setup.

This point is crucial.

ATI is not the licence.
ATI is the first formal gateway toward the licence.

That distinction matters a great deal because businesses often emotionally overread ATI. They treat it as a near-final approval when, in reality, it is permission to continue building toward the licensed operating model.

What happens in Stage 1?

VARA’s public guidance says that the Stage 1 process includes the following:

1. Submit an Initial Disclosure Questionnaire (IDQ) to Dubai Economy & Tourism (DET) or the relevant Free Zone.
2. Provide additional documentation as required, including a business plan and details of the firm’s beneficial owners and senior management.
3. Pay initial fees required to commence application review, typically 50% of the licence application fee.
4. Receive an Approval to Incorporate (ATI), allowing the firm to finalise legal incorporation and complete operational setup such as office space rental and employee onboarding.

That is the formal sequence.

But the commercial meaning is just as important.

This stage is where the business first introduces itself to the Dubai regulatory ecosystem in a serious way. It is where the applicant begins to say:

• who we are,
• what we want to do,
• who owns and manages us,
• and why we should be allowed to move into the legal-incorporation and setup phase.

That is why even the early-stage materials matter.

If the business plan is weak, if the ownership structure is confusing, or if the activity appears to fall outside the regulatory perimeter, VARA expressly reserves the right not to issue ATI.

So Stage 1 is not a rubber stamp.

It is an early filter.

4) What ATI actually allows — and what it does not

This is one of the most important practical distinctions in the whole process.

VARA’s public licensing page includes a specific note at Stage 1:

At this point, the firm is not permitted to carry on Virtual Asset activities.

That is as clear as it gets.

ATI allows the firm to:

• finalise legal incorporation,
• complete operational setup,
• arrange office space,
• onboard employees,
• and build out the operational platform needed to support the later VASP application.

ATI does not allow the business to begin regulated VA activities.

This matters because a lot of firms confuse:

• being permitted to establish the vehicle,
  with
• being permitted to operate the regulated business.

Those are not the same thing.

So if you are thinking about:

• marketing aggressively after ATI,
• onboarding clients after ATI,
• treating ATI as public evidence that the business is already licensed,
• or acting like the regulatory question is “basically solved,”

that is a dangerous misunderstanding of the process.

ATI is a meaningful milestone.
But it is still only the first formal stage.

It says:

“You may continue building.”

It does not say:

“You may now conduct regulated virtual asset activity.”

That distinction should shape how the business behaves publicly and operationally after Stage 1.

5) Why VARA reserves the right to stop the process at ATI stage

Another point founders often miss is that ATI is still a substantive regulatory decision point.

VARA’s licensing page expressly states that it reserves the right not to issue an ATI where:

• the firm’s activities fall outside the regulatory perimeter, or
• the firm may not meet appropriate standards to be regulated.

This is very revealing.

It shows that Stage 1 is not just about legal incorporation mechanics. It is about whether the business is a plausible candidate for regulation under VARA at all.

That means the regulator is already thinking about two important things:

1. Perimeter fit

Does the activity really belong in the VARA framework?

If the business is describing something that sits outside the relevant perimeter, then the process may stop before it progresses further.

2. Regulatory suitability

Even if the activity is in scope, does the business appear serious and credible enough to continue toward regulation?

That is why early-stage structure matters so much.

A weak ATI package can create problems before the “real” licensing stage even begins.

And this is also why the businesses that prepare properly before filing tend to feel more in control of the process. They have already pressure-tested the model against the perimeter and built a cleaner early-stage story.

6) Who do you submit through: DET or Free Zone?

This is another practical point that comes up repeatedly.

VARA’s official licensing page states that application submissions can be made through:

• Dubai Economy & Tourism (DET) for mainland firms, or
• any relevant Dubai Free Zone in the Emirate of Dubai, excluding DIFC.

That means a new firm does not simply submit “directly into Dubai” in the abstract. The commercial licensor matters:

• mainland via DET,
• or the chosen Dubai Free Zone.

This has strategic implications because the entity setup route and commercial location should align with the broader operating plan.

A lot of founders still think about legal setup and regulatory strategy as separate discussions. In reality, they are connected from the very beginning.

The commercial licensor is part of the entry architecture.

That is one reason the ATI stage matters so much. It sits at the point where:

• legal incorporation,
• commercial location,
• and regulatory pathway

Begin to converge.

7) Why good applicants treat Stage 1 as a credibility test, not just an administrative step

The biggest mistake a new firm can make is to treat ATI like a technical hurdle.

That mindset often leads to weak early submissions because the business is still speaking in broad internal language rather than regulator-facing language.

A stronger approach is to treat Stage 1 as a credibility test.

At this point, the applicant should be able to explain:

• what regulated activity it wants to conduct,
• who the business owners and senior managers are,
• why the legal entity should be set up for this purpose,
• and why the application is not speculative or premature.

This does not mean the full submission has to be fully built at ATI stage. It does mean the early narrative must be coherent enough to justify letting the firm move into the next stage.

And this is exactly why strong licensing strategies often begin earlier than founders expect.

They begin before submission:

• when the business defines the activity correctly,
• prepares the ownership and management story,
• tests whether the model belongs inside the VARA perimeter,
• and begins drafting the narrative that will later expand into the full application.

That is the difference between:

• entering Stage 1 as a curious startup, and
• entering Stage 1 as a serious future applicant.

The regulator can feel the difference.

8) Where Part 2 will go next

Part 1 has focused on the front half of the journey:

• how the new-firm process is structured,
• what ATI is,
• what it allows,
• what it does not allow,
• and why early readiness matters before the formal process even begins.

In Part 2, we will move into the second formal stage and the heavier operational burden behind it, including:

• what happens after ATI,
• the full VASP Licence submission stage,
• meetings, interviews, and feedback from VARA,
• the application documentation burden,
• the compulsory rulebooks for all VASP applicants,
• the activity-specific rulebooks,
• what tends to slow applications down,
• and how new firms can approach the process more strategically.

Part 2 of 2

In Part 1, we focused on the front end of the process:

• the fact that VARA’s route for new firms is formally divided into two stages,
• the importance of the pre-filing readiness phase,
• the purpose of Approval to Incorporate (ATI),
• and the crucial distinction between being allowed to set up and being allowed to conduct regulated Virtual Asset activities.

Now we move into the stage that most founders are really asking about when they search terms like:

• VARA application documents
• VARA licence process
• how to apply for a VARA licence
• VARA VASP licence
• how long does VARA licence take
• VARA licence requirements

This is the stage where the file stops being preliminary and starts becoming real.

Because once ATI has been granted, the business is no longer only proving that it can be incorporated and operationally prepared. It now has to prove that it is genuinely ready to become a licensed and supervised Virtual Asset Service Provider in Dubai.

That is a much higher standard.

And this is where the quality of the preparation begins to show very clearly.

Some firms reach this stage with:

• a clean scope,
• aligned documents,
• realistic financials,
• and a well-structured RBP.

Others arrive with:

• unresolved activity questions,
• weak governance narratives,
• thin policies,
• unclear customer flows,
• and a business model that still sounds more like a pitch deck than a regulated operation.

The regulator notices the difference.

That is why Stage 2 is not simply the “longer form version” of Stage 1. It is a substantive evaluation of whether the firm can actually operate under VARA’s framework.

Let’s break that down properly.

1) Stage 2: the full VASP Licence application

After ATI, the next step is the full VASP Licence application.

VARA’s public licensing page states that once ATI is obtained, the applicant proceeds to the second stage, which includes:

• preparing the full application pack,
• engaging in meetings and interviews,
• submitting further information where requested,
• paying the balance of the application fees and the first year’s supervision fees,
• and, if successful, receiving the VASP Licence. VARA also notes that it may issue the licence subject to certain conditions in some cases.

This is one of the most important transitions in the whole licensing journey.

At ATI stage, the regulator is effectively asking:

“Should this business be allowed to establish the legal and operational base needed to continue toward licensing?”

At full VASP stage, the question becomes:

“Is this business ready to be licensed and supervised for the regulated activity it has asked to conduct?”

That is a much more demanding question.

Because the regulator is no longer evaluating an intention to build. It is evaluating a built regulatory case.

That case must be supported by:

• the legal structure,
• the governance structure,
• the prudential model,
• the compliance framework,
• the technology environment,
• the customer journey,
• and the overall coherence of the business as presented in the file.

This is where weak preparation usually shows up quickly.

2) The documentation burden is broad — and intentionally so

VARA’s website is very clear that the list of application documents it publishes is non-exhaustive. That means the firm should not treat the website as a closed checklist and assume that once those boxes are ticked, nothing else can be asked for. 

This is important for two reasons.

First, it signals that the process is fact-sensitive

A simpler model may trigger a more straightforward review.

A more complex model, for example one involving exchange, custody, transfer rails, DeFi exposure, token issuance, or payment-like functionality, may generate a broader documentary burden.

Second, it means the application is not just about completeness

A weak applicant often asks:

“Have we attached everything?”

A strong applicant asks:

“Does the file help the regulator understand the business clearly enough to trust it?”

That is a more useful way to think about the application.

The documents are not just there to fill a folder. They are there to tell a coherent story about a business that can be governed and supervised.

3) The four core documentation buckets

VARA’s published materials group the application documents into four broad categories:

1. Corporate Structure and Governance
2. Risk and Compliance
3. Technology
4. Other Supporting Information. 

This structure is useful because it reflects how the regulator itself is likely to read the business.

A. Corporate Structure and Governance

This bucket includes the materials that explain:

• who the applicant is,
• who owns it,
• who controls it,
• how it is funded,
• who the key people are,
• and how the governance framework works.

VARA’s examples in this category include:

• certificate of incorporation,
• UBO list,
• fit and proper confirmations,
• source of funds,
• organisational structure,
• governance framework,
• local entity website,
• key personnel documents,
• Regulatory Business Plan,
• financial projections,
• financial statements,
• proof of paid-up capital,
• insurance certificates,
• succession plan,
• and wind-down plan.

This tells you immediately that the regulator is not only looking at the business idea. It is looking at the institution behind the idea.

B. Risk and Compliance

This is where the file starts showing how the business identifies, manages, and monitors risk.

VARA’s examples here include:

• enterprise risk management framework,
• risk assessment,
• compliance manual,
• compliance monitoring programme,
• AML/CFT policy and procedures,
• outsourcing policy and agreements,
• conflicts of interest policy,
• insider lists,
• customer journey workflows,
• terms and conditions,
• privacy policy,
• marketing policy and plan,
• sample marketing materials,
• market conduct policy,
• and records management policy.

This is a very revealing list.

It shows that VARA expects more than basic legal documentation. It expects a control environment.

C. Technology

For many VASPs, the technology stack is inseparable from the service being licensed.

That is why VARA’s document examples include:

• technology infrastructure design,
• technology risk assessment framework,
• business continuity and disaster recovery planning,
• key and wallet management policy,
• information security policy,
• and penetration testing results. 

This is especially important for:

• exchanges,
• custodians,
• broker-dealers,
• and transfer and settlement businesses.

D. Other Supporting Information

This category allows for additional supporting materials depending on the business model, including:

• whitepapers,
• proprietary trading information,
• DeFi-related information,
• and VA payment materials.

This is another reminder that the application expands with complexity.

4) The universal rulebooks every VASP applicant should expect to deal with

One of the biggest misunderstandings in the market is that applicants think primarily in terms of the activity-specific licence.

That is important — but it is not the whole framework.

Your reviewed materials and the wider VARA rulebook structure make clear that licensed firms are generally expected to comply not just with the activity-specific rulebook, but also with broader baseline rulebooks, including:

• the Company Rulebook
• the Compliance and Risk Management Rulebook
• the Technology and Information Rulebook
• and the Market Conduct Rulebook

This is commercially very important.

Because it means the licensing burden is not limited to:

“What are the rules for our activity?”

It also includes:

“What kind of institution must we become in order to carry on that activity properly?”

That broader framework affects:

• governance,
• compliance,
• risk management,
• technology controls,
• market-facing conduct,
• and prudential readiness.

This is exactly why businesses that approach the process with only an “activity checklist” mindset usually find the full application stage heavier than expected.

The regulator is not only licensing the activity.
It is licensing the operating environment around that activity.

5) Meetings, interviews, and regulator engagement

Another point worth making very clearly is this:

The full VASP application stage is not a silent upload process.

VARA’s licensing page states that Stage 2 may involve:

• meetings,
• interviews,
• and requests for additional information or clarification.

This matters because some founders still imagine the process as a “send documents and wait” exercise.

It is better understood as an interactive review process.

That means the applicant must be ready not only to submit documents, but also to:

• explain the business model coherently,
• answer follow-up questions consistently,
• defend the scope being applied for,
• clarify technology and transaction flows,
• and respond to issues without creating contradictions in the file.

This is where weak internal coordination can create real problems.

If:

• finance says one thing,
• the RBP says another,
• compliance documentation implies something else,
• and management gives a different answer in a meeting,

then the file begins to look unstable.

That is why good application management matters as much as good drafting.

Strong applicants usually maintain:

• an issues log,
• clear document ownership,
• version control,
• and one coherent internal understanding of the business model.

That is the kind of discipline that helps the process move more smoothly.

6) What tends to slow new-firm applications down

When founders ask how long does a VARA licence take, the most honest answer is that timing depends heavily on:

• the complexity of the model,
• the quality of the submission,
• and how many clarification or remediation rounds the business triggers.

That is why the better question is often:

“What causes delay?”

Here are some of the most common causes.

Weak or unclear activity scoping

If the business is not clearly applying for the right regulated activity — or if the business model described appears broader than the scope requested — the file becomes harder to assess.

Thin or overly promotional RBP

If the Regulatory Business Plan sounds like a growth deck rather than a regulator-facing operating blueprint, the regulator will usually need more detail and more clarification.

Poorly explained customer and asset flows

This is especially important in crypto. If the file does not clearly show:

• who initiates what,
• where assets move,
• who controls wallets,
• what third parties are involved,
• and where the regulated function sits,

then the review becomes harder.

Underdeveloped governance or personnel structure

If the key functions and reporting lines are vague, the business may not look mature enough for licensing.

Generic compliance framework

A template AML or compliance pack that is not clearly tailored to the actual business model is often easy for a regulator to see through.

Weak technology documentation

For higher-risk models, vague explanations of infrastructure, wallet arrangements, resilience, or security can materially slow the process.

These are not exotic mistakes. They are very common. And most of them can be reduced by doing more disciplined work before the full application stage begins.

7) What strong applicants do differently at Stage 2

By now, the difference between stronger and weaker applicants should feel much clearer.

The strongest applicants usually do a few things consistently well:

They treat the file as one integrated story

They do not let the RBP, financials, policies, and operational descriptions drift in different directions.

They prepare for interaction, not just submission

They know there will likely be meetings and questions, and they organise internally for that reality.

They align legal, compliance, business, and technology teams early

They do not wait until after submission to find out that internal stakeholders are describing the business differently.

They know what ATI did — and did not — resolve

They understand that ATI allowed them to build the legal and operational platform, but the real licensing case still has to be won at Stage 2.

They think like future regulated entities

They do not act like startups trying to “get through” the process. They act like businesses preparing to live under supervision once the licence is granted.

This mindset shift is subtle, but extremely important.

It often affects not only the quality of the application, but also the quality of the business itself by the time it reaches the end of the process.

8) The licence is not the end of the work

One final point is worth making before we close.

Even once the VASP Licence is granted, the story is not over.

VARA’s framework makes clear that licensed firms remain subject to:

• annual supervision fees,
• prudential requirements,
• the applicable rulebooks,
• and ongoing regulatory expectations tied to the activities they are licensed to conduct.

This matters because applicants should not think of the process as:

“Get the licence and then figure the rest out later.”

A better mindset is:

“Use the application process to build the business into the kind of regulated institution that can carry the licence well.”

That is one of the biggest strategic advantages of approaching the VARA process properly. The business that emerges at the end should be stronger, clearer, and more governable than the one that entered.

Final takeaway

If you are a new firm trying to understand the VARA licence application process in Dubai, the most useful summary is this:

The formal route has two stages

1. Approval to Incorporate (ATI)
2. Full VASP Licence.

But the real journey has three phases

1. Pre-filing readiness
2. ATI
3. Full application and review

And the strongest applications are usually the ones that take the first phase seriously.

Because once the process reaches Stage 2, the regulator is not just asking whether the firm wants to be licensed.

It is asking whether the firm is:

• properly structured,
• properly documented,
• properly governed,
• and genuinely ready to become a supervised virtual asset business in Dubai.

That is the real meaning of the process.

And if you understand that early, you make better decisions:

• about timing,
• about scope,
• about documentation,
• and about how to prepare the business before formal review begins.

How CRYPTOVERSE Legal Can Help

At CRYPTOVERSE Legal, we help new firms navigate the VARA licence application process in Dubai with greater clarity, discipline, and strategic structure. 

Our support includes activity classification, pre-filing readiness planning, ATI-stage support, Regulatory Business Plan drafting, governance and compliance framework development, document-pack preparation, and end-to-end advisory throughout the full VASP application process. 

We work with founders, exchanges, brokers, custodians, token issuers, and digital asset businesses to help them avoid avoidable delays, strengthen weak areas early, and build a more coherent regulator-ready file before and during review. 

Our focus is not just on helping clients submit an application, but on helping them approach the VARA process in a way that reflects real regulatory readiness.If you are preparing to launch a crypto business in Dubai and want tailored guidance on the VARA licence application process for new firms, contact CRYPTOVERSE Legal Consultancy to discuss your licensing strategy.

FAQs