CMA - Regulates Crypto in the UAE (excluding DIFC & ADGM)

The Capital Market Authority (CMA) is the designated federal regulator for virtual assets in the UAE (excluding DIFC & ADGM) — licensing VASPs, setting capital and prudential standards, enforcing AML and Travel Rule obligations, and overseeing custody, cybersecurity, and market infrastructure compliance.

CMA — At a Glance

🏛️ Federal regulator for all virtual asset activities in UAE (excluding DIFC & ADGM)

📋 Mandate formalised under Chairman Resolution No. (04/Chairman) of 2026

⚖️ Activity-based licensing — authorisation required per activity, not per entity

💰 Capital range: AED 500K (MTF) to AED 4M (Dealing as Principal)

🛡️ AML, Travel Rule, custody, cyber, and governance are core supervisory pillars

⚠️ A person may not conduct virtual asset activities unless licensed by the CMA

We translate the CMA virtual asset framework into board-grade licensing strategy, activity classification, capital planning, AML/Travel Rule implementation, governance architecture, custody design, and regulator-facing application packs — through approval and go-live readiness.

Who the CMA Is

The Federal Authority for Virtual Assets in the UAE — Mandate, Instruments, and Regulatory Scope

The Capital Market Authority is the federal authority responsible for regulating virtual asset activities across the UAE. Its mandate covers VASPs and Alternative Trading System operators — and the framework it administers is a fully operational supervisory system, not merely a high-level policy instrument.

The CMA's Regulatory Mandate

Designated Federal Regulator

The CMA is the designated federal authority for virtual assets in the UAE, excluding the DIFC and ADGM financial free zones, which maintain their own independent regulatory frameworks.

Dual Scope — VASPs and ATS Operators

The CMA's mandate covers both Virtual Asset Service Providers (VASPs) operating across the six licensing categories and Alternative Trading System (ATS) operators running trading platforms and matching engines.

Fully Operational Supervisory System

The UAE federal regime is not a framework in development — it is a fully operational supervisory system with binding modules, capital obligations, AML/CFT requirements, and active enforcement authority in place.

⚠️ Licensing Is Mandatory. A person may not carry on virtual asset activities in or from within the UAE unless licensed by the CMA. There is no de minimis exemption or transitional period for new entrants.

The Legal Instruments the CMA Uses

The CMA administers the regime through a layered regulatory framework comprising primary legislation and binding modules. Each instrument carries direct supervisory force — the framework is not advisory.

Primary: Chairman Resolution No. (04/Chairman) of 2026 — the foundational legal instrument establishing the CMA's VASP regulatory framework

Module: General Framework Module — overarching rules governing licensing, governance, and supervisory interaction

Module: Business Regulation Module — conduct, client disclosure, marketing, and day-to-day operational obligations

Module: Alternative Trading System (ATS) Module — market infrastructure rules for exchange and platform operators

Fees: Cabinet Resolution No. (83) of 2025 — formal fee schedule for VASP licensing and regulatory filings

AML: Federal AML/CFT framework and Travel Rule requirements — integrated UAE-wide financial crime obligations applicable to all VASPs

🏛️ Federal: CMA is the federal regulator for UAE — distinct from DIFC and ADGM frameworks

📋 2026: Mandate formalised under Chairman Resolution No. (04/Chairman) of 2026

⚖️ 6 Modules: Primary resolution + 3 binding modules + fees resolution + AML/CFT framework

🔒 Mandatory: Licensing is mandatory for all virtual asset activities — no exemptions or grace periods for new entrants

CMA Licensing Model & Regulatory Scope

Activity-Based, Three-Layer Licensing — and the Full Spectrum of Virtual Asset Activities the CMA Regulates

The CMA framework is built on a three-layer licensing structure. Each activity must be individually authorised — and the CMA's regulatory scope covers the full range of virtual asset services, from exchange and trading through to custody, advisory, and market infrastructure operation.

The Three-Layer CMA Licensing Model

Layer 1 — Virtual Asset Activities: What the Firm Does

The activity performed — e.g., custody, trading, advisory, platform operation, transfer, portfolio management, or issuance-related services

Layer 2 — Financial Activities: How the Activity Is Legally Classified

The legal characterisation of the VA activity — Dealing as Principal, Dealing as Agent, Providing Custody, Operating an MTF, Investment Advice, Portfolio Management, Arranging

Layer 3 — Licensing Categories: Capital Thresholds and Prudential Obligations

Six licensing categories — from Category 1 (AED 4M, Dealing as Principal) to Category 6 (AED 500K, MTF). Each carries distinct ongoing capital adequacy, governance, and compliance obligations

👉 Each Activity Must Be Individually Authorised. The activity-based model means authorisation is granted per activity, not per entity. A firm conducting multiple regulated activities must hold the relevant licence category for each — and capital requirements combine across all licensed categories.

What the CMA Regulates — Full Scope

Regulated Activity | Typical Crypto Businesses
Exchange & trading of virtual assets | Exchanges & Trading Venues
Brokerage and dealing activities | Broker-Dealers & Intermediaries
Transfer and settlement of virtual assets | Transfer & Settlement Infrastructure
Custody and safekeeping | Custodians & Wallet Providers
Portfolio management and advisory | Asset Managers & Advisory Firms
Financial services related to token issuance | Token Service Providers
Operation of trading platforms & exchanges | Market Infrastructure Operators

The CMA Supervises These Entity Types

✔ Exchanges & Trading Venues

✔ Broker-Dealers & Intermediaries

✔ Custodians & Wallet Providers

✔ Asset Managers & Advisory Firms

✔ Transfer & Settlement Infrastructure

✔ Token-Related Service Providers

The Six CMA Licensing Categories

Six Categories, Activity-Based and Capital-Driven — Each with a Distinct Regulatory Scope, Capital Threshold, and Business Fit

The CMA adopts a category-based licensing system aligned to financial activities. Each category carries minimum paid-up capital requirements, ongoing capital adequacy obligations, and a defined scope of permitted activities. Multiple activities require multiple licences — and combined capital obligations apply.

Category 1: Dealing as Principal (AED 4M)

Trading virtual assets on own account. The highest-capital category — reflecting the balance-sheet risk the firm takes in each transaction as counterparty.

Best Suited For

⚠️ Highest capital — most intensive governance and risk management requirements across all six categories

Category 2: Dealing as Agent (Broker) (AED 1M)

Executing trades on behalf of clients without taking principal risk. Agent model — the firm acts as intermediary and facilitator, not counterparty.

Best Suited For

💡 Agent model — no principal balance-sheet risk. Ideal for facilitation-only business models

Category 3: Custody (AED 3M)

Safekeeping and control of client virtual assets — holding private keys, controlling wallet access, or administering client assets. A separate licence is required by any firm holding client assets.

Best Suited For

⚠️ Not included in exchange or broker licences — custody always requires its own Category 3 authorisation

Category 4: Advisory & Arranging (AED 1M)

Investment advice, arranging deals, and arranging custody. Non-custodial, non-execution advisory and facilitation — without taking principal risk or client asset control.

Best Suited For

💡 Lowest operational intensity — suitable for advisory-only and deal-arranging models

Category 5: Portfolio Management (AED 1M)

Managing client assets and investment strategies on a discretionary basis. Requires fiduciary responsibility and investment decision-making authority.

Best Suited For

⚠️ Fiduciary obligations — client suitability, conflict management, and investment governance all apply

Category 6: MTF — Exchange / Trading Platform (AED 500K)

Operating multilateral trading systems — matching buyers and sellers. Regulated as market infrastructure under the ATS Module with the most extensive operational obligations.

Best Suited For

💡 Lowest capital threshold — but highest operational, governance, and market infrastructure obligations

👉 Multiple Activities Require Multiple Licences and Combined Capital Obligations. An exchange holding client assets needs Categories 6 and 3. A broker providing portfolio management needs Categories 2 and 5. Capital requirements are additive — all combination models must be modelled before any licensing strategy is committed to.

How CMA Authorises Firms

The CMA Licensing Process — Two-Stage Authorisation, Full Operational Readiness Required Before Final Approval

A person may not operate as a VASP unless licensed by the CMA. The licensing process is conducted in two formal stages — In-Principle Approval (IPA) followed by Final Licence Approval — with full operational readiness required before the final licence is granted.

The Two-Stage CMA Licensing Process

Stage 1: In-Principle Approval (IPA)

The CMA reviews the proposed business model, activity classification, ownership structure, governance, and financial projections. IPA grants conditional approval in principle — it is not a licence and does not permit regulated activities to commence.

Stage 2: Final Licence Approval

Following IPA, the applicant must demonstrate full operational readiness — AML/CFT frameworks live, capital deposited, systems and controls tested, governance structures in place, and custody architecture verified. The CMA grants the final licence only when all conditions are satisfied.

⚠️ IPA Is Not a Licence. Full operational readiness — not IPA alone — is required before regulated activities may lawfully commence. Firms that begin operations on the basis of IPA alone are in breach of the CMA framework.

What the CMA Assesses During Licensing

🔍 Submission of business model and activity classification — how the proposed activities map through all three licensing layers

🔍 Disclosure of ownership, governance, and management — beneficial owner, board, and key personnel fit and propriety

🔍 Financial and capital adequacy assessment — paid-up capital verification, financial projections, and ongoing capital sustainability

🔍 Operational and systems review — technology governance, cybersecurity readiness, and operational resilience

🔍 Compliance and AML/CFT framework assessment — risk-based policies, CDD/EDD, transaction monitoring, and Travel Rule architecture

🔍 Custody architecture — for Category 3 applicants, verification of client asset segregation, key governance, and reconciliation controls

Capital, Prudential & AML Framework

Prudential Oversight, Mandatory Capital Requirements, and Integrated AML/Travel Rule Obligations — Across All Licensed Categories

The CMA applies a prudential regulatory model across all six licensing categories. Capital is a live ongoing obligation, not a one-time filing requirement. AML/CFT and Travel Rule obligations are mandatory for all VASPs and are integrated with the UAE's broader financial crime prevention framework.

Capital & Prudential Requirements

Category | Activity | Min. Capital
Cat 1 | Dealing as Principal | AED 4M
Cat 2 | Dealing as Agent | AED 3M
Cat 3 | Providing Custody | AED 1M
Cat 4 | Advisory & Arranging | AED 1M
Cat 5 | Portfolio Management | AED 1M
Cat 6 | MTF / Exchange | AED 500K

💰 Ongoing capital adequacy — not a one-time filing threshold

📈 Capital uplift applies where client assets are held

⚙️ Risk management and governance frameworks mandatory

🔢 Multi-activity firms face combined capital requirements

AML/CFT & Travel Rule Obligations

🛡️ Risk-Based AML Programme

🔄 Travel Rule Requirements

💡 AML/CFT and Travel Rule Frameworks Must Be Live at Final Licence Stage. The CMA assesses AML readiness before granting the final licence — frameworks must be operational, tested, and documented. Post-approval build-out is not acceptable to the CMA.

Supervisory Pillars — Conduct, Infrastructure, Governance

Five Core Supervisory Pillars — Conduct, Market Infrastructure, Cyber Resilience, Custody, and Fitness & Propriety

Beyond licensing and capital, the CMA applies active ongoing supervision across five core pillars. These are not documentation requirements — the CMA expects genuine operational readiness and real governance, not policy frameworks that exist only on paper.

📢 Conduct, Client Disclosure & Marketing

🏦 Market Infrastructure (ATS Module)

🔐 Cyber, Operational Resilience & Technology Governance

🔒 Custody & Client Asset Protection

👤 Fitness, Propriety & Governance

⚖️ Supervision, Returns & Enforcement

⚠️ The CMA’s Focus Extends Beyond Compliance Documents to Real Operational Resilience. Governance structures, cybersecurity frameworks, custody controls, and AML systems are assessed for genuine operational effectiveness — not just formal existence. The CMA expects to verify real systems, real controls, and real governance at every supervisory interaction.

What CRYPTOVERSE Legal Delivers

CMA Regulatory Strategy, Licensing Support, and Post-Authorisation Compliance — End to End

We translate the CMA virtual asset framework into board-grade licensing strategy, activity classification, capital planning, AML/Travel Rule implementation, governance architecture, custody design, and regulator-facing application packs — from initial structuring through to approval and go-live readiness.

🔍 CMA Regulatory Perimeter Analysis

We assess whether the proposed business model falls within the CMA's regulatory perimeter — mapping all proposed activities through the three-layer licensing structure to determine which VA activities are performed, how they are legally classified, and which licence categories apply before any strategy or capital commitment is made.

⚖️ Licensing Strategy & Activity Classification

We design the licensing strategy — advising on which categories are required, how combination models affect combined capital and compliance obligations, and how to structure the activity scope to manage supervisory intensity without triggering unnecessary capital or broader rulebook obligations than the business model actually requires.

💰 Capital & Prudential Planning

We model capital requirements for single and multi-category licensing structures — identifying the most capital-efficient combination, applying ongoing capital adequacy requirements and prudential overlays, and advising on capital uplift obligations where client assets are held or where combination models expand the prudential perimeter.

📂 Application Pack Drafting & Submission

We draft and manage the complete CMA application pack — regulatory business plans, governance documentation, financial projections, activity classification matrices, and all regulatory submissions from IPA through final licence approval. We manage all CMA review rounds and clarification requests.

🛡️ AML / Travel Rule Implementation

We design and implement AML/CFT frameworks and Travel Rule transaction information architectures tailored to the specific CMA categories in scope — covering risk-based policies, CDD/EDD, sanctions screening, transaction monitoring, STR procedures, counterparty VASP due diligence, and unhosted wallet controls.

🏛️ Governance & Compliance Frameworks

We design the governance architecture — board structures, senior management accountability, control function design, conflict management, client suitability frameworks, and the full compliance infrastructure required to satisfy the CMA's ongoing conduct, governance, and fit-and-proper obligations across all licensed categories.

🔒 Custody, Cyber & Operational Advisory

We design custody frameworks for Category 3 applicants — client asset segregation, private key governance, reconciliation architecture, and audit frameworks. We also advise on cybersecurity governance, technology risk management, business continuity planning, and ATS Module market infrastructure design for Category 6 operators.

🚀 Go-Live & Post-Authorisation Readiness

We build the post-authorisation compliance infrastructure so the business is ready for CMA supervision from day one. This includes finalising live AML systems, completing governance documentation, operationalising custody controls, and ensuring all licensed activities are operating within correctly scoped licence boundaries before operations commence.

From CMA Regulatory Perimeter Analysis Through to Licence Approval and Post-Authorisation Go-Live — Complete UAE VASP Regulatory Support

The CMA framework is federal, mandatory, activity-based, and fully operational. Your regulatory exposure is determined by what you actually do — not what you call yourself.

FAQs

Frequently Asked Questions — CMA UAE Crypto Regulation

Who regulates crypto in the UAE?

The Capital Market Authority (CMA) is the designated federal regulator for virtual assets across the UAE. This excludes the DIFC and ADGM financial free zones, which maintain separate independent regulatory frameworks under the DFSA and FSRA respectively. For any virtual asset activity conducted in or from the UAE mainland, the CMA is the competent licensing and supervisory authority.

Is CMA licensing mandatory?

Yes. A person may not carry on virtual asset activities in or from within the UAE unless licensed by the CMA. There is no de minimis threshold, no exemption for foreign firms serving UAE clients remotely, and no transitional period for new entrants. Operating without a CMA licence — or operating outside the scope of an existing licence — constitutes a regulatory breach subject to the CMA’s full enforcement powers, including penalties, directions, and public censure.

Are exchanges heavily regulated under the CMA framework?

Yes. Exchanges are regulated as market infrastructure under the CMA’s ATS Module — not merely as technology platforms. Category 6 (MTF/Exchange) carries the most extensive operational obligations of the six categories, including market surveillance systems, fair and orderly trading controls, transparency and reporting frameworks, and a formal rulebook and participant governance structure. Despite carrying the lowest minimum capital threshold (AED 500K), it demands the most extensive operational build-out. Additionally, any exchange that holds client assets must separately obtain Category 3 (Custody) authorisation — custody is not included in the Category 6 licence.

Does the CMA regulate marketing and client disclosures?

Yes. The CMA acts as a conduct regulator — not only a prudential one. Licensed entities must communicate in a clear, fair, and not misleading manner, provide appropriate disclosures to clients, and maintain proper client classification and suitability processes. All marketing must accurately reflect the risks of virtual asset products, disclose the firm’s regulatory status, and avoid misleading or exaggerated claims. Conduct and marketing obligations apply from the date of licence — they are ongoing supervisory requirements, not one-time filing matters.

Does the CMA regulate custody and cybersecurity?

Yes — both are core components of the CMA supervisory framework. Custody is a separately regulated activity under Category 3 — firms that hold client virtual assets, control client private keys, or administer client wallets must be specifically authorised for custody, regardless of what other licences they hold. Cybersecurity is a mandatory operational requirement across all categories — the CMA requires cybersecurity frameworks, operational risk controls, technology governance, and business continuity planning to be live and operational. The CMA’s focus extends beyond documented policies to real, tested operational resilience.
