TECHNOLOGY & INFORMATION RULEBOOK REQUIREMENTS UNDER VARA
Security you can prove: technology governance, key & wallet controls, TLPT, algorithm oversight, BCDR + 72-hour incident notices, PDPL-grade privacy, and confidential-information hygiene — all in one operating blueprint.
We translate Part I–III obligations — and the detailed Schedules — into policies, registers, playbooks, and evidence packs (tests, logs, attestations) that pass licensing and inspections.
SCOPE & CUMULATIVE APPLICATION (OVERVIEW)
The T&I Rulebook applies to all VARA-Licensed VASPs and adds to the Company, CRM, Market Conduct and activity rulebooks (see Introduction & Contents, pp. 1–4).
PART I — TECHNOLOGY GOVERNANCE, CONTROLS & SECURITY (PP. 5–15)
Technology Governance & Risk Assessment Framework (TGRAF).
Document a risk-based framework with policies, processes, QA, back-ups, capacity/performance, and availability testing; review and test periodically; align to international standards; appoint a CISO accountable for Parts I & III.
Cybersecurity Policy (CISO-owned).
Submit to VARA at licensing and on request; update at least annually; cover security, data classification, access, systems ops/availability, network & smart-contract security, client authentication/session controls, change-of-details checks, privacy, vendors, protocol updates, incident response (incl. ransomware), threat-intel sharing when in market’s interest, and hardware/infrastructure standards.
Other legal obligations.
TGRAF must reflect DESC Law No. (9) / 2022, UAE PDPL (45/2021) and any CBUAE cybersecurity requirements that apply.
Cryptographic keys & VA Wallets.
No single point of failure; separate backups; strict access lifecycle; quarterly access-removal audits; immediate revocation; logs of all key changes; client education on key safety.
Testing & audit — incl. TLPT.
Annual independent VA/PT (plus smart-contract audits where relevant); internal & external vulnerability audits on a cadence; evidence available to VARA. VARA may require Threat-Led Penetration Testing (TLPT) on live production for critical functions; external, accredited testers; scope may include third-party providers; full documentation & remediation plans to VARA.
VA transactions & tracing.
Implement controls against manipulation/collusion of automated systems and run DLT tracing on inbound/outbound transactions, with responses defined in AML/CFT policy (CRM cross-ref).
Algorithm governance (if using algos).
Board-level oversight of design, testing, deployment, monitoring; maintain documentation of logic, data, assumptions & bias management; ensure competent staffing.
BCDR & incident management.
Maintain and test an annual BCDR Plan (triggers, resources, recovery priorities, communications, integrity validation, alternate site, post-event upgrades).
CISO, staff competency & 72-hour notifications.
Appoint a CISO (distinct from CO; may combine with DPO); keep staff up-to-date on VA/DLT cyber risks; notify VARA within 72 hours of material cyber/BCDR events with scope, impact, and mitigations (plus cross-regulator notifications where applicable).
PART II — PERSONAL DATA PROTECTION (PP. 16–17)
Comply with all applicable DP laws.
Comply with all applicable DP laws in and outside UAE; control where data is stored/processed and how it is transferred.
Privacy programme & DPO.
Implement a written privacy compliance programme; appoint a DPO with appropriate competencies (may be the CISO).
VARA access & 24-hour notices.
Enable VARA access to information needed to assess Part II compliance; notify VARA within 24 hours after notifying a data regulator or data subject about a personal-data incident (unless prohibited by law).
PART III — CONFIDENTIAL INFORMATION (PP. 18+)
Protect client confidentiality.
Protect client confidentiality with policies, staff certification, and “need-to-know” access; never use or share confidential information for VA trading.
SCHEDULES — WHAT “GOOD” LOOKS LIKE (PP. 19–29)
- Schedule 1 (governance & risk): secure SDLC, workforce & infrastructure security, third-party standards; key generation/storage, wallet creation, multi-sig M > N/2, transaction verification, compromise response, audit logging (min retention), continuous detection/response, on-chain analysis, full secret rotation post-incident, customer MFA & withdrawal controls, wallet concentration risk, and a digital operational resilience testing programme (VA/PT, code review, scenario & performance testing).
- Schedule 2 (definitions): CISO, TLPT, TGRAF, BCDR, etc., for precise drafting.
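As an added illustration (not code from CRYPTOVERSE Legal or VARA), the check below turns three of the Schedule 1 key and wallet controls into a policy test a custody team can run against its own signer register: the multi-sig threshold must be a strict majority (M > N/2), no single holder or site may control enough keys to meet the threshold alone, and every signer's access must have been reviewed within the last quarter. The wallet and signer records are constructed for illustration.

```python
# Added example (not code from CRYPTOVERSE Legal or VARA): a policy check for a
# custody wallet against the Schedule 1 style controls summarised above.
# Wallet/signer records are constructed for illustration.
from datetime import date, timedelta

ACCESS_REVIEW_MAX_AGE = timedelta(days=90)  # quarterly access-removal audit


def check_wallet_policy(wallet, today):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    signers = wallet["signers"]
    n, m = len(signers), wallet["threshold"]
    # Schedule 1: M-of-N with M > N/2, so no minority of key holders can sign.
    if not (1 <= m <= n and 2 * m > n):
        findings.append(f"threshold {m}-of-{n} is not a strict majority")
    # No single point of failure: no one holder or site may hold M or more keys.
    for attr in ("holder", "location"):
        counts = {}
        for s in signers:
            counts[s[attr]] = counts.get(s[attr], 0) + 1
        for name, c in counts.items():
            if c >= m:
                findings.append(f"{attr} '{name}' controls {c} of {n} keys, "
                                f"enough to meet the {m}-key threshold alone")
    # Access lifecycle: every signer's access reviewed within the last quarter.
    for s in signers:
        if today - s["last_access_review"] > ACCESS_REVIEW_MAX_AGE:
            findings.append(f"signer {s['id']} access review overdue")
    return findings


def _signer(key_id, holder, location, reviewed):
    return {"id": key_id, "holder": holder, "location": location,
            "last_access_review": reviewed}

TODAY = date(2024, 3, 31)
# 2-of-4 with two keys at one site and one stale access review: fails.
WEAK_WALLET = {"threshold": 2, "signers": [
    _signer("k1", "ops-a", "DXB-1", date(2023, 12, 1)),
    _signer("k2", "ops-b", "DXB-1", date(2024, 3, 1)),
    _signer("k3", "ops-c", "AUH-1", date(2024, 3, 1)),
    _signer("k4", "ops-d", "LHR-1", date(2024, 3, 1))]}
# 3-of-4, each key with a distinct holder and site, reviews current: passes.
GOOD_WALLET = {"threshold": 3, "signers": [
    _signer("k1", "ops-a", "DXB-1", date(2024, 3, 1)),
    _signer("k2", "ops-b", "AUH-1", date(2024, 3, 1)),
    _signer("k3", "ops-c", "LHR-1", date(2024, 3, 1)),
    _signer("k4", "ops-d", "SIN-1", date(2024, 3, 1))]}
```

Calling `check_wallet_policy(WEAK_WALLET, TODAY)` returns three findings (non-majority threshold, a site holding a full quorum, and an overdue review), while the 3-of-4 wallet returns none; the findings list is the kind of evidence an inspection pack can carry.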
What CRYPTOVERSE Legal delivers
TGRAF & Cyber Policy stack
Board-approved TGRAF mapped to the risk categories; CISO charter; SOC runbooks; protocol-change monitoring; incident/RCA templates.
Keys & wallets
Key-ceremony scripts, access lifecycle (joiner/mover/leaver), multi-sig matrices, signer geo-distribution, rotation drills, and audit-ready logs.
Testing & TLPT
Annual VA/PT scopes, smart-contract audits, vendor inclusion, TLPT procurement and tester eligibility checks; remediation trackers; evidence packs.
BCDR & 72-hour notifications
Tabletop/testing calendar; joint comms with CRM; regulator notice templates.
Privacy & DPO
PDPL-aligned DPIAs, data-map & transfer registers; 24-hour VARA notice playbook.
Confidential-info hygiene
Policies, staff certifications, insider-use prohibitions, and monitoring.
FAQs
Do we need to appoint a CISO?
Yes. A CISO is mandatory for Parts I & III; the role must be independent from the CO (may combine with DPO).
When must VARA be notified of a cyber or BCDR event?
Material cyber or BCDR-trigger events: as soon as practicable and no later than 72 hours from detection, with full particulars and mitigation steps.
Can VARA require threat-led penetration testing?
VARA can. TLPT may cover critical/important functions on live production, using accredited external testers; full documentation and remediation plans must be provided.
Can the CISO also act as DPO?
Yes, explicitly permitted under Part II (as long as competencies are met).
What transaction-monitoring controls are expected?
DLT tracing for transactions, on-chain analysis for incidents/recovery, and continuous detection/response aligned to Schedule 1.