Licentium

Licensing Hub

United Arab Emirates

The UAE splits virtual-asset oversight between SCA federally, CBUAE for payment tokens, Dubai's VARA, ADGM FSRA and DIFC DFSA. Groups often need multi-regulator analysis.

Available licences

Federal SCA Virtual-Asset Authorization (Cabinet Resolution 111/2022)

Federal authorization or licence from the SCA (or competent local licensing authority) for virtual-asset activities in the UAE outside the financial free zones. Federal activities include operating or managing a virtual-asset platform, exchanging one or more virtual assets, transferring virtual assets, virtual-asset brokerage and custody/management/control of virtual assets. Applicant must have UAE domicile and an SCA/local-authority-approved legal form. Subject to fitness, technology, investor data, capital, guarantees, insurance, compliance, investor disclosures, AML, CFT, sanctions and cyber-incident notification standards. Federal administrative penalties up to AED 10 million.

CBUAE Payment Token Services Authorization

CBUAE authorization for payment token services: payment token issuance, conversion, custody and transfer. A payment token is a crypto-asset backed by one or more fiat currencies, digitally tradable and functioning as a medium of exchange. Fiat-backed tokens, stablecoins, payment tokens, remittance tokens, wallets holding payment tokens, merchant payment products, tokenised stored-value and DeFi payment applications fall within CBUAE rules. A VARA, SCA, FSRA or DFSA authorization does not automatically authorize payment-token issuance, conversion, custody, transfer, stored value, e-money, payment services or settlement.

VARA Virtual Asset Service Licence (Dubai)

VARA authorisation and licence required before carrying out any virtual-asset activity by way of business in Dubai (mainland and Dubai free zones, excluding DIFC). Activities: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing services, virtual-asset management and investment services, and transfer and settlement services. Custody covers safekeeping of virtual assets for or on behalf of another person; exchange covers VA/fiat, VA/VA, order matching and order book; transfer and settlement covers transmission, transfer or settlement between entities, accounts, wallets, addresses or locations. Anonymity-enhanced cryptocurrencies are prohibited. Compulsory rulebooks (company, compliance and risk management, technology and information, market conduct) apply, plus activity-specific rulebooks. Published fees: AED 40,000/80,000 (advisory, transfer & settlement); AED 100,000/200,000 (broker-dealer, custody, exchange, lending & borrowing, VA management, Category 1 VA issuance).

ADGM FSRA Virtual Asset Financial Services Permission

FSRA authorisation and Financial Services Permission for firms carrying on regulated activities in relation to virtual assets in or from ADGM. Uses an Accepted Virtual Asset framework: the authorised person must assess the virtual asset against FSRA criteria and notify FSRA before commencing the regulated activity in relation to that asset. Firms must maintain technology governance covering wallets, wallet creation and deployment, deletion, backup and recovery, public-key handling, origin and destination of funds, and misuse-risk controls.

ADGM Fiat-Referenced Token Framework (1 January 2026)

FSRA fiat-referenced token rules in force from 1 January 2026. An authorised person carrying on regulated activity involving fiat-referenced tokens must use only accepted fiat-referenced tokens approved by FSRA. Framework covers issuance, redemption, white paper, reserve assets, reserve segregation, stress testing, attestation, audit and holder-claim concepts. FSRA staking framework was finalised on 29 April 2026; staking products in or from ADGM should be reviewed under that framework.

DIFC DFSA Crypto Token Authorization

DFSA authorisation for financial services involving Crypto Tokens in or from the DIFC by way of business. From 12 January 2026 the DFSA removed the prescribed Recognised Crypto Token list and moved to a firm-led suitability assessment model; firms must assess whether a Crypto Token is suitable under DFSA rules and maintain documentation. DFSA-regulated firms must address governance, accountability, AML/CFT, custody, safeguarding, technology resilience, market conduct, disclosure and reporting. Public offers of Crypto Tokens in or from the DIFC, or admission to trading on an authorised market institution, require compliance with DFSA law and rules. Representative offices may not market Crypto Tokens; crowdfunding operators cannot facilitate Crypto Token investments.

DIFC Investment Token / Tokenised Securities Framework

DIFC has a separate Investment Token framework where a token represents a security, derivative or substantially similar rights. A tokenised share, debt token, fund token, derivative token, sukuk-like token, investment contract or other security-like token should not be treated as an ordinary Crypto Token without DFSA analysis. Federal SCA rules (Cabinet Resolution 111/2022) and ADGM rules similarly distinguish tokenised securities and digital securities from ordinary virtual assets; ADGM and DIFC have separate investment-token and security-token regimes.

Detailed overview

United Arab Emirates: SCA, CBUAE, VARA, FSRA and DFSA Frameworks

Regulators

The UAE has several digital-asset regulators. The correct regulator depends on location, token type and activity.

The Securities and Commodities Authority regulates virtual-asset activity under the federal framework outside the financial free zones, subject to local licensing authorities. The Central Bank of the UAE regulates payment tokens, stored value, payment services, payment systems and payment-related digital finance. Dubai’s Virtual Assets Regulatory Authority regulates virtual assets in Dubai, including Dubai mainland and Dubai free zones, but excluding the DIFC. Abu Dhabi Global Market is regulated by the Financial Services Regulatory Authority. The Dubai International Financial Centre is regulated by the Dubai Financial Services Authority.

The UAE should therefore not be analysed as a single crypto licence jurisdiction. A group may need separate analysis under SCA, CBUAE, VARA, FSRA and DFSA rules.

Federal UAE and SCA framework

Cabinet Resolution No. 111 of 2022 regulates virtual assets and virtual-asset service providers at federal level.

The Resolution applies to the UAE virtual-asset sector, including free zones, but does not apply to financial free zones. It also does not apply to digital securities and digital commodities governed by SCA regulations, or to virtual assets used for payment, including stored-value facilities, that fall within CBUAE competence.

A virtual asset is a digital representation of value that can be traded or transferred digitally and used for investment. Digital representations of paper currencies, securities and other funds are excluded.

A virtual-asset service provider is a legal person that carries out one or more virtual-asset activities or operations for the benefit of, or on behalf of, another person. This includes platform operators, brokers and custodians.

No person may conduct virtual-asset activities in the UAE unless approved or licensed by the SCA or the competent local licensing authority. The applicant must have UAE domicile and a legal form approved by the SCA or local licensing authority.

Federal licensable virtual-asset activities include operating or managing a virtual-asset platform, exchanging one or more virtual assets, transferring virtual assets, virtual-asset brokerage, and custody, management or control of virtual assets.

Federal compliance and penalties

Federal virtual-asset businesses must satisfy licensing and supervision standards covering fitness, technology systems, investor data, capital, guarantees, insurance, compliance, investor disclosures, AML, CFT, sanctions and cyber incident notification.

Virtual-asset service providers must comply with UAE AML and CFT legislation and FATF-aligned obligations.

Federal administrative penalties can include warning, suspension, licence cancellation, closure of headquarters and fines up to AED 10 million. Cabinet Resolution No. 99 of 2024 provides the current federal administrative penalty schedule for breaches of Cabinet Resolution No. 111 of 2022.

CBUAE payment tokens and stablecoins

Payment tokens and stablecoins require separate CBUAE analysis.

The UAE dirham is the UAE’s official currency. The 2025 Central Bank law includes virtual-asset payment tokens and digital financial infrastructure within the possible scope of licensed financial activities where they are used in connection with payments, deposits, credit, money exchange, remittance, investment services or other licensed financial activity.

The CBUAE Payment Token Services Regulation covers payment token services. Official CBUAE rulebook materials identify payment token services as digital payment services in the UAE, including payment token issuance, conversion, custody and transfer. A payment token is a crypto-asset backed by one or more fiat currencies, digitally tradable and functioning as a medium of exchange.

A fiat-backed token, stablecoin, payment token, remittance token, wallet holding payment tokens, merchant payment product, tokenised stored-value product or DeFi payment application should be reviewed under CBUAE rules before launch.

A VARA, SCA, FSRA or DFSA authorization does not automatically authorize payment token issuance, payment token conversion, payment token custody, payment token transfer, stored value, e-money, payment services or settlement activity.

Dubai and VARA

VARA regulates virtual assets across Dubai mainland and Dubai free zones, excluding the DIFC.

A person may not carry out any virtual-asset activity by way of business in Dubai, or purport to do so, unless authorised or licensed by VARA, unless an exemption applies.

All entities wishing to carry out virtual-asset activities in Dubai must seek VARA authorisation before commencing the activity and must obtain and maintain a licence for each virtual-asset activity.

Anonymity-enhanced cryptocurrencies are prohibited in Dubai.

VARA activities

VARA-regulated activities include advisory services, broker-dealer services, custody services, exchange services, lending and borrowing services, virtual-asset management and investment services, and transfer and settlement services.

Custody covers safekeeping virtual assets for or on behalf of another person and acting only on verified instructions.

Exchange covers virtual asset to fiat, virtual asset to virtual asset, order matching and order-book activity.

Transfer and settlement covers transmission, transfer or settlement of virtual assets from one entity, account, wallet, address or location to another.

Virtual-asset management and investment can include management, administration or disposition of virtual assets, including staking where carried out to earn fees or rewards for or on behalf of another person.

A Dubai exchange, broker, custodian, lender, manager, adviser, transfer service or token issuer should identify every VARA activity it performs. Multiple permissions may be required.

VARA rulebooks and fees

All VARA-licensed VASPs must comply with the compulsory rulebooks. These cover company, compliance and risk management, technology and information, and market conduct.

A VASP must also comply with each activity-specific rulebook relevant to its services.

VARA’s published fee schedule lists application and annual fees by activity. Advisory and transfer and settlement services have a published application fee of AED 40,000 and annual fee of AED 80,000. Broker-dealer, custody, exchange, lending and borrowing, virtual-asset management and investment, and Category 1 virtual-asset issuance have a published application fee of AED 100,000 and annual fee of AED 200,000.

VARA may impose additional fees or conditions. Rulebook versions should be checked immediately before filing.

VARA registration is not a licence. Large proprietary traders can be subject to mandatory registration where their virtual-asset volume exceeds the specified threshold, but registration does not authorize regulated VASP activity.

ADGM and FSRA

ADGM has a separate FSRA virtual-asset framework.

A firm that carries on regulated activities in relation to virtual assets in or from ADGM must be authorised by the FSRA and must hold the relevant Financial Services Permission.

ADGM uses an Accepted Virtual Asset framework. An authorised person must assess the virtual asset against FSRA criteria and notify FSRA before commencing regulated activity in relation to that virtual asset. If FSRA does not direct otherwise, the authorised person may treat the notified virtual asset as an Accepted Virtual Asset and commence the activity, subject to continuing obligations.

ADGM firms must maintain technology governance and controls covering wallets, wallet creation and deployment, deletion, backup and recovery, public-key handling, origin and destination of funds, misuse-risk controls and other virtual-asset operational risks.

An ADGM exchange, broker, custodian, MTF, investment manager, staking service, transfer service or wallet provider should identify the regulated activity, obtain FSRA authorisation and satisfy accepted-asset, custody, technology, AML and governance requirements.

ADGM fiat-referenced tokens and staking

ADGM has a fiat-referenced token framework. The FSRA rules for fiat-referenced tokens came into force on 1 January 2026.

An authorised person carrying on regulated activity involving fiat-referenced tokens must use only accepted fiat-referenced tokens approved by FSRA.

ADGM’s fiat-referenced-token framework includes issuance, redemption, white paper, reserve assets, reserve segregation, stress testing, attestation, audit and holder-claim concepts.

FSRA finalised a regulatory framework for staking of virtual assets on 29 April 2026. A staking product offered in or from ADGM should be reviewed under that framework before launch.

DIFC and DFSA

DIFC has a separate DFSA Crypto Token framework.

A person conducting financial services involving Crypto Tokens in or from the DIFC by way of business must be authorised by the DFSA. The firm’s licence specifies the financial services and the investments or tokens in relation to which those services may be provided.

From 12 January 2026, the DFSA removed the prescribed Recognised Crypto Token list and moved to a firm-led suitability assessment model. Firms must assess whether a Crypto Token is suitable under DFSA rules and maintain documentation supporting that assessment.

DFSA-regulated firms dealing with Crypto Tokens must address governance, accountability, AML, CFT, custody, safeguarding, technology resilience, market conduct, disclosure and reporting.

Representative offices may not market Crypto Tokens. Crowdfunding operators cannot operate a crowdfunding platform that facilitates Crypto Token investments. Retail clients trigger additional obligations, including appropriateness assessment and restrictions on incentives.

DIFC public offers and trading admission

A person may not make an offer of Crypto Tokens to the public in or from the DIFC or have Crypto Tokens admitted to trading on an authorised market institution except as provided under DFSA law and rules.

DIFC token offerings, exchange listings, MTF activity, custody, brokerage, funds, derivatives, investment management and advisory activity require classification under the DFSA framework.

Investment Tokens and tokenised securities

DIFC has a separate Investment Token framework. A token can be an Investment Token where it represents a security, derivative or substantially similar rights.

A tokenised share, debt token, fund token, derivative token, sukuk-like token, investment contract or other security-like token should not be treated as an ordinary Crypto Token without DFSA analysis.

ADGM and UAE federal rules also distinguish tokenised securities and digital securities from ordinary virtual assets. Cabinet Resolution No. 111 of 2022 excludes digital securities and digital commodities governed by SCA regulations. ADGM and DIFC have separate investment-token and security-token regimes.

AML and CFT

AML and CFT obligations apply across all UAE digital-asset regimes.

Federal rules require virtual-asset service providers to comply with AML and CFT legislation and FATF-aligned obligations.

VARA is the designated supervisory authority for AML in Dubai for VASPs and virtual-asset activities. VARA-licensed VASPs must comply with UAE federal AML and CFT laws and VARA rulebook requirements.

ADGM and DIFC firms must comply with the AML, sanctions and financial-crime requirements in the FSRA and DFSA frameworks.

A UAE virtual-asset business should maintain customer due diligence, beneficial-owner checks, sanctions screening, wallet screening, blockchain analytics or equivalent transaction monitoring, source-of-funds controls, high-risk jurisdiction controls, suspicious-activity reporting, travel-rule systems where applicable, transaction surveillance and cyber incident procedures.

Offshore platforms and UAE targeting

An offshore platform should not assume that offshore incorporation avoids UAE regulatory exposure.

A platform that targets UAE users, markets into Dubai, uses UAE payment rails, opens local offices, uses local agents, offers UAE-dirham fiat rails, promotes services in the UAE or provides services in or from ADGM or DIFC may trigger one or more UAE regulatory regimes.

The correct answer depends on Emirate, free-zone status, customer location, token type and activity.

Regulatory outlook

The UAE is a multi-regime digital-asset jurisdiction.

Outside financial free zones, federal SCA rules and local licensing authorities apply, with CBUAE handling payment tokens and payment services.

Dubai outside DIFC is regulated by VARA.

ADGM is regulated by FSRA.

DIFC is regulated by DFSA.

New entrants should first map location and token classification, then identify every regulated activity. The most important classification questions are whether the product is a virtual asset, payment token, fiat-referenced token, Crypto Token, Investment Token, security token, derivative, digital security, stablecoin, stored-value product or CBDC-related instrument.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started