Chapters in this guide
16
Virtual assets, and equivalent terms, are defined throughout the UAE’s regulatory landscape. However, the definitions and classifications materially differ among the federal regulators, such as the Securities and Commodities Authority (SCA) and the Central Bank of the UAE (Central Bank), the financial free zones of the Abu Dhabi Global Market (ADGM) and Dubai International Financial Centre (DIFC), and the specialised Dubai regulator, the Virtual Assets Regulatory Authority (VARA).
The SCA defines a “virtual asset” as the digital representation of the value of a property that can be digitally traded or transferred and used for investment purposes, excluding paper currencies, securities, or other funds. This broad definition captures most categories of cryptoassets, except those falling within the Central Bank’s remit. The Central Bank, by contrast, regulates payment tokens, including stablecoins, that function as means of payment under its Stored Value Facilities and Payment Token Services regulations. Under the Payment Token Services Regulation (PTSR), the issuance of and services related to algorithmic stablecoins and privacy tokens are expressly prohibited, and such instruments cannot be promoted or offered within the UAE.
Under Dubai Law No. 4 of 2022, VARA adopts the term “virtual asset” and introduces a detailed classification system encompassing fiat-referenced virtual assets (FRVAs) and asset-referenced virtual assets (ARVAs). VARA does not permit AED-pegged FRVAs, as the Central Bank retains exclusive authority over the national currency.
The ADGM follows a similar approach, defining virtual assets as digitally transferable mediums of exchange, units of account, and/or representations of value. Its framework excludes algorithmic stablecoins and privacy tokens and evaluates non-fungible tokens (NFTs) based on their function, specifically, whether they exhibit the features of regulated financial instruments. Within the DIFC, the Dubai Financial Services Authority (DFSA) distinguishes between “recognised crypto tokens” and “excluded tokens”, restricting regulated activities to the former, while treating NFTs and utility tokens as excluded unless they resemble regulated investments.
In summary, the UAE’s regulatory approach to defining cryptoassets, generally referred to as “virtual assets”, centres on three key attributes: their nature as a digital representation of value; their capacity for electronic transfer; and their potential use as an investment, exchange, or payment instrument. The UAE’s regulators apply a risk-based and function-based framework, leading to differentiated oversight for stablecoins, especially those referencing assets or operating as payment tokens, near-uniform prohibitions on algorithmic stablecoins and privacy tokens, and a context-specific treatment of NFTs depending on whether they function as regulated financial instruments.
The UAE regulates cryptoassets through a layered system combining federal legislation with the distinct frameworks of its financial free zones. At the federal level, Cabinet Resolution No. 111 of 2022 designated the Securities and Commodities Authority (SCA) as the lead federal regulator for cryptoassets. With effect from 1 January 2026, the SCA was reconstituted as the Capital Market Authority (CMA) under new Federal Decree Laws, which expanded its mandate to encompass all virtual assets and their related service providers. The CMA’s primary implementing regulation is now Decision No. 4/R.M/2026, issued on 13 February 2026, which supersedes Chairman Resolution No. 26/R.M of 2023 in its entirety and consolidates the federal licensing framework into a single comprehensive rulebook.
The Central Bank complements this regime for payment tokens and stablecoins via the Stored Value Facilities Regulation (2020) and the PTSR (2023). Among other requirements with regard to issuance and custody, the PTSR prohibits the issuance of, and services relating to, algorithmic stablecoins and privacy tokens, and restricts their promotion.
All entities engaging in cryptoasset activities must also comply with Federal Decree-Law No. 20 of 2018 on Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT), as well as its executive regulations, namely, Cabinet Decision No. 10 of 2019 (as amended), which embed FATF standards (including the Travel Rule) into the UAE framework, with supervisory mapping in VARA’s rulebooks.
At the emirate level, Dubai Law No. 4 of 2022 established VARA as an independent regulator for Dubai (outside the DIFC). VARA’s 2023 Virtual Assets & Related Activities Regulations and 2024 Marketing Regulations set out licensing requirements for virtual asset service providers (VASPs), including specific rules for exchange, custody, and brokerage activities, as well as regulations governing the marketing of virtual assets.
In the ADGM, the Financial Services Regulatory Authority (FSRA) regulates cryptoasset activities under the Financial Services and Markets Regulations 2015 (FSMR), supported by the Conduct of Business Rulebook and the Guidance on Virtual Asset Activities. These regulations cover fiat-referenced tokens, licensing for exchanges and custodians, and a developing regime for staking services.
Within the DIFC, the DFSA’s Crypto Token Regime (GEN and COB) distinguishes “recognised crypto tokens” from excluded or prohibited categories, with privacy and algorithmic tokens explicitly prohibited and regulated activities limited to recognised tokens.
The UAE adopts a function-based and technology-neutral approach to regulating cryptoassets, meaning that assets are governed according to their legal and economic characteristics rather than the technology underlying them. This principle ensures that comparable activities receive consistent treatment across federal and free-zone frameworks, even when the underlying digital instruments differ in design.
Virtual assets
Traditional cryptocurrencies are generally regulated as “virtual assets”. Onshore, the SCA and Dubai’s VARA require licensing for all related service activities, including exchange, custody, and brokerage. Within the financial free zones, both the ADGM and the DIFC require providers to obtain a Financial Services Permission (FSP) before engaging in virtual asset activities. The DFSA permits dealings only in “recognised crypto tokens”, while the FSRA in the ADGM classifies cryptocurrencies as regulated instruments subject to prudential and conduct standards.
Stablecoins and payment tokens
Stablecoins receive dedicated treatment due to their money-like function. The Central Bank holds exclusive authority over “payment tokens”, including stablecoins pegged to the UAE dirham, regulating them under the Stored Value Facilities and Payment Token Services frameworks. VARA similarly regulates FRVAs and ARVAs, and coordinates oversight with the Central Bank. In the ADGM and DIFC, fiat-pegged tokens are recognised as “fiat crypto tokens” or their equivalents and are subject to specific capital, reserve, and governance requirements distinct from those applied to general virtual assets.
Security or investment tokens
Where a digital asset meets the legal definition of a security or investment token, it is regulated under the relevant securities regime. The SCA, DFSA and FSRA all apply a substance-over-form principle, ensuring tokenised securities are treated consistently with traditional instruments that confer ownership, profit participation, or voting rights.
Notably, following VARA’s 2025 updates, Dubai now provides explicit rules for tokenised real-world assets (RWAs) under its ARVA framework. This regime permits the issuance and secondary trading of tokens backed by RWAs, such as real estate, commodities, or revenue streams, subject to strict licensing, disclosure, reserve, and audit requirements. Issuers must hold a Category 1 Issuance Licence, maintain segregated reserve assets, meet minimum capital thresholds, and provide detailed whitepaper disclosures.
NFTs and utility tokens
The treatment of NFTs and utility tokens depends on their function. Where these tokens represent genuine collectibles, artistic works, or access rights for consumption, they are generally unregulated. However, they fall within the regulatory perimeter if they display characteristics of securities, investment products, or payment instruments, for instance, when used for fundraising, financial returns, or secondary market trading.
In Dubai, entities operating NFT or utility token businesses may obtain licences through the Dubai Multi Commodities Centre, which offers activity categories such as NFTs E-Marketplaces or Distributed Ledger Technology Services. These are commercial licences rather than prudential authorisations. Where activities fall within VARA’s regulatory scope, such as virtual asset custody, brokerage, or large-scale proprietary trading, firms must also obtain a VARA licence or a No-Objection Certificate and comply with the VARA Marketing Regulations 2024. In the DIFC, the DFSA treats NFTs and utility tokens as excluded tokens, outside its Crypto-Token Regime, although AML and marketing requirements may still apply.
Prohibited assets
All major UAE regulators, namely, the Central Bank, VARA, ADGM and DIFC, maintain a unified position, prohibiting the issuance or dealing of algorithmic stablecoins and privacy tokens. These prohibitions reflect broader concerns around transparency, consumer protection, and financial stability, and form part of the UAE’s commitment to aligning its frameworks with international best practices.
At the federal level, the CMA (formerly the SCA, reconstituted on 1 January 2026) now licenses VASPs under Decision No. 4/R.M/2026, issued on 13 February 2026, which supersedes Chairman’s Decision No. 26/R.M of 2023 and operates pursuant to Cabinet Resolution No. 111 of 2022. Decision No. 4/R.M/2026 introduces a three-module rulebook spanning eight distinct licensed activity categories with minimum capital requirements ranging from AED 500,000 to AED 4,000,000. These activities include:
- dealing as principal;
- dealing as agent;
- providing custody;
- arranging custody;
- operating a multi-party trading platform;
- providing investment advice; portfolio management; and
- arranging investment transactions.
The decision imposes hard prohibitions on privacy tokens, algorithmic tokens, and organised trading facilities for crypto, and sets compliance transition deadlines running from its effective date. The Central Bank continues to regulate payment token and stablecoin providers under the Stored Value Facilities Regulation (2020) and PTSR (2023), which likewise prohibit algorithmic stablecoins and privacy tokens.
In Dubai, VARA operates a staged licensing regime, with activity-specific rulebooks for custody, exchange, lending, and issuance. Its 2025 Rulebook Version 2.0 strengthened requirements on governance, capital, and market surveillance. Mandatory enforcement of VARA’s licensing regime was highlighted on 7 October 2025 when the regulator fined 19 firms up to AED 600,000 for unlicensed operations and marketing breaches, reaffirming its strict enforcement stance.
In the ADGM, the FSRA licenses virtual asset businesses under the FSMR, while in the DIFC, the DFSA authorises firms dealing in recognised crypto tokens under its Crypto Token Regime.
Overall, licensing is mandatory across all UAE regimes, with a consistent emphasis on AML/CFT compliance, capital adequacy, governance, and investor protection.
Yes, the promotion and marketing of cryptoassets in the UAE are strictly regulated to prevent misleading communications and ensure only authorised entities market virtual assets.
In Dubai, VARA’s Regulations on the Marketing of Virtual Assets and Related Activities 2024 apply to all promotions conducted in or from the emirate, including online and event marketing. Only licensed VASPs may advertise directly or authorise others to do so, and all materials must carry prescribed disclosures and risk warnings. Crypto event promotions, such as booths, giveaways, or NFT activations, also require prior approval from VARA.
Influencer activity is expressly covered. Paid promoters and social media personalities may only advertise for a VARA-licensed VASP, must clearly disclose sponsorship, and require a valid media licence under federal rules. Several Dubai-based influencers have been fined for unlicensed promotions, reflecting VARA’s active enforcement.
At the federal level, the SCA applies its financial promotion regime to virtual assets, while the Central Bank prohibits the promotion of payment tokens unless the issuer is licensed. In the ADGM and DIFC, the FSRA and DFSA similarly restrict crypto promotions to authorised firms.
Custody of cryptoassets is regarded as a high-risk regulated activity across all UAE jurisdictions and is subject to strict licensing, prudential, and technological standards aimed at protecting client assets. Regulators consistently require asset segregation, robust cybersecurity, and compliance with AML and CFT obligations.
At the federal level, the SCA regulates virtual asset custody under Cabinet Resolution No. 111 of 2022, which requires service providers to obtain a VASP licence, maintain full segregation of client assets from proprietary holdings, and implement advanced cybersecurity and private-key management systems.
Custody in Dubai is licensed under VARA’s activity-based regime and governed by the Custody Services Rulebook. Core requirements include independent governance, documented hot/cold storage policies, rigorous private-key generation and backup practices, multi-signature where appropriate (which VARA may mandate), incident and compromise procedures, reconciliation and record-keeping, client-by-client wallet segregation, where staking from custody is offered, and detailed client agreements and disclosures.
In the free zones, both the ADGM and the DIFC treat custody as a regulated financial service. The FSRA in the ADGM requires an FSP, focusing on technology risk management and client asset reconciliation. The DFSA similarly mandates segregation of client assets, governance and capital adequacy standards, and clear disclosure of custodial risks.
Across all regulations, custodianship remains one of the most tightly supervised virtual asset activities in the UAE.
AML and CFT obligations apply fully to the virtual asset sector in the UAE, treating VASPs as regulated entities. Compliance is mandatory under Federal Decree-Law 20/2018 and Cabinet Decision 10/2019 and enforced across onshore and the financial free zones. Reporting is conducted via the Financial Intelligence Unit’s (FIU) goAML platform.
The principal legal foundation is Federal Decree-Law No. 20 of 2018 and its Executive Regulations, which require all VASPs to implement a risk-based approach to financial crime prevention. Firms must conduct robust know-your-customer and customer due diligence checks, including verification of the ultimate beneficial owner. Each VASP must appoint a qualified Money Laundering Reporting Officer resident in the UAE and promptly submit suspicious transaction reports to the FIU via the goAML platform.
A key crypto-specific requirement is compliance with the FATF Travel Rule. This applies to all virtual asset transfers exceeding AED 3,500, whether crypto-to-crypto or crypto-to-fiat. Originating VASPs must obtain and transmit accurate identifying information on both the sender and beneficiary to the receiving institution. In line with this, all UAE regulators prohibit the licensing or use of privacy tokens or anonymity-enhanced cryptocurrencies, as they conflict with the transparency standards required by the Travel Rule.
VASPs must also implement technological and sanctions controls, including real-time transaction monitoring, blockchain analytics to detect suspicious activity, sanctions screening of all clients and wallet addresses, and record-keeping for at least five years. Collectively, these measures ensure that virtual asset activities meet the same AML/CFT standards applied to the traditional financial sector.
The UAE recognises ownership of cryptoassets through a combination of statutory, property, and contractual principles, with the most detailed guidance found in the financial free zones. At the federal level, Cabinet Resolution No. 111 of 2022 and the SCA rules acknowledge that virtual assets can be owned, transferred, and used as objects of value, with ownership generally linked to control of private keys or contractual rights.
The clearest statutory definition arises from the DIFC under the Digital Assets Law (Law No. 2 of 2024), which classifies digital assets, including crypto tokens, as a form of intangible property, neither a “thing in possession” nor a “thing in action”. The law establishes detailed provisions governing control, transfer of title, and the creation of security interests over digital assets. It also introduces a legal presumption of control, whereby the person or entity with access to the private keys is presumed to hold superior legal title. In the ADGM, which follows English common law, virtual assets are similarly recognised as property in line with international jurisprudence.
Ownership may be exercised directly or indirectly. In self-custody arrangements, the holder of the private keys possesses both legal title and control. In custodial arrangements, the licensed custodian controls the private keys, but the client retains beneficial ownership. To safeguard these rights, all major regulators, the SCA, VARA, DFSA and FSRA, require strict segregation of client assets from proprietary funds, ensuring that client holdings are protected in the event of insolvency.
Collectively, these measures provide legal certainty for virtual asset ownership in the UAE, recognising digital assets as transferable property while reinforcing client protection through mandatory segregation, fiduciary duties, and clear custody frameworks.
The UAE regulates Decentralised Autonomous Organisations (DAOs) through a mix of dedicated and functional approaches, depending on the jurisdiction. The ADGM offers the only purpose-built framework under the Distributed Ledger Technology (DLT) Foundations Regulations 2023. This regime allows a DAO to obtain legal personality as a DLT Foundation, an ownerless entity capable of holding assets, entering contracts, and being sued or suing in its own name. The structure supports decentralised governance through smart contracts and token-based voting while imposing basic prudential obligations, including a minimum initial asset value of approximately USD 50,000 and annual audit requirements.
Ras Al Khaimah is also developing a dedicated framework for DAOs through its DAO Association Regime (DARe) within the emirate’s Web3-focused free zone established under RAK Law No. 2 of 2023. Introduced in October 2024, the regime would provide a legal wrapper known as a DAO Association, offering limited liability and legal recognition for decentralised projects. As of writing, the framework features tiered structures, including Startup DAO Associations for smaller treasuries and Alpha DAO Associations for larger, more mature organisations, with the aim of supporting compliant DAO formation and on-chain governance within a regulated environment.
Elsewhere in the UAE, including under VARA and the SCA, DAOs are regulated functionally according to the activities they perform. If a DAO undertakes a regulated virtual asset activity, such as exchange operation, custody, or issuance, it must obtain the relevant VASP licence. Because licensing requires a legal entity, DAOs must establish a legal wrapper, such as a company or foundation, and appoint responsible individuals to meet AML/CFT and governance obligations.
DAOs are not prohibited in the UAE but must operate through a legally recognised structure. In practice, projects either adopt the ADGM DLT Foundation model or use a hybrid arrangement combining a regulated entity with decentralised governance.
The UAE does not have a crypto-specific insolvency regime. Instead, general insolvency laws apply depending on the jurisdiction of incorporation. Onshore entities are governed by Federal Decree-Law No. 51 of 2023 Promulgating the Financial and Bankruptcy Law, while VASPs established in the financial free zones fall under the DIFC Insolvency Law No. 1 of 2019 or the ADGM Insolvency Regulations 2015 (as amended).
The primary safeguard for clients in the event of a VASP insolvency lies in the mandatory asset segregation, or ring-fencing, requirements imposed by all UAE regulators. Under VARA’s Custody Services Rulebook and equivalent provisions of the SCA, DFSA and FSRA, licensed custodians must maintain complete separation between client virtual assets and their own proprietary holdings. These frameworks clarify that client assets held in custody are not liabilities or property of the VASP, ensuring that they do not form part of the insolvent estate and are protected from general creditor claims.
Further legal certainty is provided by recent developments in the financial free zones. The DIFC Digital Assets Law 2024 classifies digital assets as intangible property and codifies the concept of “control”, reinforcing clients’ ownership rights. DIFC courts have also recognised Bitcoin as “property” under DIFC law, enabling practitioners to apply segregation principles effectively during insolvency.
Together, these measures ensure that client-held virtual assets remain off-balance sheet and can be efficiently returned, avoiding the prolonged outcomes seen in jurisdictions lacking clear crypto-specific asset protections.
Smart contracts are generally enforceable in the UAE, provided they meet the essential requirements of contract formation. The country adopts a technology-neutral approach, supported by explicit statutory recognition within the financial free zones, particularly the DIFC.
At the federal level, enforceability is determined by the traditional principles of the Federal Civil Transactions Law (Civil Code), which require offer and acceptance, lawful subject matter, and the legal capacity of the parties. A smart contract is therefore valid if it demonstrates mutual consent and clear obligations. Complementing this, Federal Law No. 46 of 2021 on Electronic Transactions and Trust Services affirms the legal validity of electronic records and signatures, confirming that digital code may constitute a binding agreement and admissible evidence if it reflects genuine intent.
Within the free zones, more specific legal clarity exists. The DIFC Digital Assets Law 2024 amends the DIFC Contracts Law to recognise “coded contracts”, agreements composed wholly of coded terms that self-execute via computer programs, marking the first express statutory acknowledgment of pure smart contracts in the region. In the ADGM, the Electronic Transactions Regulations 2021 and the FSRA’s technology-neutral framework similarly uphold the enforceability of blockchain-based and electronic agreements, provided common-law standards of intent and certainty are satisfied.
In practice, many parties adopt hybrid structures: the code automates performance, while a written agreement defines liability, remedies, and governing law. Together, these frameworks confirm that smart contracts in the UAE are legally binding and recognised as valid electronic agreements.
Victims of cryptoasset fraud in the UAE have access to both criminal and civil recourse, supported by active regulatory oversight and a maturing judicial framework tailored to digital assets.
At the federal level, crypto-related fraud and deception are prosecuted under Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes and the Federal Penal Code. These laws criminalise digital misrepresentation, unauthorised appropriation, and fraudulent schemes. Victims may file complaints directly with the Public Prosecution or the Police. Where the fraud involves a licensed virtual asset firm, complaints can also be submitted to the relevant regulator, such as VARA, the SCA, FSRA or DFSA, which may investigate, impose fines, or suspend or revoke licences in coordination with judicial authorities.
Civil remedies are also well developed. The DIFC courts, through the Digital Economy Court (DEC) established under Part 58 of the Rules of the DIFC courts, provide a specialised forum for digital asset disputes, including fraud, tracing, and misrepresentation. Courts across the UAE, both onshore and in the free zones, routinely grant interim measures such as precautionary attachments or injunctions to freeze crypto wallets and compel disclosure from exchanges. Blockchain forensic experts are often appointed to assist in asset tracing.
Recent Dubai court rulings have confirmed that cryptocurrencies are judicially recognised assets, permitting recovery in kind or, where not possible, compensation based on market value. Combined with mandatory asset segregation rules for licensed VASPs, these measures provide strong protection and recovery avenues for victims of crypto-related fraud.
The UAE offers one of the most favourable tax environments globally for cryptoassets, characterised by zero personal taxation, competitive corporate tax rates, and clear value added tax (VAT) treatment.
For individuals, there is no personal income tax or capital gains tax. Profits from crypto trading, investment, or the holding of digital assets are entirely tax-free, regardless of value or frequency. Similarly, rewards earned from personal mining or staking are not subject to income tax, provided the activity is undertaken in a non-commercial capacity.
For businesses, crypto-related revenues fall under the Federal Corporate Tax Law, which imposes a 9% tax on net taxable profits exceeding AED 375,000, with profits below this threshold taxed at 0%. The regime applies to VASPs, exchanges, trading desks, and commercial mining operations. Companies established in designated free zones may qualify for a 0% corporate tax rate if they meet the criteria of a Qualifying Free Zone Person (QFZP) and derive income from “qualifying activities”, typically involving non-mainland transactions.
For VAT (5%), the transfer and conversion of virtual assets (crypto-to-crypto or crypto-to-fiat) are VAT-exempt under Cabinet Decision 100/2024 and FTA Public Clarification VATP040, with retroactive effect from 1 January 2018. However, service fees (e.g. brokerage, advisory, custody) remain subject to VAT. Crypto mining is not covered by the exemption (VATP039); its VAT treatment depends on whether a taxable supply for consideration exists (commercial mining services may be taxable).
These rules collectively position the UAE as a highly competitive jurisdiction for crypto investors and operators, aligning the treatment of virtual assets with that of traditional financial instruments.
The UAE imposes a comprehensive data privacy and cybersecurity framework on cryptoasset firms, combining federal data protection laws with sector-specific technical standards for VASPs. These rules ensure that user data, digital wallets, and transaction systems are governed by strict security and compliance oversight.
At the federal level, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) forms the cornerstone of privacy regulation. It requires lawful and transparent processing, purpose limitation, and the protection of data integrity and confidentiality. VASPs must appoint a Data Protection Officer where required under the PDPL or by their competent regulator. Within the financial free zones, the DIFC Data Protection Law No. 5 of 2020 and the ADGM Data Protection Regulations 2021, both modelled on the General Data Protection Regulation, establish equivalent standards, including data-subject rights such as access, erasure, and portability, restrictions on cross-border transfers, and mandatory breach notifications which in the ADGM is within 72 hours and as soon as practicable in the DIFC.
Cybersecurity obligations are equally robust. In Dubai, VARA’s Technology and Information Rulebook (2025) requires VASPs to appoint a Chief Information Security Officer, to maintain a comprehensive Technology Governance and Risk Framework, and to implement advanced key-management solutions such as multi-signature or multi-party computation (MPC) systems. Regular independent penetration testing, business continuity, and disaster recovery planning are mandatory. The FSRA in the ADGM and the DFSA in the DIFC impose comparable controls under their respective rulebooks, including technology audits, cybersecurity governance, and client asset protection measures.
The UAE regulates decentralised finance (DeFi) under a function-based approach, meaning that any activity resembling a financial service is subject to regulation regardless of whether it is operated through decentralised protocols. The focus is on the identifiable “touchpoint”, such as a VASP, platform operator, or user-facing interface, which facilitates the service.
In Dubai, VARA governs staking through provisions within its Custody Services Rulebook. Licensed VASPs may offer staking only when expressly authorised and on written client instruction. They must maintain full asset segregation and provide transparent risk disclosures. In the ADGM, the FSRA has proposed a dedicated framework for staking under its Consultation Paper No. 10 of 2025, which would regulate staking when conducted by licensed custodians or asset managers but leave solo or non-intermediated staking outside the regulatory perimeter.
Activities such as yield farming, liquidity mining, and crypto lending are regulated when they mirror traditional financial functions. Entities that pool or manage client assets for these purposes are deemed to be conducting regulated activities, such as lending, borrowing, or asset management, and must obtain the relevant licence from the VARA, FSRA or DFSA. Tokens used in such activities may also fall under securities or investment token laws if they carry governance or yield-bearing features.
Finally, all UAE regulators, including the Central Bank, enforce a unified prohibition on algorithmic stablecoins and privacy tokens, significantly restricting DeFi models that depend on untraceable or algorithmically collateralised instruments.
The UAE continues to refine its virtual asset ecosystem, with initiatives under way across DeFi, stablecoins, and tokenisation. Regulators are now shifting from rule-making to active supervision, enforcement, and targeted amendments of existing frameworks.
The most significant recent development at the federal level is Decision No. 4/R.M/2026, issued by the CMA on 13 February 2026. The Decision replaces Chairman’s Decision No. 26/R.M of 2023 in its entirety and consolidates federal VASP regulation into a single three-module rulebook. Existing licensees have until 13 February 2027 to comply with the new Business Regulation Module and Alternative Trading System Module.
The new framework also introduces enhanced governance requirements, including mandatory residency in the UAE for the Chief Executive, Compliance Officer, and Money Laundering Reporting Officer, individual CMA accreditation for all senior personnel, annual penetration testing, and cybersecurity incident reporting within 72 hours. Controller approvals are now required before crossing shareholding thresholds of 30% or 50%.
At the federal level, the Central Bank is expanding oversight of payment tokens under the PTSR. It authorised the first dirham-pegged payment token, AE Coin, in 2024 and is advancing the Digital Dirham CBDC project through the mBridge cross-border network, now in its MVP phase.
In Dubai, VARA is consolidating its activity-based rulebooks (Version 2.0 issued May 2025) and intensifying enforcement, particularly under the Marketing Regulations 2024, which impose strict standards on VASP promotions and public communications.
In the ADGM, the FSRA is consulting on new frameworks for virtual asset staking and enhanced rules for fiat-referenced tokens.
Within the DIFC, the DFSA has released Consultation Paper 168 (October 2025) proposing a “Suitable Crypto Token” assessment model and confirming that its revised Client Assets Regime will come into force on 1 January 2026.