Legal Insights
The Federal-Decree Law No. 6 of 2025 Regarding the Central Bank Regulation of Financial Institutions and Activities and Insurance Business (the New Central Bank Law) was issued in the Official Gazette and became legally effective as of 16 September 2025 (Art 188).
The New Central Bank Law introduces one of the most consequential regulatory shifts for Web3 and digital-asset infrastructure in the region.
Article 62 is the key provision to understand, to be read together with the rest of the Law, and specifically together with Article 61.
Article 61 What counts as a “Licensed Financial Activity”
Article 61 provides the master list of activities that require a licence from the Central Bank. These include, among others:
-
-
- Core banking – taking any kind of deposits (including Shari’ah-compliant) and providing all types of credit and funding facilities.
- Open finance – providing open finance services (data/financial access and connectivity).
- FX/payments/remittance – currency exchange and money transfer services, including instant transfers.
- Virtual asset payments – providing payment services using virtual assets.
- Stored value & digital money – providing stored value, retail payment, and digital money services.
- Marketing & promotion – arranging, promoting, or marketing any of the licensed financial activities.
- Dealing as principal – acting as principal in financial products that affect the institution’s balance sheet (FX, derivatives, bonds, sukuk, equities, commodities, and any other CBUAE-approved products).
- Insurance & Takaful – providing insurance, reinsurance, and related professions’ services, including Takaful and re-Takaful.
-
Article 62
Article 62 states that any person who carries on, offers, issues, or facilitates a licensed financial activity “through any means, medium, or technology” falls under the regulatory perimeter of the Central Bank of the UAE – “shall be subject to the licensing, regulatory, and oversight jurisdiction of the Central Bank”.
This language is intentional; it brings protocols, DeFi platforms, middleware, and even infrastructure providers into scope if they enable activities such as payments, exchange, lending, custody, or investment services.
What this means in practice:
- “We’re just code” is no longer a defence.
- The “Decentralisation” argument does not exempt a protocol.
- Front-end access and marketing targeting UAE users will trigger regulatory obligations, as marketing itself is a regulated activity.
- Protocols that support stablecoins, RWAs, DEX functions, lending, bridges, or liquidity routing may require a licence.
- Fines that can reach AED 1 billion and even criminal sanctions for unlicensed activity.
Why this matters now:
Article 62 shifts the regulatory conversation from “We are a decentralized protocol?” to “What financial activity does this technology enable?”
What protocols and DeFi founders should do:
1. Map their protocol functions against the list of CBUAE-regulated activities.
2. Assess marketing, website access, and communications that reach UAE users.
3. Consider whether to:
- Apply for a UAE licence,
- Operate through a regulated partner, or
- Geofence the UAE entirely.
4. Prepare for consumer-protection, disclosure, and cybersecurity obligations that now apply to tech-based financial services.
Article 62 is the UAE’s clearest signal yet that DeFi and Web3 infrastructure will be considered as regulated based on economic function, not technological form.
Projects building or operating in the UAE should treat this as a pivotal regulatory moment and align their structures before the September 2026 transition deadline.
Book a free consultation today to discuss your project and compliance issues.
