Legal Insights
TL;DR:
Launching a regulated crypto business in the UAE means navigating UAE virtual asset regulations and VASP licensing across SCA, VARA, CBUAE, ADGM/FSRA, and DIFC/DFSA. Each pathway has defined licence categories, timelines, capital and fees, and all require local presence, strong governance, and strict AML/CTF controls.
The guide explains VARA Rulebook 2.0, FRVA/ARVA issuance, CBUAE PTSR for payment tokens, and how ADGM and DIFC classify tokens and custody.
This guide will help you to map business models to optimal jurisdictions and licence types, pick the right regulator, plan your application and launch compliantly in the UAE.
Who Regulates VASPs in the UAE?
The UAE’s approach to virtual assets regulation is a combination of federal oversight and specific emirate-level regulations.
At the federal level, the Securities & Commodities Authority (SCA) and the Central Bank of the United Arab Emirates (CBUAE) set the overarching policy and regulatory framework.
At the emirate level, the UAE Cabinet has delegated the authority to regulate virtual assets in Dubai to the Virtual Assets Regulatory Authority (VARA), which oversees all virtual asset activities within the emirate.
The financial free zones, Abu Dhabi Global Markets (ADGM) and Dubai International Financial Centre (DIFC), have also developed their own regulatory frameworks based on common law principles, with the FSRA regulating ADGM and the DFSA regulating DIFC.
Regulator | Jurisdiction | Core Focus | Legal Foundation |
SCA | Mainland UAE | Virtual assets services providers: exchanges, brokers, custody | Cabinet Resolution No.111 of 2022 |
CBUAE | Federal | Payment tokens, stablecoins, and financial institutions | Payment Token Services Regulation |
VARA | Emirate of Dubai (excluding DIFC) | Virtual asset issuance, trading, custody, and advisory | Law No.4 of 2022 Regulating Virtual Assets in the Emirate of Dubai |
ADGM (FSRA) | Abu Dhabi Financial Free Zone | Institutional custody, asset management, trading platforms | Financial Services and Markets Regulations 2015 |
DIFC (DFSA) | Dubai Financial Free Zone | Tokenised securities and recognised crypto tokens | Regulatory Law, DIFC Law No.1 of 2004 DAL 2024 |
Securities and Commodities Authority
The Securities and Commodities Authority (SCA) plays a crucial role in establishing the regulatory framework for virtual assets across the UAE. It is responsible for developing specific regulations and guidelines for the treatment of virtual assets and issuing licenses for entities operating in the virtual asset space.
HISTORICAL NOTE
The Securities and Commodities Authority (SCA), previously known as the Emirates Securities and Commodities Authority (ESCA), was established in 2000. Initially, its regulatory role was primarily focused on publicly listed UAE companies and the public securities exchanges within the country.
However, since 2009, the SCA’s jurisdiction has expanded significantly, making it the primary regulator of capital markets under the UAE’s federal framework. Over time, oversight of foreign securities has gradually transitioned from the CBUAE to the SCA through an unpublished memorandum of understanding between the two entities. While regulatory updates are publicly disclosed through official SCA publications, certain procedures and practices adopted by the authority remain unpublished.
In December 2022, the UAE government issue Cabinet Resolution No. 111 of 2022, establishing a comprehensive regulatory framework for Virtual Assets and Virtual Asset Service Providers (VASPs).
SCA is the designated regulator under the Cabinet Resolution. Under the Cabinet Resolution 111 of 2022, the following activities are subject to licensing:
- Operating or managing a virtual asset platform
- Providing exchange services between virtual assets
- Providing virtual asset transfer services
- Acting as a broker in virtual asset trading
- Providing custody, management, or control services for virtual assets
- Offering or selling virtual assets on behalf of the issuer (or assisting in such offerings)
The SCA’s regulatory treatment of Virtual Assets involves an approach where VAs are categorized as: VAs for investment purposes and VAs for payment purposes.
Under the guidelines, VAs for payment purposes do not fall under the remit of SCA and instead are subject to the jurisdiction of CBUAE. This excludes VAs approved by the CBUAE for listing and trading for investment purposes on the virtual assets platform.
SCA’s current regulatory framework does not apply to the following:
- Service tokens and non-fungible tokens that do not represent virtual assets for investment purposes
- Development, deployment or use software for the purpose of mining, creating or extracting virtual assets
- Loyalty programs
- Virtual asset for payment purposes
- Any other virtual assets, as evaluated by the SCA.
The types of dedicated VA licenses issued by the SCA include:
- Virtual Asset Platform Operator
- Custody of Virtual Assets
- Virtual Assets Broker
Other regulated activities (i.e. asset management etc.) do not currently have a dedicated VA license.
The prevailing approach is to apply for the relevant financial services license and then obtain a No Objection Certificate (NOC) to carry out that activity using virtual assets.
Entities seeking an SCA license must adhere to the SCA Rulebook, which outlines requirements related to technology, security, and Anti-Money Laundering (AML) compliance. A license from the SCA enables entities to operate throughout the UAE.
The application process for a license from SCA is generally divided into following stages:
- Due diligence and discussions with the SCA’s team
- Submission of an initial application and payment of a small fee
- Receiving of an initial approval
- Completion of a legal entity formation in the correct jurisdiction
- Submission of the full application
- Payment of License Fees
- Ongoing Regulatory Oversight
In August 2025, SCA and VARA agreed on a shared framework to regulate virtual assets across the UAE. News reports indicate that the agreement includes mutual recognition of Virtual Asset Service Provider (VASP) licenses issued by either authority, along with joint processes for reviewing applications, monitoring compliance, and addressing breaches.
The two regulators will coordinate to align existing laws and develop new regulations, aiming to eliminate gaps and prevent overlaps that could impact investors or businesses. This partnership is intended to provide consistent supervision, enhance investor protection, and strengthen the UAE’s position as a unified, competitive hub for virtual assets.
The SCA-VARA agreement builds on the SCA’s current virtual asset regulatory framework*, which defines specific asset categories and licensing requirements applicable across the UAE.
*The SCA released a draft regulatory framework for Virtual Assets, which was open for industry feedback until 1 Sep 2025. The new framework is expected to be finalized and issued by early 2026.
*Fees Table annexed to the Decision of the Chairman of the SCA Board of Directors No. 32 (Chairman) of 2018
Certain key roles within a VASP entity must be accredited by the relevant regulatory authority. These roles include:
- the Head of Category or Manager,
- the Head of Compliance,
- the Head of Risk Management, and
- the Operations Manager.
These positions require formal approval from the authority to ensure compliance with regulatory standards.
Other roles within a VASP entity
do not require accreditation.
These include:
- the IT Officer,
- the Information Security Officer, and
- the Financial Manager.
While these roles remain critical to the operation of the business, they do not necessitate regulatory approval.
*Annex No. (1) – Section 2 of the SCA Rulebook
Under the Cabinet Regulation, no entity is permitted to engage in virtual asset-related activities without obtaining the necessary approval and license from the Securities and Commodities Authority (SCA) or its designated regulatory body within the relevant emirate.
IMPORTANT!
Non-compliance with the law can result in severe penalties, including fines of up to AED 4,000,000, disgorgement of profits earned from unlawful activities, and potentially criminal investigation by the Public Prosecutor.
These stringent measures underline the UAE’s commitment to maintaining a secure and well-regulated environment for virtual assets.
Central Bank of the UAE
The Central Bank of the UAE (CBUAE) regulates financial institutions, including banks, payment service providers, and fintech entities, while also overseeing payment systems, including those that involve virtual assets.
However, its authority over virtual assets is strictly limited to those used as a means of payment, i.e. stablecoins. The CBUAE does not regulate Virtual Assets classified as investment instruments or utility tokens, which instead fall under the jurisdiction of the SCA or other relevant regulators.
To govern the use of virtual assets for payments, the CBUAE issued the Payment Token Services Regulation (PTSR), which establishes rules for the issuance and use of payment tokens (i.e. stablecoins), and governs entities providing related services within the UAE.
The PTSR defines payment tokens as a type of virtual asset that maintains a stable value by referencing the value of the same fiat currency.
Payment Tokens are classified into two categories:
Dirham Payment Tokens
which can be used for any lawful purpose.
Foreign Payment Tokens
which are restricted to the purchase of virtual assets or their derivatives.
The PTSR imposes strict prohibitions on algorithmic stablecoins and privacy tokens.
No person is permitted to issue or provide services related to these tokens within the UAE, and this restriction applies universally to all entities, including those already regulated for other Virtual Asset activities by the SCA or a Local Licensing Authority such as VARA.
Additionally, the regulation imposes restrictions on services related to non-Payment Token Means of Payment that resemble Payment Token Services.
This limitation applies even to entities that are licensed under other regulatory authorities such as the SCA or VARA. These measures ensure that only authorized and properly regulated entities engage in payment-related virtual asset activities.
Licensing
Under the PTSR, any entity intending to perform Payment Token Services must obtain a license or registration from the CBUAE.
Payment Token Services encompass three primary regulated financial activities:
- Payment Token Issuing,
- Payment Token Custody and Transfer,
- Payment Token Conversion.
Entities intending to provide Payment Token Services must apply for one or more of the following licenses, depending on the nature of their operations:
Dirham Payment Token Issuer – for entities issuing Dirham-backed Payment Tokens.
Payment Token Custodian and Transferor – for businesses involved in the safekeeping and transfer of Payment Tokens.
Payment Token Conversion – for entities facilitating the exchange between Payment Tokens and fiat currency or other assets.
Foreign entities, including those located in Financial Free Zones, may apply for registration as Foreign Payment Token Issuers to operate legally within the UAE market. This requirement ensures that cross-border Payment Token activities adhere to the UAE’s regulatory standards and oversight mechanisms.
Additionally, while banks are explicitly prohibited from issuing Payment Tokens directly, they may establish subsidiaries or affiliated entities to perform such activities, provided they meet the necessary licensing requirements.
Certain low-risk Payment Tokens are exempt from the regulation.
These include tokens used for specific reward or bonus schemes, such as loyalty programs where tokens are issued as rewards by a merchant or token issuer.
Examples include airline mileage programs and customer loyalty schemes where tokens are not redeemable for cash. Payment Tokens that can only be used for non-financial goods or services provided by the issuer are also exempt.
Additionally, the CBUAE may exempt a Payment Token Issuer from licensing and other regulatory requirements if the total Reserve of Assets does not exceed AED 500,000 and the number of token-holders remains below 100. However, the CBUAE retains the authority to revoke an exemption and require the issuer to apply for a full license if deemed necessary.
The CBUAE holds broad enforcement powers under the PTSR. Violations of the regulation may result in supervisory actions, financial penalties, or even criminal investigations. The Central Bank has the authority to restrict, suspend, or revoke a license or registration, impose fines, and bar individuals or entities from engaging in financial activities within the UAE.
All licensed or registered entities must comply with Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations, ensuring robust compliance measures are in place to prevent illicit financial activities.
Entities must also adhere to strict governance and risk management requirements, including maintaining appropriate capital reserves and ensuring the security and transparency of Payment Token transactions.
Dubai – Virtual Assets Regulatory Authority
Dubai is the only emirate with a dedicated regulatory body for virtual assets, known as the Virtual Assets Regulatory Authority (VARA). VARA is responsible for overseeing virtual assets (VAs) and Virtual Asset Service Providers (VASPs), establishing the licensing, compliance, and operational requirements for entities operating in this space.
VARA has developed a comprehensive set of regulations and guidelines that entities must follow to operate within Dubai’s virtual asset ecosystem. This includes the Virtual Assets and Related Activities Regulations 2023 (VARA Regulations), which set out licensing requirements, compliance obligations, and operational standards for VASPs.
Before offering regulated virtual asset-related activities in or from Dubai, whether to local residents or global customers where permissible, all businesses are required to obtain a license from VARA.
In coordination with SCA, VARA has also issued Marketing Regulations which are applicable to all market participants in the UAE, regardless of whether they are directly licensed by VARA.
Additionally, VARA has released both general rulebooks and activity-specific rulebooks to provide detailed guidance for compliance related to various virtual asset activities.
In May 2025, VARA issued Version 2.0 of its complete Rulebook framework. These changes took effect on 19 June 2025 after a 30-day transition period.
Key updates include:
- Sponsored VASPs. A new regime permits entities to operate under a licensed Regulated Sponsor, with strict oversight and compliance obligations on both parties.
Learn more about the Sponsored VASPs Regime → - Issuance Framework Overhaul. The Virtual Asset Issuance Rulebook introduces detailed requirements for Category 1 (e.g. stablecoins and ARVAs) and Category 2 tokens (e.g. utility tokens). Category 1 issuances now require prior VARA approval; Category 2 issuances must be distributed through licensed distributors.
- Margin Trading. VARA has codified margin trading rules for broker-dealers and exchanges, including updated margin definitions and internal policy requirements.
- Qualified Investor Definition. The threshold for Qualified Investor status increased significantly, aligning with broader UAE financial standards.
- Compliance & Risk Management. VASPs must conduct quarterly client and business risk assessments, meet enhanced AML/CFT obligations, and comply with clarified client money and VA insolvency protections.
- Technology Governance. New requirements include a formal Technology Governance and Risk Assessment Framework (TGRAF), mandatory Threat-Led Penetration Testing (TLPT), and controls over developer environments, wallets, and cryptographic media.
- Sponsored VASPs. A new regime permits entities to operate under a licensed Regulated Sponsor, with strict oversight and compliance obligations on both parties.
All VASPs operating in or entering Dubai must act quickly to align with the updated framework.
VARA offers several types of licenses for different activities:
- Advisory Services
- Custody Services
- Broker-Dealer Services
- Lending and Borrowing
- Exchange Services
- Management and Investment
- *Transfer and Settlement (*only as ancillary to custody, and not a standalone activity)
- Virtual Asset Issuance
Advisory Services
Advisory Services refer to offering, providing, or agreeing to provide a personal recommendation to a client regarding one or more actions or transactions related to Virtual Assets. These recommendations may be provided upon the client’s request or initiated by the Entity giving the recommendation.
When making a personal recommendation, the Entity must consider, at a minimum, the client’s knowledge and experience in investing in Virtual Assets, their investment objectives (including risk tolerance, time horizon, and venues through which they can acquire Virtual Assets), and their financial circumstances, including their ability to bear sudden and significant losses and the proportion of their net worth invested in Virtual Assets.
Custody Services
Custody Services involve the safekeeping of Virtual Assets for or on behalf of another Entity and acting only on verified instructions from or on behalf of such Entity.
All VASPs engaged in Custody Services must comply with Rules regarding the storage and custody of clients’ Virtual Assets. Only VASPs that segregate each client’s assets into separate VA Wallets qualify for a Custody Services Licence.
Broker-Dealer Services
Broker-Dealer Services include any of the following activities:
- Arranging orders for the purchase and sale of Virtual Assets between two Entities;
- Soliciting or accepting orders for Virtual Assets and accepting fiat currency or other Virtual Assets for such orders;
- Facilitating the matching of transactions in Virtual Assets between buyers and sellers;
- Entering into Virtual Asset transactions as a dealer on behalf of the Entity for its own account;
- Making a market in Virtual Assets using client assets;
- Providing placement, distribution, or issuance-related services to clients issuing Virtual Assets. Any Entity in the Emirate that issues a Virtual Asset in the course of business must comply with the VA Issuance Rulebook.
Lending and Borrowing Services
Lending and Borrowing Services involve a contract under which a Virtual Asset is transferred or lent from one or more parties (the Lenders) to one or more other parties (the Borrowers).
The Borrower must commit to return the same Virtual Asset at the request of the Lender at any time either during or at the end of the agreed period.
Exchange Services
Exchange Services include any of the following:
- Conducting an exchange, trade, or conversion between Virtual Assets and fiat currency;
- Conducting an exchange, trade, or conversion between one or more Virtual Assets;
- Matching orders between buyers and sellers and conducting an exchange, trade, or conversion between Virtual Assets and fiat currency or between one or more Virtual Assets;
- Maintaining an order book in furtherance of these activities.
VA Management and Investment Services
VA Management and Investment Services involve acting on behalf of an Entity as an agent, fiduciary, or otherwise taking responsibility for the management, administration, or disposition of that Entity’s Virtual Assets.
This may include investment management services or otherwise managing Virtual Assets, as well as taking responsibility for staking Virtual Assets for the purpose of earning fees or other amounts paid to validators and/or node operators of a proof-of-stake Distributed Ledger Technology.
Virtual Asset (VA) Issuances
Virtual Asset (VA) issuances in the Emirate are classified into two categories with distinct regulatory requirements.
Category 1 VA Issuance covers Fiat-Referenced Virtual Assets (FRVAs) (i.e. stablecoins) and Asset-Referenced Virtual Assets (ARVAs) (i.e. RWA Tokens) or any other Virtual Assets as determined by VARA. There are separate rules for ARVAs and FRVAs in the Virtual Asset Issuance Rulebook must comply with the FRVA Rules.
Category 2 VA Issuances apply to Virtual Assets that do not fall under Category 1 or the new Exempt VA category. This can typically includes utility tokens, NFTs, and DAO governance tokens. While prior approval from VARA is not required for Category 2 issuances, the placement and distribution of these tokens must be carried out exclusively by a Licensed Distributor in the UAE.
Licensed Distributors are responsible for ensuring that the issuer complies with all requirements under the VA Issuance Rulebook, including conducting due diligence, reviewing whitepapers, and notifying VARA as required.
VA Transfer and Settlement Services
VA Transfer and Settlement Services refer to the transmission, transfer, and/or settlement of Virtual Assets from one Entity to another Entity or from one Entity to another VA Wallet, address, or location.
* Currently offered only as ancillary to custody, and not a standalone activity.
A VASP can obtain licenses for multiple activities under one overarching license, except for Virtual Asset Custody Services, which must remain separate from other virtual asset categories with the exception of Transfer and Settlement Services. Any entity licensed for multiple activities must comply fully with the requirements for each service and maintain this compliance continuously.
VASPs that meet VARA’s licensing requirements must comply with four compulsory rulebooks on company, compliance and risk management, technology and information, and market conduct, as well as relevant activity-specific rulebooks.
Abu Dhabi Global Market – FSRA
In 2018, the Financial Services Regulatory Authority (FSRA) of Abu Dhabi Global Market (ADGM) amended its Financial Services and Markets Regulations 2015 (FSMR) to include provisions governing virtual asset activities.
This made ADGM the first jurisdiction in the region to establish a comprehensive and clear regulatory framework for virtual assets. The FSRA introduced its regulatory framework for Virtual Assets (VAs) with a single Regulated Activity: Operating a Crypto-Asset Business (OCAB).
In 2020, OCAB was replaced with a set of amended Regulated Activities applicable to VAs, including:
- Dealing in Investments as Principal
- Dealing in Investments as Agent
- Advising on Investments or Credit
- Arranging Deals in Investments
- Managing Assets
- Providing Custody
- Arranging Custody
- Operating a Multilateral Trading Facility (MTF)
Firms engaging in these activities must comply with both general conduct and prudential requirements and additional VA-specific requirements outlined in Chapter 17 of COBS, known as the “VA framework”.
Moreover, VA firms are restricted to working with Accepted Virtual Assets (AVAs). Previously, firms were required to obtain FSRA approval for each virtual asset they intended to use. Under the recent updates, however, firms are now responsible for conducting their own assessment of each Virtual Asset against the criteria set out in the COBS Rules to determine whether it qualifies as an AVA. Firms must notify the FSRA of this assessment at least five business days before using the Virtual Asset.
Classification & Treatment of Digital Assets
Virtual Assets (VAs)
Considered commodities (e.g., Bitcoin, Ethereum) and not classified as specified investments under FSMR. Activities involving VAs require FSRA licensing or approval, and only Accepted Virtual Assets (AVAs) meeting FSRA criteria are permitted in ADGM.
Digital Securities
Tokens with security-like characteristics (e.g., shares, debentures, investment fund units) are classified as securities under FSMR and subject to the same regulations as traditional securities.
Utility Tokens
Tokens redeemable for specific products or services via DLT platforms. Treated as commodities, they are not classified as Specified Investments unless designated as AVAs. Spot trading and transactions in Utility Tokens are generally not Regulated Activities.
Fiat Referenced Tokens (i.e. stablecoins)
Digital representations of fiat currency, fully backed by underlying reserves. FSRA has specific regulations for their issuance and use within ADGM.
Privacy tokens and algorithmic stablecoins are prohibited for use in carrying on any regulated activity in ADGM.
The ADGM VA framework consists of the following:
- Financial Services and Markets Regulations 2015 (FSMR)
- Relevant FSRA Rulebooks, including the Conduct of Business Rulebook
- FSRA Guidance & Policies Manual, including: Guidance – Regulation of Digital Security Offerings and Virtual Assets under FSMR (“ICO Guidance”)
- Guidance – Regulation of Digital Securities Activity in ADGM (“Digital Securities Guidance”)
- Guidance – Regulation of Virtual Asset Activities in ADGM (“Virtual Asset Activities Guidance”)
The Virtual Asset Framework does not apply to:
a) ICOs (Initial Coin Offerings) or other fundraising activities, whether involving Digital Securities or Utility Tokens. For details on FSRA’s approach to ICOs, Digital Securities, and Utility Tokens, refer to the ICO Guidance and Digital Securities Guidance.
b) Carrying on of a regulated activity involving Fiat Referenced Tokens*
c) The following activities:
- Creating or managing Virtual Assets that are not Accepted Virtual Assets.
- Developing, sharing, or using software for creating or mining Virtual Assets.
- Loyalty point schemes based on Virtual Assets.
- Any other Virtual Asset-related activity that the FSRA determines is not a Regulated Activity, if necessary to meet regulatory objectives.
*ADGM has recently updated its framework to further accommodate for Fiat Referenced Tokens, including adding a new activity under Category 4 license, “Providing Money Services by way of Fiat Referenced Tokens”. These amendments are effective from 1 January, 2026.
Application & Authorization Process for Virtual Asset Firms
To be authorized to conduct Regulated Activities involving Virtual Assets, an applicant must demonstrate compliance with FSMR and relevant FSRA Rulebooks. Once approved and granted a Financial Services Permission (FSP), the applicant becomes an Authorized Person under FSMR and the FSRA Rulebook, holding the same regulatory status as other Authorized Persons within ADGM.
Applicants approved by the FSRA as Authorized Persons for Virtual Asset-related Regulated Activities will receive a Financial Services Permission (FSP) specific to those activities. Their operations will be restricted to Virtual Asset-related activities unless they receive additional authorization from the FSRA.
If an applicant also wishes to conduct activities involving Specified Investments or Financial Instruments, they must apply separately to the FSRA and meet all related regulatory requirements, including fees.
Applicants seeking authorization must actively engage with the FSRA throughout the application process.
The process is generally structured into five key stages:
- Due Diligence & Discussions with FSRA team(s)
- Submission of Formal Application
- Granting of In-Principle Approval
- Granting of Final Approval
- ‘Operational Launch’ Testing
FSRA’s Position on Stablecoins (Fiat Tokens)
FSRA has introduced a dedicated regulatory framework for Fiat-Referenced Tokens (FRTs). An FRT is a digital asset that functions as a medium of exchange with a stable store of value, by referencing a fixed amount of a single fiat currency and allowing redemption in fiat from the issuer upon demand. Under COBS Rules, firms conducting Regulated Activities involving FRTs may only use Accepted FRTs, meaning those explicitly approved by the FSRA.
Importantly, the FSRA distinguishes between FRTs and other so-called “stablecoins”; not all stablecoins qualify as FRTs. For example, tokens pegged to commodities, baskets of currencies, or other assets do not meet the FRT definition. Firms seeking to conduct Regulated Activities involving such non-FRT stablecoins should engage directly with the FSRA to determine the appropriate regulatory treatment.
FSRA’s Position on NFTs (Non-Fungible Tokens)
ADGM considers NFTs as digital assets on a DLT with unique identification codes, making them non-replicable and non-exchangeable at equivalency, essentially functioning like digital collector’s items. The FSRA does not currently regulate NFTs, but continues to monitor market trends and may revisit this stance in the future.
NFT-related activities are only permitted under strict conditions:
- Conducted by regulated MTFs also authorized as Virtual Asset Custodians and operating within ADGM.
- Firms may also engage in proprietary NFT investments within ADGM.
Despite allowing some activities, the FSRA does not regulate NFTs themselves.
Dubai International Finance Centre – DFSA
The Dubai International Financial Centre (DIFC), regulated by the Dubai Financial Services Authority (DFSA) and is one of the UAE’s financial free zones. It is known for a strong regulatory framework that aligns with international best practices.
In 2022, the DFSA introduced Crypto Token regulations, allowing firms in DIFC to obtain licenses to offer financial services involving Crypto Tokens within or from the DIFC.
Token Classifications
The DFSA distinguishes between Token and Crypto Token:
Token is a broad term referring to a digitally secured representation of value, rights, or obligations that can be issued, transferred, and stored electronically using distributed ledger technology (DLT) or similar systems.
Crypto token is a specific type of Token used (or intended to be used) as a medium of exchange, payment, or investment, or one that grants a right or interest in such a Token.
However, Crypto Tokens do not include:
- Excluded Tokens (NFTs, Utility Tokens, CBDCs)
- Investment Tokens
- Any other type of Investment
(Excluded and Investment Tokens have separate regulatory definitions under DFSA rules.)
Investment tokens is a Token that functions as a Security or Derivative, grants similar rights and obligations, or serves a comparable purpose.
NFT (Non-Fungible Tokens)
To be classified as an NFT, a Token must meet strict requirements. An NFT represents a specific asset, such as art, music, collectibles, or intellectual property related to an object.
A Token must be unique and non-fungible to qualify as an NFT. If a Token is issued to multiple people or linked to multiple assets, it is unlikely to be considered an NFT and will not be classified as an Excluded Token. If a Token does not meet the NFT definition, it may instead be categorized as a Crypto Token or, depending on its structure, as part of a Collective Investment Fund or Utility Token.
The DFSA applies a “substance over form” approach, meaning that even if a Token is labeled as an NFT, it must meet the actual criteria to be recognized as such. If a Token does not qualify as an NFT but is a Crypto Token, it can only be used in financial services if the firm is licensed and the Token is a Recognized Crypto Token.
Utility Tokens
A Token qualifies as a Utility Token only if it allows the holder to pay for, receive a discount on, or access a product or service (existing or planned) provided by the issuer or another entity within its group.
However, if the Token is later used for other purposes, such as a medium of exchange, payment, or investment, it no longer meets the Utility Token definition. In such cases, it is likely to be classified as a Crypto Token instead.
CBDCs
A CBDC is a digital currency issued by a government agency, central bank, or other monetary authority.
Crypto Token Regulations
Financial services and activities can only be conducted with Recognised Crypto Tokens, meaning Tokens that the DFSA has assessed and approved based on specific Token Recognition Criteria. The DFSA has also published an initial list of Recognised Tokens.
It is strictly prohibited to conduct any financial service or activity involving Prohibited Tokens, which include Privacy Tokens and Algorithmic Tokens.
Similar restrictions apply to:
Unrecognised Crypto Tokens
Tokens that have not been assessed or approved by the DFSA.
Derecognised Crypto Tokens
Tokens whose recognition status has been revoked because they no longer meet the DFSA’s criteria.
The only financial service allowed for Unrecognised or Derecognised Crypto Tokens is custody, which can only be provided by an appropriately licensed Authorised Firm.
Fiat Crypto Tokens (Stablecoins)
Fiat Crypto Tokens are a type of Crypto Token whose value is linked to a fiat currency or a combination of fiat currencies. Like all Crypto Tokens, they must go through a recognition process before being approved for use in the DIFC.
In addition to meeting the general Crypto Token recognition criteria, Fiat Crypto Tokens must comply with extra requirements, including:
- Adequacy of reserves
- Independent third-party verification of reserves
- Stability relative to the fiat currency they reference
Tokens that claim to be pegged to assets other than fiat currency will not be classified as Fiat Crypto Tokens.
Instead, they will fall under the broader category of Crypto Tokens unless they qualify as Derivative Tokens or Security Tokens.
A Recognised Fiat Crypto Token may be used for two specific purposes in the DIFC, provided it meets additional conditions:
1. Money Services firms may use them for money transmission and payment execution but are not permitted to offer other services involving Crypto Tokens.
2. Clearing Houses may use them for clearing and settlement instead of traditional fiat currency, provided they meet additional governance and risk management requirements particularly for blockchain-based clearing processes.
DIFC Digital Assets Law (2024) & Amendments
In 2024, the DIFC introduced Digital Assets Law No. 2 of 2024 (DAL), establishing a comprehensive legal framework for digital assets.
Key Provisions of DAL
A Digital Asset is defined as:
- A notional unit that exists through the operation of software by a network of participants.
- Independent of any particular person or legal system.
- Non-duplicable, meaning its use or consumption by one party limits its availability to others.
Under DAL, a Digital Asset is considered intangible property. The law also outlines requirements for control and ownership transfer.
Following DAL’s introduction, DIFC Amendment Law No. 3 of 2024 updated several existing DIFC laws to address digital assets.
Definition of Virtual Assets – UAE Jurisdictions
Securities and Commodities Authority (SCA)
Virtual Assets:
A digital representation of the value that can be traded or transferred digitally, can be used for investment purposes, and does not include digital representations of paper currencies, securities or other funds.
Virtual Assets for investment purpose:
It is considered a digital representation of value that can be traded or transferred digitally, and can be used for investment purposes, and does not include digital representations of fiat currencies, securities, or other funds.
Although the SCA does not directly regulate mining operations and the issuance of virtual assets, virtual assets may not be traded except after they are included in the official list with a virtual assets platform operator licensed or registered with the SCA and after they are registered with the SCA in accordance with the terms and conditions for accepting virtual assets in accordance with the Appendix (1) By The Chairman of the SCA’s Board of Directors’ Decision No. 26/RM/2023 on the Regulation of the Virtual Asset Platform Operator.
For clarity, the Virtual Assets Framework shall not apply to:
-
-
- Digital securities or digital commodity derivatives contracts.
- Service tokens and non-fungible tokens that do not represent virtual assets for investment purposes.
- Development, deployment or use software for the purpose of mining, creating or extracting virtual assets.
- Loyalty programs.
- Virtual assets for payment purposes.
- Any virtual assets evaluated by the SCA.
-
Dubai – VARA
Virtual Asset:
A digital representation of value that may be digitally traded, transferred, or used as an exchange or payment tool, or for investment purposes. This includes Virtual Tokens, and any digital representation of any other value as determined by VARA.
Virtual Tokens:
A digital representation of a set of rights that can be digitally offered and traded through a Virtual Asset Platform.
ADGM – FSRA
Section 258
Financial Services And Markets Regulations 2015 (pg. 224)
Virtual Asset means a digital representation of value that can be digitally traded and functions as
(1) a medium of exchange; and/or
(2) a unit of account; and/or
(3) a store of value, but does not have legal tender status in any jurisdiction.
A Virtual Asset is –
-
-
- neither issued nor guaranteed by any jurisdiction, and fulfils the above functions only by agreement within the community of users of the Virtual Asset; and
- distinguished from Fiat Currency and E-money.
-
Utility Tokens (e.g., tokens which can be redeemed for access to a specific product or service, typically provided using a DLT platform, do not exhibit the features and characteristics of a regulated investment / instrument under the FSMR).
DIFC – DFSA
A thing is a Digital Asset if:
-
-
- it exists as a notional quantity unit manifested by the combination of the active operation of software by a network of participants and network-instantiated data;
- it exists independently of any particular person and legal system; and
- the thing is not capable of duplication and use or consumption of the thing by one person or specific group of persons necessarily prejudices the use or consumption of that thing by one or more other persons.
-
Crypto Token is defined as a type of Token that is used, or is intended to be used, as a medium of exchange or for payment or investment purposes (or that confers a right or interest in such Token). The definition of a Crypto Token does not include an Excluded Token, Investment Token or any other type of Investment.
Choosing the Right Regulator for Your Business
Choosing the right regulator is one of the most important strategic decisions a founder can make. Each UAE authority serves a distinct purpose:
- SCA and VARA frameworks are suited for exchanges and retail-facing platforms;
- ADGM and DIFC appeal to institutional operators needing common-law certainty; and
- the CBUAE governs stablecoin and payment-token projects.
The wrong choice can delay licensing, inflate costs, and constrain product scope.
Before engaging with any authority, engage legal professionals to conduct a regulatory assessment. This maps your activities and token design to the correct regime, checks licensing categories, entity/substance needs, paid-up capital, tech and AML controls, marketing rules, and cross-border ambitions. A tight assessment clarifies whether you should pursue SCA vs VARA, or anchor institutional custody in ADGM/DIFC, so your application lands cleanly, moves faster, and scales without rework.
Business Model | Ideal Regulator |
Retail exchange or national crypto platform | SCA or VARA |
Institutional exchange or custody provider | ADGM (FSRA) |
Stablecoin or payment-token project | CBUAE |
Utility-token ecosystem | Unregulated path or VARA Category 2 issuance |
Tokenisation of real-world assets (RWA) | VARA Category 1 or ADGM securities path |
DAO | ADGM DLD Foundation or Innovation City DAO Association |
AML Compliance for VASPs in the UAE
In the UAE, AML and CFT rules and regulations are established at the federal level. Additionally, both federal and local supervisory authorities – such as the UAE Central Bank, the SCA, and the VARA – have the authority to issue rules and guidance that impose further requirements on VASPs.
While additional requirements may be imposed under specific regulatory regimes, the global approach to anti-money laundering and counter-terrorist financing remains consistent. The decentralized nature of virtual asset transactions and the lack of effective AML/CTF controls create opportunities for the misuse of virtual assets for money laundering purposes.
In response to this challenge, there is a globally accepted approach primarily guided by recommendations and guidance from the Financial Action Task Force (FATF).
This approach dictates that VASPs must be regulated for anti-money laundering/counter-terrorist financing purposes, be licensed or registered, and be subject to effective systems for monitoring or supervision (FATF Recommendation 15).
The AML/CFT obligations imposed on VASPs in the UAE are based on the recommendations outlined by the Financial Action Task Force (FATF).
The Founder’s Journey: From Idea to Licence
Securing a VASP licence in the UAE is a structured journey that turns a crypto concept into a compliant, bankable business. The map below outlines VARA licensing pathway, which is one of the most comprehensive and structured approaches on the market to-date, showing how founders move from early-stage planning to full operational approval.
Every step in this process matters. It begins with an initial regulatory assessment, followed by entity formation and preparation of governance, AML, and technology documentation.
The pathway map is designed to help founders visualise where they stand today, and what’s required to reach full authorisation in the UAE’s most forward-thinking crypto jurisdiction.
NeosLegal: UAE Specialist Crypto & Web3 Law Firm: VARA, SCA, ADGM & DIFC Licensing Experts
Since 2016, NeosLegal has structured over three hundred crypto ventures, exchanges, funds, and Web3 companies entering the UAE. The firm combines legal strategy with practical execution, from choosing the right jurisdiction to drafting governance frameworks, preparing VASP applications, and representing clients in regulatory consultations.
NeosLegal’s expertise covers SCA, VARA, CBUAE, ADGM, and DIFC licensing. The team assists with corporate structuring, token issuance documentation, AML/CFT frameworks, and ongoing compliance management.
For founders, the message is clear: building in the UAE offers opportunity, if you build it right.
Schedule a consultation with NeosLegal, UAE’s specialist Crypto & Web3 law firm, to map your licensing pathway, design compliant token structures, and launch confidently into the regulated future of Web3.
Frequently Asked Questions
1. How do I get a UAE crypto license in 2026?
Pick the correct regulator (SCA, VARA, ADGM/FSRA, DIFC/DFSA or CBUAE), engage with legal professionals to conduct a regulatory assessment, set up your UAE entity, prepare governance/AML/tech docs, and file the staged application to approval.
2. Which regulator is right for my business model?
SCA or VARA for exchanges; ADGM/DIFC for institutional custody, funds, and tokenised securities; CBUAE for payment tokens and stablecoins. Start with a short regulatory assessment to avoid rework.
3. How long does a UAE crypto license take?
Well-prepared founders typically complete staged approvals in 4-10 months, depending on activity scope, documentation quality, and regulator feedback.
4. Can I market VASP services in the UAE?
Only if licensed.
Unlicensed activity and unauthorized marketing can trigger fines and takedowns. Follow VARA marketing rules in Dubai and regulator-compliant disclosures across the UAE.
5. Why partner with NeosLegal for licensing?
NeosLegal is the UAE specialist Crypto & Web3 law firm. With 300+ projects structured since 2016, including across SCA, VARA, ADGM, DIFC, and CBUAE, we map your model to the right regulator, build your regulator-ready pack, and guide you to approval.
6. How do I start my crypto licensing with NeosLegal?
Book a Free Consultation. We run a focused regulatory assessment and give you a cost-based timeline, document checklist, and licensing pathway tailored to your model.
