Legal Insights
Last updated: March 31, 2026
The UAE’s federal crypto regulations were comprehensively updated in February 2026 under Decision No. 4/R.M/2026, issued by the UAE Capital Markets Authority. The new framework establishes eight licensed financial activities, sets minimum capital requirements from AED 500,000 to AED 4 million, reinforces absolute prohibitions on privacy tokens and algorithmic tokens, introduces prohibitions on the use of privacy devices, and sets compliance deadlines that are already running. Any business operating a crypto exchange, custody service, brokerage, portfolio management, or advisory platform in or from the UAE must hold a valid licence from the relevant regulator.
Table of Contents:
- Why These Regulations Matter for Your Business
- What Changed: The Three-Module Framework
- The Eight Licensed Financial Activities
- Capital Requirements by Licence Category
- What Is Absolutely Prohibited Under the New UAE Crypto Regulations
- The Deadlines That Are Already Running
- Key Compliance Obligations Under the New Framework
- The 2026 UAE Federal Regulations and the Broader Regulatory Landscape
- What Your Business Must Do Right Now
- How NeosLegal Supports UAE VASP Licence Applications
- FAQ
Why These Regulations Matter for Your Business
If you are operating, planning to operate, or investing in a virtual asset business in the UAE, the 2026 federal crypto regulations are the single most important regulatory development you need to understand this year.
Issued on 13 February 2026 under Decision No. 4/R.M/2026 (New Federal VASP Law) by Capital Markets Authority (CMA), the new framework does not amend the previous rules. It replaces them entirely.
The New Federal VASP Law consolidates the regulatory landscape into a single rulebook that spans three modules, establishes eight distinct licensed activity categories, introduces new capital requirements, imposes hard prohibitions on specific asset classes, and sets compliance deadlines that began running from the day the Decision was issued.
The UAE has the world’s most complicated regulatory environments for digital assets. VARA was established in Dubai to govern virtual asset activities across Dubai mainland and most UAE free zones. ADGM built a dedicated virtual asset framework in Abu Dhabi’s financial free zone. The DFSA developed its own crypto regulatory perimeter in the DIFC, a Dubai based financial free zone. And now the CMA’s comprehensive VASP framework operates at the federal level, sitting above and alongside all of them.
For founders who want regulatory certainty, institutional credibility, and access to one of the world’s wealthiest investor bases, UAE licensing is a baseline requirement. Under this framework, the obligations are more detailed, more demanding, and more actively enforced.
What Changed: The Three-Module Framework
Decision No. 4/R.M/2026 supersedes Decision No. 26/R.M/2023 and repeals the virtual asset provisions of the Financial Activities Rulebook. The new framework is structured across three consolidated modules.
The General Framework Module governs definitions, scope, licensed activities, licensing procedures, principal standards, and general obligations. This is the foundation of the entire framework.
The Business Regulation Module governs client classification, suitability assessments, conflict of interest management, record-keeping, margin trading, lending and borrowing, staking, and digital wallet requirements. This is where day-to-day operational compliance lives.
The Alternative Trading System Module governs the operation of multi-party trading platforms and organised trading facilities, including technology governance, direct electronic access, and asset protection standards.
The Eight Licensed Financial Activities
Under Article 12 of the General Framework Module, eight distinct financial activities require a licence from the CMA. Operating any of these activities without a licence is strictly prohibited and may result in administrative sanctions under Cabinet Resolution No. 99 of 2024.
1. Dealing in Virtual Assets as Principal
The entity buys and sells virtual assets using its own capital and on its own account, bearing direct market risk. Any entity that actively promotes its readiness to transact through advertising or marketing will be treated as a principal dealer regardless of how individual transactions are structured.
Capital requirement: AED 4,000,000 minimum.
Who needs this: proprietary trading desks, market makers dealing on own account, any business advertising readiness to buy or sell virtual assets bilaterally.
2. Dealing in Virtual Assets as Agent
The entity executes transactions on behalf of a client rather than using its own capital. It acts as an intermediary, bearing no direct market risk. An entity that merely receives and passes on a client’s order without further involvement falls outside this definition. Where an agent concludes transactions as principal solely to fulfil client orders, it may be reclassified as a principal dealer.
Capital requirement: AED 1,000,000 minimum.
Who needs this: brokers placing client orders on third-party venues, intermediary platforms executing on behalf of users.
3. Providing Custody
The custodian safeguards and administers virtual assets belonging to clients, either by holding the legal right to the asset through control of cryptographic keys or through registration on a distributed ledger. Where a custodian delegates functions to a third party, it remains fully liable to the client. That third party must itself be licensed by the CMA or an equivalent regulatory body.
Capital requirement: AED 3,000,000 minimum.
Who needs this: institutional custodians, wallet providers holding client private keys, exchanges custodying client assets.
4. Arranging Custody
A legally distinct activity from providing custody. The arranger facilitates access to custody services offered by a licensed custodian without itself holding client assets. This includes negotiating terms, assisting with onboarding, processing payments, and transmitting instructions. Entities that merely introduce clients to custodians without financial compensation and without involvement in concluding the arrangement are exempt.
Capital requirement: AED 1,000,000 minimum
Who needs this: intermediaries connecting clients with licensed custodians as part of a broader service offering.
5. Operating a Multi-Party Trading Platform
The operation of an automated marketplace matching buy and sell orders from multiple parties on a non-discretionary, rules-based basis. This is the UAE’s primary permitted vehicle for crypto trading. Organised Trading Facilities, which are discretionary matching systems, are expressly prohibited for crypto. All crypto trading platforms must operate on automatic, non-discretionary rules only.
Capital requirement: AED 500,000 minimum.
Who needs this: crypto exchange operators, automated trading venues, order-matching platforms.
6. Providing Investment Advice
The provision of personalised recommendations to a specific investor regarding the merits of buying, selling, or holding a particular virtual asset. The advice must be directed at a specific individual rather than the market generally. General market commentary and research publications do not fall within this definition. Entities providing investment advice are subject to comprehensive suitability obligations.
Capital requirement: AED 1,000,000 minimum
Who needs this: investment advisors providing specific recommendations on virtual assets to identified clients.
7. Portfolio Management
The management of a client’s virtual asset holdings on either a discretionary or non-discretionary basis. This covers investment objective setting, asset allocation, risk management, and performance monitoring. Entities acting solely on specific per-transaction client instructions are not considered portfolio managers.
Capital requirement: AED 1,000,000 minimum.
Who needs this: fund managers, crypto asset managers discretionary trading services, robo-advisors managing client virtual asset portfolios.
8. Arranging Investment Transactions
The creation of arrangements enabling another person to buy or sell a virtual asset, without the arranger itself being a party to the trade. This includes arrangements that do not ultimately result in a completed transaction. Entities providing purely technical means of communication without capacity to influence the arrangement fall outside this definition.
Capital requirement: AED 1,000,000 minimum
Who needs this: introducers, referral platforms, and arrangers that facilitate virtual asset transactions between other parties.
Capital Requirements by Licence Category
Minimum capital requirements under Article 21 of Decision No. 4/R.M/2026:
Licence Category | Activity | Minimum Capital |
|---|---|---|
Category 1 | Dealing as Principal | AED 4,000,000 |
Category 2 | Dealing as Agent | AED 1,000,000 |
Category 3 | Providing Custody | AED 3,000,000 |
Category 4 | Custody + Advice + Arranging | AED 1,000,000 |
Category 5 | Portfolio Management | AED 1,000,000 |
Category 6 | Operating a Trading Platform | AED 500,000 |
The CMA may require capital based on projected or audited annual expenses, typically 25% to 35% of annual expenses, or a risk-based capital calculation, whichever produces the higher number. The Article 21 minimums are floors, not ceilings.
Capital adequacy must be maintained on an ongoing basis after licensing. Firms whose capital falls below the required minimum mid-licence face immediate disclosure obligations and potential sanctions.
What Is Absolutely Prohibited Under the New UAE Crypto Regulations
Three categories of hard prohibition apply regardless of licence status. No exemption or prior CMA approval can override these bans.
Privacy Tokens and Privacy Devices - Completely Banned
No person may provide financial services related to privacy tokens, issue or promote them, conduct any activities involving them, or offer them to the public in or from the UAE.
This ban extends to any technique or digital wallet designed to anonymise, hide, or prevent the tracking of transaction data, holder identities, or asset values.
Monero, Zcash, Dash, and any product feature designed to obscure transaction trails fall within this prohibition.
This mirrors parallel regulatory action across the UAE: in January 2026, the DFSA separately banned privacy token use on exchanges in the DIFC, citing incompatibility with global AML compliance norms.
Algorithmic Tokens - Completely Banned
No person may provide financial services related to algorithmic tokens, which are assets generated algorithmically to stabilise the price of, or modify supply and demand for, another virtual asset.
This prohibition covers algorithmic stablecoin activities across the board. The collapse of TerraUST and the broader instability demonstrated by algorithmic price-stabilisation mechanisms is directly reflected in this hard prohibition. There is no licensing pathway around it.
Organised Trading Facilities for Crypto - Banned
All crypto trading must occur on non-discretionary, rules-based platforms only. Discretionary matching systems, which are Organised Trading Facilities, are expressly prohibited for virtual asset trading. Any trading platform operator whose system involves any element of manual or discretionary order matching needs to assess this prohibition carefully before applying.
Utility Tokens and NFTs - Restricted
Utility tokens and NFTs are prohibited for general service provision. The narrow permitted exception allows licensed entities to provide custody or operate multi-party trading platforms specifically for these assets, subject to prior CMA approval. General utility token or NFT service provision without that specific CMA approval is not permitted.
The Deadlines That Are Already Running
Every deadline below runs from 13 February 2026.
One Year — Existing Licensees Licensed entities have one year from the Decision’s effective date to comply with the new Business Regulation Module and Alternative Trading System Module requirements. Existing licensing conditions remain enforceable during this period. The one-year window ends 13 February 2027.
Six Months — Preliminary Approval Holders Applicants who have already received preliminary approval from the CMA must fulfil all licensing requirements within six months of that approval. One extension of a further six months is available but is not guaranteed and requires CMA discretion.
45 Days — Quarterly Financial Reports Licensed entities must submit quarterly financial reports to the CMA within 45 days of the end of each quarterly period.
72 Hours — Cyber Incident Reporting Any material cybersecurity incident must be reported to the CMA within 72 hours of the entity becoming aware of it.
15 Working Days — Bankruptcy Notification Entities intending to file for bankruptcy must notify the CMA 15 working days before filing.
10 Working Days — Creditor Composition Entities requesting a composition with creditors must notify the CMA 10 working days before filing.
The compliance window under this Decision is generous by regulatory standards. It is also finite. Entities that use this period to build genuinely robust compliance infrastructure will be significantly better positioned than those who treat it as a deadline to be managed at the last moment.
Key Compliance Obligations Under the New Framework
Governance and Personnel
Licensed entities must maintain at all times a Chief Executive, Senior Executive Officer, Compliance Officer, Money Laundering Reporting Officer, Finance Director, and Internal Auditor.
The Chief Executive, Compliance Officer, and MLRO must reside in the UAE. A narrow exception exists for the Senior Executive Officer, subject to demonstrating effective oversight mechanisms and direct communication channels with the CMA. All senior personnel must be individually accredited by the CMA before taking up their roles.
Cybersecurity
Entities must establish a board-approved cybersecurity risk management framework, maintain up-to-date anti-malware systems, implement multi-factor authentication on all internet-facing systems, conduct annual penetration testing, and report material incidents within 72 hours. Third-party cyber risks must be managed as an integral part of the overall framework.
A policy document that has not been formally adopted by the board does not satisfy the board-approval requirement. This is a distinction the CMA applies during licensing reviews.
Client Classification
All clients must be classified as Retail, Professional, or Counterpart before any service is provided. Classifications must be reviewed and updated at least every three years. Getting this wrong affects every downstream suitability, appropriateness, and disclosure obligation.
Suitability and Appropriateness
Entities providing investment advice or portfolio management must conduct detailed suitability assessments covering client knowledge, financial position, and investment objectives. These must be documented, retained for six years, and updated on any material change to the client’s circumstances.
Record-Keeping
All records, including client agreements, transaction records, suitability reports, complaints, and compliance procedures, must be retained for a minimum of six years. This is a hard legal requirement, not a best practice recommendation.
Technology Audit
Entities operating trading platforms or providing custody services must appoint an independent external auditor annually to assess technology compliance. The audit report must be submitted to the CMA within four months of the financial year end.
Controller Approvals
Any person seeking to acquire or increase control in a licensed entity, including crossing thresholds of 10%, 30%, or 50%, must obtain prior written approval from the CMA before completing the transaction. This affects new investors, existing shareholders increasing their positions, and restructuring transactions.
The 2026 UAE Federal Regulations and the Broader Regulatory Landscape
Decision No. 4/R.M/2026 operates alongside, not instead of, the UAE’s other virtual asset regulatory frameworks.
VARA continues to govern virtual asset activities in Dubai and most UAE free zones outside DIFC, under VARA Rulebook Version 2.0 published in May 2025.
ADGM/FSRA continues to govern virtual asset businesses in Abu Dhabi’s financial free zone, with the new FRT framework in force from 01/01/2026.
DIFC/DFSA continues to govern financial services in the Dubai International Financial Centre, with enhanced governance standards in force from 12/01/2026 and a separate ban on privacy token use on DIFC exchanges announced in January 2026.
CBUAE governs payment tokens under the Payment Token Services Regulation, 2024 and banking services under Federal Decree-Law No. 6 of 2025, with a hard compliance deadline for DeFi projects of September 2026 and penalties up to AED 1 billion.
Compliance with one framework does not substitute for compliance with another. Mapping your specific regulatory perimeter across all applicable frameworks is the first step in any UAE crypto compliance programme, not an afterthought.
What Your Business Must Do Right Now
Whether you are an existing licensee, an applicant in process, or a founder considering UAE market entry, these steps cannot be deferred.
Map your activities against the eight new licence categories. The definitions in Decision No. 4/R.M/2026 differ materially from the 2023 framework. Activities previously characterised one way may require a different or additional licence category under the new Decision.
Conduct a gap analysis against the Business Regulation Module. Governance, cybersecurity, client classification, suitability, and record-keeping systems all require review against the new standards. Most firms operating under the 2023 framework will have gaps.
Assess your capital position against all three calculations. The Article 21 minimum. The risk-based calculation. The expense-based floor. All three. Confirm which is the binding constraint for your specific business.
Confirm your personnel against the new accreditation and residency requirements. Chief Executive, Compliance Officer, and MLRO must reside in the UAE. All key personnel require individual CMA accreditation. Any gaps need to be resolved well before the compliance deadline, not on it.
Establish or update your cybersecurity risk management framework. Board-level adoption is required. Annual penetration testing is required. 72-hour incident reporting is required. These are not aspirational standards. They are enforcement triggers.
Engage specialist UAE financial regulation counsel now. The six-month window for preliminary approval holders and the one-year window for existing licensees feel generous. Building genuinely compliant governance, AML, and cybersecurity infrastructure takes months. Starting in month ten is not a compliance strategy.
How NeosLegal Supports UAE VASP Licence Applications
Navigating the UAE’s 2026 federal crypto regulations is not a process that rewards improvisation.
The CMA expects applicants to demonstrate genuine institutional readiness, not just paperwork compliance. A rejected or delayed application costs time, capital, and market opportunity. Getting it right the first time is not just preferable. For businesses with live products and fundraising timelines, it is non-negotiable.
NeosLegal has been advising UAE virtual asset businesses since 2016, before VARA existed, before ADGM had a virtual asset framework, and before most UAE law firms had encountered the term ‘cryptocurrency’. Chambers and Partners selected NeosLegal to author the UAE chapter of Virtual Assets 2026. The Oath Middle East named NeosLegal Middle East Technology Legal Team of the Year in November 2025.
Preliminary approval and licence applications. From initial eligibility assessment and business plan development through to preparation and submission of the preliminary approval application and the full licence application. Complete, accurate, and positioned to meet the CMA’s evaluation criteria across financial fitness, experience, integrity, compliance, and legal structure.
Gap analysis and compliance structuring. For businesses operating under the 2023 framework, a thorough gap analysis against Decision No. 4/R.M/2026 with a prioritised remediation roadmap and realistic timelines.
Corporate and governance structuring. Legal form, shareholder and controller structures, board composition, and key personnel identification and CMA accreditation for each required role including Chief Executive, Compliance Officer, and MLRO.
Regulatory documentation. The full suite: client agreements, risk disclosure statements, suitability frameworks, AML and CFT policies, cybersecurity frameworks, outsourcing policies, complaints handling procedures, and business continuity plans. Drafted to current CMA standards, not generic templates.
Capital and financial advisory. Capital structure review against all three applicable calculations, three-year financial projections, and the expense-based and risk-based capital floors that may set a higher effective minimum than the Article 21 figures.
Ongoing regulatory support. CMA reporting obligations, material change notifications, controller approvals, new personnel accreditation, responses to CMA enquiries and inspections, and advice on new activity approvals as the business scales.
New market entrants. For crypto businesses outside the UAE considering market entry: jurisdictional analysis, licensing strategy, entity establishment, regulatory engagement, and full licensing support from feasibility through to CMA authorisation.
The Regulatory assessment call is the starting point.
In 30 minutes, you will know which CMA licence categories apply to your business, where your current structure has gaps, what the realistic licensing timeline looks like, and what your next step is.
Frequently Asked Questions:
1. What are the UAE's new federal crypto regulations in 2026?
The UAE's 2026 federal crypto regulations are set out in Decision No. 4/R.M/2026, issued by the UAE Financial Markets Authority on 13 February 2026. The Decision supersedes the previous 2023 framework and establishes a comprehensive three-module rulebook covering eight licensed financial activities, minimum capital requirements from AED 500,000 to AED 4 million, absolute prohibitions on privacy tokens and algorithmic tokens, and compliance deadlines running from 13 February 2026.
2. Do I need a licence to operate a crypto business in the UAE in 2026?
Any person engaging in regulated virtual asset service activities in or from the UAE must hold a valid VASP licence, from one of the 5 UAE regulators. This applies to exchanges, custodians, brokers, advisors, portfolio managers, and arrangers. Operating without a licence is strictly prohibited and subject to sanctions under Cabinet Resolution No. 99 of 2024. A trade licence from any UAE free zone does not substitute for a virtual asset service licence.
3. How much capital do I need for a UAE crypto licence in 2026?
Capital requirements under Decision No. 4/R.M/2026 range from AED 500,000 for operating a multi-party trading platform to AED 4,000,000 for dealing as principal. Where multiple activities are combined, the highest requirement governs. The CMA may additionally require capital based on projected annual expenses, typically 25% to 35%, or a risk-based calculation, whichever is higher. Capital must be maintained on an ongoing basis, not only at the point of application.
4. Are privacy tokens banned in the UAE in 2026?
Yes. Privacy tokens and privacy devices are completely and unconditionally prohibited under Decision No. 4/R.M/2026. No licence or prior CMA approval can authorise providing services, issuing, promoting, or offering privacy tokens to the public in or from the UAE. The DFSA separately banned privacy token use in the DIFC from January 2026. The prohibition is UAE-wide at the federal level and covers any technique or wallet designed to anonymise transaction data or hide holder identities.
5. Are algorithmic tokens banned in the UAE in 2026?
Yes. Algorithmic tokens are completely prohibited under Decision No. 4/R.M/2026. The prohibition covers any asset generated algorithmically to stabilise the price of, or modify supply and demand for, another virtual asset. There is no licensing pathway around this prohibition. It covers providing financial services related to algorithmic tokens, issuing them, promoting them, and offering them to the public.
6. What is the compliance deadline for existing UAE crypto licensees?
Existing licensed entities have one year from 13 February 2026, meaning until 13 February 2027, to comply with the new Business Regulation Module and Alternative Trading System Module requirements. Preliminary approval holders have six months from the date of their approval, with one possible extension of a further six months subject to CMA discretion. Failure to comply within the applicable window may attract sanctions under Cabinet Resolution No. 99 of 2024.
7. What key personnel are required under the UAE's 2026 crypto regulations?
Licensed entities must maintain at all times a Chief Executive, Senior Executive Officer, Compliance Officer, Money Laundering Reporting Officer, Finance Director, and Internal Auditor. The Chief Executive, Compliance Officer, and MLRO must reside in the UAE. All senior personnel must be individually accredited by the CMA before taking up their roles.
8. What is the difference between providing custody and arranging custody under UAE law?
They are legally distinct activities requiring separate CMA licences. Providing custody means actually holding and safeguarding client virtual assets, including controlling cryptographic keys or holding assets on a distributed ledger. Arranging custody means facilitating a client's access to a licensed custodian without holding the assets yourself. Both require a CMA licence. Both have different capital requirements. Characterising one as the other at the licensing stage is one of the most common and costly sequencing mistakes in UAE crypto licence applications.
9. Does the UAE's 2026 federal crypto regulation apply alongside VARA and ADGM?
Yes. Decision No. 4/R.M/2026 operates at the federal level alongside VARA (Dubai), ADGM/FSRA (Abu Dhabi financial free zone), DIFC/DFSA (Dubai financial free zone), and CBUAE (payment tokens, September 2026 deadline). Compliance with one framework does not substitute for compliance with another. A UAE virtual asset business may be subject to multiple regulators simultaneously depending on its activities, structure, and location.
10. How do I start the UAE crypto licensing process in 2026?
The process begins with a preliminary approval application to the CMA, accompanied by evidence of financial fitness, professional experience, integrity, compliance history, and a three-year business plan. The CMA has 45 working days to decide on preliminary approval. Once granted, you have six months to fulfil all licensing requirements and submit your full licence application.
Beginning with a specialist regulatory assessment, mapping activities, capital, governance, and personnel against the new requirements, prevents the mistakes that delay applications after they are filed.
If your company operates or plans to operate an exchange, custody, brokerage, or advisory platform in or from the UAE, speak with the NeosLegal team to assess your licensing requirements, capital thresholds, and compliance strategy.
About the Author
Irina Heaver is the UAE Crypto Lawyer and Founder of NeosLegal. She has structured over 300 crypto and Web3 projects and advised governments and regulators on crypto asset frameworks.
Legal Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. The regulatory landscape is evolving rapidly. Businesses seeking to obtain a UAE virtual asset service provider licence should obtain qualified legal counsel experienced in UAE financial regulation. Contact NeosLegal at [email protected]. Current as of 30/03/2026 based on Decision No. 4/R.M/2026 issued by the UAE Financial Markets Authority on 13 February 2026.
