One crypto licence, five regulators: do you need approval in every emirate to operate?
There is no single "UAE crypto licence". A VASP authorised in one jurisdiction still needs a separate look at whether it can lawfully deal with, or market to, persons anywhere else in the country.
The launch of a consolidated tracker covering VARA, ADGM, DIFC, the CBUAE and the SCA/CMA is useful precisely because it exposes a question that catches out most new entrants: licensing in the UAE is jurisdictional, not national. A firm that holds a Virtual Asset Service Provider licence from Dubai's VARA is not thereby licensed to solicit clients in Abu Dhabi, and an ADGM-regulated exchange cannot simply open a Dubai office and start onboarding mainland UAE customers on the strength of its Abu Dhabi Global Market authorisation.
Why five regimes exist side by side
The UAE's federal structure means virtual asset activity is regulated at three distinct levels that do not automatically recognise one another:
- Dubai (onshore and non-DIFC free zones): the Virtual Assets Regulatory Authority licenses and supervises VASPs conducting virtual asset activities in or from Dubai, under its own rulebooks covering exchange, broker-dealer, custody, lending and advisory activities.
- ADGM and DIFC: these are separate common-law financial free zones with their own financial services regulators (the Financial Services Regulatory Authority in ADGM, and the Dubai Financial Services Authority in DIFC) and their own virtual asset frameworks, distinct from both VARA and onshore UAE law.
- The rest of onshore UAE: outside Dubai, crypto-asset activities are regulated federally by the Securities and Commodities Authority, which licenses virtual asset service providers operating in Abu Dhabi, Sharjah and the other emirates outside the financial free zones.
- The Central Bank: the CBUAE regulates payment tokens and stablecoin issuance and related payment services nationally, layered on top of whichever VASP licence a firm otherwise holds.
A licence from any one of these bodies authorises activity within that body's territorial and functional remit only. It does not create a passport to the other four.
What this means in practice
For a firm already licensed somewhere in the UAE, the practical questions are narrower than "am I licensed" — they are about where customers are, and what conduct counts as regulated activity there:
- Marketing and solicitation: VARA's regime restricts the promotion of virtual asset services to persons in Dubai by unlicensed entities, including entities licensed elsewhere in the UAE or abroad. Sending marketing material, running targeted ads, or onboarding a Dubai-resident client from an ADGM or SCA-licensed entity can itself be an unlicensed activity in Dubai.
- Passive access versus active solicitation: regulators generally distinguish between a UAE resident accessing a platform on their own initiative (reverse solicitation, which most regimes tolerate to some degree) and the platform actively targeting that jurisdiction. The line is fact-specific and increasingly policed — this is not a safe harbour to rely on structurally.
- Group structures: many international VASPs now hold parallel licences — a VARA licence for Dubai-facing business, an ADGM or DIFC entity for free-zone and international clients, and an SCA registration for the rest of onshore UAE — precisely because no single approval covers the whole country.
- Payment tokens and stablecoins: even a fully licensed VASP under VARA, ADGM, DIFC or the SCA may need a separate CBUAE approval if its activity touches licensed stablecoin issuance or payment services, since that sits under a distinct federal gateway.
A VARA licence lets you operate in Dubai. It does not let you market in Abu Dhabi, custody assets from DIFC, or issue a stablecoin without the Central Bank's separate sign-off.
Due diligence before onboarding or investing
Counterparties, investors and banks conducting diligence on a UAE VASP should ask not just "is this entity licensed" but "licensed by whom, for what activity, and in respect of which customers". A licence certificate from one regulator says nothing about the entity's authority to deal with clients based in a different emirate or free zone. Cross-checking the specific regulator's public register — VARA's, the FSRA's, the DFSA's or the SCA's — against the entity's actual customer footprint is the only reliable way to confirm the scope of authorisation matches the business being conducted, and it is the gap that consolidated trackers are now trying to close.
Key instruments: VARA Virtual Assets and Related Activities Regulations (Dubai); ADGM Financial Services and Markets Regulations (virtual asset framework); DFSA (DIFC) digital assets regime; SCA Chairman's Decision on the Regulation of Virtual Assets and Virtual Asset Service Providers (onshore UAE outside Dubai); CBUAE payment token/stablecoin framework. General information, not legal advice.