Technology & Digital Assets Technology

Virtual assets & VARA

VARA · VASP licensing

The United Arab Emirates has, in the space of a few years, moved from having no dedicated virtual-asset law to operating one of the most articulated regulatory maps in the world. For a crypto business, the hard question is no longer whether the UAE regulates virtual assets, but which of its regulators it must answer to — and what each demands.

Dubai's dedicated regulator: VARA

Dubai took the decisive step with Law No. 4 of 2022 on the Regulation of Virtual Assets, which created the Virtual Assets Regulatory Authority (VARA) as a dedicated, standalone regulator. VARA supervises virtual assets across the Emirate of Dubai — mainland and free zones alike — with one significant carve-out: the Dubai International Financial Centre (DIFC), which has its own financial regulator. It is, in substance, the first purpose-built virtual-asset authority in the region.

The operative rules sit in VARA's Virtual Assets and Related Activities Regulations 2023 and an accompanying architecture of Rulebooks. No person may carry on a regulated virtual-asset activity in or from Dubai without a VARA licence. The regime is activity-based: rather than a single undifferentiated "crypto licence", VARA authorises defined activities, each with its own dedicated Rulebook layered on top of compulsory cross-cutting Rulebooks (company, compliance and risk, technology and information, and market conduct).

The regulated activities span the value chain — advisory, broker-dealer, custody, exchange, lending and borrowing, virtual-asset management and investment services, and transfer and settlement services. A firm applies for the specific activities it intends to conduct, and its obligations are calibrated accordingly. VARA materially revised its Rulebooks in 2025, tightening controls around areas such as margin trading and token-distribution arrangements and harmonising compliance expectations across activities — a reminder that this is a living framework, not a fixed one.

The hard question is no longer whether the UAE regulates virtual assets, but which of its regulators a business must answer to — and what each demands.

The wider map: federal, onshore, and the financial free zones

VARA does not sit in isolation. Above it is a federal layer. Under Cabinet Decision No. 111 of 2022 on the regulation of virtual assets, the Securities and Commodities Authority (SCA) holds federal competence over virtual assets and their service providers onshore, with power to delegate — and it is by virtue of that delegation that VARA exercises authority within Dubai. Onshore, outside Dubai, a VASP generally requires SCA licensing or approval. A cooperation arrangement announced in 2024 sought to streamline this interface, broadly enabling a Dubai-licensed VASP to be recognised for onshore purposes, reducing duplication between the two authorities.

Layered onto this is a functional split at federal level. Where a token behaves like a security or a commodity, it falls within the SCA's traditional remit; where a token operates as a fiat-referenced payment instrument, the Central Bank of the UAE (CBUAE) is engaged. This "same-risk, same-rules" logic means the label a project gives its token matters far less than what the token actually does.

The two financial free zones run their own regimes and their own regulators. In the DIFC, the Dubai Financial Services Authority (DFSA) operates a crypto-token framework; in Abu Dhabi Global Market (ADGM), the Financial Services Regulatory Authority (FSRA) runs one of the region's longest-standing virtual-asset regimes. Crucially, these regimes do not passport into one another. An ADGM FSRA authorisation permits operation from ADGM; it does not confer the right to operate under VARA in Dubai, under the DFSA in the DIFC, or under the SCA onshore. A group with genuinely multi-jurisdictional ambitions must plan for parallel authorisations, not one licence stretched across borders.

Stablecoins and the Central Bank

The stablecoin question sits with the CBUAE. Its Payment Token Services Regulation, issued in 2024, governs fiat-referenced tokens used for payment. It distinguishes Dirham Payment Tokens (AED-denominated stablecoins from a CBUAE-licensed issuer) from Foreign Payment Tokens, and regulates issuance, custody and transfer, and conversion. Its practical bite is significant: following a transition period, merchants in the UAE may not accept a virtual asset in payment for goods and services unless it is a licensed payment token — which excludes unbacked assets such as Bitcoin and Ether from the payments use-case. VASPs already licensed by VARA or the SCA generally need to align with the CBUAE regime to continue offering stablecoin-related services.

Core obligations every VASP carries

Whichever regulator issues the licence, a common floor of obligations applies:

  • AML/CFT. Every VASP operates within the UAE's federal anti-money-laundering and counter-terrorist-financing framework — customer due diligence, sanctions screening, suspicious-transaction reporting to the Financial Intelligence Unit through the national goAML portal, and record-keeping. This is the common national channel, whatever the licensing authority.
  • The Travel Rule. Qualifying virtual-asset transfers at or above the applicable threshold must carry originator and beneficiary information, in line with international standards.
  • Custody and client-asset protection. Segregation, safeguarding, and controls over private keys and collateral arrangements.
  • Market conduct. Prohibitions on market abuse and manipulation, fair-dealing and disclosure duties, and — a distinctive UAE feature — strict controls on the marketing and promotion of virtual assets.

Operating unlicensed: a real risk, not a theoretical one

The enforcement posture has hardened. VARA has moved beyond warnings to financial penalties, cease-and-desist orders, and public naming of unlicensed firms — across 2024 and 2025 it issued sanctions against dozens of entities for unlicensed activity and marketing breaches, with fines in published rounds running from the tens of thousands into the hundreds of thousands of dirhams per firm, and considerably higher ceilings available for serious cases. Beyond the fine, unlicensed operation contaminates banking relationships, invalidates counterparty contracts, and can foreclose the possibility of ever obtaining a licence.

Choosing a UAE home

For a crypto business, the strategic choice turns on fit, not fashion. Dubai retail-facing exchange and brokerage activity points naturally to VARA; an institutional or markets-infrastructure model may sit more comfortably in ADGM (FSRA) or the DIFC (DFSA); a security- or commodity-token proposition engages the SCA; and any fiat-referenced payment token engages the CBUAE. The right answer usually begins with an honest characterisation of the token and the activity, and only then a choice of forum. Getting that sequence right is the difference between a licence and a cease-and-desist order.

Instruments referenced: Dubai Law No. 4 of 2022 on the Regulation of Virtual Assets; Cabinet Decision No. 111 of 2022 on the Regulation of Virtual Assets and their Service Providers; VARA Virtual Assets and Related Activities Regulations 2023 and associated Rulebooks; the CBUAE Payment Token Services Regulation (2024); the ADGM FSRA and DIFC DFSA virtual-asset frameworks; and the UAE's federal AML/CFT framework administered through the Financial Intelligence Unit's goAML system. This page is general information, not legal advice; the framework is evolving and specific advice should be taken on any particular matter.

A technology or digital-asset matter on your desk?

Every matter is handled personally. Tell me about your situation and I'll advise on the best way forward — confidentially and without obligation.

Get in touch