Knowledge Hub · Financial Services · Virtual Assets
20 practitioner questions on UAE virtual asset regulation, with side-by-side answers across VARA (Dubai), DFSA (DIFC), FSRA (ADGM) and federal + international standards. Every answer cites primary sources only.
The Virtual Assets Regulatory Authority (VARA) is Dubai's dedicated virtual asset regulator, established by Dubai Law 4 of 2022. Operational since March 2022. Jurisdiction: all VA activities physically conducted from, or marketed to, Dubai mainland (excluding DIFC). Cabinet Decision 111/2022 confirmed VARA's federal recognition. VARA is the world's first dedicated virtual asset regulator with a separate statutory mandate (rather than an extension of an existing financial regulator).
Source: Dubai Law 4/2022; Cabinet Decision 111/2022The Dubai Financial Services Authority regulates virtual assets within DIFC under the DFSA Crypto Token Regime (introduced 2021, expanded 2022-2024). DFSA Crypto Tokens are integrated into the existing financial-services rulebook (GEN, CIR, COB, AML modules). Securities tokens treated as securities; payment tokens treated under separate regime; utility tokens limited.
Source: DFSA Rulebook GEN, CIR, COB, AML modules; DFSA Crypto Token RegimeThe Financial Services Regulatory Authority regulates virtual assets within ADGM under the FSRA Crypto Asset Framework (FCAF), launched 2018 and updated 2023. ADGM was the first MENA jurisdiction to issue a comprehensive virtual asset framework. Activities regulated under FSMR 2015 + FSRA Conduct of Business Rulebook (COBS) Section 17 + AML Rulebook.
Source: FSMR 2015; FSRA COBS Section 17; FSRA Crypto Asset Framework Guidance 2018 (updated 2023)Federal: SCA regulates security-token offerings federally under SCA Decisions 22 and 23/2020; CBUAE regulates Payment Tokens (stablecoins) federally under Regulation 2/2024. The UAE has split jurisdictions: VARA (Dubai mainland), DFSA (DIFC), FSRA (ADGM), SCA (federal securities tokens), CBUAE (federal payment tokens). Internationally: this multi-regulator approach contrasts with EU's MiCA Regulation (single EU-wide framework, 2023/1114) and Singapore's MAS Payment Services Act (single MAS regulator).
Source: SCA Decisions 22, 23/2020; CBUAE Regulation 2/2024; EU MiCA 2023/1114VARA Regulations 2023 + Activity Specific Rulebooks: (1) Advisory Services; (2) Broker-Dealer Services; (3) Custody Services; (4) Exchange Services; (5) Lending and Borrowing Services; (6) Virtual Asset Management and Investment Services; (7) Virtual Asset Transfer and Settlement Services. Plus issuer-side: VA Issuance approval. Each Activity has its own Rulebook. All licensees must comply with the four Compulsory Rulebooks: Company; Compliance and Risk Management; Technology and Information; Market Conduct.
Source: VARA Regulations 2023; Activity Specific Rulebooks; Compulsory RulebooksDFSA does not have a separate "VASP" category set. Crypto Token activities are mapped onto existing DFSA Financial Services categories — Arranging, Dealing, Managing, Advising, Custody, Operating an Investment Exchange or Crypto Token Trading Facility — each requiring the relevant Specific Endorsement under the existing DFSA licensing framework.
Source: DFSA GEN Module; DFSA Crypto Token EndorsementFSRA crypto activities are similarly mapped onto FSMR-defined Regulated Activities — Operating a Multilateral Trading Facility (for crypto exchanges); Providing Custody; Dealing in Investments as Principal/Agent; Arranging Deals; Managing Assets — with specific permissions for Accepted Virtual Assets.
Source: FSMR 2015; FSRA COBS Section 17VARA's 7-category split is bespoke to the UAE. EU MiCA uses 9 categorisations of "crypto-asset services" (Article 3(1)(16)). Singapore MAS PSA has 7 payment service activities. UK FCA registers VASPs under MLRs without a separate category structure. The UAE multi-regulator approach with VARA's bespoke categories is more granular than most international peers.
Source: EU MiCA Article 3; Singapore Payment Services Act 2019VARA and FSRA operate independently, but VARA's framework draws on the FSRA experience. Cross-border activity between Dubai mainland and ADGM requires VARA licence + ADGM licence where physical activity occurs in both. Many groups operate parallel ADGM/Dubai mainland licences.
Source: Dubai Law 4/2022; ADGM Founding Law 4/2013DFSA and FSRA operate two separate financial-centre crypto regimes. Both are well regarded internationally. DFSA's regime is more recent (2021-onwards); FSRA's regime predates DFSA's by 3 years and is the earlier MENA reference point.
Source: DFSA Crypto Token Regime; FSRA Crypto Asset FrameworkFSRA Crypto Asset Framework launched June 2018 — the first comprehensive MENA virtual asset regulatory framework. Key concepts: Accepted Virtual Asset (must be authorised by FSRA — list maintained); Recognised Crypto Asset Exchange; tailored capital and conduct rules; specific custody requirements (cold-storage minimums); FATF-aligned AML/CFT. Updated 2023 to align with VARA developments and OECD/FATF advances.
Source: FSMR 2015; FSRA COBS Section 17; FSRA Crypto Asset Framework Guidance 2018 (updated 2023)FSRA's 2018 framework was a global first-mover. Comparable: SFC Hong Kong (since 2018, expanded 2023 retail framework); MAS Singapore (PSA 2019); FCA UK (since 2020 MLRs registration). EU MiCA (in force 2024-2025) is now the comprehensive comparator at scale.
Source: SFC Hong Kong Statement 6 November 2018; EU MiCA 2023/1114VARA does not operate a "crypto token" classification in the same way as DFSA — VARA's framework focuses on activities (Q2), with token-level scrutiny via the Issuance Approval process. A token issued under DFSA approval is not automatically marketed-permitted in Dubai mainland — VARA approval is separately required.
Source: Dubai Law 4/2022; VARA Issuance RulebookDFSA Crypto Token Regime: classifies tokens as Investment Token (security or derivative — treated under existing securities framework); Crypto Token (payment / utility — newer regime); Excluded Token (e.g. fiat currency, certain CBDCs). Recognised Crypto Tokens published by DFSA (e.g. Bitcoin, Ether, certain stablecoins). Activities require Specific Endorsement of an existing DFSA licence. Marketing to retail subject to suitability and risk-warning rules.
Source: DFSA GEN Module 1.5; DFSA Crypto Token Module CIR App 2; DFSA Recognised Crypto Tokens ListFSRA's parallel regime classifies as Accepted Virtual Asset (authorised — list maintained), Specified Investment (security tokens — fall under FSMR Schedule 1 categories), and excluded categories (fiat currencies, certain stablecoins under separate regime).
Source: FSMR 2015; FSRA Accepted Virtual Asset listToken-classification approach (substance over form) is the international consensus. EU MiCA classifies as Asset-Referenced Token, E-Money Token, or "other" Crypto Asset (Articles 3-5). UK FCA distinguishes Security Tokens, E-Money Tokens, Unregulated Tokens. UAE multi-regulator classification largely converges with these international categories.
Source: EU MiCA Articles 3-5; UK FCA PS19/22 Crypto Assets GuidanceCBUAE Payment Token Services Regulation (Regulation 2/2024) supersedes any VARA framework on stablecoin issuance. VARA-licensed entities engaging in PT-related activities (issuance, conversion, custody, transfer) require both VARA activity licence AND CBUAE Payment Token Service Provider authorisation. Coordination memorandum between VARA and CBUAE.
Source: CBUAE Regulation 2/2024; VARA Regulations 2023DFSA-licensed entities offering Payment Token services to UAE residents must comply with CBUAE Regulation 2/2024 — federal regulation has overriding scope on Payment Tokens. DFSA has signed information-sharing memorandum with CBUAE.
Source: CBUAE Regulation 2/2024; DFSA-CBUAE MOUFSRA-licensed entities are similarly subject to CBUAE Regulation 2/2024 for Payment Token services to UAE residents. Cross-regulatory coordination via MOU.
Source: CBUAE Regulation 2/2024; FSRA-CBUAE MOUCBUAE Regulation 2/2024 (effective 1 July 2024). Headline features: Payment Tokens defined as fiat-referenced stablecoins; AED-referenced stablecoins favoured for domestic payments; foreign-currency stablecoins permitted for limited cross-border use; 1:1 high-quality liquid asset reserve, daily MTM, segregated, audited monthly; UAE substance and reserves with CBUAE-licensed banks. Comparable to EU MiCA E-Money Token regime, MAS Singapore's Stablecoin Regulatory Framework (2023), and UK FCA stablecoin proposals.
Source: CBUAE Regulation 2/2024; EU MiCA Articles 48-58 (E-Money Tokens)VARA Compliance and Risk Management Rulebook Part V implements the Travel Rule. VARA-licensed VASPs must collect, hold and securely transmit originator and beneficiary information for VA transfers above USD 1,000. Required data: name, account/wallet identifier, physical address (or DOB / national ID), beneficiary name and account. Sunrise problem (where one side is in a non-Travel-Rule jurisdiction) addressed via VARA's Counterparty VASP Diligence framework.
Source: VARA Compliance and Risk Management Rulebook Part V; FATF Recommendation 16DFSA AML Module Section 14 implements Travel Rule for DIFC VASPs. Same USD 1,000 threshold. Counterparty VASP diligence framework parallels VARA's. DFSA published Travel Rule Guidance 2024.
Source: DFSA AML Module Section 14; DFSA Travel Rule Guidance 2024FSRA AML Rulebook Section 14 implements Travel Rule. FSRA was the first MENA regulator to operationalise Travel Rule (2018). FSRA Counterparty VASP Diligence and Travel Rule Guidance 2024 align with VARA/DFSA approach.
Source: FSRA AML Rulebook Section 14; FSRA Travel Rule Guidance 2024Federal AML Law (FDL 20/2018) + Cabinet Decision 10/2019 also impose AML/CFT obligations including Travel Rule on VASPs UAE-wide. International: FATF Recommendation 16 + Updated Guidance for VASPs (October 2021); EU TFR Regulation 2023/1113 (companion to MiCA — Travel Rule for crypto, no de minimis); FinCEN US (Bank Secrecy Act FinCEN Final Rule). UAE Travel Rule implementation is FATF-compliant.
Source: FATF Recommendation 16; EU Transfer of Funds Regulation 2023/1113VARA Compliance and Risk Management Rulebook + Federal AML Law FDL 20/2018 + Cabinet Decision 10/2019. Requirements: appointment of MLRO; risk-based AML/CFT programme; customer due diligence (CDD) including beneficial owner identification; enhanced due diligence for high-risk customers (PEPs, high-risk jurisdictions); ongoing transaction monitoring; suspicious-transaction reporting to UAE FIU through goAML portal; record-keeping 5 years minimum; staff training; Travel Rule (Q6); periodic risk assessment.
Source: VARA Compliance and Risk Management Rulebook; FDL 20/2018; Cabinet Decision 10/2019DFSA AML Module — comparable obligations. DFSA-licensed VASPs file STRs through UAE FIU goAML portal. DFSA enforcement of AML rules has been a high priority post-FATF 2020 mutual evaluation.
Source: DFSA AML Module; FDL 20/2018FSRA AML Rulebook — comparable obligations. FSRA was the first MENA regulator with virtual-asset-specific AML guidance. FSRA-licensed VASPs use UAE FIU goAML portal for STRs.
Source: FSRA AML Rulebook; FDL 20/2018FDL 20/2018 (federal AML/CFT) + Cabinet Decision 10/2019 + UAE FIU regulations apply UAE-wide. The UAE was placed on FATF "grey list" in 2022 and removed in February 2024 following substantial reforms — VASP regulation a centrepiece. EU AMLD 5 + AMLD 6, US Bank Secrecy Act, UK MLRs 2017 — UAE AML/CFT now broadly aligned.
Source: FATF Mutual Evaluation Report (2020) + Follow-up; EU AMLD 5/6; US BSAVARA Marketing Regulations 2023: marketing of VA products to Dubai-resident retail clients requires a VARA licence with appropriate retail authorisation. Marketing must be fair, clear, not misleading; risk warnings prominent; influencer arrangements disclosed; targeted advertising restrictions for under-18s; "do your own research" disclaimers required. VARA has actively enforced marketing rules including issuing public warnings and orders against non-compliant promoters.
Source: VARA Marketing Regulations 2023; VARA Compulsory Rulebook on Market ConductDFSA COB Module Marketing Rules apply — financial promotions to DIFC retail clients require licensed firm involvement, prescribed risk warnings, suitability gating. Cross-border marketing into Dubai mainland requires VARA approval (DFSA licence does not passport to mainland for marketing).
Source: DFSA COB Module; Dubai Law 4/2022FSRA COBS Module marketing rules: similar prescribed-risk-warning regime. ADGM-licensed firm marketing to UAE-mainland retail must respect VARA's mainland jurisdiction.
Source: FSRA COBS ModuleFederal marketing rules apply to non-UAE VASPs targeting UAE residents. Comparable: UK FCA Crypto Asset Financial Promotion regime (effective October 2023 — strict including 24-hour cooling-off); EU MiCA Article 7 white paper marketing rules; Singapore MAS Digital Token Service Provider marketing restrictions (effective June 2024 — much tighter retail rules).
Source: UK FCA Promotion Order; EU MiCA Article 7; MAS DTSP NoticeVARA Custody Services Rulebook + Compulsory Technology and Information Rulebook: client assets segregated from firm assets; minimum cold-storage threshold (not less than 80-90% per asset type per Rulebook); hot-wallet limits; multi-signature key management; insurance coverage; periodic third-party penetration testing; reconciliation requirements; audit by approved auditor; bankruptcy-remote structures preferred.
Source: VARA Custody Services Rulebook; VARA Technology and Information RulebookDFSA COB Module 6.11 + Crypto Token additions: comparable segregation, cold-storage minimums, key management. DFSA Custody Endorsement requires client-asset audit and reconciliation.
Source: DFSA COB Module 6.11; DFSA Custody EndorsementFSRA COBS 17.7 + 17.8 — segregation, cold storage minimums, key management, audit. FSRA was first MENA regulator with explicit cold-storage % threshold (typically 90%+).
Source: FSRA COBS Sections 17.7-17.8UAE custody rules align with MAS Singapore Notice PSN02 (PSP custody rules) and HK SFC Anti-money Laundering and Counter-Terrorist Financing Guideline (cold-wallet 98%). EU MiCA Article 75 imposes custody obligations on Crypto-Asset Service Providers — broadly consistent with UAE approach. The post-FTX environment globally (late 2022) drove convergence on segregated, audited, predominantly cold-stored custody.
Source: EU MiCA Article 75; HK SFC AMLO Guidelines; MAS Notice PSN02VARA does not regulate NFTs that are "unique, non-fungible, and not used as a means of payment" — these fall outside the Dubai Law 4/2022 definition of Virtual Asset. Substance test: where an NFT exhibits fungibility characteristics (fractional ownership, mass-issued series traded on liquid markets, used as payment, or marketed as investment), VARA may treat it as a Virtual Asset and require licensing. NFT marketplaces facilitating speculative trading of fungible-character NFTs typically need VARA licensing.
Source: Dubai Law 4/2022; VARA Issuance RulebookDFSA NFT treatment under the Crypto Token Regime substance test — pure-collectible NFTs typically excluded; NFTs functioning as Investment Tokens (fractionalised, mass-issued, traded for investment return) are regulated as securities or Crypto Tokens.
Source: DFSA Crypto Token Regime; DFSA GEN App 5FSRA NFT Guidance 2023: substance-over-form approach. Pure unique-collectible NFTs not regulated. NFTs with fungible-character features regulated as Virtual Assets or Specified Investments depending on construction.
Source: FSRA NFT Guidance 2023UAE substance approach aligns with EU MiCA (NFTs largely excluded under Article 4(3) unless they represent fungible rights) and US SEC's Howey-test approach (NFTs sold as investment contracts may be securities — SEC actions against Impact Theory, Stoner Cats, Flyfish Club). The UAE position is more stable than the US enforcement-driven position.
Source: EU MiCA Article 4(3); SEC Order 2023 In the Matter of Impact Theory LLCTokens conferring securities-like rights (equity, debt, profit-share) fall under SCA federal jurisdiction (SCA Decisions 22/2020, 23/2020) where offered to UAE residents. VARA coordinates with SCA on dual-jurisdiction matters. Pure security-token offerings to professional investors only may obtain bespoke approvals.
Source: SCA Decisions 22/2020, 23/2020; Dubai Law 4/2022Investment Tokens (security/derivative tokens) fall within the existing DFSA securities framework — regulated under the relevant Specified Investment categories (Shares, Debentures, Units, Derivatives). Issuance via Prospectus or Exempt Offer; secondary trading via DFSA-licensed Investment Exchange or MTF.
Source: DFSA Markets Law DIFC Law 1/2012; DFSA GEN App 5Security tokens fall within FSMR Schedule 1 categories (Shares, Debentures, Units in CIS, Derivatives) and require Authorisation under existing categories. FSRA 2017 Guidance on Initial Coin/Token Offerings established the substance test.
Source: FSMR 2015 Schedule 1; FSRA ICO/STO Guidance 2017SCA Decisions 22-23/2020 establish federal security-token framework; offerings require SCA approval. International: SEC US (Howey test); EU MiCA excludes financial-instrument tokens from MiCA scope (regulated under MiFID II); UK FCA Security Token Regime under existing securities framework. UAE is fully within international consensus on security-token treatment.
Source: SCA Decisions 22, 23/2020; SEC v W.J. Howey Co 328 US 293 (1946)VARA licence required where (i) VA activities are physically conducted from Dubai mainland; (ii) services are marketed to or offered to Dubai-resident retail clients ("solicitation" trigger). Pure outbound trades by Dubai-resident clients on foreign platforms (no marketing into Dubai) generally outside VARA scope but may have AML/CFT implications. Reverse-solicitation defence narrowly construed.
Source: Dubai Law 4/2022; VARA Marketing Regulations 2023DFSA licence required where activities are physically conducted from DIFC, or financial promotions made to DIFC clients. Reverse solicitation narrowly construed — must be "at the exclusive initiative" of the client without solicitation.
Source: DFSA GEN Module; DFSA RPP guidanceFSRA licence required for ADGM-physical activities + ADGM-resident-client solicitation. Comparable reverse-solicitation framework.
Source: FSMR 2015; FSRA Marketing Conduct RulesCross-border solicitation rules align with EU MiCA Article 61 reverse-solicitation, MAS Singapore (June 2024 DTSP regime — narrower reverse-solicitation), UK FCA financial-promotion regime. The UAE three-regulator structure means a non-UAE provider must consider VARA + DFSA + FSRA + federal scope simultaneously.
Source: EU MiCA Article 61; MAS DTSP Notice 2024VARA-SCA coordination: where a Dubai-licensed VARA entity conducts security-token activity, SCA approval is also required for the security-token element. Information-sharing memorandum.
Source: SCA-VARA MOU; SCA Decisions 22, 23/2020SCA's federal jurisdiction over security tokens does not displace DFSA's DIFC jurisdiction within the financial centre. DIFC-resident security-token issuers regulated by DFSA Markets framework rather than SCA.
Source: DFSA-SCA framework; DIFC Law 9/2004Same position. ADGM-resident security-token issuers regulated by FSRA, not SCA.
Source: FSRA-SCA framework; ADGM Founding Law 4/2013SCA Decisions 22 and 23/2020 establish the federal Security Token Offering and Crypto Asset framework — onshore (excluding DIFC, ADGM, Dubai mainland which is VARA). SCA cooperates with VARA, DFSA, FSRA via MOUs. SCA also supervises commodity exchanges and the federal capital markets — virtual assets are an extension rather than the core mandate.
Source: SCA Decisions 22, 23/2020; FL 4/2000 (SCA Law)DMCC (Dubai Multi Commodities Centre) free zone "crypto" trade licence permits trading and incorporation activities, but does NOT confer VA-services authorisation. A DMCC entity offering VA services to Dubai-resident clients still requires VARA licence. DMCC is a corporate / trade-licence layer, not a VA regulator. Same applies to IFZA, Meydan FZ, JAFZA: they license corporate vehicles but VARA / FSRA / DFSA / SCA / CBUAE are the conduct regulators.
Source: DMCC Free Zone regulations; Dubai Law 4/2022DIFC entity formation is via DIFC Authority; conduct regulation is DFSA. Both licences are required for VA services in DIFC.
Source: DIFC Authority Law; DFSA frameworkADGM entity formation via ADGM Registration Authority; conduct regulation by FSRA. Both required.
Source: ADGM Registration Authority; FSRA frameworkThe distinction between corporate trade licence and conduct authorisation is universal. Singapore: ACRA (incorporation) vs MAS (conduct). UK: Companies House vs FCA. The UAE multi-free-zone landscape has historically caused confusion — VARA's establishment and federal framework clarification post-2022 has substantially mitigated this.
Source: Singapore ACRA / MAS framework; UK Companies House / FCA frameworkVARA-licensed Dubai mainland VASPs subject to standard FDL 47/2022 corporate tax (9% above AED 375,000). Trading in virtual assets, transaction fees, custody fees etc. are taxable income. Cabinet Decision 100/2023 QFZP regime is generally not available to mainland VARA entities (mainland is not a Free Zone). Specific guidance on virtual-asset cost basis, valuation and FX treatment in FTA Public Clarification CT P-005 (2024).
Source: FDL 47/2022; FTA CT Public Clarification CT P-005 (2024)DIFC VASPs may qualify as Qualifying Free Zone Person under Cabinet Decision 100/2023 + Ministerial Decision 265/2023, achieving 0% on Qualifying Income (typically B2B fund/treasury services). Direct-to-retail virtual-asset trading typically falls outside Qualifying Income — taxed at 9%.
Source: Cabinet Decision 100/2023; MD 265/2023ADGM VASPs face the same QFZP analysis. Holding-company / fund-management activities may qualify; direct retail VA trading typically does not.
Source: Cabinet Decision 100/2023; MD 265/2023Federal CT scope: VASP earnings taxable; capital gains on individual personal investment in VA generally outside CT under Cabinet Decision 49/2023 (natural persons). DMTT (Cabinet Decision 142/2024) applies to in-scope VASP MNE groups (revenue EUR 750m+). International: US treats virtual assets as property (IRS Notice 2014-21); UK as property/CGT or income depending on activity (HMRC CRYPTO20000); Singapore generally tax-free if not deemed business.
Source: Cabinet Decisions 49/2023, 142/2024; IRS Notice 2014-21; HMRC CRYPTO20000Under Dubai Law 4/2022 and VARA Regulations 2023: (i) investigations + production orders; (ii) administrative fines (up to AED 50m+ for serious breaches); (iii) licence suspension/revocation; (iv) public censure; (v) restitution / disgorgement orders; (vi) prohibition on individuals; (vii) referral to public prosecution for criminal offences. VARA appeals lie through the Dubai Courts administrative circuit. VARA has actively used enforcement tools — public warnings, license cancellations, and fines published since 2023.
Source: Dubai Law 4/2022; VARA Regulations 2023; VARA Enforcement ProcedureDFSA enforcement powers under Regulatory Law DIFC Law 1/2004 — administrative fines, prohibitions, licence revocation, restitution. Appeal to Financial Markets Tribunal under DIFC Law 5/2014 then DIFC Court of Appeal.
Source: DIFC Law 1/2004; DIFC Law 5/2014FSRA enforcement powers under FSMR 2015 ss229-236 — fines, prohibitions, suspensions. Appeal to ADGM Regulatory Committee then Court of Appeal.
Source: FSMR 2015 ss229-236UAE three-regulator enforcement broadly comparable to UK FCA, MAS Singapore, HK SFC. EU MiCA Articles 105-110 require national regulator enforcement powers including fines up to EUR 15m or 12.5% of annual turnover for legal persons. VARA's published fines have so far been narrower in scale but the framework supports substantial penalties.
Source: EU MiCA Articles 105-110; UK FSMA 2000 s206Capital and fees vary by Activity (per Activity Specific Rulebook): typical paid-up capital ranges AED 100k (Advisory) to AED 5m+ (Exchange / Custody). Application fees AED 40k-100k+; annual supervision fees on a percentage-of-revenue or activity-tier basis. Substance: physical office in Dubai, qualified personnel in scope (MLRO, COO, CEO, CTO/Head of Cyber as applicable), local board/committee meetings, audited UAE accounts.
Source: VARA Activity Specific Rulebooks; VARA Fee ScheduleDFSA capital varies by category — typically PIB (Prudential Investment Business) Module rules apply. Substance per DFSA GEN Module — fit-and-proper Approved Persons, physical office, audited DIFC accounts.
Source: DFSA PIB Module; DFSA GEN ModuleFSRA capital under PRU Module + COBS 17. Substance per FSRA GEN Module — Authorised Senior Executive Function holders, physical ADGM office, audited accounts.
Source: FSRA PRU Module; FSRA GEN ModuleUAE capital requirements broadly aligned with EU MiCA Article 67 (initial capital tiers — EUR 50k Class 1 Advisory; EUR 125k Class 2; EUR 150k Class 3 Trading Platform / Custody) and MAS Singapore (SGD 100k base capital). VARA's tiered Activity-specific approach is more granular than MiCA's three-tier model.
Source: EU MiCA Article 67; MAS PSA Capital RequirementsVARA Compulsory Rulebook on Market Conduct + Activity-specific COB rules: retail clients receive enhanced suitability assessment, mandatory risk warnings, complaint-handling procedures, leverage caps, marketing restrictions. Professional Clients (institutional investors meeting AUM and experience thresholds) and Qualified Investors face lighter-touch protections. Retail-targeted VA derivatives generally restricted (similar to FCA UK retail-derivative ban 2021).
Source: VARA Market Conduct Rulebook; VARA COB rulesDFSA Conduct of Business categorisation: Retail Client, Professional Client, Market Counterparty. Marketing of Crypto Tokens to Retail Clients restricted; suitability and risk-warning regime applies. Cooling-off period for retail purchase.
Source: DFSA COB Module Section 2; DFSA Crypto Token RulesFSRA Client Categorisation: Retail Client, Professional Client (per se / elective), Market Counterparty. Retail crypto access permitted but with strong suitability + risk-warning regime. Some leveraged products restricted to professional clients only.
Source: FSRA COBS Section 2; FSRA Client CategorisationUAE retail / professional split aligns with MiFID II and FCA. EU MiCA Article 69 imposes retail protections for crypto-asset offerings; specific prohibition on misleading marketing. MAS Singapore June 2024 reform tightens DTSP retail protections (mandatory risk acknowledgement, 24-hour cooling-off). UAE is in the international mainstream on retail protection.
Source: EU MiCA Article 69; MiFID II Article 25; UK FCA Crypto Promotion Order 2023VARA Compulsory Rulebook on Technology and Information: cybersecurity programme; multi-signature key management with HSMs; cold-storage minimums; penetration testing (annual minimum); incident-reporting (within 24-72 hours per severity); business-continuity plan; cybersecurity-incident insurance encouraged. Aligns with NIST Cybersecurity Framework + ISO 27001 + UAE Information Assurance Standards.
Source: VARA Technology and Information RulebookDFSA GEN Module Section 5 (Systems and Controls) + crypto-specific add-ons. DFSA Cyber Risk Guidance + UAE Information Assurance Standards apply.
Source: DFSA GEN Module Section 5; DFSA Cyber Risk GuidanceFSRA GEN + Operational Risk Module + Crypto-specific COBS 17 cyber requirements. ADGM operates strict incident-reporting framework parallel to DFSA.
Source: FSRA GEN; FSRA COBS Section 17UAE operational-resilience requirements aligned with EU DORA (Digital Operational Resilience Act 2022/2554) — applicable to MiCA CASPs from January 2025. UK FCA / PRA SS1/21 Operational Resilience. Singapore MAS Notice TRM. UAE post-FTX environment has strengthened cyber requirements faster than several international peers.
Source: EU DORA 2022/2554; UK PRA SS1/21; MAS Notice TRMVARA has signed MOUs with multiple international regulators (HK SFC, MAS Singapore, FCA UK, regulators in Switzerland, France, Hong Kong) for information-sharing and supervisory cooperation. No formal equivalence regime — a foreign-licensed firm wishing to serve UAE clients still needs UAE licence. VARA encourages cross-listing of recognised assets (e.g. major exchange tokens).
Source: VARA MOUs (published); Dubai Law 4/2022DFSA has IOSCO MMOU + bilateral MOUs with major financial regulators. DIFC firms benefit from DIFC Government's reputation in cross-recognition (e.g. with Indian SEBI for foreign-portfolio investor passporting). No automatic crypto-specific equivalence.
Source: DFSA MOU network; IOSCO MMOUFSRA has signed extensive international MOUs (IOSCO MMOU + bilateral with FCA UK, MAS Singapore, SEC US, ASIC Australia, etc.). FSRA operates the Digital Lab regulatory sandbox for cross-border collaboration.
Source: FSRA MOU network; FSRA Digital LabEU MiCA's single passport across 27 EU member states is the most ambitious cross-recognition. The UAE three-regulator approach + federal layers means there is no internal "passport" between VARA, DFSA, FSRA — but the MOU network provides supervisory cooperation. International FATF VASP Travel Rule alignment provides de facto convergence on AML/CFT compliance.
Source: EU MiCA passport regime; FATF Travel Rule alignmentNot legal advice. This entry is reference. Specific facts always change the answer. Speak to us for matter-specific advice.
We add Q&As as practitioners ask them. Same business-day partner response on matter-specific advice.
Speak to us →