Exchange operations
Running any platform where buyers and sellers of virtual assets transact.
UAE’S FIRST CRYPTO-NATIVE LAW FIRM · EST. 2016
QUICK ANSWER
A UAE VASP licence authorises your crypto business to operate legally, whether you run an exchange, custody platform, broker-dealer service, or lending operation. Five regulators cover five different jurisdictions and client types. The right choice depends on your business model, target market, and capital position. Operating without authorisation can result in fines and criminal investigations. NeosLegal has guided 300+ businesses through this process since 2016, across VARA, ADGM, DIFC, CMA, and CBUAE. Book a strategy call to map your licensing path.
WHAT FOUNDERS NEED TO KNOW
Crypto exchanges, custodians, broker-dealers, OTC desks, and DeFi platforms entering the UAE face one of the most advanced and most complex regulatory environments in the world. The UAE does not have one crypto regulator. It has five, each with distinct licensing categories, capital requirements, operational standards, and jurisdictional reach.
Selecting the wrong regulator is the most expensive early-stage mistake a crypto founder makes in the UAE. NeosLegal assesses your business model, target clients, token design, and growth plans before any application begins. We then drive the entire process: jurisdiction selection, entity structuring, documentation preparation, regulator engagement, and post-approval compliance.
UAE VASP LICENSING
A Virtual Asset Service Provider (VASP) is any business that conducts regulated virtual asset activities on behalf of others or as part of its commercial operations. If your business does any of the following, it is a VASP and requires a licence from the relevant UAE regulator:
Running any platform where buyers and sellers of virtual assets transact.
Holding, storing, or controlling virtual assets or private keys on behalf of clients.
Executing virtual asset transactions on behalf of clients or dealing as principal.
Operating any facility that provides credit against virtual assets or enables asset lending.
Providing investment advice or managing portfolios of virtual assets for clients.
Issuing, offering, or placing virtual assets. This includes token launches, STOs, and certain NFT platforms.
CRITICAL NOTE
A trade licence from any UAE free zone, including DMCC, IFZA, and RAKEZ, does not authorise regulated virtual asset activities. A trade licence and a VASP licence are entirely separate regulatory instruments.
VARA fined 19 firms simultaneously for unlicensed operation in 2025. Stage of business and company size are not protections. The enforcement posture is active and consistent.
WHO REGULATES CRYPTO IN THE UAE
Understanding which regulator covers your business is the foundational decision. Each operates under a different legal framework, covers a different geographic jurisdiction, and serves a different client profile. Compliance with one does not substitute for compliance with another.
Jurisdiction: Dubai mainland and most Dubai free zones.
The world’s first dedicated virtual asset regulator, established under Dubai Law No. 4 of 2022. VARA Rulebook Version 2.0 has been in force since May 2025. VARA governs eight activity categories: Exchange Services, Broker-Dealer Services, Custody Services, Management and Investment Services, Transfer and Settlement Services, Lending and Borrowing Services, Advisory Services, and Virtual Asset Issuance. VARA licensing runs in two stages: Approval to Incorporate (ATI), which permits entity formation but not regulated activity, followed by the full VASP licence.
Choose VARA for: exchanges, OTC desks, custodians, token projects, RWA platforms, and investment management services primarily in Dubai.
2026 UPDATE
VARA Rulebook 2.0 introduced the ARVA framework, the world’s first dedicated regulatory regime for real-world asset tokenization. Any Dubai-based project issuing asset-referenced tokens requires VARA ARVA compliance.
Jurisdiction: Abu Dhabi financial free zone.
English common law. English-language courts. Licensing virtual asset businesses since 2018. The FSRA is generally preferred for institutional capital management, fund structures, sophisticated international investors requiring common law certainty, DAO governance under the DLT Foundation framework, and institutional-grade dealers.
2026 UPDATE
ADGM’s FRT (Fiat-Referenced Token) framework came into force on 11 January 2026. Standalone FRT issuers require minimum CET1 capital of USD 2,000,000.
Jurisdiction: Dubai financial free zone.
A common law financial centre with independent courts and a globally recognised regulatory framework. The DFSA regulates Investment Tokens, digital asset activities, and traditional financial services within DIFC. An enhanced digital asset regime took effect from January 2026. DIFC recognises seven pre-approved crypto tokens: BTC, ETH, LTC, TON, XRP, USDC, and EURC.
Choose DIFC for: regulated financial institutions expanding into digital assets, asset managers, broker-dealers, and firms with institutional counterparties in London, New York, or Singapore.
2026 UPDATE
The DFSA expanded its Investment Token regime, increasing requirements for custody, client asset segregation, and risk disclosures, aligning DIFC more closely with global financial centres.
Jurisdiction: Federal UAE, payment tokens and DeFi.
The CBUAE governs payment tokens, stablecoins, and DeFi platforms under Federal Decree-Law No. 6 of 2025. The compliance deadline for DeFi protocols, payment platforms, and bridge operators is 16 September 2026. The CBUAE penalty ceiling for non-compliance is AED 1 billion.
Choose CBUAE for: AED stablecoin projects, payment platforms, fintech infrastructure, and settlement systems.
2026 UPDATE
The Payment Token Services Regulation and Federal Decree-Law No. 6 of 2025 extended CBUAE oversight into DeFi and payment-linked virtual asset activity, with strict requirements on licensing, reserve backing, and prohibition of algorithmic stablecoins.
Jurisdiction: Federal UAE, onshore.
The CMA issued Decision No. 4/R.M/2026 on 13 February 2026, replacing the entire 2023 federal VASP framework. Eight licensed activity categories. Minimum capital from AED 500,000 to AED 4 million. Hard prohibitions on privacy tokens and algorithmic tokens. Extraterritorial reach: applies to any business targeting UAE clients, even if operating from outside the country.
Choose CMA for: projects issuing investment tokens, tokenized funds, commodity-linked products, or operating in onshore UAE markets outside VARA and ADGM frameworks.
| Regulator | Jurisdiction | Best for | Key 2026 update |
|---|---|---|---|
| VARA | Dubai and most Dubai free zones | Exchanges, trading platforms, custodians, RWA token issuers | ARVA framework: first dedicated RWA tokenization regime |
| ADGM/FSRA | Abu Dhabi financial free zone | Institutional players, funds, DAO structures, international investors | FRT framework in force 01 Jan 2026; USD 2M CET1 minimum |
| DIFC/DFSA | DIFC financial free zone | Traditional asset managers, broker-dealers, institutional finance | Expanded Investment Token regime; stricter governance and custody |
| CBUAE | Federal UAE | AED stablecoin issuers, payment platforms, fintech systems | DeFi oversight extended; September 2026 compliance deadline |
| CMA | Federal UAE onshore | Exchanges, custodians, funds, tokenized securities | New federal framework Decision No. 4/R.M/2026 |
VASP LICENSING PROCESS
Map your business activities to the correct regulatory category under the relevant regulator. This determines which activities require licensing, which regulator has jurisdiction, and whether any exemptions apply. This single step prevents the most expensive mistake in UAE crypto market entry.
Select the optimal regulator based on your business model, target market, capital position, token design, and growth strategy. This decision must be made before incorporation.
VARA and ADGM both conduct pre-application meetings with prospective applicants. NeosLegal manages substantive pre-application conversations that surface specific concerns before you file. The difference between well-handled pre-application dialogue and none at all is routinely three to six months on licensing timeline.
Incorporate the UAE entity under the correct structure: mainland, free zone, or ADGM/DIFC. Capital requirements, governance mandates covering the CEO, MLRO, and Compliance Officer, and office substance requirements all flow from the licensing framework.
Prepare the full application package: regulatory business plan, AML/CTF framework, compliance policies, risk assessment, governance documentation, UBO disclosure, technology architecture review, and team fit-and-proper evidence. This phase is the most time-consuming and the most common source of delays.
Submit to the relevant regulator. VARA requires an ATI before the main application. Regulator queries are where unprepared applications lose months. NeosLegal manages all regulatory correspondence throughout the review process. Experience across multiple applications means we know what the regulator is actually asking.
In-Principle Approval comes with conditions: capital injection, office establishment, Approved Persons completion, and technology testing. We manage every condition through to the final operating licence, so there is no gap between conditional approval and launch.
Annual compliance certificates, periodic VARA and ADGM reviews, ongoing AML program maintenance, VARA marketing compliance, and regulatory change monitoring. We stay alongside you after authorization.
Founder commentary on licensing process
“Most licensing failures are not caused by the application itself. They are caused by structural decisions made 6 months earlier: wrong jurisdiction, wrong entity type, wrong governance appointments.
By the time founders reach us after a failed application, the cost of correction is always greater than the cost of getting it right the first time.”
REQUIREMENTS
Missing any of these is the primary cause of delayed applications.
VARA requires a Dubai entity. ADGM requires an ADGM entity. DIFC requires a DIFC entity. Incorporating in the wrong jurisdiction before regulatory pathway confirmation adds months and significant restructuring cost.
Board composition, senior management structure, decision-making authority, and conflicts of interest policy, designed for the specific regulator’s current standards. Generic templates trigger queries.
Implemented KYC, configured transaction monitoring, appointed MLRO, completed staff training, and documented testing evidence. Not a draft. Regulators want compliance programs, not compliance documents. A compliance document describes what a firm intends to do. A compliance program demonstrates what a firm is already doing.
Senior Executive Officer, Compliance Officer, MLRO, Finance Officer, and Licensed Directors. Crypto-specific experience is expected and increasingly scrutinised by VARA and the FSRA. The CEO, MLRO, and Compliance Officer must be UAE-resident and meet fit-and-proper standards.
Unencumbered capital meeting the correct category requirement, calculated accurately. Wrong category calculations require auditor involvement to resolve. All capital must be maintained at all times, not deposited once at application.
System architecture, cybersecurity, business continuity, and disaster recovery documentation. For custodians: cryptographic key management documentation to VARA and FSRA standards.
BIGGEST MISTAKES FOUNDERS MAKE
Licensing delays in the UAE are rarely caused by slow regulators. They are caused by avoidable structural mistakes made before the application is ever filed. The same six mistakes appear in the majority of stalled or delayed applications NeosLegal encounters.
The most common and most expensive mistake. Founders choose a free zone first, then discover the regulator they need does not operate there. Or they incorporate in Dubai and find their business model is better suited to ADGM. By the time the mismatch surfaces, there is an entity to unwind, capital tied up in the wrong structure, and months lost. The correct sequence is always: regulatory assessment first, jurisdiction second, entity third. Not the other way around.
VARA governs eight distinct activity categories. Each carries different capital requirements, governance standards, AML obligations, and application documentation. A founder who classifies an OTC desk as an exchange service applies under the wrong category. A custody provider who omits the management and investment component applies for an incomplete permission set. Both discover the error during VARA’s review, not before filing. Misclassification does not just delay the application. It signals to the regulator that the applicant does not fully understand their own business model.
VARA and ADGM do not want compliance documentation. They want compliance programs. A compliance document describes what a firm intends to do. A compliance program demonstrates what a firm is already doing: implemented KYC procedures, configured transaction monitoring, an appointed MLRO, completed staff training, and documented evidence of testing. Founders who submit policy documents instead of operational programs receive queries that add three to six months to the review process.
VARA and ADGM both require genuine local substance: not a registered address, not a nominee arrangement, not a virtual office. Substance means qualified senior management physically present in the UAE, a genuine operating presence, and key decision-making that demonstrably occurs within the jurisdiction. Founders who structure for minimal local presence discover during licensing review that their governance model does not satisfy regulator expectations.
They are not. VARA covers Dubai. CMA has federal reach. A business serving clients across multiple emirates may need both: a VARA licence combined with a CMA cooperation arrangement. The August 2025 CMA-VARA mutual recognition agreement is still being operationalised.
The cheapest licensing option is rarely the right one. Founders who choose their regulator based on the lowest application fee frequently end up with a licence that does not cover their actual activities, a structure that institutional investors will not accept, or an entity that cannot access UAE banking because it has no demonstrated compliance infrastructure. The cost of choosing the wrong licence is not the application fee. It is the restructuring bill, the delayed fundraising, and the lost months of runway.
TIMELINE AND FEES
Timeline is within your control. A well-prepared application filed by legal counsel with established VARA or ADGM relationships moves through the process significantly faster than one filed without specialist preparation.
A 9-month licensing process and an 18-month licensing process do not cost the same. The difference in legal fees between a well-prepared and a poorly prepared application is typically smaller than the cumulative cost of:
Founders who invest appropriately in getting licensing right from the start consistently achieve better commercial outcomes than those who optimise for the lowest possible upfront legal cost.
KEY FIGURES
The primary factor is application quality, not regulator workload.
| Activity | Application fee (USD) | Annual supervision fee (USD) |
|---|---|---|
| Dealing as Principal | 25,000 to 40,000 | 25,000 to 50,000 |
| Dealing as Agent | 25,000 | 25,000 |
| Managing Assets | 25,000 | 25,000 |
| Providing Custody | 25,000 to 40,000 | 25,000 to 50,000 |
| Advising or Arranging | 15,000 | 15,000 |
| Operating an MTF (standalone) | 10,000 plus USD 125,000 VA add-on | 10,000 plus USD 60,000 VA add-on |
| FRT Issuance standalone (from 01 Jan 2026) | 70,000 | 70,000 |
| Prudential Category | Determinative Activity | Minimum Capital (USD) |
|---|---|---|
| Category 2 | Dealing as Principal | 2,000,000 |
| Category 3A | Dealing as Agent | 500,000 |
| Category 3B | Custody for public funds | 4,000,000 |
| Category 3C | Managing Assets or FRT Issuance | 250,000 (or 2,000,000 for standalone FRT) |
| Category 4 | Advising, Arranging, MTF | 50,000 |
LEGAL FEES
NeosLegal works on fixed-fee, milestone-based engagements. Fees depend on licence category, business model complexity, application readiness at engagement start, and scope of ongoing post-authorisation support. Specific written cost estimates are provided after the free assessment call, before any engagement commitment is made.
LICENSING STAGES
NeosLegal is the UAE’s first crypto-native law firm, founded by Irina Heaver in 2016. We have structured 300+ regulated crypto businesses, exchanges, funds, and VASPs across all five UAE regulatory frameworks, with a 100% acceptance rate on Tier-1 exchange legal opinions.
Before any entity is formed and before any document is prepared, we map your specific business model to the correct regulator and licence category. This single step prevents the most expensive mistake in UAE crypto market entry.
VARA and ADGM both conduct pre-application meetings with prospective applicants. NeosLegal manages substantive pre-application conversations that surface specific concerns before you file. The difference between well-handled pre-application dialogue and none at all is routinely three to six months on licensing timeline.
Every element, built to current regulator standards. Governance framework designed for the specific regulator's current expectations. Operational AML/CTF program built and tested, not drafted. Business plan and three-year financial projections. Technology risk framework and cybersecurity documentation. Approved Persons identification and fit-and-proper preparation. All supporting documentation required for submission.
Regulator queries are where unprepared applications lose months. NeosLegal manages all regulatory correspondence throughout the review process. Experience across multiple applications means we know what the regulator is actually asking.
In-Principle Approval comes with conditions: capital injection, office establishment, Approved Persons completion, and technology testing. We manage every condition through to the final operating licence, so there is no gap between conditional approval and launch.
Annual compliance certificates, periodic VARA and ADGM reviews, ongoing AML program maintenance, VARA marketing compliance, and regulatory change monitoring. We stay alongside you after authorization.
WHY CHOOSE NEOSLEGAL
Every engagement is fixed-fee with defined milestones confirmed before work begins. Direct access to Irina Heaver and senior associates throughout, not associates managing the relationship.
“NeosLegal is the UAE’s first crypto-native law firm, advising founders, VCs and institutions across the digital assets ecosystem since 2016. With over 300 blockchain and Web3 projects structured, the firm is known for its deep regulatory insight, technical fluency, and founder-first approach.”
From navigating regulations and setting up your business to managing risks and tax strategies, we’ve got you covered. Let us handle the legal details so you can focus on growing your Bitcoin venture.
Book a call with a crypto lawyer today →
If your activities include exchange, brokerage, custody, investment management, advisory, transfer and settlement, lending, or token issuance in Dubai, yes. A trade licence from any UAE free zone does not cover regulated virtual asset activities. VARA fined 19 firms for unlicensed activity in 2025. The reliable way to confirm your regulatory position is a perimeter analysis, which NeosLegal conducts as the starting point of every licensing engagement.
TODO: content to be added
TODO: content to be added
TODO: content to be added
TODO: content to be added
TODO: content to be added
TODO: content to be added
TODO: content to be added
TODO: content to be added
GET STARTED
In 30 minutes you will know which UAE regulator governs your specific activities, which licence categories apply, what the realistic timeline and cost looks like, and what your practical next step is.
You leave with a clear licensing roadmap, not a generic assessment.
Legal Disclaimer: This page provides general information about UAE virtual asset service provider licensing and regulatory frameworks. It does not constitute legal advice and should not be relied upon as such. Regulatory requirements vary by jurisdiction, business model, and individual circumstances. Always consult qualified legal counsel experienced in UAE financial regulation before making licensing, structuring, or operational decisions. Current as of April 2026 based on VARA Rulebook 2.0, CMA Decision No. 4/R.M/2026, and applicable UAE regulatory frameworks.
Founder commentary
“The single most common and most expensive mistake founders make in the UAE is choosing the wrong regulator before they understand their business model. Once you have incorporated under VARA’s framework, unwinding to pursue an ADGM or DIFC structure costs months and significant capital.
The regulator selection decision must be made before entity formation. Not after.”
IRINA HEAVER
UAE CRYPTO LAWYER & FOUNDER OF NEOSLEGAL