UAE Crypto Licensing in 2026
What the CMA Means for Your Virtual Asset Business
Last Updated: April 2026
The UAE’s regulatory landscape for virtual assets has never changed faster - or more significantly - than in 2026. On 1 January 2026, the Emirates Securities and Commodities Authority (SCA) was formally replaced by the Capital Market Authority (CMA), a new independent federal regulator with a broader mandate, stronger enforcement powers, and explicit authority over virtual assets. Shortly after, on 13 February 2026, the CMA issued Decision No. 4/R.M/2026 - a new three-module VASP rulebook that replaced the entire 2023 federal framework and set fresh compliance deadlines that are already running.

For crypto exchanges, custodians, broker-dealers, token issuers, and any business handling digital assets in or from the UAE, this is not background noise. This is a structural reset of the rules that govern your licence, your AML obligations, your client-facing operations - and your exposure to penalties of up to AED 250 million for unlicensed activity. The pace of change has not slowed: on 13 April 2026, the CMA issued a comprehensive new Virtual Assets Framework expanding regulated activities to eight categories across five regulatory modules.

This article breaks down what changed, what it means for VARA-licensed operators, and what your business needs to do before the transition window closes.

From SCA to CMA: What Actually Changed

A New Regulator with Federal Authority
Under Federal Decree-Law No. 32 of 2025 (FDL32), the SCA was formally dissolved and reconstituted as the Capital Market Authority (CMA) - inheriting all rights, contracts, licences, and obligations of its predecessor, but operating under a fundamentally different mandate. This was not a merger or a rebrand: it was an institutional transformation. The CMA receives the SCA’s entire regulatory infrastructure but is vested with significantly expanded powers, independent legal personality, financial autonomy, and direct accountability to the UAE Cabinet - a structural elevation that the SCA never had.

Federal Decree-Law No. 33 of 2025 (FDL33) provides the substantive regulatory framework: licensing requirements, conduct standards, market abuse rules, enforcement mechanisms, and - for the first time at the federal statutory level - explicit regulation of virtual assets used for investment purposes.

The CMA carries powers that the SCA never had:
  • Extraterritorial jurisdiction - any business targeting UAE clients, whether operating from outside the country or from a financial free zone, is now within scope of CMA regulation
  • Virtual asset authority - crypto assets used for investment are formally classified as Financial Products under FDL33
  • Resolution powers - the CMA can intervene in, restructure, or wind down systemically important licensed entities
  • Criminal penalties - up to AED 250 million for unlicensed activity, significantly higher than the previous SCA regime

The CMA Virtual Assets Framework: Five Modules, Eight Regulated Activities
The CMA’s virtual assets regulatory framework has evolved rapidly in early 2026 through two successive instruments.

On 13 February 2026, the CMA issued Decision No. 4/R.M/2026, replacing the 2023 federal VASP rulebook and establishing initial compliance deadlines. That decision introduced three core activity categories and set the transitional compliance window running.

On 13 April 2026, the CMA issued a comprehensive Virtual Assets Framework - a full regulatory umbrella superseding and expanding the February decision. The new framework consists of five core modules:
  • General Requirements - governance, fit and proper standards, licensing conditions, and reporting obligations
  • Conduct of Business - client classification, suitability, conflicts of interest, and operational conduct standards
  • Alternative Trading System (ATS) - rules for multilateral trading platforms, including both virtual asset and tokenised securities facilities
  • AML/CFT - anti-money laundering and counter-terrorist financing obligations aligned with FATF standards
  • Prudential Requirements - capital adequacy, liquidity, and financial soundness standards

The framework expands the scope of regulated activities from three to eight, covering: Dealing in Virtual Assets as Principal, Dealing as Agent, Providing Custody, Arranging Custody, Arranging Investment Deals, Providing Investment Advice, Portfolio Management, and Operating a Multilateral Trading Facility.

It also imposes absolute prohibitions on privacy tokens and algorithmic tokens, and establishes capital requirements calibrated to activity type and risk profile.

Compliance deadlines under the February Decision’s Business Regulation and ATS provisions run until 13 February 2027. Firms should expect implementing guidance under the April framework to follow shortly.

Who Regulates What: The UAE’s Five-Regulator Landscape

One of the most operationally critical realities of UAE crypto licensing in 2026 is that five separate regulatory regimes operate concurrently - and compliance with one does not substitute for compliance with another.
*Under the former SCA-VARA cooperation framework, a VARA licence in practice conferred nationwide authorisation, removing the need for a separate SCA application. The August 2025 CMA-VARA agreement intends to preserve this mutual recognition under the new federal framework - but as of early 2026, the formal mechanism has not yet been fully implemented. The position is in active transition.

A Dubai-based exchange serving clients across the UAE historically relied on VARA-SCA coordination for nationwide coverage. Under the new CMA framework, that relationship is being renegotiated - and until formal mutual recognition is in place, such an operator may face obligations under both VARA and CMA simultaneously. For businesses with payment token or stablecoin functionality, CBUAE’s Payment Token Services Regulation applies on top of both.

Dual - and sometimes triple - compliance is no longer an edge case. It is the operational baseline.

What This Means for VARA-Licensed Operators

VARA Remains Relevant - But Its Role Is Changing
The August 2025 CMA-VARA cooperation agreement established mutual recognition of VASP licences and joint application processes. Cabinet Decision 111 of 2022, which designates VARA as a competent licensing authority, remains in force. VARA’s Rulebook V2.0 (issued May 2025) continues to govern virtual asset activities in Dubai, and VARA continues to issue substantive guidance - including the updated Exchange Services Rulebook effective 31 March 2026.


The Federal Override
Under FDL33, no virtual asset can be traded anywhere in the UAE unless it appears on the CMA’s official list, is registered with the CMA, and is operated by a CMA-licensed platform. This gives the CMA effective veto authority over which assets can be traded - even on VARA-licensed platforms in Dubai.

The CMA’s extraterritorial reach covers anyone targeting UAE clients, regardless of where they operate. VARA’s formal jurisdiction is limited to Dubai - though historically a VARA licence provided de facto nationwide authorisation through SCA coordination. Whether that passporting fully carries over under the CMA remains unresolved: the CMA-VARA mutual recognition agreement from August 2025 signals the intent, but the implementing mechanics are not yet in place. For multi-emirate operators planning new market entries today, relying on VARA alone carries regulatory risk until this is formalised.

The direction of travel is clear: VARA is gradually transitioning from an independent sovereign regulator toward a delegated local licensing authority operating within the CMA’s federal framework - much as Cabinet Decision 111/2022 originally envisaged. The key open question for operators is not whether this transition will happen, but how quickly the CMA will formalise the mutual recognition mechanics that determine whether a VARA licence still provides practical nationwide coverage.

Until that clarity arrives, businesses with national ambitions should factor CMA engagement into their licensing strategy from day one - not as an afterthought once VARA authorisation is in hand.

AML/CTF Obligations Under the New CMA Framework

AML compliance for virtual asset businesses in the UAE has always been demanding. Under the new CMA framework, those expectations have been formalised and strengthened at the federal statutory level.

The General Framework Module of CMA Decision 4/R.M/2026 sets out AML/CTF obligations that apply to all licensed virtual asset activities. These align with FATF Recommendation 15 - the travel rule and VASP-to-VASP requirements - and with UAE Federal Decree-Law No. 10 of 2025 on combating money laundering, terrorist financing, and proliferation financing (which replaced the previous 2018 framework and came into force on 14 October 2025).

Key AML requirements for CMA-licensed VASPs include:
  • Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) for higher-risk clients, including PEPs and high-risk jurisdictions
  • Travel Rule compliance - mandatory transmission of originator and beneficiary information on virtual asset transfers above the threshold
  • Transaction monitoring - automated systems capable of detecting suspicious activity in real time
  • Sanctions screening - continuous screening against UAE, UN, OFAC, and EU sanctions lists
  • MLRO appointment - a qualified, CMA-approved Money Laundering Reporting Officer is required for all licensed entities
  • Suspicious Transaction Reporting (STR) - to the UAE Financial Intelligence Unit (goAML platform)
  • Record-keeping - a minimum of five years for all transaction and CDD records

The appointment of a qualified MLRO is not a box-ticking exercise under the new framework. The CMA’s fit and proper requirements for key controlled functions - including the MLRO, Compliance Officer, and senior management - require formal regulatory approval. These individuals carry personal liability for compliance failures.

If your business does not yet have an appropriately qualified and CMA-approved MLRO in place, this is a priority action item.

Token Listing: A New Federal Gateway

One of the most consequential - and least-discussed - changes introduced by FDL33 is the federal token admission requirement.

Before any virtual asset can be traded on a UAE platform, it must be accepted onto the CMA’s official list. This creates a federal regulatory gateway that applies regardless of whether a platform is licensed by VARA, DFSA, FSRA, or the CMA itself.

For operators, this means:
  • Every virtual asset currently listed on your platform must be assessed against the CMA’s admission criteria
  • Privacy tokens (e.g. Monero, Zcash) and algorithmic tokens are absolutely prohibited under the new framework
  • Any new token listing requires CMA assessment and approval before trading can commence
  • Tokens that are not on the CMA’s approved list may become untradeable once the transitional period ends on 1 January 2027

Operators should conduct a full audit of their current token offerings against the CMA’s admission criteria as a matter of urgency.

What Your Business Needs to Do Now

The transition window closes on 1 January 2027 for CMA framework regularisation, and 13 February 2027 for Business Regulation and ATS Module compliance. For businesses that have not yet begun, these deadlines are closer than they appear.

Priority Actions

1. Regulatory Perimeter Mapping
Identify which of the five UAE regulatory regimes applies to your business based on your specific activities, entity structure, client geography, and product offering. Do not assume that a single licence covers all your obligations.

2. Gap Analysis Against FDL32, FDL33, Decision 4/R.M/2026, and the April 2026 Virtual Assets Framework
Conduct a structured review of your current compliance framework against the full CMA rulebook - regardless of whether you are currently VARA, DFSA, or FSRA licensed. The April 2026 framework expands regulated activities to eight categories and introduces a dedicated AML/CFT and Prudential module. Cross-border and extraterritorial provisions are likely to create new obligations.

3. Token Listing Review
Audit all virtual assets currently listed or under consideration on your platform. Remove or pause any privacy or algorithmic tokens. Prepare documentation for CMA admission of all remaining assets.

4. MLRO and Key Controlled Functions
Confirm that your MLRO, Compliance Officer, and relevant senior management meet the CMA’s fit and proper requirements and have received - or are in the process of obtaining - formal regulatory approval.

5. AML/CTF Framework Update
Review your AML policies, procedures, and controls against the General Framework Module requirements. Update your travel rule implementation, transaction monitoring parameters, and sanctions screening lists to reflect the CMA’s expectations.

6. Licensing Strategy Decision
For new market entrants, the strategic choice between a VARA licence, a CMA licence, or both requires careful analysis. A VARA licence historically provided nationwide coverage via SCA coordination - but that mechanism is in transition under the CMA framework and not yet fully formalised. Until mutual recognition is confirmed, businesses targeting clients across the UAE should assess whether VARA alone is sufficient or whether direct CMA engagement is warranted from the outset.

How AML Zone Supports Virtual Asset Businesses Through CMA Compliance

AML Zone advises virtual asset businesses, crypto exchanges, custodians, and token issuers on regulatory licensing, AML/CTF compliance framework design, and ongoing supervisory alignment in the UAE.

Our services for virtual asset businesses include:
  • CMA and VARA licensing advisory - strategy, application preparation, and regulator engagement
  • MLRO-as-a-Service - providing a qualified, experienced MLRO on a retained basis for businesses without in-house capacity
  • AML/CTF compliance framework design - policies, procedures, risk assessments, and control frameworks aligned with CMA, VARA, and FATF requirements
  • Travel Rule implementation - gap analysis and vendor selection support
  • Regulatory gap analysis - structured assessment of your current compliance position against FDL32, FDL33, CMA Decision 4/R.M/2026, and the April 2026 Virtual Assets Framework
  • Ongoing compliance support - retainer-based advisory covering regulatory changes, regulatory correspondence, and compliance monitoring

Whether you are navigating the CMA transition, assessing a new UAE market entry, or restructuring an existing compliance programme, our team can help you map the regulatory perimeter and build a compliance strategy that is fit for the new federal framework.

This article is provided for informational purposes only and does not constitute legal or regulatory advice. Businesses should seek professional advice specific to their circumstances.