CMA Dubai Federal VASP Law 2026: New UAE Crypto Rules Explained

The new CMA Dubai federal VASP framework is changing how crypto businesses operate across the UAE. Under Decision No. 4/R.M/2026, the UAE Capital Markets Authority introduced a completely new licensing and compliance regime for virtual asset service providers operating outside DIFC and ADGM. The new UAE CMA regulations establish eight licensed crypto activity categories, stricter AML and governance requirements, federal token approval rules, and capital requirements reaching AED 30 million. Businesses operating under VARA or serving clients across multiple emirates must now assess how the CMA in UAE framework applies to their operations before the 13 February 2027 compliance deadline.

Mahesh Maddu May 23, 2026

Key Takeaways

CMA Decision No. 4/R.M/2026 fully replaces the UAE’s 2023 federal VASP framework.
The UAE Capital Markets Authority introduced eight separate crypto licensing categories.
Capital requirements range from AED 500,000 to AED 30 million depending on activity type.
Algorithmic stablecoins and privacy-focused tokens are banned under the UAE CMA framework.
Existing businesses must comply with the Business Regulation and ATS Modules before 13 February 2027.
UAE-resident executives are mandatory for several senior compliance positions.
Dual compliance between CMA Dubai and VARA may apply to certain crypto firms.
Federal token approval requirements could affect existing exchange listings.

What Is the UAE Capital Markets Authority (UAE CMA) Framework?

The Securities and Commodities Authority was restructured into the UAE Capital Markets Authority in 2025 under Federal Decree-Laws No. 32 and No. 33 of 2025. The regulator received expanded powers covering virtual assets, crypto businesses, and related financial services activities.

Decision No. 4/R.M/2026 acts as the main implementation framework for federal virtual asset regulation in the UAE.

The new CMA in UAE framework is divided into three regulatory modules.

General Framework Module

This module covers:

Licensing requirements
Corporate governance standards
Ownership approvals
Capital adequacy requirements
Senior management obligations

Business Regulation Module

This module regulates:

AML and CFT obligations
Client onboarding
Suitability assessments
Compliance systems
Operational controls
Record retention

Alternative Trading System (ATS) Module

The ATS module applies to:

Crypto exchanges
Trading infrastructure
Order matching systems
Platform governance and technology controls

All licensed firms must comply immediately with the General Framework Module. Existing businesses have until 13 February 2027 to align with the Business Regulation and ATS requirements.

The Eight Licensed Virtual Asset Activities Under CMA Dubai

The new CMA Dubai framework introduces eight distinct regulated activity categories.

Activity Category	Minimum Capital	Description
Virtual Asset Advisory Services	AED 500,000	Investment recommendations without custody or execution
Virtual Asset Brokerage	AED 2,000,000	Facilitating client virtual asset transactions
Virtual Asset Portfolio Management	AED 3,000,000	Managing client portfolios on a discretionary basis
Virtual Asset Custody	AED 4,000,000+	Safekeeping client digital assets and private keys
Virtual Asset Exchange Services	Determined by CMA	Operating virtual asset exchanges
Virtual Asset Dealing	AED 30,000,000	Acting as market maker or principal dealer
Virtual Asset Arranging	AED 500,000	Arranging transactions between clients and providers
Alternative Trading Systems	Determined by CMA	Operating regulated trading infrastructure

Why the CMA in UAE Matters for Crypto Businesses

The new CMA in UAE framework significantly expands federal oversight of virtual asset activities.

Previously, many crypto businesses mainly focused on:

VARA in Dubai
DFSA in DIFC
FSRA in ADGM

The UAE CMA now creates an additional federal regulatory layer for businesses operating across the UAE outside financial free zones.

This means a VARA-licensed exchange in Dubai could still face federal CMA obligations if it serves clients in:

Abu Dhabi
Sharjah
Ajman
Fujairah
Ras Al Khaimah
Umm Al Quwain

For many crypto firms, dual compliance has now become a practical business reality.

How UAE CMA Regulations Align With VARA, DFSA, and FSRA

The CMA Dubai framework does not replace other UAE financial regulators.

VARA

VARA continues regulating virtual asset activities in Dubai outside DIFC.

DFSA

The Dubai Financial Services Authority continues regulating financial services inside DIFC.

FSRA

The Financial Services Regulatory Authority continues supervising ADGM-based financial firms.

However, the UAE CMA now functions as the federal regulator for onshore virtual asset activities throughout the UAE

Businesses serving UAE clients from overseas may also fall within scope depending on their structure and operations.

UAE CMA Token Listing Rules Explained

One of the most important parts of the UAE CMA framework involves token approvals.

Under the new rules:

Tokens must appear on the CMA-approved list or receive CMA registration
Exchanges may need to remove unsupported assets
Existing token listings must be reviewed against federal requirements

This gives the UAE Capital Markets Authority significant influence over which assets can legally trade within the UAE market.

Crypto businesses should review:

Stablecoin exposure
Token listings
Privacy token availability
Cross-border trading access

Mandatory Compliance Requirements Under the CMA Dubai Framework

The Business Regulation Module introduces stricter operational obligations for licensed firms.

Mandatory Senior Management Roles

The following positions must remain active at all times:

CEO
Senior Executive Officer
Compliance Officer
MLRO
Finance Director
Internal Auditor

The CEO, Compliance Officer, and MLRO must reside in the UAE and receive CMA accreditation.

Client Classification Rules

Clients must be classified before services are provided:

Retail
Professional
Counterparty

Reviews are required every three years.

Suitability Assessments

Portfolio managers and advisory firms must document:

Financial position
Investment goals
Risk tolerance
Product suitability

Cybersecurity Requirements

The UAE CMA framework requires:

Board-approved cybersecurity frameworks
Annual penetration testing
Incident reporting within 72 hours

Record Retention

Businesses must maintain records for at least six years, including:

Client agreements
Transaction records
AML documentation
Complaints
Compliance procedures

What Is Prohibited Under the UAE CMA Framework?

The framework introduces direct restrictions on several crypto asset categories and trading activities.

Algorithmic Stablecoins

Algorithmic stablecoins are prohibited across the UAE.

The regulatory reasoning specifically references the risks associated with failed models such as TerraUST.

Privacy Tokens

Privacy-focused cryptocurrencies including:

Monero (XMR)
Zcash (ZEC)
Dash

are prohibited under the federal framework.

Discretionary Order Matching

Crypto trading platforms must operate using transparent rules-based execution systems. Discretionary order matching is prohibited.

Utility Tokens and NFTs

General service provision involving utility tokens and NFTs is restricted unless prior CMA approval is obtained.

What Existing Businesses Should Do Now

Conduct a Regulatory Assessment

Map all business activities against the eight licensed activity categories.

Review Capital Adequacy

Assess whether paid-up capital meets CMA Dubai requirements.

Evaluate Dual Compliance Exposure

Determine whether both VARA and UAE CMA obligations apply.

Review Token Listings

Identify unsupported or prohibited assets that may require removal.

Upgrade AML and Compliance Systems

Businesses should strengthen:

Transaction monitoring
Risk management
Client onboarding
Cybersecurity systems
Internal reporting controls

Recruit UAE-Based Officers

The UAE-resident executive requirement may create increased demand for experienced compliance professionals.

Important Compliance Deadlines

Requirement	Deadline
General Framework Module	Immediate application
Business Regulation Module	13 February 2027
ATS Module Compliance	13 February 2027
Preliminary Approval Holder Compliance	Within 6 months of approval

Failure to comply may trigger regulatory enforcement actions and financial penalties.

Penalties for Non-Compliance

Under Cabinet Resolution No. 99 of 2024, firms may face:

Fines up to AED 4 million
Profit disgorgement
Licence suspension
Regulatory investigations
Criminal referral to the Public Prosecutor

The UAE CMA treats AML and operational governance as core licensing obligations rather than secondary compliance functions.

Frequently Asked Questions

Does the CMA law replace VARA?

No. VARA continues to regulate virtual asset activities in Dubai outside DIFC under VARA Rulebook Version 2.0. The CMA operates at the federal level alongside VARA. A Dubai-based exchange needs VARA compliance for its Dubai operations and may also need CMA compliance depending on its activities and client geography. Mutual recognition between VARA and CMA was promised but has not yet been implemented.

What is the compliance deadline for existing businesses?

Existing licensed entities have until 13 February 2027 to comply with the Business Regulation Module and ATS Module requirements. The General Framework Module applies from the outset. Preliminary approval holders have six months from their approval date, with one possible extension.

What are the penalties for non-compliance?

Sanctions under Cabinet Resolution No. 99 of 2024 apply for non-compliance. Fines of up to AED 4 million apply for unlicensed activity. Disgorgement of profits from unlicensed operations is available as a remedy. Criminal investigation by the Public Prosecutor can also be initiated.

Do I need a separate CMA licence for each activity I offer?

Yes. The eight licensed activity categories are distinct. Combining exchange services with custody requires compliance with the capital and operational requirements for both categories, and potentially separate licence endorsements for each. This is a deliberate design to prevent co-mingling of funds and ensure capital adequacy for each risk type.

How does IncHub support businesses navigating the CMA framework?

IncHub Financial Services FZCO provides corporate services support for the entity establishment and ongoing compliance dimensions of CMA-relevant crypto businesses, including entity incorporation, CT and VAT registration, goAML DNFBP registration, UBO filings, and coordination with CMA-specialist legal counsel. Contact us at inchub.ae.

Final Thoughts

The new CMA Dubai framework represents one of the most significant regulatory changes for the UAE crypto industry. The UAE CMA framework has significantly expanded federal oversight while introducing stricter operational standards and stronger governance requirements for virtual asset businesses operating across the UAE.

Businesses already licensed under VARA, DFSA, or FSRA should not assume existing approvals alone are enough. The growing overlap between federal and emirate-level regulations means firms should assess their licensing, token listings, AML systems, and operational structure as early as possible.

With the 13 February 2027 transition deadline approaching, crypto exchanges, brokers, custodians, advisers, and trading platforms should begin compliance planning now to reduce regulatory risk and operational disruption.

Verified Sources and References

Middle East Briefing – UAE Virtual Assets 2026: New Framework and Key Developments (May 2026)

Mahesh Maddu

Founder & CEO, IncHub

Mahesh Maddu is the Founder and CEO of IncHub Group. With over 15 years of advisory experience, he has supported founders, family offices, and global investors in setting up and managing businesses across UAE mainland, free zones, and offshore jurisdictions. He holds an MBA from Bangalore University and is a certified Anti-Money Laundering specialist and STEP member, with expertise in trust and foundation structuring for high-net-worth clients.