Proud of UAE  [email protected]       [email protected]        +97142500251 97142500251+       +971507869887 971507869887+      WhatsApp

What Is VARA and What Does It Require of Virtual Asset Businesses in Dubai?

What VARA Is and Why It Matters

The Virtual Assets Regulatory Authority (VARA) is the world’s first independent regulatory body dedicated exclusively to virtual asset oversight. Established under Dubai Law No. 4 of 2022, VARA is responsible for licensing, regulating, and supervising all virtual asset activities and virtual asset service providers (VASPs) operating in or from the Emirate of Dubai — across both the mainland and Dubai’s free zones, with one significant exception: the Dubai International Financial Centre (DIFC), which remains under the oversight of the Dubai Financial Services Authority (DFSA).

VARA’s regulatory mandate is comprehensive. It covers crypto assets, digital tokens, NFTs, payment tokens, and the full range of activities that VASPs conduct with or on behalf of clients. No business may conduct virtual asset activities in Dubai without first obtaining explicit authorisation from VARA. This is not a registration or notification requirement — it is a licensing requirement, and operating without a licence carries enforcement consequences that include fines, trade licence cancellation, and criminal referral.

The regulatory framework has matured significantly since VARA’s launch. By July 2026, more than 80 VASPs have been licensed across the UAE’s five virtual asset regulators. In May 2025, VARA issued Version 2.0 of its complete Rulebook framework — adding more than 350 pages of updated requirements across twelve rulebooks — which took effect on 19 June 2025. The era of early-stage regulatory experimentation is over. VARA is now in active supervision mode, and the consequences of inadequate compliance are no longer theoretical.

The Regulated Activities Under VARA

Any entity intending to conduct virtual asset activities in Dubai must obtain a VARA licence for each activity it proposes to carry out. The regulated activities are:

Regulated ActivityWhat It Covers
VA Advisory ServicesProviding advice, guidance, or recommendations on virtual assets, including investment advice and market commentary
VA Broker-Dealer ServicesBuying and selling virtual assets as principal or agent on behalf of clients
VA Custody ServicesSafeguarding, storing, and managing clients’ virtual assets; subject to the Custody Services Rulebook finalized March 2025
VA Exchange ServicesOperating platforms that facilitate the buying, selling, and trading of virtual assets between users
VA Issuance ServicesGenerating and issuing new virtual assets, including Initial Coin Offerings (ICOs) and Security Token Offerings (STOs); requires publication of a Whitepaper and Risk Disclosure Statement
VA Lending and Borrowing ServicesFacilitating loans or borrowing arrangements using virtual assets as collateral
VA Management and Investment ServicesManaging virtual asset portfolios or funds on behalf of clients
VA Transfer and Settlement ServicesFacilitating the transfer of virtual assets between parties, including cross-border payment and remittance services

In addition, VARA’s Marketing Regulations apply to all market participants in the UAE — regardless of whether they are directly licensed by VARA — controlling how virtual assets and related services can be marketed to UAE residents. Enforcement of these regulations, which began in earnest in June 2025, resulted in AED 7.5 million in fines across five entities in that single month.

Need Expert Advice?

Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.

The VARA Licensing Process

Obtaining a VARA licence is a two-stage process requiring preparation, documentation, and engagement with both the relevant commercial licensing authority and VARA itself:

Stage 1 — Approval to Incorporate

  1. Submit an Initial Disclosure Questionnaire (IDQ) to either Dubai Economy and Tourism (DET) for mainland entities, or the relevant Free Zone Authority (FZA) for free zone entities
  2. Provide supplementary documentation including a detailed business plan, details of beneficial owners and senior management, and evidence of the proposed governance structure
  3. Make the preliminary payment — typically corresponding to 50% of the licence application fee
  4. Receive the Approval to Incorporate from the commercial licensing authority

Stage 2 — VASP Licence Application

  1. Submit the full VASP licence application to VARA with comprehensive supporting documentation covering proposed activities, financial resources, technology infrastructure, compliance arrangements, and key personnel credentials
  2. Engage with VARA’s feedback and queries during the review process
  3. Pay the remaining licence fees
  4. Receive the VASP licence for each approved regulated activity

Entities must demonstrate genuine ability to meet VARA’s regulatory standards — a compliant business structure, a robust operational setup, qualified and assessed senior management, and adequate capital reserves. VARA’s approach is outcomes-focused: what matters is whether controls actually work in practice, not whether policies exist on paper.

The VARA Rulebook Framework — Version 2.0 (May 2025)

VARA governs licensed entities through two layers of regulation: mandatory rulebooks that apply to all VASPs, and activity-specific rulebooks that apply to each licensed activity separately.

Mandatory Rulebooks (All Licensed VASPs)

  • Company Rulebook — governance requirements including qualified board composition, senior management accountability, outsourcing standards, conflict of interest policies, related-party reporting, and ongoing fit-and-proper assessments
  • Compliance and Risk Management Rulebook — comprehensive AML/CFT requirements including quarterly client risk assessments, business risk assessments, FATF Travel Rule compliance, targeted financial sanctions screening, STR filing through goAML, and appointment of a Money Laundering Reporting Officer (MLRO)
  • Technology and Information Rulebook — Technology Governance and Risk Assessment Framework (TGRAF), mandatory Threat-Led Penetration Testing (TLPT), developer environment controls, cryptographic media management, and cybersecurity incident reporting
  • Market Conduct Rulebook — prohibition of market manipulation (wash trading, spoofing, pump-and-dump strategies), client asset protection, trading venue requirements, and behaviour monitoring obligations

Activity-Specific Rulebooks

Each regulated activity carries its own dedicated rulebook setting out the specific requirements for conducting that activity — including capital requirements, operational standards, client protection measures, and reporting obligations. The Custody Services Rulebook, finalized in March 2025, introduced particularly stringent requirements: at least 95% of client virtual assets must be held in cold storage, client assets must be segregated and labelled as “Client VA Wallet” in all books and records, and mandatory third-party audits of custody arrangements are required.

Key Compliance Obligations Under VARA Version 2.0

AML/CFT Compliance

VASPs must implement comprehensive AML/CFT systems aligned with the UAE’s federal AML framework under Federal Decree-Law No. 10 of 2025 and FATF international standards. Specific Version 2.0 requirements include:

  • Quarterly AML/CFT client risk assessments — each client must be assigned a risk rating reviewed no less than every three months
  • Enhanced Due Diligence for high-risk clients and Politically Exposed Persons, requiring senior management approval before establishing the business relationship
  • FATF Travel Rule compliance — mandatory collection, storage, and transmission of verified originator and beneficiary data for all virtual asset transfers above approximately AED 3,672 (USD 1,000)
  • Targeted financial sanctions screening against UNSC and other applicable sanctions frameworks; transactions involving listed entities or individuals are prohibited
  • goAML STR filing — suspicious transaction reports must be filed through the FIU’s goAML platform

Governance and Personnel

  • Board of Directors must include qualified individuals overseeing compliance procedures
  • Senior management must be qualified and operate under Board direction
  • Individual MLROs and Senior Management are now personally subject to VARA enforcement action for non-compliance under Version 2.0 — personal accountability has been explicitly extended beyond institutional liability
  • Annual MLRO Certification Renewal is required — the February 2026 deadline applies to all licensed entities

Technology Governance

Version 2.0 introduced a formal Technology Governance and Risk Assessment Framework (TGRAF) that all VASPs must implement and maintain. Mandatory Threat-Led Penetration Testing (TLPT) is now required, with specific controls over developer environments, wallets, and cryptographic media. Cybersecurity incidents must be reported to VARA immediately.

Client Asset Protection

Version 2.0 clarified that client money and client virtual assets held by a VASP are not owned by the VASP and will not form part of its estate in the event of insolvency. Separate client VA wallets must be maintained and labelled as such in the VASP’s books and records. VASPs generally cannot take ownership of client money under client agreements unless placed under a formal trust arrangement.

The Sponsored VASP Concept

Version 2.0 introduced a new category — the “Sponsored VASP” — which allows an entity to conduct virtual asset activities in Dubai under the sponsorship of an existing VARA-licensed Regulated Sponsor. The Sponsored VASP must be either controlled by the Regulated Sponsor or share the same controlling entity. Both entities must comply with VARA’s Marketing Regulations. Strict oversight obligations apply to the Regulated Sponsor, who bears responsibility for ensuring the Sponsored VASP’s compliance with all applicable VARA requirements.

VARA’s Scope — What It Covers and What It Doesn’t

  • Covered: All Dubai mainland activities and all Dubai free zones — DMCC, DWTC, DSO, DAFZA, and others
  • Not covered: The Dubai International Financial Centre (DIFC), which is regulated by the DFSA under its own Virtual Assets framework
  • Federal coordination: VARA coordinates with the Securities and Commodities Authority (SCA), which covers virtual asset activities in jurisdictions outside Dubai and has issued its own federal framework. Cabinet Resolution No. 111 of 2025, effective January 2026, expanded the federal definition of virtual assets to include tokenized securities and Real World Asset (RWA) tokens

Enforcement — What Non-Compliance Costs

VARA’s enforcement posture has shifted substantially. Between August 2024 and August 2025, VARA issued enforcement notices against 36 firms for violations including unlicensed virtual asset activities and unauthorized marketing. The Compliance and Risk Management Rulebook Version 2.0 now explicitly extends personal enforcement action to individual MLROs and Senior Management, not just to the VASP entity itself.

Penalties under the updated framework range from financial fines to suspension or revocation of licences, with coordination with Dubai’s commercial licensing authorities potentially resulting in trade licence cancellation. The penalty structure is now graduated by severity of the breach, replacing the earlier relatively simple fine range.

Why Audit and Compliance Support Matters for VARA-Licensed Entities

Version 2.0’s mandatory third-party audit requirement for custody activities, combined with the mandatory MLRO Certification Renewal cycle and the quarterly risk assessment schedule, means that VARA-regulated entities now operate within a continuous compliance calendar rather than a point-in-time licensing exercise. Professional audit and compliance support ensures that the controls a VASP documents in its policies are also functioning as required in practice — which is precisely the standard VARA applies in its supervision.

Frequently Asked Questions (FAQs)

What is VARA in Dubai?

VARA (Virtual Assets Regulatory Authority) is the world’s first independent regulator dedicated exclusively to virtual assets. Established under Dubai Law No. 4 of 2022, it licences and supervises all virtual asset service providers operating in Dubai — across the mainland and all free zones except the DIFC — and sets the comprehensive compliance framework under which they operate.

Does a business need a VARA licence to operate in Dubai’s free zones?

Yes, for all Dubai free zones except the DIFC. VARA’s jurisdiction covers all Dubai mainland and free zone territories except the DIFC, which is regulated by the DFSA. A business operating virtual asset activities from DMCC, DWTC, DSO, or any other Dubai free zone requires a VARA licence.

What changed in VARA’s May 2025 Rulebook update?

Version 2.0, effective 19 June 2025, introduced more than 350 pages of updates across twelve rulebooks. Key changes include quarterly AML/CFT client risk assessments, mandatory FATF Travel Rule compliance, the Sponsored VASP concept, a formal Technology Governance and Risk Assessment Framework (TGRAF), mandatory Threat-Led Penetration Testing, personal enforcement liability for MLROs and Senior Management, and the 95% cold storage requirement for custody service providers.

What is the FATF Travel Rule and does it apply to VARA-licensed entities?

The FATF Travel Rule requires VASPs to collect and transmit verified originator and beneficiary information for all virtual asset transfers above the applicable threshold (approximately USD 1,000 or AED 3,672). From VARA Version 2.0, compliance with the Travel Rule is mandatory for all VARA-licensed entities, and transfers to unhosted wallets above the threshold require enhanced scrutiny.

Can individual compliance officers be personally liable under VARA?

Yes. VARA Version 2.0 explicitly extended personal enforcement action to individual MLROs and Senior Management for non-compliance — not just to the VASP entity. This includes the Annual MLRO Certification Renewal, with compliance required by February 2026 for all licensed entities.

What is a Sponsored VASP under the VARA framework?

A Sponsored VASP is a new category introduced in Version 2.0 that allows an entity controlled by, or sharing a common controlling entity with, a VARA-licensed Regulated Sponsor to conduct virtual asset activities in Dubai under that sponsor’s oversight. Strict compliance obligations apply to both entities, with the Regulated Sponsor bearing responsibility for the Sponsored VASP’s regulatory compliance.

Need Expert Advice?

Contact the team at Farahat & Co. for professional support and expert insights for businesses operating in the UAE.

How Farahat & Co. Can Help

Farahat & Co. provides audit, compliance, and advisory services to VARA-licensed entities and businesses considering VARA licensing in Dubai — including third-party custody audits, AML/CFT compliance reviews, financial statement preparation for VARA reporting requirements, and ongoing compliance support under the Version 2.0 framework.

Contact Farahat & Co. today to discuss your VARA compliance and audit requirements.

Ervee is a CPA with international experience in Tax and Accounting. He has over 12 years of experience in accounting and bookkeeping and over a year in VAT implementation, registration, and accounting in UAE. He regularly drives out inefficiencies in company operations and loves the challenge of helping clients find additional ways for an easier and improved compliance and verification of transactions.
×

Hold On!

Business decisions are easier with the right guidance.

For audit, accounting, tax, or VAT, our team is here to help.