The UAE has redrawn the rules of digital assets. Federal Decree-Laws No. 32 and 33 of 2025 replaced the SCA with the Capital Market Authority (CMA), now live since 1 January 2026, and handed it the enforcement tools, mandate, and international credibility to match the world's leading capital markets regulators.
Virtual assets play a core role in the new regulatory framework, since the CMA itself acknowledges that they are "reshaping how financial markets operate, and regulation must evolve at the same pace." — Waleed Saeed Al Awadhi, Chief Executive Officer, UAE Capital Market Authority.
What This Means for the Market
The SCA was created under Federal Law No. 4 of 2000, when UAE capital markets were at an early stage and focused mainly on equities and commodity exchanges. As digital assets emerged, cross-border activity accelerated, and the complexity of financial products grew, the original framework began to show its limitations.
Federal Decree-Law No. 33 of 2025 expands the substantive regulatory perimeter and brings virtual assets explicitly within the federal capital markets framework for the first time.
The practical operationalization of this came on 13 February 2026, when the CMA issued Decision No. 4/R.M/2026, a replacement of the 2023 federal VASP framework with a new three-module rulebook: the General Requirements Module, the Business Regulation Module, and the Alternative Trading System Module.
This encompasses eight licensed activities, new capital thresholds, strengthened governance standards, and a transition timeline which has already entered into force. What the CMA has built is an architecture that is coherent, statute-driven and internationally aligned, exhibiting a closer design to the UK's FCA, MAS in Singapore, and the EU's MiCA framework.
Under the old SCA regime, virtual asset licensing operated on broad, category-based distinctions. The CMA has replaced this with an activity-based model across eight specific regulated activities: dealing as principal, dealing as agent, providing custody, arranging custody, arranging investment deals, providing investment advice, portfolio management, and operating a multilateral trading facility.
This granularity, as well as the licensing modularity, adds value to the new regulatory regime, since it forces every participant in the ecosystem to map what they do against a clear regulatory category. A single business model can now require multiple licenses if it spans, for example, both custody and arrangement functions. The CMA has been explicit about this in their public communications: firms performing functions comparable to traditional finance will face equivalent scrutiny, consistent with the principle of "same activity, same risk, and same regulatory outcome."
Banks are used to this world. For crypto-native firms and fintechs, the adjustment is more significant, but the outcome is a levelled playing field where the same rules, capital requirements, and governance standards apply to everyone.
On capital requirements, the CMA has set clear thresholds that vary based on the chosen activities. These prudential requirements must be fulfilled on an ongoing basis, linking capital discipline to daily operations in a way that protects clients and builds market integrity.
Capital requirements
A key development in the CMA framework is that the new rules apply to anyone targeting UAE clients, regardless of where they are established, including operators in financial free zones and international firms outside the UAE entirely.
This element shows how mature the regulatory framework has become. If we look at international jurisdictions with well-established financial regulators — such as the SEC, the FCA, and MAS — these authorities operate with some form of extraterritorial scope when it comes to protecting their domestic market participants. The CMA now makes no exception.
For the UAE, this closes a gap that created inconsistent outcomes for clients depending on who was serving them and from where. For VARA-licensed entities in Dubai, this creates a more structured compliance environment. VARA remains the competent authority for virtual asset businesses in Dubai outside the DIFC, and continues to issue pivotal guidance, including the updated Exchange Services Rulebook effective March 2026.
The CMA-VARA cooperation agreement signed in August 2025 is designed to allow a VARA license to be valid across the UAE, without the need for a separate CMA application. This mutual recognition is still developing, and firms should follow CMA guidance closely as implementation details emerge. But the direction is towards a more coherent, layered regulatory system.
The UAE Digital Asset Regulatory Landscape
The UAE now operates across five regulatory frameworks for digital assets:
The CMA framework gives the UAE's digital asset ecosystem a federal layer that is credible, internationally legible, and investor protective.
The introduction of a CMA-maintained list of admissible virtual assets is a key change from the SCA regime. From January 2026, no virtual asset may be traded in the UAE unless it has been accepted onto the CMA's official list, registered with the CMA, and operated by a CMA-licensed platform.
Clearly, the challenge for the CMA will be to approve admissible tokens promptly, in a continuously developing ecosystem, without slowing down innovation and market opportunities.
The framework also introduces clear prohibitions on privacy tokens and algorithmic tokens, asset classes that have been associated with significant systemic risks in other markets. This is consistent with approaches under MiCA in Europe, MAS guidelines in Singapore, and emerging federal frameworks in the United States. It is a signal that the CMA is building a market that international institutional capital can enter with confidence.
Under the governance requirements established by Decision 4/R.M/2026, licensed entities are now required to appoint mandatory senior roles: CEO, Senior Executive Officer, Compliance Officer, MLRO, Finance Director, and Internal Auditor — with the CEO, Compliance Officer, and MLRO required to be UAE residents.
For institutional counterparties such as international banks, sovereign wealth funds, and asset managers considering digital asset partnerships, the requirement for resident senior management creates real accountability and willingness to establish a durable presence in the country.
AML/CFT obligations have been retained and strengthened, in line with the UAE's financial crime prevention framework. The CMA has embedded AML/CFT compliance as a foundational licensing requirement, not a supplementary one.
On enforcement, the new regime is more powerful than the SCA's. Criminal penalties for unlicensed activity can now reach AED 250 million, compared to the previous regime's fines, which were capped at AED 100,000 for relevant markets and AED 1 million as a criminal sanction. This is a signal to the entire market that the UAE takes its regulatory framework seriously and will defend its integrity — a positive change that aims to attract serious, long-term market participants.
The UAE's digital asset market has grown significantly and is continuing to do so. According to Chainalysis, the UAE received more than $56 billion in on-chain value between 2024 and 2025, a 33% year-on-year increase.
Snapshot
Institutional participation has been rising sharply. Institutional-sized transfers ($1M–$10M) grew approximately 55% year-on-year, reflecting deepening involvement from international banks, global asset managers, and major exchanges.
The broader UAE fintech market is projected to grow from $2.97 billion in 2024 to $6.42 billion by 2030, at a CAGR of 13.8%. The UAE blockchain market is estimated at $8.9 billion for 2025, with projections of $72.6 billion by 2032.
Regarding tokenization, we have recently seen this practice move from concept to execution. The Dubai Land Department's real estate tokenization initiative has been a landmark milestone, and Abu Dhabi-based KAIO, which recently raised $8 million in a Tether-led round, is building infrastructure to bring institutional funds on-chain — with plans including a tokenized fund with Mubadala Capital. AED-denominated stablecoins are becoming a real presence in the UAE market, and are here to stay.
The CMA framework is supportive of these use cases, and we are confident it will equip the market with the structure to scale responsibly and sustainably.
Existing licensed entities have until 13 February 2027 to fully comply with the new Business Regulation and the related requirements. However, the CMA has clarified that this grace period is not a pause. Conduct rules apply from day one, and supervision is already live. Firms are expected to begin gap analysis immediately, and the CMA has issued specific circulars for different categories of license holders and applicants.
For firms with in-principle approval under the old SCA framework, operations can continue subject to conditions. Firms currently in the licensing pipeline need to realign their applications under the new regime. For banks and financial institutions that have not been part of it yet, the transition period is an opportunity to step in.
In our experience, the firms that engage with regulatory change proactively as a competitive advantage are the ones that come out of transition periods strongest. Compliance built at the last minute is expensive, disruptive, and visible to regulators. Early adoption creates differentiated market positioning and a track record with the authority that has long-term value.
We have been building digital asset infrastructure in the UAE since our foundation, and we have watched the regulatory landscape evolve in real time through multiple iterations. What the CMA has delivered with the two Decree-Laws and Decision 4/R.M/2026 is a coherent, internationally aligned, institutionally credible architecture for digital assets.
Operate with substance. Maintain adequate capital. Know your clients. Protect investors. Be accountable. These are the foundations of a market that can sustain itself.
At Fuze, we believe this framework is aligned with what we have built our business to do: give financial institutions the ability to offer digital asset services in a way that is compliant, scalable, and operationally robust.
