The UAE's New Federal VASP Framework
16 APR 2026
The UAE Capital Markets Authority has introduced a comprehensive federal framework for Virtual Asset Service Providers. Issued on 13 February 2026, Resolution No. 04/2026 replaces previous VASP provisions and establishes a unified licensing regime that took effect immediately upon publication. For firms operating in or entering the UAE virtual asset space, the question is not whether this applies to them. It is whether they are ready.
From SCA to CMA: A Regulatory Evolution
Effective 1 January 2026, the former Securities and Commodities Authority transitioned into the Capital Markets Authority under Federal Decree-Laws No. 32 and 33 of 2025. This was not a rebrand. It represented a material expansion of mandate, bringing virtual assets and related activities expressly within the CMA’s supervisory scope. The new framework consolidates that mandate into a single, modular rulebook.
The Framework: Three Modules, One Standard
Resolution No. 04/2026 is structured across three interlocking modules, each targeting a distinct layer of compliance.
The General Framework Module sets the foundation. It defines the licensed activities, establishes licensing categories with corresponding capital requirements, and imposes broad governance, systems and controls, and cybersecurity obligations applicable to all VASPs. Eight regulated activities are defined: dealing as principal, dealing as agent, providing custody, arranging custody, operating a multilateral trading facility, providing investment advice, portfolio management and arranging investment deals. Firms must map their current and planned activities against these categories to determine which licence or combination of licences applies.
The Business Regulation Module governs how licensed firms interact with clients. It introduces detailed requirements across client classification, suitability and appropriateness assessments, marketing materials, best execution, trade confirmations, client asset and fund safeguarding, margin trading, lending and borrowing, staking and digital wallet services. The obligations differ by client type. Retail clients attract the highest level of protection, including negative balance protection on margin positions, mandatory risk disclosure statements and 20% net equity close-out thresholds. Firms are also required to integrate AML and CTF obligations throughout the client lifecycle rather than treating them as a standalone compliance function.
The Alternative Trading System Module applies to operators of trading venues. It introduces requirements on market infrastructure, order transparency, short selling controls, erroneous trade management, market abuse prevention and operational resilience. Virtual asset MTF operators face additional obligations, including virtual asset registration, white paper disclosure, ongoing market information requirements and technology audit reports submitted to the CMA within four months of financial year-end.
Ten Compliance Priorities Firms Cannot Ignore
The framework places ten areas under heightened regulatory scrutiny. Each carries practical implications that go beyond policy documentation.
Licensing scope and activity classification demand immediate attention. Firms must assess whether existing or planned services fall within the defined categories and whether their current licence covers all relevant activities. This assessment has direct implications for capital requirements. Category One (dealing as principal with client assets) requires a minimum of AED 4 million or 35% of audited annual expenses, whichever is higher.
Governance and senior management accountability are central to the framework. The CMA requires clearly defined roles for the Senior Manager, CEO, CFO, Compliance Officer, MLRO, Risk Officer and Internal Auditor. Key positions including the CEO and Compliance Officer must be held by UAE-resident individuals. Combining roles is permitted within defined parameters but requires documented assessment of conflicts and effective controls.
Operationalisation of policies and controls reflects a clear regulatory direction: documentation is a starting point, not an end point. The CMA expects firms to demonstrate that policies are actively implemented, tested and evidenced through logs, reports and monitoring outcomes. Gap between written policy and operational reality is a primary inspection focus.
Cybersecurity is elevated to a board-level risk. The General Framework Module dedicates an entire chapter to cybersecurity risk management, requiring firms to maintain an approved framework, conduct regular risk assessments, implement multi-factor authentication, establish incident response plans and report material cybersecurity incidents to the CMA within 72 hours.
Client conduct requirements are granular and enforceable. The Business Regulation Module introduces specific standards for suitability assessments, appropriateness assessments, conflict of interest management, order execution practices and periodic client reporting. Retail client protections are particularly detailed. Firms must retain suitability and appropriateness records for six years and update assessments every three years or on material change.
AML and CTF integration across business processes is a non-negotiable baseline. The framework requires customer due diligence, transaction monitoring, sanctions screening and MLRO oversight to be embedded in daily operations. Firms that treat compliance as a quarterly exercise rather than a continuous function will face the most significant gaps.
Recordkeeping and audit readiness underpin the entire framework. Six-year retention periods apply across most categories of record. Firms must be able to reproduce records in a readable format within three business days. Annual external audits are mandatory and the CMA retains the right to appoint an independent expert at the firm’s expense where manipulation, fraud or misconduct is suspected.
Market integrity obligations for trading venue operators extend to transaction surveillance, market abuse prevention systems, erroneous trade controls and transparency requirements at both pre-trade and post-trade stages. Firms must notify the CMA immediately upon identifying suspected fraud or manipulation.
Local substance expectations are codified. The presence of key individuals in the UAE is a licence condition, not a best practice. The Senior Manager exemption from permanent residency is narrow and conditional, requiring effective internal control frameworks and direct communication channels with the regulator.
Wind-down and client protection planning is required before it becomes necessary. The framework includes detailed provisions for licence cancellation, voluntary liquidation, preventive composition and bankruptcy. Firms are expected to maintain documented wind-down plans and communicate with the CMA at least ten to fifteen working days before initiating any such proceedings.
Transition: What Existing Licence Holders Must Do
The framework took effect immediately upon publication. Existing licence holders have up to one year to achieve compliance with the Business Regulation Module and the ATS Module. Compliance with the General Framework Module is required from the effective date. Applications that had not reached initial approval stage at publication are deemed null and must be resubmitted under the new framework without payment of an additional application fee.
Firms that do not meet transition requirements during the regularisation period remain subject to the administrative penalties set out in Cabinet Resolution No. 99 of 2024.
The Practical Starting Point
For most firms, the immediate priority is a structured gap assessment against all three modules. This means reviewing activity classifications against the licensing categories, assessing governance structures and key person arrangements, reviewing client-facing documentation and processes against the Business Regulation Module, and evaluating cybersecurity frameworks against the requirements of the General Framework Module.
The UAE has signalled clearly that virtual asset regulation is now capital markets regulation. Firms that approach this framework with the same rigour applied to traditional financial services licensing will be positioned to operate with confidence. Those that treat it as a compliance update rather than a structural review risk falling short of expectations that are, as of 13 February 2026, legally binding.
j. awan & partners advises regulated entities on licensing, compliance frameworks and regulatory strategy across UAE and GCC jurisdictions. To discuss the implications of Resolution No. 04/2026 for your firm, please get in touch.
Stay up to date with our latest news
The UAE Capital Markets Authority has introduced a comprehensive federal framework for Virtual Asset Service Providers. Issued on 13 February 2026, Resolution No. 04/2026 replaces previous VASP provisions and establishes a unified licensing regime that took effect immediately upon publication. For firms operating in or entering the UAE virtual asset space, the question is not whether this applies to them. It is whether they are ready.
From SCA to CMA: A Regulatory Evolution
Effective 1 January 2026, the former Securities and Commodities Authority transitioned into the Capital Markets Authority under Federal Decree-Laws No. 32 and 33 of 2025. This was not a rebrand. It represented a material expansion of mandate, bringing virtual assets and related activities expressly within the CMA’s supervisory scope. The new framework consolidates that mandate into a single, modular rulebook.
The Framework: Three Modules, One Standard
Resolution No. 04/2026 is structured across three interlocking modules, each targeting a distinct layer of compliance.
The General Framework Module sets the foundation. It defines the licensed activities, establishes licensing categories with corresponding capital requirements, and imposes broad governance, systems and controls, and cybersecurity obligations applicable to all VASPs. Eight regulated activities are defined: dealing as principal, dealing as agent, providing custody, arranging custody, operating a multilateral trading facility, providing investment advice, portfolio management and arranging investment deals. Firms must map their current and planned activities against these categories to determine which licence or combination of licences applies.
The Business Regulation Module governs how licensed firms interact with clients. It introduces detailed requirements across client classification, suitability and appropriateness assessments, marketing materials, best execution, trade confirmations, client asset and fund safeguarding, margin trading, lending and borrowing, staking and digital wallet services. The obligations differ by client type. Retail clients attract the highest level of protection, including negative balance protection on margin positions, mandatory risk disclosure statements and 20% net equity close-out thresholds. Firms are also required to integrate AML and CTF obligations throughout the client lifecycle rather than treating them as a standalone compliance function.
The Alternative Trading System Module applies to operators of trading venues. It introduces requirements on market infrastructure, order transparency, short selling controls, erroneous trade management, market abuse prevention and operational resilience. Virtual asset MTF operators face additional obligations, including virtual asset registration, white paper disclosure, ongoing market information requirements and technology audit reports submitted to the CMA within four months of financial year-end.
Ten Compliance Priorities Firms Cannot Ignore
The framework places ten areas under heightened regulatory scrutiny. Each carries practical implications that go beyond policy documentation.
Licensing scope and activity classification demand immediate attention. Firms must assess whether existing or planned services fall within the defined categories and whether their current licence covers all relevant activities. This assessment has direct implications for capital requirements. Category One (dealing as principal with client assets) requires a minimum of AED 4 million or 35% of audited annual expenses, whichever is higher.
Governance and senior management accountability are central to the framework. The CMA requires clearly defined roles for the Senior Manager, CEO, CFO, Compliance Officer, MLRO, Risk Officer and Internal Auditor. Key positions including the CEO and Compliance Officer must be held by UAE-resident individuals. Combining roles is permitted within defined parameters but requires documented assessment of conflicts and effective controls.
Operationalisation of policies and controls reflects a clear regulatory direction: documentation is a starting point, not an end point. The CMA expects firms to demonstrate that policies are actively implemented, tested and evidenced through logs, reports and monitoring outcomes. Gap between written policy and operational reality is a primary inspection focus.
Cybersecurity is elevated to a board-level risk. The General Framework Module dedicates an entire chapter to cybersecurity risk management, requiring firms to maintain an approved framework, conduct regular risk assessments, implement multi-factor authentication, establish incident response plans and report material cybersecurity incidents to the CMA within 72 hours.
Client conduct requirements are granular and enforceable. The Business Regulation Module introduces specific standards for suitability assessments, appropriateness assessments, conflict of interest management, order execution practices and periodic client reporting. Retail client protections are particularly detailed. Firms must retain suitability and appropriateness records for six years and update assessments every three years or on material change.
AML and CTF integration across business processes is a non-negotiable baseline. The framework requires customer due diligence, transaction monitoring, sanctions screening and MLRO oversight to be embedded in daily operations. Firms that treat compliance as a quarterly exercise rather than a continuous function will face the most significant gaps.
Recordkeeping and audit readiness underpin the entire framework. Six-year retention periods apply across most categories of record. Firms must be able to reproduce records in a readable format within three business days. Annual external audits are mandatory and the CMA retains the right to appoint an independent expert at the firm’s expense where manipulation, fraud or misconduct is suspected.
Market integrity obligations for trading venue operators extend to transaction surveillance, market abuse prevention systems, erroneous trade controls and transparency requirements at both pre-trade and post-trade stages. Firms must notify the CMA immediately upon identifying suspected fraud or manipulation.
Local substance expectations are codified. The presence of key individuals in the UAE is a licence condition, not a best practice. The Senior Manager exemption from permanent residency is narrow and conditional, requiring effective internal control frameworks and direct communication channels with the regulator.
Wind-down and client protection planning is required before it becomes necessary. The framework includes detailed provisions for licence cancellation, voluntary liquidation, preventive composition and bankruptcy. Firms are expected to maintain documented wind-down plans and communicate with the CMA at least ten to fifteen working days before initiating any such proceedings.
Transition: What Existing Licence Holders Must Do
The framework took effect immediately upon publication. Existing licence holders have up to one year to achieve compliance with the Business Regulation Module and the ATS Module. Compliance with the General Framework Module is required from the effective date. Applications that had not reached initial approval stage at publication are deemed null and must be resubmitted under the new framework without payment of an additional application fee.
Firms that do not meet transition requirements during the regularisation period remain subject to the administrative penalties set out in Cabinet Resolution No. 99 of 2024.
The Practical Starting Point
For most firms, the immediate priority is a structured gap assessment against all three modules. This means reviewing activity classifications against the licensing categories, assessing governance structures and key person arrangements, reviewing client-facing documentation and processes against the Business Regulation Module, and evaluating cybersecurity frameworks against the requirements of the General Framework Module.
The UAE has signalled clearly that virtual asset regulation is now capital markets regulation. Firms that approach this framework with the same rigour applied to traditional financial services licensing will be positioned to operate with confidence. Those that treat it as a compliance update rather than a structural review risk falling short of expectations that are, as of 13 February 2026, legally binding.
j. awan & partners advises regulated entities on licensing, compliance frameworks and regulatory strategy across UAE and GCC jurisdictions. To discuss the implications of Resolution No. 04/2026 for your firm, please get in touch.
16 APR 2026
The UAE's New Federal VASP Framework