The UAE's eight CMA-licensed crypto activities explained - capital requirements, compliance obligations and deadlines under Decision No. 4/R.M/2026.
- Decision No. 4/R.M/2026, issued by the Capital Markets Authority on 13 February 2026, replaces the previous federal VASP framework entirely and establishes eight distinct licensed activities.
- Minimum capital requirements range from AED 500,000 for operating a trading platform to AED 4,000,000 for dealing as principal, with expense-based and risk-based calculations potentially raising the effective floor.
- Licensed entities must appoint six mandatory senior roles, with the CEO, Compliance Officer and MLRO required to reside in the UAE and hold individual CMA accreditation.
- Privacy tokens, algorithmic tokens and discretionary trading platforms are absolutely prohibited, with no licensing pathway or exemption available.
- Existing licensees have until 13 February 2027 to comply with the new framework, while preliminary approval holders face a six-month window.
- Compliance obligations span board-approved cybersecurity frameworks, 72-hour incident reporting, client classification, suitability assessments and six-year record retention.
How the CMA's New Federal Framework Reshapes VASP Licensing in the UAE
The UAE's Capital Markets Authority (CMA) issued Decision No. 4/R.M/2026 on 13 February 2026, replacing the previous federal virtual asset framework in its entirety. This is not an amendment. It is a comprehensive new rulebook that redefines how VASP licensing works at the federal level, establishing eight distinct activity categories with materially higher capital, governance and AML/CFT compliance thresholds.
For any business operating a crypto exchange, virtual asset custody service, brokerage, advisory platform or portfolio management operation in or from the UAE, this Decision is now the single most important federal regulatory instrument. It sits alongside - not above - the frameworks maintained by VARA in Dubai, ADGM's FSRA in Abu Dhabi, the DFSA in the DIFC, and the CBUAE for payment tokens. Compliance with one framework does not substitute for compliance with another.
What Decision No. 4/R.M/2026 Means for Virtual Asset Licensing in the UAE
Decision No. 4/R.M/2026 supersedes Decision No. 26/R.M/2023 and repeals the virtual asset provisions of the previous Financial Activities Rulebook. The new framework is structured across three consolidated modules, each addressing a distinct regulatory layer.
The General Framework Module establishes definitions, regulatory scope, the eight licensed activity categories, licensing procedures and principal standards. This is the constitutional layer that determines whether a particular activity falls within the CMA's jurisdiction and what form of authorisation is required.
The Business Regulation Module governs operational conduct after licensing. It covers client classification, suitability assessments, conflict of interest management, record-keeping, margin trading, lending, staking and digital wallet requirements. In practice, this is where day-to-day compliance obligations sit.
Finally, the Alternative Trading System Module applies specifically to entities operating multi-party trading platforms. It addresses technology governance, market surveillance, trade reporting, business continuity and disaster recovery standards. Together, the three modules create a comprehensive regime that the CMA has described as moving toward institutional resilience rather than market-access-led regulation.
The Eight Licensed Financial Activities Explained
Under Article 12 of the General Framework Module, eight distinct financial activities now require a CMA licence. Operating any of these without authorisation is prohibited and may attract sanctions under Cabinet Resolution No. 99 of 2024. The licensing regime is activity-based, meaning firms conducting multiple activities must hold separate authorisation for each one.
Dealing as Principal and Dealing as Agent
Dealing as principal means buying and selling virtual assets using the entity's own capital and bearing direct market risk. Any entity that actively advertises its readiness to transact will be treated as a principal dealer regardless of how individual transactions are structured. This activity carries the highest minimum capital at AED 4,000,000.
Dealing as agent, by contrast, means executing transactions on behalf of a client without using the entity's own capital. The agent bears no direct market risk. However, where an agent concludes transactions as principal solely to fulfil client orders, it may be reclassified. This activity requires AED 1,000,000 minimum capital.
The distinction matters because misclassification between these two categories can trigger enforcement action. A business describing itself as an agent but routinely taking principal positions is operating without the correct licence.
Providing Custody and Arranging Custody
Providing custody means safeguarding client virtual assets by controlling cryptographic keys or holding assets on a distributed ledger. Where a custodian delegates functions to a third party, it remains fully liable. That third party must itself be CMA-licensed or hold equivalent regulatory authorisation. Minimum capital is AED 3,000,000.
Arranging custody is a legally distinct activity. The arranger facilitates a client's access to a licensed custodian without itself holding client assets. This includes negotiating terms, assisting with onboarding and transmitting instructions. Entities that merely introduce clients without financial compensation are exempt. This activity requires AED 1,000,000.
Confusing custody with arranging custody is one of the most common licensing errors. The infrastructure requirements differ fundamentally. A custody provider needs secure storage architecture, disaster recovery and insurance arrangements. An arranger does not.
Operating a Multi-Party Trading Platform
This activity covers the operation of an automated marketplace matching buy and sell orders from multiple parties on a non-discretionary, rules-based basis. Organised Trading Facilities - which involve discretionary matching - are expressly prohibited for crypto. All trading must follow pre-established, automatic rules.
At AED 500,000, this carries the lowest Article 21 minimum capital. However, when combined with other activities such as custody or dealing, the capital requirement escalates. Platform operators must also maintain liquid resources sufficient to cover at least six months of operating expenses.
Investment Advice, Portfolio Management and Arranging Transactions
Providing investment advice means giving personalised recommendations to a specific investor about buying, selling or holding a virtual asset. General market commentary does not qualify. Advisors are subject to comprehensive suitability obligations and must document assessments for at least eight years.
Portfolio management covers both discretionary and non-discretionary management of client virtual asset holdings. This includes objective-setting, asset allocation, risk management and performance monitoring. Entities acting solely on specific per-transaction client instructions are excluded.
Arranging investment transactions means creating arrangements that enable another person to buy or sell a virtual asset, without the arranger being a party to the trade. All three activities require AED 1,000,000 minimum capital. For advisory and portfolio management services, the CMA imposes detailed suitability assessment requirements covering client knowledge, financial position and investment objectives.
Capital Requirements and How They Are Calculated
Article 21 of Decision No. 4/R.M/2026 establishes minimum capital floors for each licence category. These are statutory minimums, not ceilings. The CMA applies a three-calculation approach, and the highest figure governs.
The eight licensed activities are grouped into six licence categories for capital purposes, with arranging custody, investment advice and arranging transactions sharing a single tier.
| Licence Category | Activity | Minimum Capital (AED) |
|---|---|---|
| Category 1 | Dealing as Principal | 4,000,000 |
| Category 2 | Dealing as Agent | 1,000,000 |
| Category 3 | Providing Custody | 3,000,000 |
| Category 4 | Arranging Custody, Investment Advice, Arranging Transactions | 1,000,000 |
| Category 5 | Portfolio Management | 1,000,000 |
| Category 6 | Operating a Multi-Party Trading Platform | 500,000 |
The Three-Calculation Approach
Beyond these fixed floors, the CMA requires capital based on projected or audited annual operating expenses - typically 25% to 35% of those expenses. For activities involving client asset holding, the percentage sits at 35%. A separate risk-based calculation may push the requirement higher still, based on factors such as business model complexity, client asset volumes and technology maturity.
In practice, the binding capital requirement for most firms will exceed the Article 21 minimum. A custody provider with AED 20 million in annual operating expenses, for example, would face an expense-based floor of AED 7 million - well above the AED 3 million statutory minimum.
Ongoing Capital Adequacy
Capital adequacy is not a one-time licensing hurdle. Licensed entities must maintain minimum capital continuously after authorisation. If capital falls below the required level during operations, the entity faces immediate disclosure obligations and potential sanctions. Quarterly financial reports submitted within 45 days of each quarter-end give the CMA regular visibility into capital positions.
Governance, Personnel and Residency Requirements
Decision No. 4/R.M/2026 mandates a structured governance model more prescriptive than its predecessor. Every licensed entity must appoint and maintain six defined senior roles at all times.
Mandatory Roles and UAE Residency
The six required positions are Chief Executive Officer, Senior Executive Officer, Compliance Officer, Money Laundering Reporting Officer (MLRO), Finance Director and Internal Auditor. Three of these - the CEO, Compliance Officer and MLRO - must reside in the UAE. This residency requirement signals the CMA's focus on local accountability and prevents wholly offshore governance structures.
All senior personnel must be individually accredited by the CMA before taking up their roles. This creates a formal register of accredited individuals. A compliance officer removed from one firm for regulatory violations will carry that history into future applications. Personnel turnover in any of the six roles requires CMA notification and approval before replacement individuals assume office.
For firms that previously relied on offshore management or outsourced compliance, these requirements will demand material restructuring. Recruitment of suitably qualified UAE-resident individuals for the CEO, Compliance Officer and MLRO positions should be treated as an early priority in any transition plan.
Controller Approvals and Ownership Thresholds
Any person seeking to acquire or increase control in a licensed entity must obtain prior written CMA approval. The thresholds are 10%, 30% and 50% ownership. This applies to new investors, existing shareholders increasing their stakes and corporate restructurings. The CMA assesses controllers on fit and proper criteria covering competence, integrity and financial soundness.
For M&A transactions in the virtual asset space, this adds procedural complexity. Sellers and buyers must coordinate with the CMA before completing transactions, potentially extending deal timelines.
Compliance Obligations: Cybersecurity, Client Classification and Record-Keeping
Beyond governance, Decision No. 4/R.M/2026 establishes detailed operational compliance requirements. These span cybersecurity, client protection, suitability and record retention - each with specific standards that must be embedded into daily operations.
Cybersecurity and Technology Governance
Every licensed entity must establish a board-approved cybersecurity risk management framework. This is not a best-practice recommendation. A policy document that has not been formally adopted by the board does not satisfy the requirement. The framework must cover governance, risk identification, incident response, business continuity and disaster recovery.
Annual penetration testing by qualified independent third parties is mandatory. Multi-factor authentication must be implemented on all internet-facing systems. Any material cybersecurity incident must be reported to the CMA within 72 hours, which puts security operations teams under pressure to investigate and classify incidents rapidly.
Entities operating trading platforms or providing custody must also commission an independent annual technology audit. The audit report must be submitted to the CMA within four months of financial year-end.
Client Classification and Suitability
All clients must be classified as Retail, Professional or Counterpart before any service is provided. This classification drives downstream obligations because different categories receive different levels of protection. Retail investors receive the highest protections, including mandatory suitability assessments and detailed risk disclosures. Classifications must be reviewed every three years.
For firms providing investment advice or portfolio management, suitability assessments are particularly demanding. Before providing advice, the firm must collect information on client knowledge, financial position and investment objectives. Assessments must be documented in writing and retained for at least eight years. Getting client classification wrong affects every downstream compliance obligation.
Record-Keeping and Reporting
All regulatory records must be retained for a minimum of six years. This covers client agreements, transaction records, suitability reports, complaints, compliance procedures and audit documentation. For custodial activities, the retention period extends to eight years following transaction completion.
Records must be maintained in readily accessible formats, protected from loss or unauthorised access, and retrievable during regulatory examinations. For entities with cross-border operations, records must capture transaction origination, intermediaries and beneficial parties to support KYC and AML/CFT tracking across jurisdictions.
Prohibited Activities: What Cannot Be Licensed
Three categories of absolute prohibition apply regardless of licence status. No CMA approval or exemption can override these bans.
Privacy tokens and privacy-enhancing devices are completely prohibited. No entity may trade, custody, advise on or offer privacy tokens to the public in or from the UAE. This covers Monero, Zcash, Dash and any wallet or tool designed to obscure transaction trails or hide holder identities. The DFSA separately banned privacy tokens in the DIFC from January 2026, reinforcing the UAE-wide position.
Algorithmic tokens are equally prohibited. The ban covers any asset generated algorithmically to stabilise the price of, or modify supply and demand for, another virtual asset. This reflects a direct regulatory response to the TerraUSD (UST) collapse. There is no licensing pathway around this prohibition.
Organised Trading Facilities for crypto are banned. All virtual asset trading must occur on non-discretionary, rules-based platforms. Any trading system that involves manual or discretionary order matching is prohibited. Platform operators whose systems include any element of human discretion in trade matching must assess this carefully before applying.
Utility tokens and NFTs occupy a narrower restricted category. Licensed entities may provide custody or operate trading platforms for these assets, but only with prior CMA approval. General utility token or NFT service provision outside these two narrow exceptions is not permitted.
Compliance Deadlines and Transition Periods
Every deadline runs from the Decision's effective date of 13 February 2026. The compliance calendar is compressed and the consequences for missing deadlines are material.
Existing licensed entities have one year - until 13 February 2027 - to comply with the Business Regulation Module and Alternative Trading System Module requirements. During this period, existing licensing conditions remain enforceable. However, the CMA has emphasised this is not a grace period to defer action. Entities should immediately assess their business models, governance structures and compliance infrastructure against the new standards.
Preliminary approval holders face a tighter window. They must fulfil all licensing requirements within six months of receiving preliminary approval. A single extension of six months is available at CMA discretion but is not guaranteed. The CMA expects applicants to be substantially prepared before entering the licensing pipeline.
Ongoing reporting obligations add further time pressure. Quarterly financial reports are due within 45 days of quarter-end. Material cybersecurity incidents must be reported within 72 hours. Entities intending to file for bankruptcy must notify the CMA 15 working days before filing. Creditor composition requests require 10 working days' notice.
What This Means for Compliance Officers and In-House Legal Teams
For compliance officers and in-house counsel at UAE virtual asset businesses, Decision No. 4/R.M/2026 demands an organisational-scale response. The transition from the previous framework is not a matter of updating documents. It is a fundamental shift in regulatory philosophy toward institutional resilience.
The immediate priority is mapping existing activities against the eight new licence categories. Activities previously characterised under the 2023 framework may require a different or additional licence category. Does your platform operation include custody functions that must now be separately licensed? Does your brokerage activity constitute dealing as agent - or does it involve principal positions that change the classification entirely?
Capital adequacy must be assessed against all three calculations: the Article 21 floor, the expense-based percentage and any risk-based adjustment. Even firms that meet the statutory minimum may face a higher binding requirement. Where shortfalls are identified, capital must be deployed or operations restructured.
Governance compliance requires urgent attention, particularly the UAE residency requirements for CEO, Compliance Officer and MLRO positions. Recruitment of qualified UAE-resident individuals takes months, and individual CMA accreditation adds further lead time. Starting this process in month ten of a twelve-month transition window is not a viable strategy. For a broader view of the UAE's evolving licensing landscape, compliance teams should monitor developments across all five regulators simultaneously.
What Clients are Asking their Advisors
What are the eight licensed crypto activities under the UAE's 2026 federal regulations?
Decision No. 4/R.M/2026 requires CMA licensing for eight activities: dealing as principal, dealing as agent, providing custody, arranging custody, operating a multi-party trading platform, providing investment advice, portfolio management, and arranging investment transactions. Each carries specific capital requirements ranging from AED 500,000 to AED 4,000,000, with the CMA able to impose higher effective minimums through expense-based and risk-based calculations.
How much capital do I need for a CMA crypto licence in the UAE?
Article 21 sets minimum floors from AED 500,000 (trading platform) to AED 4,000,000 (dealing as principal). However, the CMA also applies an expense-based test (25-35% of annual operating costs) and a risk-based assessment. The highest of all three figures becomes the binding requirement. Capital must be maintained on an ongoing basis, not only at the point of application.
What is the difference between providing custody and arranging custody under UAE crypto law?
Providing custody means directly holding and safeguarding client virtual assets, including controlling cryptographic keys. It requires AED 3,000,000 minimum capital plus secure storage infrastructure and disaster recovery systems. Arranging custody means facilitating access to a licensed custodian without holding assets yourself - requiring AED 1,000,000. Misclassifying one as the other is a common and costly licensing mistake.
Are privacy tokens and algorithmic stablecoins banned in the UAE?
Yes. Decision No. 4/R.M/2026 imposes absolute prohibitions on privacy tokens such as Monero and Zcash, privacy-enhancing devices, and algorithmic tokens designed to stabilise another asset's price. No licence or CMA approval can override these bans. The DFSA separately banned privacy tokens in the DIFC from January 2026, making the prohibition effectively UAE-wide across all regulatory jurisdictions.