Overview

On 1 January 2026, the UAE's Securities and Commodities Authority (SCA) was reconstituted as the Capital Market Authority (CMA) pursuant to Federal Decree-Law No. 32 of 2025 - a federal public authority with legal personality, financial and administrative independence, and direct accountability to the UAE Cabinet. This is not a rebranding exercise. The CMA carries a materially expanded statutory mandate, including explicit federal authority over virtual assets used for investment purposes, extraterritorial reach over activities targeting UAE clients from outside the country or from within financial free zones, and a significantly enhanced enforcement toolkit with criminal penalties of up to AED 250 million for unlicensed activity.

Federal Decree-Law No. 33 of 2025, enacted simultaneously, codified the new licensing regime for financial activities and brought virtual assets firmly within the federal capital markets perimeter (except within the Emirate of Dubai - which remains under VARA).. On 13 February 2026, the CMA gave the framework its operational form by issuing Decision No. 4/R.M/2026 — replacing the 2023 federal VASP regime in its entirety and establishing the comprehensive three-module rulebook that governs all virtual asset activity in and from the UAE today.

Scope

The CMA's framework is structured across three interlocking modules. 

• The General Framework Module serves as the foundational layer and applies to all licensed entities - establishing universal requirements across licensing, governance, cybersecurity, key personnel, AML/CFT obligations, virtual asset registration, and general conduct. 
• The Business Regulation Module governs client-facing conduct, covering client classification, suitability and appropriateness, client asset protection, margin trading, order handling, record-keeping and periodic disclosure. 
• The Alternative Trading System Module sets the operational standards for trading venues, covering both Multilateral Trading Facilities (MTFs) and Organised Trading Facilities (OTFs), with dedicated chapters for tokenised securities platforms and virtual asset MTFs specifically.

Licence Categories

Applicants may apply for one or a combination of eight licensed activity categories:

• Advisory Services — Guidance on the acquisition, disposal or management of virtual assets.
• Arranging Investment Deals — Making arrangements that enable clients to buy, sell or subscribe to virtual assets, including order transmission and coordination roles.
• Dealing in Virtual Assets — Buying and selling virtual assets as principal or agent on behalf of clients.
• Managing Virtual Assets - Discretionary portfolio management of virtual assets on behalf of clients.
• Operating a Collective Investment Scheme - Managing pooled virtual asset investment structures.
• Providing Virtual Asset Custody Services - Safekeeping of client virtual assets through cryptographic key control, operated as a licensed Digital Wallet Service Provider.
• Operating an Alternative Trading System - Running an MTF or OTF for the trading of virtual assets or tokenised securities.
• Virtual Asset Transfer and Settlement Services - On-chain and off-chain payment and settlement infrastructure.

Applicant Profiles

The CMA accepts applications from a broad range of entities - including exchanges, custodians, broker-dealers, asset managers, tokenisation platforms and emerging digital asset businesses - provided they can demonstrate adequate UAE substance, fit-and-proper management and sufficient capitalisation. 

All licensed entities must maintain a physical head office within the UAE. Foreign firms are required to establish a UAE-incorporated entity; overseas licences do not confer authorisation to operate within the UAE's federal perimeter. Entities already licensed by VARA, DFSA or FSRA remain subject to CMA obligations where their activities extend to the mainland or target clients across the UAE, and dual compliance is now an operational reality for many established operators. 

Process

The licensing journey follows two formal stages:

In-Principle Approval - Applicants submit a business plan, proposed governance framework and supporting documentation. The CMA has a 45-working-day decision window from the date of a complete submission. Approval is valid for six months, with one possible extension, and does not constitute a licence.

Full Licence - The complete policy and procedural suite, technology architecture documentation, key person approvals, capital evidence and virtual asset registration submissions are reviewed. The CMA has a 60-working-day decision clock at this stage. Operational go-live is conditional on satisfying all regulatory conditions in full.

Key Considerations

Capital - Minimum capital requirements range from AED 500,000 for advisory and arranging activities to AED 4 million for entities operating trading platforms or providing custody services, with thresholds calibrated to activity type and risk profile.

Governance - A physical head office in the UAE is mandatory. Four key roles must be held by UAE-resident individuals: the Chief Executive Officer, Senior Manager, Compliance Officer, and Anti-Money Laundering Reporting Officer. All key persons and controllers are subject to a formal Fit and Propriety assessment by the CMA. A minimum of 15 CPD hours per year is required for the Senior Executive Officer, Compliance Officer and AMLRO.

Technology - Annual penetration testing, an ICT asset inventory, multi-factor authentication on all critical systems, and real-time cybersecurity monitoring are mandatory for all licensed entities. Material cybersecurity incidents must be reported to the CMA within 72 hours. Operators of tokenised securities or virtual asset MTFs must additionally submit an annual Technology Audit Report within four months of their financial year end.

Token Admission - Before any virtual asset can be made available to clients, it must be registered with the CMA and, for MTF operators, supported by a published Key Characteristics Document and White Paper. Privacy tokens and algorithmic tokens are categorically prohibited.

Records - All records must be retained for a minimum of six years and be capable of reproduction within three working days.

Transition - Entities subject to the Business Regulation and Alternative Trading System Modules have until 13 February 2027 to achieve full compliance. This window is already running.

Engage CFC

CFC's regulatory specialists have deep working knowledge of the CMA's three-module framework - from In-Principle Approval through to full licence and ongoing supervisory compliance. We support clients across the full spectrum of licensed activities, delivering pre-submission gap analyses, regulator-ready governance frameworks, technology documentation and virtual asset registration submissions that are aligned to CMA expectations from day one. Engage CFC to navigate the complexity, compress your timeline and build a compliance architecture that stands up to the CMA's scrutiny.