Federal · Capital Markets Authority

CMA Crypto License UAE — the federal path for virtual asset service providers

The UAE Capital Markets Authority issued Decision 4/R.M/2026 on 13 February 2026, replacing the 2023 SCA VASP framework with a new three-module federal regime. Every crypto exchange, custodian, broker, adviser and portfolio manager operating in or from the UAE outside VARA, ADGM, DIFC and CBUAE perimeters now sits within the CMA framework.

Schedule Consultation → Read Our Insights
1,000+
Crypto clients advised since 2015
USD 1.4B+
Transactions advised
All 5
UAE crypto regulators covered
World's 1st
Cryptocurrency IPO completed

What the UAE CMA regulates — and how it differs from VARA, ADGM, DIFC and CBUAE

The UAE has five distinct virtual asset regulators. Understanding which one applies to your business is the first decision in any UAE crypto licensing strategy.

RegulatorJurisdictionWhat they regulate
CMA (federal Capital Markets Authority)UAE federal level, excluding Dubai mainland (VARA), ADGM, DIFCFederal VASP framework — exchanges, custody, broker-dealer, advisory, portfolio management
VARAEmirate of Dubai (excluding DIFC)Seven activity categories: advisory, broker-dealer, custody, exchange, lending, management, transfer & settlement
ADGM FSRAAbu Dhabi Global Market free zoneVirtual Assets Framework — exchanges, custodians, fund managers
DIFC DFSADubai International Financial Centre free zoneCrypto Token regime for institutional players
CBUAEUAE federal, payment-token specificPayment Token Services Regulation (stablecoins, payment-token issuers)

The CMA is the UAE's only nationally-reaching federal crypto regulator for non-payment-token activity. For multi-emirate operators (e.g. a crypto exchange serving Abu Dhabi, Sharjah and northern emirates), the CMA framework is the appropriate authorisation route — VARA's territorial limit to Dubai means it cannot serve clients nationally.

The new 2026 framework — Decision 4/R.M/2026

On 13 February 2026, the UAE Capital Markets Authority issued Decision No. 4/R.M/2026, replacing the prior 2023 SCA VASP Framework. The new framework is structured in three modules:

  1. Module 1 — General Principles & Authorisation. Defines the licensable activities, the application process, fit-and-proper standards for senior management, and the federal registry of authorised VASPs.
  2. Module 2 — Conduct of Business & Prudential Requirements. Sets capital, liquidity, segregation, custody, AML/CFT, market conduct, and consumer protection requirements per activity category.
  3. Module 3 — Token Regulation & Cross-Border Recognition. Addresses token classification (utility, security, payment), the regulator-to-regulator recognition framework with VARA, ADGM, DIFC and CBUAE, and the federal token registry.

CMA license categories

The CMA framework regulates five primary activity categories. Each requires separate authorisation (an operator providing multiple activities applies for the relevant combination):

CategoryWhat it coversIndicative capital
ExchangeOperating a multilateral facility matching buyers and sellers of virtual assetsAED 1.5M+ (varies by tier)
CustodyHolding or controlling client virtual assets or private keysAED 2M+ (varies by AUC)
Broker-DealerReceiving, transmitting or executing client ordersAED 500K+
AdvisoryAdvice to clients on the merits of buying, selling or holding virtual assetsAED 100K-300K
Portfolio ManagementDiscretionary management of client virtual asset portfoliosAED 500K-1M+

Indicative capital figures shown — the operative requirements are set out in Module 2 and vary by sub-category, projected AUC/AUM, and operational risk profile.

Who needs a CMA license — vs VARA, ADGM or DIFC

The simplest decision rule:

For most institutional crypto operators, the practical question becomes "VARA or CMA?" — and the answer turns on geographic scope and target market: VARA for Dubai-concentrated retail or institutional, CMA for multi-emirate institutional reach.

Application process & timeline

The CMA application is a four-stage process:

  1. Pre-application engagement — informal scoping with the CMA's Virtual Asset team; identifying category, model, and timeline. Typically 2-4 weeks.
  2. Initial Disclosure Document (IDD) — formal pre-application package: entity, ownership, business model, financial projections, governance, AML/CFT framework, technology architecture. Review: 4-8 weeks.
  3. Full Application & In-Principle Approval (IPA) — comprehensive application including policies, audited capital injection, BCP/DR, and senior management approved-person assessments. CMA decision: 8-16 weeks.
  4. Licence grant & operational readiness — final conditions cleared, licence issued, go-live readiness inspection. Typically 4-8 weeks after IPA.

Total realistic timeline: 6-12 months for a well-prepared applicant. Faster than ADGM/DIFC for institutional models; comparable to VARA.

How Neo Legal advises CMA applicants

Neo Legal's UAE financial services practice covers the full federal regulatory perimeter — CMA, CBUAE PTSR, plus VARA, ADGM FSRA and DIFC DFSA where the choice of regulator is part of the structuring exercise. Our team includes Manpreet Kaur, our Director of Licensing & Regulatory Compliance, who previously served at VARA itself and has direct insight into UAE regulator expectations across all five frameworks.

Our CMA engagements typically follow this pattern:

Frequently asked questions.

What is the UAE CMA crypto license?
The CMA crypto license is a federal authorisation issued by the UAE Capital Markets Authority under Decision 4/R.M/2026 (effective February 2026), permitting a regulated entity to provide virtual asset services — exchange, custody, broker-dealer, advisory, or portfolio management — at the federal level across the UAE (excluding Dubai which is governed by VARA, plus ADGM, DIFC, and CBUAE for payment tokens). It replaces the 2023 SCA VASP framework.
How is the CMA different from VARA?
Jurisdiction is the key difference. The CMA is a federal regulator with nationwide reach (excluding the four other regulator perimeters: VARA in Dubai, ADGM, DIFC, CBUAE for payment tokens). VARA's reach is limited to the Emirate of Dubai (excluding DIFC). For multi-emirate operators, only the CMA can authorise national operations. Many institutional models therefore prefer CMA over VARA despite VARA's earlier maturity.
How much does a CMA crypto license cost?
Capital requirements vary by category: Exchange and Custody typically require AED 1.5-2M+ in minimum capital, Broker-Dealer AED 500K+, Advisory AED 100-300K, Portfolio Management AED 500K-1M+. Application and supervision fees vary by activity tier. Total all-in cost (capital + fees + legal/compliance setup) for an exchange license is typically AED 2.5-5M+ in year one.
How long does CMA licensing take?
Realistically 6-12 months from pre-application engagement to licence grant, broken into four stages: pre-application engagement (2-4 weeks), Initial Disclosure Document review (4-8 weeks), full application and In-Principle Approval (8-16 weeks), and final licence grant after operational readiness clearance (4-8 weeks).
Do I need a CMA license if I already have a VARA license?
Generally no — operating from Dubai under a VARA licence covers your Dubai activity. The CMA framework specifically excludes activities authorised under VARA, ADGM, DIFC and CBUAE. The question only arises if you want to extend operations beyond Dubai into other emirates — in which case the CMA would authorise that broader reach.
Can foreign crypto exchanges get a CMA license?
Yes. The CMA framework permits foreign-owned entities provided they establish a UAE-incorporated subsidiary (or branch via the appropriate authorisation) that meets all capital, substance, key-personnel and AML/CFT requirements. The CMA also operates a cross-border recognition framework under Module 3 of Decision 4/R.M/2026 for certain home-regulator equivalents.
What activities are covered by the CMA crypto license?
The CMA framework covers five primary categories: (i) Exchange — operating multilateral matching facilities; (ii) Custody — holding or controlling client virtual assets; (iii) Broker-Dealer — receiving and transmitting client orders; (iv) Advisory — investment-merits advice on virtual assets; (v) Portfolio Management — discretionary management of client portfolios. Each requires separate authorisation.
What capital does the CMA require?
Capital requirements are activity-dependent and set out in Module 2 of Decision 4/R.M/2026. Indicative ranges: Exchange AED 1.5M+, Custody AED 2M+ (varies by AUC), Broker-Dealer AED 500K+, Advisory AED 100-300K, Portfolio Management AED 500K-1M+. The CMA also requires expense-based capital (typically 1.2-1.5x monthly operating expenses) and operational risk buffers.
Are stablecoins regulated by the CMA?
Stablecoins denominated in AED or with UAE-resident clients fall under the CBUAE Payment Token Services Regulation (PTSR), not the CMA. Stablecoins denominated in other fiat currencies or asset-referenced tokens that fall outside the PTSR scope may sit within the CMA's Module 3 token regulation framework. We advise clients on the precise classification per token design.
Who is the regulator behind the CMA? Is this the same as the SCA?
The Capital Markets Authority is the rebranded successor to the Securities and Commodities Authority (SCA), reflecting an expanded mandate that explicitly includes virtual asset and digital securities regulation alongside traditional capital markets oversight. The transition was formalised through 2025-2026 reforms culminating in Decision 4/R.M/2026.
How does Neo Legal help with CMA applications?
Neo Legal provides end-to-end CMA advisory: regulator-selection opinions (CMA vs VARA vs ADGM vs DIFC), UAE entity establishment, pre-application CMA engagement, Initial Disclosure Document drafting, full application drafting (policies, AML/CFT, governance, BCP/DR), approved-person sourcing and submission, ongoing regulator liaison through licence grant, and post-licence regulatory supervision retainers.
Related insights & resources
The CMA Virtual Asset Regulations Explained
Detailed practitioner walkthrough of the federal-level framework that complements VARA at the emirate level.
Do I Need a VARA Licence?
Decision flowchart — seven questions that determine whether your activity falls within VARA or CMA jurisdiction.
Crypto Exchange License UAE — Full Regulator Comparison
Side-by-side: which UAE regulator suits which exchange model — VARA, CMA, ADGM, DIFC.
UAE Licensing Tracker
Free monthly-updated tracker of every entity licensed by VARA, ADGM, DIFC, CMA and CBUAE.
VARA Licensing Practice
For Dubai-focused crypto operators, our full VARA licensing practice — all seven categories.
UAE Financial Services Licensing
The broader UAE financial-services licensing practice across all five regulators.

Speak with senior counsel.

Neo Legal engagements are partner-led from day one. Tell us about your matter — we respond directly.

Schedule a Consultation