On September 16, 2025, the United Arab Emirates enacted Federal Decree Law No. 6 of 2025, introducing one of the most consequential regulatory shifts for the crypto industry in the Middle East. The law eliminates the ability for DeFi protocols to avoid regulation by claiming they are "just code," bringing decentralized exchanges, cross-chain bridges, stablecoins, and Web3 infrastructure under the Central Bank of the UAE's direct oversight.
With administrative penalties reaching up to AED 1 billion ($272 million) and criminal sanctions for unlicensed activities, the new framework marks a decisive shift from the UAE's previously fragmented regulatory landscape to a comprehensive federal approach. The law grants crypto companies a one-year transitional period until September 2026 to either obtain proper licensing, partner with licensed entities, or cease operations targeting UAE users.
For international crypto companies, the challenge lies in navigating the UAE's complex multi-layered regulatory architecture—spanning the Central Bank of the UAE (CBUAE), Securities and Commodities Authority (SCA), Dubai's Virtual Assets Regulatory Authority (VARA), and the financial free zones DIFC and ADGM—each with distinct frameworks and licensing requirements.
To understand the practical implications of this regulatory evolution, we spoke with Gabriel Elmarzouki and Mehdi Al Ghafari of Astruc & Co., a Dubai-based law firm with extensive experience in UAE virtual assets regulations and defending victims of crypto-related frauds, under the supervision of Romain Astruc, Managing Partner. Their insights provide crucial guidance for DeFi protocols, crypto platforms, and investors navigating this new compliance landscape.
From "Just Code" to Full Accountability - The Criminal Law Dimension
Federal Decree Law No. 6 of 2025 eliminates the ability for DeFi protocols to avoid regulation by claiming they are "just code," bringing protocols, DEXs, and cross-chain bridges under Central Bank oversight. Given your specialization in criminal law and your experience defending victims of crypto-assets related frauds, how does this law change the criminal liability landscape for developers, protocol operators, and DAO participants? What specific criminal risks should crypto founders operating in or targeting the UAE be aware of, and how can they structure their operations to avoid crossing into criminal territory?
Federal Decree-Law No. 6 of 2025 Regarding the Central Bank, Regulation of Financial Institutions and Activities, and Insurance Business (the “New CBUAE Law”) came into force on 16 September 2025 and gives DeFi, DEX and infrastructure players something they have never really had in the UAE: a clear federal answer to the argument that they are “just code”.
The starting point is the definition of “Virtual Assets” in Article 1, as a digital representation of value or rights transferable and storable electronically using distributed ledger technology, excluding the digital form of the UAE dirham. Article 61 then sets out a wide list of “Licensed Financial Activities” that now fall under the Central Bank’s perimeter, expressly including open finance services, providing payment services using virtual assets, stored-value services, retail payment systems, and digital money, as well as arranging, promoting, or marketing for such activities. Article 62 goes one step further and states in substance that any person who “engages in, offers, issues, or facilitates” a Licensed Financial Activity, by any means, medium or technology, is subject to Central Bank licensing and supervision.
In practice, this removes the conceptual separation between a “technology provider” and a “financial institution”. If your protocol, smart contracts, interface, or middleware enables payments, exchange, lending, custody, remittances, investment or open finance services for UAE users, you are no longer outside the regulatory perimeter simply because the system is non-custodial, permissionless, or “autonomous”. DeFi protocols and DEXs, cross-chain bridges and L2s that move value, payment-focused stablecoin and CBDC rails, wallets and custodial layers, on/off-ramps and order-routing middleware will all be analysed through the lens of whether they are in substance facilitating regulated financial activities into the UAE market, including via online access from abroad or from free zones.
The New CBUAE Law also arrives in an ecosystem where virtual assets were already regulated at federal and Emirate level. Cabinet Decision No. 111 of 2022 on the Regulation of Virtual Assets and Their Service Providers prohibits engaging in virtual asset activities such as operating platforms, exchange, transfer, trading and custody of virtual assets without a licence from the Securities and Commodities Authority or a competent local licensing authority. In parallel, the Central Bank’s 2024 Payment Token Services Regulation imposes a dedicated regime for payment tokens (fiat-referenced stablecoins), and expressly bans the issuance, servicing, and promotion of algorithmic stablecoins and privacy tokens for use as means of payment in or into the UAE. In Dubai, VARA’s rulebooks prohibit all virtual asset activities involving anonymity-enhanced cryptocurrencies and strictly limit marketing of virtual assets to licensed VASPs.
Against this backdrop, the New CBUAE Law does two things that are decisive for DeFi and Web3: first, it expressly brings technology-enabling platforms, protocols, and decentralised applications into scope as soon as they facilitate or enable a Licensed Financial Activity. Second, it significantly raises the stakes: administrative fines can now go up to AED 1 billion, and engaging in a Licensed Financial Activity without a licence is a criminal offence, punishable by imprisonment and a fine between AED 50,000 and AED 500 million under Article 170. The law provides a one-year transitional period from 16 September 2025, meaning that by around mid-September 2026 DeFi and infrastructure players that touch UAE users are expected either to regularise their position or to cease in-scope activities.
Concretely, we are advising DeFi protocols, DEX operators, bridge developers, and middleware providers to prioritise several operational steps before that deadline: (i) map your full stack (smart contracts, front-ends, sequencers, oracles, custody layers, payment tokens) against the lists of Licensed Financial Activities in Article 61 and of virtual asset activities under Cabinet Decision 111, rather than relying on legacy assumptions about what is or is not a “financial institution”; (ii) decide on a genuine UAE strategy: obtain the appropriate licences (for example, as a payment token service provider or VASP), operate via a CBUAE-licensed or VARA/SCA-licensed partner, or genuinely exclude the UAE through robust geo-fencing, no UAE-targeted marketing, and clear terms and conditions; (iii) if you choose to remain in scope, elevate governance, AML/CFT and technology-risk controls to the level expected of a regulated payments or virtual-asset institution: proper KYC and sanctions screening, transaction monitoring, consumer-protection frameworks for complaints and disclosures, cyber-security and incident response, and Board-level oversight; (iv) review token design and liquidity flows to ensure that any stablecoin or token used for UAE-facing payments complies with the Payment Token framework and is not an algorithmic or privacy token.
In short, we are moving from a fragmented and relatively permissive landscape, where many DeFi actors could still hide behind the “just code” rhetoric, to a federal framework that deliberately treats enabling technology as part of the regulated perimeter. This is meant both to protect users and to make the UAE more attractive to institutional-grade players who are prepared to operate on a fully licensed, compliant basis.
Protecting Victims in the New Regulatory Framework
With your extensive experience helping victims of financial and real estate frauds, particularly in crypto-assets, how do you see Federal Decree Law No. 6 strengthening victim protection and recovery mechanisms? The law introduces penalties up to AED 1 billion for unlicensed activities—from a litigation and victim advocacy perspective, what new legal remedies does this create for defrauded investors? What red flags should UAE residents and investors watch for when engaging with crypto platforms, and what immediate steps should victims take if they suspect fraud?
From the perspective of victims of crypto-related fraud, Federal Decree-Law No. 6 of 2025 is a substantial step forward. It creates a much more explicit line between lawful, licensed activity and unlawful operations, and it equips regulators and prosecutors with a powerful sanctions toolkit.
On the substantive side, the law reinforces a simple rule: no one should carry on or promote Licensed Financial Activities in or from the UAE without appropriate authorisation. Articles 61 and 62 capture not only traditional banks and payment companies, but also other financial institutions and technology-enabling platforms that facilitate payments, exchange, remittances, lending, custody, or investment services, including when those services use virtual assets. Operating without a licence is no longer a regulatory technicality; it is a criminal offence under Article 170, punishable by imprisonment and a very wide fine range, and it sits alongside new minimum administrative fines and a maximum administrative penalty of AED 1 billion for serious breaches. This regime dovetails with Cabinet Decision No. 111 of 2022, which has already required virtual asset service providers in onshore UAE to secure licences from the SCA or a local licensing authority, and which prohibits dealing with persons engaging in virtual asset activities in the State without such a licence.
For enforcement and litigation, this clarity matters enormously. In the past, operators of “DeFi” yield platforms, high yield staking schemes or offshore exchanges targeting UAE residents could argue that they were simply software providers or that their offerings fell into a legal grey zone. Under the New CBUAE Law, those who design, operate or actively market platforms that in substance take client funds, promise returns, provide exchange, custody or payment functions, or intermediate investments will find it much harder to claim they are outside the regulatory perimeter. When we act for victims, we can now frame complaints and civil claims not only around classic fraud, misrepresentation, or breach of trust, but also around clear breaches of financial-services and virtual-asset licensing rules, which helps regulators, police, and courts to intervene earlier, freeze assets and coordinate across agencies.
The types of crypto-fraud cases that will be easier to prosecute include unlicensed centralised exchanges and pseudo-DeFi platforms that take deposits or execute trades for UAE users without any authorisation; yield, staking or “investment” products promising fixed or unrealistic returns; OTC desks and informal on/off-ramp operators masquerading as “consultants” while effectively acting as unlicensed brokers; and influencer-driven promotions or social-media “signal” groups that direct UAE residents into unlicensed platforms. In each of these scenarios, the lack of a licence is a serious violation, and the fact that the operator is providing or promoting a Licensed Financial Activity without authorisation becomes an additional lever for enforcement, alongside any underlying fraud or money-laundering offences.
In parallel, the broader UAE regulatory framework is making it harder for fraudsters to hide. The Payment Token Services Regulation and virtual-asset regimes restrict algorithmic stablecoins and privacy tokens, which removes some of the tools historically used to obscure flows. The supervisory authorities have also issued joint guidance on combating the use of unlicensed virtual-asset providers, including a non-exhaustive list of red flags: platforms with no clear licence from CBUAE, SCA, VARA, DFSA or FSRA; vague or non-existent disclosure of the legal entity and jurisdiction behind the website; unrealistic or “guaranteed” returns and aggressive referral schemes; lack of any meaningful consumer-protection features; and requests that clients transfer funds to personal accounts or unrelated third parties.
For UAE-based investors, the practical message is straightforward. Before committing funds, check which authority regulates the platform (onshore CBUAE/SCA, Dubai VARA, DIFC’s DFSA, ADGM’s FSRA), verify that the licence exists and matches the activities being offered, read the risk disclosures, and be sceptical of any project that trumpets “no KYC”, relies on anonymity or privacy tokens, or pressures you to act quickly with promises of guaranteed or unusually high returns. A strong law is an important shield, but it is most effective when investors themselves treat licensing status and regulatory transparency as non-negotiable.
Multi-Jurisdictional Complexity - UAE, GCC, and Beyond
Articles 61 and 62 require CBUAE licensing for crypto activities "through any means, medium, or technology." Given your 15 years of experience across the GCC (UAE, Oman, KSA, Qatar), Iraq, Turkey, Lebanon, and Egypt, how should international crypto companies navigate the overlapping regulatory frameworks—CBUAE, VARA, DIFC's DFSA, ADGM's FSRA—while also considering broader MENA expansion? What's your strategic advice for structuring cross-border crypto operations across these jurisdictions, and how does UAE's new framework compare to regulatory developments in neighboring countries?
For international crypto companies, the UAE’s attraction is clear: it offers several sophisticated regimes rather than a single monolithic rulebook. At the same time, this “federal plus Emirate plus free zone” architecture requires a coherent structuring strategy; simply collecting licences is not enough.
At federal level, the SCA and CBUAE jointly anchor the perimeter. In onshore UAE, Cabinet Decision No. 111 of 2022 prohibits engaging in virtual-asset activities such as operating platforms, exchanging, transferring, trading, or providing custody of virtual assets without a licence from the SCA or a local licensing authority. The New CBUAE Law now defines a broad set of Licensed Financial Activities in Article 61, covering banks, insurers, and other financial institutions, and explicitly including open finance services and payment services using virtual assets. Article 62 then brings into scope any person who engages in, offers, issues or facilitates such activities “through any means, medium or technology”, making clear that financial-services technology, including DeFi and Web3 infrastructure, is subject to Central Bank licensing when it serves the UAE market.
On top of this federal layer, Dubai’s Virtual Assets Regulatory Authority regulates virtual-asset activities conducted in the Emirate of Dubai outside the DIFC, including exchanges, brokers, custodians, and advisory services, and imposes strict rules on marketing of virtual assets and on anonymity-enhanced cryptocurrencies. Within the financial free zones, the ADGM’s FSRA and the DIFC’s DFSA each operate their own comprehensive virtual-asset frameworks under their respective financial-services laws. All these regimes sit on top of general UAE AML/CFT legislation and are now complemented by the Payment Token Services Regulation, which centralises the regulation of fiat-referenced payment tokens at CBUAE level.
Our consistent advice to international crypto and fintech groups is to treat this not as four or five unrelated regimes, but as a single matrix. In practical terms, that usually means: (i) choosing a primary regulatory “home” aligned with your business model and target clients: for example, ADGM or DIFC for institutional and capital-markets facing models, or VARA for a Dubai-focused retail exchange or broker; (ii) ring-fencing any onshore UAE exposure, especially AED and payment-token flows, via a clearly separate entity that is licensed under the New CBUAE Law and the virtual-asset framework (or by partnering with an existing CBUAE/SCA-licensed PSP or VASP); and (iii) clearly allocating activities, client segments and booking of risks across entities, with robust intra-group service, liquidity and IP-sharing agreements so that technology, order-routing and liquidity management can be shared, while regulatory obligations remain clearly attributed.
It is important to understand that a free-zone licence is not a passport to the rest of the UAE. A DFSA-licensed or FSRA-licensed firm that markets aggressively to onshore retail clients, or that offers payment-token rails into the onshore market, still has to consider CBUAE and SCA requirements, and may need a separate onshore entity or at least carefully structured arrangements with a licensed onshore partner. Conversely, an onshore payment-token or virtual-asset entity cannot simply claim that its activities are beyond Central Bank reach because it “only” uses a DeFi protocol or bridge running in a free zone or offshore; Article 62 is deliberately drafted to capture facilitation and enabling of financial activities, not just direct provision. In our practice, we therefore encourage clients to harmonise their AML/CFT, sanctions, conduct-of-business and technology-risk standards across all UAE entities to the highest common denominator among CBUAE, SCA, VARA, DFSA and FSRA, and to build a group-wide compliance function that has visibility across onshore and free-zone operations.
When we compare this to the broader MENA landscape, the UAE stands out for breadth rather than leniency. Bahrain’s Central Bank has had a dedicated Crypto-Asset Module since 2019, providing a clear licensing regime for exchanges, custodians and other crypto-asset service providers, which makes it an attractive complementary hub. Saudi Arabia remains cautious: cryptocurrencies are not legal tender, banks are generally prohibited from engaging in crypto transactions without specific approval, and most virtual-asset activities are channelled through limited sandboxes. Kuwait has gone further and adopted an almost complete prohibition on crypto activities, including payments, investments, and mining, through a series of circulars from 2023 onwards. Qatar has historically restricted virtual-asset services, although more recent frameworks are beginning to differentiate between different types of digital assets, often excluding cryptocurrencies from the new categories.
By contrast, the UAE has chosen a more demanding but ultimately more constructive route: a dense multi-regulatory framework, higher expectations on licensing and compliance, but a clear path for serious players to operate, innovate and scale. For global crypto companies and Web3 builders who are willing to embrace that discipline, the strategic prize is the ability to position the same group across CBUAE/SCA, VARA, DFSA and FSRA, targeting different segments of the Middle East market from a single jurisdiction that is committed both to innovation and to regulatory credibility.
About the Authors:
Gabriel Elmarzouki and Mehdi Al Ghafari are legal associates at Astruc & Co., specializing in UAE virtual assets regulations, financial services law, and crypto compliance. Working under the supervision of Romain Astruc, Managing Partner at Astruc & Co., they advise international crypto companies, DeFi protocols, and victims of crypto-related frauds on navigating the UAE's evolving regulatory framework. Astruc & Co. is a Dubai-based legal consultancy firm providing specialized guidance across the GCC, MENA, and international markets, with offices in Dubai, Doha, and Istanbul.