jurisdictional architecture
The UAE’s multi-authority regulatory architecture for tokenized assets creates five distinct regulatory jurisdictions, each with its own licensing, supervision, and enforcement framework. This compliance map identifies the jurisdictional boundaries, overlapping mandates, and the compliance requirements that firms must navigate when operating across the UAE tokenization ecosystem.
authority jurisdiction matrix
| activity | onshore uae | dubai (excl. difc) | difc | adgm | federal overlay |
|---|---|---|---|---|---|
| virtual asset exchange | sca | vara | dfsa (recognized tokens only) | adgm fsra | cabinet decision 111 |
| tokenized securities | sca | vara | dfsa | adgm fsra | sca securities framework |
| payment tokens/stablecoins | cbuae | vara + cbuae | dfsa + cbuae | adgm fsra + cbuae | cbuae monetary mandate |
| custody services | sca | vara | dfsa | adgm fsra | cabinet decision 111 |
| aml/cft compliance | sca | vara | dfsa | adgm fsra | federal decree-law 20 |
| sanctions compliance | all | all | all | all | eocn |
| str reporting | all | all | all | all | uae fiu |
federal requirements (apply to all jurisdictions)
The federal compliance layer creates a baseline that applies to all VASPs regardless of their licensing jurisdiction. This baseline cannot be reduced through jurisdictional selection — it represents the minimum compliance standard for all UAE-licensed entities. All VASPs regardless of jurisdiction must comply with Federal Decree-Law No. 20 of 2018 on AML/CFT, which establishes customer due diligence, ongoing monitoring, and suspicious transaction reporting obligations. All VASPs must participate in the national VASP register maintained by the SCA under Cabinet Decision No. 111. All VASPs must report suspicious transactions to the UAE FIU through the goAML system. All VASPs must implement sanctions screening per EOCN requirements, covering UAE domestic lists, UN Security Council lists, and other applicable international sanctions. All VASPs must comply with the Travel Rule, transmitting originator and beneficiary information with virtual asset transfers. These federal requirements were validated by the FATF assessment and the UAE’s grey list removal in February 2024.
overlapping mandates
Key areas of overlapping authority require careful compliance navigation. Stablecoin and payment token regulation creates dual requirements from the CBUAE (federal monetary mandate) and the licensing authority (activity-level regulation). A firm issuing AED-pegged stablecoins in Dubai must satisfy both VARA licensing requirements and CBUAE payment token authorization requirements. The stablecoin regulatory framework analysis and the CBUAE payment token regulation examine this overlap.
Token classification creates potential jurisdictional ambiguity. The token classification framework determines whether a token is a security (SCA jurisdiction), a payment token (CBUAE jurisdiction), or a virtual asset (licensing authority jurisdiction). Tokens with hybrid characteristics may fall under multiple authority mandates, requiring coordinated compliance approaches.
Cross-border supervision creates situations where federal authorities and free zone regulators must coordinate on entities operating across jurisdictional boundaries. A firm with operations in both Dubai (VARA) and Abu Dhabi (ADGM FSRA) faces supervision from both authorities plus federal-level requirements from the SCA and CBUAE.
compliance complexity management
Firms operating across multiple UAE jurisdictions can manage compliance complexity through several strategies. Establishing a centralized compliance function that coordinates requirements across all licensing jurisdictions reduces duplication and ensures consistency. Building the compliance infrastructure to meet the most stringent authority’s requirements ensures that lower thresholds are automatically satisfied. Engaging with all relevant authorities proactively maintains regulatory relationships and reduces the risk of supervisory surprises. Monitoring regulatory developments across all authorities through the regulatory framework tracker dashboard enables early identification of changes that may affect compliance requirements.
data protection overlay
In addition to financial regulatory requirements, VASPs operating in the UAE must comply with data protection regulations that vary across jurisdictions. The federal Personal Data Protection Law (PDPL) applies to onshore operations. ADGM’s Data Protection Regulations provide a comprehensive privacy framework for ADGM-based entities. DIFC’s Data Protection Law establishes privacy requirements for DIFC-based entities. These data protection requirements interact with AML/CFT obligations — where extensive customer data collection is mandated — creating compliance tension that firms must manage carefully. The data protection brief examines this interaction in detail.
how to use this compliance map
This compliance map serves as a reference tool for determining which authorities have jurisdiction over specific activities, identifying where overlapping mandates create dual compliance requirements, understanding the federal compliance baseline that applies across all jurisdictions, and planning multi-jurisdiction compliance strategies. The map should be read alongside the multi-authority licensing strategy guide for practical navigation guidance, the federal vs free zone comparison for the jurisdictional architecture analysis, and the cross-emirate regulatory arbitrage analysis for strategic positioning assessment.
authority-specific compliance requirements
Beyond the federal baseline, each authority imposes specific compliance requirements that firms must meet. VARA requires activity-specific compliance across its seven categories, with tailored requirements for each activity type covering technology governance, client asset protection, conduct of business, and financial reporting. ADGM FSRA applies its Financial Services and Markets Regulations compliance framework, with additional requirements specific to digital asset operations covering prudential standards, market conduct, and operational resilience. The DFSA applies its established financial services compliance framework with additional crypto token-specific requirements, limited in scope to recognized token activities. The SCA’s compliance requirements continue developing through implementing regulations, with existing requirements covering AML/CFT, licensing, and market conduct for the entities currently under its supervision.
The CBUAE applies its own compliance requirements to payment token issuers and to banks providing services to VASPs, creating an additional compliance dimension for firms involved in stablecoin issuance or dependent on banking relationships for fiat currency operations. The CBUAE’s AML/CFT supervisory role extends to assessing whether banks conduct adequate due diligence on their VASP clients.
dispute resolution framework
The UAE’s multi-authority architecture provides different dispute resolution mechanisms across jurisdictions. ADGM and DIFC operate common law court systems that provide familiar legal infrastructure for international financial institutions. ADGM Courts and the DIFC Courts have developing jurisprudence in financial services disputes. Dubai onshore disputes fall under the civil law court system. The availability of common law dispute resolution is a significant factor for firms choosing between jurisdictions, particularly those with international investor bases that expect English common law protections.