The UAE’s virtual asset regulation operates across multiple, sometimes overlapping, jurisdictions, requiring a clear delineation of supervisory authority. Primary oversight is shared among federal and regional bodies, as well as the specialized Financial Free Zones (FFZs). The Central Bank of the UAE (CBUAE), the Virtual Assets Regulatory Authority (VARA) in Dubai, and the Securities and Commodities Authority (SCA) at the federal level constitute the primary onshore authorities. Entities operating within the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM) remain subject to their respective regulatory bodies, the Dubai Financial Services Authority (DFSA) and the Financial Services Regulatory Authority (FSRA), due to the FFZs’ constitutional exemption from most federal civil and commercial laws.
The New CBUAE Law consolidates authority over all licensed financial institutions outside the FFZs. For professional investors, the immediate focus must be quantifying the potential financial and criminal exposure associated with operating unlicensed infrastructure and preparing for the statutory transition period which mandates regularization by September 16, 2026, subject to potential extension.
Key Regulatory Risk Jurisdictions and Authority Delineation
| Regulatory Body | Primary Jurisdiction | Governing Federal Law/Decree | Key Scope Expansion (Post-2025) |
| Central Bank of the UAE (CBUAE) | UAE Federal Mainland (excluding FFZs) | Federal Decree-Law No. 6 of 2025 | Mandatory licensing for Virtual Asset infrastructure (Wallets, APIs, Protocols/DeFi) |
| VARA | Emirate of Dubai (Mainland and Non-Financial Free Zones) | VARA Rulebook 2023 | Oversight of all Virtual Asset Service Providers (VASPs) and Market Conduct |
| DFSA | Dubai International Financial Centre (DIFC) | DIFC Laws / DFSA Framework | Proposed enhancements to regulatory scope for crypto tokens, custody, and risk management |
| SCA | UAE Federal Mainland (outside CBUAE and FFZ authority) | CAAR (Crypto Assets Activities Regulation) | Licensing and AML/CFT compliance for onshore VASP activities; Coordination with VARA on unified rules |
Analysis of CBUAE Federal Decree-Law No. 6 of 2025
Statutory Mandates, Effective Date, and Interim Period
The Federal Decree-Law No. 6 of 2025 Regarding the Central Bank Regulation of Financial Institutions and Activities and Insurance Business (the New CBUAE Law) represents a comprehensive overhaul of the UAE’s financial regulatory architecture. This law officially took effect on September 16, 2025 , repealing and replacing the 2018 legislation. The law significantly enhances the authority and independence of the CBUAE, centralizing the oversight of a broad spectrum of licensed financial institutions, including payment service providers, banks, insurers, and fintech entities operating outside the established Financial Free Zones.
A crucial provision for existing entities is the mandated transition period. Regulated institutions that were previously licensed or operating must regularize their operational and legal standing to align fully with the new requirements within one year from the Law’s effective date—specifically, by September 16, 2026. This period, which the CBUAE may extend at its discretion, requires detailed planning. During this interim phase, all previous regulations, guidelines, decisions, and existing technical definitions issued under the superseded frameworks remain in full force and effect until such time as they are explicitly replaced by new instruments issued under the authority of the New CBUAE Law. This requires a dual-track approach to compliance: adhering to existing rules while preparing for the implementation of the new federal mandates.
Expansion of Regulatory Scope: Targeting Infrastructure and Decentralized Finance (DeFi)
The most transformative provision of the New CBUAE Law is its expansive definition of regulated activities, extending CBUAE oversight to components of the digital asset ecosystem previously considered tangential or entirely outside regulatory purview. Article 62 of the Decree-Law explicitly includes within the scope of regulatory control those aspects deemed critical to the functioning of digital finance, thereby subjecting them to mandatory CBUAE licensing.
The Regulation of Technological Infrastructure
Article 62 mandates licensing for technological components, specifically targeting infrastructure that underpins virtual asset services. This includes “digital asset tools,” cryptocurrency wallets, Application Programming Interfaces (APIs), and blockchain explorers. The fundamental consequence of this expansion is a redirection of liability upstream in the technological supply chain. An institutional investor utilizing a licensed VASP for asset management is now compelled to conduct diligent verification that the VASP’s backend infrastructure providers—such as proprietary custody wallet APIs or data aggregation tools—are also appropriately licensed by the CBUAE, even if these providers have no direct client interface.
This structural expansion is a deliberate policy choice by the UAE to prevent regulatory arbitrage, where unregulated infrastructure might facilitate or intermediate licensed financial activities. By regulating the enabling technology , the CBUAE asserts control over the operational stability and integrity of the digital finance ecosystem, ensuring that core technological elements meet the same stringent compliance and governance standards as the licensed entities they serve.
Inclusion of Decentralized Protocols and Applications
Furthermore, Article 62 specifically encompasses the domain of decentralized financial services. The law explicitly includes Virtual Assets payment tokens, Decentralized Finance (DeFi), and other emerging technologies used in connection with Licensed Financial Activities. More profoundly, the scope covers the offering or operation of platforms, decentralised applications (dApps), protocols, or technological infrastructure designed to facilitate, intermediate, or enable key financial services, such as payments, credit, deposits, money exchange, remittances, or investment services.
This explicit inclusion of “protocols” and “dApps” represents a direct legal challenge to the operational premise of permissionless, autonomous digital systems. The legislation effectively compels previously autonomous or decentralized systems (such as a governance DAO or a lending protocol) to establish identifiable, legally responsible entities capable of fulfilling CBUAE compliance requirements. Global crypto service providers, including those involved solely in software development or protocol deployment, must immediately assess their exposure and compliance risks derived from potential UAE user access or engagement. The implication is clear: decentralization is not a shield against the jurisdiction of the federal regulator when the application facilitates regulated financial services within the UAE.
Statutory Interpretation: The Bifurcation of Virtual Assets (Article 187)
The CBUAE Law establishes a critical distinction regarding the regulatory treatment of Virtual Assets (VAs), primarily defined through the lens of usage and intent. This separation is codified in Article 187, which addresses the interpretation of specific terms within the Decree-Law.
Exclusion of Investment Activity
Article 187 provides a crucial carve-out, confirming that Virtual Assets, as defined in applicable State laws, are not to be considered “Currency” according to the Decree-Law. Critically, Virtual Assets shall not be covered by the provisions of this Decree-Law if they are intended for investment purposes, the exchange of one Virtual Asset for another, or swap operations for trading purposes. These activities remain subject to other existing legislation in the State.
The regulatory consequence of this provision is the confirmation that the CBUAE’s expanded authority under Law 6/2025 is primarily focused on preserving monetary stability and overseeing the payment system. VAs used purely for speculative investment, such as basic crypto-to-crypto swaps conducted without immediate connection to fiat currency conversion or payment utility, are deliberately excluded from the direct control of the CBUAE. Jurisdiction over these investment-oriented activities is deferred to other regulatory authorities, such as the SCA or VARA, depending on the operational location and the specific classification of the virtual asset.
Inclusion of Payment Activity
Conversely, the CBUAE Law asserts its regulatory scope precisely when Virtual Assets and digital currencies are utilized as a means or instrument of payment or when they involve the exchange of a virtual asset for a currency (fiat). This regulatory nexus confirms that any service that facilitates the flow of value in a manner analogous to traditional fiat systems—whether the asset is bitcoin, an altcoin, or a stablecoin—falls within the purview of the CBUAE’s payment system oversight.
Further confirming this focus on monetary stability, the framework explicitly defines and acknowledges “Algorithmic Stablecoins”.16 These are classified as Virtual Assets that purport to maintain a stable value relative to a fiat currency or other asset through automated or manual supply/demand interventions by the issuer or another person, and which are used or may be used as a Means of Payment. The inclusion of a definition for algorithmic stablecoins demonstrates the regulator’s proactive approach to understanding and controlling digital assets that pose potential risks to the nation’s monetary system when deployed as payment instruments.
Penal Liability and Enforcement Under Federal Law
The compliance requirements established by the New CBUAE Law are reinforced by severe criminal and financial penalties, highlighting the high-stakes environment for non-compliant actors. Article 61 extends compliance requirements to all forms of marketing and online communications regarding crypto services, meaning that mere promotion of an unlicensed service can trigger liability.
Non-compliance with the new federal mandates, particularly those concerning infrastructure licensing, exposes entities to extraordinary punitive measures. Financial penalties range from a minimum of AED 50,000 to a maximum of AED 500,000,000.Furthermore, failure to adhere to the CBUAE Law carries the potential for imprisonment, reflecting the UAE’s intent to treat unlicensed activity as a severe criminal offense.
This substantial increase in penalty exposure requires global crypto service providers with any presence or user base in the UAE to conduct an immediate and thorough assessment of their operational exposure. With the September 2026 compliance deadline looming , any delay in seeking necessary licensing for infrastructure components or operationalizing compliance frameworks will substantially escalate legal and financial risk.
Jurisdictional Nuance and the Dual Licensing Imperative
The Financial Free Zone (FFZ) Carve-Out and Its Supremacy
The UAE’s regulatory model incorporates specialized Financial Free Zones (FFZs), namely the Dubai International Financial Centre (DIFC) and the Abu Dhabi Global Market (ADGM), which possess quasi-independent legal jurisdiction. This authority is derived from Article 121 of the UAE Constitution and Federal Law No. 8 of 2004, which explicitly allows for the creation of FFZs and exempts them and their licensed financial activities from the application of most Federal civil and commercial laws.
The FFZs have consequently developed bespoke common law regulatory frameworks and independent common law court systems to adjudicate commercial and financial disputes, providing an alternative legal foundation compared to the mainland’s civil law system. For instance, the DFSA, the DIFC regulator, is actively proposing enhancements to its framework (CP No. 168), aiming to bolster market integrity and consumer protection by expanding the scope of recognized crypto tokens and refining governance requirements for custody, disclosure, risk management, and staking services.
It is imperative for investors to note the limits of this autonomy: FFZs are not exempt from Federal criminal laws, including the overriding Federal Laws on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT). Additionally, FFZ authorized firms are explicitly restricted from dealing in deposit-taking from the State’s markets and from dealing in the UAE Dirham, ensuring the CBUAE retains control over the national currency and onshore liquidity.
Dubai Mainland (VARA) Framework and Enforcement Precedent
The Virtual Assets Regulatory Authority (VARA) is the designated supervisory authority for virtual asset activities within the Emirate of Dubai, encompassing both the mainland and non-financial free zones (excluding DIFC).The VARA framework unequivocally requires all entities providing virtual asset services in or from Dubai to be officially licensed.
Precedent of Enforcement
Recent enforcement actions by VARA underscore the authority’s commitment to market integrity and compliance. In late 2025, VARA issued significant financial penalties and mandatory cease-and-desist orders against 19 firms found to be operating outside the official regulatory framework. These entities were penalized for violating mandatory licensing requirements and contravening virtual asset marketing regulations.
The financial penalties imposed ranged from AED 100,000 to AED 600,000, scaled according to the severity and scope of the unauthorized activity.Beyond these standard fines, the VARA framework allows for far more severe sanctions for market offenses, including disgorgement of profits or avoided losses. Penalties for VASPs can reach up to AED 50 million or 15% of annual revenue, or 300% of gained profits if that amount is greater. This enforcement history reinforces the message that licensing is not optional; it is the prerequisite for operation within Dubai.
The regulatory environment is further unified by the cooperation between VARA and the SCA, ensuring consistent rules and standards are applied across the country’s digital asset market, thereby preventing regulatory gaps.
Inter-Jurisdictional Conflict and Mainland Engagement Risk
Strategic legal structuring requires a careful assessment of the potential risks arising from operating an FFZ entity while engaging the mainland market. Although free zones offer fiscal benefits and established digital finance clusters , they are not silos. A free zone company engaging the UAE mainland is legally obligated to ensure compliance with mainland requirements. If a Dubai free zone entity seeks to serve clients in other mainland Emirates, such as Abu Dhabi, coordination with the SCA, the federal-level authority for virtual asset activities outside Dubai, may be required.
A critical consideration for investors is the concept of the “Fly-In” Risk. The VARA enforcement actions clearly demonstrate that maintaining an online-only model, or merely possessing an international license, does not provide immunity if the operations actively target or serve the UAE market from Dubai.11 Regulators focus on the nexus of access and promotion within the jurisdiction, rather than solely the physical location of incorporation.
Therefore, the choice between mainland incorporation (offering unrestricted domestic reach) and free zone structuring (providing significant fiscal and regulatory benefits) mandates a clear, strategic decision regarding the intended user base. Success demands not only licensing compliance but also a continuous, sustained commitment to governance and cybersecurity, regardless of location.
Mandatory Compliance: AML/CFT and Enhanced Due Diligence Obligations
The UAE’s commitment to global financial standards requires all virtual asset entities to operate under rigorous AML/CFT regimes, aligning with Federal laws and international mandates, particularly those of the Financial Action Task Force (FATF).
Federal AML/CFT Statutory Foundation and FATF Alignment
Virtual Asset Service Providers (VASPs) are designated as AML Obligors in the UAE. Their compliance obligations are governed by a robust suite of federal legislation, including Federal Decree-Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism, alongside the subsequent implementing regulations such as Cabinet Decision No. (10) of 2019 and Cabinet Decision No. (74) of 2020.
Compliance is mandatory for all licensed providers of virtual asset services, requiring adherence to the principles and recommendations issued by the FATF specifically tailored for virtual asset activities. The FATF guidance, updated in 2021, clarified the expansive definition of Virtual Assets (VA) and VASPs, provided application guidance for “so-called” stablecoins, and introduced specific requirements related to peer-to-peer transactions and information-sharing among VASP supervisors.
VASP Compliance Architecture and MLRO Mandates
To operate legally, VASPs must establish a comprehensive compliance architecture. This includes setting up a robust AML/CFT compliance framework.13 Key requirements established under regulatory guidance (e.g., the VARA Rulebook for Dubai) mandate:
- Appointment of an MLRO: A dedicated Money Laundering Reporting Officer (MLRO) must be appointed, possessing a minimum of two years of experience relevant to AML/CFT compliance.
- Risk Assessment: The VASP must conduct and maintain a formal AML Business Risk Assessment (BRA).
- Policy Development: Designing and implementing exhaustive AML/CFT policies and procedures that are congruent with the VARA Rulebook, Federal AML Laws, and FATF Recommendations is obligatory.
- Registration: All VASPs must formally register on the UAE’s federal goAML Portal for regulatory reporting purposes.
Customer Due Diligence (CDD) Protocols for Investors
The AML/CFT framework imposes strict Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) requirements designed to achieve full transparency regarding the source of funds and the nature of the transaction. VASPs must conduct KYC (Know Your Customer), screening, and risk assessment on all customers, suppliers, and third parties. This process includes the screening of Ultimate Beneficial Owners (UBOs).
Wallet and Transaction Traceability
Compliance protocols extend directly to the digital asset transactions themselves. VASPs must implement systems for screening the Virtual Asset Wallet address and are required to ensure that the crypto assets involved in transactions are traceable. Furthermore, the industry-critical FATF Travel Rule compliance is mandated for VASPs, requiring the transmission of originating and beneficiary information for qualifying virtual asset transfers.
In addition to standard CDD, specialized enhanced due diligence is required for certain high-risk customers, suppliers, and third-parties. Traceability and due diligence are further enforced by the rule that deposits and withdrawals must only be made from and to a designated bank account of the VASP, maintained with an authorized financial institution, which requires explicit CBUAE approval if it is a foreign financial institution.
Obligations of Licensed Financial Institutions (LFIs) Dealing with VASPs
The CBUAE has extended compliance risk management requirements to Licensed Financial Institutions (LFIs)—i.e., banks—that interface with the virtual asset sector. This guidance imposes a rigorous control mechanism on the banking relationships of VASPs, effectively making LFIs a secondary compliance layer.9
LFIs are subject to specific CBUAE guidelines when establishing relationships with VASP customers and counterparties.They must request and receive CBUAE non-objection before opening any account for a VASP. Furthermore, LFIs are explicitly prohibited from engaging or working with any VASP that does not possess a national license.
Enhanced Due Diligence (EDD) on VASPs
The requirement for enhanced due diligence mandates that LFIs must verify the identities of all VASP customers and obtain a comprehensive understanding of their business operations through detailed customer profiles, including transaction details. LFIs must also actively monitor non-institutional individual customers’ digital transactions conducted with VASPs, particularly if those transactions originate from high-risk jurisdictions.
This stringent regulatory imposition on LFIs generates a crucial systemic banking risk for the virtual asset industry. By requiring CBUAE approval for VASP accounts and prohibiting relationships with unlicensed operators, the framework effectively grants the CBUAE control over the critical banking access necessary for a VASP’s operation. This process forces banks into a de-risking posture, making the availability and continuity of banking services a significant operational constraint and a major risk factor for investors assessing the counterparty stability and liquidity of any UAE-licensed VASP.
Data Retention and Reporting Mandates
VASPs must adhere to strict record-keeping and reporting mandates to ensure regulatory auditability. The primary requirement for data retention mandates that all records of transactions, documents, and correspondence must be securely maintained for a period not less than five years.
In the context of continuous transaction monitoring, VASPs are required to file numerous mandatory reports via the goAML portal to the Financial Intelligence Unit (FIU), including, but not limited to:
- Suspicious Activities Reports (SAR) and Suspicious Transactions Reports (STR).
- Partial Name Match Reports (PNMR).
- Funds Freeze Reports (FFR).
- Reports related to high-risk country transactions (HRC) and high-risk country activities (HRCA).
Taxation and Fiscal Structuring for Virtual Asset Investors
The UAE has positioned itself as a fiscally attractive jurisdiction for digital assets by implementing a focused Corporate Tax (CT) regime alongside favorable VAT treatment for crypto trading activities.
Federal Corporate Tax (CT) Regime and Applicability
The introduction of a federal Corporate Tax, governed by Federal Decree-Law No. 60 of 2023 , marks a significant development. CT is levied on the net profits of corporations and other entities derived from business activities.The CT generally applies to all businesses and individuals conducting activities under a commercial license in the UAE, effective from the beginning of their first financial year starting on or after June 1, 2023, or January 1, 2024, depending on the entity’s financial year.
For professional crypto traders and virtual asset businesses, CT liability is triggered if the net profits exceed the designated threshold of AED 375,000. Profits below this threshold are subject to a 0% CT rate. The applicability of CT to virtual asset income hinges on the classification of the activity: if the activity constitutes professional trading conducted under a commercial license, it is generally subject to CT. However, income derived from passive investment activities may be treated differently, provided it meets specific qualifying criteria, aligning with the intent of attracting long-term capital.
Qualifying Free Zone Person (QFZP) Status and 0% CT
A cornerstone of the UAE’s fiscal policy is the maintenance of corporate tax incentives within Free Zones. Free Zone businesses can qualify for a 0% Corporate Tax rate on their relevant income if they attain the status of a Qualifying Free Zone Person (QFZP).
To secure and maintain this preferential 0% rate, the entity must meet specific statutory compliance requirements:
- Regulatory Compliance: The entity must comply with all extant regulatory requirements imposed by its respective free zone authority and any applicable federal body.4
- No Mainland Nexus: The QFZP must strictly avoid conducting business set up in the UAE’s mainland.
- Adherence to Guidance: Compliance must align with the conditions and clarifications outlined in the Federal Tax Authority’s (FTA) Corporate Tax Guide on Free Zone Persons, issued in May 2024, which addresses grey areas such as cryptocurrency investment.
For institutional investors engaged in professional crypto trading from a Free Zone base, achieving and defending QFZP status is fiscally paramount. Any failure to satisfy the comprehensive QFZP substance test, particularly regarding unauthorized physical or operational nexus with the mainland, risks the entire operation losing the preferential 0% rate and being subject to the standard 9% Corporate Tax rate. Therefore, rigorous internal controls and accounting documentation are necessary to prove QFZP qualification continuously.
Value Added Tax (VAT) Exemption
The UAE has definitively clarified the VAT treatment of virtual asset transactions, significantly improving the jurisdiction’s competitiveness as a liquidity hub. Cabinet Decision No. (100) of 2024, issued on October 2, 2024, amended the UAE VAT Executive Regulations to integrate virtual assets.
Under this amendment, the trading and conversion of Virtual Assets are explicitly exempted from Value Added Tax. “Virtual Assets” are defined for this purpose as a “digital representation of value that can be digitally traded or converted and can be used for investment purposes and does not include digital representations of fiat currencies or financial securities”.
This definitive VAT exemption for trading and conversion provides a substantial fiscal advantage for high-frequency trading firms, market makers, and liquidity providers. By eliminating the frictional cost associated with VAT on transactions, the policy reinforces the UAE’s strategic objective of attracting global digital asset liquidity, offering a competitive edge compared to jurisdictions where such activities may be subject to standard VAT rates.
Strategic Legal Recommendations
Recapitulation of Core Regulatory Risks
The legislative advancements in the UAE, anchored by Federal Decree-Law No. 6 of 2025, have fundamentally re-priced the cost of non-compliance. The overwhelming risk facing crypto investors and service providers is the potential for severe criminal and financial liability exposure, reaching up to AED 500 million, triggered by the unlicensed operation of technological infrastructure (including crypto wallets, protocols, and dApps) after the September 2026 deadline.
Furthermore, strong regional enforcement, exemplified by the coordinated actions of VARA and the SCA, confirms that unauthorized virtual asset activities and associated marketing that target the UAE market will be met with immediate and substantial punitive measures, including heavy fines and mandatory cease-and-desist orders.
Strategic Legal and Fiscal Recommendations
Based on the analysis of the New CBUAE Law, VARA precedents, and the fiscal regime, the following strategic recommendations are imperative for institutional investors and regulated entities operating within or accessing the UAE market:
1. Infrastructure Liability Audit:
Mandatory legal and operational audits must be conducted immediately on all core technological tools utilized by the fund or its counterparties. This audit must specifically verify the licensing status of backend service providers, including proprietary and third-party custody solutions, APIs, and any decentralized components (protocols, dApps) that facilitate financial services, ensuring they comply with the CBUAE’s licensing mandates under Decree-Law 6/2025.
2. Jurisdictional Choice Modeling Based on Intent:
Legal counsel should utilize the statutory bifurcation established in Article 187 to model the optimal licensing structure. Entities focused purely on speculative, virtual asset-to-virtual asset investment or exchange, which are intentionally excluded from the CBUAE’s primary payments mandate, may retain greater regulatory flexibility under the SCA/VARA framework. Conversely, any entity facilitating fiat conversions, token issuance used as a means of payment, or lending protocols (DeFi) must plan for CBUAE registration and compliance.
3. Enhanced Counterparty Verification (Banking Nexus):
To mitigate systemic banking risk and compliance failure, robust due diligence on all VASP counterparties must extend beyond general licensing. Counterparties must provide documented proof of compliance architecture, including the appointment of an experienced MLRO, successful implementation of the FATF Travel Rule, and crucially, documented evidence of CBUAE non-objection status from their Licensed Financial Institution banking partners.Engaging with a VASP that cannot secure local banking access represents a significant operational liquidity risk.
4. Meticulous Free Zone Compliance for Fiscal Optimization:
For entities seeking to leverage the 0% Corporate Tax rate through Qualifying Free Zone Person (QFZP) status, the entity must establish rigorous, auditable documentation demonstrating compliance with QFZP substance requirements. Furthermore, operations must be structurally and functionally segmented to legally and practically avoid any unauthorized mainland operational nexus, thus preserving the favorable fiscal treatment.
Appendices
Federal and Regional Penalties for Unlicensed Virtual Asset Activity
| Regulatory Violation | Authority Enforcing | Penalty Range (Financial) | Other Sanctions/Liability |
| Unlicensed Infrastructure/Wallet Operation | CBUAE (Federal) | AED 50,000 to AED 500,000,000 | Potential Imprisonment; Mandatory cease-and-desist |
| Unlicensed VASP Operation in Dubai (Standard) | VARA | AED 100,000 to AED 600,000 (standard violations) | Immediate Cease-and-Desist Orders |
| Major Market Offences (VASP) | VARA | Up to AED 50 Million (VASP) or 15% Annual Revenue | Disgorgement of profits; License revocation |
| Unregistered VASP Operation (General) | Federal Law | Fine or imprisonment, or both | Federal criminal liability |
Corporate Tax (CT) Applicability for Virtual Asset Entities
| Entity Type / Location | Applicable CT Rate | Condition for Favorable Rate | Governing Legislation |
| Mainland VASP (Profits $>$ AED 375k) | Standard CT Rate (9%) | Income exceeds AED 375,000 threshold | Federal Decree-Law No. 60/2023 |
| Free Zone VASP/Investment Fund | 0% | Must be a Qualifying Free Zone Person (QFZP); Complies with all regulatory requirements; Avoids unauthorized mainland engagement | FTA Corporate Tax Guide on Free Zone Persons |
| VAT on Trading/Conversion | 0% (Exempt) | Applies only to VAs as defined (digital representation of value for trade/investment, excluding fiat/securities) 22 | Cabinet Decision No. (100) of 2024 |
