Crypto Exchanges in Dubai Are on the Edge of a Legal Cliff

The UAE has detonated its most aggressive regulatory reset in years. Federal Decree-Law No. 6 of 2025 centralises control of all financial activity under the Central Bank—pulling crypto exchanges in Dubai, wallet developers, blockchain explorers, DeFi protocols, and even offshore tools into a licensing regime backed by criminal penalties.

The enactment of Federal Decree‑Law No. 6 of 2025 (effective 16 September 2025) consolidates banking, insurance and financial activities under the Central Bank of the UAE (“CBUAE”), extending it’s licensing perimeter to cover technology providers of virtual-asset services, including self-custody wallets and blockchain explorers. Failure to obtain a CBUAE licence can now trigger criminal sanctions and very large fines.

Key Features of the New Law

• The law repeals and replaces Federal Decree‑Law No. 14 of 2018 and Federal Decree‑Law No. 48 of 2023 (insurance) and takes effect 16 September 2025.
• Article 61 extends regulated activity to include “advertising, marketing or promoting” of financial services as a regulated act.
• Article 62 expands the scope to “carrying on, offering, issuing or facilitating, whether directly or indirectly … any Licensed Financial Activity, regardless of the medium, technology or form employed”.
• Article 170 introduces criminal liability for unlicensed financial activities: imprisonment and/or fines from AED 50,000 up to AED 500 million.
• The law explicitly brings virtual asset payment services, infrastructure providers and technology tools into scope.

Regulatory Perimeter – What is Within Scope

Federal Decree-Law No. 6 of 2025 establishes a centralised, federal licensing perimeter administered by the Central Bank of the UAE (CBUAE). Once a financial activity is classified as a “Licensed Financial Activity”, federal jurisdiction prevails over any free-zone framework. This hierarchy is explicit: operating inside a free-zone does not exempt any entity from compliance when its service is accessible to, or used by, UAE residents outside that zone.

1. Free-Zones Have No Shielding Effect When Services Reach UAE Residents

VARA (Dubai) and ADGM’s FSRA (Abu Dhabi) retain authority to regulate virtual-asset activities within their jurisdictional borders, but their licences do not constitute a defence under federal law if the provider’s tools or communications reach the broader onshore UAE population.

This is because the New Law:

• Treats the provision, facilitation or promotion of a regulated service as a licensable act regardless of technology, medium or location.
• Applies to any person “directly or indirectly” enabling access to the activity.
• Contains no carve-out allowing free-zone licences to override or replace CBUAE licensing obligations.

Under this structure, VARA and ADGM licences remain valid only for activity strictly contained within the free-zone, without spillover to UAE residents. A free-zone licence therefore becomes insufficient the moment:

• a product is reachable on the public internet,
• an app or protocol is globally available without geographical restriction,
• a marketing communication or website can be accessed from the UAE mainland,
• UAE-resident users interact with the tool (even unintentionally).

In operational terms, businesses cannot rely on the historical assumption that “free-zone regulation = UAE compliance.” Federal jurisdiction now clearly supersedes.

2. Why Dubai’s Crypto Ecosystem Is No Longer a Safe Harbour?

The UAE’s new federal law is blunt: if UAE residents can access your crypto tool, you may now be committing a crime.That includes:

• self-custody wallets,
• blockchain explorers,
• market-data tools,
• API providers,
• decentralised protocols,
• and every crypto exchange in Dubai—onshore or offshore.

This is not speculative. This is written directly into the structure of Federal Decree-Law No. 6 of 2025, which came into force on 16 September 2025.

3. What Counts as a “Licensed Financial Activity” — The New Scope

The threshold for what constitutes a licenceable act has substantially widened. According to legal analysis, payment services using virtual assets, open-finance infrastructure, and any technology facilitating such activity are now captured.

Key expansions include:

• Virtual-asset payment rails and settlement layers.
• Wallet interfaces capable of initiating, approving, or routing transactions.
• APIs connected to wallets, custody layers, or blockchain networks.
• Tools that allow users to view, query, validate or transmit transactions (blockchain explorers, analytics dashboards, RPC nodes).
• Protocols where end-users can interact with financial functionality, even if decentralised.

This makes the regulatory boundary functional, not formal. If a tool can be used in a manner that resembles payment service facilitation or financial intermediation—even without custody—it risks classification as a “Licensed Financial Activity.”

Capture of Infrastructure, APIs, Explorers, DeFi and Communications

The New Law does not confine itself to traditional intermediaries such as exchanges or custodians. It expressly reaches technical enablers, reflecting a policy view that the infrastructure layer can itself constitute participation in financial activity.

Impacted categories include:

• Infrastructure providers
  RPC endpoints, validator nodes, relayers, indexing services—any service enabling users to initiate or broadcast blockchain transactions.
• API providers
  Interfaces that allow developers or end-users to transact, track balances, fetch blockchain data, or trigger automated interactions.
• Blockchain explorers
  Considered high-risk because they facilitate transaction analysis, address queries, and interaction with on-chain data.
• DeFi protocols
  Smart-contract systems enabling swaps, lending, staking, or liquidity operations are treated as “facilitating” regulated activity—even if non-custodial.
• Marketing and communications
  Article 61 elevates advertising or promotion to a licensable act. Simply sending an email newsletter or publishing a webpage that UAE residents can access may trigger liability.

The perimeter is therefore activity-based, access-based, and technology-neutral.

Extraterritorial Reach — Foreign Companies Are In Scope

The law’s drafting is deliberately extraterritorial. Legal guidance emphasises that activities outside the UAE are licenceable if UAE residents can access the service. This includes:

• Foreign wallet developers with globally available apps.
• Blockchain explorers, analytics dashboards, or API endpoints that do not geo-block the UAE.
• dApps and protocols accessible via a public website.
• Social-media posts, newsletters or promotional material viewable by UAE users.

The decisive test is use or accessibility by UAE residents, not incorporation, server location or operational presence. As a result, foreign entities face the same licensing exposure as domestic firms unless they implement:

• strict geo-fencing,
• contractual exclusions of UAE residents,
• IP-based access controls,
• monitored compliance logs preventing UAE onboarding.

Failure to implement these controls can constitute an unlicensed financial activity that triggers both criminal and administrative sanctions.

4. Self-Custody Wallets, Explorers, and Market-Data Tools — Now Potentially Criminal

Federal Decree-Law No. 6 of 2025 redraws the licensing perimeter so broadly that technology once deemed “neutral” or “non-custodial” can now fall squarely within the definition of a regulated financial activity. Market commentary highlights that self-custody wallets, blockchain explorers, and market-data tools—even when non-custodial, open-source, or unmonetised—may require a licence from the Central Bank of the UAE (CBUAE) if accessible by UAE residents.

This represents a structural shift away from global norms where self-custody and infrastructure tools are treated as outside the perimeter. In the UAE, the regulator no longer distinguishes meaningfully between “financial service provider” and “technology provider.” The operative test is functional: does the tool enable a financial act, or assist a user in performing one, directly or indirectly?

Under this approach:

1. Self-Custody Wallets

Self-custody wallets—software enabling users to generate private keys, sign transactions, and transmit on-chain instructions—are treated as facilitation of financial activity, regardless of whether the provider holds or touches customer assets.

Wallet developers now face three core regulatory exposures:

• Initiation of virtual-asset payment activity: generating and broadcasting transactions may qualify as enabling payment services.
• Infrastructure risk: tools that “facilitate” any step in the transaction lifecycle may fall within Articles 60–62.
• Promotion risk: simply offering the wallet online, or emailing about it, is a regulated act under Article 61 if accessible by UAE residents.

This means the typical “non-custodial = unregulated” assumption no longer holds. A CBUAE licence may be required even if the provider never interacts with funds, personal data, or customer accounts.

2. Blockchain Explorers

Explorers—viewers of transaction data, addresses, balances and mempool activity—are referenced in market commentary as newly exposed. Although they do not execute transactions, they:

• Enable users to monitor, interpret, and verify financial activity, and
• Assist in identifying or initiating transaction paths, which the regulator may view as facilitation.

The law’s technology-neutral drafting captures any digital tool that “carries on, offers, issues, or facilitates” regulated financial activity. Explorers therefore risk falling into:

• Data-layer facilitation, and
• Financial-services promotion if the explorer links to, recommends, or interfaces with on-chain activity.

Even passive explorers accessible to UAE users, hosted outside the UAE, may require a CBUAE licence unless geofenced.

3. Market-Data Tools and Analytics

Market-data providers—price aggregators, portfolio-trackers, analytics dashboards, or market-cap reporters—may be viewed as performing a role analogous to financial analytics providers in traditional markets.

Regulatory risk arises when these tools:

• Display actionable trading signals or pricing,
• Integrate wallet connectivity,
• Provide routing or transaction-initiation capabilities, or
• Embed links to execution venues.

Under Article 61, publishing such information to UAE residents can itself become a licence-triggering act. The law expressly targets communications and digital access, not just transactional capability.

5. Extraterritorial Reach — “If the UAE Can See It, the UAE Can Regulate It

Developers are now publicly warning that even offering a wallet, explorer, or market-data tool—without custody, without intermediary functions, without monetisation—may meet the threshold for a licensable activity.

This is because:

• The law treats offer, facilitate, enable, or provide access as sufficient.
• No distinction is made between onshore and offshore providers.
• No exemption is granted for open-source, non-profit, or decentralised architecture.
• The CBUAE has explicit authority to classify any activity as financial if it witnesses risk to the financial system.

As summarised in developer commentary:

“The law makes it a crime to provide self-custody Bitcoin wallets, blockchain explorers … without a Central Bank licence.”

This is not hyperbole—under Article 170, unlicensed activity can attract:

• Criminal liability, including imprisonment;
• Fines ranging up to AED 500 million; and
• Parallel administrative penalties that may reach AED 1 billion.

The regulatory obligation attaches the moment the service becomes accessible to a UAE resident—irrespective of where the developer is located, whether the software is custodial, or whether the provider has any commercial presence.

6. Practical Consequence

Developers must now assume that any unlicensed crypto-related tool exposed to UAE residents creates federal liability unless:

• the provider obtains a CBUAE licence; or
• strict geofencing and contractual exclusion mechanisms are implemented; or
• the service is re-architected to remove functional exposure to regulated activity.

The environment is no longer permissive. It is default-restrictive, with federal criminal penalties serving as the deterrent.

6. Step-by-Step Compliance Workflow for Business Implementation

Step 1: Internal Scoping and Risk Assessment

1. Map your business activities: wallet development, blockchain explorer, API/analytics, dApp, marketing of crypto-services.
2. Determine whether any product or service targets UAE residents (explicitly or by access).
3. Evaluate whether the service falls under the “licensed financial activity” definition in Article 60–62.
4. Document risk areas: self-custody tools, unhosted wallets, DeFi protocols, market-data services, promotion/marketing.

Step 2: Licence Check and Decision-Making

5. If your activity is captured, determine the licensing regime under the CBUAE (or other regulator) for virtual asset/payment services.
6. Decide: (a) apply for licence; (b) restrict access from UAE residents; or (c) restructure product to fall outside scope (with documented compliance rationale).
7. If restricting access from UAE, implement geo-blocking, terms of service exclusions, IP restrictions and contractual warranties from users.

Step 3: Implementation of Controls & Governance

8. Update terms of use, privacy policy, service-level agreements to include UAE jurisdiction exclusion or compliance statements.
9. Install compliance monitoring: track access logs, IP addresses, user residency indications.
10. Govern marketing: review all communications (emails, newsletters, campaigns, websites, social media) for implication of regulated activity to UAE persons—Article 61 covers this.
11. Implement AML/KYC and consumer-protection governance if licenceable activity is engaged.

Step 4: Contractual and Documentation Requirements

12. Draft contracts and customer terms with indemnities, jurisdiction clauses excluding UAE or aligning with UAE law as required.
13. Prepare internal policies: client onboarding, risk management, governance, incident response in line with CBUAE expectations.

Step 5: Transition & Timeline

14. The law provides a transition period—typically one year from effective date (i.e., until 16 Sept 2026) for entities to align.
15. Coordinate with regulatory advisor to track forthcoming implementing regulations, circulars and guidance from CBUAE.

Step 6: Ongoing Monitoring & Enforcement Readiness

16. Keep abreast of enforcement actions and public disclosures by CBUAE.
17. Prepare for audits, inspections and potential sanctions by establishing documentation trails of compliance decisions.

7. Key Risks and Compliance Failures

Criminal and Administrative Sanctions

• Engaging in regulated financial activity without a licence may lead to imprisonment and fines up to AED 500 million under Article 170.
• Administrative fines may reach up to AED 1 billion.
• Sanctions may apply even to foreign-based companies if their services are accessible by UAE residents.

Reputational and Operational Risks

• The tightening of the regulatory regime may impact the UAE’s positioning as a crypto innovation hub. 99Bitcoins
• Failure to restrict access or mis-classifying services may cause sudden operational shutdown, asset freeze, loss of customer trust.
• Marketing to UAE residents without licence may itself be a breach (Article 61).

Legal and Contractual Exposure

• Contracts that imply provision to UAE residents may be voidable or expose parties to liability.
• Data/logs of UAE users may trigger supervisory scrutiny.

Practical Checklist for Businesses

• Conduct business-model mapping and determine if access to UAE persons occurs.
• Analyse services: self-custody wallet, explorer, API, dApp-infrastructure, market data – identify regulated-activity risks.
• Determine licensing requirement with CBUAE for activities falling under Articles 60-62.
• If not licensed, restrict service from UAE: implement geolocation, terms of service, contractual exclusion.
• Review all marketing/advertising to ensure no unlicensed promotion targeting UAE.
• Amend user terms and contracts to reflect UAE exclusion or compliance status.
• Install technical controls: IP blocking, residency checks, logs, audit trail.
• Maintain governance documents: compliance policy, AML/KYC procedures, incident-response plan, record-keeping.
• Monitor official CBUAE guidance, circulars, and timelines for transition period.
• Establish a framework for remediation in case of breach: legal-review, disclosure to regulator, customer communication.

Sample Clause – User Agreement Exclusion of UAE Residents

“Exclusion of United Arab Emirates Residents – The Service may not be used by any individual or entity resident or domiciled in the United Arab Emirates. By accessing the Service you represent and warrant that you are not a resident or domiciliary of the UAE, and will not access the Service from such location. The Company reserves the right to immediately suspend or terminate access for any user determined to be a UAE resident or to have otherwise breached this clause.”

Use this clause as a placeholder – adapt to your specific jurisdictional and regulatory analysis.