VARA CISO APPOINTMENT AND STAFF COMPETENCY REQUIREMENTS: BUILDING YOUR COMPLIANCE TEAM

Alexander Sverdlov

VARA Compliance · March 2026

You have the technology, the licence, and the business plan. But VARA will not sign off on any of it unless you can prove you have the right people - starting with a properly qualified CISO. Here is what the rulebook actually requires.

11 min read · March 12, 2026 · Regulatory Intelligence

Virtual asset regulation in Dubai has matured rapidly since VARA began issuing licences in 2023. The technology requirements are sophisticated. The AML/CFT expectations are stringent. But one area that catches VASPs off guard more consistently than any other is the people side of compliance - specifically, the mandatory appointment of a Chief Information Security Officer (CISO) and the ongoing competency requirements for all staff.

Under the Company Rulebook, Part I (Technology and Information Governance), Sections I (CISO Appointment) and J (Staff Competency), VARA establishes prescriptive requirements for who must lead your cybersecurity function, how they must be qualified, and what level of awareness every employee in your organisation must maintain. These are not suggestions. They are licensing conditions, and non-compliance can trigger enforcement action, licence conditions, or suspension.

This article examines both sections in detail: what VARA requires of the CISO role, how it interacts with the Compliance Officer and DPO functions, what “appropriately experienced” actually means in practice, and how to structure a training programme that satisfies the staff competency obligations. If you are building, restructuring, or scaling a VASP compliance team in Dubai, this is your operational blueprint.

Part I, Section I

The CISO: VARA’s Mandatory Cybersecurity Leadership Role

VARA requires every licensed VASP to appoint a Chief Information Security Officer (CISO). This is not an optional governance enhancement - it is a mandatory condition of operating under a VARA licence. The CISO must be a named individual with direct accountability for the entity’s information security programme, and VARA expects the appointment to be documented, reported, and maintained as part of the entity’s ongoing compliance filings.

The key regulatory requirement that most VASPs initially overlook is the separation mandate: the CISO must be a separate individual from the Compliance Officer (CO). VARA recognises that these two functions - information security and regulatory compliance - serve different objectives, require different expertise, and must operate independently to be effective. Combining them in a single individual creates an inherent conflict of interest and reduces the organisation’s ability to maintain independent assurance over its cybersecurity posture.

VARA Separation Rule

The CISO must be a distinct appointment from the Compliance Officer. These are two separate roles with separate mandates. However, VARA does permit the CISO role to be combined with the Data Protection Officer (DPO) function, provided the individual has sufficient expertise in both information security and data protection to discharge both sets of responsibilities effectively.

Role combinations under Section I (whether permitted, and the rationale and conditions):

  • CISO + Compliance Officer: Not permitted. These roles must be held by different individuals. The CO oversees regulatory compliance across all frameworks; the CISO focuses on information security. Combining them creates a conflict of interest and reduces independent assurance. VARA enforces this separation as a licensing condition.
  • CISO + DPO: Permitted (conditional). Permitted where the individual possesses appropriate expertise in both information security and data protection. In practice, this is common for smaller VASPs where the overlap between cybersecurity and data privacy is substantial. The individual must be able to demonstrate competency in UAE PDPL requirements alongside information security management.
  • CISO + CTO: Discouraged. While not explicitly prohibited, VARA expects the CISO to have an independent reporting line. Combining the CISO with the CTO - who is typically responsible for building and deploying the systems the CISO must secure - creates a first-line/second-line conflict that undermines the CISO’s ability to challenge and oversee technical decisions.
  • CISO + MLRO: Discouraged. The Money Laundering Reporting Officer has a distinct regulatory mandate under UAE AML/CFT law. While not explicitly prohibited by Section I, combining these roles stretches a single individual across two demanding, independently regulated functions. VARA generally expects separation for entities above a minimal scale.

The practical implication is clear: even a small VASP needs at minimum two senior compliance personnel - a Compliance Officer and a CISO (who may also serve as DPO). For entities of any meaningful scale, three or more is typical, with CO, CISO, DPO and MLRO held as separate roles.

Qualifications & Experience

What “Appropriately Experienced” Means in Practice

VARA requires the CISO to be “appropriately experienced.” This is deliberately principles-based rather than prescriptive - VARA does not mandate specific certifications or a minimum number of years. However, the regulatory expectation is clear: the CISO must have demonstrable, relevant experience in information security at a senior level, with credible expertise in the virtual asset and DLT operating environment.

Based on VARA’s licensing assessments and enforcement patterns, here is what “appropriately experienced” looks like in practice:

Information Security Leadership

A minimum of 5–7 years in information security roles, with at least 2–3 years in a leadership or managerial capacity. The CISO must have experience designing, implementing, and overseeing security programmes - not just executing technical tasks. VARA is looking for strategic capability, not just operational skills.

VA/DLT-Specific Knowledge

Understanding of blockchain architecture, smart contract security, cryptographic key management, consensus mechanisms, and the threat landscape specific to virtual assets. A CISO with 20 years in traditional banking but no exposure to DLT environments will struggle to satisfy VARA’s expectations.

Recognised Certifications

While not mandatory, certifications such as CISSP, CISM, CISA, or CEH significantly strengthen a CISO candidate’s profile. For VA-specific credibility, certifications in blockchain security (e.g., CBSP, C|BSE) or smart contract auditing demonstrate targeted expertise. VARA assessors review CVs during licensing and expect to see credible qualifications.

Regulatory Awareness

The CISO must understand the regulatory landscape in which the VASP operates. This includes VARA’s own rulebook, the UAE PDPL (Federal Decree-Law No. 45 of 2021), and relevant international standards (ISO 27001, NIST CSF). The ability to translate regulatory requirements into security controls is a core competency.

Core CISO Responsibilities Under VARA

The CISO’s mandate under the Company Rulebook extends across the full scope of information security governance. Key responsibilities include:

  • Information security strategy: Define, implement, and maintain the entity’s information security programme aligned to VARA requirements and industry best practices
  • Risk management: Conduct regular risk assessments, maintain a risk register, and ensure controls are proportionate to identified risks
  • Incident response leadership: Serve as the senior authority during cybersecurity incidents, coordinate with the incident response team, and oversee VARA notification obligations
  • Vulnerability management: Oversee penetration testing, vulnerability scanning, and remediation tracking
  • Third-party security: Assess and monitor the security posture of third-party service providers, custodians, and technology partners
  • Staff awareness: Drive the cybersecurity awareness and training programme (see Section J below)
  • Board reporting: Provide regular reports to the board or governing body on the state of information security, material risks, and compliance status
  • Key management oversight: Ensure cryptographic key management practices meet VARA standards, including HSM governance, key rotation, and access controls

Reporting Line Matters

VARA expects the CISO to have a sufficiently senior reporting line - ideally to the CEO, COO, or board directly. A CISO buried under the CTO or reporting through several layers of management cannot exercise the independence that VARA requires. During licensing assessments, VARA reviewers will examine the organisational chart to verify that the CISO has appropriate authority, access to the board, and the ability to escalate concerns without interference.

Part I, Section J

Staff Competency: Training Requirements for All Personnel

Section J of the Company Rulebook moves beyond the CISO and addresses every individual in the organisation. VARA requires that all staff be aware of the latest cybersecurity risks, with a particular emphasis on risks specific to virtual assets and distributed ledger technology. This is not limited to technical personnel - it extends to operations, customer support, marketing, finance, and any other function that interacts with the VASP’s systems or client data.

The training obligation has three dimensions: it must be current (reflecting the latest threat landscape), VA/DLT-specific (addressing risks unique to the virtual asset environment), and proportionate (calibrated to each staff member’s role and level of access).

Proportionate Training Principle

VARA does not require every employee to hold a CISSP. Instead, training must be proportionate to role: a customer support agent needs phishing awareness and social engineering defence; a smart contract developer needs secure coding practices and audit methodology; a wallet operator needs key management procedures and physical security awareness. The common thread is that every individual understands the specific cybersecurity risks relevant to their function.

Training tiers (target audience, core topics and frequency):

  • Tier 1: Foundation. Target audience: all staff (including non-technical). Core topics: phishing and social engineering; password hygiene; physical security; incident reporting procedures; data handling and classification; mobile device security; identifying suspicious activity. Frequency: annual mandatory, with quarterly refreshers (short modules or simulated phishing exercises).
  • Tier 2: VA-Specific. Target audience: operations, customer support, compliance. Core topics: VA/DLT threat landscape; common crypto scams and attack vectors; client asset segregation; wallet security basics; fork and chain event awareness; regulatory reporting triggers; insider threat indicators. Frequency: annual mandatory, with updates when significant new threats emerge.
  • Tier 3: Technical. Target audience: developers, infrastructure, security team. Core topics: secure coding practices; smart contract vulnerability classes; key management and HSM procedures; penetration testing methodology; incident response roles; BCDR procedures; on-chain forensics. Frequency: semi-annual, plus ad hoc training on new tools, platforms, or protocols introduced.
  • Tier 4: Leadership. Target audience: board, C-suite, senior management. Core topics: cybersecurity governance; regulatory obligations and liability; risk appetite and tolerance; incident escalation protocols; crisis communication; board-level cyber reporting. Frequency: annual, with incident-triggered briefings as needed.

VARA expects training to be documented and auditable. This means maintaining records of: who was trained, on what topics, when, and with what assessment results. During supervisory reviews, VARA can request training records as evidence of compliance. A verbal assertion that “we train our staff” without supporting documentation will not satisfy the requirement.

Onboarding Is Day One

New hires must receive cybersecurity awareness training before gaining access to any system containing client data, virtual assets, or sensitive operational information. This includes contractors and temporary staff. VARA does not distinguish between permanent and temporary personnel for training purposes - if they have access, they need training.
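The documentation requirement above (who was trained, on what, when, with what result) and the onboarding gate are easy to state and easy to get wrong in practice. The following is an added example, not code from the article or from Venvera, of a training register that audits every person against the tiers their role requires, treats contractors exactly like employees, and refuses system access until Tier 1 has been passed. The role-to-tier mapping, the day counts used for "annual" and "semi-annual", the pass mark and all personnel records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumed encoding of the training-table frequencies: Tiers 1, 2 and 4 are
# annual, Tier 3 is semi-annual. The day counts are this example's choice.
TIER_INTERVAL_DAYS = {1: 365, 2: 365, 3: 182, 4: 365}
PASS_MARK = 80  # assumed assessment pass mark (percent)

# Hypothetical role-to-tier mapping illustrating the proportionality principle.
ROLE_TIERS = {
    "customer_support": {1, 2},
    "developer": {1, 3},
    "wallet_operator": {1, 2, 3},
    "board_member": {1, 4},
    "marketing": {1},
}


@dataclass(frozen=True)
class StaffMember:
    staff_id: str
    role: str
    start_date: date
    contractor: bool = False  # contractors are audited exactly like employees


@dataclass(frozen=True)
class TrainingRecord:
    staff_id: str
    tier: int
    topic: str
    completed_on: date
    score: int  # assessment result, percent

    @property
    def passed(self) -> bool:
        return self.score >= PASS_MARK


def latest_pass(records, staff_id, tier):
    """Most recent passed completion for one person and tier, or None."""
    dates = [r.completed_on for r in records
             if r.staff_id == staff_id and r.tier == tier and r.passed]
    return max(dates) if dates else None


def audit_training(staff, records, as_of):
    """Map each staff_id to a list of findings; an empty list means compliant."""
    findings = {}
    for s in staff:
        issues = []
        for tier in sorted(ROLE_TIERS[s.role]):
            last = latest_pass(records, s.staff_id, tier)
            if last is None:
                issues.append(f"tier {tier}: no passed training on record")
            elif (as_of - last).days > TIER_INTERVAL_DAYS[tier]:
                issues.append(f"tier {tier}: overdue, last passed {last.isoformat()}")
        findings[s.staff_id] = issues
    return findings


def may_grant_access(member, records, access_date):
    """Onboarding gate: no system access until Tier 1 awareness training is passed."""
    last = latest_pass(records, member.staff_id, 1)
    return last is not None and last <= access_date


# Constructed sample data (not real personnel records).
AS_OF = date(2026, 3, 12)
STAFF = [
    StaffMember("S-001", "customer_support", date(2024, 5, 6)),
    StaffMember("S-002", "developer", date(2023, 1, 9)),
    StaffMember("C-003", "wallet_operator", date(2026, 3, 2), contractor=True),
]
RECORDS = [
    TrainingRecord("S-001", 1, "Phishing and social engineering", date(2025, 10, 1), 92),
    TrainingRecord("S-001", 2, "VA/DLT threat landscape", date(2025, 10, 3), 85),
    TrainingRecord("S-002", 1, "Phishing and social engineering", date(2025, 6, 1), 90),
    TrainingRecord("S-002", 3, "Smart contract vulnerability classes", date(2025, 8, 20), 88),
    TrainingRecord("S-002", 3, "Key management and HSM procedures", date(2026, 2, 1), 60),  # failed attempt
]


def run_audit():
    return audit_training(STAFF, RECORDS, AS_OF)


if __name__ == "__main__":
    for staff_id, issues in run_audit().items():
        print(staff_id, "OK" if not issues else "; ".join(issues))
    print("C-003 may access systems:", may_grant_access(STAFF[2], RECORDS, AS_OF))
```

Two design points matter for a supervisory review: a failed assessment never counts as completion (the developer's February attempt does not reset the Tier 3 clock, so the August pass is now overdue), and the contractor appears in the register with the same three required tiers as any employee, which is exactly the record VARA can ask to see.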

Simulated Attack Exercises

Best-practice VASPs go beyond passive training modules. Simulated phishing campaigns, social engineering tests, and tabletop exercises for incident response are highly effective and demonstrate to VARA that your programme goes beyond checkbox compliance. Track click rates, report rates, and improvement over time as measurable KPIs.

Team Design

How to Structure a VARA-Compliant Team

The question VASPs most frequently ask is: “How many compliance and security people do I actually need?” The answer depends on the scale and complexity of your operations, but VARA’s requirements establish a minimum baseline that applies to every licensee.

Team structure by VASP size (minimum roles and recommended structure):

  • Early-Stage / Small (10–30 staff). Minimum roles: CO, CISO/DPO, MLRO. Recommended structure: 3 mandatory roles minimum. CISO and DPO can be combined in one individual. MLRO must be separate. Consider outsourcing specialist functions (penetration testing, blockchain forensics) to retain qualified consultants.
  • Growth-Stage / Medium (30–100 staff). Minimum roles: CO, CISO, DPO, MLRO. Recommended structure: 4 separate roles. The CISO should have at least one dedicated security analyst. The CO should have a compliance analyst. Dedicated AML/CFT team under the MLRO. Security operations (SOC) can be outsourced to an MSSP with VA expertise.
  • Established / Large (100+ staff). Minimum roles: CO, CISO, DPO, MLRO, plus teams. Recommended structure: full security team (security engineering, SOC analysts, GRC specialists). Dedicated compliance team with framework-specific expertise. In-house blockchain forensics capability. Internal audit function. Risk management team. CISO should have a deputy for business continuity.

The Outsourcing Question

VARA permits outsourcing of certain security functions (e.g., SOC monitoring, penetration testing, forensics) but the accountability cannot be outsourced. The CISO remains personally accountable for the information security programme regardless of how many functions are performed by third parties. You can outsource execution, but you cannot outsource governance. Ensure your outsourcing arrangements include: SLA requirements, right-to-audit clauses, incident notification obligations, and compliance with VARA’s third-party risk management expectations.

The Talent Challenge

Finding a CISO with both traditional information security experience and deep VA/DLT expertise is genuinely difficult. The talent pool is small and global demand is high. Consider candidates from traditional financial services who have made a deliberate pivot into crypto/DLT, supplemented with VA-specific training and mentoring from blockchain security specialists.

UAE Residency Considerations

VARA expects key compliance and security personnel to be based in or accessible from the UAE. While remote working arrangements exist across the industry, VARA may require certain roles - particularly the CISO and CO - to be UAE-resident or to maintain a substantive presence in Dubai. Clarify residency expectations during the licensing process.

Schedule 1, Risk Category 4

Staff Competency Meets Customer Protection

Staff competency requirements do not exist in isolation. They connect directly to VARA’s customer protection obligations under Schedule 1, Risk Category 4 (Customer VAs). Your staff - particularly those in customer-facing roles, wallet operations, and security - must understand the controls that protect customer virtual assets:

Strong MFA Requirements

VARA mandates strong multi-factor authentication for customer-facing systems. Critically, instant messaging-based verification (SMS, WhatsApp) is not considered strong MFA. Staff must understand why SMS-based 2FA is inadequate (SIM swapping, SS7 attacks) and be able to guide customers towards hardware tokens, authenticator apps, or biometric verification.

Withdrawal Controls

VASPs must implement tiered withdrawal limits and cooling periods for new withdrawal addresses. Staff must be trained on the rationale for these controls, the escalation process for override requests, and how to identify social engineering attempts where clients are being coerced into making withdrawals by third parties.
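Staff can only explain a control they have seen work. The following is an added example, not code from the article or from any VASP's production system, of the two withdrawal controls described above: a cooling period on newly whitelisted destination addresses and a tiered rolling 24-hour limit. Rejections that a client might legitimately want overridden are flagged for the human escalation process rather than silently dropped. The tier names, the limit amounts, the 24-hour cooling period and the scenario data are assumptions constructed for the example; VARA does not prescribe these figures.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy parameters for this example; VARA does not prescribe these figures.
COOLING_PERIOD = timedelta(hours=24)   # wait after a new destination address is whitelisted
ROLLING_WINDOW = timedelta(hours=24)   # window over which the tier limit applies
DAILY_LIMITS_USD = {"basic": 2_000.0, "verified": 25_000.0, "institutional": 500_000.0}


@dataclass(frozen=True)
class Withdrawal:
    client_id: str
    address: str
    amount_usd: float
    requested_at: datetime


@dataclass
class ClientState:
    client_id: str
    tier: str
    whitelisted_at: dict = field(default_factory=dict)  # address -> datetime it was added
    approved: list = field(default_factory=list)        # approved Withdrawal objects


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    escalate: bool = False  # True: route to the human override/escalation process


def whitelist_address(client, address, when):
    """Record a new destination address; the cooling period starts from `when`."""
    client.whitelisted_at.setdefault(address, when)


def evaluate_withdrawal(client, w):
    """Apply the address cooling period, then the tiered rolling 24h limit."""
    added = client.whitelisted_at.get(w.address)
    if added is None:
        return Decision(False, "destination address not whitelisted")
    elapsed = w.requested_at - added
    if elapsed < COOLING_PERIOD:
        remaining = COOLING_PERIOD - elapsed
        return Decision(False, f"address in cooling period, {remaining} remaining", escalate=True)
    window_start = w.requested_at - ROLLING_WINDOW
    spent = sum(a.amount_usd for a in client.approved if a.requested_at > window_start)
    limit = DAILY_LIMITS_USD[client.tier]
    if spent + w.amount_usd > limit:
        return Decision(False, f"tier '{client.tier}' 24h limit {limit:.0f} exceeded "
                               f"({spent:.0f} already used)", escalate=True)
    client.approved.append(w)
    return Decision(True, "within limits")


def run_scenario():
    """Constructed sequence of requests for one 'verified' client (sample data)."""
    c = ClientState("CL-42", "verified")
    t0 = datetime(2026, 3, 10, 9, 0)
    whitelist_address(c, "addr-new", t0)
    requests = [
        Withdrawal("CL-42", "addr-new", 500.0, t0 + timedelta(hours=3)),        # inside cooling period
        Withdrawal("CL-42", "addr-unknown", 100.0, t0 + timedelta(hours=3)),    # never whitelisted
        Withdrawal("CL-42", "addr-new", 20_000.0, t0 + timedelta(hours=25)),    # cooled, within limit
        Withdrawal("CL-42", "addr-new", 10_000.0, t0 + timedelta(hours=30)),    # would breach 25k/24h
        Withdrawal("CL-42", "addr-new", 10_000.0, t0 + timedelta(hours=50)),    # window has rolled over
    ]
    return [evaluate_withdrawal(c, r) for r in requests]


if __name__ == "__main__":
    for d in run_scenario():
        print("APPROVED" if d.approved else "DENIED  ", "| escalate" if d.escalate else "", "|", d.reason)
```

The escalate flag is where the staff competency point bites: the people who review those flagged requests are the ones who need to recognise a client under pressure from a third party, so the control deliberately hands them the case with the reason attached rather than approving on a phone call.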

User Education Obligations

VARA expects VASPs to educate their clients on security best practices. This means your customer-facing staff need sufficient expertise to advise clients on wallet security, phishing prevention, and the importance of strong authentication. Staff who cannot explain these concepts to customers are not meeting the competency requirement.

Wallet Concentration Risk

Operations staff must understand the risks of excessive asset concentration in a single wallet or custody arrangement. Monitoring wallet balances, triggering rebalancing actions, and escalating concentration threshold breaches are operational competencies that directly support VARA’s customer protection expectations.
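Concentration monitoring is a threshold check plus a rebalancing decision, and the second part is where operations staff need a repeatable method. The following is an added example, not code from the article or from any custody platform, that reports which wallets exceed their share of total holdings, proposes the transfers that would bring every wallet under its cap (hot wallets can be given a stricter cap than cold storage), and reports surplus that cannot be placed anywhere, which is the signal to provision a new custody wallet rather than quietly accept the breach. The share thresholds, wallet names and balances are assumptions constructed for the example.

```python
def plan_rebalance(balances, default_max_share, wallet_caps=None):
    """
    balances: wallet name -> balance of one asset (same unit throughout).
    default_max_share: maximum fraction of total holdings any one wallet may hold.
    wallet_caps: optional per-wallet overrides, e.g. a lower cap for hot wallets.
    Returns the current breaches, the transfers that would clear them, and any
    surplus that has nowhere to go (meaning a new wallet is needed).
    """
    total = sum(balances.values())
    if total <= 0:
        return {"total": total, "breaches": {}, "moves": [], "unresolved": {}}
    caps = dict.fromkeys(balances, default_max_share)
    caps.update(wallet_caps or {})
    limit = {w: total * caps[w] for w in balances}
    surplus = {w: balances[w] - limit[w] for w in balances if balances[w] > limit[w]}
    room = {w: limit[w] - balances[w] for w in balances if balances[w] < limit[w]}

    moves = []       # (source wallet, destination wallet, amount)
    unresolved = {}  # wallet -> surplus that could not be placed
    # Clear the largest breach first, filling the wallet with the most headroom first.
    for src, excess in sorted(surplus.items(), key=lambda kv: kv[1], reverse=True):
        for dst in sorted(room, key=room.get, reverse=True):
            if excess <= 0:
                break
            amount = min(excess, room[dst])
            if amount <= 0:
                continue
            moves.append((src, dst, amount))
            room[dst] -= amount
            excess -= amount
        if excess > 0:
            unresolved[src] = excess

    breaches = {w: balances[w] / total for w in surplus}
    return {"total": total, "breaches": breaches, "moves": moves, "unresolved": unresolved}


# Constructed sample holdings (not real wallets): cold wallets may hold up to 40%
# of the total, the hot wallet is capped at 10%.
SAMPLE_BALANCES = {"cold-A": 600.0, "cold-B": 250.0, "cold-C": 0.0, "hot-1": 150.0}
SAMPLE_CAPS = {"hot-1": 0.10}


def run_check():
    return plan_rebalance(SAMPLE_BALANCES, 0.40, SAMPLE_CAPS)


if __name__ == "__main__":
    report = run_check()
    for w, share in report["breaches"].items():
        print(f"breach: {w} holds {share:.0%} of total")
    for src, dst, amount in report["moves"]:
        print(f"move {amount:.2f} from {src} to {dst}")
    for w, amount in report["unresolved"].items():
        print(f"unresolved surplus of {amount:.2f} in {w}: provision a new wallet")
```

Run on a scheduled basis against custody balances, the "breaches" output is the escalation trigger and the "moves" list is the rebalancing work order; an "unresolved" entry is the case where no rebalancing within the existing wallet set satisfies the policy, which the text describes as a threshold breach to escalate rather than an operational decision for the wallet operator alone.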

Part III & UAE PDPL

Confidential Information and Data Protection Training

Staff competency under VARA extends beyond cybersecurity into the protection of confidential client information and personal data. Part III of the Company Rulebook requires all staff to be familiarised with the entity’s obligations regarding confidential information - and explicitly prohibits the use of client information for trading purposes or any unauthorised disclosure.

In parallel, Part II requires compliance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021, or PDPL). The DPO - whether a standalone appointment or combined with the CISO role - must ensure that all staff who handle personal data understand their obligations under the PDPL, including lawful processing, data minimisation, storage limitation, and the rights of data subjects.

Key Training Points for Confidential Information & Data Protection

  • No trading on client data: Staff must understand that using client information - including trading patterns, order flow, or balance data - for personal trading or sharing with third parties is a severe compliance violation
  • Need-to-know access: Only access client information necessary for your role. Browsing client accounts without a business reason is a disciplinary and potentially criminal matter
  • 24-hour data incident reporting: Under Part II, data incidents must be reported to VARA within 24 hours of the initial data incident report. Staff must know how to recognise a data incident and escalate immediately
  • DPO as the escalation point: All data protection queries, subject access requests, and potential data incidents must be escalated to the DPO without delay
  • Cross-border data transfers: Staff must understand that transferring personal data outside the UAE is subject to restrictions under the PDPL and requires appropriate safeguards

Your Compliance Team Is Your First Line of Defence

Venvera helps VASPs manage CISO responsibilities, track staff training compliance, maintain audit-ready competency records, and monitor regulatory obligations across VARA, UAE PDPL, and international frameworks - all in one platform.

Key Takeaways

  • CISO is mandatory: Every VARA-licensed VASP must appoint a Chief Information Security Officer. This is a licensing condition, not a recommendation.
  • Separation from CO: The CISO and Compliance Officer must be different individuals. The CISO may be combined with the DPO role if the individual has appropriate dual expertise.
  • “Appropriately experienced”: VARA expects demonstrable information security leadership experience with VA/DLT-specific knowledge. Certifications strengthen but do not replace practical experience.
  • All staff, proportionate training: Every employee must receive cybersecurity awareness training proportionate to their role. Technical staff need deeper, more specialised training.
  • VA/DLT-specific awareness: Generic IT security training is insufficient. Training must address risks unique to virtual assets, including key management, chain events, smart contract vulnerabilities, and crypto-specific social engineering.
  • Document everything: Training records must be maintained and available for VARA review. Undocumented training is, for compliance purposes, training that never happened.

This article is for informational purposes only and does not constitute legal or regulatory advice. Virtual asset service providers should consult their legal counsel and VARA directly for entity-specific guidance on CISO appointment and staff competency obligations. Published March 2026.

References: VARA Company Rulebook Part I (Technology and Information Governance), Sections I and J; VARA Company Rulebook Part II (Personal Data Protection); VARA Company Rulebook Part III (Confidential Information); VARA Schedule 1, Risk Category 4 (Customer VAs); UAE Federal Decree-Law No. 45 of 2021 (PDPL).

Alexander Sverdlov

CEO & Founder

Alexander is the CEO and founder of Venvera, leading the development of multi-framework compliance solutions for European regulated entities.