
Getting the people side of VARA right will make or break your licensing application. Technology controls are fixable. Organisational structure problems take months to untangle.
I watched a well-funded exchange nearly lose their VARA licence application over something that had nothing to do with their technology stack. Their security was solid - hardware security modules, multi-sig wallets, the works. The problem? Their CISO reported to the CTO, who also managed the development team. VARA took one look at the org chart and said, essentially, “the person overseeing security can’t report to the person whose velocity targets conflict with security reviews.”
That restructuring delayed their launch by three months. Not because the technology wasn’t ready, but because the governance wasn’t.
This article breaks down everything VARA requires on the people and governance side: who you need to hire, what qualifications they need, how your org chart should look, and what competency requirements apply to every employee - not just the security team. These are the requirements from Part I, Sections I and J of the Technology and Information Rulebook, explained in plain language.
The CISO: Not a Title, a Structural Requirement
Let’s start with the big one. VARA requires every VASP to appoint a Chief Information Security Officer. But “appoint a CISO” understates what VARA actually expects. This isn’t about putting a title on someone’s LinkedIn profile. It’s about creating a structural role with specific attributes that VARA will verify.
Independence
This is the non-negotiable that catches most crypto companies. The CISO must be functionally independent from the technology development and operations teams. They can’t report to the CTO. They can’t report to the head of engineering. They need a direct reporting line to the CEO, the board, or an equivalent senior management body.
The logic is sound: a CISO who reports to the CTO faces an inherent conflict of interest. The CTO wants to ship features fast. The CISO needs the authority to slow things down when security reviews are incomplete. If the CTO can overrule the CISO, the security function is compromised. VARA gets this, and they check for it.
The reporting line matters.
I’ve seen VARA reviewers literally request the org chart and trace the CISO’s reporting line. If it goes through engineering or product, that’s a finding. Restructure before you apply, not after.
Qualifications
VARA doesn’t prescribe specific certifications (no “must have CISSP” mandate), but they expect demonstrable competency in information security management, risk assessment, and incident response. In practice, this means your CISO should have:
- Meaningful industry experience in cybersecurity (typically 7+ years)
- Relevant professional certifications (CISSP, CISM, CISA, or equivalent)
- Understanding of cryptographic systems and blockchain technology
- Experience with regulatory compliance frameworks
- Ability to communicate security risks to non-technical senior management
The crypto-specific knowledge matters. A CISO who’s brilliant at traditional IT security but has never dealt with key management, wallet architecture, or smart contract risk is going to have a steep learning curve. VARA expects your CISO to understand the specific threat landscape of virtual assets, not just generic cybersecurity.
Responsibilities
VARA expects the CISO to own, at minimum:
- Policy Ownership: Developing, maintaining, and enforcing the cybersecurity policy and all supporting procedures
- Risk Assessment: Leading the cybersecurity risk assessment process and maintaining the risk register
- Incident Response: Directing the incident response programme, including VARA’s 72-hour notification obligations
- Board Reporting: Regular reporting to senior management on security posture, threats, incidents, and compliance status
- Testing Oversight: Overseeing penetration testing, vulnerability assessments, and smart contract audits
- Training Programme: Designing and running the staff competency and security awareness programme
The Full-Time vs. Fractional CISO Question
This is the question every small VASP asks: “Do we really need a full-time CISO?”
The honest answer: VARA doesn’t explicitly mandate full-time employment. The proportionality principle means that a smaller VASP with a simpler risk profile - say, an advisory firm that doesn’t hold client assets - might be able to justify a fractional CISO arrangement. But there are important caveats.
A fractional CISO still needs to meet all the same requirements: independence, qualifications, defined responsibilities, direct reporting line. They need to be actively involved in your organisation, not just a name on a document who shows up once a quarter. VARA will check. They’ll want to see evidence of the CISO’s involvement - meeting minutes, policy review records, incident response participation, board reports.
My recommendation: if you’re a custodian, exchange, or any VASP handling client assets, hire a full-time CISO. The risk profile justifies it, and VARA will likely push back on a fractional arrangement for high-risk VASPs. If you’re a small advisory or management firm, a fractional CISO can work - but document the arrangement thoroughly and ensure genuine engagement.
Budget-wise, expect to pay AED 40,000-80,000 per month for a full-time CISO with crypto experience in Dubai. Fractional arrangements typically run AED 15,000-30,000 per month. These aren’t optional expenses. They’re licensing prerequisites.
Staff Competency: It’s Not Just About the Security Team
Here’s the part that surprises people: VARA’s staff competency requirements don’t apply only to your security team. They apply to everyone. Every employee who touches technology, handles customer data, or has access to your systems needs appropriate training and demonstrated competency.
VARA breaks this into tiers, and it’s worth understanding the distinction:
Tier 1: All Staff
Every employee, regardless of role, needs security awareness training. This covers:
- Recognising phishing and social engineering attacks
- Password hygiene and multi-factor authentication
- Data handling and classification procedures
- Incident reporting - how to escalate when something looks wrong
- Acceptable use policies for company devices and systems
Tier 2: Technical Staff
Developers, system administrators, DevOps engineers, and anyone with privileged access need additional training on:
- Secure development practices (OWASP, secure coding standards)
- Cryptographic key handling procedures
- Change management and deployment security
- Vulnerability management and patching protocols
- Specific threats relevant to virtual asset platforms
Tier 3: Security Team & CISO
Your dedicated security personnel need continuous professional development:
- Maintaining professional certifications
- Staying current on emerging threats in the crypto space
- Incident response exercises and tabletop drills
- Regulatory updates (VARA publishes guidance regularly)
- Cross-training with DESC standards
The Training Programme: What VARA Actually Wants to See
Writing a training policy is the easy part. VARA wants evidence that the training is actually happening, that it’s effective, and that it’s being updated. Here’s what a compliant training programme looks like in practice:
Frequency: Security awareness training for all staff at least annually, with additional sessions when significant changes occur (new systems, new threat vectors, major incidents). Your security team should have quarterly learning objectives.
Content relevance: Generic “don’t click suspicious links” training won’t cut it for a crypto company. Your training needs to cover crypto-specific threats: SIM-swapping attacks targeting key holders, social engineering targeting wallet operations, supply chain attacks on DeFi protocols, insider threats around key access.
Testing and assessment: VARA expects you to verify that training is effective. This means quizzes, phishing simulations, practical exercises - not just slides that people click through while checking their phones.
Records: You need to maintain detailed training records: who attended, when, what was covered, assessment results. These records need to be available for VARA inspection. A compliance platform that tracks training completion and stores records is much more defensible than a folder of sign-in sheets.
New joiner onboarding: Every new employee must complete security training before they get access to production systems. Not within 30 days. Not “when they have time.” Before access is provisioned. This needs to be baked into your onboarding workflow.
Senior Management and Board Competency
This is the requirement that makes some founders uncomfortable: VARA expects your senior management - including the board or governing body - to have sufficient understanding of technology and cybersecurity risks to make informed decisions.
That doesn’t mean your board members need to be able to write Solidity code. It means they need to:
- Understand the material technology risks facing the business
- Be able to interpret the CISO’s security reports and ask meaningful questions
- Approve the technology governance framework with genuine understanding, not rubber-stamping
- Challenge management on cybersecurity investment and risk acceptance decisions
In practice, this means your board needs some form of technology/cybersecurity briefing or training. Some VASPs address this by including a technology committee within the board. Others bring in external advisors for periodic briefings. Whatever the approach, you need to demonstrate that senior leadership engagement is genuine, not performative.
One approach I’ve seen work well: the CISO presents quarterly to the board with a structured security posture report that includes key metrics (incidents, vulnerability trends, audit findings, training completion rates) alongside an executive risk summary. Keep the reports in your compliance platform so there’s an audit trail showing the board actually received and engaged with the information.
Segregation of Duties: The Org Chart Traps
Beyond the CISO reporting line, VARA expects proper segregation of duties across several areas. Here are the combinations that will get you flagged:
The developer who approves their own code to production. VARA requires that code changes go through independent review before deployment. The person writing the code can’t be the same person approving it for release.
The key holder who also manages the key management system. Key operations need dual control. The person performing a key ceremony shouldn’t be the same person with administrative access to the HSM or key management infrastructure.
The incident responder who also handles the VARA notification. OK, this one’s not a strict prohibition, but VARA strongly prefers that incident response and regulatory notification are handled by different individuals to prevent conflicts of interest around incident severity classification.
The compliance officer who also manages the systems being audited. Self-auditing isn’t auditing. Your compliance function should have the independence to assess systems without pressure from the teams running those systems.
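The four traps above are the kind of thing a compliance platform can check mechanically once the records exist. As an added example (not the article’s own code, and not anything VARA publishes), the following Python script runs a segregation-of-duties check over constructed deployment, key ceremony, incident and audit records; the record formats, rule names and the fictional people in the sample data are assumptions for illustration. It reports the responder/notifier overlap as advisory rather than a violation, matching the article’s description of it as a strong preference rather than a strict prohibition.

```python
# Added example (not from the article or from VARA): a segregation-of-duties
# checker over constructed governance records. Record formats, rule names
# and all people/identifiers below are assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Deployment:
    change_id: str
    author: str
    approver: str


@dataclass
class KeyCeremony:
    ceremony_id: str
    operator: str            # person performing the key ceremony
    hsm_admins: frozenset    # people with admin access to the HSM / KMS


@dataclass
class Incident:
    incident_id: str
    responder: str
    regulator_notifier: str  # person who files the regulator notification


@dataclass
class Audit:
    audit_id: str
    auditor: str
    system_owner: str


def check_segregation(deployments, ceremonies, incidents, audits):
    """Return findings as (severity, rule, record_id, detail) tuples."""
    findings = []
    for d in deployments:
        # Author and approver of a production change must differ.
        if d.author == d.approver:
            findings.append(("violation", "code-review", d.change_id,
                             f"{d.author} authored and approved the change"))
    for c in ceremonies:
        # Dual control: the ceremony operator must not also hold HSM admin.
        if c.operator in c.hsm_admins:
            findings.append(("violation", "key-dual-control", c.ceremony_id,
                             f"{c.operator} ran the ceremony and holds HSM admin"))
    for i in incidents:
        # Strong preference, not a prohibition, so reported as advisory.
        if i.responder == i.regulator_notifier:
            findings.append(("advisory", "incident-notification", i.incident_id,
                             f"{i.responder} both responded and notified the regulator"))
    for a in audits:
        # Self-auditing is not auditing.
        if a.auditor == a.system_owner:
            findings.append(("violation", "compliance-independence", a.audit_id,
                             f"{a.auditor} audited a system they operate"))
    return findings


# Constructed sample records (fictional people and identifiers).
SAMPLE_DEPLOYMENTS = [
    Deployment("CHG-101", author="alice", approver="bob"),
    Deployment("CHG-102", author="carol", approver="carol"),
]
SAMPLE_CEREMONIES = [
    KeyCeremony("KC-1", operator="dave", hsm_admins=frozenset({"erin", "frank"})),
    KeyCeremony("KC-2", operator="erin", hsm_admins=frozenset({"erin", "frank"})),
]
SAMPLE_INCIDENTS = [
    Incident("INC-7", responder="grace", regulator_notifier="heidi"),
    Incident("INC-8", responder="grace", regulator_notifier="grace"),
]
SAMPLE_AUDITS = [
    Audit("AUD-3", auditor="ivan", system_owner="judy"),
    Audit("AUD-4", auditor="judy", system_owner="judy"),
]


def sample_findings():
    """Run the checker over the constructed sample records."""
    return check_segregation(SAMPLE_DEPLOYMENTS, SAMPLE_CEREMONIES,
                             SAMPLE_INCIDENTS, SAMPLE_AUDITS)


if __name__ == "__main__":
    for severity, rule, record_id, detail in sample_findings():
        print(f"[{severity}] {rule} {record_id}: {detail}")
```

In a real deployment the records would be pulled from the change-management system, the HSM’s access control list, the incident tracker and the audit log rather than typed in; the point of the check is that every finding points at a specific record a reviewer can open.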
Your People & Governance Readiness Checklist
Before you submit your VARA application, make sure you can answer “yes” to all of these:
- CISO appointed with a direct reporting line to the CEO or board (not CTO/engineering)
- CISO qualifications documented - CV, certifications, relevant experience on file
- CISO involvement evidenced - meeting minutes, policy documents with CISO review stamps, board reports
- Security awareness training completed by all staff, with assessment results recorded
- Technical staff training completed for developers, admins, and privileged access holders
- Board briefing records showing senior management engagement with technology risks
- Segregation of duties documented across code deployment, key management, and compliance functions
- Onboarding workflow that requires security training before system access is granted
- Training programme with defined frequency, content updates, and effectiveness measurement
Tracking all of this in spreadsheets works until it doesn’t - usually right when VARA asks for evidence during the licensing review. A structured compliance platform like Venvera lets you manage training records, policy approvals, org structure documentation, and board reporting in one place, mapped against VARA’s specific requirements. It supports 13 frameworks starting at €399/month, which is considerably cheaper than the embarrassment of a delayed licence.
Getting This Right
The people and governance requirements might seem less glamorous than the technical security controls, but VARA treats them with equal seriousness. A VASP with perfect encryption and terrible governance is still a risk to its clients and to the market. VARA knows this.
Start with the CISO appointment and org chart. Get the reporting line right from the beginning - restructuring later is painful, expensive, and visible. Then build the training programme. Then document everything. Every policy review, every training session, every board briefing needs to be recorded and available.
The VASPs that get through VARA licensing smoothly aren’t the ones with the fanciest technology. They’re the ones that take governance seriously, put the right people in the right seats, and can prove it all when the regulator asks.
Last updated: March 2026. Requirements based on VARA Technology and Information Rulebook, Part I Sections I and J. Always verify current requirements with VARA directly.