If you are operating - or planning to operate - a virtual asset business in Dubai, the Dubai Virtual Assets Regulatory Authority (VARA) is the regulator you need to understand. Established under Law No. 4 of 2022, VARA is one of the first standalone virtual asset regulators in the world, and it has built a regulatory framework that rivals the depth and specificity of traditional financial regulation.
The centrepiece of VARA’s technical requirements is the Technology and Information Rulebook (VARA_EN_169_VER20250519). This is not a set of high-level principles. It is a detailed, prescriptive rulebook that specifies exactly what Virtual Asset Service Providers (VASPs) must implement across technology governance, cybersecurity, data protection, key management, testing, business continuity, and more. Non-compliance can result in licence suspension, fines, or revocation.
In this guide, we break down the full structure of the Technology and Information Rulebook, explain who it applies to, outline the key obligations, and provide practical guidance on how to approach compliance. Whether you are a crypto exchange, a custody provider, a DeFi protocol with a Dubai licence, or a tokenisation platform offering advisory services, this article will give you a clear picture of what VARA expects.
ℹ️ What Is VARA?
VARA (Virtual Assets Regulatory Authority) was established by Dubai’s Law No. 4 of 2022 as the dedicated regulatory body for virtual assets and virtual asset activities in the Emirate of Dubai. It operates independently and has the authority to issue licences, set regulations, conduct inspections, and take enforcement action against VASPs. VARA’s jurisdiction covers all of Dubai except the DIFC (Dubai International Financial Centre), which is regulated by the DFSA.
Scope of Application
Who Does the VARA Technology Rulebook Apply To?
The Technology and Information Rulebook applies to every entity that holds - or is applying for - a VARA licence to conduct Virtual Asset (VA) Activities in Dubai. Under VARA’s framework, a VASP (Virtual Asset Service Provider) is any entity licensed by VARA to conduct one or more of the seven defined VA Activities:
① Advisory Services
Providing advice or recommendations on virtual assets to clients, including portfolio management advice.
② Broker-Dealer Services
Acting as an intermediary in the buying and selling of virtual assets on behalf of clients.
③ Custody Services
Safekeeping and administration of virtual assets or the instruments enabling control over virtual assets.
④ Exchange Services
Operating a platform that facilitates the exchange of virtual assets for fiat or other virtual assets.
⑤ Lending and Borrowing
Offering or facilitating the lending or borrowing of virtual assets, including as a platform.
⑥ Management and Investment
Managing virtual asset portfolios on behalf of clients or operating VA investment schemes.
⑦ Transfer and Settlement Services
Facilitating the transfer of virtual assets from one person or address to another, including payment services involving virtual assets.
The rulebook applies in full regardless of your licence category. Whether you are a small advisory firm or a major exchange processing billions in daily volume, VARA expects the same structural compliance - though the proportionality principle allows certain controls to be scaled based on the nature, scale, and complexity of your VA Activities.
⚠️ Important: DESC Alignment Required
VARA’s rulebook explicitly requires alignment with the Dubai Electronic Security Center (DESC) standards. Your cybersecurity policies, access controls, and incident response procedures must not only satisfy VARA requirements but also comply with DESC’s information security standards. This dual-compliance requirement catches many VASPs off guard during licensing reviews.
Rulebook Structure
The Three Parts of the VARA Technology and Information Rulebook
The Technology and Information Rulebook is organised into three main parts, each addressing a distinct domain of requirements. Understanding this structure is essential because VARA’s assessment framework follows it - and your compliance programme should mirror it.
Part I: Technology Governance and Cybersecurity
This is the largest and most demanding section. It covers:
- Section A - Technology Governance: Board-level oversight of technology risk, IT strategy alignment, technology risk management frameworks, change management, and outsourcing governance.
- Section B - Cybersecurity: The mandatory cybersecurity policy with 18 minimum criteria, CISO appointment requirements, security operations, vulnerability management, and incident response.
- Section C - Cryptographic Key and Wallet Management: Key generation, storage, rotation, backup, recovery, and destruction procedures - plus specific wallet management requirements for custody providers.
- Section D - Technology Audit and Testing: Annual penetration testing, vulnerability assessments, smart contract audits, and independent security assessments.
- Section E - Business Continuity: BCP/DRP requirements, recovery objectives, testing frequency, and failover procedures.
Part II: Personal Data Protection
Part II mandates compliance with UAE Federal Decree-Law No. 45 of 2021 (the UAE Personal Data Protection Law, or PDPL) and sets additional VARA-specific requirements:
- Data protection policies covering collection, processing, storage, transfer, and destruction of personal data.
- Consent management - explicit, informed consent must be obtained for all personal data processing activities.
- Data subject rights - mechanisms for access, rectification, erasure, and portability requests.
- Cross-border data transfers - specific restrictions on transferring personal data outside the UAE without adequate safeguards.
- Data breach notification - reporting obligations to VARA and affected individuals when personal data breaches occur.
Part III: Confidential Information
Part III addresses the handling of confidential business information beyond personal data:
- Information classification - VASPs must implement a classification scheme that identifies and categorises confidential information.
- Access controls - role-based access and need-to-know principles for confidential data.
- Third-party disclosures - restrictions on sharing confidential information with external parties and requirements for NDAs.
- Regulatory cooperation - obligations to provide confidential information to VARA upon request while maintaining appropriate records.
In addition to these three parts, the rulebook includes Schedule 1, which defines five risk categories with detailed, prescriptive standards for each. These risk categories map to the risk profile of the VA Activity being performed and determine the minimum control standards that apply.
Core Requirements
The 10 Key Obligations Every VASP Must Understand
While the full rulebook is extensive, these are the ten obligations that we see VASPs struggle with most during licensing and ongoing compliance reviews. Each of these is a hard requirement - not a recommendation.
Mandatory CISO Appointment
VARA requires every VASP to appoint a Chief Information Security Officer (CISO) who is separate from the Compliance Officer. The CISO must have demonstrable expertise in information security, report directly to senior management or the board, and be responsible for the overall cybersecurity programme. This role cannot be combined with other C-level functions. For smaller VASPs, a qualified outsourced CISO arrangement may be acceptable, but VARA must be notified and approve the arrangement.
Comprehensive Cybersecurity Policy (18 Criteria)
Part I, Section B mandates a cybersecurity policy that addresses at minimum 18 specific criteria - from information security and data governance to ransomware response and MFA for VA transactions. This is not a generic policy template; VARA expects each criterion to be addressed with specific, implementable controls tailored to your VA Activities. We cover these 18 criteria in detail in our companion article.
72-Hour Incident Reporting to VARA
VASPs must report cybersecurity incidents, technology failures, and data breaches to VARA within 72 hours of detection. The report must include the nature of the incident, systems affected, estimated impact, containment actions taken, and remediation plans. This is a hard deadline - not a best-effort target. VASPs must have pre-established incident reporting templates and escalation procedures ready to meet this timeline. Follow-up reports may be required as the investigation progresses.
Annual Penetration Testing by Independent Third Parties
Part I, Section D requires annual penetration testing conducted by an independent, qualified third party. The scope must cover all externally facing systems, internal networks, web applications, mobile applications, and APIs. Results must be documented with a formal remediation plan, and critical/high-severity findings must be remediated within defined timelines. VARA may request the pen test reports during inspections or licence reviews.
Smart Contract Security Audits
If your VA Activity involves smart contracts - whether for token issuance, DeFi protocols, automated market making, or any other on-chain logic - VARA requires independent security audits of those smart contracts before deployment and after material changes. The audit must cover code correctness, access control vulnerabilities, reentrancy risks, oracle manipulation vectors, and economic attack surfaces. Audit reports must be retained and made available to VARA upon request.
Cryptographic Key and Wallet Management
Part I, Section C is uniquely specific to the VA industry. It requires documented procedures for the entire key lifecycle: generation (using hardware security modules or equivalent), storage (with segregation of duties), rotation schedules, backup and recovery, and secure destruction. For custody providers, additional wallet management requirements apply, including segregation of client assets, real-time reconciliation, and cold/hot wallet ratio policies. This section alone can require months of implementation work.
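One way to make the "backup and recovery with segregation of duties" requirement concrete is a k-of-n threshold backup, where no single custodian holds enough material to reconstruct a wallet key. The block below is an added illustration written for this article; it is not code from the VARA rulebook, from VARA, or from Venvera. It implements Shamir's secret sharing over a prime field and assumes a 32-byte raw key, a 3-of-5 custodian arrangement, and that shares are distributed to separate custodians out of band. In production the split and recovery would run inside an HSM or a witnessed key ceremony rather than in application code, and the rulebook's documentation, rotation and destruction obligations still apply around it.

```python
# Added example, not from the VARA rulebook or from Venvera: a k-of-n threshold
# backup of a wallet signing key using Shamir's secret sharing over GF(p).
# Any k custodians together can recover the key; fewer than k learn nothing.
# Assumptions (illustrative only): the key is 32 raw bytes; shares are handed to
# separate custodians out of band; in production the split and recovery would
# happen inside an HSM or a witnessed key ceremony, not in application code.
import secrets

P = 2**521 - 1  # Mersenne prime M521: a field large enough for any 256-bit key


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: bytes, k: int, n: int):
    """Split `secret` into n shares (x, y) such that any k of them recover it.

    a0 is the secret; a1..a(k-1) are uniformly random, so any k-1 points are
    consistent with every possible secret (information-theoretic hiding).
    """
    if not 2 <= k <= n:
        raise ValueError("threshold must satisfy 2 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, threshold: int, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from at least `threshold` shares.

    The explicit threshold check is the segregation-of-duties control: recovery
    refuses to run until the required number of custodians have contributed.
    """
    if len(shares) < threshold:
        raise ValueError(f"need at least {threshold} shares, got {len(shares)}")
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = num * (-xj) % P       # product of (0 - xj)
            den = den * (xi - xj) % P   # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")


def custodian_drill(k: int = 3, n: int = 5):
    """Recovery drill on a constructed 32-byte key: returns (key, shares, recovered).

    Mirrors the expectation that backup/recovery is exercised, not just documented.
    """
    key = secrets.token_bytes(32)  # constructed stand-in for a wallet private key
    shares = split_secret(key, k, n)
    present = secrets.SystemRandom().sample(shares, k)  # any k custodians attend
    recovered = recover_secret(present, k, 32)
    return key, shares, recovered


if __name__ == "__main__":
    key, shares, recovered = custodian_drill()
    print("recovered matches key:", recovered == key)
```

The value of writing the threshold check into the recovery path, rather than relying on procedure alone, is that the drill evidence VARA asks for (who attended, which share indices were used, whether recovery succeeded) can be generated from the same code path that production recovery would use.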
Business Continuity and Disaster Recovery
Section E requires a comprehensive BCP and DRP with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for all critical systems. Plans must be tested at least annually through tabletop exercises and full failover tests. VARA expects documented evidence of testing, including lessons learned and remediation actions taken after each test. For exchange and custody VASPs, specific uptime requirements may apply as conditions of the licence.
Board-Level Technology Governance
Section A makes the board (or its equivalent governing body) directly responsible for technology governance. The board must approve the technology risk management framework, receive regular reports on cybersecurity posture, and demonstrate active oversight of technology decisions. VARA does not accept delegation of technology governance to a purely operational level. Board meeting minutes must show evidence of technology risk discussions.
UAE PDPL Compliance
Part II requires full compliance with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). This includes maintaining a Record of Processing Activities (ROPA), implementing data protection impact assessments for high-risk processing, establishing lawful bases for all personal data processing, and providing mechanisms for data subjects to exercise their rights. Cross-border data transfers require adequate safeguards - particularly relevant for VASPs with global operations that process UAE customer data in foreign jurisdictions.
Third-Party and Outsourcing Governance
The rulebook requires due diligence, contractual controls, and ongoing monitoring for all material technology outsourcing arrangements. VASPs must maintain a register of outsourced services, ensure outsourcing does not reduce regulatory accountability, and include audit rights and data access provisions in all vendor contracts. VARA must be notified of material outsourcing arrangements and retains the right to object to arrangements that pose unacceptable risks.
Risk-Based Framework
Schedule 1: The Five Risk Categories
Schedule 1 of the rulebook defines five risk categories that determine the specific standards a VASP must meet. These categories are assigned based on the nature, scale, and complexity of the VA Activities performed, and they directly influence the depth of controls required.
The risk category is not self-assessed. VARA assigns it during the licensing process based on the information you provide about your business model, transaction volumes, number of clients, types of virtual assets supported, and custody arrangements. Your category can change over time if your business profile evolves - and with it, your compliance obligations.
💡 Practical Tip
When preparing your VARA licence application, assume you will be assigned a higher risk category than you expect. Building controls to a higher standard from the outset is significantly less expensive than retrofitting them after VARA assigns a more demanding category. We have seen VASPs waste months reworking their compliance programmes because they built to Category 4 and were assigned Category 3.
Pitfalls to Avoid
The 5 Most Common VARA Compliance Mistakes
Working with dozens of VARA-licensed and licence-seeking VASPs, we consistently see the same mistakes. Avoiding these will save you months of back-and-forth with the regulator.
1. Treating policies as sufficient without operational evidence
VARA reviews evidence of implementation, not just policy documents. If your cybersecurity policy says you perform quarterly vulnerability scans, VARA will ask for the scan reports. If your BCP says you test annually, VARA will ask for the test results and remediation actions. Policies without evidence are treated as non-compliance.
2. Ignoring the DESC alignment requirement
Many VASPs focus exclusively on VARA’s rulebook and forget that DESC compliance is a parallel requirement. The Dubai Electronic Security Center has its own information security standards, and VARA expects alignment with both frameworks. This is particularly common for VASPs relocating from other jurisdictions who are unfamiliar with the UAE regulatory landscape.
3. Using the same person as CISO and Compliance Officer
VARA explicitly requires the CISO to be a separate individual from the Compliance Officer. This is a structural requirement, not a suggestion. Startups and smaller VASPs often try to combine these roles to save costs, but VARA will reject the arrangement during the licensing review. Plan for two separate roles from day one.
4. Inadequate key management documentation
Section C on cryptographic key and wallet management is one of the most detailed sections in the rulebook, and it is where VARA’s requirements diverge most from traditional financial regulation. VASPs coming from a TradFi background often lack the blockchain-specific key management expertise to satisfy these requirements. Conversely, crypto-native firms often have strong technical practices but poor documentation.
5. No incident response playbooks or 72-hour reporting readiness
The 72-hour reporting deadline to VARA is absolute. VASPs that have a generic incident response policy but no pre-drafted reporting templates, escalation matrices, or defined VARA communication channels will miss this deadline when a real incident occurs. VARA views missed reporting deadlines as a serious compliance failure, separate from the underlying incident.
Implementation Roadmap
A Practical Compliance Roadmap for VASPs
Based on our experience guiding VASPs through the VARA licensing and compliance process, the phased approach we use typically takes 4-8 months, depending on the starting maturity level.
“The VARA licensing process is not a checkbox exercise. It is a substantive assessment of your operational readiness to handle virtual assets responsibly. VASPs that approach it with the rigour of a traditional financial licensing application succeed. Those that treat it as a startup formality do not.”
- Venvera compliance advisory team
Regulatory Comparison
How VARA Compares to MiCA and Other Frameworks
VASPs operating across multiple jurisdictions need to understand how VARA’s requirements relate to other major regulatory frameworks, particularly the EU’s MiCA, on technology and security matters.
The key takeaway: VARA is more prescriptive than MiCA on technology and security matters, particularly around key management, smart contract audits, and CISO requirements. VASPs that are already MiCA-compliant will find that VARA requires additional, crypto-specific controls that the EU framework does not address in the same detail. Conversely, VARA-compliant VASPs will find that MiCA compliance requires relatively modest incremental effort on the technology side, though AML/KYC requirements differ significantly.
“VARA has set a global benchmark for virtual asset regulation. The Technology and Information Rulebook is one of the most comprehensive technology governance frameworks in the crypto industry - and Dubai’s willingness to enforce it is what gives it credibility. VASPs that invest in genuine compliance will find it becomes a competitive advantage as institutional capital demands regulatory certainty.”
- Analysis based on VARA regulatory publications and industry assessments, 2026
About This Article
This guide is based on the VARA Technology and Information Rulebook (VARA_EN_169_VER20250519), publicly available VARA regulatory publications, and Venvera’s direct experience supporting VASPs with technology compliance in Dubai. Requirements may be updated by VARA; always refer to the latest published rulebook for authoritative guidance.
Disclaimer: This article is for informational purposes only and does not constitute legal or regulatory advice. VASPs should consult with qualified legal and compliance professionals regarding their specific VARA obligations. Regulatory requirements may change; always refer to the latest VARA publications. References to the Technology and Information Rulebook are based on VARA_EN_169_VER20250519 as of March 2026.
© 2026 Venvera. All rights reserved.