CBUAE Crypto Licence: September 2026 Deadline and What You Must Do Now

Federal Decree Law No. 6 of 2025, effective September 16, 2025, fundamentally expands the CBUAE's regulatory perimeter. Entities whose activities are newly captured by the law have until September 16, 2026 to achieve full licensing compliance. The penalty for operating a licensed financial activity without authorisation is now a criminal offence, with fines ranging from AED 1 million to AED 500 million.

Who the New Law Captures

• Payment service providers using virtual assets (Article 61)
• Open finance and API-based financial data services (Article 61)
• Virtual asset exchanges, custody providers, and transfer services
• Technology providers whose platforms enable regulated financial activities (Article 62)
• DeFi protocols with significant UAE user activity or dirham-denominated flows
• Stablecoin issuers and payment token operators

Article 62: The Technology Provider Trap

Article 62 is the provision most commonly overlooked by technology companies. It captures any entity that facilitates, intermediates, or enables a licensed financial activity through technology, regardless of whether the entity itself is the licensed institution. This includes API aggregators, middleware platforms, blockchain node operators, and fintech infrastructure providers. If your technology enables payments, credit, deposits, or investment services for regulated institutions, you likely need to assess your Article 62 exposure.

The Licensing Process in Brief

• Pre-application consultation with CBUAE FinTech Office to confirm activity category
• Full application submission: corporate docs, business plan, technology architecture, AML/CFT programme, governance framework
• CBUAE review and management assessment: 3 to 6 months typical
• Conditional approval and operational readiness verification
• Final licence grant

Key Requirements

• Minimum capital proportional to activity type: AED 2 million to AED 50 million
• AML/CFT programme mapped to CBUAE and Federal Decree Law No. 20 of 2018
• Technology architecture blueprint showing all systems, data flows, and security controls
• Fit and proper governance: board, CEO, CCO, AMLCO, CISO
• UAE data residency for customer financial data
• Fraud detection and prevention systems per 2025 law Article requirements

Realistic Timeline to September 2026

If you have not already begun your compliance assessment, you are behind. Applications submitted after March 2026 risk not receiving authorisation before the September 2026 deadline given typical CBUAE processing times. The assessment and documentation preparation phase alone takes 4 to 8 weeks for well-prepared organisations. Start now.