VARA's regulatory architecture comprises 12 interconnected rulebooks that govern every aspect of virtual asset operations in Dubai. Four are compulsory for all licensed VASPs; eight are activity-specific. In May 2025, VARA issued Version 2.0 of all twelve rulebooks — the most significant update since the framework's inception.
1. Compliance and Risk Management: The foundation of VARA's AML/CFT framework. Covers customer due diligence, ongoing transaction monitoring, suspicious activity reporting, sanctions screening, client asset segregation (mandatory "Client VA Wallet" labelling), and the 8-year record retention requirement. V2.0 strengthened personal liability for senior management and MLROs.
2. Technology and Information: Cybersecurity standards, data protection policies, IT governance, incident response procedures, and system resilience requirements. VASPs must demonstrate robust technological infrastructure capable of protecting client data and virtual assets.
3. Market Conduct: Fair dealing obligations, disclosure requirements, conflict of interest management, and market manipulation prohibitions. Ensures VASPs maintain transparent and ethical operations.
4. Company Rulebook: Corporate governance requirements, board composition, director qualifications, capital adequacy, and organizational structure standards.
5-8. Exchange, Broker-Dealer, Custody, Lending: Detailed operational requirements for each activity type. V2.0 introduced codified margin trading rules for broker-dealers and exchanges, updated margin definitions, and collateral wallet arrangement clarity.
9-11. Transfer/Settlement, Management/Investment, Advisory: Specialized rules for payment processing, fund management, and financial advisory services in the virtual asset space.
12. VA Issuance (inc. FRVA/ARVA): The most complex rulebook, covering token issuance categories, whitepaper requirements, FRVA stablecoin rules, ARVA real-world asset rules, and the distinction between Category 1 (licensed) and Category 2 (distributed) issuances.
The Sponsored VASP model allows entities to operate under a Regulated Sponsor's license. Enhanced Qualified Investor definitions clarify who may access sophisticated products. Marketing rules now apply to all crypto businesses in Dubai, licensed or not. Insolvency provisions explicitly protect client assets from VASP estate claims.
Sources: VARA Rulebooks, Linklaters, NeoS Legal. Not legal advice.
The VA Issuance Rulebook underwent the most significant V2.0 changes. Category 1 issuances (FRVAs, ARVAs, and VARA-designated tokens) require full VARA licensing and pre-approval. Category 2 issuances (utility tokens, NFTs, governance tokens) must use Licensed Distributors who ensure issuer compliance with whitepaper requirements, due diligence, and VARA notification. This tiered approach balances consumer protection for high-risk products with lighter-touch regulation for lower-risk innovations.
The Compliance and Risk Management Rulebook is the most operationally demanding of the four compulsory rulebooks. In practice, it requires VASPs to build and maintain: real-time transaction monitoring systems with automated suspicious activity detection, sanctions screening integrated with current UNSC and FATF lists (updated following the October 2025 list revision), segregated wallet infrastructure with "Client VA Wallet" labelling, incident response plans with VARA notification timelines, and comprehensive staff training programs on AML/CFT obligations. Senior management and MLROs face personal enforcement liability — a provision that concentrates accountability at the highest levels.
When VARA issued Rulebook V2.0 in May 2025, licensed VASPs had a 30-day transition period with full compliance required by 19 June 2025. Key operational changes included updating margin trading policies, implementing the new Qualified Investor framework, revising client agreements to reflect enhanced insolvency protections, and preparing for potential Sponsored VASP relationships. The short transition period signalled VARA's expectation that licensed VASPs maintain operational agility and compliance readiness at all times.
Implementing compliance across all applicable rulebooks requires systematic project management. Best practice involves mapping each rulebook requirement to specific policies, procedures, and technology systems; creating a compliance matrix that tracks each obligation, its responsible owner, implementation status, and evidence documentation; engaging external compliance consultants for gap analysis before VARA assessment; conducting tabletop exercises for incident response, business continuity, and wind-down scenarios; and building compliance monitoring dashboards that provide real-time visibility into AML/CFT metrics, capital adequacy, and technology uptime. The investment in this infrastructure pays dividends beyond regulatory compliance: it creates operational resilience and institutional credibility that attracts enterprise clients and banking partners.
Understanding cross-rulebook dependencies is essential for comprehensive compliance. The Compliance and Risk Management Rulebook's AML/CFT requirements apply to every activity — meaning a custody provider's staking services must comply with both the Custody Rulebook and the Compliance Rulebook simultaneously. The VA Issuance Rulebook's FRVA and ARVA rules interact with the Market Conduct Rulebook's disclosure requirements and the Company Rulebook's capital adequacy standards. Technology requirements span all activities — cybersecurity standards from the Technology Rulebook apply equally to exchange platforms and advisory services. VASPs holding multiple activity licenses must map compliance obligations across all applicable rulebooks, identifying overlaps and ensuring that policies address the most stringent requirement across applicable frameworks.
VARA publishes circulars, directives, and guidance notes on an ongoing basis. Licensed VASPs must monitor these publications and implement required changes within specified transition periods. The January 2026 privacy token ban and the May 2025 Rulebook V2.0 demonstrate VARA's willingness to make significant regulatory changes with relatively short compliance windows. Building regulatory monitoring into operational processes — through automated tracking, legal advisory relationships, and compliance team bandwidth — is essential for maintaining licensing status.