The United Arab Emirates has passed a sweeping financial law that widens the country’s regulatory perimeter to explicitly include decentralized finance (DeFi) and Web3 infrastructure. The measure—Federal Decree Law No. 6 of 2025—became effective on Sept. 16, 2025, and is quickly reshaping how crypto builders, wallet teams and protocols think about operating in the UAE.
Cointelegraph first reported the shift, noting that the law draws DeFi, protocols, middleware and even infrastructure providers into the net if they enable payments, exchange, lending, custody or investment services. In other words, arguing that a project is “just code” won’t keep it outside the compliance perimeter anymore.
What the law actually says
The new framework is part of a broader update to the UAE’s banking and insurance rules, but two articles matter most for crypto:
- Article 61 lists activities that require a Central Bank of the UAE (CBUAE) license, and it now expressly includes “providing payment services using Virtual Assets” as well as stored value, retail payments and digital money services.
- Article 62 closes the technology loophole: any person who carries on, offers, issues or facilitates a licensed financial activity—regardless of the medium or technology—falls under CBUAE oversight. The law explicitly names “Virtual Assets payment tokens” and DeFi among the covered technologies, and mentions platforms, dApps, protocols, and infrastructure that facilitate payments, credit, deposits, exchange, remittances or investment services.
This wording is unusually direct compared with many jurisdictions still debating whether (or how) to regulate DeFi. It targets what the service does, not just who runs it.
The penalties and the runway
Law firms tracking the change say the enforcement toolkit is robust. Administrative fines can now reach up to AED 1 billion (about $272 million), and unlicensed activity can trigger criminal sanctions—both clear escalations from the prior regime. At the same time, firms have a one-year transition (until Sept. 16, 2026) to align their licensing and controls.
Put simply: the UAE is telling market participants, “You’re in scope—get licensed.” The expansion also makes explicit that technology providers and platforms enabling regulated services (for example, payment gateways, API aggregators, or routing middleware) may now fall under CBUAE supervision, even if they don’t hold customer deposits themselves.
Does this ban self-custody? Lawyers say no
One viral claim suggested the law amounted to a de facto ban on self-custody wallets. Local legal practitioners who spoke to Cointelegraph pushed back: individuals using their own wallets aren’t the target; the law focuses on firms whose wallet products enable regulated services for UAE users (like payments or transfers). Those companies may need a license, but self-custody by individuals remains unaffected, according to the attorneys cited. Expect further clarifications as implementation guidance rolls out.
How this fits into the UAE’s regulatory mosaic
The UAE already has active digital-asset regulators—VARA in Dubai, the SCA for securities and commodities, and DFSA inside the DIFC—each with their own rulebooks. The new central bank law doesn’t erase those regimes; it harmonizes the banking/payment side and clarifies that virtual-asset payment services and tech enablers come under the CBUAE when they touch licensed financial activities. Policy watchers say this dual track (specialized VA regulators + central bank guardrails) is meant to give firms a clearer, more predictable path than fragmented rules.
What changes for DeFi and Web3 teams
- “Just code” is not a shield. If your protocol, interface or middleware facilitates a covered financial activity for UAE users, the question shifts from “Are we decentralized?” to “Do we need a CBUAE license?”
- Wallet providers take note. A non-custodial wallet that adds payments or transfer rails for local users may be seen as enabling a regulated service and, therefore, require authorization. Pure self-custody (user holds keys, no payments layer) is different.
- Penalties are real. With potential AED 1B administrative fines in the toolkit, the incentive to regularize operations is strong—especially for consumer-facing apps.
- There’s time—but not forever. The transition period runs to Sept. 16, 2026. Teams should use it to map activities against Article 61/62, pick the correct license path, and upgrade compliance (KYC/AML, disclosures, reporting).
Why the UAE is doing this now
Legal memos describe the law as an attempt to modernize supervision for a digital economy—folding banks, payments and insurers into one framework, adding fraud-prevention obligations, and plugging the gap where technology facilitators previously sat outside banking rules. The virtual-asset payment and emerging-tech language signals that the central bank wants clear accountability when crypto rails touch real users and money.
That approach also reflects a pragmatic calculus: the UAE has positioned itself as a global hub for Web3, but to sustain that status it needs predictable, enforceable rules that satisfy international partners on AML/CFT while giving builders a stable base to launch products. The new law is a step toward that balance.
The debate to watch
The biggest open question is how far “facilitation” will be interpreted in practice. If a front-end merely routes to third-party services, is it “carrying on” a licensed activity? Where is the line between publishing code and operating financial infrastructure? Expect clarifying circulars and, over time, case-by-case precedents.
For now, the directional message is unambiguous: if you enable payments, exchange, lending, custody or investments for UAE users—on-chain or off—you’re inside the perimeter and should plan accordingly.
Conclusion
- The UAE’s new central bank law brings DeFi and Web3 infrastructure into regulatory scope, effective Sept. 16, 2025.
- Article 61/62 explicitly cover virtual-asset payments, stored value, and technology platforms that facilitate regulated services—closing the “we’re just code” argument.
- Firms have until Sept. 16, 2026 to comply; maximum administrative fines rise to AED 1B with potential criminal penalties for unlicensed activity.
- Lawyers emphasize the law does not ban self-custody for individuals; it expands licensing for companies that enable regulated functions.