Federal Decree-Law No. (6) of 2025, effective 16 September 2025, places the Monetary Authority of the United Arab Emirates (CBUAE) as the central regulator of DeFi and Web3 activities. In practice, the UAE is drawing a firm regulatory line around a sector that long operated in the shadows, replacing ambiguity with a more defined —and more demanding— framework.
A New Regulatory Perimeter for Web3 and DeFi
The law explicitly expands the CBUAE’s authority to cover “open finance services” and “payment services using Virtual Assets,” bringing into scope activities that for years operated in regulatory grey zones. For many builders, this marks the first time the supervisory perimeter is clearly spelled out.
Under Article 62, any person or entity that develops, offers, issues, or facilitates a Licensed Financial Activity —whether through platforms, protocols, dApps, or infrastructure— must obtain a license and submit to supervision. This establishes a unified authorization regime that touches nearly every corner of Web3 and digital asset services.
These licensing requirements work alongside the Payment Token Services Regulation (PTSR), effective since August 2024, which mandates full backing for payment tokens and bans algorithmic stablecoins. Together, they align token issuance and payment systems with prudential safeguards meant to protect market integrity.
On financial crime prevention, the rule extends AML/CFT obligations to virtual asset service providers, imposing KYC, monitoring, and reporting duties. This aims to standardize due diligence across both centralized and decentralized touchpoints, reducing vulnerabilities that illicit actors could exploit.
The regulation gives the CBUAE broad enforcement powers, including minimum standards for security and transaction monitoring, plus administrative and criminal penalties. Fines can reach AED 1,000 million (≈ $272.3 million) for unauthorized activities, alongside criminal penalties between AED 50,000 and AED 500 million. These measures signal how seriously non-compliance will be treated moving forward.
The UAE also signed the Crypto-Asset Reporting Framework (CARF), set to apply on 20 September 2025, introducing tax and cross-border reporting obligations that increase transparency across digital asset transactions.
For DeFi protocols and Web3 service providers, the implications are mixed. Regulatory clarity may attract institutions previously hesitant to operate in the region, yet the compliance burden raises the cost and complexity of market entry. For many builders, adaptation will be challenging but unavoidable.
Larger, well-capitalized actors will likely benefit, as these rules create a barrier to entry that filters out less-resourced or lightly governed projects, potentially raising overall market reliability.
On consumer protection, the law strengthens anti-fraud measures, security requirements, and insurance obligations, aiming to replace opacity with trust in retail-facing Web3 applications and payment use cases.
Regarding custody, the framework focuses primarily on commercial providers; self-custody remains largely outside punitive scope. Nonetheless, wallet providers will need to reassess their models amid regulatory ambiguity.
Finally, the rule accelerates the blend between traditional and digital finance. Initiatives like the Digital Dirham and regulated stablecoins such as Zand AED illustrate a future where banks, fintechs, and Web3 players operate on converging rails, requiring significant upgrades to risk management and infrastructure.
Overall, the law reshapes the landscape: it offers institutional-grade legal certainty, but demands substantial operational adaptation from Web3 builders.
