VARA Rulebook Version 2.0 — May 2025 Update Brief

Summary

On May 19, 2025, VARA announced the publication of Version 2.0 of its activity-based Rulebooks, described as “the latest milestone in Dubai’s ongoing commitment to delivering a future-ready regulatory environment.” This update marked the most significant revision to VARA’s operational regulations since the issuance of the Virtual Assets and Related Activities Regulations 2023, affecting all licensed VASPs across all seven regulated activity categories.

Background and Context

The original VARA rulebooks were issued alongside the foundational Regulations in February 2023, establishing baseline operational requirements for each regulated activity category: advisory services, broker-dealer services, custody services, exchange services, lending and borrowing, payment and remittance, and VA management and investment services.

Over the subsequent two years, VARA gained operational experience supervising licensed entities including Binance Dubai, BitOasis, OKX Middle East, and Crypto.com Dubai. This supervisory experience, combined with rapid developments in the global virtual asset industry and evolving international standards, informed the Version 2.0 updates.

The timing of the update — May 2025 — coincided with a period of intensive regulatory activity from VARA, including multiple enforcement actions against unlicensed operators and the publication of circulars addressing AML/CFT requirements, FATF high-risk jurisdiction measures, and operational compliance expectations.

Key Themes in the Version 2.0 Update

Market Integrity Strengthening

VARA’s announcement specifically cited the goal of strengthening “market integrity,” suggesting that the updated rulebooks address areas where the original rules may have been insufficient to prevent market manipulation, insider trading, or other integrity risks in virtual asset markets.

Market integrity provisions in virtual asset regulation typically cover:

• Pre- and post-trade transparency requirements
• Market surveillance and monitoring obligations
• Insider trading and market abuse prohibitions
• Order handling and best execution requirements
• Conflict of interest management

Risk Oversight Enhancement

The reference to enhanced “risk oversight” indicates that Version 2.0 strengthens the requirements for risk management frameworks maintained by licensed VASPs. This aligns with the November 2025 “Guidance on Rule III D Risk Assessments,” which provided detailed expectations for risk assessment methodologies.

Enhanced risk oversight requirements may include:

• More prescriptive risk governance structures
• Enhanced stress testing and scenario analysis requirements
• Strengthened operational resilience standards
• Updated technology risk management requirements
• Enhanced reporting obligations for material risk events

Operational Standard Updates

The “future-ready” characterization suggests that Version 2.0 addresses emerging operational challenges that were not fully anticipated in the original rulebooks, including:

• Developments in DeFi-adjacent services provided by licensed entities
• Evolution of staking and liquid staking services (building on the August 2023 custody staking amendment)
• Advances in cross-chain interoperability
• Growth of institutional virtual asset services

Impact on Licensed VASPs

Compliance Programme Updates

All licensed VASPs must review their existing compliance programmes against the Version 2.0 requirements and implement any necessary changes. This represents a significant compliance workload, particularly for entities that had recently completed the licensing process under the original rulebooks.

The compliance update process typically involves:

1. Gap analysis comparing current practices against new requirements
2. Policy and procedure updates to reflect revised rules
3. System changes where new requirements affect technology infrastructure
4. Staff training on updated compliance obligations
5. Board-level review and approval of compliance programme changes

Ongoing Supervisory Expectations

VARA’s supervisory assessments of licensed entities now benchmark against the Version 2.0 standards. Entities that fail to update their compliance programmes risk supervisory findings and potential enforcement action, as demonstrated by the MORPHEUS/FUZE case where compliance programme failures contributed to enforcement measures.

Relationship to Other Regulatory Developments

The Version 2.0 rulebooks should be understood in the context of VARA’s broader 2025-2026 regulatory programme:

• AML/CFT framework strengthening: The November 2025 federal law alignment and March 2026 AML/CFT implementation circular build on the compliance foundations established in Version 2.0
• Travel Rule implementation: The February 2026 Travel Rule circular requires operational capabilities that may have been anticipated in Version 2.0 technology requirements
• Qualified Investor classification: The January 2026 circular on investor classification reflects consumer protection priorities embedded in the updated rulebooks

Comparative Significance

The publication of Version 2.0 positions VARA’s framework as one of the most actively maintained virtual asset regulatory frameworks globally. Unlike some jurisdictions that have issued static regulatory instruments, VARA’s iterative approach — with major rulebook updates alongside continuous circular publication — creates a dynamic regulatory environment that responds to market developments.

This approach mirrors the regulatory maintenance patterns of established financial regulators and distinguishes VARA from newer virtual asset regulators that may publish initial frameworks but lack the institutional capacity for ongoing revision.

For comparison with how ADGM FSRA and DFSA maintain their virtual asset regulations, see our comparisons section.

Practical Recommendations

Licensed VASPs should:

1. Obtain and review the full Version 2.0 rulebooks from the VARA rulebooks portal
2. Conduct a gap analysis against their current compliance programmes
3. Prioritize remediation of any gaps identified, particularly in areas of market integrity and risk oversight
4. Update staff training to reflect the new requirements
5. Document the update process for regulatory review during supervisory engagements

For guidance on compliance programme management, see our compliance requirements analysis. For practical compliance guides, see our how-to section.

For broader regulatory update tracking, visit UAE Tokenization Regulations. For real-world asset implications of updated rulebooks, see UAE Tokenized RWA.

Rulebook Version 2.0 Details

On May 19, 2025, VARA published Version 2.0 of its activity-based rulebooks, described as “the latest milestone in Dubai’s ongoing commitment to delivering a future-ready regulatory framework.” The update was announced as strengthening “market integrity and risk oversight,” indicating substantive enhancements to the compliance obligations applicable to all licensed VASPs.

Scope of the Update

The activity-based rulebooks provide detailed requirements for each of VARA’s seven regulated activity categories: advisory services, broker-dealer operations, custody services, exchange operations, lending and borrowing, payment and remittance services, and VA management and investment services. Version 2.0 updated the requirements across these categories, reflecting lessons learned from VARA’s first years of operational supervision and developments in international regulatory standards.

Key Enhancement Areas

While the specific rulebook changes must be verified against the published documents, the announcement’s emphasis on “market integrity and risk oversight” suggests enhancements in several areas:

Market Integrity: Requirements addressing market manipulation, insider trading, front-running, and other market abuse practices in virtual asset markets. For exchanges like Binance Dubai, OKX Middle East, and Bybit Dubai, enhanced market integrity requirements may affect order book management, trade surveillance, and conflict-of-interest controls.

Risk Oversight: Strengthened requirements for risk management frameworks, including market risk, operational risk, credit risk, and liquidity risk. The FUZE enforcement case (August 2025) — which cited “failures in AML programme controls, related governance, compliance and internal systems and controls” — may have informed enhanced risk governance requirements in the v2.0 rulebooks.

Operational Resilience: Requirements for business continuity planning, disaster recovery, cybersecurity, and IT risk management. As virtual asset exchanges process billions in daily trading volume, operational resilience is critical for consumer protection and market stability.

Governance: Enhanced expectations for board composition, senior management qualifications, and governance reporting. Fitness-and-propriety requirements for key personnel may have been strengthened to ensure licensed entities maintain appropriate leadership.

Implementation Timeline

The May 2025 publication would have included an implementation timeline for licensed VASPs to bring their operations into compliance with the updated requirements. Given the scope of changes across all activity categories, implementation likely involves:

• Reviewing the updated rulebooks against existing compliance programmes
• Identifying gaps between current practices and v2.0 requirements
• Developing and executing remediation plans
• Updating policies, procedures, and systems
• Training staff on new requirements
• Documenting compliance readiness for VARA review

Connection to the Enforcement Record

The v2.0 rulebooks were published three months before VARA’s August 2025 enforcement actions against FUZE and UAEC Digital Fintech. The enhanced requirements provide VARA with more granular standards against which to assess compliance, potentially enabling more targeted enforcement action against entities with specific control weaknesses.

The batch enforcement actions of March 2025 (11 entities) and May 2025 (6 entities) immediately preceded and coincided with the rulebook update, suggesting a coordinated regulatory strategy: clear the market of unlicensed operators while simultaneously raising standards for licensed entities.

Comparison with International Developments

The v2.0 rulebook update occurred as other jurisdictions were also advancing their virtual asset regulatory frameworks:

• EU MiCA: Implementation timeline for the Markets in Crypto-Assets regulation was progressing
• ADGM FSRA: Continuous refinement of its virtual asset regulatory framework
• Singapore: Evolving MAS guidance for digital payment token service providers
• Hong Kong: SFC licensing regime for virtual asset trading platforms developing

VARA’s v2.0 update ensures that Dubai’s framework keeps pace with these international developments, maintaining its positioning as a leading virtual asset regulatory jurisdiction.