Skip to content 
Dubai has become renowned for embracing new technology, and nowhere is this more evident than in the evolving rules for digital assets. Within Dubai International Financial Centre (DIFC), the Dubai Financial Services Authority (DFSA) has taken notable steps to regulate tokens—particularly those based on distributed ledger technology (DLT). The DFSA’s digital assets regime highlights how the authorities in DIFC view crypto tokens, the licensing conditions for businesses and the legal framework in which these tokens operate. This article takes a detailed look at the new regime, focusing on what is regulated, what is excluded and what the road ahead might hold for crypto activities in the centre.
A new chapter for digital assets in DIFC
In recent years, the DFSA has published consultation papers outlining proposed guidelines for crypto tokens within the DIFC digital assets regime. The regulator has then refined these ideas, culminating in a structured digital assets regime. The aim is to encourage innovation while safeguarding participants and maintaining regulatory standards that match global best practices. This marks a shift, as DIFC historically focused on more traditional financial instruments. Now, it is opening doors to a broader spectrum of blockchain-based offerings, from security tokens to crypto tokens and stablecoins.
As part of this approach, the DFSA has clarified what it considers to be a security token, a crypto token or an excluded token. By doing so, it has effectively laid out which assets fall under regulatory oversight and how. Alongside these definitions, the DFSA has introduced a list of “accepted crypto tokens,” applying to any firm wanting to provide services in or from DIFC. Existing financial services providers will have to comply with additional obligations if they seek to handle or offer advice on these tokens.
Why the DFSA introduced a digital assets regime
The DFSA’s prime motivation is to enable the safe development of cutting-edge fintech solutions in the region, particularly those relying on distributed ledger or similar technology. The regulator sees an opportunity to position DIFC as a hub for digital asset innovation, balancing consumer protection and compliance demands with the agility needed for rapid experimentation.
The new framework also ensures that activities involving tokens are assessed properly. Rather than have all projects automatically regulated or prohibited, the DFSA has opted for a nuanced approach, where token classification drives the regulatory outcome. This approach covers a wide range of token types, acknowledging that the underlying technology differs substantially from older financial instruments.
What defines a token or crypto asset
Under the DFSA’s definitions, a token is any digital representation of value, rights or obligations that uses a distributed ledger or a comparable digital infrastructure for its creation, storage and transfer. Crypto tokens, in particular, depend on cryptographic methods and distributed ledgers for their perceived or inherent value, typically identified by a unique address and correlated public-private key pair. This broad definition underpins the DFSA’s classification system for security tokens, crypto tokens and excluded tokens.
Security tokens versus crypto tokens
One of the regime’s key distinctions is between security tokens and crypto tokens:
Security tokens
A security token has the characteristics of a security (for example, a share, debenture, future or option), either directly conferring investor rights or mirroring the effect of such instruments. The DFSA has integrated these into existing securities legislation, treating them as specified investments when the token’s features match or substantially resemble typical investment assets.
Crypto tokens
A crypto token covers digital representations used as mediums of exchange or for payment and investment purposes, excluding any token that qualifies as a security or an excluded token. This means that typical blockchain-based coins like Bitcoin or Ethereum, or tokens that function primarily as exchange or payment assets, are considered crypto tokens under the new regime.
By drawing this line, the DFSA aims to manage tokens that resemble conventional securities within a tried-and-tested regulatory framework, while assigning crypto tokens to a separate category that acknowledges their more decentralised or payment-oriented nature.
Our working hours: Monday to Friday, 9 AM – 6 PM GMT+4
Utility, stablecoins and hybrid tokens
Beyond security and crypto tokens, the DFSA has laid out further sub-categories:
- Utility tokens and NFTs are excluded from the digital assets regime. Utility tokens typically grant access to a service or product in a closed ecosystem and do not serve as a general payment method outside it.
- Stablecoins or asset-referenced tokens are forms of crypto tokens pegged to external assets or currency. They aim to curb volatility, referencing fiat currency, commodities or baskets of assets. They come under the crypto token umbrella, unless they exhibit further traits—like entitling holders to a share of a fund’s revenue—that might classify them as units in a fund.
- Hybrid utility tokens combine a medium of exchange function with additional rights, such as discount access on a platform or early subscription benefits. These may still fall under the DFSA’s regulated category if their role extends beyond mere utility.
These definitions help the DFSA decide whether a token is regulated, excluded or prohibited. While utility tokens and NFTs are not themselves regulated, an entity wanting to offer them in combination with regulated financial services might still face oversight, depending on the nature of the activity.
Excluded tokens in the DIFC regime
The DFSA lists some tokens as excluded, meaning they are neither banned nor regulated. They simply do not come under the DFSA’s purview. Utility tokens and central bank digital currencies (CBDCs) fall into this bracket. For example, a gaming token used within a closed-loop environment does not trigger licensing conditions, provided it remains within that ecosystem and does not confer investor rights. However, if the token acquires attributes that align with crypto tokens, the issuer may need to reconsider its classification under the DFSA regime.
Meanwhile, non-fungible tokens (NFTs) remain outside direct regulatory scope as well, given that they represent ownership of a unique asset or collectible. The DFSA acknowledges that while NFTs are tradable, they do not behave like an exchangeable or benchmark-referenced asset. However, it has proposed that NFT service providers could eventually become part of the designated non-financial business and profession (DNFBP) regime, indicating potential future compliance expectations, especially around anti-money laundering.
"Only “accepted crypto tokens” may be used for regulated financial services within DIFC. Businesses intending to offer custody, asset management, advising, or dealing in crypto must handle tokens the DFSA has included on its accepted list. "
Accepted crypto tokens
The DFSA only allows specific crypto tokens for various reasons. Each new or existing token is vetted by the DFSA, which considers factors such as:
- Regulatory status: Whether the token is recognised in reputable global jurisdictions with robust protocols.
- Liquidity and market size: The depth and breadth of trading, along with total supply and capitalisation.
- Transparency and technology: Whether the token’s blockchain, governance, consensus mechanisms and public information meet the DFSA’s standards.
- Risk and control: The token’s vulnerability to misuse, security incidents or custody shortfalls.
- Reserves and redemption: If pegged to a reference asset or basket (for instance, stablecoins), whether it has enough liquid reserves in verifiable accounts.
Once a token joins the accepted list, any firm in DIFC can use it for regulated services without separately applying for acceptance each time. If a token is not on the list, a regulated business must submit an application to the DFSA to have it considered.
Security testing approach
To clarify whether a token might be a security token, the DFSA will employ methods analogous to the Howey Test, examining factors like whether there is an investment of money in a common enterprise, an expectation of profit, and whether that profit depends on the entrepreneurial or managerial efforts of others. The DFSA also encourages firms to submit their own self-assessments, outlining how their proposed token lines up against security token criteria.
Should the DFSA conclude that a token indeed behaves as a security, the relevant issuer or operator will need to comply with the securities regime, including disclosure obligations, and possibly the need for an investment or a crypto exchange licence. For instance, an entity wanting to list security tokens on an alternative trading system (such as an MTF or OTF) must go through the usual licensing process for that platform, meeting additional requirements for technology, clearing and settlement, plus anti-market-manipulation measures.
Get the most relevant information about business life in Dubai
Possible licensing for crypto activities
Various financial services in DIFC can be extended to crypto tokens, including dealing as principal or agent, asset management, advising and arranging, clearing or settling trades, or running alternative trading systems. Entities that want to incorporate these services must ensure they handle only accepted crypto tokens, with the correct level of oversight. Key points to note:
- Representative offices cannot promote crypto token services.
- Crowdfunding platforms cannot deal with crypto tokens at this time.
- Existing firms aiming to add crypto tokens to their service offerings have to seek licence variations, showing they have the expertise, resources and processes to manage the heightened risks of dealing with or advising on crypto.
- Branches of foreign businesses are not allowed for crypto activities, as the DFSA only permits fully incorporated and authorised subsidiaries within DIFC to offer regulated services.
Impact on money service businesses
Money service businesses currently cannot offer direct access to payments, remittances or wallet services in crypto tokens. However, they can use blockchain behind the scenes (for example, as a technology platform for settlement) if it remains purely a back-office mechanism. This means the client is not directly exposed to that blockchain’s native tokens. Should the business want to provide front-end crypto solutions, it would need to apply to the DFSA under the relevant category and adhere to the accepted crypto tokens list.
Authorisation for multiple token types
Some firms may handle both accepted crypto tokens and excluded tokens. However, the DFSA does not currently permit regulated entities to provide services for excluded tokens, given that they do not fall under the regulatory remit. If a token is half utility, half exchange mechanism, or if a gaming token obtains broader payment features, the operator might have to apply for reclassification.
"The DFSA approach aims to ensure that all tokens with material investment or payment use cases remain supervised when offered to DIFC clients."
Path to final licensing and compliance
For prospective crypto companies in DIFC, the initial steps involve a thorough self-assessment:
- Token classification: Determine whether tokens are securities, crypto tokens or excluded. Where necessary, submit the token to the DFSA for acceptance.
- Licence selection: Identify the financial services—such as dealing, arranging, managing or operating an exchange—aligned with the token’s use.
- Regulatory submission: Provide a detailed application, including a robust governance plan, risk management and AML policies, plus evidence of meeting the DFSA’s capital and operational guidelines.
- DFSA review: The regulator examines the proposed business model, the token’s characteristics, the technology stack, custody solutions and any compliance measures for preventing market abuse.
- In-principle approval: If successful, the applicant must finalise any conditions—like employing experienced officers, setting up a local entity (not a branch) and establishing physical presence in DIFC.
- Licence issuance: Following a final check, the DFSA grants authorisation, allowing the business to launch crypto token services within the approved scope.
Once licensed, the firm’s journey does not end. Ongoing obligations include periodic filings on transaction volumes, market liquidity, suspicious activity monitoring and updates about any changes to the token’s underlying protocols. The DFSA also has the prerogative to delist a token from the accepted list if it no longer meets the regime’s standards, forcing businesses to adjust.
Risks and operational demands
Firms operating within the DIFC digital assets regime for crypto tokens must maintain strong controls to address:
- Custody: Secure storage or wallet solutions, with robust private key management to prevent hacks and theft.
- Technology: Understanding the blockchain, ensuring it is sufficiently decentralised or reliable, and implementing fallback methods in case of disruptions.
- Market abuse: Monitoring trades for manipulative practices. The DFSA expects an even higher vigilance for tokens, which can be more volatile and less liquid than traditional assets.
- AML and KYC: Complying with local and international anti-money laundering expectations. While blockchain can enhance transparency, criminals can still misuse crypto assets, requiring robust client onboarding and transaction monitoring.
- Disclosures: If a token is near the boundary of a security or features a stablecoin mechanism requiring a certain level of collateral, the issuer or service provider must maintain transparency about how it operates and what risks exist.
-
Existing financial services can expand into crypto if they apply for a licence variation, demonstrating expertise and compliance measures
-
Money service businesses cannot directly offer crypto payment or remittance solutions to clients, though back-office blockchain use is allowed
-
Representative offices and crowdfunding platforms are not authorised to promote crypto token services
-
The DFSA emphasizes ongoing obligations such as custody safeguards, AML/CTF compliance, robust technology and disclosures for token users
-
This evolving framework seeks to balance innovation with investor protection, positioning DIFC as a regulated hub for digital finance
The DFSA’s stance on crypto tokens
The DFSA’s stance on crypto tokens remains a work in progress. While the regulator has been clear about security tokens, stablecoins, utility tokens and NFTs, it acknowledges that technology evolves rapidly. The creation of new layered blockchain solutions, bridging protocols or improved cryptographic methods can lead to changes in how tokens function. The DFSA might update the accepted list or even reclassify tokens if certain conditions or user bases shift.
Conclusion
The digital assets regime is poised to significantly shape DIFC’s next phase of development. By crafting rules around crypto tokens, the DFSA is enabling fresh waves of fintech entrants—whether it is funds wanting to trade or manage crypto, technology providers building blockchain-based solutions or conventional financial institutions exploring tokenised assets. The interplay between stablecoins, tokenised commodities and even NFT-laden ecosystems could further expand the scope of regulated activities once the DFSA refines guidelines, especially around asset-referenced tokens.
In the meantime, businesses that plan to offer or advise on crypto tokens in DIFC must study the new laws carefully, conduct token classification assessments and build compliance frameworks.
