Skip to content 
Dubai has established itself as a progressive global financial services destination. Arguably the most significant is the Dubai International Financial Centre (DIFC). It’s respected for its modern regulatory framework, strong legal backdrop and supportive infrastructure. The Dubai Financial Services Authority (DFSA) oversees financial firms working in the DIFC and guides this reputation. As digital assets and distributed ledger technology (DLT) have become more prevalent, the DFSA has developed a framework called the DFSA tokenisation regulatory sandbox. This sandbox allows firms to experiment with tokenised investments, like equities, bonds and sukuks, under the framework of existing principles on investor protection and market integrity.
In this article, we will cover how the DFSA tokenisation regulatory sandbox operates, the rationale behind its existence and how to apply, if you are interested. We’ll also explore why DIFC is an attractive jurisdiction for financial institutions at large, and why many businesses opt for this centre for regulated tokenisation activity. We will look at the Innovation Testing Licence (ITL) as part of our analysis. On top of that, we will consider capital requirements, review any specific restrictions applying in the testing period.
The reason behind the introduction of the DFSA tokenisation regulatory sandbox
The DFSA’s existing rules governing investment tokens are from 2021. That is when the regulator attempted to include digital assets that resembled traditional securities. Over time the DFSA observed that few firms were fully embracing these regulations. The authority convened roundtables in 2024 and 2025 to gain industry insights, in response. These debates are surfacing barriers to adoption such as the high costs of compliance, uncertainty regarding how DLT would be supervised and complexities around custody arrangements.
The DFSA tokenisation regulatory sandbox solves these issues by guiding firms through a structured testing phase. It enables the regulator to see where emerging technology risks lie, and promotes interaction with companies pioneering new work. At the close of the testing period, successful participants may graduate to a full licence. That is after they’ve proved their products and services comply with DIFC’s regulatory and operational standards.
Who can participate in the sandbox?
Firms aiming to offer tokenised investments in DIFC can apply, whether they are new entities or existing authorised firms. The sandbox covers various forms of tokenised instruments, including interests in real-world assets and collective investment fund units, so long as these tokens behave like traditional securities or derivatives. The key aim is to allow legitimate experimentation in a supervised environment, giving both the firm and the DFSA a chance to evaluate technology design, risk management processes and client communications.
Crypto tokens and stablecoins are excluded from the current programme. The DFSA has decided to limit this sandbox to investments closely aligned with conventional securities, ensuring that the framework remains focused on tokenisation rather than digital currencies. It is still worth noting that businesses exploring broader possibilities in digital assets can look into a crypto licence in the UAE, which caters to a different aspect of the region’s growing crypto ecosystem.
Investment tokens under DFSA regulation
Under the DFSA, an investment token is classified as either a security token or a derivative token that relies on blockchain or similar technology. It mirrors the rights and obligations of a traditional security or derivative, but brings new technical elements, such as smart contracts and decentralised custody. Because these tokens can be traded globally with minimal friction, the regulator imposes additional requirements to address potential vulnerabilities in digital assets.
Firms must show how they intend to prevent unauthorised or fraudulent transactions, describing robust controls for security incidents. Detailed disclosures on custody arrangements are also essential, ensuring that the DFSA has a clear view of how clients’ digital assets are stored. Technology audits are another requirement, as the DFSA wants confirmation that systems can handle operational risks. In some cases, the regulator will ask for a key features document for security tokens, explaining the key details and any potential risks to prospective investors.
Our working hours: Monday to Friday, 9 AM – 6 PM GMT+4
Expressions of interest: The first step
Firms can begin the process by submitting an expression of interest to the DFSA, usually within a specified window (17 March 2025 to 24 April 2025). At this early stage, they need to outline their business model, the assets they intend to tokenise and how they plan to test these offerings with live clients. They must also confirm that they meet baseline criteria, such as having sufficient capital to handle operational costs and a management team with relevant industry experience.
Applicants pay no fees for this initial submission. Instead, the DFSA reviews the material, often within a two-week period, to identify the most promising and compliant candidates. Firms that pass this stage move on to the next phase, which involves preparing a more extensive application for the Innovation Testing Licence (ITL).
The innovation testing licence in detail
The Innovation Testing Licence is a well-established concept introduced by the DFSA in 2017. Firms accepted into the ITL can test financial products with real customers, under carefully supervised conditions. This approach is not about lowering standards. Rather, the DFSA will sometimes grant waivers or modifications of certain rules on a case-by-case basis, if these changes help the firm explore an idea without compromising crucial client safeguards.
Applicants produce a regulatory testing plan (RTP), which sets out their goals, testing timelines, technology stack, risk controls and how they intend to handle client feedback or complaints. The DFSA then works with them to refine or clarify any points. Once the plan is approved, the applicant receives an in-principle approval (IPA). This IPA remains conditional. The applicant must still meet further requirements, such as incorporating a DIFC-registered entity, appointing compliance officers and finalising documented policies for anti-money laundering, risk management and client protection.
Moving from in-principle approval to live testing
The IPA indicates that the DFSA sees merit in the firm’s proposal, but it does not grant permission to commence operations straight away. Typically, the DFSA will insist that the entity put certain measures in place, including the appointment of senior officers with the appropriate qualifications or relevant outsourced service providers (for example, compliance or finance officers).
Only after meeting these conditions can the firm receive its ITL and begin offering tokenised investments to a small and controlled client base.
"The DFSA often restricts the number of clients or the transaction volumes during the live testing phase, making sure that if an unforeseen issue arises, it is contained and does not harm the broader market."
Core components of the regulatory testing plan
Business model and proposed products
Applicants must specify precisely which tokenised assets they will offer and to which types of clients.
Testing scope and objectives
The firm describes how long the testing period will last and what success looks like. This section also covers the maximum transaction limits and the client categories participating.
Risk management and security
Detailed strategies to handle fraudulent activity, unauthorised transactions or system failures.
Client awareness and communication
The DFSA mandates that test clients are made aware they are participating in a product still under regulatory review. The applicant must confirm how it plans to inform clients about the associated risks.
Data reporting to the DFSA
Regular updates must be given to the regulator, covering metrics such as transaction frequency, issues reported and resolution steps taken.
Exit plan
If testing concludes unsuccessfully, the applicant must confirm how it will settle existing obligations to clients and wrap up operations without causing disruption.
Capital requirements when testing in DIFC
Capital obligations in DIFC vary according to the type of financial service the firm intends to perform. Firms in DIFC Category 4 typically need at least 10,000 US dollars in base capital, whereas Category 3 can require 500,000 dollars, Category 2 is 2 million dollars and Category 1 goes as high as 10 million dollars. This figure can increase, depending on three components: base capital, risk-based capital and expense-based capital. Whichever component is the highest determines the actual capital requirement.
For instance, if a firm forecasts significant annual expenses or manages large volumes of client assets, the DFSA may require it to hold more capital in reserve. Start-ups might receive certain modifications, but they still have to prove they can meet operational costs without jeopardising client interests.
Get the most relevant information about business life in Dubai
Conducting live tests: Restrictions and compliance
Once the DFSA grants an ITL, the firm can move ahead with live testing in DIFC. During this period, the firm must remain vigilant about compliance, as the DFSA closely monitors areas such as:
Transaction limits: The DFSA usually sets thresholds on the total value or number of transactions that can take place.
Client count: The regulator may limit how many clients can participate in the pilot to manage risk.
Operational checks: If the firm experiences any major technical failures, it must notify the DFSA immediately and follow any directives to protect clients.
"The DFSA has made it clear that anti-money laundering (AML), counter-terrorist financing (CTF) rules and obligations under federal law are non-negotiable. Even if certain aspects of regulation are relaxed for innovation purposes, these core areas remain fully enforced."
Completing the testing period
At the end of the agreed testing phase, the firm reviews its performance and determines whether the product meets its initial objectives. If it wishes to move forward commercially, it can apply to have the restrictions lifted. The DFSA then checks if the firm’s arrangements are sufficiently robust for standard authorisation, free from the sandbox conditions. If all requirements are met, the business can transition to a full regulatory licence.
Should the product fail or prove unfeasible, the firm can withdraw from the sandbox. It will then need to fulfil its exit plan, ensuring clients are compensated or have their assets returned. This outcome does not necessarily prevent the firm from applying in the future with a revised model.
Cost implications in DIFC
Running a financial services entity in DIFC comes with set-up fees, operational overheads and regulatory costs. The DFSA typically charges a 5,000 US dollar fee for the ITL, which covers the entire testing period. Businesses must also pay for DIFC incorporation and registration. Tech companies looking at office space in the Innovation Hub might incur around 1,500 dollars in licence fees, with co-working spaces starting at 500 dollars per desk.
Capital requirements can form the largest expense for many firms, especially those categorised higher due to client asset handling. While waivers or modifications may be available, the DFSA will not compromise on essential safeguards. Some aspects, such as AML checks and external audits, are also mandatory and can influence costs. Nonetheless, the credibility of operating under a DFSA-regulated umbrella often justifies these expenditures for firms targeting sophisticated investors and institutional partnerships.
Creating a presence in Dubai
Many firms taking part in the DFSA tokenisation regulatory sandbox find it beneficial to have a physical location in DIFC. This ties in well with procedures for relocating employees or hiring local expertise. If you plan to bring team members from abroad, you might consider reading about ways to relocate to Dubai to facilitate visas, housing and essential infrastructure.
A local presence can help a firm build credibility with potential clients, regulatory bodies and other stakeholders. DIFC also hosts networking events, accelerators and mentorship programmes that support growth. By engaging in this ecosystem, you tap into a community of legal advisers, compliance specialists and tech experts ready to assist with the complexities of regulated tokenisation.
Offshore banking and broader structures
Even though the sandbox focuses on investment tokens, you might still need efficient international banking to handle cross-border flows. Businesses that aim to diversify may find offshore banking useful. Offshore accounts can help manage foreign currencies, transactions and capital reserves. This strategy can be especially relevant when dealing with foreign investors who prefer flexible bank arrangements.
Meanwhile, if your tokenisation model evolves into digital asset offerings that extend beyond securities, it could intersect with the need for a crypto licence in the UAE.
-
Capital requirements vary on the type of DIFC licence category in question, with possible modifications if the DFSA sees merit in the business model.
-
Successful applicants must be fully set up in DIFC before live testing can start. This includes appointing compliance officers and finalising policies.
-
Once testing is complete, firms can request removal of the sandbox restrictions if they meet the DFSA’s requirements for a full licence.
-
Setting up in DIFC offers a globally recognised platform, though it involves certain costs, including licence fees, regulatory expenses and office space.
Managing compliance responsibilities
Operating in the sandbox or under a full DIFC licence demands ongoing vigilance. The DFSA expects firms to conduct periodic reviews of client onboarding practices, transaction monitoring tools and data security protocols. Audit obligations may involve presenting independent technology reviews or financial statements to confirm your firm remains in good standing.
Moreover, the DFSA regularly updates its rules to align with international best practices. Staying informed and maintaining open communication with the regulator can reduce the risk of non-compliance. This proactive approach also highlights a firm’s commitment to transparency, which is particularly valued by high-net-worth individuals and institutional clients.
Why DIFC remains an attractive choice
Setting up in DIFC gives businesses a chance to serve multiple markets from a single hub. It offers a predictable legal framework and a regulator that embraces innovation without forsaking important consumer protections. The DFSA tokenisation regulatory sandbox is evidence of DIFC’s openness to new ideas, as it combines firm oversight with an appreciation for technological change.
For many investors, a firm licensed by the DFSA in DIFC signals professionalism and trustworthiness, especially compared to unregulated or semi-regulated environments. That seal of credibility can go a long way in attracting institutional money or large private investors. Even though capital requirements, compliance costs and licensing fees may be higher than in certain other jurisdictions, the potential rewards for successful ventures are significant.
