UAE Crackdown Makes Bitcoin Wallets Risky for Global Tech Enforcement

  • The United Arab Emirates’ Federal Decree-Law No. 6 of 2025 came into force on 16 September
  • Article 62 places APIs, explorers and decentralized platforms under the Central Bank’s control
  • Article 61 regulates all marketing, emails and online posts related to crypto services

The United Arab Emirates has enacted a sweeping new federal law under which providing core pieces of digital asset infrastructure, including Bitcoin wallets, is potentially a criminal activity unless authorized by the Central Bank.

Legal specialists at Gibson Dunn have flagged the law’s unusually broad scope, warning that its wording creates substantial compliance risks for global technology providers.

The change is embedded in Federal Decree-Law No. 6 of 2025, which took effect on 16 September and has implications worldwide for developers and platforms that provide crypto access.

The law replaces the 2018 Banking Law and significantly expands definitions of regulated financial activities. What distinguishes this law is not only its breadth but also its enforcement approach.

Penalties for noncompliance range from fines of 50,000 dirhams up to 500,000,000 dirhams (approximately $136 million) and may include imprisonment.

These provisions apply not only to entities operating inside the UAE but also to services that can be accessed from within the country.

Licensing now applies to wallets, APIs and even analytics

The most consequential element of the new law is found in Article 62, which grants the Central Bank authority to regulate any technology that “participates in, offers, issues or facilitates” financial activity.

The language is broad enough to cover self-custodial wallets, API services, blockchain explorers, analytics platforms and even decentralized protocols.

This marks a fundamental shift in how crypto infrastructure is regulated in the UAE.

Previously, licensing obligations focused on traditional financial institutions, but the updated framework extends that focus to software and data tools.

Developers’ analyses indicate that publicly accessible tools — for example, market trackers and open-source Bitcoin wallets — may require licenses to be reachable by users in the UAE.

For the first time, developers could face criminal liability for offering unlicensed crypto tools, even if they are based abroad.

This extraterritorial reach signals a regulatory posture that treats access to crypto as strictly as ownership or exchange activity.

Communications and marketing fall under the rules

The restrictions are not limited to infrastructure. Article 61 makes marketing, promotion and advertising of financial services regulated activities requiring authorization.

In practice, hosting a website, publishing an article or sharing posts about unlicensed crypto services could be considered a breach if those communications are accessible to UAE residents.

The change considerably expands compliance obligations for companies and developers.

Gibson Dunn emphasizes that these provisions significantly widen enforcement reach, particularly for firms without a formal presence in the UAE.

The law applies to communications originating abroad that can be accessed within the country.

The result is a regulatory environment where developers, content creators and infrastructure providers must assess whether UAE users can indirectly access their platforms.

In many cases, avoiding legal exposure may require restricting access or suspending services entirely.

Dubai free zones no longer guarantee protection for crypto services

In recent years the UAE positioned itself as a hub for blockchain innovation.

Free zones and local regulators such as the Dubai Virtual Assets Regulatory Authority (VARA) and Abu Dhabi Global Market (ADGM) attracted global attention with purpose-built crypto licensing regimes.

However, the new federal law supersedes those free zone arrangements by asserting nationwide control under the Central Bank.

Federal law replaces any free zone rules, ending the regulatory arbitrage that once drew companies to Dubai.

This shift sits alongside the UAE’s broader history of centralized digital controls.

For example, WhatsApp calling remains blocked across the UAE, underscoring a consistent policy approach to centrally regulating digital communications and tools.

While the new law may help align the UAE with international pressures such as those from the Financial Action Task Force, it places crypto providers in a difficult position.

In other jurisdictions facing similar pressures, some companies have withdrawn entirely to avoid enforcement risk.

Enforcement begins in 2026 with further rules expected

Authorities have set a one-year compliance window from 16 September 2025; that grace period may be extended at the Central Bank’s discretion.

During this time, additional regulations are expected to clarify how the law’s broad provisions will be applied in practice.

Nonetheless, the law’s scope already raises concerns.

Language about facilitation and communications, together with severe penalties under Article 170, means global providers of crypto tools must consider the risk posed by inadvertent exposure to UAE users.

For software developers and platform operators, this represents a substantial departure from the norms of decentralized access and open-source innovation.