- The United Arab Emirates’ Federal Decree-Law No. 6 of 2025 came into force on 16 September.
- Article 62 places APIs, explorers and decentralized platforms under the central bank’s control.
- Article 61 regulates all marketing, emails and online posts about crypto services.
In a sharp departure from its previously crypto-friendly reputation, the United Arab Emirates has enacted sweeping new legislation that effectively classifies core cryptocurrency infrastructure—including Bitcoin wallets—as potentially illegal unless licensed by the central bank.
Legal analysts at Gibson Dunn have noted the law’s unusually broad scope and warned that its wording introduces significant legal risk for global technology providers.
Embedded in Federal Decree-Law No. 6 of 2025, this shift took effect on 16 September and carries global implications for developers and platforms that provide access to cryptocurrencies.
The law replaces the 2018 banking law and substantially expands the definition of financial activity. What distinguishes this legislation is not only its wide applicability but also the seriousness of its enforcement measures.
Penalties for noncompliance range from fines of AED 50,000 up to AED 500,000,000 (as much as around USD 136 million) and can include imprisonment.
Crucially, these rules apply not only to entities operating inside the UAE but also to any providers whose products are accessible from within the country.
Licenses are now required for wallets, APIs and even analytics
The most significant provision of the new law is found in Article 62, which gives the central bank authority over any technology that “engages in, offers, issues or facilitates” financial activity.
The language is broad enough to encompass self-custodial wallets, API services, blockchain explorers, analytics platforms and even decentralized protocols.
This represents a fundamental change in how cryptocurrency infrastructure is regulated in the UAE.
Where previous licensing obligations focused on traditional financial entities, the updated framework shifts that focus to include software and data tools.
Developer analysis indicates that even public tools like CoinMarketCap and open-source Bitcoin wallets may now require licenses to remain accessible within the UAE.
For the first time, developers could face criminal sanctions for offering unlicensed crypto tools, even if those developers are based overseas.
This jurisdictional expansion signals a new regulatory posture treating access to crypto as tightly as its ownership or exchange.
Communication and marketing now fall under regulation
The interventions do not stop at financial infrastructure. Article 61 of the same law classifies marketing, promotion or advertising of financial services as activities that require licensing.
In practice, this means that hosting a website, publishing an article or posting a tweet about an unlicensed crypto service could be deemed an offense if that content reaches residents of the UAE.
This change dramatically broadens the compliance footprint for companies and developers.
Gibson Dunn highlights that these provisions significantly expand the reach of enforcement, especially for businesses without a formal UAE presence.
The law applies to communications originating outside the country but accessible within it.
The result is a regulatory environment where developers, content creators and infrastructure providers must assess whether their platforms are indirectly accessible to users in the UAE.
In many cases, avoiding legal exposure may require restricting access or suspending services entirely.
Dubai free zones no longer shield crypto services
In recent years the UAE positioned itself as a hub for blockchain innovation.
Jurisdictions such as Dubai’s Virtual Assets Regulatory Authority (VARA) and the Abu Dhabi Global Market (ADGM) drew international attention with bespoke crypto licensing regimes.
However, the new federal law overrides those free zone frameworks and asserts the central bank’s authority across the entire country.
Federal law supersedes rules adopted by UAE free zones, effectively eliminating the regulatory arbitrage that once attracted firms to Dubai.
This development should be viewed in the broader context of the country’s approach to digital restrictions.
For example, WhatsApp voice calls remain blocked across the UAE, reflecting a consistent policy tendency toward centralized control of communications and digital tools.
While this shift may align the UAE more closely with international pressures from bodies such as the Financial Action Task Force, it also places crypto service providers in a difficult position.
In other jurisdictions facing similar pressure, companies have sometimes withdrawn entirely to avoid enforcement risk.
Enforcement begins in 2026 and further rules are expected
Entities have a one-year window from 16 September 2025 to comply with the rules. That grace period may be extended at the central bank’s discretion.
During this interval, additional regulations are expected to clarify how the overarching rules will be applied in practice.
Despite that anticipated guidance, the law’s broad reach already raises substantial concerns.
The wording around facilitation and communication, combined with the strict penalties under Article 170, suggests that companies offering crypto tools globally must now consider the risk of inadvertent exposure to UAE users.
For software developers and platform operators, this marks a significant departure from the norms of decentralized access and open-source innovation.