Since 16 September 2025 the UAE financial sector operates under a rewritten rulebook. Federal Decree-Law No. 6 of 2025 replaced the 2018 Central Bank Law and the 2023 Insurance Decree-Law in one move. The one-year transition window closes on 16 September 2026 — just under two months away — and the perimeter of who counts as a "financial institution" is now materially wider than most compliance teams assumed.
What Federal Decree-Law No. 6 of 2025 changed
The President of the UAE signed the decree on 8 September 2025. It was published in the Official Gazette on 15 September and entered into force the next day, with Article 184 granting a one-year reconciliation period. On paper this looks like a housekeeping update. In practice it consolidates banking, insurance, payments and financial market infrastructures under a single supervisory framework — and it shifts the analytical starting point of Central Bank of the UAE (CBUAE) oversight. Full text is on the UAE Legislation Portal.
The new starting point is a "function over form" principle. If an activity qualifies as a Licensed Financial Activity, it falls under CBUAE supervision — regardless of the technology, medium or corporate wrapper carrying it out. Article 62 spells this out explicitly for emerging technologies: virtual assets, stablecoins, tokenised real-world assets, DeFi protocols and decentralised exchanges, digital wallets, cross-chain bridges, supporting blockchain infrastructure, technology providers and API layers are all in scope where their activity crosses into regulated territory.
As Norton Rose Fulbright notes in its overview, the law is less a rewrite of the 2018 framework than a full reset of how the UAE thinks about financial supervision — with a deliberate pivot toward technology-neutral rules.
Who's affected — and how deeply
The obvious list is long. Licensed banks, insurance companies, payment service providers, exchange houses, finance companies, digital banks, Virtual Asset Service Providers (VASPs) and stablecoin issuers all sit squarely within scope. Insurance companies are worth flagging separately — the repeal of Federal Decree-Law No. 48 of 2023 folds them into the same consolidated regime.
The less obvious list matters more. Under Article 62, providers of the infrastructure supporting Licensed Financial Activities — API vendors serving PSPs, wallet-layer technology firms, custody-adjacent tech providers, node operators, DEX front-end operators — need to check whether they now sit inside the perimeter. Companies that treated themselves as pure technology vendors under the previous framework should not assume the same conclusion holds.
Payment services carried out via virtual assets are now flagged as a standalone Licensed Financial Activity, aligned with the CBUAE's Payment Token Services Regulations. That closes a specific gap that had been the source of most "are we regulated?" debates over the past 18 months.
The penalty regime: two tracks, both sharper
Enforcement risk under the new law splits into two distinct tracks, and the distinction is worth internalising early. Addleshaw Goddard summarises the split clearly.
Track one — licensed institutions in breach. The maximum administrative fine rises from AED 200 million (~USD 54.5 million) under the 2018 law to AED 1 billion (~USD 272.3 million). A five-fold increase in the headline ceiling, matched by a risk-based approach to capital and prudential requirements.
Track two — unlicensed activity. Here the change is structural, not just numerical. Promoting or carrying out financial activity without a licence carries an administrative fine starting at AED 1 million, and can be prosecuted criminally with fines from AED 50,000 up to AED 500 million and/or imprisonment. The CBUAE's 60-day service-level commitment on licensing decisions cuts the other way too: it removes the "we couldn't get an answer" defence.
For tech-enablers who had operated in a grey zone, the second track is where the practical risk sits.
Compliance checklist before 16 September 2026
Two months is enough to close the perimeter question, but not enough to do it lazily. Six items belong on the C-suite agenda now.
1. Reassess the licensing perimeter. Map every revenue-generating activity against the Licensed Financial Activity definitions in the new law and the CBUAE Rulebook. The consolidated CBUAE Rulebook entry for Federal Decree-Law 6/2025 is the authoritative reference.
2. Refresh the governance framework. Board composition, risk committees, related-party rules and outsourcing policies should be re-checked against the new consolidated standards — not against 2018 muscle memory.
3. Update AML/CFT policies. The consolidation with the insurance regime and the express inclusion of virtual assets shifts the practical scope of financial-crime controls.
4. Review tech-provider and API contracts. If a counterparty now sits inside the perimeter but is not licensed, contractual risk allocation, service continuity and audit-rights clauses need to be revisited on both sides.
5. Align virtual-asset activities with the Payment Token Services Regulations. Anyone offering payment services via VAs should treat that alignment as a hard prerequisite, not a nice-to-have.
6. Book a pre-application meeting with the CBUAE if perimeter status is genuinely unclear. The 60-day licensing SLA lets regulated entities plan around a defined clock. Article 184 also gives the CBUAE discretion to extend individual reconciliation timelines where warranted — but that discretion is not a default position; a request needs to be substantiated.
What the new law means for businesses setting up in the UAE
For founders looking at the UAE as a base for a regulated financial business — a digital bank, a PSP, a VASP, an insurtech, a stablecoin issuer — the consolidation reads as good news. The map is cleaner. The lines between the CBUAE, the DFSA (Dubai International Financial Centre), the FSRA (Abu Dhabi Global Market) and VARA (Dubai's Virtual Asset Regulatory Authority) still matter, but the internal logic of what triggers a CBUAE licence is now more predictable than it was.
As Ashurst observes, the framework rewards operators who engage with the regulator early and structure their activities around defined Licensed Financial Activities rather than around technology labels.
Garant Business Consultancy DMCC advises regulated and prospective-regulated businesses on perimeter analysis, licensing strategy and compliance planning under Federal Decree-Law No. 6 of 2025. If the 16 September 2026 date is on your calendar and the checklist above surfaces open questions, that's the right conversation to have now — not in September.


