FSRA Digital Asset Licensing Requirements for Abu Dhabi Global Market

How to obtain and maintain FSRA licensing for digital asset activities in ADGM

FSRA regulates virtual assets in Abu Dhabi Global Market through a comprehensive licensing framework requiring prospectus preparation, disclosure obligations, custody arrangements, and ongoing compliance reporting. Infrastructure providers that do not hold or control assets may fall outside regulatory scope.

FSRA / ADGM Regulatory Framework for Digital Assets: Infrastructure Provider Status, Licensing, and the Compliance Carve-Out

FSRA’s Regulatory Architecture for Virtual Assets

Abu Dhabi Global Market (ADGM) is one of the UAE’s three distinct regulatory environments for digital assets, alongside mainland Dubai (regulated by VARA) and the Dubai International Financial Centre (regulated by the DFSA). Within ADGM, the Financial Services Regulatory Authority (FSRA) is responsible for regulating financial services activities, including those involving virtual assets.

The FSRA operates under the Financial Services and Markets Regulations (FSMR), which provides the primary legislative framework for all regulated activities within ADGM. For digital assets, the FSRA has developed a comprehensive rulebook that addresses licensing, conduct of business, anti-money laundering, technology governance, and prudential requirements. The FSRA’s approach is distinguished by its emphasis on institutional-grade regulation: it applies the same principles-based regulatory philosophy to digital asset activities that it applies to traditional financial services, adapted for the specific risks and characteristics of blockchain-based systems.

ADGM’s regulatory framework for virtual assets has been developed iteratively since 2018, when ADGM became one of the first jurisdictions globally to introduce a comprehensive virtual asset regulatory framework. The framework has been updated multiple times, most significantly in 2024 and 2025, to address emerging activities such as staking, decentralized finance, and the evolving role of infrastructure providers in the digital asset ecosystem.

The FSRA’s regulatory architecture is built on a functional test: regulation is determined by what an entity does, not what it calls itself. An entity that provides custody services for virtual assets is regulated as a custodian, regardless of whether it describes itself as a technology company, a fintech, or a blockchain infrastructure provider. This functional approach is critical for understanding how the FSRA draws the boundary between regulated activities and unregulated infrastructure provision.

The Infrastructure Provider Carve-Out: FSRA Consultation Paper No. 10/2025

One of the most significant developments in ADGM’s virtual asset regulatory framework is the infrastructure provider carve-out introduced through FSRA Consultation Paper No. 10/2025, published in September 2025. This consultation paper addressed the regulatory treatment of virtual asset staking and, in doing so, established a critical distinction between entities that hold or control virtual assets and those that provide the technical infrastructure on which virtual asset activities are conducted.

The key language from the consultation paper states that technical infrastructure providers that do not hold or control virtual assets are excluded from the FSRA’s regulatory framework for staking. This exclusion applies specifically to entities whose function is to provide the technological rails on which regulated institutions conduct their activities, analogous to how SWIFT provides messaging infrastructure for international banking without being a bank itself.

The Functional Test: What Qualifies as Infrastructure vs. Regulated Activity

The FSRA’s carve-out is not a blanket exemption for anyone who claims to be an infrastructure provider. It is defined by a functional test that evaluates what the entity actually does in practice. To qualify for the infrastructure provider exclusion, an entity must satisfy several conditions.

First, it must not hold, control, custody, or have access to any client money, client assets, or virtual assets at any point in the transaction lifecycle. The entity provides infrastructure on which virtual assets are transacted by licensed institutions, but it never takes possession of or control over those assets.

Second, it must not perform any regulated financial service activity. It does not issue tokens, provide custody, operate an exchange, or execute trades. It provides the technological platform that enables licensed institutions to perform these activities within a compliant environment.

Third, its relationship to the regulated activity must be analogous to that of a technology vendor providing infrastructure to regulated institutions, not that of a participant in the regulated activity itself. The distinction is between operating the rails and operating the trains.

This carve-out has profound implications for the design of digital asset compliance infrastructure. An infrastructure provider that satisfies the functional test can operate within ADGM without requiring a Financial Services Permission (FSP), because it is not performing a regulated activity. The licensed institutions that operate on the infrastructure are the regulated entities; the infrastructure provider is the technology platform they use. This distinction is central to zero-token blockchain infrastructure, which is designed to eliminate cryptocurrency exposure while providing compliant settlement infrastructure.

Why This Distinction Matters for Institutional Digital Asset Infrastructure

The infrastructure provider carve-out resolves one of the central challenges facing digital asset compliance: the regulatory classification of the infrastructure itself. Without this carve-out, a blockchain network designed to enforce compliance at the protocol level could face the paradox of being classified as a regulated entity simply because it handles compliant transactions, even though it never holds, controls, or has custody of any assets.

The FSRA’s functional test provides a clear pathway. If the infrastructure is designed so that no virtual assets are held or controlled by the infrastructure provider, and if the infrastructure provider does not perform any regulated activity, the infrastructure provider falls within the carve-out. Licensed institutions use the infrastructure to conduct their regulated activities, and the infrastructure provider is classified as a technology provider rather than a financial services firm.

This is not a regulatory loophole. It is the intended design. The FSRA, DFSA, and CBUAE all distinguish between entities that operate regulated activities (issuers, custodians, exchanges) and the technology platforms they operate on. The carve-out recognizes that the distinction between platform and operator is fundamental to a well-functioning digital asset ecosystem, just as it is fundamental in traditional financial services.

FSRA Licensing Categories for Virtual Asset Activities

For entities that do perform regulated virtual asset activities within ADGM, the FSRA provides a structured licensing framework with defined categories and requirements.

Financial Services Permission (FSP)

The primary licensing mechanism for virtual asset activities in ADGM is the Financial Services Permission. An FSP authorizes a firm to carry on one or more regulated activities within ADGM. For virtual asset activities, this includes operating as a virtual asset exchange, providing custody services, issuing virtual assets, and providing dealing or brokerage services. The FSP application process involves a thorough assessment of the applicant’s governance, compliance systems, financial resources, technology infrastructure, and key personnel.

Category 4 License for Fiat Referenced Tokens

In January 2026, the FSRA introduced a specific Category 4 license for Fiat Referenced Tokens (FRTs) — tokens whose value is pegged to or referenced against a fiat currency. This license category reflects the growing importance of stablecoins in the institutional digital asset ecosystem and creates a dedicated regulatory pathway for entities that issue or manage fiat-referenced tokens within ADGM. The introduction of a specific category for FRTs mirrors the CBUAE’s approach under the Payment Token Services Regulation and demonstrates the regulatory convergence occurring across UAE jurisdictions on stablecoin treatment.

COBS Rule 17.2.2: Self-Assessment and Notification

One of the most operationally significant requirements in the FSRA’s framework is the self-assessment and notification process under COBS Rule 17.2.2, which governs Accepted Virtual Assets (AVAs). Under recent amendments, the FSRA moved from an approval-based to a notification-based process for AVAs. Authorised Persons must now self-assess each virtual asset against seven pre-defined FSRA criteria before using it, and they must notify the FSRA at least five business days before commencing use of any new virtual asset.

| # | Criterion | What Firms Must Evaluate | What ‘Good’ Looks Like |
|---|---|---|---|
| 1 | Maturity | Market presence, adoption trajectory | Established token with demonstrable presence |
| 2 | Security | Technical and operational security measures | Completed audits, robust security posture |
| 3 | Traceability | Origin and destination of transactions on-chain | Full analytics capability, transparent blockchain |
| 4 | Exchange Connectivity | Number and quality of exchange listings | Multiple regulated exchanges, geographic diversity |
| 5 | Type of DLT | Robustness, decentralization, security of blockchain | Mature consensus, distributed nodes, no major forks |
| 6 | Innovation | Technical differentiation vs alternatives | Measurable technical improvements |
| 7 | Practical Application | Real-world utility beyond speculation | Active use cases, real users |

The Seven Core Mandates from COBS Rule 17.2.2

The COBS 17.2.2 framework imposes seven core mandates on authorised persons:

1. Self-assess before you use it: no external entity performs the assessment on the firm’s behalf.
2. Document everything with objective evidence: subjective opinions or informal assessments are insufficient.
3. Notify the FSRA five business days before use: this is a notification, not an approval request, but it gives the FSRA a window to intervene if concerns arise.
4. Publish the firm’s AVA list: this must be public-facing, visible to clients and counterparties.
5. Monitor continuously, not just once: if any criterion deteriorates, the firm must reassess.
6. Remove tokens that no longer qualify: cease activities and notify the FSRA.
7. Be able to prove it all: reproduce the full assessment trail on regulatory request.

The parallels between the FSRA’s COBS 17.2.2 framework and the DFSA’s GEN Rule 3A.2.1 suitability assessment framework are striking. Both regulators are shifting assessment responsibility to firms. Both require documented reasoning with objective evidence. Both impose ongoing monitoring obligations. Both require reproducible records on regulatory request. This convergence is significant because it doubles the addressable market for compliance infrastructure: firms operating in both ADGM and DIFC face fundamentally similar compliance requirements, making cross-jurisdictional compliance infrastructure commercially attractive.

FSRA Requirements That Shape Infrastructure Design

The FSRA’s regulatory requirements are not abstract policy statements. They have direct implications for how digital asset infrastructure must be designed, built, and operated. Four requirements in particular shape the architecture of compliant digital asset infrastructure within ADGM.

Pre-Transaction Compliance: Identity Before Trade

The FSRA requires that identity verification be completed before any virtual asset transaction can be executed. This is not post-trade KYC screening. It is pre-transaction identity verification: no trade can occur until the identity of both parties has been established and verified to the standard required by the FSRA’s AML/CFT framework. For traditional blockchain networks, this requirement is architecturally challenging because most blockchains default to pseudonymous wallets. Enforcing pre-transaction identity verification requires that identity be embedded in the transaction infrastructure itself, not bolted on as an application-layer add-on.

Auditable Decision Trails

The FSRA requires that regulated firms maintain auditable records of all compliance decisions. This goes beyond simple transaction logs (which record what happened) to encompass decision trails (which record why it was approved or rejected). A compliance decision trail captures the inputs to the decision (identity data, risk assessments, suitability evaluations), the rules applied (regulatory thresholds, internal policies, risk parameters), the outcome (approved, rejected, flagged for review), and the reasoning connecting inputs to outcomes. This requirement shapes infrastructure design by demanding that compliance logic be instrumented and auditable at every step, not just at the final outcome.

Real-World Accountability for Violations

The FSRA’s enforcement framework provides for real-world consequences for regulatory violations, including fines, license revocations, and referrals for criminal prosecution. This accountability framework extends to the governance of any blockchain infrastructure operating within ADGM. If the validators or operators of a blockchain network are anonymous, there is no entity to hold accountable for violations. The FSRA’s framework implicitly requires that blockchain governance structures be transparent and that the entities responsible for operating the network be identifiable, licensed, and subject to real-world regulatory consequences.

Protocol-Level Enforcement as Architectural Necessity

Taken together, these requirements — pre-transaction identity, auditable decision trails, and real-world accountability — point toward a specific architectural conclusion: compliance must be enforced at the protocol level, not at the application layer. Application-layer compliance can be bypassed by users who interact with the blockchain directly and so never pass through the application’s compliance controls. Protocol-level compliance cannot be bypassed because the compliance rules are enforced by the blockchain itself, before any transaction is committed to the ledger. For regulated institutions operating within ADGM, the distinction between application-layer and protocol-level compliance is not academic — it is the difference between a compliance framework that can be circumvented and one that cannot.

The FSRA Sandbox: RegLab and Regulatory Engagement

The FSRA operates a regulatory sandbox known as the RegLab, which provides a mechanism for innovative financial services firms to test their products and services within a controlled regulatory environment. The RegLab is not a shortcut to licensing — it is a structured framework for regulatory engagement that allows firms to receive feedback on their business models, technology architectures, and compliance approaches before committing to full FSP applications.

For infrastructure providers, the RegLab offers a valuable pathway for engaging with the FSRA on questions of regulatory classification and compliance design. Rather than seeking regulatory approval (which implies a licensing obligation), infrastructure providers can seek design feedback: presenting their architecture to the FSRA, explaining how their infrastructure supports regulated activities without performing them, and receiving guidance on whether their approach satisfies the infrastructure provider carve-out.

The RegLab process typically involves several stages: an initial application describing the firm’s business model and technology; a review period during which the FSRA evaluates the proposal; a testing phase during which the firm operates under specified conditions and restrictions; and a graduation pathway to either full licensing or confirmation of infrastructure provider status. The RegLab is particularly valuable for firms whose regulatory classification is ambiguous — entities that operate at the boundary between technology provision and regulated financial service activity.

The strategic value of the RegLab for infrastructure providers is that it provides a formal, documented pathway to regulatory clarity. An infrastructure provider that has been through the RegLab process and received FSRA guidance on its classification has a defensible regulatory position that pure self-assessment cannot provide. This is especially valuable in a rapidly evolving regulatory environment where the boundaries between regulated and unregulated activities are still being defined.

ADGM as a Launchpad: Why Global Institutions Choose Abu Dhabi

ADGM has positioned itself as a premier jurisdiction for institutional digital asset activities, and this positioning is backed by several structural advantages that make Abu Dhabi an attractive launchpad for global institutions entering the digital asset space.

Common Law Jurisdiction with Global Recognition

ADGM operates under a common law legal system, directly applying English common law principles. This is unique in the Middle East and highly attractive to international financial institutions whose operations, contracts, and dispute resolution mechanisms are built on common law foundations. The ADGM Courts, staffed by internationally recognized judges, provide a dispute resolution framework that global institutions trust. For digital asset activities, where legal certainty around smart contract enforceability, token classification, and cross-border jurisdiction is critical, ADGM’s common law framework provides a level of legal predictability that few other GCC jurisdictions can match.

Regulatory Clarity and Engagement Culture

The FSRA has developed a regulatory approach that combines clear, published rules with an accessible, engagement-oriented culture. The FSRA is known for its willingness to engage with firms on complex regulatory questions, to provide guidance through mechanisms like the RegLab, and to update its framework in response to market developments and technological evolution. This engagement culture is particularly valuable for digital asset firms because the technology is evolving faster than regulation in most jurisdictions, and firms need a regulator that is capable of and willing to engage on emerging questions.

Hub71 and the Abu Dhabi Innovation Ecosystem

Hub71 is Abu Dhabi’s global technology ecosystem, backed by Mubadala, ADQ, and other sovereign wealth entities. For digital asset firms, Hub71 provides access to capital, mentorship, regulatory engagement support, and an institutional network that includes some of the largest sovereign wealth funds and financial institutions in the GCC. Being ADGM-native — building within ADGM from inception rather than migrating from another jurisdiction — provides a credibility advantage when engaging with institutional buyers who operate within or are considering operations within ADGM.

September 2026 as Market Catalyst

UAE Federal Decree Law No. 6/2025 mandates that all digital asset businesses in the UAE be fully compliant by September 2026, with penalties up to AED 1 billion for non-compliance. This deadline creates a structural demand catalyst for compliant infrastructure: every digital asset business in the UAE needs compliance infrastructure, and institutions that delay face increasing regulatory and commercial risk. ADGM-based infrastructure providers that are operational before September 2026 will be positioned to serve this demand at scale.

The “ADGM-Native by Design” Advantage

For institutions evaluating digital asset infrastructure, provenance matters. An infrastructure platform that was designed from inception to comply with FSRA requirements — pre-transaction identity verification, auditable decision trails, real-world validator accountability, and the infrastructure provider carve-out — carries a different credibility profile than one that was built for a different regulatory environment and subsequently adapted for ADGM.

The distinction is between infrastructure that is compliant by design and infrastructure that is compliant by adaptation. Compliant-by-design infrastructure embeds FSRA requirements into its architecture at every layer: identity at the protocol level, decision trails in the consensus mechanism, accountability in the validator governance, and controlled asset flows in the bridging layer. Compliant-by-adaptation infrastructure bolts compliance onto an existing architecture that was not designed with these requirements in mind, creating potential gaps between what the application layer enforces and what the protocol layer permits.

For institutional buyers in ADGM, this distinction matters because the FSRA’s regulatory framework is not static. As the framework evolves, infrastructure that was designed around FSRA principles will adapt more readily than infrastructure that was designed around different regulatory assumptions. Regulatory alignment is not a feature to be added; it is an architectural principle that shapes every design decision.

Digital Dirham Compatibility and CBUAE Alignment

A critical dimension of ADGM’s digital asset infrastructure landscape is the relationship between FSRA-regulated activities and the Central Bank of the UAE’s (CBUAE) monetary framework. The CBUAE has moved the Digital Dirham — the UAE’s central bank digital currency — from pilot to law under the Central Bank Law of 2025. The Digital Dirham is now recognized as legal tender, and its deployment creates both opportunities and constraints for digital asset infrastructure within ADGM.

The CBUAE’s Payment Token Services Regulation (PTSR) of 2024 governs stablecoins and payment tokens across the UAE, with the exception of DIFC and ADGM, which operate under their own regulatory frameworks. However, any digital asset infrastructure that operates beyond the boundaries of ADGM into the broader UAE market triggers PTSR requirements. This territorial scope creates a design constraint for infrastructure providers: infrastructure that operates exclusively within ADGM is subject to FSRA regulation, but infrastructure that facilitates transactions involving parties outside ADGM must also consider CBUAE requirements.

The PTSR defines a “Payment Token” broadly as any token referencing a fiat currency. This means that issuing an AED-pegged token — even within a permissioned blockchain environment — triggers mandatory CBUAE licensing requirements, including 1:1 AED reserve requirements. For infrastructure providers, this means that the cleanest regulatory posture involves accepting CBUAE-licensed payment tokens (such as AE Coin or, in the future, the Digital Dirham itself) rather than issuing any proprietary fiat-referenced token.

Infrastructure that is designed from inception to be compatible with the Digital Dirham — accepting sovereign digital currency as the settlement medium without issuing or controlling any monetary instrument — positions itself at the intersection of FSRA infrastructure regulation and CBUAE monetary policy. This dual alignment is architecturally demanding but commercially valuable, because it enables the infrastructure to serve both ADGM-only operations and cross-UAE transactions as the regulatory perimeter expands.

Regulatory Convergence Between FSRA and DFSA: What It Means for Compliance Infrastructure

One of the most strategically significant developments in UAE digital asset regulation is the convergence between the FSRA’s and DFSA’s approaches to firm-led assessment. Both regulators have independently moved from regulator-led to firm-led assessment models. The DFSA’s GEN Rule 3A.2.1 requires firms to assess crypto tokens against five criteria with documented evidence and reproducible records. The FSRA’s COBS Rule 17.2.2 requires firms to assess virtual assets against seven criteria with documented evidence and five-day advance notification to the regulator.

While the specific criteria differ — the DFSA uses five assessment dimensions while the FSRA uses seven — the underlying regulatory philosophy is identical: firms bear the assessment burden, must document their reasoning with objective evidence, must monitor continuously, must cease activities when material adverse developments occur, and must reproduce their assessment records on regulatory request. This convergence is not coincidental. Both regulators are responding to the same international standards from IOSCO and the Financial Stability Board, and both are grappling with the same fundamental challenge: how to ensure compliance in a rapidly evolving digital asset ecosystem without creating a regulatory bottleneck at the regulator level.

For compliance infrastructure providers, this convergence creates a compelling commercial proposition. An infrastructure platform that can support both DFSA and FSRA assessment frameworks — with configurable criteria sets, jurisdiction-specific reporting pipelines, and cross-compatible record management — serves a broader market than one designed for a single jurisdiction. The total addressable market within the UAE includes every licensed firm in both DIFC and ADGM that deals in digital assets, and the compliance infrastructure requirements are sufficiently similar that a single platform can serve both with jurisdictional configuration rather than separate products.

This convergence also has implications for cross-jurisdictional operations. A financial institution licensed in both DIFC and ADGM must comply with both the DFSA’s and FSRA’s assessment frameworks simultaneously. Without shared compliance infrastructure, this means maintaining two separate assessment processes, two sets of records, two monitoring systems, and two reporting pipelines for essentially the same underlying activity. Unified compliance infrastructure that supports both jurisdictions eliminates this duplication and reduces the operational burden on firms operating across UAE free zones.

The Build vs. Buy Decision for ADGM Institutions

Every ADGM-licensed institution dealing in virtual assets faces a fundamental build-or-buy decision for compliance infrastructure. Building in-house compliance infrastructure requires significant investment in technology development, ongoing maintenance, regulatory monitoring to keep the system aligned with evolving FSRA requirements, and specialized talent in both blockchain engineering and regulatory compliance. Industry estimates suggest that building comprehensive in-house compliance infrastructure for digital assets costs between $2 million and $5 million and takes 12 to 18 months for initial deployment, with ongoing operational costs of $500,000 to $1 million annually.

The buy alternative — using shared compliance infrastructure provided by a specialized infrastructure provider — offers a different cost-benefit profile. Shared infrastructure distributes the development and maintenance costs across multiple institutional users, reduces time to compliance, and ensures that regulatory updates are implemented once and propagated to all users. The trade-off is reduced customization and dependency on an external provider for a critical compliance function.

For most ADGM institutions, particularly those with fewer than 50 staff or less than $500 million in AUM, the economics strongly favor shared infrastructure. The compliance requirements are standardized (the FSRA defines what must be assessed, monitored, and reported), the data infrastructure requirements are common across institutions (everyone needs the same liquidity, security, and regulatory data), and the reporting formats are prescribed by the regulator. There is limited competitive advantage in building proprietary infrastructure to perform standardized compliance functions.

The September 2026 deadline intensifies the build-versus-buy calculus. Institutions that choose to build have less than six months to develop, test, and deploy institutional-grade compliance infrastructure. Institutions that choose to buy can potentially be operational within weeks of selecting a provider. For institutions that have not yet begun their compliance infrastructure buildout, the buy option may be the only realistic pathway to meeting the deadline.

The infrastructure provider carve-out in FSRA Consultation Paper No. 10/2025 further tilts the calculus toward shared infrastructure. Because technical infrastructure providers that do not hold or control virtual assets are excluded from the FSRA’s regulatory framework, shared compliance infrastructure can be provided by an unregulated technology provider — reducing the regulatory complexity of the buyer’s supply chain and enabling the infrastructure provider to serve multiple institutions across both ADGM and DIFC without requiring its own financial services license. This structural advantage means that the cost of compliance infrastructure can be distributed across the entire institutional ecosystem rather than borne individually by each firm, creating a flywheel effect: more institutional users means lower per-institution costs, which attracts more users, which further reduces costs. For the ADGM ecosystem as a whole, shared compliance infrastructure represents a public good — one that raises the compliance standard for all participants while reducing the barrier to entry for new entrants.

Sources: FSRA Consultation Paper No. 10/2025 (September 2025); FSRA COBS Rule 17.2.2; Clyde & Co, “Virtual Asset Staking in ADGM” (October 2025); King & Spalding, “ADGM FSRA Implements Amendments to Its Digital Asset Regulatory Framework” (June 2025); Pinsent Masons analysis; ADGM Guidance — Regulation of Virtual Asset Activities (VER07.100625); CBUAE Payment Token Services Regulation 2024; Central Bank Law 2025 (Digital Dirham).