In June 2026 VARA issued notices of fines against offshore virtual-asset exchanges for providing broker-dealer and exchange services to customers in Dubai without a licence, some over a period running from 2022 to early 2026, and directed them to cease and desist. The firms cooperated, complied, and said they intend to enter the licensing process. The message underneath the action is the one that matters for any virtual-asset business: a global brand and an offshore legal structure do not put you outside VARA\u2019s reach when your product reaches Dubai users. The licence perimeter is a live control, not a legal question answered once at incorporation.

That reframing is the point. Plenty of firms treat licensing as a status, something you either hold or do not, established at the start and forgotten. That view was always risky, and the June actions make the cost of it concrete. VARA is treating the perimeter as an operating boundary that has to hold every day: which legal entity is doing which activity, for which customers, promoted through which channels. When any one of those drifts across the line, the firm is offside, whether or not anyone intended it.

The perimeter is a standing rule, not a new one

Dubai Law No. 4 of 2022, Cabinet Resolution No. 111/2022 and the VARA Regulations and Rulebooks establish a general prohibition on carrying out virtual-asset activity by way of business in or from Dubai, excluding the DIFC, unless authorised and licensed by VARA. The June 2026 actions do not change that. They show VARA enforcing it against offshore operators and, in parallel, holding already-licensed firms to their post-licensing control obligations.

The perimeter has four dimensions, and a firm can be inside on three and offside on the fourth. The view below takes each dimension, what being inside it means, where firms breach it, and the control that holds the line. Tap any dimension.

The four dimensions of the licence perimeter

Tap a dimension for what inside means, where firms breach, and the control that evidences it

A general reading of how the VARA licence perimeter operates, not a compliance assessment of any firm and not advice on whether a licence is required. Licensing questions depend on your specific facts and should be confirmed with VARA and qualified legal advice.

Read across the four and the same theme returns: each dimension is only under control if the firm can evidence it, entity by entity, activity by activity, market by market. A licence certificate in a drawer proves none of it. What proves it is a live record of which entity is authorised for which activity, who was allowed to onboard, and what was approved for promotion in which market.

Excl. DIFC
VARA is the competent authority for virtual-asset services in or from Dubai, excluding the DIFC, so the perimeter is jurisdiction-specific and precise (VARA)
2022-2026
The period over which offshore exchanges were found to have served Dubai customers without a licence, showing the perimeter is tested over time, not at a moment (reported)
Two fronts
VARA is acting against unlicensed operators and, separately, against licensed firms for post-licensing control failures, so the perimeter matters before and after a licence (reported)

One dimension deserves particular care, because it trips up firms that think they have it covered: the DIFC boundary. VARA regulates virtual-asset activity in or from Dubai but not within the DIFC, which runs its own regime. A group operating across both has two perimeters, not one, and an activity that is authorised in one may be unlicensed in the other. Getting that boundary wrong is not a technicality, it is the difference between being inside the perimeter and outside it, and it has to be mapped and evidenced like every other dimension.

What a perimeter evidence system holds

For a licensed VASP, or one entering the process, the operational job is to keep the perimeter provable at all times. That is distinct from the platform that runs the trading or custody itself. It sits beside your VARA-compliant VASP platform and your custody systems, and holds the record that the perimeter held. None of it is exotic. It is the disciplined capture of decisions the firm already makes, turned into evidence.

Legal-entity and activity map

Every licensed activity tied to the exact entity authorised for it, so the group can show which entity may do what, and catch an affiliate drifting into activity it is not licensed for.

Customer-geography gating

Access controls that gate customers in or from Dubai until the entity is licensed, with a record of who was admitted and who was blocked, so serving Dubai users is a recorded decision.

Product and marketing approval

An approval workflow for products and marketing by market, so promotion reaching Dubai users is checked and recorded, since advertising without approval is a breach on its own.

Remediation and attestation

Any cease-and-desist or supervisory finding tracked to closure, with management attestations that the perimeter controls operate, so the firm can show it acted and stays inside the line.

Perimeter dimension Treated as status Treated as a live control
Legal entity We hold a licence somewhere This entity is authorised for these activities, mapped
Activity We are a licensed VASP New products checked against the licensed-activity matrix
Customer geography We are offshore Dubai users gated and the decision recorded
Marketing Global campaigns run everywhere Promotion approved per market and evidenced

A licence is a boundary to keep inside every day, across every entity, activity and market, not a place you arrive at once. The firms that get caught are usually the ones that treated it as a status set at the start.

A clear word on what we build. We build software. We are not a VARA licensing consultant, a legal adviser, or a regulated firm, and we do not decide whether your business needs a licence, whether a specific activity is in scope, or whether you are compliant. Those are matters for your legal advisers and for VARA. We build the operational evidence layer that helps a licensed firm, or one entering the process, keep its perimeter controls provable. This is not for a firm looking to keep operating without a licence, and it is not a substitute for getting one.

Questions VASPs are asking

VARA found that offshore virtual-asset exchanges had provided broker-dealer and exchange services to customers in Dubai without the necessary licence, in one case with know-your-customer failures, and imposed enforcement measures and financial penalties, directing them to cease and desist. The firms cooperated and indicated they would enter the licensing process. VARA published the notices; the fine amounts were withheld from the public notices. The authoritative text is VARA\u2019s own notice.

No, and that is the central lesson. VARA regulates virtual-asset activity carried out in or from Dubai, excluding the DIFC. Serving Dubai customers, or promoting services accessible to them, brings a firm within the perimeter regardless of where the legal entity sits. An offshore structure and a global brand do not substitute for a VARA licence when the activity reaches Dubai users.

No. We are an independent software engineering company. We are not a VARA licensing consultant, a legal adviser, or a regulated firm, and we are not affiliated with or endorsed by VARA. We do not decide whether your business needs a licence, whether an activity is in scope, or whether you are compliant. We build the operational evidence layer for perimeter controls. For licensing and legal questions, rely on VARA and qualified legal advice.

Because the perimeter has to hold after licensing too. VARA has acted against already-licensed firms for post-licensing control failures, not only against unlicensed operators. A licensed VASP still has to show that each entity stays within its authorised activities, that customer access and marketing stay inside the perimeter, and that findings are remediated. The evidence layer keeps that provable rather than assumed.

No, and we would not build it for that. The honest use of this is for a licensed firm, or one entering VARA\u2019s licensing process, that wants to keep its perimeter controls evidenced. A firm trying to operate outside the perimeter does not need software, it needs to stop or to get licensed. We would say so.

The two sit together. The VARA actions cited breaches that included both unlicensed activity and know-your-customer failures under UAE anti-money-laundering law. A perimeter that is under control still has to be backed by AML and sanctions controls that operate and can be evidenced, which is the same evidence discipline applied to a different obligation. Both are about proving a control worked, not just that a policy exists.

Dubai has moved from expanding virtual-asset licensing to supervising the market it built, and the perimeter is where that supervision starts. For a firm inside it, a licence certificate is no defence on its own. What defends the firm is the ability to show, at any moment, which entity is authorised for which activity, which customers were admitted, and what was promoted where. That evidence is buildable, and it is ordinary software work done against a boundary the regulator now treats as live. The firms entering VARA’s process with that record already in place are the ones that will find supervision, when it comes, an exercise in showing rather than scrambling.

References to VARA, Dubai Law No. 4 of 2022, Cabinet Resolution No. 111/2022, Federal Decree-Law No. 10 of 2025, the VARA Regulations and Rulebooks, and the June 2026 enforcement actions are descriptive of publicly available frameworks and publications as reported at the time of writing. Details, including the period of unlicensed activity and the withholding of fine amounts, are drawn from public reporting and official notices, are point-in-time, and represent no specific named firm. BY BANKS is an independent software engineering company; we design and build software and hand it over. We are not a VARA licensing consultant, a legal adviser, a regulated or licensed firm, or affiliated with or endorsed by VARA or any authority. On any engagement, the firm owns its licensing, regulatory, and compliance decisions and responsibility for their implications. This article is not legal, regulatory, or licensing advice; readers should obtain qualified advice for their specific circumstances and rely on VARA and its published notices for current requirements. Public sources used in this piece are listed on our Sources and Data page.