21.8 C
New York

Key points of the “VARA Dubai Technology & Information Rulebook (Updated May 2025)” – Mandatory for VASPs

ComplianceUAE ComplianceGCCUAEUAE RegulatorVARA

Published:

Reading time: 5 min.

Original source: VARA_EN_169_VER20250519

1. Regulatory Context & Applicability

VARA’s Technology & Information Rulebook forms a binding component of the broader Virtual Assets and Related Activities Regulations 2023, and applies to all licensed VASPs in the Emirate of Dubai, including free zones (except DIFC).

It supplements existing Rulebooks (Company, Compliance & Risk, Market Conduct, and activity-specific rules), which means technology governance is not optional—it is considered a core prudential and conduct requirement.

For financial practitioners, think of this Rulebook as the digital operational resilience equivalent of MiCA’s ICT controls, MAS TRM Guidelines, the EU’s DORA framework, and CBUAE’s information security circulars—but purpose-built for digital assets.

2. Technology Governance & Risk Assessment (Part I — Sections A–K)

2.1 Mandatory Technology Governance & Risk Assessment Framework

(Sections I.A.1–7)

Every VASP must maintain a holistic, risk-based tech governance framework that explicitly covers:

  • Cybersecurity principles
  • System development lifecycle
  • Wallet & key management
  • Operational resilience
  • Staff competency
  • Algorithmic governance (where applicable)
  • Periodic testing & updates

The framework must scale with business size, transaction volumes, and complexity, and must follow international standards (ISO 27001, NIST CSF, DORA-like principles).

Key governance requirement:
→ A Chief Information Security Officer (CISO) must be appointed, responsible for this framework and for all confidentiality controls.

2.2 Cybersecurity Policy Requirements

(Section I.B)

The Cybersecurity Policy must be provided during licensing and updated annually. It must cover:

  • Information security & data classification
  • Access control & authentication (including MFA and session controls)
  • Consensus protocol considerations
  • Smart contract code validation & audit
  • Physical & environmental security
  • Client transaction safeguards (e.g., MFA when address changes occur)
  • Vendor & third-party management
  • Incident response & ransomware procedures
  • Threat-intel sharing with other VASPs (where appropriate)

Practitioner insight:
This aligns with a zero-trust architecture expectation and emphasises transaction-level risk controls, reflecting the unique theft/fraud risks in VA markets.

2.3 Regulatory Alignment With UAE Laws

(Section I.C)

VASPs must comply with:

  • Dubai Electronic Security Center standards (DESC Law No. 9 of 2022)
  • UAE federal data protection law (PDPL)
  • Central Bank’s Consumer Protection Regulation

This is important because VARA is layering sector-specific rules on top of national digital security legislation.

2.4 Cryptographic Keys & Wallet Management

(Section I.D)

This is one of the most rigorous components and reflects global best practice established from major crypto incidents. Requirements include:

Core obligations:

  • No single point of failure
  • Industry-grade private key storage (with online/offline segregation)
  • Physical separation between primary key and seed backups
  • Strict access policies & full audit logs
  • Quarterly internal access reviews
  • Immediate revocation processes for key signatories
  • Guidance to clients on key protection

Practitioner insight:
VARA expects institutional-grade custody controls, similar to top custodial banks and SEC/FINRA standards applied to digital asset custodians.

2.5 Testing & Audit Requirements

(Section I.E)

VASPs must undergo:

  1. Annual independent penetration tests & vulnerability assessments
  2. Smart contract audits prior to deployment
  3. Quarterly internal audits of access and key management
  4. Threat-Led Penetration Testing (TLPT) if required by VARA

TLPT expectations mirror the CBEST/IBEST frameworks used for critical financial infrastructure. External testers must be reputable, certified, and have suitable insurance.

2.6 Transaction Controls & Blockchain Monitoring

(Section I.F)

VASPs must:

  • Prevent automated trading system manipulation or collusion
  • Implement chain-analytics screening tools for both incoming & outgoing transactions
  • Integrate Suspicious Transaction alerts into their AML/CFT procedures

This effectively mandates on-chain AML/KYT tools.

2.7 Algorithm Governance

(Section I.G)

For any algorithmic processes (trading, risk scoring, pricing, routing):

  • Board oversight must be demonstrable
  • Full documentation of logic, assumptions, data sources & potential biases
  • Ongoing testing & monitoring

This is especially relevant for market-making, liquidity-provision, and AI-based risk scoring.

2.8 Business Continuity & Disaster Recovery (BCDR)

(Section I.H)

Annual testing & updating of a BCDR is mandatory, covering:

  • Cyber events, DLT/network disruptions
  • Staff & system resource requirements
  • Data integrity validation
  • Alternate operating sites
  • Post-incident protocol upgrades

Practitioner insight:
The rulebook emphasizes DLT-specific failover risks, such as network-level forks and key compromise.

2.9 Reporting Requirements

(Section I.K)

Material cybersecurity or BCDR-triggering events must be reported to VARA within 72 hours, including full details and actions taken.

This matches global regulatory norms (GDPR, PDPL, MAS, FCA).

3. Personal Data Protection Obligations (Part II)

3.1 Compliance With PDPL & Other Jurisdictional Laws

VASPs must comply with:

  • UAE PDPL (Federal Decree-Law No. 45 of 2021)
  • Any relevant free-zone regulations
  • Any non-UAE data laws applicable to cross-border operations

The Rules emphasize:

  • Data storage location transparency
  • Cross-border transfer controls
  • Protection of personal data through lifecycle

3.2 Mandatory Data Protection Programme

Includes:

  • Appointment of a Data Protection Officer (DPO) (may also be the CISO)
  • Internal function responsible for PDLP compliance
  • Controls proportionate to data sensitivity and risk

3.3 Reporting to VARA

(Section II.C)

VASPs must notify VARA within 24 hours if:

  • They notify any data regulator (e.g., UAE Data Office), or
  • They notify a Data Subject of a breach

Summary copies of regulator reports must also be shared.

4. Confidential Information Requirements (Part III)

VASPs must:

  • Maintain strict confidentiality of all client information
  • Limit usage only to purposes for which data was collected
  • Train staff regularly and certify adherence
  • Prevent internal & external misuse
  • Prohibit use of client information for Virtual Asset trading in any capacity

This section mirrors bank-grade confidentiality standards.

5. Schedule 1 — Practical Guidance for VASPs’ Risk Frameworks

Schedule 1 offers non-binding but authoritative guidance across five risk categories:

5.1 Organisational Risks

Emphasis on:

  • Documented security frameworks
  • Secure development lifecycle (DevSecOps)
  • Workforce management controls (background checks, endpoint security)
  • Third-party risk management
  • Comprehensive infrastructure mapping

5.2 Technical Risks

Controls expected include:

  • HSM-based key generation
  • Multi-signature requirements
  • Wallet creation protocols with oversight
  • Smart contract verification
  • Strong authentication mechanisms
  • Key compromise response plans

This is one of the most detailed sections and reflects VARA’s high expectations around preventing operational crypto-asset loss.

5.3 Detection & Response

VASPs must maintain:

  • Real-time transaction monitoring (machine learning encouraged)
  • Internal behaviour analytics
  • Enhanced logging and system monitoring
  • Tactical hardening measures (rapid isolation, emergency controls)
  • On-chain forensics capabilities
  • Formal remediation protocols

5.4 Customer Virtual Asset Risks

Focus on:

  • MFA for all customer accounts
  • Withdrawal limits & cooling-off periods
  • Education against phishing & social engineering
  • Cold storage diversification strategies

5.5 Digital Operational Resilience

This mirrors the EU DORA framework, requiring:

  • Annual independent testing
  • Full-suite operational resilience tests (vulnerability scans, code reviews, gap analysis, penetration tests, scenario-based tests)
  • Continuous remediation & validation

6. Schedule 2 — Definitions

Schedule 2 provides clarity on defined terms such as:

  • VASP
  • VA Wallet
  • Critical or Important Functions
  • HSM
  • Threat-Led Penetration Testing
  • Personal Data
  • CISO / DPO
    …and more.

Key Takeaways

VARA expects VASPs to operate with the same level of cybersecurity, governance, and data protection controls as regulated financial institutions, but with additional digital-asset-specific safeguards.

Top 10 Controls VARA Considers Essential

  1. CISO appointment & governance integration
  2. Institutional key & wallet management (HSMs + multisig)
  3. Annual independent security audits & smart contract testing
  4. Threat-Led Penetration Testing (TLPT) when required
  5. Deep transaction monitoring & blockchain analytics (KYT)
  6. Strong authentication for both staff and customers (MFA minimum)
  7. End-to-end BCDR and cyber event preparedness
  8. Data protection compliance with PDPL & global standards
  9. Robust algorithm governance for automated VA operations
  10. Strict confidentiality protocols fully aligned with financial norms

Dr. Nick
Dr. Nick

Related articles

spot_img

Recent articles

spot_img
Premium Content

© Newspaper WordPress Theme by TagDiv