UAE makes Bitcoin wallets a crime risk in global tech crackdown

• The UAE’s Federal-Decree Law No. 6 of 2025 came into effect on 16 September.
• Article 62 places APIs, explorers, and decentralised platforms under Central Bank control.
• Article 61 regulates all marketing, emails, and online posts about crypto services.

In a sharp pivot from its crypto-friendly image, the United Arab Emirates has enacted sweeping new legislation that classifies basic cryptocurrency infrastructure, including Bitcoin wallets, as potentially criminal unless licensed by the Central Bank.

Legal experts from Gibson Dunn have flagged the law’s scope as unusually broad, warning that its language introduces significant risk for global technology providers.

This shift, embedded in Federal-Decree Law No. 6 of 2025, comes into force from 16 September and carries global consequences for developers and platforms offering crypto access.

The law replaces the 2018 banking statute and significantly widens the definition of financial activity. What sets this legislation apart is not only its scope but also its enforcement teeth.

Penalties for non-compliance range from fines of AED 50,000 to AED 500,000,000 (up to $136,000,000) and may include imprisonment.

Importantly, this applies not just to entities operating within the UAE but also to those whose products are accessible from within the country.

Licensing now applies to wallets, APIs and even analytics

The most consequential element of the new law is found in Article 62. It grants the Central Bank control over any technology that “engages in, offers, issues, or facilitates” financial activity.

The wording is broad enough to encompass self-custodial wallets, API services, blockchain explorers, analytics platforms, and even decentralised protocols.

This marks a fundamental change in how crypto infrastructure is regulated in the UAE.

Previously, licensing obligations focused on traditional financial entities, but the updated framework shifts this focus to include software and data tools.

According to developer analysis, even public-facing tools such as CoinMarketCap and open-source Bitcoin wallets may now require licensing to remain accessible within the UAE.

For the first time, developers may face criminal penalties for offering unlicensed crypto tools, even if they are based abroad.

This extension of jurisdiction signals a new regulatory posture that treats access to crypto as tightly as its ownership or exchange.

Communications and marketing now fall under regulation

The crackdown does not stop at financial infrastructure. Article 61 of the same law defines the marketing, promotion, or advertising of financial services as a licensable activity.

In practice, this means that simply hosting a website, publishing an article, or sharing a tweet about an unlicensed crypto service could be considered a legal violation if that content reaches UAE residents.

This change dramatically expands the compliance footprint for companies and developers.

Gibson Dunn highlights that these provisions materially broaden the enforcement perimeter, especially for firms with no formal presence in the UAE.

The law applies to communications that originate outside the country but are accessible inside it.

The result is a regulatory landscape where developers, content creators, and infrastructure providers must weigh whether their platforms are indirectly accessible by users in the UAE.

In many cases, avoiding legal exposure may require disabling access or halting service altogether.

Dubai’s free zones no longer shield crypto services

Over recent years, the UAE has positioned itself as a hub for blockchain innovation.

Jurisdictions such as Dubai’s Virtual Assets Regulatory Authority (VARA) and Abu Dhabi Global Market (ADGM) attracted global attention with purpose-built crypto licensing frameworks.

However, the new federal law overrides these free-zone arrangements, asserting Central Bank control nationwide.

Federal law supersedes any rules introduced by the UAE’s free zones, effectively dissolving the regulatory arbitrage that once drew companies to Dubai.

The broader context includes the country’s history of digital restrictions.

For instance, WhatsApp voice calls remain blocked across the UAE, reinforcing a consistent policy approach to centralised control over communications and digital tools.

While this may bring the UAE in closer alignment with international pressure from groups like the Financial Action Task Force, it also puts crypto service providers in a difficult position.

In other jurisdictions facing similar pressure, firms have withdrawn entirely to avoid enforcement risk.

Enforcement begins in 2026, with further rules expected

Entities have a one-year window from 16 September 2025 to come into compliance. This grace period may be extended at the discretion of the Central Bank.

During this time, further regulations are expected to clarify how these broad rules will be applied in practice.

Despite this, the scope of the law is already causing concern.

The language around facilitation and communication, combined with the severe penalties under Article 170, suggests that firms offering crypto tools globally must now consider the risk of incidental exposure to UAE users.

For software developers and platform operators, this marks a significant departure from the norms of decentralised access and open-source innovation.