A professional blog banner featuring an analog alarm clock hanging by a chain over a stack of papers. To the left, bold text reads: "SEPTEMBER 16, 2026: THE CBUAE DEADLINE YOUR BUSINESS CANNOT MISS." A small sign on the papers simply says "Deadline."

Federal Decree-Law No. 6 of 2025 is not a policy update. It is a structural reset of how financial services, fintech platforms, and technology providers operate in the UAE mainland. The clock is running — and most businesses are behind. 

 

On September 8, 2025, the UAE issued Federal Decree-Law No. 6 of 2025. Eight days later it was live. Every bank, insurer, payment provider, fintech platform, and technology company that facilitates financial services in the UAE mainland is now operating under its scope — whether they know it or not. 

The law replaced two earlier frameworks simultaneously: the 2018 Central Bank Law and the 2023 Insurance Decree. In their place sits a single, unified regulatory structure governed by the Central Bank of the UAE (CBUAE). The consolidation is not cosmetic. It changes who needs a licence, what penalties look like, and how much authority the regulator now holds over your operations. 

Affected entities have one year from September 16, 2025 to get compliant. That window closes on September 16, 2026. 

 

A quote block citing Article 62 of Federal Decree-Law No. 6 of 2025. It states that every person carrying on, offering, issuing, or facilitating any Licensed Financial Activity, directly or indirectly and regardless of the technology used, must be licensed by the CBUAE.

First: Are You Even Subject to This Law? 

Before anything else, executives need to answer one foundational question: does this law apply to your business? The answer depends on two things — what your business does, and where it operates. 

The Geographic Boundary 

This law governs the UAE mainland. It does not apply to entities operating within the UAE’s Financial Free Zones — specifically the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM). Those jurisdictions have their own regulatory frameworks, governed by the DFSA and FSRA respectively. 

If your business is incorporated and licensed entirely within the DIFC or ADGM, Federal Decree-Law No. 6 of 2025 does not directly govern you. However, if your business operates across both a free zone and the UAE mainland — serving customers or running operations outside the free zone perimeter — the mainland activities are in scope. Many businesses that believe they are fully free-zone-protected are not, because their actual service delivery crosses that boundary.

Who This Law Actually Captures 

The instinct from many leadership teams has been to treat this as a banking regulation. That instinct is wrong, and acting on it is what creates exposure. 

The 2018 law regulated financial institutions. The new law regulates financial activities — and any entity that enables them. That distinction pulls in a wide range of businesses that previously sat outside the regulatory perimeter. 

If your business does any of the following in the UAE mainland, you are in scope: 

 

An "In-Scope Activity Checklist" for the new CBUAE law. The checklist includes: processing virtual asset payments, operating deposit or credit APIs, providing open finance data-sharing, running decentralized applications or protocols, offering insurance-adjacent services, providing digital wallets or stored value facilities, offering money exchange, and building infrastructure that intermediates financial activity.

The law explicitly states it applies regardless of the technology or form used. That language was written to close the argument that technology providers are “just infrastructure.” Under this law, there is no just infrastructure if the infrastructure enables a licensed financial activity.

What Changed, Specifically 

Scope expansion 

The licensed financial activity list now expressly includes open finance services, payment services using virtual assets, and the operation of platforms or protocols that facilitate financial services. If you offer any of these — or if your technology enables someone else to — you need a CBUAE licence. Existing licensees under the 2018 framework cannot assume their current licence covers the expanded scope. Many will need to apply for additional permissions or update their regulatory classification. 

Penalties and enforcement — a fundamental shift 

Administrative fines: Maximum increased from AED 200 million to AED 1 billion. The CBUAE can now collect fines by directly debiting accounts held with it or any licensed financial institution — immediate recovery, no court proceedings required. 

Criminal liability: Conducting a licensed financial activity without authorisation is now a criminal offence. Penalties include imprisonment and fines between AED 50,000 and AED 500 million. 

Operational consequences: The regulator can revoke licences, appoint administrators to take over management, and publish enforcement decisions publicly. A published enforcement notice is not just a financial penalty — it is a permanent reputational mark in a market where institutional trust is everything. 

Early intervention: The CBUAE can intervene before a business fails — requiring capital increases, structural changes, removal of senior management, or forced mergers. This is a standing power, not a last resort. 

What enforcement looks like 

Consider a concrete scenario: a UAE-based payment platform added virtual asset payment functionality in 2024. The team that built it did not flag it for regulatory review. No one at the leadership level assessed whether the feature constitutes a licensed financial activity under the new law. 

Real-World Scenario 

After September 16, 2026, the CBUAE identifies the virtual asset payment activity during a routine examination. The platform holds no licence for that specific activity. The regulator issues a formal notice. An administrative fine follows — potentially in the hundreds of millions of dirhams. The enforcement decision is published. The platform’s banking partners are notified. Existing licences come under review. Senior management faces personal scrutiny under the law’s governance accountability provisions.

The product feature that triggered this was not a core service. It was an add-on. No one asked whether it fell within scope under the new law. That single gap in governance is what makes this scenario real for many organisations operating in UAE fintech today. 

A new recourse mechanism — the Grievances and Appeals Committee 

For the first time, the law establishes a formal Grievances and Appeals Committee — an independent body to handle complaints against CBUAE enforcement decisions. Appeals from this committee can be escalated to the Higher Federal Court. This is a meaningful new channel for businesses that face enforcement actions. It provides structured recourse where there was none before. That said, it is a mechanism for when things go wrong — not a reason to approach the deadline with anything less than full seriousness. 

Technology providers directly in scope 

For the first time, the CBUAE has explicit statutory authority over digital platforms, decentralised applications, protocols, and any technological infrastructure that facilitates financial services. This is Article 62 in plain terms. If your company builds the technology that enables a financial activity, you are subject to the same licensing requirement as the entity delivering that activity to the end user. 

Banking and insurance consolidated 

If you operate across both banking and insurance sectors, you previously dealt with two separate legal regimes. They are now consolidated under one framework. This changes licensing structure, governance requirements, and how consumer protection obligations are met across product lines. Businesses operating in both spaces should treat the consolidation as an opportunity to streamline, but also as a trigger to audit whether their current structure reflects the unified requirements. 

Digital Dirham — compliance boundary and commercial signal 

The Digital Dirham now has formal legal status as currency. The CBUAE holds exclusive authority over digital payments infrastructure, tokenisation, stored value, and cross-border digital payments. For payment platform operators, this is both a compliance boundary — your virtual asset payment services must be clearly distinguished from Digital Dirham infrastructure — and a commercial signal. The UAE is building regulated digital currency infrastructure at a national level. The businesses that establish compliant operating positions now are the ones that will be positioned to participate in what comes next. 

ESG embedded in statutory mandate 

Sustainable finance, climate-related risk disclosures, and ESG governance are now written into the CBUAE’s core statutory objectives. Licensed institutions are expected to reflect this in board-level governance, risk frameworks, and disclosures. It is an obligation, not an aspiration — and for businesses that have not yet integrated ESG into their governance, it is an additional compliance dimension to address alongside the licensing work.

The Compliance Timeline 

An infographic titled "The Migration Path to 2026" outlining a 4-step approach to compliance: 1. Surgical Audit (identifying architecture failures), 2. Functional Mapping (aligning fintech layers like KYC bots to standards), 3. Pilot Workloads (testing workflows with low-risk data), and 4. Team Training

The CBUAE retains discretion to extend this period. Do not plan around that possibility. Licensing processes in the UAE are detailed — they require documentation of systems, governance frameworks, capital adequacy, and controls. None of that happens in a few weeks. An application submitted in August is not the same as a licence in hand by September. The extension may or may not come. Your planning should assume it does not.

What Executives Need to Decide Now 

This is not a task to assign to a compliance manager and revisit in three months. The decisions sit at the leadership level, and the time for sequential thinking — first legal, then technical — is over. 

Do you know whether your activities fall within scope?  

The answer requires legal analysis against the actual text of the law, not assumption based on how you described your business in 2022. The language around “facilitating” and “enabling” is deliberately broad. Many technology companies in UAE fintech have discovered they are in scope when they believed they were not. 

Is your current licensing status adequate?  

A trade licence is not a CBUAE regulatory licence. An existing licence under the 2018 framework may not cover activities that are newly classified as requiring authorisation under the 2025 law. Do not assume continuity where there may be a gap. 

Have you assessed your technology infrastructure?  

Article 149’s fraud prevention obligations alone require system-level changes at many organisations. If your platform touches financial activities — even as middleware, an API layer, or a data conduit — you may need to restructure how it operates or how it is classified. 

Is your board engaged?  

A documented, board-approved implementation plan with milestones and budget is not a bureaucratic formality. It is what the CBUAE expects to see as evidence of governance-level accountability for the transition. “We were working on it” is not a defensible position. 

Are legal and technology tracks running together?  

Your legal counsel defines what compliance requires. Your technology partner determines whether your systems can deliver it. These two tracks must run in parallel. Every organisation that starts the technology work after the legal review is done loses months it does not have. 

The CBUAE extension discretion is real. The deadline may move. But plan for September 16 as a fixed endpoint. If the extension comes, you are ahead. If it does not, and you were counting on it, your business faces enforcement with no runway left to respond.

Where Mindster Fits In 

Mindster is a technology development company with a UAE presence and fintech engineering experience across the Gulf region. The CBUAE compliance deadline creates a specific set of technology problems. Here is where Mindster’s work maps directly to what the law requires.

KYC / AML Systems 

Automated identity verification, sanctions screening, and anti-money laundering checks embedded in onboarding and transaction flows. Article 149 makes fraud prevention and detection a legal requirement — not a product feature. Mindster builds this into the platform layer with the full audit trail CBUAE inspection demands. 

 

Compliance-Ready Architecture 

Gap analysis of existing systems against the new law’s technical requirements, then rebuild or adapt what falls short. Covers PCI-DSS adherence, encryption, data governance, consumer protection controls, and reporting infrastructure. For legacy platforms, this is typically component-level remediation — faster and more targeted than a full rebuild. 

 

Open Finance Integration 

API-first infrastructure for regulated data-sharing across banking, insurance, and financial products. Consent management, permissioned access, and secure data exchange built to the open finance standards the law formally requires. This is new territory for most organisations outside core banking. 

 

Digital Wallet & Payment Platforms 

End-to-end wallet platforms with multi-currency handling, virtual asset payment support, real-time fraud detection, and biometric authentication. Built to the monitoring and security standards the CBUAE requires — and delivered at scale across the Gulf market.


 

WPS & Exchange House Systems 

Wage Protection System integrations, cross-border transfer infrastructure, and currency exchange platforms. All carry specific CBUAE licensing requirements. Mindster has delivered these for UAE exchange houses and remittance providers, with compliance controls built in from the start — not added after. 

 

Audit Trails & Reporting 

Automated compliance report generation, tamper-evident audit trail tracking, and legal compliance documentation tooling. The CBUAE’s enhanced inspection and early intervention powers mean your systems must produce records on demand. Mindster has built this for fintech and microfinance operations where regulatory auditability was a core delivery requirement. 

        

The September 16 deadline is a technology problem as much as a legal one. The conversation about your systems needs to start now — not after your legal review concludes.

The Bottom Line 

Federal Decree-Law No. 6 of 2025 is live. The deadline is September 16, 2026. There is no ambiguity about either of those facts. 

If you are on the UAE mainland and your business touches a financial activity — or enables one — you need a CBUAE licence. A trade licence is not that. An old licence is not automatically that. A free zone registration is not that if your operations cross the mainland boundary. 

Miss the deadline and you are looking at criminal liability, fines up to AED 1 billion, a published enforcement decision, and a regulator that now has the power to walk into your business before it even reaches that point. 

Two questions need answers this week: are you in scope and are your systems ready. The first is a legal question. The second is a technology question. Five months is not enough time to answer them sequentially. 

FAQs and Answers

1. What is Federal Decree-Law No. 6 of 2025?

Federal Decree-Law No. 6 of 2025 is a UAE law that replaced the 2018 Central Bank Law and the 2023 Insurance Decree, consolidating both into a single regulatory framework governed by the Central Bank of the UAE (CBUAE). It came into force on September 16, 2025. 

The law expanded what counts as a regulated financial activity, who needs a CBUAE licence, what penalties apply for non-compliance, and how much enforcement authority the CBUAE holds. Its most significant change is that regulation now follows the activity — not the institution. Any entity that facilitates a licensed financial activity, regardless of how it describes itself, is in scope.

2. What is the compliance deadline for Federal Decree-Law No. 6 of 2025? 

The compliance deadline is September 16, 2026. The law came into force on September 16, 2025, and granted affected entities a one-year transition period to regularise their position with the CBUAE. After September 16, 2026, enforcement applies in full — including criminal liability for unlicensed financial activity. 

 

3. Can the CBUAE extend the September 16, 2026 deadline?  

Yes. The CBUAE holds discretion under the law to extend the one-year transition period. As of April 2026, no extension has been announced. Businesses should not plan around one. CBUAE licence applications require detailed documentation of systems, governance, and controls — a process that takes months. If no extension is granted and a business has not started its compliance work, there will be no time to recover. 

 

4. What did Federal Decree-Law No. 6 of 2025 replace?  

The law replaced two earlier frameworks simultaneously: Federal Decree-Law No. 14 of 2018 (the Central Bank and Monetary System Law) and Federal Decree-Law No. 48 of 2023 (the Insurance Law). Both are repealed and absorbed into the unified 2025 framework under CBUAE governance. 

 

5. Who does Federal Decree-Law No. 6 of 2025 apply to?  

The law applies to any person or entity that carries on, offers, issues, or facilitates a licensed financial activity in the UAE mainland — regardless of the technology or form used. This includes banks, insurers, payment providers, fintech platforms, digital wallet operators, exchange houses, remittance companies, open finance providers, and technology companies whose platforms or APIs enable financial services. The key change from the 2018 framework: the law regulates activities, not institutions. If your technology enables someone else to conduct a licensed financial activity, you are in scope. 

 

6. Does CBUAE Law No. 6 of 2025 apply to companies in the DIFC or ADGM? 

No — the law applies to the UAE mainland only. Entities incorporated and operating entirely within the DIFC or ADGM are governed by the DFSA and FSRA respectively. However, if a DIFC or ADGM entity also serves customers or runs operations on the UAE mainland, those mainland activities are in scope. Many businesses that assume full free-zone protection are partially exposed because their service delivery crosses that boundary.

 

7. Are technology companies regulated under the new CBUAE law?  

Yes. Article 62 explicitly extends the licensing requirement to any entity that facilitates a licensed financial activity, regardless of the medium or technology used. Digital platforms, APIs, decentralised applications, protocols, and infrastructure that enables or intermediates financial services all fall within scope. Technology providers can no longer rely on the position that they are “just infrastructure.” If what your technology enables requires a CBUAE licence, you need one too. 

 

8. Do existing CBUAE licensed businesses need to take action before September 2026?  

Yes. Businesses already licensed under the 2018 Central Bank Law cannot assume their existing licence covers all activities under the 2025 framework. The expanded scope — particularly around open finance, virtual asset payment services, and technology-facilitated activities — may require existing licensees to update their classification or apply for additional permissions. Every licensed institution should conduct a gap analysis against the new law’s activity definitions, not assume continuity. 

 

9. Does UAE Federal Decree-Law No. 6 of 2025 apply to virtual asset businesses?  

Partially. The law covers virtual assets used as a payment instrument. Payment services using virtual assets are a licensed financial activity under CBUAE. Virtual assets held or traded for investment purposes fall outside this law and may fall under VARA (in Dubai) or SCA jurisdiction. Businesses operating across both use cases may need separate licences from multiple regulators. The CBUAE deadline does not satisfy VARA or SCA obligations. 

 

10. What is the difference between a UAE trade licence and a CBUAE regulatory licence?  

A UAE trade licence permits a business to operate commercially in the UAE. A CBUAE regulatory licence specifically authorises a business to carry on a licensed financial activity under Federal Decree-Law No. 6 of 2025. They are different instruments issued by different authorities. Holding a trade licence does not satisfy the CBUAE licensing requirement. Businesses conducting in-scope financial activities with only a trade licence are non-compliant under the new law, regardless of how long they have been operating. 

 

11. What are the penalties for non-compliance with CBUAE Law No. 6 of 2025? 


Administrative fines: up to AED 1 billion, increased from the previous maximum of AED 200 million. The CBUAE can recover fines by directly debiting accounts held with any licensed financial institution — no court proceedings required.

Criminal liability: conducting a licensed financial activity without CBUAE authorisation is a criminal offence, with penalties including imprisonment and fines between AED 50,000 and AED 500 million.

Operational consequences: the CBUAE can revoke licences, appoint administrators, and publish enforcement decisions publicly.
 

 

12. Can the CBUAE intervene in my business before the deadline?  

Yes. The new law gives the CBUAE explicit early intervention powers — the ability to act before a business reaches the point of formal enforcement. This includes requiring capital increases, mandating structural changes, removing senior management, and in extreme cases forcing mergers or appointing an administrator. These are standing powers under the law, not last resorts triggered only after a breach. 

 

13. What is the CBUAE Grievances and Appeals Committee? 

The Grievances and Appeals Committee is a new formal body established under Federal Decree-Law No. 6 of 2025 to hear complaints against CBUAE enforcement decisions. It did not exist under the 2018 framework. Decisions of this committee can be further appealed to the Higher Federal Court. It gives businesses a structured legal channel to challenge enforcement actions — meaningful recourse that was previously unavailable. It is not a substitute for compliance.

 

14. What technology requirements does CBUAE Law No. 6 of 2025 introduce? 

Article 149 requires all licensed institutions to implement fraud prevention and detection systems, customer notification processes, and full cooperation mechanisms with CBUAE investigations. Beyond Article 149, compliant operations require KYC and AML-integrated onboarding, tamper-evident audit trail infrastructure, data governance and encryption controls, and regulatory reporting systems capable of producing records on demand during CBUAE inspections. These are system-level requirements — not policy documents. An organisation that has the policies but not the underlying technology does not meet the standard.

 

15. What new financial activities require a CBUAE licence under the 2025 law?  

The 2025 law added three categories not explicitly covered before: open finance services (regulated data-sharing across financial products), payment services using virtual assets, and the operation of digital platforms or protocols that facilitate financial services. Insurance and insurance-adjacent services, previously governed by a separate decree, are now fully integrated into this framework. If your business touches any of these and you have not assessed your licensing position, that is the starting point. 

 

16. How can Mindster help businesses meet the CBUAE compliance deadline? 

Mindster (mindster.com) is a UAE-based technology company operating from Sharjah Research Technology and Innovation Park, with fintech engineering experience across the Gulf region. Mindster builds the technology systems that CBUAE compliance requires: KYC and AML-integrated platforms, digital wallets with real-time fraud detection, open finance API infrastructure, audit trail and compliance reporting systems, WPS integrations, and compliance-ready payment platforms. For organisations that have confirmed their legal compliance position and need the technology to deliver it, Mindster is the build partner for that work. 

 

17. What fintech systems has Mindster built for UAE clients?  

Mindster has delivered digital wallet platforms handling millions of transactions, Wage Protection System integrations for UAE exchange houses, cross-border remittance platforms, KYC and AML-integrated onboarding systems, open finance API infrastructure, and compliance reporting tooling for fintech and microfinance operators across the UAE and Gulf region. All are built with the security, auditability, and regulatory controls that licensed financial activity in the UAE demands.