TGRAF — the Technology Governance, Risk and Assurance Framework — is VARA's mandatory technology-controls regime for every licensed VASP. It requires each licensed firm to implement, document, assess and remediate a comprehensive technology-governance framework on an ongoing basis.
The honest position: TGRAF is the area where I see the deepest compliance gaps in licensed VASPs, particularly those that approached the application stage with a 'documentation-first' strategy. TGRAF is not a document. It is an operating discipline.
What TGRAF actually requires.
TGRAF imposes four core obligations on every licensed VASP:
- A documented technology governance framework covering identification of technology risk, design and operation of controls, governance and accountability, and the assurance regime.
- Annual self-assessment against the framework, with evidence that controls are operating as designed, not merely that they are documented.
- Independent assurance for higher-risk activity categories (exchange, custody, broker-dealer, asset management) or wherever VARA specifically requires it.
- Remediation tracking for identified gaps, with progress against milestones and board-level oversight.
The eight TGRAF domains.
TGRAF assessment covers eight technology-governance domains. Each must be evidenced as both designed and operating effectively:
| Domain | What VARA expects |
|---|---|
| 1. Technology governance & accountability | Board-level accountability, named senior owner (CIO/CTO), documented strategy, escalation framework |
| 2. Risk identification & assessment | Technology risk register refreshed quarterly, with owners, ratings and mitigation status |
| 3. Information security | ISO 27001-equivalent: access management, encryption, network security, endpoint protection, wallet key management |
| 4. Cyber resilience | Incident response framework, tested BCP/DR, scenario-tested cyber-attack response |
| 5. Outsourcing & third-party risk | Vendor inventory, due diligence, contract risk, ongoing monitoring for custody, KYC and analytics providers |
| 6. Change management | Change-management process, separation of duties, formal release approval |
| 7. Data governance | Classification, retention, deletion, UAE PDPL compliance, customer data integrity |
| 8. Technology assurance | Internal audit, independent assurance for higher-risk areas, evidence retention, board reporting |
The annual TGRAF cycle.
Each licensed VASP runs the TGRAF cycle on a 12-month rolling basis with four phases:
- Self-assessment (months 1-3). Evaluate each domain: the documented controls, evidence that they operate, the gaps identified, and a draft remediation plan.
- Independent assurance (months 4-6, where required). The assurance provider tests material controls and issues findings.
- Remediation planning (months 6-9). Gaps become a plan with owners, milestones and target dates. Board approves.
- Remediation execution & reporting (months 9-12). Monthly tracking, board updates, refreshed self-assessment to commence next cycle.
The licensed VASPs that come out of TGRAF assessment well are those that treat TGRAF as a year-round operating discipline, not a once-a-year evidence-gathering exercise.
Where most VASPs fall short.
Across the licensed VASPs we have supported, four gaps recur:
- Thin third-party risk management. Vendor lists exist but no ongoing due-diligence cadence. Custody providers, on-chain analytics, KYC providers and infrastructure hosts all need active management.
- Untested incident response. Playbooks exist on paper but have never been tested. VARA expects evidenced scenario testing — typically one tabletop exercise per quarter.
- Missing data-classification and retention. The UAE PDPL framework requires operational enforcement, not just policy text.
- Insufficient board reporting. Board packs mention technology in passing but contain no risk-rated reporting, no control-effectiveness reporting, no remediation tracking.
What independent assurance actually involves.
Where required, the assurance provider will typically:
- review the documented framework against VARA expectations;
- test sample control operation across each of the eight domains;
- walk through incident-response scenarios;
- review board-pack content and minutes;
- issue a written assurance report with findings, risk ratings and recommendations.
Building TGRAF properly: a sequencing playbook.
- Months 1-2: Refresh framework documentation. Name a senior owner. Establish board reporting cadence.
- Months 2-4: Rebuild the technology risk register. Run baseline self-assessment.
- Months 3-6: Build remediation plan. Assign owners. Begin operating end-to-end.
- Month 6: Engage independent assurance (where required).
- Months 6-12: Execute remediation, report progress monthly, refresh framework at month 12.
Conclusion.
TGRAF is not optional, not a documentation exercise, and not something that can be retrofitted under regulatory pressure. The VASPs that operate TGRAF as a genuine ongoing discipline find that supervisory engagement is much shorter and much less expensive. Neo Legal supports licensed VASPs through the full TGRAF cycle as part of its monthly regulatory supervision retainer.
