VARA 2.0 refers to the consolidated supervisory framework the Dubai Virtual Assets Regulatory Authority has rolled out across all licensed VASPs since 2024. It is not a single new rulebook — it is the cumulative tightening of ongoing reporting, the formal 12-month rolling supervision cycle, and the operational rollout of TGRAF, NLA monitoring and Wind Down Plan testing as live obligations rather than application-stage documents.

Most licensed VASPs we work with are surprised at how quickly the operational compliance burden has scaled. A VARA licence is no longer a one-time achievement — it is an ongoing supervised relationship that requires a properly resourced compliance function, real-time monitoring of capital, technology assurance, and documented evidence that every major regulatory commitment is being honoured.

What the rolling 12-month supervision cycle looks like in practice.

VARA's supervision cycle is now a continuous calendar of monthly, quarterly, semi-annual and annual obligations rather than a year-end filing event. The most material items each licensed VASP needs to manage:

  • Monthly: NLA monitoring, AML/CFT transaction monitoring reports, suspicious activity reporting (where triggered), key risk indicator dashboards.
  • Quarterly: Capital adequacy and prudential reports, governance and risk committee minutes, complaints register, conflicts log review.
  • Semi-annual: TGRAF maturity self-assessments, business plan variance reviews, key personnel attestations, cyber-incident summaries.
  • Annual: Full TGRAF assessment with auditor sign-off, Wind Down Plan test and refresh, fit-and-proper re-attestation for Responsible Individuals, audited financial statements, AML/CFT independent audit, Pillar Two/QDMTT assessment for in-scope groups.

The reporting failures that trigger formal regulatory action.

The single most common cause of formal VARA action against licensed VASPs is reporting failure — not substantive misconduct. Three categories account for the majority of issues we see:

  1. Late filing. Submitting a return one day late carries the same regulatory significance as a non-filing. The submission window matters more than most operators realise.
  2. Incomplete content. Forms submitted with placeholder responses, omitted sections, or attached documents that pre-date the reporting period are routinely rejected and may be treated as non-compliant filings.
  3. Inconsistency across reports. Where two reports across the same period disclose different headcount, capital, or transaction volumes, VARA will request reconciliation and may open a broader supervisory review.
The licensed VASPs that come out of supervisory engagement well are those that treat each report as if it will be the document VARA holds against them in a future enforcement action. Because eventually one of them will be.

TGRAF: the most under-resourced obligation.

The Technology Governance, Risk and Assurance Framework is one of VARA's most technically demanding obligations and the area where we see the deepest compliance gaps. TGRAF requires:

  • A documented technology governance framework covering risk identification, mitigation, and assurance.
  • Annual self-assessment against the framework, with documented evidence of operating effectiveness.
  • Independent assurance for higher-risk categories.
  • Remediation plans for identified gaps, with documented progress against milestones.
  • Board oversight evidenced through minutes, risk reporting and accountability allocation.

Most VASPs that approached licensing with a thin TGRAF (sufficient to pass application review) now find themselves rebuilding the framework from scratch to support live supervision. Building TGRAF as a real operational discipline — rather than a documentation exercise — is the only sustainable approach.

NLA: the calculation that the operations team must own.

Each VARA licence category carries a Net Liquid Asset (NLA) minimum threshold that must be maintained continuously. The thresholds vary materially by category and operating profile, and VASPs must:

  • Calculate NLA monthly (at minimum), with the operations and finance teams owning the methodology and evidencing it.
  • Notify VARA proactively when NLA approaches threshold — typically at 110% of minimum.
  • Have a documented remediation plan that the board has reviewed and approved.
  • Maintain a Wind Down Plan that includes capital projections under stress scenarios.

NLA breaches that are self-reported and properly remediated are treated very differently from those VARA identifies through return reconciliation. The discipline of monitoring rather than reacting is what distinguishes the well-supervised VASP from the one in regulatory difficulty.

The Wind Down Plan: tested, not just written.

Every licensed VASP must maintain a current, tested Wind Down Plan. 'Tested' is the key word — VARA expects the Plan to be subjected to a documented annual test that simulates an orderly cessation. This means the operations, finance, technology and legal teams should rehearse the plan, identify gaps, and refresh the document. We routinely find Wind Down Plans dated from the original licence application that have never been updated. That is a material supervisory issue waiting to happen.

Governance: the board's evidenced role.

VARA expects the board of every licensed VASP to have evidenced oversight of compliance, risk, capital, technology and culture. In practice this means board packs that include compliance, capital and risk reporting; minutes that record specific consideration and challenge; committee structures (Audit, Risk, Compliance) where the licence justifies them; and named individuals accountable for each regulatory commitment. Boards that meet quarterly with no substantive challenge or recorded decisions are the ones that struggle most under supervisory pressure.

What every licensed VASP must do now.

Five specific actions distinguish the VASPs that will navigate VARA 2.0 well from those that will not:

  1. Build a regulatory calendar. Map every monthly, quarterly, semi-annual and annual obligation to a named owner with a working escalation path.
  2. Rebuild TGRAF as an operating discipline. Move from documentation to evidenced operation: real risk identification, real assurance activities, real remediation tracking.
  3. Stand up monthly NLA monitoring with a 110% pre-alert. Pull capital into the operating cadence rather than the finance team's quarterly close.
  4. Test the Wind Down Plan annually. Simulate cessation, identify gaps, refresh the Plan, document the test.
  5. Empower the board. Reporting packs, recorded challenge, named accountability, real committee structure where the licence justifies it.

Conclusion.

VARA 2.0 is not a new rulebook — it is the cumulative tightening of ongoing supervision into a live discipline that every licensed VASP must resource and operate. The licensed firms that come through the next supervisory cycle well are the ones treating supervision as an operational reality, not a quarterly compliance task. Neo Legal supports VASPs through a monthly regulatory supervision retainer that covers the full calendar of obligations — building the discipline rather than reacting to gaps.