Token issuance is one of the highest-risk activities in the virtual-asset space, and VARA's expanded issuance framework reflects that. The framework regulates not just licensed VASP issuers but any party offering, marketing or facilitating the offering of virtual assets in or from the Emirate of Dubai — with classification rules, white-paper standards, marketing restrictions and ongoing reporting obligations that materially exceed earlier ICO-era expectations.

For issuers, the framework requires planning at the earliest stage. Token classification, jurisdictional structuring, white-paper drafting, KYC architecture, marketing perimeter and ongoing obligations all need to be designed together — not bolted on after the technology is built.

Token classification: the foundation of the framework.

VARA's issuance rules apply different regulatory treatment depending on token classification. The categories — consistent with international taxonomy — are:

  • Payment tokens — tokens designed primarily as a means of exchange (e.g. stablecoins, payment-rail tokens). These engage VARA payment-services frameworks and may also engage the Central Bank's stored-value facility framework.
  • Utility tokens — tokens that give holders access to a product, service or platform function, without economic profit-sharing or security characteristics. Subject to issuance rules but with lower regulatory burden.
  • Asset-referenced tokens — tokens stabilised by reference to assets (commodities, fiat baskets, virtual-asset baskets). Subject to enhanced disclosure and reserve requirements.
  • Security tokens — tokens with profit-share, equity-like, debt-like or other security characteristics. Subject to the most demanding regulatory standards and often cross-engagement with the federal CMA framework.
  • Hybrid tokens — tokens combining features of multiple categories. Classified by reference to their dominant economic character, with treatment scaled to the highest-risk feature.

The classification is substantive, not formal. Labels do not control: a token labelled 'utility' that pays holders a share of platform revenue will be reclassified as a security token, with the regulatory consequences that flow.

The white paper: VARA's mandatory disclosure document.

Every regulated issuance requires a VARA-compliant white paper. The white paper must cover, at a minimum:

  • Issuer identification — legal entity, beneficial owners, governance, jurisdiction of incorporation, licensing status.
  • Token classification and characteristics — type, rights, economic structure, tokenomics including supply schedule, vesting, lock-ups, allocation between insiders / treasury / public.
  • Project description — the technology, the product, the team, the road map, the use of proceeds.
  • Risk disclosures — technology, market, regulatory, counter-party, key-person and conflict risks. Generic disclosures will not satisfy the requirement; specific, accurate risk assessment is expected.
  • Smart-contract and audit details — addresses, audit reports, code-freeze position, upgrade governance.
  • Marketing and offering structure — how the token will be offered, to whom, in which jurisdictions, with what investor-eligibility checks.
  • Post-issuance obligations — reporting, ongoing disclosure, key-person changes, material-event notification.
The white paper is not a marketing brochure. It is a regulatory document that VARA reviews substantively, that holders rely on, and that determines the issuer's ongoing disclosure obligations. Get it wrong and the entire issuance can be enjoined.

The marketing perimeter and the AED 10 million penalty.

Under the VARA Marketing Regulations 2024, only VARA-licensed entities may market virtual-asset activities — including token issuances — in or targeting Dubai. The framework reaches:

  • The issuing entity itself.
  • Intermediaries promoting the offering — including exchanges listing the token, influencers, KOLs, affiliates.
  • Marketing platforms that knowingly facilitate the campaign.
  • Payment processors that knowingly enable subscription flows.

Penalties run to AED 10 million per breach, with VARA exercising the power against parties at every level of the marketing chain — not just the issuer. The grey-zone influencer campaign for an unauthorised offshore offering is no longer commercially viable.

The structural decision: issue from where?

Even within the regulated framework, issuers have structural choices. The main pathways:

PathwaySuitable for
Direct VARA-licensed issuer (Dubai-incorporated VASP issuance)Issuers committed to a permanent Dubai operating base, with the substance, governance and capital to support an authorised entity
ADGM FSRA-licensed issuer (under the FSRA virtual-asset framework)Issuers with sophisticated investor focus, fund-related structures, or where the ADGM common-law platform is preferred
RAK DAO foundation issuanceDAO-native projects, where the foundation structure suits the governance model; can pair with separate VARA-licensed operational entity
Offshore issuer + UAE marketing licenceWhere the issuer's primary structure is established offshore but UAE marketing exposure justifies an authorised marketing arm
Restricted-jurisdiction offering (no UAE participation)Where the issuer cannot meet UAE standards and is willing to geofence Dubai out of the offering entirely

Ongoing obligations: issuance is not a one-time event.

VARA-authorised issuers carry ongoing regulatory obligations long after the token-generation event:

  • Material event reporting — smart-contract changes, key-person changes, material business changes, security incidents.
  • Periodic disclosure — treasury position, vesting unlocks, audit reports, project milestones.
  • Marketing approval — new marketing campaigns require notification or approval where they extend the original offering perimeter.
  • Wind-down planning — the issuer's plan for managing token-holder interests in the event of project cessation.
  • AML/CFT obligations — ongoing transaction monitoring, suspicious-activity reporting, sanctions screening — especially where the issuer or treasury interacts directly with token holders.

The pre-issuance checklist.

  1. Classify the token correctly — substantive analysis based on economic structure, not the marketing label.
  2. Decide the issuance structure — jurisdictional entity, regulator engagement, operating model.
  3. Build the white paper as a regulatory document — not a marketing brochure with technical disclaimers.
  4. Design the KYC / investor-eligibility framework — including geofencing where required.
  5. Engage exchanges and intermediaries within the marketing perimeter — or geofence them out.
  6. Plan the post-issuance regulatory cadence — reporting calendar, key-person obligations, treasury governance.
  7. Build the legal opinion — for sophisticated investor reliance, for exchange listing applications, for downstream compliance interactions.

Conclusion.

VARA's issuance framework brings token offerings into the same regulatory perimeter as financial services. For serious issuers it is the platform that enables long-term operation with regulatory certainty and institutional capital access. For the grey-zone offshore offering targeted at Dubai users, it is the framework that closes the window. Neo Legal advises issuers on the full lifecycle from token classification and jurisdictional design through white-paper drafting, regulator engagement, exchange listing, and ongoing supervision.