MiCA Decoded is a 12-article weekly series for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies on MiCA licensing, CASP and VASP applications, and regulatory structuring across Europe and beyond.
The Myth: All Major Crypto Frameworks Are Converging Toward the Same Model
When founders compare jurisdictions, the conversation usually goes one of two ways. Either they treat regulatory regimes as roughly equivalent, differing only by cost and timeline, or they treat them as wholly incomparable, each so unique that comparison is meaningless. Neither position is accurate.
The Markets in Crypto-Assets Regulation (MiCA), Dubai’s Virtual Assets Regulatory Authority (VARA) framework, and Singapore’s licensing regime under the Financial Services and Markets Act 2022 (FSM Act) and the Payment Services Act 2019 (PS Act) share a resemblance from the outside. All three require licensing. All three impose fit-and-proper assessments, capital requirements, and anti-money laundering controls. All three claim to balance innovation with consumer protection.
But beyond the similarity, each regime reflects a specific regulatory philosophy, a specific theory of who crypto risk falls on and why, and a specific answer to the question of what a licensed crypto firm actually is. These differences are not procedural details. They determine whether a specific business model is licensable at all, how much substance an entity needs to carry, and what a founder is committing to when they apply.
What the Regulation Actually Says: Scope and Services
The three regimes start from different definitions of regulated activity, and those definitional choices carry significant consequences.
MiCA defines ten categories of crypto-asset services, ranging from custody and trading platform operation through portfolio management and investment advice on crypto-assets. The framework creates a single authorization, a Crypto-Asset Service Provider (CASP) license, that covers whichever subset of those ten services the applicant intends to provide. The scope is EU-wide, meaning a single CASP license passports across all 27 EU member states and the 3 EEA countries (Norway, Iceland, Liechtenstein) without secondary applications in each.
VARA organizes regulated activity into distinct categories including Broker-Dealer Services, Custody Services, Exchange Services, Lending and Borrowing Services, and Advisory Services, among others. Each category carries its own rulebook requirements and its own paid-up capital threshold. A firm holding a VARA license for Exchange Services carries different ongoing obligations from one licensed for Advisory Services alone.
Singapore operates across two statutory frameworks depending on the nature of the activity. Crypto exchanges and custody providers dealing in digital payment tokens operate under the PS Act as Major Payment Institutions (MPI). Firms providing digital token services outside Singapore, which is the FSM Act’s defined scope, are regulated as Digital Token Service Providers (DTSPs) under Part 9 of the FSM Act. The FSM Act covers ten distinct service types within its First Schedule, including dealing in digital tokens, facilitating the exchange of digital tokens, and safeguarding digital tokens with control over client assets.
The practical consequence of these different scoping approaches becomes visible when a founder tries to map their business model onto the regulatory architecture. This is particularly challenging for border-case platforms like prediction markets that sit at the intersection of Web3 and speculative gaming, where founders must carefully assess whether they require a crypto authorization or a standalone gambling license.
As we saw in a previous entry, a DeFi protocol could very well be banned under MiCA. Under VARA, the same protocol must assess whether any identifiable entity exercises control over the platform, which VARA evaluates using a substance-over-form approach. Under Singapore’s framework, the FSM Act focuses on service delivery from or by Singapore-connected entities, meaning offshore protocol operators structured outside Singapore may fall outside the licensing perimeter entirely, but only if they genuinely avoid the prescribed nexus points.
Why the Confusion Exists: Passporting, Geographic Reach, and Regulatory Intent
The most consequential structural difference between the three frameworks is passporting. MiCA creates it. VARA and Singapore do not.
A CASP authorized in Estonia can notify the relevant home member state authority and begin offering services to clients across the entire EU and EEA without additional licensing. The authorization travels with the entity. This Europe-wide passporting is a major catalyst for complex Web3 models like online games making use of crypto-assets, which frequently look to complement their crypto architecture with, for example, an online gambling license in Estonia. For a business targeting EU retail customers across multiple countries, this is not a convenience feature, it is the central commercial argument for MiCA authorization. One compliance infrastructure serves 450 million potential customers.
VARA licensing is Dubai-specific. It governs virtual asset activity conducted in, or targeting, the Emirate of Dubai, as established under Dubai Law No. 4 of 2022. A VARA-licensed exchange serving clients across the GCC or internationally does so on the basis of other jurisdictions’ frameworks, or on the basis that it is not triggering local licensing requirements in those markets. The VARA license itself provides no cross-border passporting mechanism.
Singapore’s FSM Act DTSP license applies to entities that operate from Singapore or are Singapore-incorporated but conduct digital token services outside Singapore. That is the intended scope. Singapore does not claim to regulate offshore activity by foreign firms at the retail consumer level through the FSM Act, though MAS does impose restrictions on what licensed and unlicensed DTSPs may do in relation to Singapore residents.
These differences reflect genuinely different regulatory theories. MiCA’s passporting design reflects the EU’s single market logic, where fragmentation of financial service access is treated as a regulatory failure. VARA’s Dubai-specific scope reflects a jurisdiction-building strategy, where the objective is making Dubai a hub, not regulating global crypto activity. Singapore’s FSM Act framework reflects a reputational risk-management approach, where MAS has been explicit that licensing is granted in extremely limited circumstances and that the regime is designed to anchor high-quality players rather than accommodate broad market entry.
Capital Requirements: Three Different Answers to the Same Question
All three regimes impose capital requirements. The numbers and the logic behind them are not the same.
Under MiCA, minimum capital for a CASP ranges from EUR 50,000 (Class 1), to EUR 125,000 (Class 2), to EUR 150,000 (Class 3). The MiCA regime also applies an ongoing fixed overheads requirement, meaning a firm must hold the higher of the fixed minimum or one quarter of its preceding year’s fixed overheads. A CASP with EUR 10 million in annual operating expenses faces a EUR 2.5 million effective capital floor, regardless of which service class applies.
VARA applies a paid-up capital model that is activity-specific and has higher absolute minimums. Advisory Services require AED 100,000. Providers of Custody Services require base capital equal to the higher of AED 600,000 or 25% of fixed annual overheads. For Broker-Dealer Services, the capital requirement depends on their custody arrangements: those using a VARA-licensed custodian require the higher of AED 400,000 or 15% of fixed annual overheads, whereas those that do not use a VARA-licensed custodian require the higher of AED 600,000 or 25% of fixed annual overheads.
Similarly, the capital requirement for Exchange Services, the most capital-intensive category, is the higher of AED 800,000 or 15% of fixed annual overheads if the VASP uses a VARA-licensed custodian, and the higher of AED 1,500,000 or 25% of fixed annual overheads in all other instances.VARA also imposes a separate Net Liquid Assets requirement, requiring VASPs to hold current liquid assets such that their surplus over current liabilities equals at least 1.2 times their monthly operating expenses, reconciled daily, and reported to VARA monthly with quarterly aggregation. VARA also requires professional indemnity insurance, directors and officers insurance, and commercial crime insurance for assets stored in hot wallets.
Singapore’s FSM Act DTSP framework sets a base capital floor of SGD 250,000, applicable uniformly to corporations, partnerships, and sole proprietors, with the expectation stated in MAS guidelines that the capital buffer should realistically cover six to twelve months of operating expenses. MAS has been explicit that DTSPs are not subject to the same prudential regulation as deposit-taking institutions and do not have safety nets like deposit insurance. The SGD 250,000 floor is a market entry threshold, not a risk-calibrated prudential buffer in the MiCA or VARA sense.
The practical difference is not only the numbers. VARA’s Net Liquid Assets and insurance requirements create a multi-layered financial soundness obligation that MiCA and the FSM Act address differently or less prescriptively. A firm calculating its VARA compliance exposure needs to work through paid-up capital, net liquid assets, and insurance adequacy simultaneously, and reconcile all three on specific frequencies, with VARA as a stated beneficiary of the capital trust account or surety bond.
Consumer Protection Philosophy: Risk Disclosure, Suitability, and Access Limits
Where consumer protection is concerned, MiCA, VARA, and Singapore have different intuitions about what regulators should actually prevent.
MiCA treats crypto-asset service providers as financial services operators subject to conduct obligations, suitability assessments for portfolio management and advice, best execution requirements, and ongoing disclosure duties. For retail holders, the regulation requires meaningful risk disclosures in white papers and marketing communications, but the specific mechanisms for holder protection depend on the type of token. For retail holders purchasing crypto-assets other than asset-referenced tokens (ARTs) and e-money tokens (EMTs) directly from an offeror, MiCA imposes a 14-day withdrawal right. However, this withdrawal right does not apply to ARTs and EMTs; instead, holders of these tokens are protected by a permanent right of redemption at any time against the issuer.
But MiCA does not restrict access to crypto trading by retail participants. It assumes that informed retail participation is legitimate and structures its conduct rules accordingly.
VARA’s Market Conduct Rulebook requires client agreements, complaints handling, and investor classification. VARA classifies investors into three categories: Retail Investors, Qualified Investors, and Institutional Investors, with service parameters adjusting by classification. The marketing regulations VARA issued in 2024 are among the most detailed in any crypto jurisdiction, providing specific guidance and illustrative case studies on what constitutes prohibited marketing, including extensive treatment of social media posts, influencer arrangements, and educational content that may cross into promotion.
Singapore’s approach is the most restrictive of the three toward retail participation. MAS has consistently warned the public against cryptocurrency speculation since 2017 and has restricted advertising of DPT services in public spaces. The 2022 consultation paper on proposed measures for Digital Payment Token Services introduced the initial proposals requiring DPTSPs to assess retail customer knowledge before providing any DPT service, apply consumer access restrictions, and avoid offering incentives for retail trading.
MAS’s stated position is that regulation cannot and should not give retail customers the impression that licensed platforms are safe investment venues. The DTSP licensing guidelines describe admission as occurring in extremely limited circumstances, reinforcing that the Singapore framework is not designed for broad retail market access by licensed providers.
Operational Substance: What Living Inside the Regime Looks Like
The ongoing compliance burden across all three regimes is substantial. But the character of that burden differs.
MiCA imposes governance requirements, business continuity obligations aligned with the Digital Operational Resilience Act (DORA), AML/CTF frameworks aligned with EU Directives, ongoing reporting, and a mandatory fit-and-proper assessment for management and qualifying shareholders. The regime requires a place of effective management in the EU and at least one EU-resident director. Authorization is service-specific, meaning each CASP license specifies which of the ten service categories the holder is authorized to provide.
VARA operates through a rulebook system where several books apply to all VASPs simultaneously: the Company Rulebook, Compliance and Risk Management Rulebook, Technology and Information Rulebook, and Market Conduct Rulebook, alongside the specific activity rulebook for each licensed VA Activity. The Technology and Information Rulebook requires a Chief Information Security Officer, a cybersecurity policy submitted to VARA, and a technology governance and risk assessment framework covering five defined risk categories. VARA requires a legal entity in Dubai, clear chain of ownership with identifiable ultimate beneficial owners, and written approval for any material change to company structure.
Singapore‘s FSM Act framework requires a permanent place of business or registered office in Singapore with a representative present at least ten days per month for a minimum of eight hours each day. The DTSP licensing guidelines require a penetration test of proposed services before the licence is granted, independent external auditor assessment on technology and cybersecurity as a condition of in-principle approval, and compliance arrangements proportionate to the scale and nature of the business. MAS conducts interviews with key management personnel as a standard part of the review, and consultants and external legal counsel are explicitly not permitted to attend those interviews.
Each of these substance requirements means something for a firm that has never built inside that regulatory environment before. VARA’s requirement that paid-up capital be secured, whether held in a trust account with a UAE bank naming VARA as beneficiary or guaranteed through a surety bond by an authorized UAE surety company, is a structural dependency that must be established before authorization. Singapore’s interview requirement means the CEO and compliance officer must be able to explain the business model, its risk controls, and its compliance approach without referential support from advisors. These are not obstacles in the abstract, they are operational conditions.
What We Decoded: Jurisdictional Strategy Implications
The three frameworks do not compete with each other in any simple sense. A firm choosing between them is usually making a decision about what market it is actually trying to serve and what kind of regulatory relationship it is prepared to maintain.
- MiCA is the only one of the three that provides direct access to a unified retail market of continental scale through a single authorization. For any crypto-asset service provider whose primary business involves EU retail clients, MiCA is not optional, it is the framework that determines whether that business can operate legally in the EU at all. The transitional period ends on July 1, 2026.
- VARA is a Dubai-specific license that serves firms whose commercial strategy is anchored in the UAE and MENA markets, or whose branding benefits from a Dubai-based licensed presence. The capital requirements are higher than MiCA in absolute terms, the marketing regulations are among the most detailed globally, and the multi-book compliance architecture is substantive. A VARA license does not carry into other jurisdictions, but for firms targeting the Gulf region or seeking to operate a compliant exchange in Dubai specifically, there is no equivalent alternative.
- Singapore‘s DTSP license is the most restrictive of the three to obtain and is explicitly designed for a narrow class of applicants: firms that are Singapore-connected but conduct digital token services outside Singapore, and that can demonstrate they are already regulated to international standards elsewhere, that their business model makes economic sense, and that MAS does not have concerns about their structure. Obtaining this license is not a straightforward market entry pathway. It is closer to a regulatory endorsement, available to a small number of operators that meet a high threshold.
The regimes are not functionally interchangeable, and they were not designed to be. A firm applying to all three simultaneously because it wants global coverage is making three different commitments to three different regulators with three different theories of what a licensed crypto firm should look like. Getting that coordination right requires more than a parallel application process. It requires understanding what each regulator is actually trying to accomplish and whether the business can credibly commit to it.
This article is based on a study conducted by LegalBison in May 2026. The content is for informational purposes only and does not constitute legal advice.
