
vCISO for VARA Compliance: Meeting Dubai's CISO Requirement (2026)
If you hold or are applying for a VARA licence in Dubai, you are required to appoint a Chief Information Security Officer. This is not guidance or best practice. It is written into Part I of VARA's Technology and Information Rulebook, and the role has to sit with someone other than your Compliance Officer.
For most virtual asset firms, that one requirement creates a problem. A CISO with the standing and experience VARA expects is expensive to hire full time, and the heaviest part of the work, building the governance framework and getting through the testing regime, lands before the licence has produced any revenue. Appointing a virtual CISO solves both sides of that. You get a named, qualified security executive in the role of record without carrying a full C-level salary from day one.
What follows is what the rulebook actually requires of the CISO, where firms get this wrong, and how the vCISO route works in practice.
Does VARA require a CISO?
Yes. Under Part I, Section I of the Technology and Information Rulebook, every licensed VASP must appoint a CISO who is accountable for the firm's compliance with the technology, security and confidential information rules. VARA reissued this framework as Rulebook 2.0 on 19 May 2025, with compliance mandatory from 19 June 2025, so any application still built against the older 2023 rules is already behind.
Four points in the rule tend to catch firms out.
The CISO has to be a different individual from your Compliance Officer. You cannot fold security oversight into the compliance function to save a seat. VARA treats them as separate control functions and looks for that separation during review.
The same person is allowed to act as your Data Protection Officer. VARA permits the CISO to also hold the DPO role, which is useful in practice because the two functions overlap heavily and one appointment can cover both.
The CISO must be of good standing and appropriately experienced. This is the bar that quietly rules out a nominal or junior appointment. A reviewer is judging whether the person can credibly own the role, not whether a name has been entered into a form.
Senior management does not get to step back once a CISO is named. The rulebook keeps the board and senior management responsible for reviewing how well the firm's controls are working and for assigning duties in a way that avoids conflicts of interest.
What the VARA CISO is responsible for
The CISO's remit is broad. It runs across most of Part I of the Technology and Information Rulebook and into Part III, which means the role owns far more than a single policy document. In practice it covers:
The Technology Governance and Risk Assessment Framework that everything else sits under
The firm's Cybersecurity Policy and its alignment with other legal and regulatory obligations
Controls over cryptographic keys and virtual asset wallets, including hot and cold wallet architecture
The testing and audit regime, which requires independent vulnerability assessment and penetration testing at least annually and before any new system, application or product goes live
Business continuity, disaster recovery, and the handling of cybersecurity events
Staff competency on security matters, and the notifications the firm has to make to VARA
Protection of confidential information under Part III
The testing obligation is worth pulling out on its own. VARA expects independent, qualified third parties to run the assessments, and its expectations now extend to threat-led penetration testing for the activities that warrant it. This is not a scan you run once to tick a box. It is a recurring program the CISO has to scope, schedule and act on, and a weak round of testing is one of the more common reasons applications stall.
Why hiring a full-time CISO first is usually the wrong call
None of this means your first move should be a permanent C-level hire. For most VASPs at the licensing or early operating stage, a full-time CISO is the wrong instrument, for three reasons.
Cost. An experienced CISO in the UAE commands a senior-executive salary, and you are committing to it before the licence has earned a dirham. Carried across a year of build-up and review, that is a heavy fixed cost against an uncertain runway.
Workload shape. The effort is front-loaded. Building the governance framework, writing the policies, standing up key management controls and clearing the first round of independent testing is intense work concentrated in the months around licensing. Once that is in place, the role settles into oversight and periodic review. Paying for forty hours a week from day one buys idle capacity later.
The experience bar. VARA wants someone of good standing and appropriately experienced, which tends to price out the hire a young firm can actually afford. The candidate who fits the budget often does not satisfy the requirement, and the candidate who satisfies the requirement is out of budget.
How a vCISO meets the requirement
A virtual CISO is an experienced security executive who takes the CISO role on a retained, part-time basis. For VARA purposes the appointment is real. The vCISO is named as the firm's CISO of record and carries the accountability the rulebook assigns, while you pay for the level of involvement the firm genuinely needs.
In a VARA engagement that usually means the vCISO builds and owns the Technology Governance and Risk Assessment Framework, writes the Cybersecurity Policy, sets up oversight of key and wallet controls, runs the independent testing and TLPT program, and prepares the firm's CISO notifications and submissions to VARA. The same person carries the role through the licensing assessment, then moves to a steady-state cadence once the framework is operating.
Two features of the rulebook make this route clean. Because the CISO must be separate from the Compliance Officer, an external vCISO satisfies the separation requirement without you having to create a second internal hire. And because VARA allows the CISO to also act as DPO, a single engagement can cover both the security and data protection obligations rather than splitting them across two appointments.
Choosing a vCISO for VARA
Not every vCISO is set up for this. VARA's framework is specific, and an arrangement that works for a generic SaaS company will not necessarily hold up in front of a VARA reviewer. There are a few things worth checking before you appoint anyone.
VARA-specific experience. Has the person actually worked against the Technology and Information Rulebook, or only against ISO 27001 and general enterprise security? The frameworks overlap, but they are not the same, and the crypto-specific controls have no equivalent in standard IT.
Standing and credentials. Recognised certifications such as CISSP and CISM, alongside a track record a reviewer will accept, are what satisfy the good standing and appropriately experienced test.
Crypto-native controls. Wallet architecture, key ceremonies and segregation, on-chain monitoring and smart contract risk are core to a VASP. The CISO has to understand them in detail, not in outline.
Delivery, not just advice. The role calls for someone who will build the framework and run the testing program, not hand you a report and leave the execution to your team.
How Dynova handles VARA CISO engagements
Dynova provides vCISO and DPO-as-a-service to regulated firms in the UAE, including virtual asset businesses operating under VARA. Our work covers the frameworks that matter in this market: ISO 27001, PCI DSS, UAE PDPL, and the CBUAE and VARA regimes. We led OGold's ISO 27001 certification with BSI, and we have run information security assessments for virtual asset firms against UAE requirements.
The model is built for how VARA work actually lands. A senior CISO takes the role of record, builds the governance framework and testing program through licensing, then holds the steady-state oversight the rulebook requires, without the firm carrying a full-time C-level salary.
If you are applying for a VARA licence, or already hold one and need a qualified CISO in place, we can take the role and the build that comes with it. Book a call and we will map what your licence category requires and where the gaps sit.
Frequently asked questions
Does VARA require a CISO?
Yes. VARA's Technology and Information Rulebook requires every licensed VASP to appoint a CISO who is responsible for the firm's technology, security and confidential information compliance.
Can our Compliance Officer also be the CISO?
No. VARA requires the CISO to be a separate individual from the Compliance Officer. The two are treated as distinct control functions and the separation is checked during review.
Can the CISO also be our Data Protection Officer?
Yes. The rulebook allows the same person to hold both the CISO and DPO roles, which is why a single vCISO engagement can often cover both obligations.
Can a vCISO be appointed as our CISO for VARA?
Yes. A vCISO can be named as your CISO of record and carry the accountability the rulebook assigns. The appointment is real; only the working arrangement is part-time.
Does VARA apply inside the DIFC?
No. VARA regulates virtual assets across Dubai's mainland and free zones, with the exception of the DIFC, which has its own regulator. A firm operating inside the DIFC falls under a different regime.
How does a vCISO compare in cost to a full-time CISO?
A vCISO costs a fraction of a full-time CISO salary, because you pay for the involvement the role actually needs. That involvement is heaviest around licensing and lighter once the framework is running.