Fintech Sandbox UAE: How DIFC And ADGM Approve Testing

Both financial free zones offer sandbox programmes, but they work differently and suit different stages of product readiness

Fintech firms that want to test regulated financial services in the UAE's two financial free zones face a choice between two sandbox models with different application formats, testing periods, fee structures, and exit routes. Picking the wrong one, or applying before the product is ready, wastes time and capital.

• The DFSA Innovation Testing Licence (ITL) is a restricted financial services licence that has operated since 2017. Over 200 firms have applied and more than 80 have been accepted. The programme uses an open window format, meaning firms can apply at any time rather than waiting for a cohort intake. Testing periods run for 12 months, with restrictions on client numbers and transaction volumes set on a case-by-case basis. Applications are processed in 10 to 12 weeks from complete submission.
• The DFSA launched a separate Tokenisation Regulatory Sandbox in March 2025, receiving 96 expressions of interest from firms across the UAE, UK, EU, Canada, Singapore, and Hong Kong. Selected firms entered the ITL programme for live testing in mid-2025. Proposals covered tokenised bonds, sukuk, fund units, and custody services.
• The FSRA RegLab in the ADGM was the first regulatory sandbox in the Middle East. It operates through themed cohorts, with the fifth cohort (focused on DeFi and Web3) opening in 2022. RegLab participants test under a tailored regulatory framework with reduced initial compliance requirements, supervised by the FSRA through the ADGM Digital Lab, a cloud-based environment for real-time regulatory monitoring.
• Neither sandbox eliminates regulation. Both require applicants to meet minimum capital requirements, pass fit-and-proper assessments for senior management, and comply with AML/KYC obligations during the testing phase. The sandbox reduces the scope and intensity of regulatory requirements, not the existence of regulation.
• The DIFC also offers a separate, non-regulated Innovation Licence at a subsidised annual fee of USD 1,500 for two to five years. This licence is for technology firms that do not conduct financial services. It provides access to co-working space and the DIFC Innovation Hub but does not authorise regulated activity. Firms whose products involve payments, lending, investment management, or other regulated services cannot operate under this licence and must apply for the ITL or a full DFSA authorisation instead.

Who this applies to

This article is for fintech founders, technology companies, and financial institutions that want to test regulated products or services in the DIFC or ADGM before committing to full licensing. It also applies to financial services lawyers in the UAE advising on sandbox applications, and to venture capital investors assessing the regulatory positioning of portfolio companies operating in or entering these jurisdictions.

If the firm's product does not involve a regulated financial service, the sandbox is not the right route. Technology providers, SaaS platforms, and data analytics firms that serve financial institutions without conducting regulated activities should consider the DIFC Innovation Licence or a standard ADGM commercial licence instead.

How the DFSA Innovation Testing Licence works

The ITL is a restricted version of a standard DFSA financial services licence. It authorises the holder to conduct specific regulated activities within defined parameters for a limited period. It is not a separate regulatory category. The ITL holder appears on the DFSA public register alongside fully authorised firms, with its restricted status visible to clients and counterparties.

Eligibility

To qualify, the applicant must meet four criteria. The product or service must involve innovation, meaning it uses new or emerging technology or applies technology to an existing financial service in a way the DFSA considers novel. The activity must be a regulated financial service under the DFSA Rulebook. The applicant must be ready for live testing with actual customers, not at a conceptual or prototype stage. And the applicant must intend to operate on a broader scale from the DIFC after completing the test.

The DFSA also assesses whether the applicant has sufficient funding to meet minimum capital requirements, whether senior management has relevant experience, and whether the firm has a credible plan for consumer protection during testing.

If the product is already fully operational and the firm has the compliance infrastructure to meet full regulatory requirements, the DFSA may direct the applicant to apply for a conventional licence instead.

Application process

The process has two stages. The applicant first submits an ITL Pre-application Form, which provides basic information about the business model and the innovation. The DFSA reviews this within approximately two weeks. If the pre-application meets the eligibility criteria, the applicant is invited to submit a full ITL Application Form, which includes a detailed Regulatory Testing Plan and KYC documentation for all proposed authorised individuals (shareholders, directors, and senior management).

The DFSA targets a decision within eight weeks of receiving a complete application, followed by an In-Principle Approval. The firm then prepares for operational readiness, after which the ITL is issued. End to end, the timeline from pre-application to licence issuance is typically 10 to 12 weeks, subject to the quality of the submission and how quickly the firm responds to follow-up questions.

Testing period

Testing runs for 12 months. The DFSA imposes restrictions tailored to each firm, typically limiting the number and type of clients, the volume and value of transactions, and the geographic scope of operations. The firm must operate from the DIFC and can source customers from across the UAE.

During testing, the firm must maintain AML/KYC systems, transaction monitoring, and audit trails to a standard the DFSA considers production-grade, even though the activity is restricted. The DFSA conducts periodic reviews and expects the firm to be available for supervisory engagement, including unannounced visits.

Exit routes

At the end of the 12-month testing period, the firm must apply to the DFSA either to remove the restrictions on its licence and transition to full authorisation, or to withdraw the licence. There is no option to remain in the sandbox indefinitely.

To exit into full authorisation, the firm must demonstrate that it meets all regulatory requirements for an unrestricted DFSA licence, including higher capital thresholds, full compliance infrastructure, and governance arrangements. If the DFSA rejects the exit application, the firm must surrender its ITL.

Fees

From 2025, the DFSA aligned ITL fees with its standard licensing fee structure rather than charging a flat programme fee. The application processing fee is approximately USD 2,500, the registration fee approximately USD 5,000, and the annual supervisory fee approximately USD 10,000. These fees are non-refundable, including if the firm surrenders its licence before the testing period ends.

For a broader overview of fintech licensing options in the UAE, including how the sandbox route compares to direct full-licence applications, see our fintech setup guide.

How the DFSA Tokenisation Regulatory Sandbox works

The Tokenisation Regulatory Sandbox is not a separate programme from the ITL. It operates through the ITL framework but targets a specific use case: firms developing tokenised financial products and services.

The DFSA launched the sandbox in March 2025 with a time-limited Expression of Interest window (17 March to 24 April 2025). It received 96 submissions from firms proposing to tokenise financial assets including bonds, sukuk, money market fund units, property fund units, and custody of tokenised assets. The DFSA assessed applicants based on business model viability, clarity of use case, and readiness to test.

Selected firms were placed into one of two tracks. Some entered the ITL programme for live testing under a restricted licence. Others, whose products were assessed as sufficiently mature, were directed to apply for full DFSA authorisation under existing regulatory frameworks, including the DFSA's Crypto Token regime (in force since 2022) and the Investment Token regime (introduced in 2021).

The Tokenisation Regulatory Sandbox signals the DFSA's strategic priorities. The DFSA has made tokenisation a focus area within its 2025-2026 Business Plan, and the sandbox gives the regulator direct visibility into emerging business models before policy positions harden. For firms with tokenisation propositions, the sandbox offers structured regulatory engagement that a standalone application does not.

How the ADGM RegLab and Digital Lab work

The FSRA's approach differs from the DFSA's in two respects: the application format and the testing environment.

RegLab

The ADGM RegLab is a tailored regulatory framework, not a restricted licence. Participants receive a bespoke authorisation that allows them to test within a controlled environment without meeting the full suite of FSRA regulatory requirements from day one. The scope of permitted activity, the duration of testing, and the conditions imposed are negotiated between the FSRA and the applicant.

The RegLab has operated through themed cohorts. The fifth cohort, opened in 2022, focused on decentralised finance, Web3, and tokenisation. Each cohort has a defined application window and a thematic focus aligned with the FSRA's strategic interests. This contrasts with the DFSA's open-window model, where applications are accepted on a rolling basis year-round.

To qualify, applicants must demonstrate an innovative technological solution that is ready for testing, does not fall within an existing FSRA regulatory framework that would allow direct licensing, and would benefit from a supervised testing phase. The FSRA evaluates the commercial viability of the proposition, the applicant's technical readiness, and the potential benefits to the UAE financial services market.

Digital Lab

The ADGM Digital Lab is a cloud-based virtual environment hosted on UAE data centres. It was launched in 2019 to supplement and, over time, replace the offline testing model of the original RegLab. The Digital Lab allows fintech firms, financial institutions, and the FSRA to collaborate in a shared digital environment where prototypes can be tested, APIs integrated, and supervisory monitoring conducted in real time.

The Digital Lab is not restricted to RegLab participants. Financial institutions and technology vendors that do not require FSRA authorisation can also join as members to collaborate on innovation projects. Founding partners included Abu Dhabi Commercial Bank, First Abu Dhabi Bank, and Abu Dhabi Islamic Bank, among others.

For RegLab participants, the Digital Lab serves as the primary testing platform. The FSRA uses supervisory technology (SupTech) tools within the Digital Lab to monitor sandbox activity, reducing the reliance on periodic offline reporting that characterised earlier RegLab cohorts.

Exit routes

RegLab participants that complete their testing programme can apply for full FSRA authorisation under the relevant licensing category. The FSRA does not publish a fixed exit timeline equivalent to the DFSA's 12-month cap, and the duration of RegLab participation varies by firm and cohort. Firms that do not proceed to full licensing must wind down their sandbox operations.

The DIFC Innovation Licence is not a sandbox

A common point of confusion is the relationship between the DFSA Innovation Testing Licence and the DIFC Innovation Licence. They are separate products issued by different bodies for different purposes.

The DIFC Innovation Licence is a commercial licence issued by the DIFC Authority (DIFCA), not the DFSA. It authorises non-regulated technology activity within the DIFC. It does not permit the holder to conduct any financial service. Firms holding this licence cannot accept deposits, provide payment services, manage investments, arrange deals, or advise on financial products.

The licence is subsidised at USD 1,500 per year for the first two years, with extended subsidies available for up to seven years depending on firm size and headcount. It includes access to co-working space within the DIFC Innovation Hub, discounted visa packages, and participation in accelerator programmes such as FinTech Hive. Over 700 firms operate under this licence.

The Innovation Licence is the right entry point for technology companies that build products for financial institutions without conducting regulated activity themselves, such as software developers, data analytics providers, cybersecurity firms, and AI companies selling tools to banks or insurers. If the firm's business model crosses into regulated territory, it must apply for a DFSA licence (either a full authorisation or an ITL) and cannot rely on the Innovation Licence as a substitute.

For guidance on which DIFC licence category applies to a specific business model, see our guide to DIFC trade licence activities.

Comparing the DIFC and ADGM sandbox models

What the sandbox does not do

Firms entering either sandbox should be clear about what the programmes do not provide.

The sandbox does not guarantee a path to full licensing. Completing a 12-month ITL testing period or a RegLab programme demonstrates that the firm can operate under restricted conditions. It does not prove the firm can meet full regulatory requirements, which include higher capital, broader compliance infrastructure, and governance arrangements that the sandbox waives or reduces. Both regulators assess the full-licence application on its merits. Firms that perform well during testing still face rejection if they cannot demonstrate readiness for unrestricted operations.

The sandbox does not provide immunity from enforcement. Both the DFSA and FSRA retain full supervisory and enforcement powers over sandbox participants. A firm that breaches its sandbox conditions, fails to maintain AML controls, or harms consumers during testing faces the same enforcement toolkit as a fully licensed firm, including fines, public censure, and licence revocation.

The sandbox does not replace legal structuring. Firms still need to incorporate in the relevant free zone, appoint directors and authorised individuals, execute shareholder agreements, and comply with UAE corporate tax obligations. The regulatory sandbox reduces the licensing burden, not the corporate or tax obligations that apply to any DIFC or ADGM entity.

For an overview of the broader UAE regulatory framework that applies to fintech firms across all licensing routes, see our guide to banking and financial services law in the UAE.

Common mistakes in sandbox applications

Three errors recur across sandbox applications in both jurisdictions.

The first is applying too early. Firms at the prototype or concept stage do not qualify. Both the DFSA and FSRA require the product to be ready for live testing with actual users. A firm that applies before reaching this stage will be rejected or told to return later, and the time spent on the application cannot be recovered. The DFSA is explicit: if the business is only at a conceptual stage, no financial service is being conducted, and no licence is required.

The second is underestimating compliance costs. The sandbox reduces some regulatory requirements, but it does not eliminate the need for AML/KYC systems, transaction monitoring, compliance officers, and audit infrastructure. Firms that budget for the DFSA's application and supervision fees but not for the compliance technology and personnel required during testing discover the gap after the ITL is granted, when the 12-month clock is already running.

The third is treating the sandbox as the end rather than the beginning. The sandbox is a testing period with a defined exit point. Firms that use the 12 months to test product-market fit without simultaneously building toward full regulatory readiness reach the end of the testing period unprepared to apply for an unrestricted licence. Both regulators expect firms to plan the transition from day one, not from month 10.

Which sandbox should a fintech firm choose in 2026

The DFSA ITL suits firms that are ready to test a regulated financial product or service with live clients and want a defined 12-month runway with a clear exit pathway. Its open-window format means firms do not need to wait for a cohort intake. Its listing on the DFSA public register provides market credibility during the testing phase, which helps with client acquisition and investor confidence. Firms with tokenisation propositions should assess whether the DFSA's Tokenisation Regulatory Sandbox offers a more structured entry point than a general ITL application.

The ADGM RegLab and Digital Lab suit firms whose products align with the FSRA's thematic priorities for a given cohort, or firms that benefit from the collaborative testing environment the Digital Lab provides, including direct engagement with Abu Dhabi-based financial institutions. The ADGM model may also suit firms that need longer than 12 months to reach full licensing readiness, given the FSRA's more flexible approach to testing duration.

Neither programme is a shortcut. Both require serious preparation, meaningful capital, and a clear plan for what happens after the sandbox ends. The firms that benefit most are those that treat the testing period as a regulated environment for proving commercial viability, not as a way to defer the cost of full compliance.

For firms assessing which regulatory sandbox is appropriate for their product, or for firms preparing sandbox applications, our financial services team advises on eligibility assessment, test plan development, AML compliance during the sandbox period, and the transition from restricted to full licensing in the DIFC and ADGM.

‍