Saudi Arabia’s Capital Market Authority (CMA) issued its Digital Assets Regulatory Framework in Q3 2024, establishing the Kingdom’s first comprehensive legal structure for tokenized securities. The framework covers 14 distinct activity categories, from issuance and custody to secondary market trading of digital asset securities. As of March 2026, 127 entities hold CMA licenses across these categories, with 34 specifically authorized for digital asset activities.
Framework Architecture
The CMA Digital Assets Regulatory Framework operates on three tiers. The first tier establishes the legal classification of digital assets as securities under the Capital Market Law. The second tier defines licensing requirements for entities wishing to issue, trade, or provide custody for digital asset securities. The third tier governs market conduct, disclosure obligations, and investor protection standards specific to tokenized instruments.
This three-tier approach mirrors the structure Saudi Arabia has used for conventional securities regulation since the CMA’s establishment in 2003 under Royal Decree No. M/30, but adapts it for the technical and operational realities of blockchain-based settlement systems. The CMA’s approach positions Saudi Arabia alongside the UAE’s VARA framework as one of only two Gulf jurisdictions with a dedicated digital asset regulatory architecture. The framework sits within a broader fintech ecosystem that has reached 261 companies by end of 2025 — exceeding the Vision 2030 target of 230 by 13% — with cumulative investment of SAR 7.9 billion ($2.1 billion), surpassing the 2025 target by 204%.
Legal Classification of Digital Assets
Under the CMA framework, digital assets are classified into three categories:
- Digital Asset Securities — tokens that represent ownership in an underlying asset or entitlement to cash flows, functionally equivalent to conventional securities
- Digital Asset Units — tokens used within specific platforms or ecosystems that do not carry security-like characteristics
- Utility Tokens — tokens providing access to goods or services without investment characteristics
The classification determines which regulatory requirements apply. Digital Asset Securities fall under full CMA oversight, requiring licensed intermediaries for issuance, trading, and custody. Digital Asset Units may require CMA registration depending on their characteristics. Utility Tokens are generally exempt from CMA jurisdiction but remain subject to SAMA’s payment token regulations if used for payment purposes.
This classification system draws on the CMA’s analysis of 47 international regulatory frameworks, with particular attention to the EU’s MiCA regulation and Singapore’s Payment Services Act. The Saudi framework differs from both by integrating Sharia compliance requirements at the classification level — a token’s compliance with Islamic finance principles affects its regulatory treatment. The CMA licenses five core activity types — Dealing (as principal or agent), Arranging, Managing, Advising, and Custody — with license terms of 10 years that are automatically renewable, and decisions issued within 30 days of complete application.
Licensing Categories for Digital Asset Activities
The CMA has established seven specific license categories for digital asset activities:
| License Category | Requirements | Entities Licensed |
|---|---|---|
| Digital Asset Issuance | SAR 10M minimum capital, Sharia board | 8 |
| Digital Asset Trading Platform | SAR 50M minimum capital, matching engine certification | 4 |
| Digital Asset Custody | SAR 25M minimum capital, cold storage requirements | 11 |
| Digital Asset Advisory | SAR 2M minimum capital, qualified advisor requirement | 18 |
| Digital Asset Fund Management | SAR 15M minimum capital, fund governance framework | 7 |
| Digital Asset Clearing | SAR 100M minimum capital, CCP requirements | 2 |
| Digital Asset Settlement | SAR 75M minimum capital, DLT infrastructure certification | 3 |
The minimum capital requirements are substantially higher than those in Bahrain or the UAE, reflecting the CMA’s emphasis on institutional-grade participants. The SAR 50M (approximately $13.3M) requirement for trading platforms, for example, exceeds VARA’s equivalent requirement by a factor of three.
Sandbox Operations
The CMA Sandbox, launched in January 2024, provides a controlled environment for testing digital asset products and services. As of March 2026, 19 entities have entered the sandbox, with 7 graduating to full licenses and 3 exiting without proceeding to licensing.
Sandbox Eligibility and Process
Sandbox applicants must demonstrate:
- A clearly defined digital asset product or service
- Technical readiness for controlled deployment
- Adequate risk management frameworks
- Minimum capital of SAR 1M (reduced from full licensing requirements)
- A Saudi-domiciled legal entity or a commitment to establish one within the sandbox period
The sandbox operates in three phases, each lasting 6-12 months:
Phase 1: Controlled Testing — Limited to 100 users and SAR 5M in transaction volume. The entity operates under direct CMA supervision with weekly reporting requirements.
Phase 2: Expanded Operations — User base expanded to 1,000 with SAR 50M transaction volume cap. Monthly reporting replaces weekly requirements. The entity must demonstrate compliance with all applicable regulations.
Phase 3: Pre-License Assessment — Full operational testing with no user or volume caps, but with enhanced monitoring. CMA conducts a comprehensive assessment for license readiness.
The average time from sandbox entry to full license has been 14 months, though entities with existing CMA licenses for conventional securities activities have completed the process in as few as 8 months.
Sandbox Participants and Outcomes
Among the 19 sandbox participants as of March 2026:
- Graduated to full license (7): Primarily existing financial institutions adding digital asset capabilities, including Tadawul-affiliated entities and two fintech firms backed by Saudi venture capital
- Active in sandbox (9): A mix of domestic fintech companies, international digital asset platforms seeking Saudi market entry, and joint ventures between Saudi banks and global technology providers
- Exited without license (3): Two entities withdrew due to capital requirements, and one was removed by CMA for compliance failures
The sandbox has attracted particular interest from entities focused on tokenized sukuk issuance and digital custody services, reflecting the market’s assessment that these will be the first high-volume digital asset activities in Saudi Arabia.
Sharia Compliance Integration
A distinguishing feature of the Saudi CMA framework is the mandatory integration of Sharia compliance into digital asset regulation. All Digital Asset Securities must obtain a Sharia compliance certificate from a CMA-approved Sharia board before issuance.
The CMA has published Sharia Compliance Guidelines for Digital Assets, covering:
- Token structure requirements — The underlying asset or cash flow must comply with Islamic finance principles, prohibiting interest-bearing instruments, speculative derivatives, and assets connected to prohibited industries
- Smart contract governance — Smart contracts governing token behavior must be reviewed by Sharia scholars for compliance with Islamic contract law principles
- Trading conduct — Secondary market trading of digital asset securities must comply with Islamic trading rules, including restrictions on short selling and requirements for asset-backed settlement
This Sharia integration creates additional compliance complexity but also positions Saudi digital asset securities as the default choice for Islamic institutional investors globally. The global sukuk market’s $820 billion outstanding volume represents a significant potential demand base for Sharia-compliant tokenized instruments. The CMA’s FinTech Lab — launched in 2017 — has issued 68 experimental permits as of Q2 2025, with 36 companies operational, 5 graduated to full licensing, and 50 companies currently registered in the Lab. Innovation areas span robo-advisory, crowdfunding, digital trading, investment fund distribution, debt instruments, and real estate investment platforms.
Enforcement and Penalties
The CMA has established a graduated enforcement framework for digital asset violations:
- Administrative penalties — Up to SAR 10M per violation for licensed entities
- License suspension or revocation — For material compliance failures
- Criminal referral — For fraud, market manipulation, or operating without a license
- Investor compensation — Mandatory compensation for investor losses caused by licensed entity failures
As of March 2026, the CMA has issued 4 administrative penalties related to digital asset activities, totaling SAR 12.3M. Three penalties were for unlicensed digital asset promotion to Saudi residents, and one was for a sandbox participant’s failure to maintain minimum capital requirements.
International Coordination
The CMA has signed memoranda of understanding with 11 international regulators specifically covering digital asset cooperation:
- Gulf regulators: UAE Securities and Commodities Authority, Central Bank of Bahrain, Qatar Financial Centre Regulatory Authority
- Asian regulators: Monetary Authority of Singapore, Hong Kong Securities and Futures Commission, Securities Commission Malaysia
- European regulators: BaFin (Germany), AMF (France), FCA (United Kingdom)
- International bodies: IOSCO, Financial Stability Board
These agreements facilitate information sharing on cross-border digital asset activities, regulatory arbitrage monitoring, and coordinated enforcement actions. The CMA’s participation in IOSCO’s Fintech Task Force has influenced several aspects of the Saudi framework, particularly around cross-border custody arrangements and investor protection standards.
Outlook: 2026-2028 Regulatory Roadmap
The CMA has published a three-year regulatory roadmap for digital assets, targeting:
- 2026: Launch of the regulated digital securities trading platform integrated with Tadawul infrastructure; expansion of sandbox to include DeFi protocol testing
- 2027: Introduction of tokenized government sukuk, enabling digital issuance of Saudi sovereign debt instruments; establishment of a digital asset SRO (Self-Regulatory Organization)
- 2028: Full integration of digital asset securities into the mainstream CMA regulatory framework, eliminating the distinction between conventional and digital securities regulation
This roadmap positions Saudi Arabia to have one of the most comprehensive digital asset regulatory frameworks in the Gulf by 2028, complementing the Kingdom’s broader Vision 2030 financial sector transformation objectives.
Industry Response and Market Assessment
The digital assets framework has drawn significant industry response since its Q3 2024 publication:
Positive Reception: Industry participants have praised the framework’s clarity on digital asset classification, the tiered sandbox approach, and the integration of Sharia compliance at the regulatory level. The availability of the ELDAP accelerated pathway for existing licensees has been particularly well-received, enabling institutions to add digital asset capabilities without duplicating their entire regulatory infrastructure.
Cost Concerns: The high capital requirements — particularly the SAR 50M minimum for trading platforms and SAR 100M for clearing entities — have been cited as barriers by smaller fintech firms. Several potential applicants have opted to launch initially in Bahrain or the UAE where capital requirements are lower, with plans to enter Saudi Arabia once they achieve scale.
International Benchmarking: IOSCO has cited the Saudi framework as a reference model for emerging market digital asset regulation, particularly noting the comprehensive disclosure requirements, the investor protection fund extension to digital assets, and the graduated enforcement approach. The framework’s treatment of digital asset custody — with its 95% cold storage mandate and quarterly proof-of-reserves — has been described as the most protective in any G20 jurisdiction.
Talent Demand: The framework’s implementation has created significant demand for regulatory, compliance, and technology talent in Saudi Arabia. Fintech Saudi estimates that the digital asset sector requires approximately 500 additional qualified professionals by 2028, spanning legal, compliance, blockchain development, and Sharia advisory roles. Saudi university blockchain research programs are expanding to meet this demand.
FATF Alignment and International Regulatory Standing
The CMA Digital Assets Regulatory Framework benefits from Saudi Arabia’s FATF membership (since 2019) and G20 participation, which provide both international credibility and practical infrastructure for cross-border regulatory cooperation. The FATF’s 2024 mutual evaluation rated Saudi Arabia’s digital asset framework as “largely compliant” with Recommendations 15 and 16, placing the Kingdom among the top-rated jurisdictions globally for virtual asset regulation.
This FATF standing directly impacts the framework’s market attractiveness. International institutional investors routinely assess a jurisdiction’s FATF compliance status before allocating capital to digital asset markets. Saudi Arabia’s “largely compliant” rating — achieved on the framework’s first evaluation — provides international investors with independent assurance that the Kingdom’s AML/CFT standards meet global benchmarks.
The framework’s architecture reflects FATF principles at multiple levels: the travel rule implementation at SAR 3,750 threshold (below the FATF’s recommended $1,000 threshold), the mandatory blockchain analytics deployment for all licensed entities, and the beneficial ownership disclosure requirements that trace ownership to the ultimate natural person level. These provisions ensure that the Saudi framework not only meets current FATF standards but positions the Kingdom to comply with anticipated stricter requirements as the FATF continues to evolve its virtual asset guidance.
Saudi Arabia’s leadership in IOSCO’s Fintech Task Force — where the CMA co-chairs the Crypto-Assets Working Group — further embeds the Kingdom’s regulatory approach into emerging international standards. The CMA’s contributions to IOSCO’s 2025 recommendations on digital asset custody and investor protection have resulted in international guidelines that reflect key elements of the Saudi framework, including the 95% cold storage requirement and the tiered investor classification system.
Saudi Digital Academy and Workforce Readiness
The CMA’s regulatory framework implementation has been supported by the Saudi Digital Academy’s (SDA) specialized training tracks in blockchain regulation and digital asset compliance. SDA, operating under the Ministry of Communications and Information Technology, launched a dedicated “Digital Capital Markets” certification program in Q1 2025, training 120 regulatory professionals across CMA, SAMA, and Tadawul in the first year. The certification covers distributed ledger technology fundamentals, smart contract risk assessment, digital asset custody oversight methodology, and cross-border regulatory coordination protocols.
The Elm Company — Saudi Arabia’s leading digital solutions provider and a PIF portfolio company — has contributed digital identity infrastructure that underpins the framework’s investor protection requirements. Elm’s Nafath digital identity platform provides the biometric verification layer used by all 34 CMA-licensed digital asset entities for investor onboarding, enabling consistent KYC standards across the ecosystem. The integration of Elm’s identity infrastructure with the CMA’s AML/CFT framework demonstrates the institutional depth supporting Saudi Arabia’s digital asset regulatory architecture — the framework operates not in regulatory isolation but within a comprehensive national digital infrastructure that includes government digital identity, open banking APIs, and real-time payment systems.
For institutional inquiries regarding CMA licensing: info@sauditokenisation.com