Skip to content
Resources

Policy Effects

DAC8 impact on crypto businesses

Compliance costs, reporting systems, sensitive data and economic incentives for crypto-asset service providers.

Updated

Short answer

For a crypto business, DAC8 is not just a tax form: it is an information-system, compliance, customer-support and risk-management project. The provider must identify reportable users, collect and verify self-certifications, apply tax-residence logic, aggregate transactions and produce structured reporting files, backed by retention policies and internal procedures. DAC8 also changes the security posture of the business: it concentrates larger volumes of identity-linked crypto data that users may hold the provider responsible for if the reporting systems become a source of exposure. The burden weighs more heavily on smaller firms, which favors market concentration, while some users are pushed outside the regulated perimeter, in direct contradiction with the goal of MiCA.

Key facts

DimensionWhat DAC8 imposes on the CASP
Technical costsIdentify reportable users, collect self-certifications, apply tax-residence logic, verify the consistency of the information, aggregate transactions, produce structured reporting files
Organizational costsDevelopment work, controls, audits, internal procedures, data-retention policies, customer support, coordination with tax administrations
Security postureHandle larger volumes of identity-linked crypto data; risk of being held responsible by users if the reporting systems become a source of exposure
Commercial costsRegulated providers may be seen as more exposing than unregulated channels; a deterrent effect that weakens the appeal of compliant actors
Market concentrationLarge platforms absorb costs more easily; small actors consolidate, cut their offering or leave markets; less diversity, more dependence on a few infrastructures
Contradiction with MiCACoherent policy should keep users inside the regulated perimeter; DAC8 pushes them to leave it

A technical project, not a form

Providers must identify reportable users, collect self-certifications, apply tax-residence logic, verify the consistency of the information, aggregate transactions and produce structured reporting files.

These obligations require development work, controls, audits, internal procedures, data-retention policies and coordination with tax administrations. They also draw in customer support, which becomes a point of contact on sensitive tax matters.

A new security posture

DAC8 changes the security posture of the business. The provider must handle larger volumes of identity-linked crypto data. If its reporting systems become a source of exposure, users may hold it responsible. The very data collected to comply becomes a risk to protect.

Commercial costs

Users may perceive regulated providers as more exposing than unregulated channels. This creates tension with MiCA, whose goal is precisely to draw activity toward a compliant, supervised perimeter.

If DAC8 compliance becomes a deterrent, it weakens the appeal of regulated actors.

Concentration risk

Larger platforms can absorb compliance costs more easily. Smaller actors can be pushed to consolidate, cut their offering or leave certain markets. The burden favors larger firms and pressures smaller compliant providers.

This dynamic can reduce the diversity of the European market and reinforce dependence on a few massive infrastructures.

The policy choice

Coherent public policy should encourage users to stay inside the regulated perimeter. DAC8 risks doing the opposite: making the compliant service more dangerous in terms of confidentiality and personal safety, and pushing some users toward services outside the regulated perimeter.