Understanding DAC8
DAC8 reporting requirements
Who must report under DAC8, what information is collected and how due diligence works.
Updated
Short answer
DAC8 requires reporting crypto-asset service providers to identify reportable users, determine tax residence, collect tax information and report annual crypto-asset transaction information to a competent EU tax authority. The information can then be exchanged automatically between EU Member States.
DAC8 is the European Union reporting route. CARF is the OECD global model behind similar automatic crypto-asset tax reporting outside the EU.
Key facts
| Question | Answer |
|---|---|
| Who reports? | Reporting crypto-asset service providers and operators in scope |
| Who is reportable? | Users, and in some cases controlling persons, whose tax residence makes them reportable under DAC8 |
| What is reported? | Identity (name, home address, date of birth), tax residence, TINs, crypto-asset types, values, transaction categories and transfers |
| Where does data go? | Provider to a competent EU tax authority, then through automatic exchange to relevant Member States |
| When does it apply? | Core DAC8 crypto reporting rules apply from 1 January 2026, with first exchanges following in 2027 |
| Why it matters | DAC8 turns regulated crypto services into automatic tax-reporting collection points |
Providers
The obligation can apply to exchanges, brokers, custodians, payment services and other providers that effectuate or facilitate reportable crypto-asset transactions.
This is broader than a narrow “exchange only” rule. The practical question is whether a provider or operator is in scope because it carries out or facilitates reportable crypto-asset services for reportable users.
Users
Reportable users are users whose activity falls within the DAC8 reporting scope, including users resident for tax purposes in an EU Member State.
Entity structures can also matter. In some cases, reporting can involve controlling persons of an entity, not only the immediate account or service user.
Transactions
DAC8 can cover acquisitions and disposals of reportable crypto-assets, crypto-to-fiat exchanges, crypto-to-crypto exchanges, transfers and other reportable transaction categories implemented through covered providers.
Self-custody is not the same as provider reporting. A private wallet does not itself become a reporting service provider merely because it exists. But transactions involving a reporting service can create reportable data points that connect a person, a tax residence and crypto activity.
Reported data
Reported information can include customer identity (name, home address, date of birth), tax residence, tax identification numbers, transaction categories, values, dates, units, counts and transfers.
The most sensitive issue is the combination of identity and crypto activity. When civil identity, tax residence, transaction values and potentially distributed-ledger information are linked, the resulting dataset is more exposed than ordinary financial reporting.
Due diligence
Reporting providers must collect and verify information needed to determine whether a user is reportable. That can include self-certifications of tax residence, consistency checks against information already held by the provider and procedures for updating user records.
The provider operational process
DAC8 imposes a complete operational chain: identify the user, determine tax residence, collect the relevant information (including self-certifications), check its consistency and reasonableness, classify and aggregate transactions, then report the data annually to the competent authority in a structured format. This annual reporting turns commercial and operational data into transmissible tax data, so as to enable automatic exchange between tax administrations.
Crypto-asset service providers (CASPs) thus become international tax-compliance infrastructure. The provider is no longer only a trading or custody service: it becomes a data collection and reporting node connected to national tax administrations. It must integrate collection, verification, classification and reporting flows into its systems. For businesses, this means new systems, customer workflows, controls and reporting formats.
This cost is not only technical. It changes the relationship between the user and the provider: using a regulated service becomes synonymous with automatic exposure. For users, crypto activity carried out through reporting providers becomes visible by default.
Exchange between authorities
DAC8 is not only a domestic reporting rule. A provider reports to a competent tax authority, and that authority can exchange relevant information with other EU Member States through the administrative cooperation framework.
That is why DAC8 should be understood together with CARF and the CARF countries list: the EU system is part of a wider move toward automatic international crypto tax reporting.
Risk
The problem is not the existence of tax reporting. The problem is the creation of a broad dataset that can expose crypto holders beyond tax administration.
For Bull Bitcoin, DAC8 is disproportionate because it normalizes mass collection before suspicion, investigation or individualized justification. A targeted information request can be justified in a concrete tax inquiry. Default automatic reporting of ordinary users is a different model.
The proportionality problem
A targeted request can be proportionate when it concerns an identified taxpayer. Automatic mass collection reverses the logic: everyone is collected first, then the data is possibly used afterwards.
It is this reversal that Bull Bitcoin challenges.