Who Must Report Under DAC8? Understanding Reporting Entities

DAC8 places its reporting obligations squarely on crypto-asset service providers (CASPs). But the directive's definition of who qualifies as a reporting entity is broader than many in the industry initially expected. This article examines exactly which entities must report, how the directive handles borderline cases, and what happens when a CASP operates across multiple jurisdictions.

The Core Definition: Reporting Crypto-Asset Service Providers

Under DAC8, a Reporting Crypto-Asset Service Provider is any entity that provides one or more of the following services:

Exchange services. Entities that facilitate the exchange of crypto-assets for fiat currency, or the exchange of one crypto-asset for another, on behalf of their clients. This covers centralized exchanges, over-the-counter (OTC) desks, and brokerages.

Custody and administration services. Entities that safeguard or administer crypto-assets on behalf of clients, or that provide the means to control those crypto-assets. This includes custodial wallet providers, institutional custody services, and any platform that holds crypto-assets in escrow or trust for its users.

Transfer services. Entities that provide services enabling the transfer of crypto-assets from one address or account to another on behalf of a client. This includes payment processors and remittance services that use crypto-assets as a transfer mechanism.

Advisory and portfolio management services. Under DAC8's alignment with MiCA, entities that provide advice on crypto-asset investments or manage crypto-asset portfolios on behalf of clients may also fall within the scope of reporting obligations, particularly if they also handle transaction execution or custody.

The MiCA Connection

DAC8 explicitly ties its definition of CASPs to the MiCA regulation. Any entity that holds or is required to hold a MiCA authorization is automatically within the scope of DAC8's reporting obligations. This means that the MiCA licensing process and the DAC8 compliance process are inherently linked — obtaining a MiCA license triggers DAC8 obligations, and failing to obtain a required MiCA license does not exempt an entity from DAC8.

This linkage has important implications. CASPs that are currently operating under national transitional arrangements pending full MiCA authorization should already be preparing for DAC8 compliance, as their reporting obligations will begin as soon as DAC8 takes effect on January 1, 2026, regardless of the status of their MiCA application.

Non-EU CASPs Serving EU Clients

One of DAC8's most significant provisions concerns CASPs that are not established in the EU but that provide services to EU-resident clients. Under the directive, these entities may be required to register in an EU Member State specifically for the purpose of DAC8 reporting.

This provision targets a common scenario in the crypto industry: platforms based in jurisdictions outside the EU that nonetheless have significant EU user bases. Such platforms cannot avoid DAC8 obligations simply by being incorporated outside the EU. If they serve EU-resident users, they must comply.

The registration requirement is triggered when the non-EU CASP provides reportable services to users who are tax residents of one or more EU Member States. The CASP must register in a single EU Member State (typically the one where it has the most users) and report from that jurisdiction.

Decentralized Protocols and Borderline Cases

DAC8's treatment of decentralized finance (DeFi) and decentralized exchanges (DEXs) is one of its most debated aspects. In principle, purely decentralized protocols with no identifiable service provider fall outside DAC8's scope, as there is no entity to bear the reporting obligation.

However, the directive's drafters were aware of this potential gap. DAC8 includes provisions that can capture entities that provide front-end interfaces to decentralized protocols, operate governance mechanisms for decentralized platforms, or receive fees or commissions from facilitating transactions on decentralized platforms. The determination of whether a specific DeFi arrangement triggers reporting obligations will depend on the degree of centralization, the existence of identifiable operators, and the nature of the services provided.

Member States may interpret these provisions differently, creating potential inconsistencies across the EU. CASPs operating in the DeFi space should seek jurisdiction-specific legal advice.

Crypto-Asset Operators

In addition to traditional CASPs, DAC8 introduces the concept of "Crypto-Asset Operators." This broader category captures entities that may not fit neatly into the MiCA classification of CASPs but that nonetheless facilitate reportable crypto-asset transactions. Examples may include peer-to-peer trading platforms that facilitate matching between buyers and sellers, crypto-asset ATM operators, and token issuers that facilitate secondary trading.

Multiple Jurisdictions and Avoiding Duplicate Reporting

CASPs that operate across multiple EU Member States face the challenge of avoiding duplicate reporting. DAC8 addresses this through the principle that reporting should occur in the Member State where the CASP is registered or authorized. For CASPs with multiple EU registrations, the directive provides mechanisms to coordinate reporting and prevent the same transaction from being reported multiple times.

The automatic exchange of information between Member States ensures that the tax authority of each user's jurisdiction of residence receives the relevant data, regardless of where the CASP submitted its report. This system relies on the proper collection of tax residency and TIN information from each user.

Obligations of Reporting Entities

Beyond the basic obligation to file annual reports, DAC8 reporting entities must implement and maintain robust due diligence procedures for all users, data collection systems capable of capturing all required information at the point of onboarding and throughout the customer relationship, transaction monitoring and classification systems that correctly categorize each transaction, reporting infrastructure that generates valid XML files in the required format, record-keeping systems that retain all reported information for the period required by national law (typically five to ten years), and internal controls to ensure the accuracy and completeness of reported data.

Consequences of Being a Reporting Entity

Being classified as a reporting entity under DAC8 carries significant operational implications. CASPs must invest in technology, processes, and personnel to meet their obligations. Failure to report, late reporting, or inaccurate reporting will expose CASPs to penalties that will be determined by each Member State.

Beyond penalties, non-compliance with DAC8 may also have implications for a CASP's MiCA authorization. Member States may consider DAC8 compliance as part of their ongoing supervisory assessment of licensed CASPs, meaning that reporting failures could ultimately threaten a CASP's ability to operate in the EU market.

Conclusion

DAC8 casts a wide net over the crypto industry. Any entity that provides exchange, custody, transfer, or advisory services for crypto-assets — whether based in the EU or serving EU clients from abroad — should assume that it falls within the directive's scope. Early assessment of reporting obligations, combined with proactive investment in compliance infrastructure, is the most effective strategy for managing the impact of this new regulatory reality.