Regulation of Cryptoassets: EU vs EEA Countries

Updated on: April 24th, 2020

A Comparative Analysis of the Regulation of Cryptoassets in EU & EEA countries:

The Sandbox

The Financial Conduct Authority (FCA) has established the following initiatives with the aim of promoting and supporting innovation, while at the same time providing new opportunities for investors willing to participate in the crypto-assets sector:

  • Regulatory Sandbox
  • Direct Support
  • Advice Unit
  • Green Finance cohort engagement

The Regulatory Sandbox is a structured and controlled environment set up by the FCA, where firms willing to participate in the UK crypto-assets sector can apply and live-test their innovations under the regulator’s supervision. In this way, regulations can be created to meet the needs of customers, investors and innovators alike. The Sandbox thus aligns compliance with regulation whilst avoiding overregulating the sector, providing regulatory certainty which will attract the attention of potential applicants. It also attracts the attention of different players, since the Sandbox offers protection to the customers, innovators, regulators and investors willing to partake in the industry by operating in a safe and supervised environment. FinTech firms from other EU member states also use the Sandbox as a passporting mechanism for their business to the UK. EU firms may still apply to engage and operate in the Regulatory Sandbox even in the event that the UK leaves the EU, although the passporting right conferred by membership within the EU may potentially be affected by Brexit.

Participation in the Sandbox is a four-step process, which involves:

  • Application
  • Authorisation
  • Testing
  • Exit

Eligibility Criteria

The FCA has also set up a list of criteria which need to be satisfied for a firm to be considered eligible to apply to operate from the Regulatory Sandbox. The only institutions eligible to apply to operate in the Sandbox are those which do not fall under any authority other than the FCA. The criteria for eligibility include:

  • The intention for the innovation to operate in the UK market;
  • The innovation being offered is new or significantly different from other offerings in the market;
  • The innovation offers benefits to consumers and promotes healthy competition in the market;
  • The innovation does not fit in the existing legal framework and thus needs added regulation;
  • The firm has set up a testing plan and clear objectives, with sufficient safeguards to protect consumers.


Any eligible firm, whether licensed or not, is allowed to partake in the Sandbox so long as it meets the eligibility criteria. Thus, the firm need not be a licensed entity to operate from within the Sandbox. This is so that any new firms can work on and test their innovations within a safe and regulated environment. The Sandbox itself does, however, grant authorisation, tailored for each firm, to work within it through its cohorts. It sets out a list of cohorts or categories under which the firms can fall according to their area of business. The firms are put in their respective cohorts after being chosen for testing depending on their sector, the size of the firm, and their location.

The Global Sandbox

The FCA, along with 11 other financial regulatory bodies, has also set up the Global Financial Innovation Network (GFIN), which is based on the concept of a Global Sandbox. The main functions of the GFIN include:

  • Acting as a network for other regulators to collaborate and share experience of innovation in their respective markets;
  • The provision of a forum for joint policy work and discussions;
  • The provision of an environment which could test cross-border solutions for firms.


Exchanges fall within the scope of regulations for derivatives because there are no laws regulating exchanges of tokens or the licensing of exchanges in the UK legal framework at present. This does not mean that the exchange of tokens does not require authorisation from the FCA. Exchanges under the UK legal framework require registration with the FCA under the scope of these regulations. The regulations for derivatives require that any financial instrument falling under the scope of these regulations needs to be registered and authorised by the FCA. Any gains or losses of cryptocurrencies made by investors are also subject to capital gains tax.

Liechtenstein – Regulation of Cryptoassets

The aim behind the recent Acts enacted in Liechtenstein with regards to blockchain and crypto-assets was not only to facilitate innovation, but also to make laws which will remain applicable for future technology generations. It is for this reason that the Blockchain Act is addressed to ‘transaction systems based on trustworthy technology’ (TT systems). The Acts set higher standards in the crypto-industry by not only regulating it, but also enabling a holistic legal framework. The goal is to ensure user and service provider protection and to build trust in digital legal regulations.

Licensing Requirements

The Blockchain Act also proposes to regulate tokens and the exchange of tokens in a legally secure manner, thus tapping the token economy to its full potential. Tokens are considered as representations of financial instruments and are consequently regulated as such in the Liechtenstein legal framework, triggering the supervision of the Financial Markets Authority and corresponding licensing obligations. Licensing obligations exist on a case-by-case basis, depending on the type of business model, functions, and relevant criteria of the token. Tokens used as a method of payment are not covered under the scope of the regulation, and thus do not have any special statutory licensing obligation. The different types of licenses are applicable to the following offerings:

  • Regulated Security Token Offerings (STO)
  • Initial Public Offerings (IPO)
  • Initial Coin Offerings (ICO)
  • Other token sales

Book-entry systems have also been accepted in Liechtenstein law, and book-entry securities in dematerialised form can be replaced by entry into a book-entry register. In this way, securities can be represented by means of a physical certificate, even if being used on a TT system.


The Blockchain Act was also developed to assist exchange transactions on a blockchain platform. Legal certainty in relation to the exchange transactions on a blockchain platform was achieved with the help of a high degree of standardisation and high-quality requirements with respect to the intermediary. The term ‘virtual currency’ in the Act is understood to mean digital monetary units which, although they do not qualify as a legal tender, can be exchanged for a legal tender or be used as methods of payment as a store of value.

Any exchanges performed from fiat currency to cryptocurrency need to be reported to the FMA, so that the Due Diligence Act may be applied. The Liechtenstein Due Diligence Act (SPG) essentially aims at combatting terrorist financing, money laundering and organised crime. It mainly applies in instances where a commercial exchange from fiat currency to cryptocurrency is performed. The reason behind this is that this activity would qualify as a currency exchange, thus falling under the scope of the Act. On the other hand, exchanges between cryptocurrencies are viewed as a normal currency exchange, and thus the Due Diligence Act does not apply to such exchanges.

The Act also speaks of the role of the currency exchange office, which oversees the exchange of virtual currencies and tokens, both in cases of exchange between tokens or virtual currencies, and also exchanges between tokens or virtual currencies and fiat. The Liechtenstein Due Diligence Act (SPG) defines the office of the ‘bureau de change’ as the natural or legal body whose activity consists of the exchange of virtual currencies against a legal tender, or vice versa. Since this office is defined in the SPG, and includes the exchange of virtual tokens against legal tenders as part of its definition, it can thus be said that the exchange of tokens and virtual currencies falls under the scope of anti-money laundering, organised crime, and anti-terrorist financing regulations of Liechtenstein, thus promoting more regulatory certainty. This definition also confirms the legal status of tokens and virtual currencies in Liechtenstein, whilst also confirming that they can assume the function of a legal tender or as a store of value. The FMAG also specifies that the currency exchange office is subject to the supervision of the FMA. The Act also sets out the role of a TT Exchange Office Operator, who is in charge of disclosing the current market prices of exchange tokens and crypto-exchanges against legal tenders.

There seems to be no licensing regime for exchange of tokens in Liechtenstein.

Token Economy

The main aim of the Blockchain Act is to establish a solid foundation for the token economy found in Liechtenstein by increasing legal certainty and offering more consumer protection. The concept of token economy is largely based on transactions and the ability to reproduce transactions efficiently. Efficient transactions are also based on trust of the users in both the companies who provide the service, and the TT platforms. The trust must also extend to the service providers in relation to the creation of tokens and the transactions. The full potential of the token economy cannot be reached without the trust of its participants. The classification of tokens also plays a major role in the establishment of the token economy.  This is because the token economy can cover both digital tokens and also rights arising out of contracts or physical objects, and thus there must be a clear distinction between the different types of tokens, which are classified as such:

Estonia – Regulation of Cryptoassets

Estonia is considered to be very advanced in relation to the implementation of blockchain systems and cryptocurrencies. It intends to support innovation in the financial and financial instrument industry by adopting a technologically-neutral approach towards these innovations while creating new opportunities for issuers and investors alike.

Applicable Law

Estonia regulates cryptocurrencies in an open and technology-neutral manner, with the aim of facilitating innovation in the crypto-assets industry. Although crypto-assets do not have the same legal status as fiat currency in Estonia, they can be exchanged amongst persons or be used as a means of payment. There is no specific Act or Regulation in Estonia’s legal framework dealing explicitly with crypto-assets and cryptocurrencies. Because of this, the legal nature of cryptocurrencies in the Estonian legal system remains unsettled, so much so that the framework does not provide a clear definition of the term ‘cryptocurrency’. There is also no case law that indicates the position of cryptocurrencies in Estonian law, and this could lead to some legal uncertainties for issuers.

Estonia’s crypto-asset industry depends heavily on the recently enacted anti-money laundering (AML)/counter-financing of terrorism (CFT) regulation, and the MLTFPA is the main source of legislation in the industry. This being the main source of law has posed certain problems in the past, especially with regards to the exchange and trade of virtual currencies or tokens. One case involved Otto de Voogd, the proprietor of a platform on which Bitcoin was traded. De Voogd brought action against the Estonian FIU because the Estonian version of the platform was halted on the ground that the FIU requested information on all the platform’s clients. The question arose regarding whether Bitcoin trading falls under the remit of Estonian AML/CFT regulations, and whether Bitcoin exchange providers fall under the definition of ‘alternative means of payment service provider’, as defined in the AML/CFT regulation. This case did provide a better insight into the applicability of AML/CFT laws to issues dealing with cryptocurrencies and other financial innovation, but since these regulations do not specifically deal with cryptocurrencies and crypto-assets, there are still some regulatory gaps which could potentially pose legal problems for issuers and investors alike.

Implementation of Decentralised Technology

The entire digital infrastructure found in Estonia is based on X-Road, which is an e-solution platform on which a full range of services is provided to both the public sector and the private sector. It is a decentralised and open-source database which connects multiple information systems across the country. However, even though X-Road is not a centralised network and uses cryptographic hash networks, it is not a system based on a blockchain. The Estonian government has nevertheless developed KSI, which is a blockchain platform, with the aim of eliminating system administrators and any breaches caused by hackers. It is currently being used for government data registries, such as in hospitals and courts, but this system has still not been applied to the private sector instead of X-Road. Many consider Estonia to be at the forefront of blockchain and decentralised technology due to projects like KSI and X-Road.

Position on ICOs and STOs

Initial coin offerings in Estonia are mainly regulated by the EFSA, which issued unofficial guidelines on ICOs. These guidelines categorise ICOs into two categories:

  • Category 1: tokens that generate profit
  • Category 2:
      • Payment tokens
      • Charity tokens
      • Utility tokens

The EFSA has also specified that if a token falls under the definition of ‘security’ as stipulated in the Securities Markets Act and represents a unitholder’s share in the assets of a common fund, then that shall be considered as an STO. If this is the case, it will then be required to register a respective prospectus with the EFSA. The STO must fall under one of the following categories to be registerable with the EFSA:

  • An offer of securities is addressed solely to qualified investors
  • An offer of securities is addressed to fewer than 150 persons per Contracting State, other than qualified investors
  • An offer of securities is addressed to investors who acquire securities for a total consideration of at least 100,000 euros per investor, for each separate offer
  • An offer of securities with the nominal value or book value of at least 100,000 euros per security
  • An offer of securities with a total consideration of less than 2,500,000 euros per all the Contracting States in total calculated in a one-year period of the offer of the securities.

We can thus conclude that the Estonian regime on crypto-assets is riddled with many regulatory gaps, which leave a lot of room for legal uncertainty. While Estonia is still more developed in terms of their implementation of blockchain and decentralised technology, they have not yet established a clear framework for crypto-currencies.

France – Regulation of Cryptoassets

A new regime for Digital Asset Service Providers (DASPs) is being introduced in France which will regulate entities offering services related to digital assets which are not financial securities or currencies; financial instruments are thus excluded from this regime. The French regulator in charge of regulating crypto-assets is the Autorité des Marchés Financiers (AMF).

The categorisation of Service Providers

Services are divided into 5 categories:

  • Store digital assets or private cryptographic keys on behalf of third parties.
  • Buy or sell digital assets against legal currencies.
  • Exchange digital assets against other digital assets.
  • Manage a trading platform for digital assets.
  • Various services such as portfolio management of digital assets on behalf of third parties, advice to subscribers on digital assets and underwriting of digital assets.

The first two categories must be registered, while obtaining a licence for the rest of the categories is optional.

The following list outlines the DASP categories under the French regime:

  • Category 1: Store digital assets or private cryptographic keys on behalf of third parties.
  • Category 2: Buy or sell digital assets against legal currencies.
  • Category 3: Exchange digital assets against other digital assets.
  • Category 4: Manage a trading platform for digital assets.
  • Category 5: Various services such as advice to subscribers on digital assets.
  • Category 5: Various services such as reception and transmission of orders on digital assets on behalf of third parties.
  • Category 5: Various services such as portfolio management on digital assets on behalf of third parties.

A distinction is drawn between Categories 2 and 3: exchanging digital assets against fiat currencies under Category 2 requires mandatory registration, whilst exchanging digital assets against other digital assets under Category 3 does not require registration.


Dealings which do not occur on an exchange take place over-the-counter (OTC), typically through brokers. Category 4 of the French framework envisages a broker-dealer service, as the manager of the trading platform can engage his own capital.

Furthermore, a brokerage service is also envisaged under Categories 2 and 3 of the French framework. Reception and transmission of orders and portfolio management are provided under Category 5 of the French regime.

Licensing Requirements

With regards to services under Categories 1 and 2 which are subject to mandatory registration, the AMF must verify that senior managers and shareholders are of good repute and competence through obtaining documents such as identification, a Curriculum Vitae and a statement that they are not the subject of a criminal conviction or a prohibition to engage in an activity. The AMF must also verify that the DASP has AML/FT procedures in place. DASPs which apply for an optional licence must provide the AMF with documents such as identification, proof of competence and good repute of senior managers and shareholders and financial information.


The French regime stipulates various obligations which all licensed DASPs must fulfil. The French regime provides that DASPs must have an adequate security and internal control system, and a secure computer system.

The framework requires management of conflicts of interest and also requires communication of clear and accurate information to the client, with whom there must be a written agreement.

The French regime also stipulates specific obligations applicable to each category of services. For example, DASPs providing services under the first category must set out a safekeeping policy and ensure that digital assets kept on behalf of clients are returned without delay.

Under categories 2 and 3, DASPs must, namely, set out a non-discriminatory commercial policy, publish a firm price of the digital assets or the pricing method applicable to the digital assets, and publish the volumes and prices of the transactions completed. Under category 4, the framework sets out specific obligations when managing a trading platform for digital assets. Under the French regime, DASPs must set out functioning rules, ensure fair competition, and publish the details of the orders and transactions completed on the platform.


In the event of non-compliance, the AMF may hand down sanctions and withdraw licenses. The AMF may also publish a “blacklist” of DASPs that do not comply with the regulations and may block websites offering fraudulent services in digital assets.

The optional nature of this licensing provides a degree of flexibility on the one hand and security of the financial market on the other; however, it could potentially pose certain risks. For example, reception and transmission of orders and portfolio management are equivalent to traditional brokerage services. When these services are unregulated, investors risk financial loss without the option of compensation.

Gibraltar – Regulation of Cryptoassets

DLT activities in Gibraltar are regulated under the DLT Regulatory Framework which came into force on January 1st 2018. Entities seeking to provide services involving the use of distributed ledger technology (DLT) for “storing or transmitting value belonging to others” must be licensed by the Gibraltar Financial Services Commission (GFSC). Thus, cryptocurrency exchanges must be regulated in Gibraltar. The framework, however, is limited to the provision of such services. Thus, other activities which fall outside the remit of this definition, such as Initial Coin Offerings (ICOs), are currently not regulated. Security tokens fall within the remit of the definition of a security with regards to their promotion and sale and are thus regulated; however, utility tokens and payment tokens are not captured by any regulatory framework.

The regulations are based on nine core principles which provide that DLT service providers must:

  • Conduct their business with honesty and integrity.
  • Pay due regard to the interests and needs of customers and communicate with them in a way that is fair, clear and not misleading.
  • Maintain adequate financial and non-financial resources.
  • Manage and control their business effectively, and conduct business with due skill, care and diligence; including having proper regard to risks to its business and customers.
  • Have effective arrangements in place for the protection of customer assets and money when responsible for them.
  • Have effective corporate governance arrangements.
  • Ensure that all systems and security access protocols are maintained to appropriate high standards.
  • Have systems in place to prevent, detect and disclose financial crime risks such as money laundering and terrorist financing.
  • Be resilient and have contingency arrangements for the orderly and solvent wind down of its business.

The reason behind a principle-based approach is to allow flexibility and innovation in light of the fact that development is rampant in the sector; however, this does not provide legal certainty.

Licensing Process

Before applying for a licence from the GFSC, firms must first consult with the Risk and Innovation team to determine whether the proposed business plan falls within the remit of the DLT framework. Through this pre-application engagement, the GFSC advises the prospective applicants regarding the authorisation process and the application proposal.

Firms must then submit an initial application assessment against a fee of £2,000. At this stage, the GFSC analyses the risks associated with the proposed business and the complexity category of the business by considering several factors such as:

  • The use of DLT;
  • Whether smart contracts will be employed;
  • Whether there will be provision of brokerage services;
  • The target market;
  • Interplay with other regulations such as the provision of other regulated or unregulated services;
  • Exposure to money laundering or financing of terrorism; and
  • The size of the proposed project.

Upon assessment, the GFSC categorizes the business into one of the three complexity categories and establishes the price for the full application accordingly. The applicable fees are as follows:

The determination of the category is completely at the discretion of the GFSC on the basis of the factors mentioned above.

Once the fee is paid and the full application is submitted, the applicant will be required to deliver a presentation to show how they intend to comply with the GFSC’s requirements. The presentation must include details on the skills and experience of the business’s key people, the business plan and proposed product, financial projections, and the strategy which will be used to satisfy the nine core principles of the regulation. The application is then assessed, and the final decision is communicated to the applicant. Once the licence is granted, licensed DLT Providers must comply with all ongoing obligations.

The Government of Gibraltar and the GFSC jointly issued a press release in February 2018 stating that legislation is currently being drafted for the regulation of tokens and services ancillary to such including sale and distribution, secondary market activities and provision of investment advice. The proposed regulations will include, namely, rules for disclosure of information to prospective token buyers and specific measures regarding AML/CFT. The bill was expected to be proposed to Parliament in the second quarter of 2018, however it has not yet been promulgated.

Switzerland – Regulation of Cryptoassets


Switzerland’s outlook on cryptocurrencies is quite positive, with a dedicated ‘blockchain/ICO working group’ set up by the Swiss Federal Government to ensure that the country is kept abreast of developments in the sector. The Financial Market Supervisory Authority (FINMA) issued a series of statements with the intention of regulating the landscape, including the publication of guidelines on the regulation of ICOs in February 2018. Furthermore, the Swiss Federal Council launched a public consultation on the draft law titled ‘Federal Act on the Amendment of Federal Laws in light of the Developments regarding DLT’, which is expected to be promulgated in January 2020. However, as yet, there is no ad hoc legislation which specifically regulates DLT assets.

The following analysis is based on the ‘Guidelines for enquiries regarding the regulatory framework for initial coin offerings (ICOs)’ issued by FINMA.

FINMA categorizes tokens into three categories, based on their underlying economic function:

  • Payment tokens: tokens which are intended to be used, now or in the future, as a means of payment for acquiring goods or services or as a means of money or value transfer. Cryptocurrencies give rise to no claims on their issuer.
  • Utility tokens: tokens which are intended to provide access digitally to an application or service by means of a blockchain-based infrastructure.
  • Asset tokens: represent assets such as a debt or equity claim on the issuer. In terms of their economic function, therefore, these tokens are analogous to equities, bonds or derivatives. Tokens which enable physical assets to be traded on the blockchain also fall into this category.

A token may fall within more than one category; asset and utility tokens can also have characteristics of payment tokens. Such hybrid tokens would be subject to the requirements of both categories.

ICOs are subject to regulation based on whether the tokens on offer are classified as securities, based on the definition in the Financial Market Infrastructure Act: “standardised certificated or uncertificated securities, derivatives and intermediated securities, which are suitable for mass trading.” In order to be suitable for mass trading, securities must be publicly offered for sale in the same structure and denomination or be placed with more than 20 clients, insofar as they have not been created especially for individual counterparties. Derivatives are defined as “financial contracts whose value depends on one or several underlying assets and which are not cash transactions”. Although tokens are not classified as certificated securities, certain types of tokens can be classified as uncertificated securities, derivatives or intermediated securities. If tokens are classified as such, then they are subject to regulation under financial market law.

Payment tokens are not considered as securities since their function is one of payment and they do not have any characteristics pertaining to traditional securities. Utility tokens are also not classified as securities if their sole purpose is to grant digital access rights without having any features of an investment and no connection with capital markets. If the purpose or one of the purposes of a utility token is investment, then it is considered as a security. Asset tokens are considered as securities if they represent an uncertificated security or a derivative and are standardised and suitable for mass trading. Classification of a token as a security, however, is not automatic due to the flexible nature of tokens which allows various forms, for example hybrid tokens. Furthermore, the time of issuance of tokens has a bearing on this classification. Tokens issued during the fundraising phase of an ICO might constitute securities, while the same tokens might no longer be considered as such after funds have been raised.


Currently, there is no specific legislation regulating ICOs. Certain legislation might still be applicable depending on the particular type of token:

  • If the funds raised through an ICO are treated as deposits, a banking licence is required.
  • If the funds raised through an ICO are managed by third parties, then the provisions of the Collective Investment Schemes Act apply.
  • If payment tokens are issued through an ICO which can be transferred on a blockchain, at the time of the ICO or at a later date, then the provisions of AMLA apply. This imposes certain requirements such as establishing the identity of the beneficial owner, and affiliating to a self-regulatory organisation or being subject to supervision by FINMA.
  • If the tokens issued through an ICO constitute securities, then securities regulation applies; however, under the Stock Exchange Act (SESTA) uncertificated securities are unregulated, and thus authorisation is not required.
  • If the tokens issued through an ICO are derivatives in the form of securities, then regulations apply and authorization as a bank or securities firm is required.
  • If the tokens issued through an ICO classify as equities or bonds, prospectus requirements may apply.

Service Providers

The following table outlines the legal obligations of different financial institutions:


Authorisation of operation of an exchange as a financial market infrastructure is only required if the tokens being traded are classified as securities, such as asset tokens. Non-security tokens such as payment tokens do not impose this requirement. If the exchange involves the trading of payment instruments, then the provisions of the Anti-Money Laundering Act (AMLA) apply.

‘Federal Act on the Amendment of Federal Laws in light of the Developments regarding DLT’

The proposed legislation, which is expected to be promulgated in January 2020, will regulate secondary markets for security tokens. One of the proposals is the introduction of ‘DLT securities’; a new class of uncertificated securities which will be subject to similar regulations as certificated securities, with the aim of enhancing the issuance and transfer of tokens which have similar characteristics to traditional instruments. Payment and utility tokens can also be classified as DLT securities if they represent a claim. Some of the requirements which will be imposed include registration of the DLT securities onto a DLT register, which must provide data integrity and functional safety.

Another proposal is the introduction of a new licence category for ‘DLT trading facilities’ which allow multilateral trading of DLT securities between market participants and non-discretionary conclusion of contracts. DLT trading facilities will require licensing from FINMA. Unlike traditional financial market infrastructures such as stock exchanges, a DLT trading facility must also admit natural persons and unregulated legal persons, apart from regulated firms. Licensing requirements are similar to those of stock exchanges; however, only DLT securities and tokens that do not classify as securities, such as payment and utility tokens, can be traded. DLT securities admitted to a DLT trading facility are still subject to insider trading and market manipulation rules in the same way as securities admitted to traditional trading venues. Another key proposal is related to bankruptcy, whereby cryptoassets in the custody of a bank can be segregated from the bankruptcy assets.


German law does not provide specific legislation to regulate cryptocurrencies. In February 2018, the German Federal Financial Supervisory Authority (BaFin) published an advisory letter on the ‘Supervisory classification of tokens or cryptocurrencies underlying “initial coin offerings” (ICOs) as financial instruments in the field of securities supervision’, with the aim of providing some clarity on the relevant legal implications. However, the letter was vague and the German regulatory landscape still fails to provide legal certainty. BaFin subsequently published an article titled ‘Blockchain Technology—Thoughts on Regulation’ which provides some clarity with regard to the classification of different tokens and pertinent regulation. The article provides the following definitions for the three identified classes of tokens:

Payment tokens

BaFin classifies payment tokens as financial instruments in the form of units of account. Units of account are not legal tender, but have the function of replacing currency in private payment. This classification implies that certain authorisation requirements pertaining to financial instruments might be applicable to payment tokens. Payment tokens might require authorisation if they are used for purposes other than payment. Financial services involving payment tokens might thus require licensing. Furthermore, certain obligations are imposed, such as due diligence requirements, establishing internal safeguards and record-keeping.

Equity tokens

A token may be classified as a financial instrument based on the definitions found in the German Securities Trading Act and MiFID II. A token may be classified as:

  • A security;
  • A unit in a collective investment undertaking;
  • A capital investment; or
  • An underlying asset for a derivative contract.

In order to be classified as a security, a token must satisfy the following criteria:

  • Transferability;
  • Negotiability on a financial or capital market;
  • Embodiment of rights in the token representing shares or claims; and
  • Not meeting the requirements of an instrument of payment.

Tokens which are classified as securities are subject to the capital market law requirements for securities. This entails specific obligations such as publishing a prospectus pursuant to the Securities Prospectus Act and the EU Prospectus Regulation, and the rules pertaining to trading obligations and market supervision established in MiFIR.

Utility tokens

Pure utility tokens, which solely provide for the acquisition of goods or services and not financial compensation, are not subject to regulation. If such tokens take a hybrid form, for example by combining features of payment and securities tokens, an in-depth assessment must be carried out, and the token might subsequently be classified as a unit of account and financial instrument, thus being subject to the pertinent regulations.

Service Providers

Provision of services involving tokens may require authorisation as a banking business, namely as:

  • Principal brokering services;
  • Underwriting business; or
  • Financial services which include, inter alia:
    • Investment broking;
    • Investment advice;
    • Operation of a multilateral or organised trading facility;
    • Contract broking; and
    • Portfolio management.

The authorisation requirement for such services largely depends on whether the token involved in the service qualifies as a financial instrument in terms of the German Banking Act. The definition found therein has a wider scope than the definition found in the German Securities Trading Act, as it also captures units of account; payment tokens are thus classified as financial instruments. Entities seeking to provide services involving tokens should seek clarification from BaFin to avoid any risks, since the current framework does not provide legal certainty.

The legal position is evidently complex, and entities wishing to provide services involving cryptocurrencies must determine whether the cryptocurrency to be involved is classified as a financial instrument or a security under German law, as such a classification would require authorisation. Specific requirements arise depending on the type of activity to be undertaken. For example, with regards to ICOs, the German Capital Investment Code must be considered to determine whether the tokens constitute units or shares in investment funds. If the tokens qualify as such, then a license must be obtained under the aforementioned code.


There are currently no specific laws regulating the cryptocurrencies industry in Luxembourg. The reason behind this is that the government of Luxembourg was previously reluctant to include cryptocurrency regulations into their framework, as they were regarded as very volatile and not an actual currency. That being said, Luxembourg’s legislative attitude has developed into quite a progressive one, and the government has come up with incentives to support the development of the crypto industry in Luxembourg.

The CSSF & Licensing Obligations

The Commission de Surveillance du Secteur Financier (the CSSF) is the financial regulator of Luxembourg and is tasked with the regulation of cryptocurrencies; any type of financial instrument in Luxembourg falls under the scope of the CSSF. Thus, cryptocurrency service providers are bound by the same rules and requirements as other financial instruments, with such rules including AML/CFT reporting regulations, among other rules. The provision of any type of financial services must be licensed with the CSSF. ICOs are also subject to the current existing laws regulating financial instruments, namely the AML/CFT regulations.

Cryptocurrency service providers thus require a payment institution license before they can trade or provide exchange services. This authorisation may be obtained from the Finance Minister. With the payment institution license, the cryptocurrency institution will then be classified as an e-money institution. The payment institution license is also attractive for investors due to its broad territorial compliance coverage. BitFlyer is also the first fully licensed payment service provider in Luxembourg, and is fully licensed with the CSSF.

Despite the movement towards integrating cryptocurrencies into Luxembourg’s legislation, there still remains a lot of uncertainty with regard to the implementation of cryptocurrencies into the finance industry. Cryptocurrencies have only quite recently been accepted as a means of payment in Luxembourg but are still not classified as legal tender. They are recognised only as an intangible asset, and not as an actual currency. The CSSF also seems quite wary of investments in ICOs, STOs and virtual tokens, and has issued multiple warnings with regard to them. The reasoning behind these warnings was that these assets are not backed by any central bank and thus lack regulation, certain business models lack transparency, and most cryptocurrencies are highly volatile.

Bill 7363

This Bill, which was issued in February 2019, sought to amend the 2001 law which regulated the circulation of securities in Luxembourg. The aim of the new law is to provide more transparency and added legal certainty to financial market participants, whilst reducing workmanship by removing intermediaries. The amendments set out facilitate the use of blockchain in the financial services sector, namely in the transfer of securities. The amendments now allow the account holders to record their securities in an electronic recording mechanism, including in a distributed electronic database such as blockchain.

The Bill acknowledges that a token stored in a blockchain represents a security, and thus proof of the possession of the token is also proof of the holding of a security. That being said, holding tokens on a blockchain platform as a security does not limit the applicability of the 2001 law relating to traditional securities, including certain principles pertaining to fungibility, location, validity and enforceability of collateral arrangements. The Bill also does not seek to regulate ICOs or STOs. This is because the amendment only governs the circulation and the holding of securities on a blockchain.

Taxation Matters

Cryptocurrencies are considered an intangible asset in Luxembourg, and are therefore taxed as such. Any revenue, expenses and costs generated by cryptocurrencies need to be determined in Euros with legal tender. Income from cryptocurrencies resulting from activities including mining, operation of online stock exchange, and vending machines of virtual currencies falls under the definition of commercial income, and is thus taxed as a commercial activity.

Funding Regime for Tokens

Many investors are seeking to set up an AIF in Luxembourg to store their tokens or cryptocurrencies. This is mostly because AIFs with funds that are under the threshold of €100,000,000 are not regulated in Luxembourg under the AIFMD. This means that such AIFs do not need a custodian, an auditor, a regulated manager and a bank account in Luxembourg. The AIF may also start operating without the consent of the CSSF, as it is not required to have prior approval of the regulator.

Unregulated alternative funds can be set up in Luxembourg as a Special Limited Partnership (SLP) under the AIFMD. The SLP is formed by a General Partner, who must be the person who founded the SLP, and a Limited Partner, who is required to be a professional investor as defined in MiFID II. An SLP can invest in any type of asset, including equities, bonds, loans, hedge funding, liquid instruments, etc. SLPs are also fully tax and VAT exempt.

In the process of setting up an AIF, a document needs to be prepared containing information related to the project details and timelines, the amount of capital required, the type of financial instrument to be used, such as virtual tokens, and the dividends to be paid to investors per token.

Alternatively, a token may also be structured in a way to qualify as a unit in an investment fund, and represent a unit in a collective investment undertaking.


The Maltese landscape is regulated by three principal acts:

  • The Virtual Financial Assets Act;
  • The Innovative Technology Arrangements and Services Act; and
  • The Malta Digital Innovation Authority Act.

The Maltese Virtual Financial Assets Act (VFAA) regulates Virtual Financial Assets (VFAs) which are defined as any form of digital medium recordation that is used as a digital medium of exchange, unit of account, or store of value and that is not electronic money, a financial instrument or a virtual token. The Malta Financial Services Authority (MFSA) is the competent authority which regulates VFA service providers.

The VFA Act stipulates that all VFA service providers must obtain a licence from the MFSA. The Second Schedule to the VFAA lists all licensable VFA services:

  • Reception and Transmission of Orders;
  • Execution of orders on behalf of other persons;
  • Dealing on own account;
  • Portfolio management;
  • Custodian or Nominee Services;
  • Investment Advice;
  • Placing of VFAs; and
  • The operation of a VFA exchange.

The VFA Rulebook issued by the MFSA lists the 4 classes of licenses which a prospective service provider must obtain:

  • Class 1: Licence holders authorised to receive and transmit orders and/or provide investment advice in relation to one or more virtual financial assets and/or the placing of virtual financial assets. Class 1 Licence Holders are not authorised to hold or control clients’ assets or money.
  • Class 2: Licence holders authorised to provide any VFA service but not to operate a VFA exchange or deal for their own account. Class 2 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.
  • Class 3: Licence holders authorised to provide any VFA service but not to operate a VFA exchange. Class 3 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.
  • Class 4: Licence holders authorised to provide any VFA service. Class 4 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA service.

Licensing Requirements

Applicants seeking to obtain a licence under the VFA Act must undergo the fitness and properness test. The assessment is applicable to qualifying shareholders, beneficial owners, directors, senior managers, the MLRO and compliance officers. The test is based on integrity, solvency, and competence. Chapter 3 of the VFA rulebook also stipulates initial capital requirements for each class of VFA Service Providers.

The VFA Rulebook stipulates that Service Providers must have risk management policies and procedures in place, and a risk management function which implements such policy. Licence Holders must also ensure that IT infrastructures ensure privacy and confidentiality, and security of stored data.

The framework also requires management of conflicts of interest, with the MFSA Rulebook expressly requiring a conflict of interest policy to be in place. The VFA Rulebook requires execution policies to provide the best possible results for clients who must be provided with adequate information on such policy.

The VFA Rulebook also stipulates specific requirements for different classes of licenses. For example, where a license holder is authorised to hold or control clients’ assets the Licence Holder must hold such assets in segregated accounts, among other obligations. Under Class 4, the framework sets out specific obligations when managing a trading platform for digital assets or VFAs. For example, it sets out obligations to ensure pre-trade and post-trade transparency. Pre-trade obligations include publishing current bid and offer prices, while post-trade obligations include publishing the price, volume and time of the transactions. Licence Holders must also issue clear and transparent bye-laws, similar to the functioning rules required under the French framework.


The VFAA defines Initial Virtual Financial Asset Offering (IVFAO) as “a method of raising funds whereby an issuer is issuing virtual financial assets and is offering them in exchange for funds”. Thus, under the Maltese framework, an IVFAO is the equivalent of an ICO. Chapter 2 of the VFA Rulebook issued by the MFSA provides the requirements and obligations which issuers of IVFAOs in or from within Malta must adhere to, which will be outlined hereunder.

General Requirements

An issuer must be a legal person duly formed in Malta, whose business must be managed according to the dual control principle; whereby at least two individuals direct or manage the business. The issuer must commence the IVFAO within 6 months from the date of registration of the whitepaper with the MFSA. Prior to the IVFAO, the Financial Instrument Test must be carried out in order to determine whether the DLT asset qualifies as a Virtual Financial Asset (VFA). An issuer must also draw up a compliance certificate and an AML/CFT Report on an annual basis. A Board of Administration must also be appointed which must monitor the issuer’s business. Furthermore, an issuer must appoint the following functionaries:

  • A Systems Auditor (where required);
  • A VFA Agent;
  • A Custodian;
  • An Auditor; and
  • A Money Laundering Reporting Officer (‘MLRO’).

Registration Process

In order to offer VFAs to the public in or from within Malta, the Issuer must register a whitepaper with the MFSA which complies with the requirements set out in the VFAA. The process for registration consists of the following steps:

  • Financial Instrument Test
  • Appointment of a VFA Agent
  • Fit and Proper Test carried out by VFA Agent on the issuer
  • Establishing a Cyber-Security Framework & secure I.T. infrastructure
  • Drawing up of whitepaper & smart contracts disclosure
  • Submitting the following documents to the MFSA:
    • Whitepaper and any supplementary documentation signed by the Board of Administration;
    • Copy of the Financial Instrument Test signed by the Board of Administration and endorsed by the VFA Agent;
    • Confirmation from the Systems Auditor that the Issuer’s Innovative Technology Arrangement complies with MDIA guidelines;
    • Annual audited Accounts for each of the last three (3) financial years, and/or if the Issuer is part of a Group – the consolidated accounts of the Group;
    • Certified copy of constitutional documents; and
    • Payment of whitepaper registration fees of €8,000.

Ongoing Obligations

The Issuer is subject to certain ongoing obligations, including:

  • Record Keeping for a minimum of 5 years which records must be accessible to the MFSA;
  • Annual filing of the following documents to the MFSA:
    • the Annual Compliance Statement submitted by VFA Agent on behalf of the Issuer;
    • the Audited Financial Statements; and
    • the Auditor Report.
  • Once the IVFAO is complete, the Issuer must draw up an Annual Compliance Statement and pay the Annual Supervisory Fees.

The Regulatory Sandbox

The MFSA has recently issued a set of Regulations which contain the initiative to implement a Regulatory Sandbox in the Maltese legal framework with the aim of supporting sustainable financial innovation and reducing regulatory uncertainty in the Maltese FinTech industry. The Regulations list a number of principles upon which the Regulatory Sandbox is being based, which include the following:

  • Fostering innovation;
  • Ensuring effective investor and consumer protection;
  • Enhancing the firm’s understanding of regulatory expectations;
  • Knowledge sharing.

Although the Regulatory Sandbox is not yet in operation, there are many advantages which applicants may gain from participating in the Sandbox. Such advantages include:

  • Testing and offering an innovation in a safe and contained space;
  • Safeguarding both the consumer and the service provider;
  • Providing an open dialogue between the Authority and the firm;
  • Allowing the Authority to regulate to meet the needs and wants of both the service provider and the consumer, without overregulating;
  • Firms being highly supervised by the Authority, thus posing fewer risks.

The key differences between the UK Regulatory Sandbox and the Maltese Sandbox are highlighted in the table below:

Jonathan Galea
Jonathan is regarded as a thought-leader in the industry. He’s also the CEO of BCA Solutions, a go-to crypto firm for all regulatory and governance-related matters. He is currently advising the Governments of Malta and Serbia, enabling companies such as exchanges and ICOs to set up in Malta through their VFA Agent license. He is a lawyer and a certified C developer. He also authored one of the world’s first legal theses on the subject, titled “The Effect of Bitcoin in Money Laundering Law”, in 2015. He is also the President and co-founder of Bitmalta, the first and the largest blockchain and DLT association in Malta. The one thing he loves about his job is going around the world and talking about how blockchain is the future and everyone needs to get on board. You can connect with Jonathan on Linkedin.

Akshara Singh

Good Comprehensive Answer! Thanks for sharing this wonderful article! Coinsclone.

Rahimuddin Alrashel

Resourceful informative written


Well written and easy to understand read.
