‘We Are DeFi, so MiCA Does Not Apply to Us.’ Sorry, but EBA and ESMA Have a Different Point of View
MiCA Decoded is a 12-article weekly series for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies on MiCA licensing, CASP and VASP applications, and regulatory structuring across Europe and beyond.
This week’s entry has been written by Eira Järvi, Senior Lawyer at LegalBison, leading global regulatory research and the implementation of CASP licensing and other complex licenses. Eira actively implements global research into active client-facing products.
DeFi on the Rise
Decentralized finance has been on the rise in recent years. The crypto industry has been witnessing the emergence of new DeFi projects almost on a daily basis. New blockchain networks, protocols, and decentralized applications (dApps) are a staple of discussion among DeFi enthusiasts and in newsletters. These discussions revolve around the efficiency, transparency, composability, privacy, and accessibility of DeFi. With MiCAR (Markets in Crypto-Assets Regulation) coming into effect, many DeFi development teams are now contemplating expanding their projects into the EU markets.
However, within this context, one subject remains more pivotal than all others. How does the team ensure that the project they are building is legally compliant?
For most DeFi startups, the answer may seem simple: MiCAR contains an exemption for “fully decentralized” projects, and many startups confidently rely on it to justify launching their projects in the EU without seeking any legal guidance, let alone MiCAR compliance.
This article seeks to dispel the popular belief that if a project is decentralized enough, MiCAR is of no concern to the team. Sorry, but regulatory guidelines bust that myth!
The Myth: MiCA Doesn’t Affect DeFi and Non-Custodial Service Providers
Article 3(1), point 1 of MiCAR defines distributed ledger technology (“DLT”) as “a technology that enables the operation and use of distributed ledgers,” and point 2 defines “distributed ledger” as “an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism.”
Recital 22 of MiCAR provides the most critical guidance on DeFi’s relationship with the Regulation. It states that MiCAR is designed to encompass services and activities performed, provided, or controlled, whether directly or indirectly, by natural or legal persons and certain undertakings engaged in crypto-asset services, even in cases where decentralization is involved.
However, the Recital contains the following crucial language: “Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation.” The import of this provision lies within two key phrases: “fully decentralised” and “without any intermediary.”
The text of the Regulation itself does not define “fully decentralised” anywhere in its operative provisions. The only source of this term is within Recital 22, which forms part of the preamble rather than the legally binding formal provisions. Recital 83 further provides that “hardware or software providers of non-custodial wallets should not fall within the scope of this Regulation,” without explicitly defining the extent to which hardware or software provision constitutes a fully decentralized service excluded from MiCAR.
Recital 109 recognizes these interpretive challenges and assigns the development of draft regulatory and implementing technical standards to the European Banking Authority (“EBA”) and the European Securities and Markets Authority (“ESMA”).

In determining whether services fall within MiCAR’s scope, two conditions may be distilled from Recital 22 and subsequent regulatory guidance:
- First, no single entity may exercise control over protocol parameters, governance mechanisms, or the core technological infrastructure upon which the crypto-asset service operates.
- Second, users must access what amounts to a “common good resource” rather than purchasing services from a designated provider with whom a contractual service-provider relationship exists.
These conditions are critical for assessing whether any DeFi project falls within or outside the scope of MiCAR.
The Pitfall of Overestimating the State of Decentralization
In a world with rapidly emerging technologies, geopolitical instability, and the fragmented financial systems dependent on manual processes and intermediaries, DeFi presents a transparent and borderless solution that fundamentally changes the way transactions are initiated, processed, and executed. Instead of traditional financial system models where transactions must first pass through a number of intermediaries and institutional backends before being executed and settled, in DeFi, users transact by interacting directly with the underlying blockchain network through decentralized protocols and interfaces, thus eliminating the need for intermediaries and complex system infrastructures.
In the world of on-chain law, the line between full decentralization and the lack of it is thinner than it may seem. Before any work may begin, a lawyer working with a decentralized Web3 project will first determine whether the project may be considered decentralized by analysing and assessing the project’s layers, their state of decentralization, and the team’s plans for ownership and governance.
At this initial stage of legal strategizing, a lawyer must assess many technical and architectural elements to reach a definitive conclusion about the state of the project’s decentralization. While the team may be convinced that their project is fully decentralized in all its elements, such as the DLT, the protocol, and the dApp, the initial assessment may in reality reveal the opposite.
To accomplish the state of true, full decentralization, all elements of the project must meet the criteria of full autonomy and lack of internal or external influence throughout the project’s ecosystem and its many elements, including but not limited to governance, ownership, interfaces, etc., which, upon closer inspection, very few projects manage to achieve.
This takeaway may be best illustrated by a recent event in the DeFi world. On 21 April 2026, Arbitrum’s Security Council froze over 30 ETH (approximately USD 71M) associated with the Kelp DAO exploit. A governing body consisting of 12 members was able to react to the compromise by moving the funds into an intermediary wallet from which they can only be released through a governance vote, effectively locking the funds in that wallet.
This example points out the existence of discretionary operational control: even though Arbitrum is, by definition, a layer-2 permissionless and seemingly fully decentralized network, the exercise of control over the user assets is precisely what would fail MiCAR’s full decentralization test. Substance-over-form, in this case, determines the regulatory scope, regardless of the permissionlessness of the underlying ledger.

As such, a simple claim that a DeFi project is fully decentralized is not sufficient to rule out the obligation to comply with MiCAR and obtain a necessary authorization as a CASP. Lawyers will primarily assess the project’s technical architecture, the ownership logic, and the governance rules, meaning that they invoke the substance-over-form assessment over semantics. The European regulatory bodies, such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), fully support this approach.
ESMA’s and EBA’s Perspective on DeFi
The ESMA’s perspective on decentralized finance has evolved substantially through multiple consultation packages and, most significantly, through the Joint Report with EBA on Recent Developments in Crypto-Assets published on 13 January 2025 (ESMA75-453128700-1391 / EBA/Rep/2025/01), prepared pursuant to Article 142 of MiCAR.
ESMA’s reasoning on the spectrum of decentralization is foundational to this assessment. In its second consultation package on regulatory and implementing technical standards, ESMA proposed a definition of “permissionless distributed ledger technology” as “a technology that enables the operation and use of distributed ledgers in which no entity controls the distributed ledger or its use or provides core services for the use of such distributed ledger, and DLT network nodes can be set up by any persons complying with the technical requirements and the protocols.”
This definition draws from the Financial Stability Board’s consultative document, which distinguishes between permissionless (fully decentralized) DLT, permissioned DLT allowing a degree of centralization, and centralized platforms. The ESMA acknowledges that “the exact scope of this exemption remains uncertain” and considers that an assessment of each system should be made on a case-by-case basis, considering the features of the system.
ESMA recognizes that decentralization is not a binary concept but exists on a spectrum from centralization to varying degrees of decentralization: “With DEXs, the blockchain takes the place of the intermediary. DEXs use autonomous code (often referred to as smart contracts) to execute trades directly on the settlement layer of the blockchain (with differing degrees of decentralisation).”
The January 2025 Joint Report provides empirical data supporting the analytical framework. DeFi represents approximately four percent of the global crypto-asset market capitalization, with somewhat higher penetration rates observed among EU-based users. The Report confirms that very few DeFi systems achieve truly full decentralization in the manner contemplated by Recital 22. The Report identifies that even ostensibly decentralized protocols typically have identifiable entities that exercise varying degrees of control over governance, protocol upgrades, smart contract deployment, and fee structures.

Regarding hardware and software providers of CASP-ancillary services, the position emerging from ESMA’s guidance is that entities merely creating and selling software development tools, applications, or platforms for crypto-asset provision or trading are not automatically classified as CASPs if their activities are confined to the creation and sale of the said services.
However, entities overseeing the creation and development of software or platforms for providing crypto-asset services may be deemed CASPs if they retain control or sufficient influence over the crypto-assets, software, protocol, platform, or business relationships with users. The critical test is therefore one of control and influence rather than mere technological involvement.
The role of contractual relationships in defining full decentralization is further underscored by ESMA’s analysis of Article 73 of MiCAR, which pertains to the outsourcing of services or activities to third parties. ESMA concludes that there exists no legal basis to categorize permissionless DLTs used by CASPs as a third-party provider, as no formal contractual relationship is required to interact with permissionless blockchains. This leads to the significant conclusion that permissionless DLTs may be regarded as a form of “common good” resource, whereas permissioned DLTs operated by commercial enterprises typically entail formal contractual arrangements and therefore constitute a “third-party provider” relationship. This distinction is the backbone of the further assessment in this memorandum.
The Joint Report further addresses ML/TF risks and ICT considerations applicable to decentralized systems. The absence of traditional AML/CFT controls in purely decentralized systems presents significant regulatory concerns, as know-your-customer procedures and transaction monitoring are typically absent or incomplete. The Report notes that ICT risks are among the primary concerns, with a majority of DeFi-related financial losses attributable to smart contract vulnerabilities, oracle manipulation, and front-running attacks, including maximal extractable value (“MEV”) exploitation.
These risk factors, while not determinative of regulatory classification, inform the supervisory approach to entities operating at various points on the decentralization spectrum.
FATF Framework and Contractual Relationships
The FATF’s guidance on VASPs and DeFi provides a foundational analytical framework that has been adopted and further developed by ESMA. According to the FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (October 2021), a person who creates or sells a software application or a virtual asset platform may not constitute a Virtual Asset Service Provider when solely engaging in the creation or sale of the application or platform, with the emphasis on the word solely.
In cases where creators, owners, operators, or other individuals appear to maintain control or exert sufficient influence over DeFi arrangements, even if those arrangements appear decentralized, they may fall under the FATF definition of a VASP if they are providing or actively facilitating VASP services. Control or significant influence may manifest through control over assets or aspects of the service’s protocol, and through an ongoing business relationship between the operator and users, even if this control is exercised through a smart contract or, in some instances, through voting protocols.
The FATF’s reasoning lays the foundation for the assessment of decentralization under MiCAR by establishing two crucial principles:
- First, the owners and operators and their degree of control over DeFi can often be identified by their relationship to the activities being undertaken rather than by the labels applied to the arrangement.
- Second, partial centralization cannot be automatically excluded even if parties other than the main service provider are involved in the service or if portions of the process are automated through smart contracts.
The role of contractual relationships in the assessment of decentralization deserves particular attention. Article 73 of MiCAR, which pertains to the outsourcing of services or activities to third parties for the performance of operational functions, regulates how CASPs should address risks associated with third-party providers.
However, as the ESMA Second Consultation Paper acknowledges, there exists no legal basis to categorize permissionless DLTs used by CASPs as a third-party provider, because no formal contractual relationship, such as a service level agreement, is required to interact with permissionless blockchains. The ESMA concludes that permissionless DLTs may be regarded as a form of “common good” resource, whereas permissioned DLTs operated by commercial enterprises typically entail contracts available for white-labelled blockchain products, thereby constituting a third-party provider relationship.
This conclusion has profound implications for the regulatory assessment of platforms built on permissionless infrastructure. If a platform deploys smart contracts on a permissionless blockchain such as Ethereum, the use of that blockchain infrastructure does not, in itself, establish a third-party service provider relationship.
However, if the platform operator retains control over the smart contracts, can upgrade or modify their functionality, controls access to the front-end interface, or maintains administrative keys that can pause, freeze, or modify the protocol, these centralized elements bring the operator within the scope of MiCAR regardless of the permissionless nature of the underlying ledger.
The test is therefore functional rather than technological: it asks what control the operator actually exercises, not what technology the system is built upon.
Key Takeaways:
Taking the foregoing analysis into account, and in particular ESMA’s reasoning as set forth in the consultation papers and the January 2025 Joint Report, we are of the opinion that the following propositions hold true for the purposes of this assessment.
- First, as long as no individual or entity controls a DeFi protocol or platform and its usage, and no individual fulfills a fundamental and indispensable role in its operation without which the technology cannot be utilized, the DeFi protocol or platform may be deemed exempt from MiCAR’s scope of application by virtue of being “fully decentralised” within the meaning of Recital 22.
- Second, the mere development of software or auxiliary tools for CASPs is not considered a crypto-asset service unless additional MiCAR-regulated aspects, such as influencing the offer, sale, transfer, custody, or trading of crypto-assets, are included in the scope of activities undertaken by the developer.
However, the practical application of these principles to any DeFi project requires careful examination of its ecosystem’s actual governance and operational characteristics. In case a project’s architecture indicates centralized control over token issuance, protocol parameters, or ecosystem governance, it is unlikely to satisfy the “fully decentralised” exemption of Recital 22, and the services provided in connection with such a project must be assessed under MiCAR’s provisions.
What We Decoded
The “Fully Decentralised” Exemption is Exceptionally Narrow: MiCA’s Recital 22 states that services provided in a “fully decentralised manner without any intermediary” fall outside the regulation’s scope, but achieving this true state of full decentralization is incredibly rare. If any single entity exercises control over governance, protocol parameters, or core infrastructure, the exemption does not apply.
Substance Over Form Dictates Compliance: Regulators look past marketing claims and technical semantics to assess actual operational control. The regulatory test is functional, not technological: if an operator maintains administrative keys, controls the front-end interface, or has the ability to upgrade or pause smart contracts, they fall within MiCA’s scope.
Decentralization Exists on a Spectrum: ESMA does not view decentralization as a binary concept. Even if a project relies heavily on autonomous code and smart contracts, the presence of identifiable entities exercising varying degrees of control over fee structures, protocol upgrades, or governance will trigger regulatory scrutiny.
Permissionless Blockchains are “Common Goods”: Relying on a public, permissionless blockchain does not establish a formal third-party outsourcing relationship under Article 73 of MiCA, as ESMA categorizes these as “common good” resources. However, deploying smart contracts on a common good infrastructure does not shield the platform operator from MiCA if they retain functional control over those contracts.
Software Developers Are Not Automatically CASPs: Merely creating and selling non-custodial software or hardware does not automatically classify an entity as a Crypto-Asset Service Provider (CASP). However, if the developers or operators retain sufficient influence over the crypto-assets, the platform, or the ongoing business relationships with users, they cross the regulatory threshold and will be regulated as CASPs.
This article is based on a study conducted by LegalBison in April 2026. The content is for informational purposes only and does not constitute legal advice.

