
I regularly meet executives who are ready to scale work with digital assets, but are stuck on two things: the BaFin license and the architecture of secure key storage. Since 2016 the COREDO team has supported dozens of projects for company registration in the EU and Asia, obtaining financial licenses and building compliance functions. During this time I have gathered a set of proven approaches that really save time and reduce operational risks. In this text I will systematically go through the path from legal structure to key architecture and regulatory reporting – with a focus on Germany and BaFin, but taking into account MiCA and EU requirements.

Our experience at COREDO has shown: a strong custody service doesn’t start with HSM, but with a clear regulatory model, a comprehensible operational architecture and compliance discipline. Technology is an important layer here, but without the right license, contractual framework and AML/KYC procedures the business risks getting a stop signal at the start.

Regulatory framework of Germany and the EU

Illustration for the section «Regulatory framework of Germany and the EU» in the article «Crypto custody in Germany BaFin license for key storage»
The regulatory framework of Germany and the EU increasingly shapes requirements for the handling and storage of crypto-assets, setting standards for licensing, supervision and investor protection. Below we will examine the key elements of oversight – including the role of BaFin and the specifics of regulating crypto custody.

BaFin regulation of crypto custody

In Germany, crypto custody (Kryptoverwahrgeschäft) is a licensed activity for the storage of third parties’ private keys. A BaFin license for key storage is required if you provide clients with custody of cryptocurrencies for business purposes, including corporate wallets, sub-accounts and API access. The regulator refers to the KWG (banking law), MaRisk (risk management) and BAIT (IT requirements), as well as the German AML law (GwG). Crypto-custody regulation in Germany implies segregation of client assets, clear internal controls, independent risk management and audit.
A couple of important nuances. BaFin supervision closely looks at the actual storage of private keys and operational processes, not only the legal structure. And if your model includes custodial staking, the regulator expects risk disclosures, a liquidity policy, management of slashing risk and contractual mechanisms for the allocation of rewards and costs.

MiCA: impact on BaFin custodians

The MiCA regulation forms a pan-European framework for crypto-asset service providers, including custodians. For Germany this means alignment of requirements, the possibility to passport custody services within the EU when meeting pan-European standards, and harmonization of reporting. COREDO’s practice confirms: if you build processes “according to MiCA” already at the stage of preparing for a BaFin license, subsequent expansion to other EU countries proceeds faster.
MiCA does not eliminate national specifics – BaFin will retain the right to inspections, the requirement for IT resilience and expectations for incident management. But the common language for compliance, risk-based approach and information security will become unified across the EU, which simplifies scaling.

AMLD5 and AMLD6: AML/KYC and GDPR

AMLD5 and AMLD6 set the level of control expected of KYC providers, AML transaction monitoring and sanctions screening. In Germany these rules are implemented in the GwG; the regulator expects a risk-oriented approach, client segmentation, monitoring scenarios and a documented escalation methodology. In custody, GDPR and key storage intersect through the personal data of owners, activity logs (audit trail) and access logs. I recommend implementing data minimization and a strict role-based access model: this reduces risk and facilitates passing inspections.

BaFin license for crypto custody

BaFin licensing of crypto custody requires strict compliance with regulatory requirements and transparent documentation. Below we will examine in detail the stages and structure of obtaining the license, including the key legal, operational and technical criteria for successfully completing the process.

How to obtain a BaFin custody license

I recommend starting with the legal structure for custody in the EU (GmbH, AG). For crypto custody in Germany a GmbH is usually suitable, while mature players planning to raise capital choose an AG. Capital requirements for custody depend on the service profile; for pure storage of private keys the starting capital is usually from €125,000, and is higher when combined with payment services. The cost of obtaining a BaFin license consists of document preparation, technology implementations (HSM/MPC), hiring key personnel (MLRO, CISO, Head of Risk), certifications (ISO 27001, sometimes SOC 2 Type II), insurance and legal support.

According to COREDO’s observations, a conservative project budget often falls in the mid- to multi-million euro range, depending on scale, geography and degree of automation.

Process stages:

  • Pre-licensing gap analysis against BaFin/BAIT/MaRisk and MiCA.
  • Designing the operational model: custody vs non-custodial, cold/hot storage, MPC or multisig, key ceremony protocol and key rotation policy.
  • Building compliance: AML/KYC, sanctions screening, risk-based approach, incident management and notifications to the regulator.
  • IT and security: HSM (Hardware Security Module) or MPC (Multi-Party Computation), cold key storage infrastructure, air-gapped signing, audit trail and logging.
  • Documentation and submission: policies, regulations, client agreements, legal agreements for HSM outsourcing.
  • On-site inspections and responses to inquiries.

Checklist for preparing for a BaFin inspection

The COREDO team has conducted dozens of pre-licensing “dry” audits and compiled a checklist for preparing for a BaFin inspection:
  • Governance: qualified executives, independent risk and compliance, information security committee.
  • Policies and procedures: private key storage requirements, access management and role models in custody, key ceremony and backup, disaster recovery plan and business continuity plan.
  • IT governance under BAIT: asset inventory, vulnerability management, change management, incident response.
  • Security: BaFin HSM security requirements, description of MPC/threshold signatures, multisignature and key storage, cold wallet architecture and hot wallet risk.
  • Quality control: penetration testing and red team, bug bounty programs, security audit for crypto custody, SOC 2 Type II audit if available, ISO 27001 certification.
  • Finance: capital requirements, OPEX vs CAPEX model, ROI calculation for security investments and overall financial plan.
  • Contract framework: preparation of custody agreements for corporate clients, SLA 99.9% availability, key storage regulations and GDPR, fiduciary duty for custodians, segregation of client assets, trustee model custody.
  • Reporting: BaFin regulatory reports, security metrics for BaFin reporting, incident notification policies.

Supervision and incident reporting

BaFin expects transparent incident management and notifications to the regulator in case of material failures, breaches or risks to clients’ funds. Notification timings align with GDPR (generally within 72 hours for personal data) and internal regulations. I recommend drafting in advance a criticality matrix, an escalation procedure, a communications role model and message templates for the regulator and clients. Regular regulatory reports to BaFin include information security and operational resilience KPIs.
Enforcement action precedents show that the regulator is particularly sensitive to commingled asset storage, weak access policies and insufficient transaction monitoring. COREDO’s practice confirms: a mature audit trail, forensic readiness and automated access control simplify communication with supervision.

Key storage architecture

Building the technological architecture for key storage defines a set of decisions responsible for the security, availability and manageability of cryptographic materials. In the following subsections we consider the role of HSMs and outsourcing options for critical components to show how different approaches affect risks and operational requirements.

Outsourcing critical components and HSM

HSMs, the de-facto standard for protecting master keys, are especially important when supporting Bitcoin and Ethereum in custody and managing corporate sub-accounts. BaFin looks at HSM certification (e.g., FIPS 140-2/3), key lifecycle management, load/unload policies and role models. Outsourcing HSMs and the legal risks must be addressed separately: agreements with providers, third-party risk management, requirements for locations and verification procedures.
The solution developed at COREDO usually combines HSMs for root secrets and MPC for operational flexibility. This approach increases resilience and simplifies scaling as the number of clients and transactions grows.

MPC, multisig and secret sharing

MPC for key storage and threshold signatures allow the signing computation to be split across multiple independent nodes, reducing the risk of a single point of failure. Multisignature (multisig) key storage architectures remain relevant for Bitcoin’s UTXO model and some enterprise scenarios. Shamir’s Secret Sharing is suitable for backups and recovery procedures, but I don’t use SSS for online signing when MPC is available.
A combination of a cold wallet architecture with air-gapped signing and a hot environment with tight limits increases security and operational flexibility. The key rotation policy must take L2 protocols and smart contracts into account, especially for cross-chain custody and when working with wrapped tokens. Key ceremony and backup procedures are documented in detail, with video recording and checklists.
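The backup and recovery role the text assigns to Shamir’s Secret Sharing, as an added example that is not COREDO’s code: a 3-of-5 split of a root key over a prime field for distribution to backup custodians, with a SHA-256 fingerprint recorded at the key ceremony so the recovery team rejects a wrong or incomplete share set instead of silently restoring garbage. The field prime, the threshold and the sample key are assumptions.

```python
"""Shamir's Secret Sharing for an offline backup of a custody root key.

Added example, not COREDO's code. The root key is split 3-of-5 over a
prime field; any three shares reconstruct it and any two reveal nothing.
A fingerprint taken at the key ceremony lets recovery fail closed on a
wrong or incomplete set of shares. Prime, threshold and key are assumptions.
"""
import hashlib
import secrets
from typing import List, Tuple

# Mersenne prime 2^521 - 1: every 256-bit key is a valid field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)) with x in 1..n


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a0 + a1*x + ... mod PRIME using Horner's rule."""
    result = 0
    for coeff in reversed(coeffs):
        result = (result * x + coeff) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, share_count: int) -> List[Share]:
    """Return share_count shares of secret; any threshold of them recover it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret_int = int.from_bytes(secret, "big")
    if secret_int >= PRIME:
        raise ValueError("secret does not fit in the field")
    # a0 is the secret; the remaining coefficients are uniformly random field elements.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Lagrange interpolation at x = 0; correct only with >= threshold distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # den != 0 because the x values are distinct; invert via Fermat's little theorem.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total.to_bytes(secret_len, "big")  # OverflowError if the value is garbage


def fingerprint(secret: bytes) -> str:
    """Ceremony record: a hash of the key that is safe to write on the checklist."""
    return hashlib.sha256(secret).hexdigest()


def ceremony_recover(shares: List[Share], secret_len: int, expected_fp: str) -> bytes:
    """Recover and fail closed unless the result matches the ceremony fingerprint."""
    try:
        candidate = recover_secret(shares, secret_len)
    except OverflowError:
        raise ValueError("recovered value invalid: wrong or insufficient shares") from None
    if fingerprint(candidate) != expected_fp:
        raise ValueError("fingerprint mismatch: wrong or insufficient shares")
    return candidate


def recovery_succeeds(shares: List[Share], secret_len: int, expected_fp: str) -> bool:
    """True if the share set passes the ceremony check, False otherwise."""
    try:
        ceremony_recover(shares, secret_len, expected_fp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample root key; real keys are generated inside the HSM.
    root_key = hashlib.sha256(b"constructed-demo-root-key").digest()
    fp = fingerprint(root_key)
    shares = split_secret(root_key, threshold=3, share_count=5)
    print("3-of-5 recovery:", recovery_succeeds([shares[0], shares[2], shares[4]], 32, fp))  # True
    print("2-of-5 recovery:", recovery_succeeds(shares[:2], 32, fp))                        # False
```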

Fault tolerance, scaling and audit

Designing a fault-tolerant key architecture includes distributed key storage for scaling, geo-replication, independent quorum channels and deterministic run-books for incidents. A multi-tenant custody platform requires strict segmentation, circuit isolation and continuous monitoring. Audit trail and logging must cover administrative actions, transactions, access to secrets and configuration changes.

I build in forensic readiness: time synchronization, immutable logs, a retention policy and regular recovery tests. Incident response and notification are practiced scenarios with roles, timers and feedback loops. This saves hours during real crises and increases client trust.

Custodial staking: risks

Staking-as-a-service for corporate clients raises questions about liquidity management, reward distribution, validator fees and slashing risk. Liquidity management in custodial staking requires buffers, transparent unbonding rules and synchronization with accounting. In contracts I record protocol risks, responsibility for validator selection and the compensation procedure for slash events.
Smart contracts, custodial vs non-custodial models, support for ERC-20 and ERC-721 and integration of layer-2 and custody (for example, rollups): all of this is reflected in risk methodologies. Our architects at COREDO form a risk profile for each network stack separately.

Assets, integrations and SLA

Support for Bitcoin (Bitcoin UTXO model) and Ethereum requires different addressing logic, monitoring and nonce/fee control. For business I set up custody API integrations with exchanges and brokers (REST, WebSocket), with restrictions by keys, an IP allowlist and a fine-grained limit system. Enterprise onboarding processes include corporate client due diligence, issuance of sub-accounts and configuration of role models.
SLA 99.9% availability is a fair benchmark for custody, while transaction creation time and approval delays depend on the number of signatures and the limit policy. Setting SLAs for crypto custody services provides RTO/RPO for infrastructure, maintenance windows and a plan for functional degradation.

Risk management and compliance

Effective risk management and strict compliance require a systemic approach to identifying and mitigating financial threats. In this context, AML/KYC and regular transaction monitoring become key tools to prevent fraud and money laundering.

AML/KYC: transaction monitoring

Compliance for crypto custody in Germany is built on a risk-based approach: segmentation of clients by jurisdictions, types of activity and volumes. AML/KYC for crypto custody requires reliable KYC providers, periodic review processes (KYC refresh), sanctions checks and transaction monitoring using behavioral and blockchain analytics. Sanctions screening and lists of high-risk wallets are better automated, but manual review should be retained for complex cases.
AML transaction monitoring should include scenarios for the microstructure of transfers, analysis of sources of funds and behavior when using mixers. I define clear rules for escalation and suspension of operations so the team does not lose time on approvals at critical moments.

Resilience and security

ISO 27001 certification for custodians and a SOC 2 Type II audit are strong arguments for BaFin and corporate clients. They are complemented by regular penetration testing and red team exercises, bug bounties and independent code reviews for custom components. Transparency through the implementation of proof of reserves for custodians and attestation reports increases trust, especially with large corporate deposits.
Security metrics for BaFin reporting and key KPIs for CTO/CISO may include: MTTR for incidents, proportion of critical vulnerabilities, average patch-management time, percentage of MFA/SSO, frequency of key rotation, share of transactions processed through expedited scenarios, and results of independent audits.

Insurance and fiduciary duties

Insurance of crypto custody assets: a separate track. Custody insurance policy and underwriting of crypto risks take into account limits for hot and cold wallets, exclusions and deductibles. How to choose an insurance product for a custodian? I assess the insurer’s financial stability, cyber-risk coverage, limits on social engineering and control requirements.

Fiduciary duty (fiduciary duty for custodians) and segregation of client assets are critical in the event of a custodian’s bankruptcy and in protecting clients. A proper contractual and operational model (for example, trustee model custody) helps separate client assets from the insolvency estate. COREDO’s experience has shown: clear ownership registers and segregation at the level of addresses/smart contracts simplify legal enforcement.

Data privacy and regulations

The key storage policy and GDPR go hand in hand with data governance: minimization of personal data, encryption «at rest» and «in transit», access management and retention. Logging and observability should not disclose sensitive elements of key infrastructure, and log sizes should not exceed what is reasonably necessary. We balance this through anonymization, pseudonymization and strict telemetry control.
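The forensic-readiness requirements from “Fault tolerance, scaling and audit” (immutable logs covering administrative actions, transactions and access to secrets) and the minimization point above, as one added example that is not COREDO’s code: a hash-chained audit trail in which each record commits to its predecessor, client identifiers are keyed pseudonyms and key handles appear only as fingerprints. The HMAC key, field names and sample events are constructed assumptions.

```python
"""Tamper-evident custody audit trail with pseudonymized identifiers.

Added example, not COREDO's code. Every entry commits to the hash of the
previous one, so editing, deleting or reordering a record is detected on
verification; client identifiers are replaced by keyed pseudonyms and key
handles are reduced to a fingerprint, so the log discloses nothing about
clients or key infrastructure. Key and field names are assumptions.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key: in production this is held in the HSM/KMS, never in code.
PSEUDONYM_KEY = b"constructed-audit-pseudonym-key"
GENESIS_HASH = "0" * 64


def pseudonymize(identifier: str) -> str:
    """Keyed pseudonym: stable across logs for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def entry_hash(fields: Dict) -> str:
    """Hash over canonical JSON, so field ordering cannot be used to forge a match."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of custody-relevant actions."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, ts: str, actor: str, action: str,
               client_id: str, key_handle: str, detail: str = "") -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "ts": ts,                     # UTC timestamp from a synchronized clock
            "actor": actor,
            "action": action,
            "client": pseudonymize(client_id),
            # Fingerprint only: the key handle itself never enters the log.
            "key_ref": hashlib.sha256(key_handle.encode()).hexdigest()[:12],
            "detail": detail,
            "prev": prev,
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[Dict]) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry_hash(body) != entry.get("hash"):
            return i
        prev = entry["hash"]
    return None


def build_demo_trail() -> AuditTrail:
    """Constructed sample events: a withdrawal approval flow on a corporate sub-account."""
    trail = AuditTrail()
    trail.append("2024-01-15T09:00:00Z", "ops-alice", "WITHDRAWAL_REQUESTED",
                 "corp-client-42", "hsm:key/eth-hot-07", "amount=12.5 ETH")
    trail.append("2024-01-15T09:04:11Z", "risk-bob", "WITHDRAWAL_APPROVED",
                 "corp-client-42", "hsm:key/eth-hot-07", "quorum 2-of-3 reached")
    trail.append("2024-01-15T09:04:30Z", "signer-node-2", "TX_SIGNED",
                 "corp-client-42", "hsm:key/eth-hot-07", "nonce=118")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact chain:", verify_chain(trail.entries))          # None
    forged = [dict(e) for e in trail.entries]
    forged[1]["detail"] = "quorum 1-of-3 reached"
    print("edited entry:", verify_chain(forged))                 # 1
    body = {k: v for k, v in forged[1].items() if k != "hash"}
    forged[1]["hash"] = entry_hash(body)                         # tampered entry re-hashed
    print("re-hashed entry:", verify_chain(forged))              # 2: successor's prev no longer matches
```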

Strategy and economics of launching a service

The project’s economics and the chosen strategy shape the decision-making framework during preparation and launch of the service, setting priorities for resources and the acceptable level of risk. Below we will examine in detail the cost model, required capital and key ROI metrics to build a justified go-to-market plan.

Cost model and ROI

The OPEX vs CAPEX model helps communicate more transparently with the board of directors. CAPEX: HSMs, networks, software licenses, certifications; OPEX: compliance and information security staff, insurance, audit, colocation, bug bounty. The cost of obtaining a BaFin license and its subsequent maintenance depend on scale.

The ROI estimate for launching a crypto-custody service is built on revenue from custodial services, transaction fees, staking rewards (if applicable), and cost savings from in-house risk control.
How to estimate ROI from implementing your own crypto-custody? I model scenarios along three lines: organic growth of the corporate customer base, cross-sales (for example, exchange/trading/payments) and retention thanks to high SLA and security. The ROI calculation for security investments takes into account the probability of incidents and potential damage; this is an important argument before the investment committee.

In-house vs third-party and white-label

The comparison of in-house vs third-party custody boils down to control, speed of launch, and the regulatory curve. White-label custody solutions allow faster market entry but increase dependence and requirements for third-party risk management. Migration of crypto-assets between custody providers — a scenario I plan for at the start — includes procedures for key rotation, attestation of balances and client notifications.

Outsourcing HSM legal agreements require clear SLAs, audit rights, requirements for data geography and recovery plans. Third-party risk management includes periodic assessments, stress tests and forensic clauses in contracts.

Operational resilience and SLA

Operational resilience: not only data-center redundancy, but also disaster recovery plan drills, degraded-mode business processes and client communications. SLAs should cover availability, transaction processing time, maintenance windows and RTO/RPO. I always link SLA settings for crypto-custody services to team KPIs and bonus models: this way SLA ceases to be “paper” and becomes a practical tool.

COREDO case studies: licensing and integration

In a series of COREDO case studies we show practical steps – from obtaining a license to real bank integration scenarios. Using the example of Germany, we examine BaFin’s requirements, key architecture and technical solutions necessary to comply with regulatory and banking requirements.

BaFin: license and key architecture

The COREDO team recently implemented a project for a fintech planning custody for large corporate clients. We chose a GmbH, prepared the BaFin submission package, deployed HSMs for master keys and MPC for operational signing. The client obtained ISO 27001 certification, underwent a SOC 2 Type II audit and set up proof-of-reserves methodologies with regular attestation reports. The contractual framework established segregation of client assets and a trustee-model custody, as well as terms for custodial staking and disclosure of slashing risk.

At the pre-audit stage we ran a practical checklist to prepare for the BaFin review, ‘dry’ key ceremonies, an incident response test and tuning of regulatory reports. The solution proved resilient, and the final regulatory dialogue took less time than we had planned in our risk scenarios.

EU passporting after launch

Another client launched custody in Germany with an eye on the EU. We built a model compatible with MiCA and prepared EU passporting for custody services. The legal structure and policies accounted from the outset for the IT resilience and staffing requirements of Cyprus and Estonia, which accelerated regional expansion.

Our experience at COREDO has shown: unifying policies and a single key architecture reduces total cost of ownership and simplifies change management.

Integration into a banking group

A separate case — implementing custody in a banking group with presence in the UK, Singapore and Dubai. We integrated custody into the bank’s structure via API (REST/WebSocket), supporting corporate accounts and sub-accounts. For the CTO/CISO we set up key KPIs, reports for risk committees and regular red team exercises.

Practice has shown that BAIT discipline and banking IT standards map harmoniously onto crypto custody if roles and processes are organized correctly.

Practical tools

To minimize risks when choosing a custody provider, rely on practical methods and tools that turn abstract requirements into concrete checks. Below is a compact checklist for reviewing custody providers with key criteria for security, compliance and operational reliability.

Checklist for reviewing custody providers

Reviewing custody providers: a checklist for the director

  • Licenses and supervision: BaFin license for crypto custody, MiCA plans, regulatory history, inspection precedents.
  • Security: HSM/MPC, key ceremony protocol, air-gapped signing, penetration testing, bug bounty, ISO 27001/SOC 2.
  • Operations: SLA 99.9%, incident response, disaster recovery, business continuity, audit trail.
  • Compliance: AML/KYC, sanctions screening, AML transaction monitoring, GDPR.
  • Legal: segregation of client assets, trustee model custody, insurance, outsourcing, HSM legal agreements.
  • Technology: support for Bitcoin/Ethereum, ERC-20/ERC-721, layer-2 and custody, cross-chain custody, API REST/WebSocket.
  • Economics: fees, limits, OPEX vs CAPEX, ROI assessment.
  • Migration: export of keys/addresses, proof of reserves during transition, timelines and risks.

What to include in contracts and SLAs

Preparing custody agreements for corporate clients should specify:

  • Scope of services, supported assets, custodial staking requirements.
  • Segregation of assets, fiduciary duty, insurance and limits.
  • Incident management and regulator notifications, RTO/RPO, maintenance windows.
  • Key policies: private key storage requirements, key rotation, access controls.
  • Proof of reserves and attestation reports, audit rights.
  • Management of custody operational risks and third-party risk management.

Recovery after key compromise

A key recovery plan after compromise should include:

  • Identification of the affected area and containment scenario.
  • Generation of new keys (key ceremony), transfer of assets, policy updates.
  • Communications: clients, regulator, counterparties.
  • Forensics package: collection of artifacts, preservation of logs, independent analysis.
  • Post-incident plan: lessons learned, control updates, retesting and attestations.

Frequently Asked Questions and Short Answers

Which legal structures are optimal for custody in Germany? GmbH for a flexible start; AG for mature capital and exchange plans. In both cases consider capital and governance requirements.
How to obtain a BaFin license for custody and how long does it take? The readiness of the company and the documentation package determines the timelines. Mature processes and IT significantly speed up the dialogue. Budget and team are key to predictability.
What SLA metrics are important for corporate custodian clients? Availability, signature latency, RTO/RPO, incident handling time and reporting accuracy. Plus security metrics: key rotation frequency, MFA coverage and time to patch.
How to choose an insurance product for a custodian? Look at coverage of hot/cold wallets, exclusions, limits, payout terms and control requirements. Compare underwriting criteria and the insurer’s financial stability.
How to assess the ROI of implementing your own crypto custody? Sum new revenue, risk savings, synergy with existing services and cost of capital. Don’t forget growth scenarios and stress tests.

Conclusions

Custody is not just about storing keys. It’s about trust, predictability and a mature operational model. I’ve seen projects with strong architecture and compliance discipline obtain a BaFin license for key custody and quickly scale across the EU thanks to MiCA. I’ve also seen the opposite: when savings on processes and documentation come back as delays and additional requirements.

COREDO doesn’t offer magical shortcuts. But we do have the tools, practices and experience that make this path manageable: from choosing between HSM and MPC to BaFin regulatory reports and proof of reserves. If you are planning a custody case in Germany, Czechia, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore or Dubai – let’s break it down into clear modules, calculate ROI and build an architecture that will withstand both regulatory audits and the requirements of your corporate clients. COREDO’s experience shows: a systematic approach pays off faster than promises to ‘do everything in three weeks’.

I have been building COREDO since 2016 and have set up dozens of structures in the EU, the UK, Singapore, Dubai and Central Europe through incorporation, licensing and tax planning. In recent years Portugal has become a notable hub of European crypto business. The COREDO team has implemented a number of projects to create crypto holdings in Lisbon and Porto, and by 2026 the picture has become significantly more mature: MiCA comes fully into force, DAC8 and CARF change the rules of information exchange, and the Portuguese tax regime (IRC) is finally adapting to crypto assets.

In this article I have compiled a practical roadmap: how to choose a legal form, meet substance requirements, obtain CASP registration, set up AML/KYC and accounting under IFRS, plan profit repatriation and withstand tax audits. I rely on specific COREDO cases and break down the key issues: taxes on crypto assets in Portugal, corporate tax (IRC) for Portuguese crypto companies, transfer pricing, Pillar Two and the implications of MiCA/DAC8/CARF.

Portugal’s regulatory landscape 2026

Illustration for the section «Regulatory landscape of Portugal 2026» in the article «Taxation of crypto-holdings in Portugal 2026»

By 2026, the Portuguese ecosystem looks structured. Autoridade Tributária (the Portuguese Tax Authority, AT) issues guidance on crypto operations and monitors declarations. Banco de Portugal oversees the registration of crypto-asset service providers (CASPs), including AML/KYC requirements and the Travel Rule. The Portuguese Securities Market Commission (CMVM) supervises security tokens, prospectuses and trading venues for tokenized securities.

MiCA (Markets in Crypto‑Assets Regulation) introduces unified rules in the EU: by 2026, CASPs operate under standards for licensing and operational risk, reserve requirements for stablecoins and risk disclosure. DAC8 expands the automatic exchange of information on crypto-assets, while the OECD CARF sets a global reporting framework. COREDO’s practice confirms: the “do the minimum and hide” strategy no longer works. Build compliance from the start “for audit” — it saves years, not months.

Private limited company vs public limited company and tax residency

The following are most suitable for holdings and operating crypto companies in Portugal:

  • Sociedade por Quotas (Lda): the equivalent of a private limited company, with a flexible management structure and moderate capital requirements.
  • Sociedade Anónima (SA): a form for large structures and public plans, with stricter corporate procedures and a board of directors.
When I create a crypto holding in Portugal I start by assessing the group’s prospective structure and investors’ requirements. If a client is preparing for a listing or a Security Token Offering under CMVM supervision, an SA removes a number of barriers in advance. For a family-office holding or a fund, an Lda is more economical to administer. A company’s tax residency in Portugal is determined by its place of effective management: the board of directors, the making of key decisions, local directors and office — the elements on which the AT places emphasis.

Substance of a crypto-holding in Portugal


Economic justification of substance — not about a “paper” office, but about real activity. I set out the minimum:
  • a resident director with fintech/crypto experience and a real management role;
  • a physical office where meetings are held and originals of documents are kept;
  • local functions: risk management, an AML officer, accounting, preparation of financial reports;
  • contracts with local providers (custody, audit, legal support), reflecting the ‘centre of interests’ in Portugal.
The economic justification of substance pays off twice. Banks open accounts faster, and tax rulings are resolved predictably. A solution developed at COREDO for one crypto group with assets in the EU and Asia reduced banking KYC friction fourfold by transferring the risk function and data governance to Lisbon.

IRC for crypto holdings


Crypto-holding taxes in Portugal are about IRC and related regimes. The basic IRC rate is 21% on the mainland, to which a municipal surcharge of up to 1.5% and a progressively applied state surtax on large profits are added. For small and medium enterprises a reduced rate applies to the “first tier” of profits. Details change with budgets, but the effective tax rate is usually 22–26%, which is above the Pillar Two threshold.
The conditions for applying the participation exemption in Portugal allow dividends and capital gains on shareholdings to be exempt from tax when the criteria are met: generally a shareholding of at least 10%, a holding period of at least 12 months, taxation of the investee by a comparable corporate tax and absence from a “blacklist”. For a crypto-holding this is the key to tax-optimizing repatriation of funds from subsidiaries in the EU and certain third countries.
Profit repatriation and withholding taxes in Portugal depend on bilateral double tax treaties (DTT) and EU directives. Standard WHT rates in Portugal are 25% on dividends, interest and royalties, but DTTs and the Parent-Subsidiary Directive reduce or eliminate them when conditions are met. The COREDO team implemented a cascaded structuring of payments using the participation exemption and DTTs, reducing aggregate withholding to zero without aggressive schemes.

Taxes on crypto-assets in Portugal


AT in 2026 bases its approach on the functional nature of the transaction. For companies, income and losses from crypto-assets form part of the IRC taxable base. The classification of tokens for tax purposes in Portugal is based on their economics:
  • utility tokens: a right of access to a service, accounted for as an intangible asset or a prepayment;
  • security tokens: characteristics of a security, supervision by the CMVM, potential application of the rules for financial instruments;
  • asset-backed tokens: asset tokenization with a distinct legal and fiscal profile.
The tax consequences of staking, mining and airdrops differ. Staking is often recognized as operational income as rewards are accrued; mining is an entrepreneurial activity taxable under IRC taking expenses (electricity, equipment) into account; airdrops and hard forks are taxable events at fair value on the date of receipt, with subsequent recognition of gain or loss on disposal. Labeling each transaction as a disposal, acquisition or swap allows capital gains to be separated correctly from operational income.
Taxes on token exchanges and token-swaps in a corporate environment arise both on sale and on exchange of one asset for another if beneficial ownership or the economic substance of the asset changes. For illiquid tokens I apply conservative valuation models: DCF (if there are cash flows), market comparables from transactions, or last round for tokens related to equity. AT readily accepts documented methodologies; COREDO’s practice shows that a transparent model and independent valuation reports materially reduce the risk of dispute.

VAT on trading crypto assets and NFTs

VAT and cryptocurrency trading: Portuguese rules follow the EU Hedqvist case, so fiat/crypto exchange is exempt from VAT as a payment transaction. But not all crypto services fall under the exemption. Custodial services, technical support, SaaS access to protocols, market-making and listing packages are usually subject to 23% VAT in mainland Portugal.

Taxation of transactions with NFTs and tokenized assets depends on their substance. The sale of a digital work of art is an electronic service subject to VAT at the place of consumption (rules for B2C digital services); tokenization of rights to a real asset carries the VAT/stamp implications of the underlying asset and may require registration in the country where the asset is located. VAT refunds and indirect tax relief on the provision of crypto services are possible with correct determination of the place of supply and by keeping separate accounting of input VAT.

CASP Registration: AML/KYC Requirements

The definition of VASP/CASP and registration requirements by 2026 are established by MiCA and local law. Banco de Portugal registers conversion providers, exchangers, custodians, issuers, platform operators.

AML/KYC requirements for crypto holdings and CASPs include:

  • AML‑Risk Assessment, written policies and procedures;
  • KYC/KYB, PEP‑screening and enhanced Due Diligence for investors;
  • Blockchain‑analytics and AML tools (on‑chain monitoring), Travel Rule;
  • financial monitoring and sanctions compliance (FATF Guidance on virtual assets and VASP).
The cost of AML/CTF compliance and a holding’s operational expenses are not a penalty but insurance. In one project COREDO implemented a cascading verification model: auto‑scoring + manual EDD for high risks, integrations with on‑chain monitoring providers and centralized case management. False positives decreased by 37%, and onboarding time was reduced from 12 to 5 days, with total savings of more than 200 person‑hours per month.

UBO Beneficiary Register and Privacy

The UBO register (Registo de Titular Beneficiário) in Portugal is mandatory for all companies. Investor confidentiality and the implications of CARF for UBOs require careful structuring: nominee holders do not solve the problem. I recommend aligning disclosures with the group’s legal strategy, conducting a DPIA under the GDPR for CARF/DAC8 data flows, and drafting contractual provisions with custodian/exchange providers on the division of controller/processor roles.

MiCA, DAC8, CARF: crypto business models

The impact of MiCA and DAC8 on the business models of crypto holdings is expressed in three ways. Firstly, licensing of CASP and capital/risk management requirements raise the entry barrier but provide a “passport” to the EU market. Secondly, the expansion of reporting under DAC8/CARF makes anonymous schemes expensive and risky. Thirdly, B2B clients demand transparency of the transaction chain and on-chain reports as the standard.
OECD CARF and the automatic exchange of information on crypto transactions are not just about retail. Institutional providers are subject to reporting obligations, and the group must build master data: a single client identifier, beneficiary registers, transaction metadata. Our experience at COREDO has shown: if you design data governance from the start for CARF/DAC8, auditors close issues faster, and AT asks for clarifications less often.

Impact of GloBE on crypto structures

Pillar Two / GloBE rules and the calculation of the effective tax rate are important for groups with revenue ≥ 750 million. Portuguese companies most often report an ETR above 15%, but local incentives and tax credits can shift the calculation. For a holding company, a GloBE “dry run” is useful: detail timing differences, verify the qualification of tax credits, and ensure that participation in reduced-tax regimes will not lead to a top-up in another jurisdiction.
BEPS 2.0 strengthens requirements for economic presence (economic substance) and transparency. I take this into account in the design of holdings: a genuine asset-management function in Portugal and documented processes reduce the risk of adjustments in source jurisdictions.

Transfer pricing for tokens

Transfer pricing: the CUP, TNMM and cost plus methods for token transactions are applicable in the same way as for traditional assets. For intercompany transfers of tokens with market quotations the CUP method most often works (arm’s length at the market price with adjustments for liquidity and lock‑ups). For protocol development and market‑making operations, cost plus or TNMM with margin benchmarking is used.
Transfer pricing documentation for crypto groups in Portugal is mandatory upon reaching revenue and intercompany turnover thresholds. I prepare the master file and local file, a token valuation policy, a functions/risks/assets analysis, as well as procedures for unpriced events (airdrops, hard forks). Advance Pricing Agreement (APA) and pre‑ruling decisions remove uncertainty; tax resolutions (binding rulings) in Portuguese practice are issued within reasonable timeframes when filed properly.

Accounting for crypto-assets under IFRS and in Portugal

Accounting for crypto-assets under IFRS and Portuguese accounting standards in 2026 treats crypto-assets as intangible assets (IAS 38), except where traders hold them as inventory at fair value. Impairment, impairment tests and disclosures are mandatory, and the valuation policy is subject to audit. The IFRS project on crypto assets is moving toward clarifying classification and disclosures, and auditors are scrutinizing accounting policies.

Valuation policies and accounting policies for tokens in the annual report must record the choice of mark‑to‑market vs cost basis, sources of prices, and the liquidity hierarchy. Cold wallet vs custodial wallets carry different operational and tax consequences: custodial fees (custody fees) may be charged to expenses, while cold‑storage requires internal access controls and SOX-like procedures for public groups. Internal controls and key management are among the first topics in any due diligence.

Declaration, audits and disputes by 2026

The procedure for declaring cryptocurrencies in the Portuguese tax return is set out in AT instructions: report income/losses, disclose valuation methodologies, and provide notes on non-standard transactions. Tax inspections and audits of a crypto-holding in 2026 focus on three triggers: mismatch between on‑chain movements and accounting, lack of TP documentation for intercompany token transfers, and weak AML procedures.
How to prepare for a tax audit of a crypto-holding in 2026? Maintain reconciliations on‑chain/off‑chain, independent valuation reports, board minutes on key decisions, and reports from the AML officer. Legal support and obtaining tax rulings for the holding help stabilize positions before a dispute begins. The COREDO team successfully closed AT claims on the classification of staking income by providing correspondence with the regulator and justification for income recognition under the accrual method.

Dividends and WHT: profit repatriation

Withholding tax (WHT) on dividends, interest and royalty payments in Portugal is 25% by default, but bilateral treaties (DTT) allow the rates to be lowered. Under double taxation treaties Portugal’s WHT rates often fall to 5–15% on dividends and 10% on interest/royalties, and within the EU zero is possible if directive requirements are met. Dividend repatriation and the tax optimization of repatriating funds from a crypto-holding are built around the participation exemption and a managed payout schedule.
Re-investment of profits and its tax consequences should be aligned with the business cycle: losses on tokens can be carried forward (tax loss carryforward) with a restriction on the share of profits, and R&D credits and other tax benefits and incentives for investment holdings in Portugal reduce the burden when developing technologies. I set KPIs: ROI metrics taking into account tax efficiency and compliance costs, so the board sees the full picture, not only the “nominal” rate but also the cost of compliance.

International structures, family offices

For international structures, the choice between a branch and a subsidiary for crypto operations is a question of control and taxation at source. A branch is easier to set up, but its profit will be taxed directly in Portugal; a subsidiary is more convenient for the participation exemption and managed WHT on dividends. Using a Portuguese holding structure for funds and a family office provides predictability, access to DTT and a clear regime for asset management.
Cross-border transfers of tokens do not fall under customs in the classical sense, but they trigger currency and sanctions compliance, and sometimes local licensing rules. Cross-border payments and banking compliance in Portugal are standardized, but banks require proven substance and transparent sources of funds. Repatriation of capital should be accompanied by banking AML checks and pre-prepared dossiers on counterparties.

DeFi: derivatives and custodial services

Taxation of income from DeFi, yield farming and liquidity aggregation depends on the legal qualification of the contract: rewards are operating income, while derivatives are financial instruments with separate fair-value accounting. In the corporate environment, record the protocol terms, counterparty risk and the PnL valuation methodology. Crypto custody and the tax regime for custodial services in Portugal imply VAT taxation of the service and IRC on the margin.
Security token exchange and CMVM regulation set the framework for STO/listings. ICO/STO and the tax treatment of fees and income require separate accounting: what is a prepayment for a service, what is a debt obligation, what is equity. The COREDO team structured the STO of an infrastructure project under CMVM supervision, agreeing the prospectus and the accounting model for amortization of token liabilities; the investor-side audit passed without remarks.

Governance / responsibility / due diligence

Corporate governance (CG) practices for international crypto holdings include independent directors, a risk and audit committee, SOX‑like requirements for public holdings, and key‑control tests. Liability of directors and executives for tax non‑compliance is real: AT and CMVM expect personal involvement, minutes of meetings, and approval of policies.

Situational due diligence when acquiring a crypto holding checks three areas: tax (IRC, VAT, WHT, TP‑documentation), regulatory (CASP, AML/KYC, CMVM licenses, Banco de Portugal), finance (IFRS, impairment tests, valuation reserves). The role of the tax adviser and the lawyer in structuring the holding is to synchronize these tracks and secure timely binding rulings.

Risks of double taxation and CbCR

Risks of double taxation in cross‑border operations with cryptoassets arise when countries classify transactions differently. Exemption, credit and DTT consultations are the standard toolkit against double taxation, but crypto adds a layer of valuations and events. Country‑by‑Country Reporting (CbCR) for multinational groups requires an agreed allocation of profits and personnel, and crypto functions (protocol development, liquidity management, AML functions) should be reflected where they actually occur.

COREDO cases – what works

  • European crypto exchange and custody. The COREDO team obtained CASP registration with Banco de Portugal, implemented an AML framework with on-chain analytics and obtained an APA on intra-group market-making commissions under TNMM. Result: predictable tax burden and fast bank onboarding for large clients.
  • Family office with tokenized assets. The solution developed at COREDO used Lda as a holding, the participation exemption for dividends from the EU and DTT for royalties. We obtained a binding ruling classifying NFT income as electronic services, established VAT accounting and secured a refund of input VAT on development.
  • DeFi liquidity provider. Our experience at COREDO showed that a documented methodology for valuing remuneration and a compact master file for TP smooth out the rough edges in audits. AT accepted a cost-plus model for service functions and CUP for intra-group liquidity transfers with a discount for locking.

How to set up a crypto holding in Portugal

  • Choice of form (Lda vs SA) and group design under participation exemption and DTT.
  • Confirmation of tax residency: directors, office, board meeting calendar.
  • Registration of CASP (if necessary), appointment of an AML officer, implementation of KYC/KYB, PEP screening, Travel Rule and on-chain monitoring.
  • UBO registry, GDPR‑DPIA and data‑governance policies under DAC8/CARF.
  • Accounting policy: IFRS, token valuation (mark‑to‑market or cost), impairment tests, key control.
  • TP policies: CUP/TNMM/cost plus for token transactions, master/local file, where possible: APA.
  • VAT model: exemptions, electronic services, place of supply, refund of input VAT.
  • Banking compliance: counterparty dossiers, description of flows, confirmation of substance.
  • Audit plan and AT checks: on‑chain/off‑chain registers, AML reports, board minutes.
  • ROI model: tax rate, cost of compliance (KYC/AML, reporting, audits), repatriation and re‑investment scenarios.

Scaling and Exit Strategies

Strategies for scaling the crypto‑business that take the tax burden into account rely on diversification of functions within the EU, expansion of the CASP‑license and integration with institutional custody providers. Exit strategies (M&A, asset sale, IPO) and their tax consequences require early planning; TP‑history, clean IFRS reporting and the absence of “skeletons” in the AML closet increase the deal multiple.

The tax consequences of tokenising assets on the holding’s balance sheet and of custody models need to be recorded in prospectuses and contracts. CMVM closely examines the economics of token rights, and AT looks at the recognition of income and reserves. I recommend preparing pre‑ruling decisions and binding rulings before market entry.

Non-compliance risks: case law

Consequences of non-compliance with VAT and AML rules for a holding range from additional assessments and penalties to administrative and criminal sanctions for tax violations. The key triggers for tax audits of crypto‑operations are discrepancies between DAC8/CARF data and reporting, “gray” staking schemes and the lack of a documented valuation of tokens. Legal risks and case law on crypto disputes in Portugal are developing rapidly, and predictability increases for those who have obtained AT rulings in advance and agreed prospectuses with the CMVM.

What is important to remember

Taxation of crypto-holdings in Portugal 2026: it’s a system, not a set of life-hacks. Choose a form (Lda or SA), confirm substance, build CASP compliance and AML frameworks, establish the TP model and accounting policies under IFRS, and then plan repatriation taking into account the participation exemption and DTT. Pillar Two, MiCA, DAC8 and CARF do not hinder business – they require discipline and transparency.
COREDO’s practice confirms: the earlier you embed tax and regulatory architecture into the product and processes, the faster you can scale and the lower your cost of capital. If you are planning to establish a crypto holding in Portugal or are reviewing an existing structure, build three steps into the plan: risk assessment, compliance design and preliminary decisions with regulators. This is one of those cases when strategic preparation creates an advantage measured not in words, but in the figures on the P&L and exit multiples.

I have been leading COREDO since 2016, and from the early years I saw how international business in fintech faces not “barriers” but labyrinths. Company registration, obtaining financial licenses, AML/sanctions compliance, building processes across different jurisdictions — these are not a set of disparate tasks but a single architecture of risk management. The COREDO team builds this architecture in the EU, the United Kingdom, Singapore and Dubai, truly integrating legal, financial and technological solutions. Below I share how to think about MiCA, DeFi and compliance today so as not to “keep up with” regulation, but to get ahead of it and monetize predictability.

MiCA: regulation of crypto-assets in the EU


The MiCA regulation ends the phase of “ruleless experiments” in Europe. Crypto-asset service providers (CASP) have received clear licensing requirements, passporting across the entire EU and obligations on disclosure, risk management and operational resilience. National regulators issue authorisations, while ESMA and EBA set supranational standards and coordinate supervision, including through MiCA technical reporting standards. In practice this means uniform approaches to capital, internal controls, outsourcing and incident reporting.
The token classification under MiCA distinguishes, in particular, e‑money tokens (EMT) and asset‑referenced tokens (ART), including significant asset‑referenced tokens (significant ART). For issuers, there are separate prudential requirements, capitalization and reserve funds for stablecoins, requirements on reserves, liquidity management and MiCA whitepaper obligations. Issuer liability under MiCA increases responsibility for the accuracy of the whitepaper, marketing messages and continuous disclosure of risks, which directly affects the cost of capital and listing conditions.
MiCA has created a new transparency standard: disclosure and whitepaper requirements, proof‑of‑reserves and independent attestation methodologies, passporting requirements for access to the EU market, as well as oversight by ESMA/EBA on top of national control. COREDO’s practice confirms: competent early preparation for licensing of CASP halves time‑to‑market thanks to the right group structure, proactive IT audit and readiness for regulatory questions.

Who is responsible in DeFi under MiCA?

A pressing question is the application of MiCA to DeFi and the regulation of decentralized finance in Europe. Regulators look at actual control and “points of contact” with the user: the front‑end, hosting, search aggregators and gateway sites; key contributors; DAO decisions that affect protocol parameters; oracle operators and administered treasury multisigs. If there is a centralized provider that operates the interface, routes traffic, manages upgrades or receives fees, it may be qualified as a CASP with licensing requirements.
The legal status of DAOs in Europe remains fragmented, but predictability is emerging: a legal wrapper mechanism for DAOs (foundation model vs corporate wrapper) is used to fix liability, enter into contracts and implement AML/KYC for on‑ramps and off‑ramps. The COREDO team has implemented structures with foundations and operator companies that allocate responsibility between on‑chain governance and off‑chain governance through clear corporate documents, upgrade and delegation policies. This reduces front‑end liability risks and simplifies engagement with regulators and exchanges.
Extraterritorial application of rules and enforcement is a reality: if a service is available to EU clients, it may be required to be brought into compliance with MiCA and AMLD5/AMLD6. Inter-regulatory cooperation (ESMA, EBA, and central banks) strengthens data and practice sharing, and this raises the stakes: it is better to build compliance‑by‑design in advance than to respond to external requests.

Requirements for stablecoin issuers

Stablecoins under MiCA are divided into e‑money tokens (EMT) and asset‑referenced tokens (ART). For EMT, rules similar to electronic money apply: capital requirements, issuance and redemption at par, segregation of funds and liquidity. For ART — obligations on reserves and their management, including high‑quality liquid assets, regular reports, stress tests and, for significant ART, higher buffers and EBA supervision. Disclosure via the whitepaper and ongoing disclosures supports investor and partner confidence.
Proof‑of‑reserves: a working tool, but not a silver bullet. It needs methodologies covering not only assets but liabilities, related parties, as well as exception procedures and incident reporting. COREDO experts introduce combined procedures: independent attestations, on‑chain evidence, SLAs with custodians and auditors, and mechanisms to suspend operations when reserve covenant breaches occur. The result is liquidity resilience and a reduction in the risk premium on listing and partner integrations.

AML/KYC in DeFi – compliance with FATF/MiCA


Compliance with AML requirements and conformity with FATF and MiCA are the basis for access to banking services and partner ecosystems. FATF guidelines (VASP and FATF guidance for DeFi) and the European AMLD5/AMLD6 framework enshrine CDD (customer Due Diligence), beneficial ownership, sanctions lists, the travel rule and SAR (suspicious activity reporting). For DeFi teams the key is to separate the on‑ramp/off‑ramp and protocol parts, implementing a risk‑based approach (RBA) for critical points: fiat on‑ramps, token bridges, centralized infrastructure components.
Sanctions compliance and monitoring of on‑chain transactions require integrating blockchain analytics providers, counterparty risk assessment scenarios, sanctions lists and on‑chain blocking when prohibited addresses are detected. At COREDO we build escalation and SAR playbooks, automate flags and reporting, and establish compliance KPIs so the board of directors can see the dynamics: share of automated decisions, time to escalation, number of cases involving law enforcement.
The travel rule is not only a legal but also a technical challenge. For CASP and VASP we design routing of identifiers, exchange of payer/recipient attributes, storage of minimally sufficient data and rejections when a counterparty is absent. In decentralized applications we address this via on‑ramp/off‑ramp, gateway services and partner VASPs, which allows preserving the permissionless core of the protocol while meeting requirements.
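The screening flow described in the two paragraphs above, as an added example (not COREDO's code): sanctions screening on both parties, travel rule attribute checks above a threshold, automatic rejection when no counterparty VASP is reachable, and the "share of automated decisions" KPI. The threshold, the sanctions list, the VASP identifiers and the transfers are all constructed.

```python
"""Transfer screening for a CASP/VASP: sanctions check on both parties, travel
rule completeness above a threshold, rejection when no counterparty VASP exists,
and the automation-rate KPI. Added example for this article, not COREDO's code;
the threshold, sanctions list, VASP registry and transfers are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

TRAVEL_RULE_THRESHOLD_EUR = 1000.0   # constructed; use the threshold of the applicable regime
OUR_VASP_ID = "vasp-eu-001"          # constructed identifier of our own entity

# Constructed sample data: prohibited on-chain addresses and the VASPs with which
# we have a working travel-rule messaging channel.
SANCTIONED_ADDRESSES = {"0xbad0001"}
KNOWN_VASPS = {OUR_VASP_ID, "vasp-sg-007"}


@dataclass
class Party:
    name: Optional[str]
    account: Optional[str]      # on-chain address or account identifier
    vasp_id: Optional[str]      # VASP hosting the account; None for an unhosted wallet


@dataclass
class Transfer:
    tx_id: str
    amount_eur: float
    originator: Party
    beneficiary: Party


@dataclass
class Decision:
    tx_id: str
    action: str                 # "allow", "reject" or "block_and_escalate"
    automated: bool             # False when a human must review (feeds the KPI below)
    reasons: List[str] = field(default_factory=list)


def screen(t: Transfer) -> Decision:
    # 1. Sanctions screening on both sides, regardless of amount: a prohibited
    #    address is blocked on-chain and the case goes to the SAR/escalation playbook.
    hits = [p.account for p in (t.originator, t.beneficiary)
            if p.account in SANCTIONED_ADDRESSES]
    if hits:
        return Decision(t.tx_id, "block_and_escalate", False,
                        [f"sanctions_hit:{a}" for a in hits])
    # 2. Travel rule: above the threshold both parties' attributes must be present and
    #    routable to a VASP we can exchange messages with; otherwise reject automatically.
    reasons: List[str] = []
    if t.amount_eur >= TRAVEL_RULE_THRESHOLD_EUR:
        for role, p in (("originator", t.originator), ("beneficiary", t.beneficiary)):
            if not p.name or not p.account:
                reasons.append(f"missing_{role}_attributes")
            if p.vasp_id is None:
                reasons.append(f"no_{role}_counterparty_vasp")
            elif p.vasp_id not in KNOWN_VASPS:
                reasons.append(f"unknown_{role}_vasp:{p.vasp_id}")
        if reasons:
            return Decision(t.tx_id, "reject", True, reasons)
    return Decision(t.tx_id, "allow", True, reasons)


def automation_rate(decisions: List[Decision]) -> float:
    """Board KPI from the text: share of decisions taken without human review."""
    if not decisions:
        return 0.0
    return sum(1 for d in decisions if d.automated) / len(decisions)


def run_demo():
    """Constructed transfers covering each branch of the screening logic."""
    ana = Party("Ana Silva", "0xaaa1", OUR_VASP_ID)
    transfers = [
        # small transfer between two hosted accounts: allowed
        Transfer("tx1", 250.0, ana, Party("Bo Chan", "0xbbb2", "vasp-sg-007")),
        # above threshold, beneficiary name missing: travel rule incomplete, rejected
        Transfer("tx2", 5000.0, ana, Party(None, "0xbbb3", "vasp-sg-007")),
        # above threshold to an unhosted wallet: no counterparty VASP, rejected
        Transfer("tx3", 1500.0, ana, Party("Self", "0xccc4", None)),
        # beneficiary on the sanctions list: blocked and escalated regardless of amount
        Transfer("tx4", 40.0, ana, Party("Unknown", "0xbad0001", "vasp-sg-007")),
        # above threshold, complete data, known VASPs on both sides: allowed
        Transfer("tx5", 12000.0, ana, Party("Bo Chan", "0xbbb2", "vasp-sg-007")),
    ]
    decisions = [screen(t) for t in transfers]
    return decisions, automation_rate(decisions)


if __name__ == "__main__":
    for d in run_demo()[0]:
        print(d)
```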

How to implement KYC in a DEX without compromising UX

Choosing a “strict KYC for everyone” approach is simple but costly in terms of liquidity outflow. A more resilient option is flow segmentation: KYC for functionality that triggers legal requirements (for example, fiat on‑ramp; elevated limits; professional accounts), and risk scoring for the rest of the traffic. zk‑KYC and privacy‑preserving KYC based on zero‑knowledge proofs help verify attributes without revealing personal data to the protocol. This enables a balance between privacy and transparency (privacy vs transparency) without compromising AML.
Integrating KYC providers with on‑chain UX requires an architecture: where to store proofs, how to synchronize statuses on the front end, how to handle appeals. The solution developed at COREDO includes a modular API layer, an event log, sanctions monitoring logic and re‑verification mechanisms. For the travel rule we apply messaging protocols between VASPs and configure failure modes at the smart contract/front end level when attributes are absent.
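The flow segmentation described in this section, as an added example that is not COREDO's code: only flows that trigger legal requirements (fiat on-ramp, elevated limits, professional accounts) demand a verification tier, the rest of the traffic is risk-scored, expired verifications are sent for re-verification, and every decision lands in an event log for appeals. Tiers, limits, validity periods and the sample users are constructed.

```python
"""Flow-segmented KYC gate for a DEX front end. Added example for this article,
not COREDO's code; tiers, limits, validity periods and sample users are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy: tier 0 = unverified, 1 = basic KYC, 2 = professional account.
TIER_VALIDITY_DAYS = {1: 365, 2: 180}   # re-verification period per tier
UNVERIFIED_DAILY_LIMIT = 1000.0         # cumulative daily volume above which KYC is required
RISK_REVIEW_SCORE = 80                  # un-gated traffic at or above this score goes to review


@dataclass
class User:
    user_id: str
    tier: int = 0
    verified_on_day: Optional[int] = None   # day number of the last successful verification
    risk_score: int = 0                     # 0..100 from on-chain analytics, no identity data
    volume_today: float = 0.0


@dataclass
class KycGate:
    events: List[dict] = field(default_factory=list)   # append-only log for appeals and audit

    def required_tier(self, user: User, action: str, amount: float) -> int:
        """Flow segmentation: which verification tier this action needs."""
        if action == "fiat_onramp":
            return 1
        if action == "professional_account":
            return 2
        if action in ("swap", "withdraw") and user.volume_today + amount > UNVERIFIED_DAILY_LIMIT:
            return 1                        # elevated limits trigger KYC
        return 0

    def check(self, user: User, action: str, amount: float, today: int) -> str:
        """Returns 'allow', 'kyc_required', 'reverify' or 'review'."""
        need = self.required_tier(user, action, amount)
        if need == 0:
            # Permissionless path: no identity data, only risk scoring of the traffic.
            outcome = "review" if user.risk_score >= RISK_REVIEW_SCORE else "allow"
        elif user.tier < need:
            outcome = "kyc_required"
        elif user.verified_on_day is None or today - user.verified_on_day > TIER_VALIDITY_DAYS[user.tier]:
            outcome = "reverify"            # verification expired under the tier's period
        else:
            outcome = "allow"
        if outcome == "allow":
            user.volume_today += amount
        self.events.append({"user": user.user_id, "action": action, "amount": amount,
                            "required_tier": need, "outcome": outcome, "day": today})
        return outcome


def run_demo():
    """Constructed users and actions exercising each outcome."""
    gate = KycGate()
    anon = User("u-anon")                                   # unverified, low risk
    risky = User("u-risky", risk_score=92)                  # unverified, flagged by analytics
    basic = User("u-basic", tier=1, verified_on_day=0)      # verified two years ago
    pro = User("u-pro", tier=2, verified_on_day=700)        # verified 30 days ago
    today = 730
    outcomes = [
        gate.check(anon, "swap", 400.0, today),               # allow: small swap, no KYC
        gate.check(anon, "swap", 800.0, today),               # kyc_required: 1200 > daily limit
        gate.check(anon, "fiat_onramp", 50.0, today),         # kyc_required: on-ramp always gated
        gate.check(risky, "swap", 100.0, today),              # review: risk score on un-gated flow
        gate.check(basic, "fiat_onramp", 50.0, today),        # reverify: 730 days > 365
        gate.check(pro, "professional_account", 0.0, today),  # allow: tier 2, still valid
        gate.check(pro, "withdraw", 5000.0, today),           # allow: tier 2 covers elevated limits
    ]
    return outcomes, gate.events


if __name__ == "__main__":
    for event in run_demo()[1]:
        print(event)
```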

Smart contract risks and compliance


Smart contract audits and compliance requirements are not a formality. We build a secure development lifecycle with threat modeling, static/dynamic analysis, bug bounty programs and formal verification of smart contracts when justified by risk. Smart contract upgradeability and fork risks are addressed by upgrade policies, timelocks, on-chain governance and audit logs. Fork governance and allocation of responsibilities are recorded in documentation to avoid ‘surprises’ during contentious upgrades and emergency patches.
Oracles are a critical component. We translate oracle risks and their legal regulation into practical oracle SLAs: update frequency, sources, failure procedures, deviation limits, as well as oracle decentralization across multiple providers and a fallback mechanism. Methods to mitigate oracle risk include TWAP, cross-checking sources, quorum confirmations and a trading halt mechanism for extreme deviations. This is an important part of operational resilience and the SLA requirements regulators ask about.
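The oracle controls listed above (freshness per the SLA update frequency, cross-checking of sources, quorum confirmation, TWAP and a trading halt on extreme deviation), as an added example that is not COREDO's or any protocol's code. All thresholds and the sample price feeds are constructed.

```python
"""Multi-source price oracle guard: freshness, cross-checking of sources, quorum,
TWAP and a trading halt on extreme deviation. Added example for this article, not
COREDO's or any protocol's code; all thresholds and the sample feeds are constructed."""
from collections import deque
from dataclasses import dataclass, field
from statistics import median
from typing import Deque, Iterable, List, Optional, Tuple

Quote = Tuple[str, float, float]   # (source name, price, unix timestamp)


@dataclass
class OracleGuard:
    quorum: int = 3               # minimum number of fresh sources that must agree
    max_age: float = 60.0         # seconds a quote stays usable (the SLA "update frequency")
    max_source_dev: float = 0.02  # a source more than 2% from the median is ignored
    max_twap_dev: float = 0.10    # spot more than 10% away from TWAP trips the halt
    twap_window: float = 600.0    # seconds of accepted prices kept for the TWAP
    history: Deque[Tuple[float, float]] = field(default_factory=deque)  # (time, price)
    halted: bool = False

    def twap(self, now: float) -> Optional[float]:
        """Time-weighted average of accepted prices inside the window; each price is
        assumed to hold until the next accepted observation (the last one until now)."""
        points = [(t, p) for t, p in self.history if now - t <= self.twap_window]
        if not points:
            return None
        total = weight = 0.0
        for i, (t, p) in enumerate(points):
            end = points[i + 1][0] if i + 1 < len(points) else now
            dt = max(end - t, 1e-9)   # keep a tiny weight for simultaneous samples
            total += p * dt
            weight += dt
        return total / weight

    def aggregate(self, quotes: Iterable[Quote], now: float) -> Tuple[str, Optional[float]]:
        """Returns (status, price); status is 'ok', 'no_quorum' or 'halted'."""
        if self.halted:
            return "halted", None
        fresh = [p for _, p, t in quotes if now - t <= self.max_age]
        if len(fresh) < self.quorum:
            return "no_quorum", None            # fallback path: stale or too few feeds
        ref = median(fresh)
        # Cross-check: drop outliers relative to the median of the fresh feeds.
        agreeing = [p for p in fresh if abs(p - ref) / ref <= self.max_source_dev]
        if len(agreeing) < self.quorum:
            return "no_quorum", None            # feeds disagree: no quorum confirmation
        spot = median(agreeing)
        twap = self.twap(now)
        if twap is not None and abs(spot - twap) / twap > self.max_twap_dev:
            self.halted = True                  # circuit breaker; resume() after review
            return "halted", None
        self.history.append((now, spot))
        while self.history and now - self.history[0][0] > self.twap_window:
            self.history.popleft()
        return "ok", spot

    def resume(self) -> None:
        """Manual re-enable after the halt has been reviewed."""
        self.halted = False


def run_demo() -> List[Tuple[str, Optional[float]]]:
    """Constructed scenario: healthy ticks, one manipulated source, one stale source,
    then a sudden 30% move that trips the halt."""
    guard = OracleGuard()
    results = []
    for now in (0, 60, 120):   # four sources agree around 100
        results.append(guard.aggregate(
            [("A", 100.0, now), ("B", 100.2, now), ("C", 99.8, now), ("D", 100.1, now)], now))
    # source D reports 140 while the others stay near 100: outlier is dropped, quorum holds
    results.append(guard.aggregate(
        [("A", 100.3, 180), ("B", 100.1, 180), ("C", 99.9, 180), ("D", 140.0, 180)], 180))
    # source D is 140 s old: ignored as stale, three fresh sources still form a quorum
    results.append(guard.aggregate(
        [("A", 100.0, 240), ("B", 100.2, 240), ("C", 100.1, 240), ("D", 100.0, 100)], 240))
    # all sources jump 30% at once: spot deviates from TWAP beyond the limit, trading halts
    results.append(guard.aggregate(
        [("A", 130.0, 300), ("B", 130.2, 300), ("C", 129.8, 300), ("D", 130.1, 300)], 300))
    return results


if __name__ == "__main__":
    for status, price in run_demo():
        print(status, price)
```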
MEV, frontrunning and regulatory risks are no longer exclusively a technical topic. We set up MEV-bot monitoring, implement anti-frontrunning mechanisms (private mempool, commit-reveal, batching) and document a risk disclosure policy for users. For AMMs and DEXs legal requirements differ from CEXs: centralized exchanges carry full responsibility for custody and execution, while DEXs focus on front-end liability, analytics data and points of centralized control. Liquidity pools and pool mechanics require disclosure of impermanent loss as a business risk and description of effects for LPs in the whitepaper and the interface.
Flash-loan attacks and legal response mechanisms include incident reporting, interaction with law enforcement and regulators, freezing funds at partners’ custody nodes and a documented response playbook. Custody vs non-custodial: legal consequences differ; for custodial models custodian requirements apply, including multisignature wallets (multisig), threshold signature schemes (TSS) and multi-party computation (MPC) for custody, controlled through internal policies and external audits.
Finally, third-party and supply chain software risk, cloud-hosting risks and provider dependencies require a registry of critical dependencies, supplier due diligence, resilience tests and contractual SLAs. Operational resilience is a separate MiCA module: continuity plans, stress scenarios, backup channels, availability KPIs and reporting on security incidents and breaches.

Consequences of MiCA for blockchain startups


Our experience at COREDO has shown: MiCA is not only a “cost of compliance”, but also a reduction in the cost of capital and barriers to market entry. Passporting of services under MiCA opens up scaling in the EU without re‑licensing in each country, provided CASP capital requirements are met and risk policies are configured. For cross‑chain compliance and bridges it is important to address cross‑border enforcement and jurisdictional risks: record the place of service provision, KYC/sanctions policies at transitions, and locking mechanisms.
Managing composability risk requires a registry of dependencies: oracles, lending markets, insurance, bridges. TVL (total value locked) as a risk metric is not an end in itself: liquidity resilience, creditor concentration and correlations with external shocks are more important. Emission policy and token regulation must take into account the legal status of tokens and tokenomics: for governance tokens, legal liability arises when holders or a council of delegates exercise de facto control. The separation of on‑chain governance vs off‑chain governance through corporate documents and regulations helps here.
Regulatory sandboxes for DeFi are an effective tool for testing KYC models, the travel rule and oracle solutions. In a COREDO project with a startup in the EU, a sandbox allowed agreeing on a zk‑KYC mechanism and tuning SAR automation before production launch. For due diligence when launching a DeFi project we perform legal and technical audits, assess smart‑contract insurance and market solutions, and also plan protocol migration under MiCA: action plan, timelines, KPIs and budget.
Assessment of compliance costs and ROI for DeFi projects includes a cost‑benefit analysis of AML implementation, compliance efficiency metrics and KPIs, as well as an evaluation of the effect of listings, partnerships and banking access. Compliance‑as‑a‑service reduces fixed costs through outsourcing reporting, monitoring, the travel rule, sanctions screening and incident management. When the board of directors sees transparent metrics, the decision to invest in compliance ceases to be a “necessary evil” and becomes a growth driver.

COREDO launch plan under MiCA


  • Jurisdictional strategy. Define the entry point into the EU considering the type of services (CASP), capital requirements and operational base. Take into account access to talent, regulatory practice and authorization timelines with the national regulator.
  • Licensing and passporting. We assemble the licensing package, describe controls, and plan passporting to the second wave of EU countries. We embed MiCA technical reporting standards and procedures for interaction with ESMA/EBA.
  • AML/sanctions and the travel rule. We design RBA, CDD, beneficial ownership, SAR and sanctions processes. We set up KYC for on‑ramp and off‑ramp; travel rule: technical and legal implementation, rejection policies.
  • Technology and security. SDLC, audits and formal verification, upgrade policy, oracle SLA, MEV controls, custody architecture (multisig/TSS/MPC). We set up incident reporting and a response playbook.
  • Transparency and disclosure. Whitepaper obligations under MiCA, best practices for risk disclosure (impermanent loss, oracle/MEV, liquidity), proof-of-reserves and methodology limitations.
  • Governance and DAO. Legal wrapper for the DAO (foundation or corporate), allocation of responsibilities, on‑chain/off‑chain governance rules, front‑end liability and agreements with providers.
  • Operational resilience. SLA, continuity plan, redundancy, third‑party and cloud risks, stress-scenario testing, incident reporting and interaction with law enforcement.
  • Listing and scaling. Preparation for listings/integrations, compliance KPIs, passporting, inter-regulatory communications and a migration plan for MiCA updates.

Case studies: practice becomes the standard

First case: a DEX with Asian roots that requested access to EU clients. The COREDO team implemented a hybrid model: a permissionless core of the protocol, KYC/AML and the travel rule on on‑ramp/off‑ramp and professional accounts, zk‑KYC to preserve UX, and integration with blockchain analytics providers. As a result, the project obtained CASP licensing for part of the services, a whitepaper under MiCA and a passporting route. The user funnel and TVL grew thanks to institutional partners for whom compliance predictability is critical.
Second case: an issuer of a stablecoin of the asset‑referenced token (ART) type with the ambition to reach significant ART status. We built a reserve policy, developed proof‑of‑reserves with independent attestations and on‑chain publication, as well as liquidity stress tests and risk disclosures. The regulator accepted the whitepaper and the continuity plan, and custodian partners confirmed SLAs for the reserve assets. This is a typical example where regulatory requirements became the foundation for listing and integration into payment rails.
Third case: a DAO launching a lending protocol with oracle dependencies. At COREDO we proposed a legal wrapper via a foundation and an operating company with a clear allocation of responsibilities, and implemented oracle decentralization with a fallback mechanism, an upgrade policy and a timelock. Additionally, we set up MEV monitoring and SAR procedures, and recorded front‑end liability in contracts with hosting and gateway providers. The project passed due diligence with institutions and obtained smart contract insurance with a premium discount thanks to a mature SDLC.

Compliance: tools and automation

Automation of compliance and compliance-as-a-service consist of KPI dashboards, AML scenarios, control points for the travel rule and sanctions, and dependency registers for composability risks. We implement on-chain analytics and blockchain forensics, build SAR and reporting channels, and configure performance metrics: the share of alerts closed automatically, average TTR/TTI, flag accuracy, and conversion to listings/partnerships after compliance improvements. This approach makes it possible to relate compliance CAPEX/OPEX to revenue and ROI metrics.
For proof-of-reserve we apply combined methodologies: cryptographic proofs, confirmations from custodians, independent attestations of liabilities, and reports for users and regulators. We are candid about PoR’s limitations and propose countermeasures: reporting frequency, coverage completeness, and ‘red button’ mechanisms. Transparency: it’s not a one-time publication, it’s a process.

Frequently asked questions and answers

  • CEX vs DEX: regulatory distinction. Centralized exchanges have the full range of CASP obligations, including custody. For DEXs, attention is on the interface, centralized components, AML on on-/off-ramps and the responsibility of DAOs/developers when there is de facto control.
  • Who bears responsibility in permissionless protocols? Where there is control or influence (front-end, admin keys, oracles, treasury), the regulator sees those responsible. A legal wrapper for the DAO and distribution of functions reduce risks and improve manageability.
  • How to apply the travel rule in decentralized applications? Through partner VASPs for fiat and centralized bridges, attribute exchange, refusing transfers when data is absent, and logic on the front-end/contracts.
  • Proof‑of‑reserves: limitations. Without accounting for liabilities and affiliated risks, PoR is misleading. A combined methodology and regular independent audits are needed.
  • MEV and frontrunning: how to reduce regulatory risk? Implement anti-frontrunning mechanisms, disclose risks, monitor abuses, document response policies and incident reporting.
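As an added illustration of the proof‑of‑reserves points above (the combined methodology in the tools section and the "limitations" answer in the FAQ), here is a minimal Merkle sum tree proof of liabilities in Python. This is example code written for this page, not COREDO's own tooling; the user balances, salt and reserve figure are constructed sample data. It shows the liability side that a reserves‑only attestation omits: every balance is committed to, a user can check their own inclusion, and the attested reserves are compared against the committed total rather than published on their own.

```python
import hashlib

Node = tuple  # (hash: bytes, sum of balances in the subtree: int)
EMPTY: Node = (hashlib.sha256(b"empty").digest(), 0)  # padding node, contributes nothing

def _enc(n: int) -> bytes:
    return n.to_bytes(16, "big")  # raises on negatives, so they can never be hashed in

def _parent(left: Node, right: Node) -> Node:
    # The hash covers both child sums, so a prover cannot silently alter a subtotal
    lh, ls = left
    rh, rs = right
    return hashlib.sha256(lh + _enc(ls) + rh + _enc(rs)).digest(), ls + rs

def make_leaf(user_id: str, balance: int, salt: bytes) -> Node:
    # Salted leaf: other users cannot enumerate ids, and negative balances are rejected
    if balance < 0:
        raise ValueError("negative balances would understate total liabilities")
    return hashlib.sha256(salt + user_id.encode() + _enc(balance)).digest(), balance

def build_tree(leaves: list) -> list:
    """Bottom-up levels; levels[-1][0] is the root (hash, total liabilities)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([EMPTY] if len(levels[-1]) % 2 else [])
        levels.append([_parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels: list, index: int) -> list:
    """Inclusion path for leaf `index`: (sibling node, sibling_is_left) per level."""
    path = []
    for level in levels[:-1]:
        cur = level + ([EMPTY] if len(level) % 2 else [])
        path.append((cur[index ^ 1], index % 2 == 1))
        index //= 2
    return path

def verify(leaf: Node, path: list, root: Node) -> bool:
    """A user recomputes the root from their own leaf and the published path."""
    node = leaf
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:
            return False
        node = _parent(sibling, node) if sibling_is_left else _parent(node, sibling)
    return node == root

def is_solvent(root: Node, attested_reserves: int) -> bool:
    # Reserves alone prove nothing; they must cover the committed liability total
    return attested_reserves >= root[1]

# Constructed sample data (hypothetical users and balances)
SALT = b"constructed-salt"
LEAVES = [make_leaf(u, b, SALT) for u, b in [("alice", 50), ("bob", 30), ("carol", 40)]]
LEVELS = build_tree(LEAVES)
ROOT = LEVELS[-1][0]
```

Publishing `ROOT` together with a custodian attestation of reserves lets a reader compare the two numbers; a reserve figure published without the committed liability total is exactly the misleading case the FAQ warns about.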

Compliance as a scaling strategy

MiCA raised the bar, but at the same time made the market predictable. When a founder has a clear roadmap, CASP licensing, AML/KYC and the travel rule, operational resilience, proof‑of‑reserves, a whitepaper and passporting – access to capital and partnerships expands. At COREDO this is not theory: the practice of projects in the EU, the UK, Singapore and Dubai has shown that mature compliance reduces the cost of risk and accelerates sales.
I am convinced: DeFi and decentralized protocols will grow where the architecture of legal and technological solutions is designed in advance. The COREDO team helps embed compliance‑by‑design into the product: from a legal wrapper for DAOs and governance models to oracle SLAs, SDLC and automated AML. If you are facing the decision to register a structure in the EU, come under MiCA, obtain licenses for crypto services and build AML frameworks, there should be no guesswork — only data, methodologies and a partner you can trust for the long term. This is exactly how we build projects that withstand scrutiny by the market and time.