Leave an application
COREDO > Blog > Crypto custody in the EU regulatory requirements and licensing

Crypto custody in the EU regulatory requirements and licensing

Avatar photo
Updated: 12.01.2026
Content

Crypto custody in the EU is no longer a “grey area”. For me as the founder of COREDO this is one of the most telling areas: over the past few years the team has accompanied the evolution from experimental crypto platforms to mature financial infrastructures that are subject to the same strict regulatory requirements as banks and payment institutions.

In this article I will lay out what cryptocurrency regulation in the EU actually means, how MiCA, DAC8 and CARF are changing the rules of the game, and what needs to be built into the crypto custody business so it doesn’t just “survive 2026”, but use it as a point of growth.

Crypto custody in the EU: what is considered custody

Illustration for the section «Crypto custody in the EU: what is considered custody» in the article «Crypto custody in the EU - regulatory requirements and licensing»
When an entrepreneur tells me: “We’re not a bank, we just hold clients’ assets in wallets,” to the regulator that sounds like a classic crypto custody service.

The custody of crypto assets in the EU typically covers services that:

  • have access to clients’ private keys or can initiate transactions on their behalf;
  • provide a wallet structure (hot, cold, custodial) with responsibility for the safekeeping of assets;
  • offer trust management, margin services, staking, if in doing so they control access to the funds.

The key mistake I often see is the attempt to “hide” the activity behind the wording “we’re just an IT platform.” For the regulator, what matters is not what you call the service in a pitch to investors, but:

  • whether the user has full and exclusive control over the private keys;
  • who legally owns the assets;
  • who is responsible to the client in the event of loss or freezing of funds.

If you control the keys or manage assets on behalf of clients, you fall under the scope of a crypto-asset service provider (CASP) and you need the appropriate status and Licensing of crypto platforms in the EU.

MiCA: regulation of cryptocurrencies in the EU

Illustration for the section «MiCA: regulation of cryptocurrencies in the EU» in the article «Crypto custody в ЕС - регуляторные требования и лицензирование»
The MiCA regulation ends the era of fragmented cryptocurrency regulation in Europe. For businesses, it is both a challenge and an opportunity.

Who CASPs Are and Why It Matters

MiCA introduces a single category – Crypto-Asset Service Provider (CASP). For crypto custody platforms this means:

  • you cannot work with EU clients in a custodial capacity without a CASP license;
  • after obtaining the license you get a single authorization for the EU market: you can serve clients via the «passporting» model without re-licensing in each Member State;
  • all key requirements for capital, governance and compliance are now set at the regulation level, rather than being «spread out» across national rules.
One of the projects that the COREDO team supported in the EU started as a small crypto exchange with custodial wallets. When scaling to institutional clients, we immediately built the architecture as for a future CASP, rather than a «minimally necessary» model. This allowed the client to move into the MiCA framework without a full process restart and to use the transition period as a window to expand the business, rather than as a fight for survival.

MiCA requirements for crypto-custody

For crypto-asset storage services, MiCA sets out a set of basic building blocks:

Capital and financial resilience

Minimum own capital requirements depend on the type of services, volume of operations and risk profile. Custodial services typically fall into a «heavier» category because they are responsible for the safekeeping of assets.

corporate governance of CASPs
The owner of a crypto custody business can no longer remain simply a «tech entrepreneur». The regulator expects:

  • a transparent ownership structure;
  • a board of directors/management with relevant experience in finance and compliance;
  • a documented risk management system;
  • an independent compliance function and, for large entities, internal audit.

Organization of storage and IT security
MiCA strongly encourages:

  • segregation of client assets and company funds;
  • a policy for allocating storage between hot and cold wallets;
  • procedures for managing private keys (generation, storage, rotation, backups, access on a «least necessary» basis).
In practice, the COREDO team often comes into an operating business and sees a «menagerie of solutions»: some assets on exchanges, some on custom-built nodes, some in hardware wallets without formalized access. Bringing such a structure up to a level acceptable to the MiCA regulator is a full-scale reengineering project, not just «adding procedures».

MiCA transition period and deadlines

For existing crypto companies, the European Union has provided a MiCA transition period that ends by mid-2026. This is the window in which you need to:

  • determine whether you fall into the CASP category;
  • choose the country for primary licensing;
  • restructure business processes to meet MiCA requirements;
  • submit a full set of documents and obtain authorization.
Clients often ask me: «Can my platform continue to operate without a MiCA license after July 2026?».
In most cases: no. After the transition period ends, operating without CASP status for regulated services will mean the risk of:

  • a ban on operating in the EU;
  • being added to a «blacklist of crypto platforms»;
  • sanctions up to criminal liability for management in certain jurisdictions.

DAC8 and CARF: taxation of crypto-assets

Illustration for the section “DAC8 and CARF: taxation of crypto-assets” in the article “Crypto custody in the EU - regulatory requirements and licensing”
If MiCA covers “licensing and investor protection”, then DAC8 and CARF cover tax transparency.

What DAC8 means for crypto platforms

The DAC8 directive extends the European framework for administrative cooperation in tax matters to crypto-assets. For crypto custody and crypto platforms this means:

  • an obligation to transmit client data and their transactions to tax authorities;
  • integration into the regime of automatic exchange of crypto-asset data between countries;
  • establishing processes to identify unpaid tax liabilities and prevent tax avoidance.
DAC8 makes no distinction between large exchanges and relatively small platforms with custodial wallets if they serve clients who are EU residents. In one of the cases COREDO supported an Asian platform that had long worked with European traders while formally having no presence in the EU. When DAC8 and CARF entered an active phase, it became impossible to ignore European residents: we structured the operating model either via a European CASP subdivision or by sharply restricting access for EU residents. Both options are strategic decisions, not purely legal.

CARF: the reporting standard for crypto-assets

CARF reporting standards: an OECD initiative that essentially does for crypto-assets what the CRS did for standard financial accounts:

  • a single message format for automatic exchange of information;
  • a unified data set: client identification, crypto-asset balances, transaction history, transfers between accounts;
  • the ability for tax authorities of different countries to view crypto-assets in the context of a client’s overall financial flows.
For your business this means you need to:

  • implement reporting automation under CARF;
  • synchronize internal data (KYC, accounting, transactions) with the exchange formats;
  • ensure the quality and completeness of data to avoid disputes with tax authorities.

KYC/AML and a risk-based approach in crypto

Illustration for the section 'KYC/AML and risk‑based approach in crypto' in the article 'Crypto custody in the EU - regulatory requirements and licensing'
Regulation no longer works without effective AML/CFT and KYC in crypto businesses. MiCA, DAC8, AMLR and national laws expect platforms to have mature, documented and verifiable compliance.

KYC/AML for crypto custody: basic framework

When we at COREDO build AML/CFT processes in crypto, for crypto custody platforms we typically form the following blocks:

KYC policy

  • identification of natural persons and legal entities;
  • document verification, screening against sanction and PEP lists;
  • data updates on a schedule or by triggers (change in activity, suspicious transactions).

Risk‑based AML/CFT approach in crypto

  • client segmentation by risk in crypto services (retail, professional, institutional, high‑risk jurisdictions, complex ownership structures);
  • assigning a baseline risk rating during onboarding;
  • reviewing risk ratings when new data emerges, client behavior changes or adverse information is detected.

transaction monitoring of cryptocurrencies

  • scenarios for automatic detection of atypical or potentially suspicious transactions;
  • transaction thresholds under DAC8 and internal limits for enhanced review;
  • integration with blockchain analytics systems.

Blockchain analytics for compliance

Today, quality compliance for cryptocurrency platforms is impossible without blockchain analytics. From practice:

  • in one licensing project for a crypto exchange we implemented integration with several blockchain analytics providers to:
    • check the ‘cleanliness’ of incoming and outgoing cryptocurrency;
    • track links to darknet markets, mixers, sanctioned addresses;
    • analyze transaction chains according to typical risk scenarios.
Sometimes entrepreneurs try to save on analytics, treating it as an “option”. For regulators, however, the presence and proper use of such tools is a critical element of the control system.

How to securely store crypto assets

Illustration for the section «How to securely store crypto assets» in the article «Crypto custody in the EU - regulatory requirements and licensing»
MiCA and DAC8 define the “what” and the “why”. The question of “how” is engineering and operational design.

Hot, cold and non-custodial wallets

For crypto custody in the EU the key decisions are:

Hot wallets (hot wallets)

  • provide high transaction speed;
  • carry increased risks of hacking attacks and device compromise;
  • require strict limits, multi-signatures, segregation by types of operations.

Cold wallets (cold wallets) and hardware devices

  • used for the bulk of assets;
  • integrated into multi-stage access procedures (multisig, physical safes, offline storage);
  • entail a considered policy for storing seed phrases and backups of private keys (including the use of safes and bank deposit boxes).

Non-custodial wallets and regulation

Used where the client retains maximum control. In some models this can reduce the scope of regulated services, but it is often not possible to completely remove a business from under MiCA: regulators pay attention to actual controllability and risks, not just the technical scheme.
In one of COREDO’s projects for a staking platform we audited the architecture: some operations went through custodial hot wallets, others through a scheme where clients managed their own validators. We separated these flows in detail, documented the boundaries of responsibility and adapted AML/KYC for each model, which became a key argument in discussions with the regulator.

Monitoring and reporting integration

To meet the requirements of MiCA, DAC8 and CARF, companies build:

  • a single data‑layer that consolidates:
    • KYC/AML data;
    • transaction history;
    • monitoring and investigation statuses;
    • information for regulatory and tax reporting;
  • transaction monitoring systems capable of:
    • online analytics;
    • generating reports on request from regulators and tax authorities;
    • documenting all decisions (why an operation was approved, rejected, sent to enhanced Due Diligence).
In one of COREDO’s cases we were engaged after the start of a regulatory inspection. The main problem was not that the business had broken the rules, but that the compliance officers’ decisions were not formalized and reproducible. We built a minimal but structured log of events and rules, after which the regulator gained the ability to “trace” the decision-making process. This drastically reduces the risk of sanctions for non-compliance with MiCA and AML standards.

Licensing crypto platforms in the EU 2026

Given MiCA, DAC8 and CARF the question ‘where to get licensed’ turns from a tax issue into a strategic decision about the company’s positioning in Europe.

Choosing a jurisdiction for a CASP license

When choosing a country for the primary CASP‑license I always advise founders to look at several parameters:

  • speed and transparency of interaction with the regulator;
  • practice of licensing crypto companies;
  • capital requirements;
  • approach to AML/CTF and tech solutions;
  • ecosystem: banks, payment providers, consultants, auditors.
In certain projects COREDO chose EU jurisdictions based not only on the regulator’s ‘leniency’, but also on where it is easier to gain access to financial infrastructure: banks, EMI, PSP. Crypto custody without clear accounts and payment channels is a beautiful interface without the ability to perform full-scale operations.

How to prepare for CASP licensing?

To avoid entering the process chaotically, I usually structure the preparation into four blocks:

Business and product model

  • which crypto services in the EU you actually provide (custody, exchange, staking, tokenization, etc.);
  • for which client categories (retail, HNWI, corporate, institutional);
  • geography: only the EU or global coverage with an EU‑focus.

Corporate structure and governance

  • a legal entity in the EU with a clear beneficial ownership structure;
  • a board of directors and top management with verifiable experience;
  • internal policies: risk management, compliance, IT security, business continuity.

Compliance framework

  • KYC/AML policies taking into account a risk‑based approach;
  • transaction monitoring procedures and blockchain analytics;
  • internal investigation processes and reporting of suspicious transactions.

IT and operational infrastructure

  • wallet architecture (hot/cold/non-custodial);
  • logging and activity audit system;
  • integration with analytics and reporting providers for CARF/DAC8.
In practice COREDO often takes on the role of the ‘general contractor’ for such a project: lawyers, finance, AML, IT architects and project management work as a single team. This is critical, because a weak link in such a system quickly becomes the focus for the regulator.

Strategic issues for executives 2026

In conversations with owners and chief financial officers of crypto platforms, several strategic topics usually come into focus.

MiCA: competitive advantage

MiCA simultaneously:

  • raises the barrier to entry for crypto businesses;
  • creates a predictable framework for those willing to invest in regulation and compliance.
For small and medium platforms this means the need for a deliberate choice:

  • either become a full‑scale CASP with a strong compliance unit;
  • or focus on niche solutions (for example, technology services without custody), where the licensing burden is lower.

Return on investment in compliance

The question “what is the ROI from implementing blockchain analytics and reporting automation” is logical.
From my experience:
  • costs for AML/KYC tools and reporting under DAC8/CARF are better viewed as investments in:
    • access to large clients (banks, funds, institutional investors that require strict compliance);
    • reduced likelihood of sanctions and inspections;
    • increased company valuation when raising capital or exiting the business.
  • One of COREDO’s clients managed to increase the company’s valuation in a funding round precisely because it already had a prepared MiCA‑ready compliance framework and a clear plan for CASP licensing. For the investor this meant a manageable regulatory risk.

Scaling the business in the EU and abroad

MiCA with CASP passporting makes the EU one of the most structured markets. For many Asian and Middle Eastern players that COREDO works with, the strategy looks like this:

  • create a regulated storefront in the EU under MiCA, DAC8, CARF;
  • use it as an “anchor of trust” for global clients;
  • build additional jurisdictions around it with a different focus (for example, experiments with DeFi, new tokenization models) in more flexible regimes, but relying on the European standard of compliance.

How COREDO helps develop crypto custody businesses

My personal interest in the crypto market has always been pragmatic: those who can operate under changing regulation survive in the long term. Over years of work with the EU, the United Kingdom, Cyprus, Estonia, Singapore and Dubai, the COREDO team has developed several strategies for supporting crypto projects:

From idea to CASP license

When a founder comes to us with an operating platform lacking a formalized status, we:

  • translate the business model into the regulator’s terminology;
  • identify areas that fall under MiCA;
  • build a roadmap: from choosing a jurisdiction to submitting the full package of documents and defending the model before the regulator.

Reengineering existing crypto custody for MiCA/DAC8

For existing platforms COREDO performs a comprehensive audit:

  • wallet architectures and transaction chains;
  • KYC/AML procedures;
  • readiness for automated reporting under CARF/DAC8;
  • risks of being placed on the “blacklist of crypto platforms” and potential sanctions for non-compliance with MiCA.

As a result, the client receives not a “list of problems”, but a change plan with prioritization and an assessment of the impact on the business model.

Comprehensive support after obtaining licenses
Registration and licensing are the start, not the finish. In practice COREDO remains by your side afterwards:

  • helps prepare for regulator inspections;
  • adapts processes to new recommendations from the EBA, the European Commission and national regulators;
  • participates in updating AML/KYC policies and procedures when launching new products and entering new markets.
For me as a founder, the most important thing is when a client continues to grow years later on the architecture we built together, rather than “patching holes” under the pressure of yet another regulatory reform. In crypto custody in the EU this is especially noticeable: those who, in time, see MiCA, DAC8 and CARF not as a problem but as a new market infrastructure become the reliable link for their clients and partners on which long-term financial relationships can be built.
If your business involves storing crypto assets, licensing crypto platforms, or you expect 2026 to be a point of regulatory review, it’s worth taking an early look at your model through the eyes of a European regulator. That’s exactly the perspective we at COREDO work from every day.
LEAVE AN APPLICATION AND GET
A CONSULTATION

    By contacting us you agree to your details being used for the purposes of processing your application in accordance with our Privacy policy.

    +420 228 886 867

    K Cervenemu dvoru 3269/25a, Prague, 130 00, Czech Republic

    Sitemap    © 2026 Copyright © RES JUDICATA s.r.o. All rights reserved | llms.txt