Investment company and crypto-assets: where in the EU is this permitted?

An investment company can indeed work with crypto-assets in the EU, but today this is no longer a ‘gray area’; it is a strictly regulated activity. MiCA, DORA, AML/CFT and DAC8 set clear yet fairly strict rules of the game for investment companies and crypto-asset service providers (CASPs).

Below: my practical view as the founder of COREDO on how an entrepreneur, CEO or CFO can build a sustainable, regulated model for working with crypto-assets in the EU: from company registration to licensing, AML/KYC, custody infrastructure and reporting.

Investment company strategy with crypto-assets in the EU

When clients come to me with the question: “Can we, as an investment company, work with crypto‑assets in the EU?”, I always start with three basic points:
  1. Type of activity
    You need to clearly answer what exactly you want to do:
    • manage clients’ investment portfolios of crypto‑assets;
    • act as a CASP (Crypto‑Asset Service Provider) – exchange, broker, custodian;
    • issue tokens or stablecoins;
    • launch funds, SPVs, tokenize assets;
    • integrate crypto‑payments into an existing business.
  2. Target jurisdiction in the EU
    Conditions and requirements vary significantly by country. In practice COREDO most often works with:
    • Estonia, Malta, Cyprus – as more “friendly” jurisdictions toward digital assets;
    • Germany (BaFin), sometimes France – as examples of stricter regulation and high capital and governance requirements.
  3. Regulatory perimeter: what will apply to you
    For most clients, the picture looks like this:
    • MiCA (Markets in Crypto‑Assets Regulation) – defines who a CASP is, how to obtain authorization, and how passporting works across the EU.
    • AML/CFT + KYC/EDD – anti-money laundering and counter-terrorist financing requirements, including the Travel Rule and on‑chain monitoring.
    • DORA (Digital Operational Resilience Act) – digital and operational resilience, IT and cyber security.
    • DAC8 – automatic exchange of crypto-asset data and expanded reporting on crypto transactions.
    • National laws on securities, taxation, and the financial services market.
My experience shows: companies that, at the start, honestly answer these three questions and build their model to fit regulatory frameworks enter the market faster, with lower costs and without costly “reworks” later.

Where in the EU is it easiest for an investment company to operate with crypto-assets?

I am often asked: “In which EU countries is it easier and faster to obtain a license to work with crypto-assets?”. There is no one-word answer, but you can build a practical checklist.

Comparison of popular jurisdictions

Jurisdiction | Regulatory approach to crypto-assets | Typical cases
Estonia | High AML requirements, transparent CASP authorization, strong focus on substance | Exchanges, wallet services, fintech platforms
Malta | One of the early crypto hubs, developed licensing practice, close cooperation with the regulator | Platforms with multiple services, tokenization
Cyprus | Combination of MiCA + investment and payment licenses, convenient for groups with SPV structures | Investment companies, forex brokers, payment solutions
Germany (BaFin) | The strictest regulation, high capital thresholds and tight supervision | Institutional crypto funds, regulated custody

A typical scenario in COREDO’s practice is:

  • An investment fund or company oriented to the EU: Cyprus, Malta and Estonia are considered. Criteria: CASP licensing speed, substance requirements, taxes, possible EU passporting.
  • An institutional player focused on “top-level” reliability: here Germany or Austria, and sometimes France, appear. Regulatory complexity and costs are higher, but for some investors a license from BaFin or AMF is a strong argument.
I always tell clients: don’t choose a country based on hearsay. At COREDO we perform a jurisdictional screening: taxes, capital requirements, CASP authorization timelines, DORA-related costs, local AML expectations, passporting possibilities.
After that it becomes clear where a jurisdiction supports your model and where it works against it.

Registration of a legal entity and corporate structure

Once you’ve decided on the jurisdiction and type of activity, the next step is the structure.

Typical options

  • An operating company (CASP) in one of the EU countries through which all crypto activity is conducted.
  • SPV for individual tokenization projects, issuance of stablecoins, pilot programs.
  • Fund structures (investment funds, sub‑funds, AIFs, etc.) – if the main focus is on managing a portfolio of crypto assets.
  • Subsidiary structures in the EU for a group based, for example, in Asia or the Middle East, using MiCA passporting to access the entire EU market.
When the COREDO team designs a structure, I always insist on three things:

  1. Risk segregation: custody of assets, trading, token issuance, IT development and IP — we separate them into different legal entities where possible.
  2. Transparent corporate governance: boards of directors, risk committees, internal control, an independent compliance officer. This is not ‘for show’; it’s the key for regulators and banks to trust your structure.
  3. Readiness for beneficiary and source-of-funds checks. In the EU, registers, UBO disclosure, KYC/EDD have long become the norm. Hidden structures simply don’t work.

Licensing CASP and MiCA: what it means in practice

MiCA formalised the concept of CASP (Crypto‑Asset Service Provider) and set unified rules for:

  • operators of trading platforms for crypto-assets;
  • brokers and dealers;
  • custodial services (custody solutions);
  • crypto-fiat and crypto-to-crypto exchange providers;
  • advisors and portfolio managers in relation to crypto-assets.

Key MiCA requirements for CASPs

From COREDO’s experience I would highlight:

  • Authorization and capital requirements. The regulator looks not only at the registered capital but also at financial resilience: provisioning, liquidity, stress testing. Issuers of stablecoins are separately subject to increased reserve requirements.
  • Governance and internal control. It is necessary to demonstrate a functioning system of internal controls: risk management, compliance, audit, procedures for conflicts of interest, client protection and protection of their assets.
  • AML/CFT policies and KYC/EDD. For the crypto industry, regulators expect an enhanced risk‑based approach, including KYC/EDD for high-risk and institutional clients, transaction monitoring, sanctions screening and the Travel Rule.
  • Reporting and disclosure. Regular and ad‑hoc reporting to the regulator, public disclosures for clients, including on tokens, stablecoins, risks and the models used.
In one of COREDO’s projects we helped a European investment company transform into a fully regulated CASP with passporting capability. At the start the client had a strong IT platform but lacked formalised risk management and AML processes. After we “completed” the governance, developed a MiCA‑compliant policy framework and implemented transaction monitoring, the company obtained authorization and today operates across the EU through the European passport mechanism.

DORA: resilience and cybersecurity

Many underestimate DORA. For crypto companies and investment firms working with digital assets, it is not just an “IT regulation” but a test of your entire infrastructure’s resilience.

Key areas we address for clients:

  • Assessment and management of ICT risks: from system architecture to dependencies on third‑party providers (including custodians and providers of blockchain infrastructure).
  • Incident response and business continuity: a clear action plan for hacks, key leaks, cloud provider outages, and hot‑wallet compromises.
  • Testing and security audit: regular pentests, code review, smart‑contract audit, assessment of HSM/MPC/cold‑storage architecture.
  • Provider management: if you use white‑label custody or third‑party SaaS for compliance/analytics, the regulator expects you to control the risks of those providers.
In my experience, preparing for DORA often becomes a driver of maturity: the company starts treating IT and cybersecurity as a key business risk, not as a technical detail.

DAC8: reporting on crypto-assets

DAC8 strengthens requirements for tax and regulatory reporting on crypto-assets in the EU and introduces automatic exchange of information between tax authorities.

What this means for investment firms and CASPs:

  • you must be prepared to collect and transmit an expanded set of data about clients and their transactions;
  • IT systems must support formats compatible with DAC8 reporting schemes;
  • you need to synchronize KYC, AML, tax data and GDPR requirements to avoid conflicts between mandatory reporting and personal data protection.
In one of COREDO’s projects for a crypto platform with clients in several EU countries, we designed a data architecture for DAC8: what data is collected at the KYC stage, how it is stored, how it is linked to transactions and how it is aggregated for automatic reporting. As a result, the client avoided duplication of processes and costs by combining AML, tax and regulatory reporting into a single coordinated model.

AML/KYC, on-chain compliance and Travel Rule

The AML/CFT issue for the crypto industry has long extended beyond basic KYC.

Key AML elements for a crypto investment company

  • Risk‑based approach under the FATF standards: risk assessment by client types, jurisdictions, types of crypto‑assets, sources of funds, use of anonymizers, etc.
  • KYC and EDD
    • Full KYC for individuals and legal entities.
    • EDD for high‑risk and institutional clients: an expanded document package, verification of source of wealth and origin of funds.
  • On‑chain analytics and blockchain forensics. Integration with chain analytics solutions (typical providers like Chainalysis, Elliptic and others) for:
    • risk scoring of addresses and transactions;
    • tracking links to the darknet, fraud, and sanctioned wallets;
    • incident investigation.
  • Travel Rule. Exchange of information between providers when transferring crypto‑assets: name, payer and payee identifiers, transaction details. In COREDO projects we integrate the Travel Rule via specialized gateways so that the client complies with requirements without manual work and the risk of data leakage.
  • Transaction monitoring and AML risk scoring. Systems that monitor and analyze client and transaction behavior in near real‑time: limits, patterns, anomalies, links to sanctions lists.
In one case COREDO assisted a CASP platform that already had a basic KYC procedure but lacked on‑chain monitoring. After implementing chain analytics, risk scoring and scenario‑based monitoring, we prepared the client for enhanced scrutiny by the regulator and partner banks, which unlocked correspondent relationships and new channels for fund inflows and outflows.

Custody infrastructure: HSM, MPC, cold storage

For an investment company working with crypto‑assets, one of the key questions is how to securely store clients’ assets and its own.

Main models

  • In‑house custody
    • HSM, MPC, cold and hot wallets;
    • an in‑house IT team responsible for architecture and security;
    • full control, but also full responsibility, including regulatory.
  • Third‑party custodian / white‑label solutions
    • a licensed custodian to whom custody and part of the operational risk are transferred;
    • important to check: licenses, asset segregation policy, availability of custody insurance, approach to proof‑of‑reserves.
  • Hybrid model
    • hot wallets – in‑house, long‑term storage with an external custodian;
    • segmentation by asset type, jurisdictions, or client segments.
When designing a custody model, at COREDO we always raise the following questions:

  • legal allocation of responsibility between the company and the custodian;
  • the existence of a contractual framework (including ISDA equivalents and custody agreements adapted for digital assets);
  • the asset segregation regime and prohibitions on rehypothecation, if this is important for clients;
  • compliance with DORA and requirements for operational resilience.

Tokenization and Stablecoins: Token Qualification

Many clients come with ideas for tokenizing assets or issuing stablecoins. It is important to resolve three questions from the very beginning:
  1. Token qualification
    • Utility token,
    • security token,
    • hybrid models.
    This determines whether you fall under MiCA, securities law, or both at once. At COREDO we create a token classification framework: analysis of token functionality, investor rights, the distribution mechanism and applicable law.
  2. Whitepaper and disclosure
    MiCA sets specific whitepaper disclosure requirements: risk factors, a description of the business model, token holders’ rights, and the mechanism of circulation and redemption. In one project COREDO revised a client’s whitepaper, turning a marketing document into a legally robust prospectus compatible with MiCA.
  3. Stablecoins and reserve requirements
    Issuers of stablecoins in the EU are subject to enhanced reserve requirements:

    • transparent reserve structure;
    • audit and regular reports;
    • a redemption mechanism and a legal regime for holders.
    It is critical here to properly design both the financial and the legal model: where the reserves are held, how holders’ rights are protected, and what the guarantee structure is.

Taxation and international structure

When working with crypto‑investments, the tax aspect must not be left ‘for later’.

Key elements we analyze with clients:

  • Capital gains tax on transactions with crypto‑assets: how profits from trading and investment operations are treated in a particular EU country.
  • Transfer pricing: especially where the structure includes multiple legal entities across different jurisdictions (SPV, funds, management company, etc.).
  • The impact of global initiatives such as Pillar Two on groups with an international presence.
  • Tax consequences for EU‑resident clients and their reporting obligations, taking DAC8 into account.
In one COREDO project for an international crypto fund we restructured the value creation chain so that investment profit was appropriately allocated between jurisdictions, and the transfer pricing documentation would withstand tax authority audits.

Directors’ liability in corporate governance

Working with crypto-assets increases legal and reputational risks for directors and senior management.

We always raise the following topics with clients:

  • personal liability of the director for compliance with licensing, AML/CFT, DORA, and tax requirements;
  • the role of the board of directors and risk committees;
  • the need to document key decisions (including token listings, launching new products, changes to the custody model);
  • risk coverage through D&O insurance and properly drafted restrictions in corporate documents.
Well-structured governance not only reduces risks but also increases the trust of regulators, banks, and institutional investors.

Technical and legal roadmap: steps

To provide a practical reference, I often distill everything into a roadmap that we use in COREDO projects.

Strategy and model selection

  • Determine the type of activity: investment firm, CASP, token/stablecoin issuer, tokenization platform, etc.
  • Choose the primary jurisdiction(s) in the EU taking into account MiCA, taxes, capital requirements and DORA.
  • Form the initial business case and ROI metrics: portfolio returns, service margin, cost of compliance and infrastructure.

Corporate structure and legal entity formation

  • Design the corporate structure: operating company, SPV, fund structures.
  • Register the legal entity in the chosen jurisdiction.
  • Establish corporate governance: articles of association, policies, committees, allocation of authorities.

Compliance foundation

  • Develop and implement a MiCA-compliance framework:
    • risk management policies, conflicts of interest, client protection;
    • preparation of the documentation package for CASP authorization (if applicable).
  • Build an AML/CFT system: KYC/EDD, Travel Rule, on-chain analytics, transaction monitoring, sanctions screening.
  • Set up processes and IT controls for DORA: risk management, incident response, disaster recovery, testing.
  • Develop a DAC8-compliant data and reporting model.

Infrastructure and operational processes

  • Choose and implement a custody solution: in-house (HSM, MPC, cold storage), third-party custodian, or hybrid.
  • Set up a secure IT infrastructure: key management, access controls, audit logging, cybersecurity.
  • Integrate reporting APIs for regulators and tax authorities.

Testing, stress tests and launch

  • Conduct stress testing of the crypto-asset portfolio: liquidity, volatility, “black swan” scenarios.
  • Validate AML models and transaction monitoring on real and simulated data.
  • Assess readiness for regulator inspection: internal “pre-audit” sessions.

Scaling and passporting

  • If necessary, use MiCA passporting to expand into other EU countries.
  • Add new products (tokenization, stablecoins, derivatives on crypto-assets) only after assessing regulatory and tax implications.
  • Continuously update policies to reflect changes in MiCA, DORA, AML/CFT, DAC8 and national laws.
My personal conclusion after many implemented projects: an investment company can not only “legally” operate with crypto-assets in the EU, but also build a sustainable, regulated and scalable business around them. But this requires a systematic approach: the right jurisdiction, a well-thought-out corporate structure, strict compliance and technical infrastructure that complies with MiCA, DORA, AML/CFT and DAC8.

It is at the intersection of these elements that the COREDO team brings the greatest value – from strategic design to practical implementation and support at all stages of growth.

Conclusion


In short, an investment company in the EU can work with crypto assets, but success here depends not on “boldness” but on the quality of the architecture: business model → jurisdiction → licensing → AML/KYC + on-chain → custody → DORA/DAC8 → tax and governance. Once you assemble this into a single system, crypto stops being “risk for the sake of risk” and becomes a normal regulated business line that banks, regulators and institutions are ready to understand and serve.

I would highlight three practical takeaways that most often save clients months of time and hundreds of thousands of euros on reworks:

  1. Don’t start with “where it’s cheaper” – start with “what exactly we do”.
    CASP, portfolio management, tokenization, custody, exchange, advisory – these are different risk regimes and different regulator expectations. A clear qualification of activities at the start automatically simplifies MiCA authorization, reduces the number of AML questions and makes bank onboarding realistic.
  2. Compliance is a product, not a folder of policies.
    MiCA/AML/DORA/DAC8 require not “texts” but working processes: who makes decisions, what control looks like, where logging is, how transaction monitoring is set up, how the source of funds is verified, how the Travel Rule is implemented, how resilience is tested. Where this is built as a system, onboarding with banks and infrastructure providers goes much more smoothly.
  3. Custody and data architecture are the market’s main “trust points”.
    Clients and partners evaluate you by how assets are protected and how data is managed: HSM/MPC/cold storage, segregation, access controls, audits, incident response, DORA compliance, readiness for DAC8 reporting. These are the blocks that most often distinguish a “project” from an “institutional player”.
If you are currently at the stage of deciding “do we enter the EU or not”, I recommend acting pragmatically: do a regulatory and jurisdictional screening tailored to your model, then create a roadmap across 3 horizons: (1) launch, (2) resilience, (3) scaling and passporting. This provides predictable timelines and budget, and reduces the risk that in 6–9 months a regulator or bank will force you to rebuild half the system.

The COREDO team in such projects typically helps cover the entire cycle: from choosing jurisdiction and structure to preparing for authorization, building AML/on-chain compliance, designing the custody model, DORA resilience and DAC8 data contours. If you want, you can send your target model (what exactly you do, client geography, custody approach, expected volumes/types of assets) – and we will create a short checklist of “what is mandatory / what is optional / where the most expensive risks are” tailored to your case.
