Menu
Mise en conformité DAC8 pour les PSCA : guide pratique
Back
Articles
22 March 2026

DAC8 Compliance for Crypto-Asset Service Providers (CASPs)

Alexandre Lourimi
Auteur
Alexandre Lourimi

In addition to marking the end of the grandfathering clause for obtaining a MiCA license, the year 2026 also represents the deadline for DAC8 compliance for Crypto-Asset Service Providers (CASPs).

Transposed into French law by the Finance Act for 2025 and Decree No. 2025-1276, the Directive imposes a new tax transparency framework for crypto-assets which will rely heavily on the compliance efforts of CASPs.

Elevated to the status of tax reporting agents [tiers de confiance fiscaux], CASPs falling within the scope of the regime (1) must implement sophisticated internal procedures (2) in order to accurately report, starting in 2027, their users’ transactions (3), subject to severe penalties (4).

Download our guide

Scope of Application: Is your entity required to prepare for DAC8 compliance?

DAC8 applies to providers offering a number of crypto-asset services (1.1). To determine the place of filing, CASPs must adjudicate between the jurisdictions in which they operate according to the criteria defined by the Directive (1.2).

Reportable Crypto-Asset Services

The reporting obligation applies to any provider offering crypto-asset services within the meaning of the MiCA Regulation, as well as several other services:

  • Regulated Services: Custody, exchange, operation of a trading platform, and portfolio management, etc.
  • Services not regulated as such: Often provided alongside regulated services (custody), the framework has taken care to also target products generating passive income in crypto-assets: (i) staking services; a provider organizing a staking solution without custody must ensure its DAC8 compliance; (ii) crypto-asset lending services.

Conversely, a number of services should remain outside the scope of the DAC8 framework, notably:

  • Provision of storage solutions: Self-hosted storage solutions (e.g., Ledger, Metamask) are technically excluded from automatic reporting;
  • Services provided in a decentralized manner should not fall within the scope of the regime either (due to the lack of a framework to identify a responsible party to date).

Crypto-asset services subjected to DAC8 reporting

The place of supply of crypto-asset services

Given the cross-border nature of the actors, and in order to ensure the effectiveness of reporting while preventing redundancy within the Union, precise rules are provided to determine the State with which the CASP must file its reports and ensure its DAC8 compliance.

Very broad criteria allow each State to claim jurisdiction to receive DAC8 reports. Thus, the CASP must, in principle, file its reports at the:

  • Place of supervision: In the State in which it obtained MiCA authorization or with which it filed its MiCA notification (for financial entities).
  • Place of operation: Failing being regulated in the State, the CASP must still file its DAC8 reports in the State where it is incorporated or effectively managed or operated;
  • Place of execution: Failing that, a report must still be filed in the State where the CASP has a branch executing transactions.

In order to prevent a provider from being forced to multiply the same reports within different Partner States, the provider is, however, exempt from reporting when it can demonstrate that it fulfills equivalent reporting obligations in a Partner State.

A Partner State or territory is an EU Member State or a State that has concluded an agreement requiring it to provide the French tax administration with the information referred to below. To date, in addition to the 27 EU Member States, 49 States have politically committed to participating in the framework and 28 other States have already signed such an agreement (South Africa, Bahamas, Barbados, Brazil, Canada, Chile, Colombia, South Korea, Costa Rica, United Arab Emirates, Gibraltar, Guernsey, Isle of Man, Cayman Islands, Faroe Islands, Indonesia, Iceland, Israel, Japan, Jersey, Liechtenstein, Mauritius, New Zealand, Norway, Panama, United Kingdom, San Marino, Singapore, Switzerland).

States participating to automatif exchange of information on crypto-assets

Procedures to be established to ensure DAC8 compliance

In order to ensure the quality of reports, the CASP must organize the reliable collection of tax data on its users (2.1) and implement appropriate due diligence and internal procedures to ensure its DAC8 compliance (2.2).

Collection and verification of self-certifications

CASPs must now collect a self-certification from their users. This self-certification must be collected:

  • For users onboarded after January 1, 2026, upon registration, and before any transactions are carried out;
  • For existing users as of December 31, 2025, before January 1, 2027.

To be valid, this self-certification must:

  • be dated and signed;
  • include, for natural persons, the surname, first name, address, date of birth, States of tax residence, and Tax Identification Numbers (TIN);
  • include, for legal entities, the corporate name, address, States of tax residence and associated TINs, as well as the self-certifications of its ultimate beneficial owners where applicable.

In addition to collecting the information, the CASP must verify the “reasonableness” of the self-certification by comparing it with other data in its possession (notably those collected as part of its AML-CFT procedures).

In case of doubt, it must require documentary evidence exhaustively listed by the texts (such as a valid official identity document, a certificate of tax residence, or official documents for entities).

If the user does not provide the required information, the CASP shall be obliged, after two reminders, to block or close their account.

Internal procedures and internal control to ensure DAC8 compliance

User Information. Simultaneously, the CASP will be required to individually inform each user that the data collected about them will be communicated to the tax administration. It must allow them, upon request, to exercise their GDPR rights (access, rectification, etc.).

Internal Procedures. The provider must maintain a register centralizing all due diligence carried out in the context of the implementation of its obligations.
To ensure their effectiveness, the CASP must implement internal control procedures allowing for the regular review and rectification of its procedures.
All or part of this due diligence may be outsourced, but the CASP shall remain liable.

The CASP must ensure the secure archiving of data and evidence for the duration of the data retention period, fixed at ten years in France.

The annual report to be communicated to ensure DAC8 compliance

Each year, before June 15, reporting entities must communicate a standardized file to the tax administration (3.2) including all transactions carried out by their users.

The content of the DAC8 report

Reporting entities must, by default, report the transactions of all their users:

  • whether they are natural persons or legal entities (companies, associations, etc.);
  • provided they are tax residents of a Partner State.

Thus, transactions carried out by users residing in non-partner States will not be included in the reports, nor will those carried out by a few specific types of entities (listed companies, public entities, international organizations, and central banks will not be concerned).

CASPs must transmit to the tax administration a file including a list, aggregated by type of transaction, of the operations carried out by their users. Transactions are divided into two main types:

  • Exchange transactions: This refers to purchase, sale, or exchange operations of crypto-assets, for which providers must report the total value of the year’s operations, the number of crypto-assets acquired, disposed of, or exchanged, as well as the number of transactions carried out;
  • Transfer transactions: This refers to deposits and withdrawals for which the provider must specify the number of operations, the number of crypto-assets, and their market value. It must subdivide them by type of transfer when it has knowledge of the reason for these movements (e.g., AML-CFT information). It must, for example, mention if the crypto-assets are received as part of an airdrop or staking operations. Finally, providers must report the value and number of crypto-assets transferred to an external wallet, unless that wallet is known to be associated with another CASP.

Transactions will however be aggregated (e.g., 10 BTC sold for cryptos in 5 transactions; 50 ETH transferred to the account in 10 transactions), as shown below.

DAC8 reporting example

Reporting format and deadlines to ensure DAC8 compliance

Reports must be sent each year to the tax administration before June 15.

Reporting entities must archive the exhaustive history of transactions (crypto-fiat exchanges, crypto-crypto, transfers, and payments). In France, the register of procedures and the underlying raw data must be kept for ten years. These registers will allow the administration to audit the accuracy of the aggregated flows transmitted.
The report will be transmitted in a standardized format (XML) via a centralized directory established and maintained by the European Commission.

Download our guide

Risks of sanctions in the absence of DAC8 compliance

The legislator has calibrated the penalties so that it is more costly to defraud than to comply.

  • Failure to report within the deadlines, omissions, or inaccuracies will be punished by a fine of €15 per transaction, inaccuracy, or omission, within the limit of €2,000,000 per service provider and per year (except for a first offense committed during the current calendar year and the three preceding years when the provider has spontaneously remedied its omission, or upon the first request of the administration before the end of the report transmission period).
  • Non-compliance with due diligence obligations for user identification will be punished by a tax fine not exceeding €50,000.
  • In the event of persistent failures, the MiCA license allowing the CASP to operate could be withdrawn.

This new regime thus represents a real challenge for CASPs already facing MiCA compliance. But these reporting obligations may only constitute the first step in the recognition of CASPs as tax reporting agents. This step could be followed by the obligation to issue a Single Tax Form [imprimé fiscal unique – IFU] to simplify taxpayers’ obligations, or even to operate withholding taxes to simplify the work of the tax administration.

ORWL Avocats is at your disposal to assist you in your DAC8 compliance (implementation of procedures, reporting format, etc.).

Download our white paper

Our latest posts
All posts
Automatic Exchange of Information on Crypto-Assets
Reports
22 March 2026
[White Paper] Automatic Exchange of Information on Crypto-Assets
L’ACPR précise les conditions de l’agrément allégé pour les PSCA offrant des services sur EMT
Articles
20 February 2026
ACPR clarifies conditions for simplified authorisation for CASPs offering services on EMTs
DAC 8 : la fin justifie-t-elle les moyens?
Articles
19 February 2026
DAC8: Does the end justify the means?