
Absence of a CASP authorisation is enough: strict liability for the unauthorised provision of crypto‑asset services
On 26 June 2025, the Grenoble Court of Appeal ordered a crypto‑asset platform to reimburse in full a user who had been hacked, on the basis of strict liability for the unauthorised provision of a regulated service, independently of any failure in vigilance or security measures.
Handed down in the absence of any representative of the platform at the hearing, the judgment sheds light on the civil liability of providers of services on crypto‑assets. It also raises strategic issues for all crypto‑asset service providers (CASPs), whether already registered, in the process of achieving MiCA compliance, or active within decentralised finance.
Timeline
- 2017: the customer opens an account on the platform.
- 21 January 2021: a suspicious login from Luxembourg and a misappropriation of €28,000 in ETH. The platform alerts the user but allows withdrawals to continue.
- 4 March 2024: the Grenoble Judicial Court dismisses the victim, who appeals.
- 26 June 2025: the Court of Appeal overturns the first‑instance decision and orders full reimbursement on the basis of strict liability for the unauthorised provision of a crypto‑asset service.
Regulatory status at the time of the hack
The platform only obtained its PSAN (DASP) registration in February 2023. At the date of the hack—two years earlier—it was therefore not authorised to provide its services to the French market.
What does the judgment tell us?
Subject to caution in its interpretation (see below on the scope of “unlawful exercise”), the Grenoble Court of Appeal recognises strict liability for the unauthorised provision of a regulated service, distinct from the traditional grounds of liability for lack of vigilance or inadequate security. This distinction increases providers’ liability exposure with respect to the regulatory compliance of their services.
Strict liability for the unauthorised provision of a regulated service
The Court recalls that the provision of services on crypto‑assets was (until 2024) subject to prior DASP authorisation and, since 2025, to MiCA authorisation. It finds that “the platform therefore unlawfully carried on this activity” and holds that this irregularity alone suffices to establish civil liability, without the need to evidence any specific technical or legal breach. The fault is thus both automatic (the absence of registration or authorisation suffices, without examining concrete obligations) and comprehensive (the provider is fully liable).
To delineate this scope, the Court considers that:
- the DASP framework prohibited the provider from accepting this client (a debatable point: see Scope of the unlawful exercise below);
- the regulatory breach made the damage possible in its entirety;
- consequently, this unlawful‑exercise fault allows the platform to be held liable for the full amount of the loss.
Cumulative liability where vigilance duties are breached
The judgment confirms that failures to comply with vigilance obligations (e.g., strong customer authentication under DORA, preventive freezing, withdrawal controls) may be invoked in addition, with the judges then conducting a concrete assessment based on the evidence produced. In this case, the Court found that the platform had reacted diligently enough, excluding any fault on that ground. Absent the unlawful‑exercise fault, the provider would likely have escaped liability.
Scope of the “unlawful exercise”
Targeting of the European or French market
The Court notes that the platform “offers in France, to French users, custody and exchange services”. This finding is, in our view, debatable. In a fully adversarial procedure, the provider could have challenged that characterisation by demonstrating the absence of any active solicitation in France, using the AMF General Regulation criteria (website language, distribution network, marketing communications, etc.). A cassation appeal could argue that a Luxembourg provider operating exclusively under reverse solicitation (i.e., without targeting the French market) should not see its liability engaged for the unauthorised provision of services.
Unauthorised provision of a regulated service—beyond crypto
The notion of unlawful exercise is not limited to crypto‑asset services: it may also apply to any investment service subject to authorisation, such as portfolio management, collective management, derivatives dealing or order reception‑transmission. For example, a DeFi protocol offering an activity akin to collective portfolio management without authorisation, or a CASP offering such services to its clients, could fall within this strict‑liability head, with the same consequence: full reimbursement of the client in the event of loss.
Practical consequences for CASPs
For authorised CASPs
For providers authorised to offer crypto‑asset services in Europe, the risk of falling within this strict‑liability head is limited to:
- the provision of crypto services before obtaining authorisation;
- the provision of other regulated services (e.g., investment services on security tokens or collective investment products) outside the scope of their licence.
For unauthorised providers
For these actors, the judgment is a reminder that the real risk does not only come from the regulator, but also from civil actions brought by their users. They must refrain from providing services to an EU client unless the initiative comes exclusively from the client (reverse solicitation).
The ESMA Guidelines of 26 February 2025 set out six cumulative criteria to avoid falling within the scope of the EU framework:
- no communication in EU languages;
- no active marketing campaign towards the EU (advertising, influencers, SEO);
- geo‑blocking of EU IPs;
- systematic refusal of IBAN/SEPA;
- clear ineligibility disclaimers;
- retention of a log of inbound requests.
Combining an active offer (FR website, local app store, EUR support) with no authorisation exposes a provider to:
- automatic civil liability towards French clients;
- inclusion on the AMF blacklist, with financial penalties of up to 12.5% of turnover or €5,000,000 (MiCA, art. 111);
- blocking of its domain name in Europe and of payment flows by payment service providers.
For a CASP, controlling its communications is therefore essential.
For non‑CASP actors (e.g., DeFi)
“Decentralised” does not mean immune, and regulators and courts are likely to assess decentralisation strictly. MiCA makes clear that its exclusion only covers services provided “in a fully decentralised manner without any intermediary”.
For centralised—or even partially centralised—projects, injured users will have the strict‑liability ground available to obtain compensation without proving negligence.
To defend themselves, those responsible for exposed front‑ends, oracles or multisigs will need to document the absence of centralised control.
How should a CASP manage this risk?
Defence strategies will primarily rely on demonstrating:
- absence of targeting (for non‑EU actors): in practice, via a body of evidence excluding targeting—geo‑blocking, audience statistics, configuration of communication and distribution channels, communication policy, languages, etc.;
- full decentralisation (for DeFi): evidence that the operator has no control (immutable smart contract, burned key) and that the user acts in full knowledge of the facts;
- compliance with vigilance duties: 2FA logging, multiple alerts, manual freeze options, logs, user notifications, etc. Meeting this obligation requires regular audits of procedures and Terms & Conditions in light of this financial‑activities‑specific liability regime.
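The vigilance controls listed above (login alerts, preventive freezing, withdrawal controls, step‑up authentication, manual freeze, user notification and logging) are the kind of evidence a court examines concretely. The following is an added illustration, not code from the article or from any platform it discusses: a minimal withdrawal‑control engine that, unlike the platform in the timeline, freezes withdrawals when it alerts the user about an unusual login, and writes every decision to an audit log. The class and event names, the 24‑hour cooldown and the replayed timeline (an account used from France, a login from Luxembourg, a €28,000 withdrawal attempt) are assumptions constructed for the example.

```python
"""Added example (not from the page or any real platform): a minimal
withdrawal-control engine with an audit trail.

It models the vigilance controls the page lists: login alerts, preventive
freezing, withdrawal controls, step-up (2FA) re-verification, manual freeze,
user notification and logging. Names, thresholds and the sample timeline are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    account_id: str
    known_countries: Set[str]                # countries seen on verified logins
    balance_eur: float = 0.0
    frozen_until: Optional[datetime] = None  # preventive freeze, if any
    pending_step_up: bool = False            # re-verification still required


@dataclass
class WithdrawalGuard:
    cooldown: timedelta = timedelta(hours=24)  # assumed freeze window
    audit_log: List[Dict] = field(default_factory=list)

    def _log(self, when: datetime, acct: Account, event: str, **detail) -> None:
        # Every decision is recorded so the platform can later evidence diligence.
        self.audit_log.append({"ts": when.isoformat(), "account": acct.account_id,
                               "event": event, **detail})

    def on_login(self, acct: Account, when: datetime, country: str, ip: str) -> str:
        if country in acct.known_countries:
            self._log(when, acct, "login_ok", country=country, ip=ip)
            return "ok"
        # Unusual geography: alert the user AND freeze withdrawals, instead of
        # alerting alone while leaving withdrawals open.
        acct.frozen_until = when + self.cooldown
        acct.pending_step_up = True
        self._log(when, acct, "login_suspicious", country=country, ip=ip)
        self._log(when, acct, "user_notified", channel="email")
        self._log(when, acct, "withdrawals_frozen", until=acct.frozen_until.isoformat())
        return "frozen"

    def on_step_up(self, acct: Account, when: datetime, country: str, code_valid: bool) -> str:
        # A valid step-up (2FA) code from the new location releases the freeze and
        # whitelists the country; a failed attempt is logged and keeps the freeze.
        if not code_valid:
            self._log(when, acct, "step_up_failed", country=country)
            return "still_frozen"
        acct.pending_step_up = False
        acct.frozen_until = None
        acct.known_countries.add(country)
        self._log(when, acct, "step_up_ok", country=country)
        return "released"

    def manual_freeze(self, acct: Account, when: datetime, operator: str, reason: str) -> None:
        # Manual freeze option for the compliance or support team.
        acct.pending_step_up = True
        self._log(when, acct, "manual_freeze", operator=operator, reason=reason)

    def request_withdrawal(self, acct: Account, when: datetime, amount_eur: float) -> bool:
        frozen = ((acct.frozen_until is not None and when < acct.frozen_until)
                  or acct.pending_step_up)
        if frozen:
            self._log(when, acct, "withdrawal_blocked", amount_eur=amount_eur)
            return False
        if amount_eur > acct.balance_eur:
            self._log(when, acct, "withdrawal_rejected", reason="insufficient_funds")
            return False
        acct.balance_eur -= amount_eur
        self._log(when, acct, "withdrawal_executed", amount_eur=amount_eur)
        return True


def scenario(step_up_valid: Optional[bool] = None):
    """Constructed replay of the page's timeline: a habitual login from FR, then a
    login from LU followed by a withdrawal attempt. If step_up_valid is given,
    a step-up attempt with that outcome happens before the withdrawal."""
    acct = Account("user-42", known_countries={"FR"}, balance_eur=30_000.0)
    guard = WithdrawalGuard()
    t0 = datetime(2021, 1, 21, 9, 0, tzinfo=timezone.utc)
    guard.on_login(acct, t0, "FR", "203.0.113.10")                       # normal
    guard.on_login(acct, t0 + timedelta(hours=1), "LU", "198.51.100.7")  # suspicious
    if step_up_valid is not None:
        guard.on_step_up(acct, t0 + timedelta(hours=1, minutes=2), "LU", step_up_valid)
    ok = guard.request_withdrawal(acct, t0 + timedelta(hours=1, minutes=5), 28_000.0)
    return guard, acct, ok


if __name__ == "__main__":
    guard, acct, ok = scenario()
    for entry in guard.audit_log:
        print(entry)
    print("withdrawal executed:", ok, "balance:", acct.balance_eur)
```

Run as a script, the replay shows the withdrawal attempt being blocked while the account is frozen and the sequence of logged events (suspicious login, notification, freeze, blocked withdrawal) that a provider could produce as evidence of diligence. The design choice to tie the freeze to step‑up re‑verification rather than to a timer alone means the legitimate user can release it quickly, while an attacker holding only the session cannot.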