[White Paper] Automatic Exchange of Information on Crypto-Assets

Since January 1, 2026, the entry into force of DAC8 and CARF—organizing the automatic exchange of information for crypto-assets—marks a decisive milestone for the industry.

While this transparency could foster better integration of crypto-assets into the global financial system and simplify tax obligations for taxpayers, this shift toward industrial reporting also imposes new due diligence and reporting requirements on service providers, backed by significant sanctions. For users, this massive pool of tax data creates unprecedented risks, both in terms of tax audits and data protection and security.

This white paper analyzes these challenges to help every stakeholder navigate this new regulatory framework:

Reporting Entities: Who is required to report? Who must report in France?
Reporting Scope: Which information is transmitted (crypto-to-fiat, crypto-to-crypto, transfers, payments) and in what format?
Procedures and Sanctions: Mandatory self-certification mechanisms and financial risks (fines of up to €2,000,000).
Fundamental Rights: The impact of this mass surveillance on privacy and data security (the “honey pot” risk).

Excerpts

Automatic Exchange of Information on Crypto-Assets

Download our White Paper

Our services in tax audits and crypto-assets

Since 2018, ORWL has been the French leader in supporting Web3 and crypto projects.

The firm stands out for its recognized experience, in-depth understanding of the sector’s challenges, and multidisciplinary approach.

The complementary nature of its teams enables the firm to advise companies and individuals on securing their Web3 projects and optimizing their tax situation with a global vision. The firm is also able to represent them in any disputes that may arise from their activities.

With our extensive experience, we regularly assist investors and projects in:

Compliance for their activities: regarding the automatic exchange of crypto-information, we conduct activity audits, implement the necessary documentation and procedures, and prepare the data to be monitored and reported annually.
Regularization of past tax filings.
Defense of their interests before the tax authorities and the courts.

FAQ about tax audits and crypto assets

What is the automatic exchange of information regarding crypto-assets?

It is a new standard for tax transparency where Crypto-Asset Service Providers (CASPs) are required to collect and massively transmit their users’ transaction data to tax authorities. This system is based on the EU Directive DAC8 and the OECD’s CARF (Crypto-Asset Reporting Framework), both of which entered into force on January 1, 2026.

Which entities are required to report crypto transactions?

The framework applies to entities providing crypto-asset services as defined by the MiCA regulation (exchange, broker, custodians), but also includes staking and lending services. Decentralized Finance (DeFi) services may also be subject to these rules under certain conditions.

What types of operations are reported to tax authorities?

The reporting is near-exhaustive and includes:

Crypto-to-fiat and crypto-to-crypto exchanges.
Inbound transfers (staking, mining, airdrops, loans) and outbound transfers.
Payments for goods and services made in crypto, notably via platform-issued debit cards.

What personal information is collected by platforms?

Under the mandatory self-certification process, providers must collect name, address, Member States of tax residence, Tax Identification Number (TIN), and date of birth. This data is then cross-referenced with KYC/AML documents to verify its plausibility.

What happens if user refuses to provide my tax information?

The regulation is strict: if a user fails to respond to information requests after two reminders, the provider is obligated to block the account within 60 days.

What are the penalties for non-compliant providers (CASPs)?

The financial stakes are high to ensure cooperation:

Up to €50,000 in fines for failures in due diligence procedures.
Up to €2,000,000 per year for any omissions or inaccuracies in the annual report.
A risk of deregistration and a ban on operating within the EU in case of persistent non-compliance.

How will tax administrations use this data?

The massive pool of data received will allow for automated cross-referencing with your income tax returns to detect inconsistencies via algorithmic targeting. Eventually, this could lead to the pre-filling of capital gains tax returns by the providers themselves.

Are there risks to the security of my financial data?

Yes, the centralization of this information creates a “honey pot.” The circulation of this data between reporting entities, central registries, and residence States increases the risk of data leaks, which could lead to targeted criminal threats (extortion, physical theft) against holders.