One of the more persistent misconceptions doing the rounds in crypto compliance circles is the idea that MiCAR doesn’t really bite until July 2026. It’s half true. Article 143 of MiCAR allows crypto-asset service providers who are already authorised under national regimes to continue operating until that date, provided they submit their MiCAR application by the end of December 2024. The key word here is “provided”. The transitional period exists, but it is not a holiday from compliance. Nor does it shield you from everything that comes next.
On the first of January 2026, DAC8 however becomes enforceable across the European Union and irrespective of any transitory regime being availed of. DAC8 is not MiCAR’s junior cousin. It is an entirely separate regulatory instrument with its own reach, its own logic, and its own obligations. It will apply whether you are MiCAR authorised or not. It will apply whether you are based in the EU or not. It will apply if your platform, your wallet, your bridge, your front-end or your token interface enables EU users to access crypto-assets in any meaningful way.
At that point, you are not merely building or facilitating. You are reporting. To the tax authorities. With real data. Personal information, wallet addresses, transaction volumes, gains, transfers, identifiers, cross-border flows, residency checks. And all of that information will move between EU tax administrations by default. This is the trap that many operators will fall into.
The transitional period under MiCAR does not protect you from DAC8. MiCAR governs who can offer crypto services in the EU and how they must be supervised. DAC8 is not about authorisation. It is about exposure. It creates a net that starts with the user and works backwards. It cares very little for legal form or institutional status. It focuses instead on whether you played a role in facilitating access to crypto-assets for EU taxpayers. And if you did, it does not care whether you consider yourself decentralised, unauthorised, or exempt.
There is a particular quiet ruthlessness in the way DAC8 is structured. MiCAR goes out of its way to avoid sweeping decentralised systems into its scope. It draws the line around identifiable entities offering structured services. DAC8 has no such hesitation.
If a natural or legal person hosts or operates a tool that helps an EU resident access, exchange, or store crypto-assets, then that person may be considered a reporting service provider. That includes decentralised finance interfaces, token bridges, smart contract dashboards, yield routers, and yes, even DAOs with a recognisable front-end. The test is not central control, its facilitation.
The United Kingdom is not bound by DAC8, but British platforms with any presence or user base within the EU will not be immune. If your infrastructure services EU clients, DAC8 applies. The penalties for non-compliance will not be theoretical. Tax authorities are not known for their flexibility, nor for their tolerance of regulatory ignorance.
This means that by the time you are preparing to meet the July MiCAR deadline, you are already six months late on DAC8. You will have missed the actual moment when reporting obligations crystallise. And you may already be subject to enforcement by a tax authority you never previously dealt with.
Unlike MiCAR, DAC8 has no licence. There is no portal to apply through, no register to appear on, no phased transition. You are either compliant or in breach. Thus, it is critical, to understand the full shape of the regulatory perimeter forming around crypto in the EU. MiCAR will decide who is authorised. DAC8 will reveal who is active. One governs the institutional layer. The other maps the individual. Together, they form a comprehensive framework that is no longer hypothetical and no longer future tense. The time for reading the recitals is over. The implementation is already in play.
CASPS/VASPS, providers need to start preparing and make their services and systems compliant as the clock is ticking. As I intimated above, those who assume that decentralisation offers insulation will be among the first to be surprised. DAC8 was designed precisely to prevent that assumption from holding true. It does not need to capture the protocol. It only needs to capture the access point. And those access points, in most cases, are human.
Article by Dr Ian Gauci