EU to regulate markets in crypto-assets

Author info

On 24 September 2020, the EU launched its digital finance package, including a number of strategies and legislative proposals. In this blogpost, we will focus particularly on two proposals regarding crypto-assets and distributed ledger technology.

Strategies and proposals

In terms of strategy, the Digital Finance Strategy outlines how the EU aims to support the digital transformation of finance. In short, the EU aims to tackle fragmentation in the finance Digital Single Market to further enable cross-border services. Digital innovation for consumers and market efficiency must be facilitated, particularly solutions using distributed ledger technologies (DLT) and artificial intelligence (AI). Data-driven innovation will be promoted as well. This will include strengthening the data sharing implemented through the Second Payment Services Directive (PSD2). Last, new challenges and risks relating to the digital transformation must be tackled. 

A second strategy focuses on retail payments. This strategy focuses on four pillars: increasingly digital and instant payment solutions with pan-European reach; innovative and competitive retail payments markets; efficient and interoperable retail payment systems and other support infrastructures; and efficient international payments, including remittances. The goal of this strategy is to facilitate and increase consumers’ trust in instant payments, to provide interoperable and accessible end-user solutions – which would including standardizing QR-codes and opening up NFC-chips on phones – and to provide European solutions in this market. PSD2 will be reviewed and strengthened, including stronger security requirements.

In terms of regulatory proposals, a first proposal is for a regulation on digital operational resilience in the financial sector. It aims to impose uniform requirements for the security of network and information systems of financial entities. In doing so, it should be considered as a sector-specific regulation in the sense of article 1(7) of the NIS Directive. Under this regulation, financial entities must have in place internal governance and control frameworks that ensure an effective and prudent management of all ICT risks. This includes adopting an ICT risk management framework to ensure their digital operational resilience. It includes steps for the prevention of incidents, detection, as well as for response and recovery. As under the NIS Directive, major incidents must be reported. Testing of digital resilience is key under this framework, which includes processes for threat led penetration testing. As many financial entities rely on the services of third parties, third-party ICT risk management is also one of the key aspects of this proposed regulation. Specific contractual provisions are needed to manage those risks, with regulatory oversight on critical third-party ICT service providers. 

Regulation on markets in crypto-assets

The proposed regulation on markets in crypto-assets aims to provide legal certainty, support innovation, provide adequate consumer and investor protection, and ensure financial stability. In doing so, it aims to address the current situation where crypto-assets used as means of payment – such as bitcoin, but also the more recent stablecoins – are not regulated under the EU’s legal frameworks of e-money or payment services, but where some crypto-assets used as means of investment – such as DAO tokens or tokens issued through an initial coin offering – could already fall under the EU’s MiFID framework. In its preparatory analysis, the European Commission did consider putting stablecoins under the legal framework of e-money, but it decided against this as this legislation was not deemed fit for purpose. Nevertheless, it is acknowledged that some stablecoins could indeed have several features in common with e-money. Because of this, the Commission decided to follow an approach that fully harmonizes the regulation of crypto-assets across the EU. 

Scope and definitions

According to article 2, the regulation would apply to “persons that are engaged in the issuance of crypto-assets or provide services related to crypto-assets in the Union”. However, if such crypto-assets can be considered as financial instruments, e-money, deposits, structured deposits or securitisation, they are regulated under the appropriate frameworks for those instruments, and under not this regulation. The regulation would not apply to the European Central Bank, other central banks, insurance undertakings, liquidators or administrators in an insolvency procedure, the European investment bank, the European Financial Stability Facility and Mechanism, public international organisations, and “persons who provide crypto-asset services exclusively for their parent companies, for their subsidiaries or for other subsidiaries of their parent companies”. Authorised credit institutions and investment firms are exempt from some aspects of this framework when issuing asset-referenced tokens or when providing crypto-asset services in the framework of their normal operations. 

Crypto-assets are defined as “digital representations of value or rights which may be transferred and stored electronically, using distributed ledger technology or similar technology”. Asset-referenced tokens are “a type of crypto-asset that purports to maintain a stable value by referring to the value of several fiat currencies that are legal tender, one or several commodities or one or several crypto-assets, or a combination of such assets”. A e-money token is a special kind of crypto-asset “the main purpose of which is to be used as a means of exchange and that purports to maintain a stable value by referring to the value of a fiat currency that is legal tender”. 

The issuer of such tokens is the one who offers it to the public, meaning “an offer to third parties to acquire a crypto-asset in exchange for fiat currency or other crypto-assets”. The regulation also provides a list of possible crypto-asset services, including the custody and administration thereof on behalf of third parties, the operation of a trading platform for crypto-assets, the exchange of crypto-assets for fiat currency that is legal tender, the exchange of crypto-assets for other crypto-assets, the execution of orders for crypto-assets on behalf of third parties, placing of crypto-assets, the reception and transmission of orders for crypto-assets on behalf of third parties, and providing advice on crypto-assets. 


Crypto-assets may only be offered to the public by legal entities and after having published a white paper describing the project, the offer, and the associated risks. The white paper must be notified to the supervisory authority and must comply with the provisions of article 5 of the proposed regulation. A standard form or template may be provided by the ESMA. Any significant changes to the project require the publication of a modified white paper. Some derogations to the white paper duty apply, such as when the crypto-assets are offered for free, when they are offered to less than 150 people, or when the consideration is less than EUR 1 million over a period of 12 months. Important to note is that when personal data are provided as consideration in exchange for the assets, they are not considered to be offered for free. Consumers have a 14-calendar day right to withdrawal from their purchase. The issuer is liable for any damages caused by his unfair, unclear or incomplete communication. Civil liability cannot be excluded.

Asset-referenced tokens

Asset-referenced tokens may only be issued by entities authorized to do so and after publishing a white paper. For the white paper, article 17 lists a number of requirements in addition to those mentioned before. Derogations apply for credit institutions, when the average outstanding amount over the last 12 months does not exceed EUR 5 million, or when the offer is addressed solely to qualified investors – though in such cases a white paper is still required. The issuer must apply for an authorisation in its home Member State. As usual under EU financial laws, this leads to a license and passporting possibilities across the EU. The licensing requirements are fairly similar to what is already present under, for instance, the payment services and e-money frameworks. Important is that the entities must also provide “a legal opinion that the asset-referenced tokens do not qualify as financial instruments, electronic money, deposits or structured deposits”. Also here, the issuer is liable for any damages caused by his unfair, unclear or incomplete communication and civil liability cannot be excluded. 

Apart from the white paper and authorisation duty, issuers of asset-referenced tokens must comply with a number of operational requirements, not unlike those for existing financial entities. This means that they must prevent, identify, manage and disclose conflicts of interest. They are subject to clear governance requirements, for instance by having a clear organisational structure staffed with managers of good repute and competence. This essentially means that members of the management must undergo a so-called fit & proper test. The organisation must conduct a risk management exercise and ensure business continuity. Entities must maintain a reserve for each category of asset-referenced tokens that they offer. These reserve assets must be held in custody by a credit institution or crypto-asset service provider – depending on the type of asset – and be segregated from the entity’s own assets. A part of reserve assets may be invested, but only in highly liquid financial instruments with minimal market and credit risk. They must maintain own funds of EUR 350.000 or 2% of the average amount of the reserve assets. A policy must be in place to detail the stability mechanism of such tokens. When the holders of asset-referenced tokens hold a right on the issuer – such as redemption rights – a policy must be in place to safeguard that right. When no such rights are granted, the liquidity of the token must be ensured. The acquisition of issuers of asset-referenced tokens must be notified to and assessed by competent authorities. 

Apart from regular asset-referenced tokens, the EBA may classify an asset as being a significant asset-referenced token. These are tokens where at least three of the following criteria are met: the size of the customer base of the token, the value or market capitalisation, the number and value of transactions, the size of reserve assets, the significance of cross-border activities, and the interconnectedness with the financial system. The specific thresholds for these criteria will be elaborated by the Commission through a delegated act. Regulatory oversight on significant asset-referenced tokens will be conducted by the EBA itself, and thus not by national authorities. Issuers of significant asset-referenced tokens are subject to more stringent operational requirements. For instance, custody should be spread over different service providers. They are also required to hold a higher percentage of reserve assets. 

E-money tokens

E-money tokens may only be issued by e-money institutions – as regulated under the E-money Directive – and after publishing a white paper. E-money tokens are for these purposes considered as e-money, meaning that they must confer a right on the issuer and be issued at par value and upon receipt of funds. Also here a derogation applies when the tokens are only offered to qualified investors or when the average outstanding amount does not exceed EUR 5 million. As for the other types of tokens, the white paper for e-money tokens is subject to specific requirements. Also the same liability provisions apply. Similar to significant asset-referenced tokens, the EBA may classify some e-money tokens as being significant and place them under its own supervision. 

Crypto-asset service providers

Those providing crypto-asset services are also subject to authorisation in their home Member State. Such authorisation will allow these service providers to provide their services in other Member States as well, through the right of establishment, branches, or the freedom of services. Cross-border service providers are not required to have a physical presence on the territory of the host Member State. The authorisation procedure is again similar to what it currently required for obtaining a license as payment service provider, with some particular requirements depending on the type of crypto-asset service that are provided. 

Crypto-asset service providers are subject to similar operational and organisational requirements as issuers of asset-referenced tokens. They must ensure to communicate with fair, clear, and non-misleading information. They are subject to minimum capital requirements, including own funds requirements. A specific insurance policy is required. Clients’ crypto-assets must be segregated and safeguarded. The acquisition of crypto-asset service providers must be notified to and assessed by the competent authorities. 

Specific requirements may apply depending on the type of services provided. Custody services providers must have a clear agreement with their clients and keep a register of their clients’ positions. They are liable for the loss of their clients’ crypto-assets as a result from a malfunction or hacks up to the market value of the crypto-assets lost. Operators of trading platforms are subject to additional operational requirements, including due diligence on the assets allowed for trading. Exchanges must have a non-discriminatory commercial policy. Those executing orders for their clients must take steps to provide the best possible result to their clients. Effective execution arrangements are needed for this. Those placing crypto-assets are subject to specific information duties. The receipt and transmission of orders requires prompt and proper transmission. Last, advice on crypto-assets must be tailored to the clients’ needs. This implies a certain know-your-customer obligation. 

Prevention of market abuse

All of the aforementioned entities are subject to rules preventing market abuse. This includes disclosing inside information as soon as possible, though unlawful disclosure is prohibited. Disclosure can only be delayed in specific circumstances. Insider dealing is prohibited. Market manipulation – for instance by publishing misleading information or entering into transactions with the aim of affecting the price of crypto-assets – is prohibited as well. 

Competent authorities

Member States must designate the competent authorities at their national level. At the level of the EU, the EBA and ESMA are the competent authorities. The national authorities are responsible for the authorisation procedures, as mentioned before, and for conducting oversight on the market for crypto-assets. They are granted specific regulatory and investigatory powers for this. Also the EBA and ESMA receive additional powers for their supervision. Cooperation between national and EU authorities is arranged for as well. Infringements to this legal framework are subject to administrative fines and measures. Fines can generally go up to EUR 700.000 for natural persons, and up to EUR 5 million or 3% of the annual turnover for legal persons. For some infringements, fines up to EUR 15 million or 15% of the annual turnover are possible. 

Pilot for DLT market infrastructures

Another proposed regulation provides for a pilot regime for market infrastructures based on distributed ledger technology (DLT, also referred to as blockchain). The main reason for this proposed framework is that the European Commission found that the uptake of this technology on the European market could be hindered, and that therefore a more specific regime would be needed to facilitate this technology. 

The proposed regulation specifically targets multilateral trading facilities (MTF) and securities settlement system using DLT. Together, these two are addressed as DLT market infrastructures. A DLT multilateral trading facility is a multilateral trading facility, operated by an investment firm or a market operator, that only trades DLT transferable securities and which may be allowed to ensure the initial recording of DLT transferable securities, to settle transactions in DLT transferable securities against payment, and to provide safekeeping services in relation to DLT transferable securities or to related payments and collateral. A DLT securities settlement system is a securities settlement system, operated by a central securities depository, that settles transactions in DLT transferable securities against payment. 

DLT transferable securities must either be shares from an issuer with a market capitalisation of less than EUR 200 million, or bonds of an issuance size of less than EUR 500 million. Sovereign bonds may not be admitted to trading under the proposed regulation. The total market value of securities recorded in a DLT infrastructure may not exceed EUR 2,5 billion. 

A DLT MTF is, in principle held to the general requirements for MTF’s under the MiFID regime. When an exemption is asked, other guarantees will need to be provided, for instance with regard to safekeeping and information provided to customers. Similarly, a central securities deposit (CSD) operating a DLT securities settlement system must comply with the requirements for CSD’s. Also here certain exemptions may be granted, subject to strict conditions and requirements. 

Apart from general conditions, DLT market infrastructures are also subject to additional requirements. These relate, for instance, to their business plan, (cyber)risk management, information duties, safekeeping and transition strategy. The operation of DLT market infrastructures is subject to home Member State licensing. Cooperation duties are foreseen between operators of DLT market infrastructures, competent authorities and the ESMA.


The digital finance package, and particularly its proposed regulations on crypto-assets and DLT market infrastructures, is an important step in recognising and regulating crypto-assets in the EU. This step has been in the making for a few years now, as it was clear for some time already that the EU would have to take some initiative in this field, but it remained unclear what direction the European legislator would take. With extremes of shoehorning crypto-assets in existing legislation and of adopting an entirely new framework, the European Commission has taken more of a middle ground in saying that some existing legislation can apply but that also some new rules are needed for these particular assets. 

Interesting is that the proposed regulation assumes that some crypto-assets could be considered as e-money and should therefore be regulated under that framework. This is a clear step away from an earlier communication that considered virtual currencies – including what is now defined as crypto-assets – to not be regulated at the European level. While we have argued before that it is certainly theoretically possible for a crypto-asset to fulfil the requirements of the e-money definition under EU law, we do not have immediate knowledge of such an asset where that would be the case today. Moreover, the legislator introduces a strange duality in the sense that e-money tokens are regular e-money in the sense of the E-money Directive, but that they are at the same time also a particular kind of e-money subject to additional requirements. It remains to be seen how this notion will evolve during the legislative procedure and how it would eventually be operationalised. 

Of course, all of this is only a first draft. During the legislative procedure, we will undoubtedly still see a number of aspects change significantly once other actors start weighing in on this debate. At Timelex, we will be closely following this evolution for our clients. 

If you have questions in the meantime on how this would affect your business, please contact Timelex.