‘We Are DeFi, so MiCA Does Not Apply to Us.’ Sorry, but EBA and ESMA Have a Different Point of View

MiCA Decoded is simply a 12-article play bid for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies connected MiCA licensing, CASP and VASP applications, and regulatory structuring crossed Europe and beyond.

This week’s introduction has been written by Eira Järvi, Senior Lawyer astatine LegalBison, starring planetary regulatory probe and the implementation of CASP licensing and different analyzable licenses. Eira actively implements planetary probe into progressive client-facing products.

DeFi connected the Rise

Decentralized finance has been connected the emergence successful caller years. The crypto manufacture has been witnessing the emergence of caller DeFi projects astir connected a regular basis. New blockchain networks, protocols, and decentralized applications ( dApps) signifier a digest for discussions of DeFi enthusiasts and newsletters. They revolve astir the subjects of efficiency, transparency, composability, privacy, and accessibility of DeFi. With MiCAR (Markets successful Crypto-Assets Regulation) coming into effect, galore DeFi improvement teams are present contemplating expanding their projects into the EU markets.

However, wrong this context, 1 taxable remains much pivotal than each others. How does the squad guarantee that the task they are gathering is legally compliant?

For astir DeFi startups, the reply whitethorn look simple: MiCAR contains an exemption for “fully decentralized” projects that galore startups confidently trust connected erstwhile justifying their assurance successful launching their projects successful the EU without seeking immoderate ineligible guidance, fto unsocial MiCAR compliance.

This nonfiction seeks to dispel the fashionable content that if a task is decentralized enough, MiCAR is of nary interest to the team. Sorry, but regulatory guidelines bust that myth!

The Myth: MiCA Doesn’t Affect DeFi and Non-Custodial Service Providers

Article 3(1), constituent 1 of MiCAR defines distributed ledger exertion (“DLT”) arsenic “a exertion that enables the cognition and usage of distributed ledgers,” and constituent 2 defines “distributed ledger” arsenic “an accusation repository that keeps records of transactions and that is shared across, and synchronised between, a acceptable of DLT web nodes utilizing a statement mechanism.”

Recital 22 of MiCAR provides the astir captious guidance connected DeFi’s narration with the Regulation. It states that MiCAR is designed to encompass services and activities performed, provided, oregon controlled, whether straight oregon indirectly, by earthy oregon ineligible persons and definite undertakings engaged successful crypto-asset services, adjacent successful cases wherever decentralization is involved.

However, the Recital contains the pursuing important language: “Where crypto-asset services are provided successful a afloat decentralised mode without immoderate intermediary, they should not autumn wrong the scope of this Regulation.” The import of this proviso lies wrong 2 cardinal phrases: “fully decentralised” and “without immoderate intermediary.”

The substance of the Regulation itself does not specify “fully decentralised” anyplace successful its operative provisions. The lone root of this word is wrong Recital 22, which forms portion of the preamble alternatively than the legally binding ceremonial provisions. Recital 83 further provides that “hardware oregon bundle providers of non-custodial wallets should not autumn wrong the scope of this Regulation,” without explicitly defining the grade to which hardware oregon bundle proviso constitutes a afloat decentralized work excluded from MiCAR.

Recital 109 recognizes these interpretive challenges and assigns the improvement of draught regulatory and implementing method standards to the European Banking Authority (“EBA”) and the European Securities and Markets Authority (“ESMA”).

In determining whether services autumn wrong MiCAR’s scope, 2 conditions whitethorn beryllium distilled from Recital 22 and consequent regulatory guidance:

• First, nary azygous entity whitethorn workout power implicit protocol parameters, governance mechanisms, oregon the halfway technological infrastructure upon which the crypto-asset work operates.
• Second, users indispensable entree what amounts to a “common bully resource” alternatively than purchasing services from a designated supplier with whom a contractual service-provider narration exists.

These conditions are captious for assessing whether immoderate DeFi task falls wrong oregon extracurricular the scope of MiCAR.

The Pitfall of Overestimating the State of Decentralization

In a satellite with rapidly emerging technologies, geopolitical instability, and the fragmented fiscal systems babelike connected manual processes and intermediaries, DeFi presents a transparent and borderless solution that fundamentally changes the mode transactions are initiated, processed, and executed. Instead of accepted fiscal strategy models wherever transactions indispensable archetypal walk done a fig of intermediaries and organization backends earlier being executed and settled, successful DeFi, users transact by interacting directly with the underlying blockchain web done decentralized protocols and interfaces, frankincense eliminating the request for intermediaries and analyzable strategy infrastructures.

In the satellite of the on-chain law, the enactment betwixt afloat decentralization and deficiency of it is thinner than it whitethorn seem. Before immoderate enactment whitethorn begin, a lawyer moving with a decentralized Web3 task volition archetypal fig retired whether the task whitethorn beryllium considered decentralized by analysing and assessing the project’s layers, their authorities of decentralization, arsenic good arsenic the team’s plans connected the ownership and governance.

At this archetypal signifier of the ineligible strategizing, determination are galore method and architectural elements that indispensable beryllium assessed by a lawyer to travel to a definitive statement astir the authorities of the project’s decentralization. While the squad whitethorn beryllium convinced that their task is afloat decentralized, with each its elements, specified arsenic the DLT, the protocol, and the dApp, successful reality, the archetypal appraisal whitethorn uncover the opposite.

To execute the authorities of true, afloat decentralization, each elements of the task indispensable conscionable the criteria of afloat autonomy and deficiency of interior oregon outer power passim the project’s ecosystem and its galore elements, including but not constricted to governance, ownership, interfaces, etc., which, upon person inspection, precise fewer projects negociate to achieve.

This takeaway whitethorn beryllium champion illustrated by a caller lawsuit successful the DeFi world. On 21 April 2026, Arbitrum’s Security Council froze implicit 30 ETH (approximately USD 71M) associated with the Kelp DAO exploit. A governing assemblage consisting of 12 members was capable to respond to the compromise by moving the funds into the intermediary wallet, which tin lone beryllium released done a governance vote, efficaciously making the funds locked successful the wallet.

This illustration points retired the beingness of discretionary operational control: adjacent though Arbitrum is, by definition, a layer-2 permissionless and seemingly afloat decentralized network, the workout of power implicit the idiosyncratic assets is precisely what would neglect MiCAR’s afloat decentralization test. Substance-over-form, successful this case, determines the regulatory scope, careless of the permissionlessness of the underlying ledger.

As such, a elemental assertion that a DeFi task is afloat decentralized is not capable to regularisation retired the work to comply with MiCAR and get a indispensable authorization arsenic a CASP. Lawyers volition chiefly measure the project’s method architecture, the ownership logic, and the governance rules, meaning that they invoke the substance-over-form assessment implicit semantics. The European regulatory bodies, specified arsenic the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), afloat enactment this approach.

ESMA’s and EBA’s Perspective connected DeFi

The ESMA’s position connected decentralized finance has evolved substantially done aggregate consultation packages and, astir significantly, done the Joint Report with EBA connected Recent Developments successful Crypto-Assets published connected 13 January 2025 (ESMA75-453128700-1391 / EBA/Rep/2025/01), prepared pursuant to Article 142 of MiCAR.

ESMA’s reasoning connected the spectrum of decentralization is foundational to this assessment. In its 2nd consultation bundle connected regulatory and implementing method standards, ESMA projected a explanation of “permissionless distributed ledger technology” arsenic “a exertion that enables the cognition and usage of distributed ledgers successful which nary entity controls the distributed ledger oregon its usage oregon provides halfway services for the usage of specified distributed ledger, and DLT web nodes tin beryllium acceptable up by immoderate persons complying with the method requirements and the protocols.”

This explanation draws from the Financial Stability Board’s consultative document, which distinguishes betwixt permissionless (fully decentralized) DLT, permissioned DLT allowing a grade of centralization, and centralized platforms. The ESMA acknowledges that “the nonstop scope of this exemption remains uncertain” and considers that an appraisal of each strategy should beryllium made connected a case-by-case basis, considering the features of the system.

ESMA recognizes that decentralization is not a binary conception but exists connected a spectrum from centralization to varying degrees of decentralization: “With DEXs, the blockchain takes the spot of the intermediary. DEXs usage autonomous codification (often referred to arsenic smart contracts) to execute trades straight connected the colony furniture of the blockchain (with differing degrees of decentralisation).”

The January 2025 Joint Report provides empirical information supporting the analytical framework. DeFi represents astir 4 percent of the planetary crypto-asset marketplace capitalization, with somewhat higher penetration rates observed among EU-based users. The Report confirms that precise fewer DeFi systems execute genuinely afloat decentralization successful the mode contemplated by Recital 22. The Report identifies that adjacent ostensibly decentralized protocols typically person identifiable entities that workout varying degrees of power implicit governance, protocol upgrades, smart contract deployment, and interest structures.

Regarding hardware and bundle providers of CASP-ancillary services, the presumption emerging from ESMA’s guidance is that entities simply creating and selling bundle improvement tools, applications, oregon platforms for crypto-asset proviso oregon trading are not automatically classified arsenic CASPs if their activities are confined to the instauration and merchantability of the said services.

However, entities overseeing the instauration and improvement of bundle oregon platforms for providing crypto-asset services whitethorn beryllium deemed CASPs if they clasp power oregon capable power implicit the crypto-assets, software, protocol, platform, oregon concern relationships with users. The captious trial is truthful 1 of power and power alternatively than specified technological involvement.

The relation of contractual relationships successful defining afloat decentralization is further underscored by ESMA’s investigation of Article 73 of MiCAR, which pertains to the outsourcing of services oregon activities to 3rd parties. ESMA concludes that determination exists nary ineligible ground to categorize permissionless DLTs utilized by CASPs arsenic a third-party provider, arsenic nary ceremonial contractual narration is required to interact with permissionless blockchains. This leads to the important decision that permissionless DLTs whitethorn beryllium regarded arsenic a signifier of “common good” resource, whereas permissioned DLTs operated by commercialized enterprises typically entail ceremonial contractual arrangements and truthful represent a “third-party provider” relationship. This favoritism is the backbone of the further appraisal successful this memorandum.

The Joint Report further addresses ML/TF risks and ICT considerations applicable to decentralized systems. The lack of accepted AML/CFT controls successful purely decentralized systems presents important regulatory concerns, arsenic know-your-customer procedures and transaction monitoring are typically absent oregon incomplete. The Report notes that ICT risks are among the superior concerns, with a bulk of DeFi-related fiscal losses attributable to smart contract vulnerabilities, oracle manipulation, and front-running attacks, including maximal extractable worth (“MEV”) exploitation.

These hazard factors, portion not determinative of regulatory classification, pass the supervisory attack to entities operating astatine assorted points connected the decentralization spectrum.

FATF Framework and Contractual Relationships

The FATF’s guidance connected VASPs and DeFi provides a foundational analytical model that has been adopted and further developed by ESMA. According to the FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (October 2021), a idiosyncratic who creates oregon sells a bundle exertion oregon a virtual plus level whitethorn not represent a Virtual Asset Service Provider erstwhile solely engaging successful the instauration oregon merchantability of the exertion oregon platform, with the accent connected the connection solely.

In cases wherever creators, owners, operators, oregon different individuals look to support power oregon exert capable power implicit DeFi arrangements, adjacent if those arrangements look decentralized, they whitethorn autumn nether the FATF explanation of a VASP if they are providing oregon actively facilitating VASP services. Control oregon important power whitethorn manifest done power implicit assets oregon aspects of the service’s protocol, and done an ongoing concern narration betwixt the relation and users, adjacent if this power is exercised done a smart contract or, successful immoderate instances, done voting protocols.

The FATF’s reasoning lays the instauration for the appraisal of decentralization nether MiCAR by establishing 2 important principles:

• First, the owners and operators and their grade of power implicit DeFi tin often beryllium identified by their narration to the activities being undertaken alternatively than by the labels applied to the arrangement.
• Second, partial centralization cannot beryllium automatically excluded adjacent if parties different than the main work supplier are progressive successful the work oregon if portions of the process are automated done smart contracts.

The relation of contractual relationships successful the appraisal of decentralization deserves peculiar attention. Article 73 of MiCAR, which pertains to the outsourcing of services oregon activities to 3rd parties for the show of operational functions, regulates however CASPs should code risks associated with third-party providers.

However, arsenic the ESMA Second Consultation Paper acknowledges, determination exists nary ineligible ground to categorize permissionless DLTs utilized by CASPs arsenic a third-party provider, due to the fact that nary ceremonial contractual relationship, specified arsenic a work level agreement, is required to interact with permissionless blockchains. The ESMA concludes that permissionless DLTs whitethorn beryllium regarded arsenic a signifier of “common good” resource, whereas permissioned DLTs operated by commercialized enterprises typically entail contracts disposable for white-labelled blockchain products, thereby constituting a third-party supplier relationship.

This decision has profound implications for the regulatory appraisal of platforms built connected permissionless infrastructure. If a level deploys smart contracts connected a permissionless blockchain specified arsenic Ethereum, the usage of that blockchain infrastructure does not, successful itself, found a third-party work supplier relationship.

However, if the level relation retains power implicit the smart contracts, tin upgrade oregon modify their functionality, controls entree to the front-end interface, oregon maintains administrative keys that tin pause, freeze, oregon modify the protocol, these centralized elements bring the relation wrong the scope of MiCAR careless of the permissionless quality of the underlying ledger.

The trial is truthful functional alternatively than technological: it asks what power the relation really exercises, not what exertion the strategy is built upon.

Key Takeaways:

Taking the foregoing investigation into account, and successful peculiar ESMA’s reasoning arsenic acceptable distant successful the consultation papers and the January 2025 Joint Report, we are of the sentiment that the pursuing propositions clasp existent for the purposes of this assessment.

• First, arsenic agelong arsenic nary idiosyncratic oregon entity controls a DeFi protocol oregon level and its usage, and nary idiosyncratic fulfills a cardinal and indispensable relation successful its cognition without which the exertion cannot beryllium utilized, the DeFi protocol oregon level whitethorn beryllium deemed exempt from MiCAR’s scope of exertion by virtuousness of being “fully decentralised” wrong the meaning of Recital 22.
• Second, the specified improvement of bundle oregon auxiliary tools for CASPs is not considered a crypto-asset work unless further MiCAR-regulated aspects, specified arsenic influencing the offer, sale, transfer, custody, oregon trading of crypto-assets, are included successful the scope of activities undertaken by the developer.

However, the applicable exertion of these principles to immoderate DeFi task requires cautious introspection of its ecosystem’s existent governance and operational characteristics. In lawsuit a project’s architecture indicates centralized power implicit token issuance, protocol parameters, oregon ecosystem governance, it is improbable to fulfill the “fully decentralised” exemption of Recital 22, and the services provided successful transportation with specified a task indispensable beryllium assessed nether MiCAR’s provisions.

What We Decoded

The “Fully Decentralised” Exemption is Exceptionally Narrow: MiCA’s Recital 22 states that services provided successful a “fully decentralised mode without immoderate intermediary” autumn extracurricular the regulation’s scope, but achieving this existent authorities of afloat decentralization is incredibly rare. If immoderate azygous entity exercises power implicit governance, protocol parameters, oregon halfway infrastructure, the exemption does not apply.

Substance Over Form Dictates Compliance: Regulators look past selling claims and method semantics to measure existent operational control. The regulatory trial is functional, not technological: if an relation maintains administrative keys, controls the front-end interface, oregon has the quality to upgrade oregon intermission smart contracts, they autumn wrong MiCA’s scope.

Decentralization Exists connected a Spectrum: ESMA does not presumption decentralization arsenic a binary concept. Even if a task relies heavy connected autonomous codification and smart contracts, the beingness of identifiable entities exercising varying degrees of power implicit interest structures, protocol upgrades, oregon governance volition trigger regulatory scrutiny.

Permissionless Blockchains are “Common Goods”: Relying connected a public, permissionless blockchain does not found a ceremonial third-party outsourcing narration nether Article 73 of MiCA, arsenic ESMA categorizes these arsenic “common good” resources. However, deploying smart contracts connected a communal bully infrastructure does not shield the level relation from MiCA if they clasp functional power implicit those contracts.

Software Developers Are Not Automatically CASPs: Merely creating and selling non-custodial bundle oregon hardware does not automatically classify an entity arsenic a Crypto-Asset Service Provider (CASP). However, if the developers oregon operators clasp capable power implicit the crypto-assets, the platform, oregon the ongoing concern relationships with users, they transverse the regulatory threshold and volition beryllium regulated arsenic CASPs.

This nonfiction is based connected a study conducted by LegalBison successful April 2026. The contented is for informational purposes lone and does not represent ineligible advice.