・10 min read・Crypto
DAC8 in compliance: what EU digital asset reporting means for exchanges, custodians, and their users
A practical DAC8 compliance guide for crypto exchanges and custodians: who must report, what's in scope, due diligence rules, and 2026/2027 deadlines
If your platform effectuates exchange transactions for users tax-resident in an EU member state, DAC8 applies to you as a Reporting Crypto-Asset Service Provider (RCASP), regardless of where you're incorporated. Data collection began January 1, 2026. For member states with enacted legislation, RCASP filing deadlines with competent authorities range from January through July 2027; some member states have not yet published a filing deadline. The EU-wide inter-governmental exchange deadline is September 30, 2027. The framework requires more granular reporting than any prior EU reporting directive and, unlike its predecessors, captures domestic EU residents, not just foreign account holders.
DAC8 is EU Directive 2023/2226, adopted October 17, 2023. It implements the OECD Crypto-Asset Reporting Framework within the EU's administrative cooperation structure. A US-based exchange serving users tax-resident in EU member states faces substantially the same data collection, due diligence, and reporting obligations as an EU-based exchange; registration mechanics and local implementation details differ by member state, but the core RCASP reporting requirements do not.
This guide covers what DAC8 requires, how it differs from CRS and FATCA, and what platforms need to do now.
What is DAC8?
From CARF to DAC8: the EU's implementation
The OECD published the final Crypto-Asset Reporting Framework on October 10, 2022 and formally adopted it as an international standard (including the Commentary and 2023 CRS amendments) in June 2023. The EU adopted it through DAC8, amending Directive 2011/16/EU on administrative cooperation in taxation. As DAC8 Recital (9) states, the directive takes into account the OECD CARF as "sources of illustration or interpretation" to "ensure consistency in application across Member States."
The timeline:
- OECD publishes final CARF: October 10, 2022; formal adoption as international standard: June 2023
- DAC8 adopted by EU Council: October 17, 2023
- Member state transposition deadline: December 31, 2025
- Data collection begins: January 1, 2026
- First reporting to competent authorities: 2027 (per national legislation)
- Automatic exchange between member states: by September 30, 2027
As of April 2026, most EU member states have enacted transposing legislation. Several adopted after the January 1, 2026 effective date, with retroactive application to the start of the first reporting period. Luxembourg adopted its DAC8 law on March 19, 2026 with first reports due by June 30, 2027. Poland published its implementing legislation in the Official Gazette on March 17, 2026, with a June 30, 2027 filing deadline. Estonia's Tax and Customs Board confirms first reports are due June 2027. Belgium's Parliament adopted its implementing law on March 12, 2026 with first reports due June 2027. The Czech Financial Administration states first reports are due by April 30, 2027. Transposition status is evolving; verify current status against the EUR-Lex national measures database before relying on country-specific information for compliance decisions.
Why DAC8 is structurally different from CRS and FATCA
CRS and FATCA are offshore financial account frameworks. They were designed to capture non-resident account holders. A German exchange reporting under CRS would not report on its German users; domestic residents are not "foreign account holders."
DAC8 changes this. As DAC8 Recital (13) explicitly states: "the reporting obligation should cover both cross-border and domestic transactions in order to ensure the effectiveness of the reporting rules, the proper functioning of the internal market, a level playing field and respect of the principle of non-discrimination."
The scope expansion isn't incremental; it's structural. CRS and FATCA were built to catch offshore evasion by non-residents. DAC8 is built to give EU tax authorities full visibility into crypto activity by their own residents. That's a different problem requiring a different compliance posture, and platforms that built their programs on CRS assumptions have a material gap to close.
The residents-in-scope rule
The residents-in-scope rule is embedded in the original DAC8 text. DAC8 requires a reporting crypto-asset service provider to report on all reportable users, defined as crypto-asset users who are resident in a reportable jurisdiction and not otherwise excluded. There is no carve-out for residents of the member state where the reporting entity is established.
The European Commission's DAC8 page makes this explicit: RCASPs must "start collecting data on reportable crypto-asset transactions of all EU-resident users, including residents of the Member State where you are established, from 1 January 2026."
A Dutch exchange reports all of its reportable users, both Dutch and non-Dutch, to the Dutch competent authority. The Dutch authority retains data on its own domestic residents and automatically exchanges data on non-residents with their respective member states. A US exchange serving German users must similarly report all of those German users, not a subset.
Who must report: the RCASP definition
Entities in scope
DAC8 defines a "crypto-asset service provider" as any individual or entity that, as a business, effectuates exchange transactions for or on behalf of customers, including by acting as counterparty or intermediary, or by making available a trading platform. "Reporting crypto-asset service provider" means any crypto-asset service provider that is not an excluded crypto-asset service provider.
This captures: centralized exchanges, custodial wallet providers, crypto brokers and dealers, crypto ATM operators, and certain DeFi platforms. Whether a decentralized exchange qualifies as an RCASP depends on the degree of control or influence it exercises over user transactions; this is a fact-pattern analysis, not a categorical rule.
Non-EU platforms: the extraterritoriality rule
DAC8 applies extraterritorially. A crypto-asset operator not authorized under the EU's Markets in Crypto-Assets Regulation (MiCA) that serves users tax-resident in EU member states must register in one EU member state before the end of the period in which it first has reporting obligations.
Registration is not optional. If a non-EU operator fails to register, member states must take enforcement measures including, as a last resort, preventing the operator from operating in the EU.
Non-EU platforms have two paths: MiCA authorization (which confers passporting rights and satisfies the DAC8 registration requirement across all member states), or direct registration as a crypto-asset operator in a single member state. Note that reporting in a non-EU jurisdiction with an applicable EU information-sharing agreement may satisfy DAC8 obligations, but only where an effective qualifying competent authority agreement is in place between the non-EU jurisdiction and the relevant EU member states.
What must be reported
Reportable transaction types
DAC8 defines two categories of reportable transactions: exchange transactions and transfers. Exchange transactions subdivide by consideration type, and transfers include a separately defined subcategory for retail payments, producing four distinct reporting lines in practice:
- Exchanges between relevant crypto-assets and fiat currency (crypto-to-fiat and fiat-to-crypto)
- Exchanges between one or more forms of relevant crypto-assets (crypto-to-crypto trades)
- Reportable retail payment transactions: transfers of relevant crypto-assets in consideration of goods or services where the value exceeds USD 50,000
- Transfers of relevant crypto-assets, including to unhosted wallets (wallet addresses not known to be associated with a virtual asset service provider or financial institution), where the RCASP cannot determine the transaction is an exchange transaction
Transfers to unhosted wallets are particularly significant. Even where no taxable event occurs, the transfer must be reported, including aggregate fair market value, number of units, and transaction count per asset type.
Reporting is aggregate by reportable crypto-asset type, distinguishing between inward and outward transactions, crypto-to-fiat and crypto-to-crypto exchanges.
Assets in scope and exclusions
Under DAC8, "relevant crypto-asset" means any crypto-asset other than a central bank digital currency, a specified electronic money product, or a crypto-asset that the RCASP has adequately determined cannot be used for payment or investment purposes.
In scope: Bitcoin, Ethereum, and other cryptocurrencies; stablecoins; utility tokens (assessed case by case); asset-backed tokens; and NFTs. As DAC8 Recital (14) states, NFTs require a case-by-case assessment of whether they "can be used for payment and investment purposes"; the collectible label does not automatically exclude them.
Excluded: central bank digital currencies; specified electronic money products (single-currency, par-value redeemable products regulated as such); and closed-loop systems with no payment or investment use.
Customer due diligence and self-certification
What platforms must collect
DAC8 requires reporting CASPs to obtain a self-certification from each crypto-asset user establishing jurisdiction(s) of tax residence and TIN. For individual users, valid self-certifications must include: full name, residence address, jurisdiction(s) of tax residence, TIN for each reportable jurisdiction, and date of birth.
For pre-existing users (accounts established before January 1, 2026), the CARF model allows a 12-month completion window from the effective date of the rules, placing the pre-existing account due diligence deadline at January 1, 2027 for most EU member states.
The 60-day suspension rule
DAC8 Annex VI Section V(A)(2) establishes one of the most operationally significant requirements in the framework: "Where a Crypto-Asset User does not provide the information required under Section III after two reminders following the initial request by the Reporting Crypto-Asset Service Provider, but not prior to the expiration of 60 days, the Reporting Crypto-Asset Service Provider shall prevent the Crypto-Asset User from performing Reportable Transactions."
The 60-day window is a product and engineering requirement, not just a legal formality. Platforms must build initial outreach, two reminder workflows, day-count tracking, and conditional transaction blocks, all while maintaining GDPR-compliant communication design that avoids the appearance of phishing.
The GDPR notification requirement
DAC8 requires reporting CASPs, as data controllers under Regulation (EU) 2016/679, to notify users. Unlike the OECD CARF base model and US §6045 broker reporting, DAC8 requires platforms to ensure users are informed that their transaction data is being processed and shared with tax authorities. Privacy policies, account communications, and onboarding flows all need to reflect this.
This is a European-only obligation. Platforms building a unified global CARF compliance program should treat the GDPR notification layer as an EU-specific addendum, not a global default.
Penalties
What the directive requires and what member states have enacted
DAC8 Recital (42) and Article 25a require member states to establish penalties that are "effective, proportionate and dissuasive." The directive does not prescribe specific amounts; those are set in each member state's transposing legislation, and the variation across the EU is significant.
Enacted penalty ranges across selected member states (as of April 2026):
| Member state | Penalty range | Key trigger |
|---|---|---|
| Netherlands | Up to €1,100,000 | License revocation for repeat failure |
| Austria | Up to €200,000 (intentional) / €100,000 (gross negligence) | Reporting or registration violations |
| Luxembourg | Up to €250,000 (intentional) / €5,000 (late/non-filing) | Registration or reporting failure |
| France | €15/transaction (capped at €2,000,000) / up to €50,000 | Late, omitted, or inaccurate reporting; self-certification failure |
| Belgium | Registration: up to €25,000 (€50,000 if continuing after revocation); reporting: up to €25,000 (€50,000 if fraudulent) | Registration or reporting violations |
| Slovakia | €30,000 (intentional) / €15,000 (negligence) | Non-compliance |
| Ireland | €3,000–€4,000 per violation | Any infringement |
| Croatia | €260–€26,540 | Reporting or registration violations |
| Sweden | 2,500–12,000 SEK annually | Tiered by severity and continuation |
Penalties can be triggered by failure to register, failure to report on all qualifying users (including domestic residents), late or inaccurate reports, failure to implement the 60-day suspension rule, and failure to maintain required records. Records must be retained for not less than five years and not more than ten years after the end of the relevant reporting period.
For non-MiCA operators, non-compliance with reporting or other obligations after two reminders from the member state of registration triggers registration revocation and, potentially, prohibition from EU operations.
Practical compliance steps
Step 1: determine if you're in scope
The threshold question: does your platform, as a business, effectuate exchange transactions for users who are tax-resident in an EU member state? If yes, you are a reporting CASP under DAC8 regardless of where you're incorporated. The secondary question is whether any of the four relevant transaction types occur on your platform; for exchanges and custodians, they do.
Step 2: implement self-certification collection
For new users, self-certification must be obtained when establishing the relationship. For pre-existing users, outreach programs targeting the January 1, 2027 deadline need to be underway now. Campaigns must be GDPR-compliant in design and phishing-safe in appearance: confirmed sender domains, consistent branding, and links directing only to the platform's own domain.
Step 3: build 60-day reminder and suspension logic
From initial request to transaction restriction: two reminders, minimum 60 days. The technical requirements include timestamp tracking from initial outreach, automated second-reminder workflows, account-level flags enabling transaction restriction without full account closure, and a reinstatement process for accounts that provide valid self-certifications after restriction.
Step 4: upgrade transaction data infrastructure
DAC8 requires aggregate reporting by relevant crypto-asset type across the full calendar year, distinguishing transaction categories. Year-end snapshots are not sufficient. Platforms need ongoing logging at the asset and category level.
Step 5: establish EU member state registration (if applicable)
Non-EU platforms serving users tax-resident in EU member states must register in a single member state. Registration deadlines vary by member state; platforms that have not yet registered face growing compliance risk, and the European Commission has already initiated infringement proceedings against member states that failed to transpose on time.
What this means for EU investors
The five compliance steps above describe obligations for platforms. For individual EU residents, the same rules produce a different outcome: your exchange is now legally required to report your transaction data to tax authorities, regardless of which exchange you chose or where it is incorporated.
If you are an EU resident who uses any crypto exchange, including US-based exchanges, your transaction history is being collected by your exchange for calendar year 2026. That data will be reported to the competent authority of your jurisdiction of tax residence in 2027, with EU-wide exchange completed by September 30, 2027. The reporting covers crypto-to-fiat sales, crypto-to-crypto trades, retail crypto payments above USD 50,000, and transfers out of the exchange including to unhosted wallets.
Your exchange is required to collect your taxpayer identification number and confirm your jurisdiction of tax residence. If you don't respond to those requests within the required timeframe, your account can be restricted from trading. Providing accurate information is a legal obligation under the member state legislation implementing DAC8.
Expect crypto activity cross-referenced on your tax return starting with calendar year 2026. The data collection infrastructure is operational now.
Conclusion
DAC8 took effect on January 1, 2026. The first reporting period covers all of 2026, with member state filing deadlines running from January through mid-2027 and the EU-wide exchange ceiling of September 30, 2027. Platforms that began self-certification collection in January 2026 are on schedule. Those that haven't started face increasing compliance risk with each passing quarter.
The system build timeline is measured in months. First filings are less than 12 months away.
See our CARF guide for the global framework DAC8 implements.
Request a consultation
Learn how CoinTracker supports exchanges and custodians building DAC8-compliant reporting infrastructure.
Frequently asked questions
What is DAC8 and who does it apply to?
DAC8 is EU Directive 2023/2226, which implements the OECD Crypto-Asset Reporting Framework within the EU. It applies to any Reporting Crypto-Asset Service Provider that effectuates exchange transactions for users tax-resident in an EU member state — regardless of where the platform is incorporated. US-based exchanges serving EU users are in scope.
When did DAC8 take effect?
DAC8 data collection obligations began January 1, 2026. The first reporting period covers the full 2026 calendar year. Filing deadlines with national competent authorities vary by member state, ranging from January through mid-2027. The EU-wide automatic exchange between member states is due by September 30, 2027.
How is DAC8 different from CRS and FATCA?
CRS and FATCA were designed to capture offshore account holders — domestic residents were never in scope. DAC8 explicitly closes that gap. It requires RCASPs to report on all EU-resident users, including residents of the same member state where the exchange is established. That makes it structurally different from any prior EU tax reporting directive.
What transactions must be reported under DAC8?
DAC8 requires reporting across four transaction types: crypto-to-fiat exchanges, crypto-to-crypto trades, transfers including those to unhosted wallets, and retail crypto payments exceeding USD 50,000 in value. Transfers to unhosted wallets are reportable even when no taxable event occurs — a significant departure from the US broker reporting framework under IRC §6045.
What happens if a user doesn't provide a self-certification?
If a user fails to provide required tax residency and TIN information after two reminders within a 60-day window, the platform must block that user from performing reportable transactions. This is a hard technical requirement embedded in DAC8 Annex VI, not a discretionary enforcement option. Platforms need to build reminder workflows, day-count tracking, and conditional transaction restriction logic to comply.
Do non-EU crypto exchanges need to comply with DAC8?
Yes, if they serve users tax-resident in EU member states. Non-EU platforms that are not MiCA-authorized must register in a single EU member state before the end of the first period in which they have reporting obligations. Failure to register can result in enforcement measures including being blocked from operating in the EU entirely.
Key sources
- Council Directive (EU) 2023/2226 of 17 October 2023 (DAC8): Amending Directive 2011/16/EU on administrative cooperation in the field of taxation. **eur-lex.europa.eu**
- European Commission, DAC8 implementation page. **taxation-customs.ec.europa.eu**
- OECD (2023), International Standards for Automatic Exchange of Information in Tax Matters: Crypto-Asset Reporting Framework and 2023 update to the Common Reporting Standard, OECD Publishing, Paris. **https://doi.org/10.1787/896d79d1-en**
- Regulation (EU) 2023/1114 (MiCA): Markets in Crypto-Assets Regulation. **eur-lex.europa.eu**
- EUR-Lex national transposition measures database: Current member state transposition status for Directive 2023/2226. **eur-lex.europa.eu/legal-content/EN/NIM/?uri=CELEX:32023L2226**