January 1, 2026: the European Big Brother arrives

From 2026, every movement of bitcoin and digital assets executed through supervised intermediaries will be recorded and shared among the tax authorities of the 27 EU countries.

With the entry into force of the DAC8 directive, starting from January 1, 2026, every movement of bitcoin and other digital assets carried out through supervised intermediaries will be subject to greater tax control, through an automatic exchange of information system that will involve all 27 member states of the European Union. The regulatory change extends to the digital asset ecosystem the same information exchange mechanism already applied to other income (employment, pensions, dividends, etc.).

Directive 2023/2226/EU (DAC8) forces the entire sector to confront a reality in which every exchange, custodial wallet and provider will effectively become a tax control agent. With this regulation, Europe follows the OECD standards of the Crypto-Asset Reporting Framework (CARF), which will create a global monitoring system that will involve over 67 countries by 2027/28. CARF was conceived as the crypto version of the traditional CRS (Common Reporting Standard) model for bank accounts.

The DAC8 directive does not emerge from nothing, but fits into a regulatory path that began over a decade ago with directive 2011/16/EU on administrative cooperation in tax matters. What we now call DAC (Directive on Administrative Cooperation) has been progressively expanded through eight successive amendments, each aimed at filling specific gaps in European tax transparency.

The previous versions of DAC had mainly focused on:

• DAC1: automatic exchange of information on specific income categories (wages, pensions, dividends);
• DAC2: extension of automatic exchange following the OECD’s Common Reporting Standard (CRS);
• DAC3: cross-border advance tax rulings;
• DAC4: country-by-country reporting of multinationals;
• DAC5-7: further refinements and expansions.

DAC8 constitutes the eighth evolution of the European system of fiscal administrative cooperation and represents the definitive expansion to the world of digital assets. Adopted on October 17, 2023 and published in the Official Journal of the EU on October 24, the regulation requires member states to transpose it by December 31, 2025, with effective application from January 1, 2026.

The directive integrates with the MiCA Regulation (Markets in Crypto-Assets), creating a regulatory ecosystem that covers both authorization and tax aspects. While MiCA defines the operational rules for Crypto-Asset Service Providers (CASP), DAC8 establishes the tax reporting obligations for Reporting Crypto-Asset Service Providers (RCASP), defined as “individuals and entities that provide services that execute relevant crypto-asset transactions.”

The European Commission has justified the urgency of DAC8 with the growing diffusion and the cross-border and decentralized nature of crypto-assets. According to the EU Council, DAC8 aims to effectively combat “tax evasion, fraud and avoidance,” reduce information asymmetries between EU countries and discourage so-called “tax whistleblowing.” The stated objective is to provide member states with a “complete vision” of crypto-assets held by European taxpayers, minimizing the possibility that income and capital gains are hidden or not declared as a result of exchanges or investments in digital assets.

Technical definitions

The regulation adopts the MiCA definitions for crypto-assets, understood as “digital representations of value or rights transferable and storable electronically, using distributed ledger technology or similar.” However, DAC8 introduces some distinctions:

• EMT (Electronic Money Tokens): tokens comparable to electronic money, subject to the traditional Common Reporting Standard (CRS) regime;
• ART (Asset Referenced Tokens): tokens linked to the value of underlying assets, which follow CARF rules;
• Utility tokens and other crypto-assets: which fall into a residual category with specific obligations.

Operational mechanism

The functioning of DAC8 is based on a system that involves various sector operators. Crypto service providers collect detailed data on their users through enhanced customer due diligence procedures (KYC/AML). Such data includes complete personal information, tax codes, declared tax residence and all details of operations carried out.

The directive introduces a “European Tax Identification Number” (TIN), a unique code for each taxpayer who resides and operates in EU territory. Through this unique identifier, it will be possible to link all information relating to an individual’s income and economic movements, including digital assets.

The collected information is transmitted to national tax authorities by January 31 of the following year.

Obligations for operators

Sector operators – exchanges, custodial wallets, providers – must:

1. register and obtain MiCA authorization: by December 31, 2025, all operators must obtain the authorization required by the MiCA regulation;
2. identify each user: collection of identity documents and European tax code through enhanced KYC/AML (Know Your Customer & Anti-Money Laundering) procedures;
3. apply due diligence procedures: constant verification of customers’ identity and tax residence;
4. communicate annually: transmission to the Revenue Agency of detailed information on:

• complete personal data of customers: name, address, date of birth, tax residence, tax code or tax identification number (TIN);
• nature of operations (purchase, sale, exchange, staking or lending);
• amount and date of transactions;
• account balances;
• realized capital gains;
• transfers to external wallets and addresses used;
• activities with linked cards;
• cash-out movements to linked bank accounts.

Sanctions system

The regulation provides for graduated sanctions to ensure compliance. Crypto service providers who do not comply with obligations risk pecuniary sanctions from €1,500 to €15,000 per single violation, with cumulative sanctions.

Individual users also have responsibilities. If a customer ignores two consecutive requests for tax information within 60 days, the platform must completely block their operations. They will no longer be able to buy, sell or transfer cryptocurrencies until regularization.

Operational preparation

RCASPs will have to implement various operational transformations, which involve an increase in compliance costs:

• enhanced KYC/AML systems: collection and verification of detailed tax data, including tax residence and national identification codes;
• advanced IT infrastructures: systems to automatically track, categorize and report all user transactions;
• due diligence processes: procedures to identify the nature of crypto-assets and apply the correct reporting regimes;
• training and compliance: staff training on regulatory requirements and coordination between legal, compliance and IT departments.

It should also be noted the extraterritorial effect of DAC8: whoever serves customers resident in the EU, even from outside Europe, must comply, regardless of their geographical location. In practice, American or Asian exchanges that allow European taxpayers to purchase digital assets will have to register in a member state and respect the same rules.

A honeypot built by law

DAC8 effectively amplifies a structural security problem. Forcing exchanges to transmit larger volumes of sensitive data increases the risk of data breaches, transforming each RCASP into an even more coveted target for targeted attacks.

But the real vulnerability lies not only in collection, but in automatic exchange between 27 member states. Every data passage is a potential point of compromise. The directive provides that information crosses computer systems of tax authorities with very different cybersecurity levels from each other.

Beyond technical risk, uncertainty remains about how this information can be used in the future. Once collected and shared at the European level, citizens’ data leaves its original context – the tax one – and becomes accessible to a multitude of authorities with different competencies, priorities and agendas. This opens the door to possible extensions of use: non-tax investigations, economic profiling, asset controls, up to potential regulatory reinterpretations that could further expand the purposes of financial surveillance.