DAC8: the EU’s new crypto reporting obligation, country by country
DAC8 is the EU’s transposition of the OECD’s Crypto-Asset Reporting Framework — and the first reporting cycle for crypto-asset service providers begins on 1 January 2026. The substance is shared across the bloc; the procedural reality is that each member state has its own portal, its own intake forms and its own implementing decree, and the differences between them matter when you operate cross-border. This piece walks through what DAC8 captures, who has to file, and where the six core jurisdictions diverge.
1. What DAC8 is
DAC8 — Council Directive (EU) 2023/2226 amending Directive 2011/16/EU on administrative cooperation in the field of taxation — extends the EU’s automatic-exchange-of-information regime to crypto-assets. It transposes the OECD’s Crypto-Asset Reporting Framework (CARF) into EU law and aligns it with the wider DAC architecture that already covers financial accounts (DAC2 / CRS), digital platforms (DAC7) and tax rulings.
The first reportable period runs from 1 January 2026. The first information exchange between member states under DAC8 is scheduled for 2027, covering 2026 data.
2. Who is in scope
Two categories of “Reporting Crypto-Asset Service Providers” (RCASPs):
- EU-authorised CASPs under MiCA — every CASP licensed under Regulation (EU) 2023/1114. Authorisation triggers RCASP status automatically.
- Non-EU operators with EU users — operators not established in the EU but providing crypto-asset services to EU-resident users. They must register with a single EU competent authority and report through it.
The scope mirrors CARF: it captures exchanges, brokers, custodians, issuers offering exchange services, and certain crypto-ATM operators. Pure software providers (wallet code, node operators) are out of scope unless they exercise control over user assets.
3. What gets reported
For each EU-resident user, per calendar year:
- Identification — name, address, tax-residence, taxpayer-identification number (TIN), date of birth.
- For each “relevant crypto-asset” the user transacted in: aggregate fair-market value of acquisitions (in fiat) and aggregate of disposals.
- The number of units acquired and disposed of.
- For transfers, the wallet address category (custodial, self-custodial) and counterparty class.
- For retail-payment transactions, the aggregate fair-market value where the goods or services exceed €50,000.
The schema is the OECD CARF XML, with EU-specific extensions adopted by the European Commission’s Directorate-General for Taxation and Customs Union (DG TAXUD).
4. Cadence and channel
- Frequency: annually. First reportable period = calendar year 2026, first submission due in 2027.
- Channel: via the home member state’s tax-authority portal. Cross-border PSPs file once with their home authority; the authority forwards to the others.
- Format: XML based on CARF v1.0 with EU extensions.
5. The due-diligence layer
DAC8 introduces customer due-diligence obligations broader than what most CASPs run for AML purposes alone:
- Self-certification at onboarding — the user attests their tax residence(s) and TIN(s).
- Reasonableness check — the CASP cross-references the self-certification with KYC data and other reliable indicia.
- Change-in-circumstance triggers — material updates require re-certification.
- Record retention — at least 5 years from the end of the reportable period.
For CASPs that already run a clean MiCA-aligned KYC programme, the gap to DAC8 is moderate. For those building from a thin onboarding flow, this is a meaningful uplift.
6. The six core jurisdictions, where they diverge
The substantive framework is identical EU-wide. The implementation differences are procedural:
- 🇪🇸 Spain — transposed via the Spanish General Tax Law amendments. Filings go through the AEAT’s electronic portal.
- 🇳🇱 Netherlands — transposed in the Wet internationale bijstandsverlening, with filings to the Belastingdienst’s central exchange unit.
- 🇫🇷 France — transposed in the Code général des impôts; Direction générale des Finances publiques (DGFiP) is the receiving authority.
- 🇮🇹 Italy — transposed via legislative decree amending Article 31-bis of the Italian fiscal code; Agenzia delle Entrate is the receiving authority.
- 🇩🇪 Germany — transposed via the Plattformen-Steuertransparenzgesetz (PStTG) extension; Bundeszentralamt für Steuern (BZSt) is the receiving authority.
- 🇱🇺 Luxembourg — transposed via amendments to the Luxembourg DAC implementing law; Administration des contributions directes (ACD) is the receiving authority.
For a CASP authorised in one member state and serving users across the bloc, the home-state filing is typically the single point of submission. The forwarding to other member states happens authority-to-authority, not via the CASP.
7. How DAC8 differs from the other DACs
| Regime | What it captures | Reporter |
|---|---|---|
| DAC2 / CRS | Financial accounts of non-residents | Banks, EMIs, certain investment entities |
| DAC6 | Cross-border tax-planning arrangements | Intermediaries (advisers, lawyers, taxpayers) |
| DAC7 | Sales by sellers on digital platforms | Platform operators |
| DAC8 | Crypto-asset transactions of EU-resident users | CASPs and certain non-EU operators |
A firm that holds both a CASP authorisation and an EMI authorisation can fall under both DAC8 (for crypto activity) and DAC2 / CRS (for fiat-account activity) — see our CESOP overview for the parallel VAT-side regime.
8. FAQ
Is DAC8 the same as CARF?
Substantively, yes. DAC8 is the EU implementation of the OECD’s CARF, with EU-specific procedural extensions for the inter-member-state exchange.
I am authorised under MiCA — am I automatically a Reporting CASP?
Yes. MiCA authorisation triggers RCASP status under DAC8. There is no separate registration step for in-scope MiCA-licensed firms.
I am a non-EU exchange with EU customers — what do I do?
Register with a single EU competent authority of your choice and file there. The EU member state forwards your data to all other member states with EU-resident users.
Does DAC8 cover stablecoins separately?
EMTs and ARTs under MiCA are within scope where they are traded as crypto-assets through a CASP. The DAC8 schema does not separate them; the underlying classification flows through CARF’s “relevant crypto-asset” definition.
What is the penalty regime?
Each member state sets its own penalties under DAC8’s “effective, proportionate and dissuasive” standard. They are typically fines per missed filing or per misreported user, escalating with severity.
Does the user see what is reported about them?
The user is informed at onboarding that their data may be reported under DAC8. There is no annual statement obligation, but users have GDPR access rights to their data.
9. What to do, today
- Map your existing onboarding flow against the DAC8 self-certification requirements; close the gaps.
- Build the per-user, per-asset transaction aggregation as a year-end batch, not real-time.
- Identify your home-state competent authority and confirm the portal access and credentials needed.
- Pre-engage with the supervisor — most authorities published implementation guidance through 2025; read it before designing.
- If you also hold an EMI / PI licence, plan DAC8 alongside CRS — the customer due-diligence layers overlap.
Related: MiCA white paper drafting · What is CESOP reporting? · AML representative across the EU
