DAC8: The EU's crypto reporting regime turns the wallet into a tax form

From 1 January 2026, every EU crypto-asset service provider must collect customer tax IDs and report transactions to national tax authorities. Germany's implementation lands the directive with criminal-law teeth — and changes the strategic calculus for retail crypto users who'd treated tax compliance as optional.

By Sebastian Winzker · 15 May 2026


What changed

The European Union's Directive on Administrative Cooperation, eighth iteration ("DAC8"), entered into force on 1 January 2026. It does for crypto-assets what its predecessors did for traditional financial accounts: it requires service providers to identify their customers, gather transaction-level data, and hand that data to the customer's tax authority once a year via automatic exchange.

The directive is the European companion to the OECD's Crypto-Asset Reporting Framework (CARF), and its scope is deliberately broad. It applies to centralised exchanges, hosted-wallet providers, brokers, dealers, and any platform that "effects exchange transactions" on behalf of customers. Self-custody on a personal device is not in scope. Decentralised protocols where no operator has custody are not in scope. Everything else — the platforms most retail users actually touch — is in.

In Germany, the directive is implemented through the Kryptowerte-Steuertransparenzgesetz (KStTG), passed by the Bundestag on 6 November 2025. The Bundeszentralamt für Steuern (BZSt) is the competent authority for receiving reports and exchanging the data with other EU member states. (Bundestag, BZSt overview)

What service providers have to collect

For every reportable user — broadly, every natural person resident in an EU member state and every legal entity with a tax presence in one — a Reporting Crypto-Asset Service Provider (RCASP) must record:

On the transaction side, the platform must log every exchange between a crypto-asset and fiat, every exchange between crypto-assets, and every transfer in or out, including the counterparty wallet address where known. Annual aggregates are reported to the BZSt by 31 July of the year following the reporting year. The BZSt forwards them to peer authorities. The first reports for the 2026 financial year are due in mid-2027. (BZSt procedure)

Why this is a step-change, not an incremental tax update

Three things make DAC8 materially different from the patchwork of national reporting that came before.

Automatic exchange across the EU. A German resident trading on a Lithuania-licensed exchange has historically been a tax-administration blind spot: the platform was outside the German revenue's direct reach, and most exchanges only responded to specific information requests. DAC8 flips the default to push. The Lithuanian regulator receives the report locally and forwards the German-resident slice to Berlin. The BZSt receives it whether or not the user mentions the account on their tax return.

Identification is the point of friction. DAC8 does not permit the platform to keep operating accounts where the user has refused to provide a TIN. After a documented outreach, the platform must "close" or "block" the account. Accounts opened on or after 1 January 2026 must be TIN-verified upfront. That changes the operational posture of every EU-licensed crypto-asset service provider materially.

The penalties are tax-criminal, not just administrative. Once the German tax authority has line-item evidence of crypto transactions, the burden of explaining them shifts. A previously-undeclared portfolio with gains over the §22 Nr. 3 EStG threshold becomes a Steuerhinterziehung case (tax evasion under §370 AO), which carries a custodial sentence of up to five years — ten in serious cases. Late voluntary disclosure (Selbstanzeige, §371 AO) is still available but its window narrows the moment the BZSt receives the first data drop. The KPMG Law commentary frames the risk bluntly: previously-passable non-disclosure is now exposed evidence. (KPMG Law, Strafrecht-Bundesweit)

The shape of what gets reported

A reportable transaction is any one of:

| Category | Examples in scope |
| --- | --- |
| Exchange transaction | BTC → EUR; ETH → USDC |
| Transfer | Withdraw to self-custody; receive from an external wallet |
| Retail payment transaction | Buying goods or services with crypto via a regulated payment processor |

Aggregated per user per asset per year, the platform reports the gross fiat-equivalent inflow and outflow, the number of transactions, and — for transfers — the destination wallet address when it has the data.

That last clause matters more than the rest. Self-custody is not itself reportable, but a transfer from a regulated platform to a self-custody wallet is reportable, and the destination address is part of the record. The protocol-level blockchain is public; the BZSt now learns which address belongs to which TIN. The on-ramp's "off-ramp to self-custody" step is, going forward, the inflection point where a wallet becomes named.

What's not in scope — and why that gap matters

Three categories sit outside DAC8.

The compliance reality is therefore bifurcated. Custody and exchange on a regulated EU platform sit inside an automatic-information regime. Self-custody activity is still effectively self-reported. The strategic implication is that the boundary between the two — the on-ramp and the off-ramp — is now the de facto enforcement choke point. Sophisticated tax-evading users will be the ones who never touched a regulated platform; everyone else, including most retail, will have a clean paper trail at the BZSt.

What service providers should already be doing

For platforms in scope, the implementation runway has expired. Practical work items as of mid-2026:

  1. Customer-onboarding pipeline. TIN + member-state pair captured at signup; self-certification form retained; documentary evidence (passport/ID) cross-checked against the declared residence. Existing customers re-papered through a documented outreach campaign with deadlines.
  2. Reportable-transaction taxonomy. Internal transfers between a customer's own accounts on the same platform are NOT reportable; transfers to external addresses are. Many exchanges historically didn't distinguish these in their ledger structure.
  3. Annual report format. XML schemas published by the European Commission; member-state portals (in Germany, BZSt's BOP) accept submissions through summer 2027 for the 2026 reporting year.
  4. Customer communications. The tax authority will see this data. Platforms that have framed DAC8 as a back-office detail are mis-pricing the customer-experience hit when the first BZSt comparison letters land in 2027.

What retail users should be doing

If you've been operating on the assumption that EU-licensed exchanges were a tax-administration grey zone — that's gone. The realistic options:

Editorial note

DAC8 is the most consequential change to the regulatory treatment of crypto in the EU since MiCA's licensing regime came online. MiCA was about who can operate. DAC8 is about who knows what about whom. The two together — a licensed perimeter that automatically pipes customer-transaction data to tax authorities — make "European-regulated crypto" a category that looks much closer to "European-regulated bank account" than to the operational anonymity that defined the asset class through 2024.

This is, in our editorial view, a good thing for the legitimacy of the regulated industry and a structurally bad thing for the value proposition of "regulated EU exchange" relative to (a) self-custody for users who value privacy, and (b) jurisdictions outside the EU-CARF perimeter for users who don't. The first effect should clarify the customer base of the regulated industry. The second is the harder problem and is the substance of what the BMF and the Commission will be measuring through 2027.

