← Back to all briefings
Compliance 7 min read Published Updated Credibility 90/100

EU DAC8 extends tax transparency to crypto-asset platforms

EU DAC8 directive on crypto asset reporting in May 2023 extended tax transparency to digital assets. Crypto service providers must report to tax authorities.

Kodi C.

Editor & Research Lead

Fact-checked and reviewed — Kodi C.

Compliance pillar illustration for Zeph Tech briefings
Compliance controls, audit, and evidence briefings

On EU finance ministers reached political agreement on the eighth amendment to the Directive on Administrative Cooperation (DAC8), extending tax transparency rules to crypto-asset service providers (CASPs) and e-money institutions. The final text, published as Directive (EU) 2023/2226, requires CASPs serving EU clients—regardless of where they are established—to collect, verify, and report customer and transaction data annually starting . The directive aligns EU reporting with the OECD Crypto-Asset Reporting Framework (CARF) and obliges member states to introduce consistent penalties and joint audit mechanisms.

DAC8 closes gaps left by DAC7’s platform-reporting scope and prevents unreported capital gains, staking rewards, and stablecoin transactions from slipping through fragmented national rules. Compliance teams at exchanges, custodians, and decentralized platforms offering in-scope services must build due diligence processes comparable to anti-money laundering (AML) checks, but tailored to tax transparency: identity validation, tax residency collection, and transaction classification tied directly to annual reporting templates.

Who must report and what data is captured

Directive 2023/2226 defines CASPs broadly, covering exchanges, brokerages, custodial wallet providers, and certain decentralized platforms when an intermediary helps customer transactions. Non-EU providers are in scope if they serve EU residents or entities, meaning LATAM or APAC platforms with EU customers must also comply. Reportable users include individuals and entities; exemptions apply for small-value transfers under prescribed thresholds and for central bank digital currencies.

CASPs must collect know-your-customer (KYC) data (name, address, taxpayer identification numbers, date of birth), verify identities, and capture wallet addresses and transaction details (asset type, quantity, fair market value, consideration, fees). Staking, airdrops, and exchange of one crypto-asset for another are reportable. Providers must reconcile transaction values to reliable price sources at the time of the event and store evidence supporting valuations.

Due diligence and verification requirements

DAC8 imports OECD CARF due diligence rules: providers must obtain self-certifications of tax residence, validate them against reliable independent documentation, and flag changes in circumstances. Existing customers require lookback procedures using electronically searchable records. Where documentation gaps exist, CASPs must treat accounts as undocumented and still report under default residency assumptions, increasing audit risk.

Compliance leaders should design onboarding journeys that combine AML and DAC8 checks to avoid duplicate outreach. That includes automated verification of identity documents, address validation, and controls that prevent trading until self-certifications are captured. Annual recertification triggers should be logged, and exception handling workflows must record rationale for accepting alternative evidence. Because data quality underpins cross-border exchange, internal audit should perform periodic sampling of KYC files and transaction valuations against blockchain records.

Reporting mechanics and joint audits

Member states must implement electronic reporting in XML schemas aligned with OECD CARF. CASPs will need to map transaction systems to the schema, assign reportable user identifiers, and classify transactions into prescribed categories (for example, disposal, exchange, transfer). Data warehouses should retain history for at least five years to support audit queries. Because DAC8 also strengthens administrative cooperation on VAT and introduces joint audits, providers should expect coordinated examinations by multiple tax authorities when anomalies arise.

Joint audits mean that evidence packs—pricing sources, timestamped transaction logs, KYC documentation, and correspondence—needs to be organized so they can be shared with more than one tax administration. CASPs should implement access controls and audit trails showing who generated, reviewed, and submitted reports. Establishing a control owner for each field of the XML report can help tie validation checks (for example, fair market value calculation) to accountable teams.

Penalties, dispute handling, and customer communications

DAC8 obliges member states to set effective and proportionate penalties for reporting failures and to harmonize them across the EU. CASPs operating in multiple jurisdictions should inventory penalty thresholds and appeal processes as local laws are transposed in 2025. Because customers will probably receive new tax statements or may be contacted by tax authorities based on DAC8 data, platforms need clear communications explaining what will be reported and how customers can reconcile the information with their own records.

Compliance and customer-support teams should create FAQs, update privacy notices, and prepare scripts for handling data subject requests. Legal teams must assess how DAC8 reporting interacts with GDPR obligations, ensuring lawful bases for processing, retention limits, and data subject access response protocols. Platforms that operate globally should also align DAC8 controls with U.S. Form 1099 and OECD Common Reporting Standard (CRS) processes to avoid divergent data definitions.

Path to implementation

With the application date set for 2026, CASPs should execute a structured setup plan in 2024–2025:

  • Perform a scoping analysis to determine which services fall within the DAC8 definition of CASP and identify EU-resident users.
  • Design combined AML/DAC8 onboarding that collects tax residency and identity evidence before trading is enabled.
  • Map transaction systems to the CARF-aligned XML schema and build valuation engines that capture fiat-equivalent values at the time of each taxable event.
  • Establish maker-checker reviews and exception logs for onboarding, valuation, and reporting steps.
  • Develop customer communication packs explaining what will be reported and how disputes will be handled.
  • Run dry-run filings with anonymized data to test completeness, reconciliation, and error handling before go-live.

DAC8 marks a decisive expansion of EU tax transparency. CASPs that build strong due diligence, data quality, and reporting controls now will be better positioned to navigate joint audits and maintain customer trust once reporting begins.

Systems architecture and control mapping

CASPs need to map every data element in the DAC8 XML schema to a source system and assign control owners. A defensible design includes lineage diagrams from trading engines and blockchain nodes through valuation tools and data warehouses to the reporting layer. Each transformation—such as currency conversion, time-stamping, or wallet address normalization—should carry validation rules and exception handling.

Internal audit and compliance monitoring should schedule periodic walkthroughs of these data flows, sampling transactions end-to-end to confirm that reported values reconcile to on-chain activity and fiat settlement records. These walkthroughs should also confirm that change-management controls prevent untested code from altering reporting fields ahead of filing season.

Platforms will need to update privacy notices, consent flows, and data retention schedules to reflect DAC8 reporting. Clear disclosures at onboarding and within account settings should explain what data is collected, how long it is retained, and which authorities will receive it. Providing downloadable account statements and tax summaries can reduce disputes and call-center load once DAC8 data exchanges begin.

Because customers may reside in multiple jurisdictions, CASPs should design preference centers that capture multiple taxpayer identification numbers and provide locale-specific guidance. Integrating these preferences into identity-resolution engines helps prevent duplicate profiles and ensures that reports submitted to tax authorities match customer-facing statements.

Penalty calibration and appeals: DAC8 requires member states to set effective, proportionate, and dissuasive penalties for non-compliance; firms should anticipate alignment with existing DAC7 and CRS penalty ranges in each jurisdiction. Maintain a matrix of local penalty provisions, appeal timelines, and responsible officers, and stage mock audits to validate that evidence packages (customer due diligence files, reconciliation reports, and filing acknowledgements) can withstand joint audits.

Cross-framework consistency: Align DAC8 data capture with EU anti-money laundering rules (AMLD5/6), GDPR consent records, and MiCA authorization conditions to avoid conflicting client communications. When using CARF schema design, document differences—such as transaction types or wallet classifications—and include translation logic in data lineage diagrams.

Internal audit coverage: Internal audit should test onboarding controls for crypto-asset users, sampling onboarding journeys to verify that self-certification, TIN capture, and residency determinations match DAC8 due diligence criteria. Audit should also validate encryption, access control, and retention configurations for exchanged data to satisfy GDPR and information security policies.

Operational readiness drills: Run parallel filings to tax authorities in a sandbox where available, reconcile submissions against transaction ledgers, and document root-cause analyzes for variances. set up a runbook for responding to tax authority queries within statutory timeframes, including named contacts, message templates, and escalation paths to legal and privacy officers.

More on this topic

Further reading from our research library.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

  • Third-Party Risk Oversight Playbook

    Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

  • Compliance Operations Control Room

    Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

  • ESG Assurance Operating Guide

    Deploy credible ESG assurance across CSRD, SEC climate disclosure, and ISSA 5000 requirements with regulator-aligned controls, data governance, and audit-ready evidence.

Coverage intelligence

Published
Coverage pillar
Compliance
Source credibility
90/100 — high confidence
Topics
Tax transparency · Crypto-asset reporting · Due diligence · Joint audits
Sources cited
3 sources (consilium.europa.eu, eur-lex.europa.eu, iso.org)
Reading time
7 min

Source material

  1. Council agrees on new rules for information exchange on crypto-assets (DAC8) — Council of the European Union
  2. Directive (EU) 2023/2226 of 17 October 2023 amending Directive 2011/16/EU (DAC8) — Official Journal of the European Union
  3. ISO 37301:2021 — Compliance Management Systems — International Organization for Standardization
  • Tax transparency
  • Crypto-asset reporting
  • Due diligence
  • Joint audits
Back to curated briefings

Comments

Community

We publish only high-quality, respectful contributions. Every submission is reviewed for clarity, sourcing, and safety before it appears here.

    Share your perspective

    Submissions showing "Awaiting moderation" are in review. Spam, low-effort posts, or unverifiable claims will be rejected. We verify submissions with the email you provide, and we never publish or sell that address.

    Verification

    Complete the CAPTCHA to submit.