Compliance Briefing — EU DAC8 extends tax transparency to crypto-asset platforms

Executive briefing: On 16 May 2023 EU finance ministers reached political agreement on the eighth amendment to the Directive on Administrative Cooperation (DAC8), extending tax transparency rules to crypto-asset service providers (CASPs) and e-money institutions.^[1] The final text, published as Directive (EU) 2023/2226, requires CASPs serving EU clients—regardless of where they are established—to collect, verify, and report customer and transaction data annually starting 1 January 2026.^[2] The directive aligns EU reporting with the OECD Crypto-Asset Reporting Framework (CARF) and obliges member states to introduce consistent penalties and joint audit mechanisms.

DAC8 closes gaps left by DAC7’s platform-reporting scope and prevents unreported capital gains, staking rewards, and stablecoin transactions from slipping through fragmented national rules. Compliance teams at exchanges, custodians, and decentralized platforms offering in-scope services must build due diligence processes comparable to anti-money laundering (AML) checks, but tailored to tax transparency: identity validation, tax residency collection, and transaction classification tied directly to annual reporting templates.

Who must report and what data is captured

Directive 2023/2226 defines CASPs broadly, covering exchanges, brokerages, custodial wallet providers, and certain decentralized platforms when an intermediary facilitates customer transactions.^[2] Non-EU providers are in scope if they serve EU residents or entities, meaning LATAM or APAC platforms with EU customers must also comply. Reportable users include individuals and entities; exemptions apply for small-value transfers under prescribed thresholds and for central bank digital currencies.

CASPs must collect know-your-customer (KYC) data (name, address, taxpayer identification numbers, date of birth), verify identities, and capture wallet addresses and transaction details (asset type, quantity, fair market value, consideration, fees). Staking, airdrops, and exchange of one crypto-asset for another are reportable. Providers must reconcile transaction values to reliable price sources at the time of the event and store evidence supporting valuations.

Due diligence and verification requirements

DAC8 imports OECD CARF due diligence rules: providers must obtain self-certifications of tax residence, validate them against reliable independent documentation, and flag changes in circumstances.^[2] Existing customers require lookback procedures using electronically searchable records. Where documentation gaps exist, CASPs must treat accounts as undocumented and still report under default residency assumptions, increasing audit risk.

Compliance leaders should design onboarding journeys that combine AML and DAC8 checks to avoid duplicate outreach. That includes automated verification of identity documents, address validation, and controls that prevent trading until self-certifications are captured. Annual recertification triggers should be logged, and exception handling workflows must record rationale for accepting alternative evidence. Because data quality underpins cross-border exchange, internal audit should perform periodic sampling of KYC files and transaction valuations against blockchain records.

Reporting mechanics and joint audits

Member states must implement electronic reporting in XML schemas aligned with OECD CARF. CASPs will need to map transaction systems to the schema, assign reportable user identifiers, and classify transactions into prescribed categories (e.g., disposal, exchange, transfer). Data warehouses should retain history for at least five years to support audit queries. Because DAC8 also strengthens administrative cooperation on VAT and introduces joint audits, providers should expect coordinated examinations by multiple tax authorities when anomalies arise.^[2]

Joint audits mean that evidence packs—pricing sources, timestamped transaction logs, KYC documentation, and correspondence—must be organized so they can be shared with more than one tax administration. CASPs should implement access controls and audit trails showing who generated, reviewed, and submitted reports. Establishing a control owner for each field of the XML report can help tie validation checks (e.g., fair market value calculation) to accountable teams.

Penalties, dispute handling, and customer communications

DAC8 obliges member states to set effective and proportionate penalties for reporting failures and to harmonize them across the EU.^[2] CASPs operating in multiple jurisdictions should inventory penalty thresholds and appeal processes as local laws are transposed in 2025. Because customers will likely receive new tax statements or may be contacted by tax authorities based on DAC8 data, platforms need clear communications explaining what will be reported and how customers can reconcile the information with their own records.

Compliance and customer-support teams should create FAQs, update privacy notices, and prepare scripts for handling data subject requests. Legal teams must assess how DAC8 reporting interacts with GDPR obligations, ensuring lawful bases for processing, retention limits, and data subject access response protocols. Platforms that operate globally should also align DAC8 controls with U.S. Form 1099 and OECD Common Reporting Standard (CRS) processes to avoid divergent data definitions.

Implementation roadmap

With the application date set for 2026, CASPs should execute a structured implementation plan in 2024–2025:

• Perform a scoping analysis to determine which services fall within the DAC8 definition of CASP and identify EU-resident users.
• Design combined AML/DAC8 onboarding that collects tax residency and identity evidence before trading is enabled.
• Map transaction systems to the CARF-aligned XML schema and build valuation engines that capture fiat-equivalent values at the time of each taxable event.
• Establish maker-checker reviews and exception logs for onboarding, valuation, and reporting steps.
• Develop customer communication packs explaining what will be reported and how disputes will be handled.
• Run dry-run filings with anonymised data to test completeness, reconciliation, and error handling before go-live.

DAC8 marks a decisive expansion of EU tax transparency. CASPs that build robust due diligence, data quality, and reporting controls now will be better positioned to navigate joint audits and maintain customer trust once reporting begins.

Systems architecture and control mapping

CASPs need to map every data element in the DAC8 XML schema to a source system and assign control owners. A defensible design includes lineage diagrams from trading engines and blockchain nodes through valuation tools and data warehouses to the reporting layer. Each transformation—such as currency conversion, time-stamping, or wallet address normalization—should carry validation rules and exception handling.

Internal audit and compliance monitoring should schedule periodic walkthroughs of these data flows, sampling transactions end-to-end to confirm that reported values reconcile to on-chain activity and fiat settlement records. These walkthroughs should also confirm that change-management controls prevent untested code from altering reporting fields ahead of filing season.

Customer experience and consent management

Platforms will need to update privacy notices, consent flows, and data retention schedules to reflect DAC8 reporting. Clear disclosures at onboarding and within account settings should explain what data is collected, how long it is retained, and which authorities will receive it. Providing downloadable account statements and tax summaries can reduce disputes and call-centre load once DAC8 data exchanges begin.

Because customers may reside in multiple jurisdictions, CASPs should design preference centres that capture multiple taxpayer identification numbers and provide locale-specific guidance. Integrating these preferences into identity-resolution engines helps prevent duplicate profiles and ensures that reports submitted to tax authorities match customer-facing statements.

Penalty calibration and appeals: DAC8 requires member states to set effective, proportionate, and dissuasive penalties for non-compliance; firms should anticipate alignment with existing DAC7 and CRS penalty ranges in each jurisdiction. Maintain a matrix of local penalty provisions, appeal timelines, and responsible officers, and stage mock audits to validate that evidence packages (customer due diligence files, reconciliation reports, and filing acknowledgements) can withstand joint audits.

Cross-framework consistency: Align DAC8 data capture with EU anti-money laundering rules (AMLD5/6), GDPR consent records, and MiCA authorisation conditions to avoid conflicting client communications. When leveraging CARF schema design, document differences—such as transaction types or wallet classifications—and include translation logic in data lineage diagrams.

Internal audit coverage: Internal audit should test onboarding controls for crypto-asset users, sampling onboarding journeys to verify that self-certification, TIN capture, and residency determinations match DAC8 due diligence criteria. Audit should also validate encryption, access control, and retention configurations for exchanged data to satisfy GDPR and information security policies.

Operational readiness drills: Run parallel filings to tax authorities in a sandbox where available, reconcile submissions against transaction ledgers, and document root-cause analyses for variances. Establish a runbook for responding to tax authority queries within statutory timeframes, including named contacts, message templates, and escalation paths to legal and privacy officers.

Related briefings

Curated signals from the same pillar or overlapping topics.

Compliance · Credibility 87/100 · January 31, 2025

Compliance Briefing — January 31, 2025

With the 31 January 2025 DAC7 filing cut-off hours away, Zeph Tech is synchronising finance governance, universal opt-out handling, and evidence vaults so every EU platform report is defensible across tax, privacy, and…

Compliance · Credibility 89/100 · March 22, 2021

Policy Briefing — EU DAC7 Digital Platform Reporting Directive

The EU adopted Directive (EU) 2021/514 (DAC7), extending tax information exchange to digital platforms and obliging operators to identify sellers, collect revenue data, and report annually under harmonized due diligence…

Compliance · Credibility 89/100 · April 30, 2020

Compliance Briefing — UAE economic substance regime tightens reporting controls

Cabinet Resolution No. 57 of 2020 and Ministerial Decision No. 100 for 2020 overhauled the United Arab Emirates Economic Substance Regulations (ESR), expanding relevant activities, clarifying exempted licensees, and…

Compliance · Credibility 89/100 · May 16, 2023

Compliance Briefing — May 16, 2023

EU finance ministers gave final approval to MiCA, activating phased licensing, stablecoin, disclosure, and sustainability rules for crypto-asset issuers and service providers.

Compliance · Credibility 87/100 · May 31, 2023

Compliance Briefing — May 31, 2023

The EU Deforestation Regulation entered into force on 29 June 2023 following publication on 9 June, imposing due diligence, geolocation, and customs reporting obligations for commodities placed on the EU market.

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook — Zeph Tech

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room — Zeph Tech

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• SOX Modernization Control Playbook — Zeph Tech

  Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.