Crypto Law

Updated in July, 2023

Looking to establish a crypto/web3 business? 

Every crypto/web3 product brings a set of different legal questions. Whether you are creating a custodial or non-custodial wallet, an exchange (crypto-to-crypto or crypto-to-fiat), an NFT exchange, a staking and mining business, a token generator, or a launchpad, crypto projects are not immune from the law.

Let us answer the basic questions every web3 founder should ask when starting their business and help you learn how to set your business up for success.

1. Define Your Crypto/Web3 Product

Defining your product is crucial as it can determine where to incorporate your company and whether you require any licence or registration. For instance, even small iterations in your product’s data collection and processing flows may have consequences for privacy regulation setup, know your customer (KYC) and anti-money laundering (AML), while how decentralised your product is may have consequences for the legal classification of tokens used and for the liability of the company and founders.

The law is looking at the actual state of your product, not the label. Therefore the most important thing is what the product does in practice.

The questions that will help you define your product are discussed below in section 4.

2. Regulation

Blockchain technology aspires to introduce a network without borders, with smart contracts dictating what happens at any given moment and without intervention from third parties. BUT, even if the on-chain (blockchain ledger) world is hard to govern and change, the off-chain world (founders, companies, internet service providers, etc.) can be reached by regulators.

Where to Establish Crypto/Web3 Business?

The law governing crypto and web3 varies by country, so it will depend on your product which jurisdiction is right for you. There are also practical aspects of doing business in some countries to consider.

If you choose country A without crypto regulation and expect easier operation than in country B with crypto regulation, your decision can backfire. Country A’s status is often not permanent and carries the uncertainty of regulatory change, which can have a negative effect on both your product development and potential investors. When you choose a country without abundant legislation, you do not know what to expect or how the authorities act in practice. This brings a need to prepare for multiple scenarios and therefore higher costs (more scenarios mean more to consider, and the costs pile up).

In most cases, it is better to choose a country with a clearer regulatory framework concerning the crypto and blockchain space (such as Estonia, Liechtenstein, Switzerland) or countries without a specific crypto regulation but at least with a predictable legal system in general (such as Slovakia, the Czech Republic and Germany) than countries which do not regulate almost any area (such as the Cayman Islands).

When you choose a country with no specific crypto regulation, but with rich legislation in other areas, you are given flexibility within a certain range (grey area) of legal rules or guidelines within which you can operate. Uncertainty lies then in the question of how close you get to the “edge”. On the other hand, the “any crypto regulation is better than no crypto regulation” approach is not necessarily a one size fits all solution, and may not fully work for DeFi or DAO projects as these concepts are still mostly unknown to the existing legislative frameworks and any attempts to structure them according to traditional legal concepts may result in a non-functioning project.

Finally, operating under a jurisdiction where the government is supporting blockchain development (for example Liechtenstein with specialised legislation, Liechtenstein’s Blockchain Act) can bring you clarity and certainty in the limits of your product, even if it does impose restrictions and additional administration.

To sum up, the key here is to find the right balance between a reasonably liberal regulatory space that allows your business to grow, and having a sufficient level of certainty when it comes to the questions of what is permitted and how to conduct business legally.

Registrations and Licences

Registrations and licences are used by countries to set requirements for some types of crypto projects to comply with. The requirements differ from country to country and a licence in one country often cannot just be passported to other countries.

It is recommended to start planning ahead as obtaining the licence or filing registration may take several months. Depending on the jurisdiction, obtaining a licence can require submitting certain information such as your ID or proof of residence. Moreover, a poorly completed application can delay or even cancel processing by the authorities.

  • Estonia – You need a licence for certain activities. This includes: providing services for the storage and exchange of cryptocurrencies, making transactions and transfers in the client’s name or on their behalf, or providing initial coin or token offerings services.
  • Germany – You need a licence for crypto custody and trading.
  • Lithuania – You need a licence for a crypto exchange or a virtual (crypto) currency wallet service.
  • Czech Republic – You need a special trade licence for providing services related to virtual assets.

Examples of countries and crypto projects for which you need a licence, a special trade licence or registration. Requirements listed above are correct as of April 2023.

Regulatory sandboxes (an environment created and controlled by governments) provide a way for startups, entrepreneurs and established companies to launch products on a limited and temporary scale without having to comply with all legal requirements and with the guidance from the regulator. It allows consumers to test the software before it is opened to the market. Countries which run those sandboxes include, for example, the United Kingdom, Singapore, United Arab Emirates, Austria, Australia and in the US – Arizona, Wyoming, Utah and Kentucky. Sandboxes can also provide a platform for the earliest of ideas by having little or no requirements for applications. For example, in Arizona companies can participate in programs without having an office or employees in the state.

Anonymity of Crypto

KYC and AML compliance is required for many crypto projects in most jurisdictions. Historically, AML regulation targeted mostly banks and other financial institutions, but as cryptocurrencies, DeFi and other blockchain products entered the mainstream market, policymakers have been increasingly looking at how to expand AML compliance. 

It is precisely AML regulation that creates, through KYC, conflict with the general premises of privacy and anonymization which exist in the blockchain space. If AML regulations are applicable, you can be obliged to identify your users, keep all related documents and share them with the state authorities upon request. As a consequence, you will have to find a way to effectively verify the participants of your blockchain network and obtain the necessary information about them. With products already developed, it is sometimes impossible to comply with these obligations (the premise of blockchain is immutability and changes to introduce identification may not be technically possible) and therefore it is necessary to keep this in mind during development.

For blockchain projects connected with a financial system, there is a high chance that obligations regarding AML and KYC (mostly due to the classification of the token used and application of security laws) will apply. 

The relevant authorities that are active in the crypto area are, for example, FINTRAC in Canada; FinCEN, OCC, SEC and CFTC in the US, FCA in the UK, MAS in Singapore, BaFin in Germany, FAÚ in the Czech Republic, EBA in Europe or global FATF.

Breaches of AML regulations can result in both criminal and civil penalties, fines and prison terms (for example BitMex was charged with a $100 million penalty). Companies that are found to have broken AML laws also often suffer reputational damage and may have to further operate under restrictions imposed by the respective authorities (e.g. to freeze your bank accounts).

EU and US Regulation

Neither the EU nor the US has effectively created a harmonised regulatory environment in crypto yet.

What could bring more harmonisation in the EU is the “Markets in Crypto-Assets Regulation” (MiCA). It’s part of the EU’s digital finance strategy, and it tries to deal in a holistic manner with the crypto ecosystem to establish clear and passport-able licensing, meaning you will be able to use a licence obtained in one state also in other EU states. MiCA would allow firms to operate across the EU under the same rules, and also increase consumer protection standards. Although MiCA will only come into force in 2024 at the earliest, it is recommended to monitor developments and changes in this effort and plan projects that already comply with it. 

On the other hand, the US does not yet have these harmonisation efforts. There is often a clash between federal and state laws. Some states are very supportive of crypto (Wyoming), while others are not so much (New Jersey). The legislation applicable will mostly come down to federal regulators like the SEC. The US in general is one of the countries with the most active regulators (SEC has been involved in crypto disputes since 2013) and regulation is quickly evolving.

3. Tokenization

A token is a special virtual asset. It represents tradable assets or utilities that reside on the blockchain. Tokens can be used for various purposes (e.g., as an investment, to store value, to establish a right to a particular service/product or a right to participate in the governance of a blockchain network).

In other words, a token is a representation of a particular right. It can be a right to influence the future of a protocol or an app (such as the say in the governance of the network), an ownership right to an asset whether unique digital or real-world asset (such as NFTs) or a right to a utility, meaning a right to use a digital application. 

The main categories of tokens are:

  • utility tokens – providing rights to access or use a digital application or service;
  • payment tokens – providing a means of payment; and
  • security (asset) tokens – providing the crypto equivalent of traditional securities like stocks and bonds.

Security Tokens

If you are planning to issue a token you should first check whether you are creating a security token. If the transaction would be considered a security transaction, the regulatory requirements for it increase significantly, including, for example, the requirement for AML compliance, a need for professional managers or publication of a prospectus before the offer of your token.

You should also be aware that at different stages of your product the category of the token can change. Examples of when this can occur include if your crypto becomes more decentralised or if the token becomes subject to multiple jurisdictions with varying laws.

Another challenge here is that attention must be paid not only to the laws of the jurisdiction where you are domiciled but also to the local laws of your users. This sometimes leads to a decision to forbid users from a jurisdiction where the laws are stricter and authorities rather active, e.g. the US.

Utility Tokens

In the case of utility tokens, to avoid falling under security regulation, avoid promising users any interests, profit sharing or other compensation (such as shares or bonds). Please be aware that in some jurisdictions, such as the US, even mentioning any profit expectation in the white paper or advertising materials, could lead to a subsequent application of security laws.

On the other hand, a mere description of a token as a “utility token” is not enough; it is the factual state of the tokens that matters. Utility tokens mostly bring only issues regarding general civil law, consumer protection law and the law regarding general terms and conditions.

4. Important Questions for All Crypto Founders

The following questions can help you define your product and the legal frameworks which may apply.

Composition of Product

Is the product fully decentralised, fully centralised or a hybrid of both? Is your company or another party going to be able to interfere with transactions, take custody of tokens or funds, and have a significant effect on voting? What will be the role of founders? Will they manage, only deploy the product on the blockchain network or a hybrid of both?

These questions will help to determine aspects of the potential liability of founders and other cooperating entities for matters connected with a product. These depend mainly on the involvement of the various parties that are present on your blockchain product’s network. In general, the greater the involvement and impact of a party (for example in management, marketing or promotion), the greater the likelihood and degree of potential liability.


Who will your customers be? Are you creating a B2B or B2C product or service? From which countries will your customers come? Can you even determine where your customers are (can you meet the KYC requirements)?

This is not a direct crypto issue, but it is also important to mention. Many consumer rights apply regardless of any contract terms and conditions agreed by the parties (unfair terms, distance selling regulations, product liability, etc.).

In this area, targeting US customers can bring regulatory hurdles (e.g. the need for registration with the SEC). Because of the activity of the SEC and other US government agencies (e.g. the actions taken against Telegram and the DAO network, and the Kik proceedings), it is difficult to complete most token-generating events involving US persons.


What is the planned monetization model? Is it feasible from legal and tax perspectives?

It is always necessary to devise a strategy for the flow of money into the project, but also the flow of money from the project back to the founders.

Jurisdiction of Founders and Product

What jurisdiction will your business operate out of?

It usually does not matter where you are based formally (“on paper”). Instead, regulators often look at your physical operation and business activity in a given country (such as where your users are connecting from, where you are working and where your programmers develop the product). This can be important from the perspective of taxation, consumer protection, labour and IP.

5. Decentralization

A frequent debate among the public interested in web3 is whether decentralized tools, such as DAOs, should be regulated at all and whether they need to be subject to any legal regime. There are also frequent disputes about what type of legal entity a DAO even constitutes and whether it should have a legal personality.

From the legal perspective, a typical DAO is a group of people that organize themselves for a specific purpose using various digital communication tools and collectively hold some funds in digital currencies. This type of structure has no legal personality meaning its members’ actions are their own and their liability is not limited. This also means the collective is not capable of having rights and obligations. 

A DAO is only a new tool for organizing human activity, not a new type of legal entity.

DAOs without legal personality can therefore face problems including:

  • broad liability of DAO members for the organization’s actions and activities; 
  • inability to enter into contracts with potential business partners; 
  • inability to employ staff; 
  • difficulties in opening bank accounts;
  • uncertain tax position; 
  • insufficient protection of intellectual property rights; 
  • inability to hold property and assets. 

A DAO without legal personality may thus exist only to a limited extent. It can use the decentralized online environment to operate and transact, but it cannot enter into legal relationships in the traditional world. Operating a DAO using a DAO alone is therefore highly risky. The setup of a legal entity (a “legal wrapper”) is highly recommended to mitigate the risks listed above.

6. Additional Sources

There are many recognized sources providing crypto/blockchain-related content where you can find out more:

  • Kraken’s crypto guide provides descriptions of how some of the top crypto projects work. This guide will help you understand projects that are already operating.
  • Binance Academy has useful information about all blockchain and crypto topics. Whether you are a crypto rookie or a veteran, you can always find something useful there. 
  • Coinbase Academy is aimed at crypto beginners. This source includes guides and explainers for your crypto questions.
  • The European Union Blockchain Observatory and Forum provides more detailed research papers designed for intermediate crypto enthusiasts.
  • Metamask Learn will show you what Web3 is, why it’s important to you, and how to use a digital wallet along the way.
  • Ethereum Learn Hub is an educational guide to the world of blockchain. This page includes technical and non-technical articles, guides, and resources.
  • Blockgeeks is a community providing various reports, guides and courses on the topics of cryptocurrencies, blockchain and web3.
