Author: Mark Galea Salomone – WH Partners
Malta has long positioned itself as a forward-looking EU jurisdiction for digital asset businesses combining EU membership, a sophisticated regulatory framework, and a proactive approach to fintech and blockchain innovation. That landscape is now shifting further, and this time the pressure comes from a tax transparency direction.
Council Directive (EU) 2023/2226 (“DAC8”) represents the EU’s most comprehensive effort yet to tighten tax transparency associated with crypto-assets. By introducing mandatory reporting obligations for crypto-asset service providers (“CASPs”) and enabling automatic exchange of information across EU Member States, DAC8 significantly raises the compliance bar for the entire sector.
The rules are live. With the rules applying from 1 January 2026 and Malta’s transposition understood to be in its final stages, CASPs operating in or from Malta face a narrowing window to prepare. This article outlines the key pillars of DAC8 and highlights the strategic and operational questions that every crypto-asset business should already be working through.
What Is DAC8 and Why Does It Matter?
DAC8 as the name suggests is the eighth iteration of a framework that has progressively expanded the EU’s tax information-sharing architecture. While earlier iterations focused on traditional financial institutions, bank accounts, and cross-border tax arrangements, DAC8 turns decisively to the crypto-asset ecosystem.
The EU’s policy rationale is clear. The rapid growth of crypto markets, coupled with their decentralised and inherently cross-border nature, has made effective tax oversight increasingly difficult. DAC8 addresses this by relocating the compliance obligation to the point of interaction: the service provider. Under this model, “Reporting Crypto-Asset Service Providers” are required to collect and report detailed transaction and user data, which is then automatically exchanged between EU Member States’ tax authorities.
For Malta, the implications are particularly significant. As a jurisdiction that has actively cultivated a well-developed digital asset regulatory framework, and which is home to a growing population of MiCA-authorised or soon-to-be-authorised CASPs, DAC8 is not a distant regulatory development. Given the complexity of the rules and as it is already a live obligation, it will test the sector’s operational depth as much as its legal awareness.
Who Is in Scope?
DAC8 applies broadly. It captures both CASPs authorised under MiCA (Regulation (EU) 2023/1114) and operators that are not MiCA-authorised but nonetheless provide in-scope crypto-asset services. Both categories fall within the definition of “Reporting Crypto-Asset Service Providers” for the purposes of the directive.
The scope of reportable activity is equally wide, covering:
- Crypto-to-fiat and crypto-to-crypto exchange transactions;
- Transfers of crypto-assets, including certain transfers to unhosted wallets; and
- Retail payment transactions.
The definition of reportable crypto-assets extends beyond mainstream tokens. Decentralised crypto-assets, certain stablecoins and NFTs are potentially in scope (subject to specific carve-outs), with reportability assessed on a case-by-case basis.
For CASPs operating in Malta, this immediately raises several strategic questions:
- Have you clearly mapped where DAC8 reporting obligations are triggered across your full business model?
- Does any part of your activity fall outside MiCA authorisation but still within DAC8 scope?
- Do you have a robust and defensible framework for classifying your services as well as tokens and reviewing reportability on a continuous basis?
The Data Challenge: From Legal Obligation to Operational Reality
DAC8 is not simply a legal compliance exercise. It is, at its core, a data and systems challenge.
The Directive requires detailed reporting of transaction aggregates by crypto-asset type, together with granular user information for each reportable individual or entity: name and address, Member State(s) of tax residence, tax identification numbers (TINs), and date and place of birth for individual users. Reported amounts must be expressed in fiat currency, using a consistently applied fair market valuation methodology.
This level of reporting introduces complexity across multiple operational layers such as onboarding, transaction processing, data storage, and auditability.
Due Diligence, Self-Certifications, and Control Frameworks
DAC8 places considerable weight on the quality and reliability of due diligence.
CASPs must obtain self-certifications from users in order to determine their tax residence, and these must be validated against existing KYC and customer due diligence information. Where a user’s circumstances change in a way that renders the original self-certification unreliable, a new valid certification must be obtained promptly.
The Directive also introduces a clear enforcement mechanism: where a user fails to provide the required information following two reminders, the CASP must block that user from carrying out reportable transactions. This is not a back-office technicality. It has direct and material implications for customer experience, platform design, and client retention and must be carefully integrated into front-end processes and client-facing communications from the outset.
Timelines, Record-Keeping, and Governance
The first reporting period begins on 1 January 2026, with the initial automatic exchange of information between tax authorities required within 9 months following the close of that calendar year. For businesses that have not yet begun preparing, this timeline is tighter than it may initially appear.
DAC8 also imposes stringent record-keeping obligations. CASPs must retain evidence of their due diligence procedures and underlying reporting data for a minimum of five years, and up to ten years, following the end of the relevant reporting period.
At Member State level, penalties for non-compliance must be effective, proportionate, and dissuasive. In practice, this means that DAC8 demands a structured compliance programme; one with clearly defined governance, documented policies and procedures, and measurable controls with clear lines of accountability across the business.
Conclusion: Act Now, Not Later
DAC8 reflects an unambiguous EU policy direction: crypto-assets are entering an era of standardised, systemic tax transparency, and that era begins now.
For CASPs in Malta, the challenge is not simply one of legal interpretation; it is one of operations and procedures. Embedding robust data capture, due diligence workflows, and reporting processes into the core of the business requires time, cross-functional coordination, and early investment in systems and governance infrastructure.
Crucially, DAC8 does not operate in isolation. It sits alongside MiCA and Malta’s wider regulatory framework for digital assets. An integrated, coordinated approach to compliance, one that maps DAC8 obligations against existing MiCA and AML frameworks, can reduce duplicated effort, streamline implementation, and strengthen overall operational resilience.
Although Malta awaits the final publication of the transposing legal notice, the direction of travel is unambiguous. The businesses that will be best positioned are those that act now, rather than those that wait for the first reporting deadline to focus minds.
