Crypto transaction reporting from 2026 – what should crypto-asset service providers know about DAC8?

Starting in 2026, new regulations on the automatic exchange of information regarding crypto-asset transactions will come into force across the European Union.

These rules will introduce mandatory reporting obligations for a broad range of entities operating in the crypto sector – including platform operators, token issuers, wallet providers, crypto exchanges, and other companies facilitating the acquisition, disposal, or transfer of crypto-assets.

What is DAC8?

DAC8 is the common name for the eighth amendment to Directive 2011/16/EU on administrative cooperation in the field of taxation (Directive on Administrative Cooperation). This directive, in force since 2011, sets out the legal framework for the exchange of tax-relevant information between Member States. Previous amendments introduced:

• DAC2 – Automatic exchange of financial account information,
• DAC6 – Mandatory disclosure rules,
• DAC7 – Reporting obligations for digital platforms.

These initiatives aim to curb tax evasion and prevent income from being hidden outside the jurisdiction of tax residence. The overarching goal is to equip tax authorities with the information necessary to correctly determine taxpayers’ liabilities not merely relying on self-declared data.

DAC8 builds on this framework by extending information collection obligations to entities operating in the crypto-asset market.

Who will be affected?

The DAC8 rules will apply to companies and individuals providing crypto-asset services – meaning those enabling the purchase, sale, exchange, transfer, or custody of crypto-assets for clients. This will go beyond the largest exchanges and also include:

• Crypto exchanges and over-the-counter brokers,
• Wallet service providers,
• Token exchange platforms,
• Token issuers,
• Any intermediary facilitating crypto transactions.

DAC8 introduces the term ‘Reporting Crypto-Asset Service Provider’ (RCASP). This concept is based on the definition of a CASP under the EU’s MiCA Regulation but has a broader scope. While MiCA applies to entities operating under EU supervision, DAC8 will also apply to non-EU providers serving EU tax residents. Even in the absence of any formal presence within the EU, such a provider will be required to register in one Member State and comply with DAC8 reporting obligations.

Importantly, the scope is not limited to regulated financial services. Even if a company does not hold client funds but enables crypto transactions (e.g. token swaps or wallet-to-wallet transfers), it may still fall within the reporting remit.

Reportable activities will include:

• Acquisition or disposal of crypto-assets in exchange for fiat currency (e.g., EUR, USD),
• Exchange of one crypto-asset for another (e.g., ETH for USDT),
• Transfers of crypto-assets between user wallets,
• Any transaction where an RCASP acts as intermediary, agent, or tool provider.

Notably, both cross-border and domestic transactions will be reportable – including situations where both the provider and the user reside in the same Member State.

What data must be collected and reported?

Entities subject to DAC8 must submit annual reports on users and their crypto-asset transactions. Required user identification data includes:

• Full name (or entity name),
• Address,
• Country of tax residence,
• Tax Identification Number (TIN),
• For individuals: date and place of birth,
• If applicable: crypto-asset account identifier (e.g., hosted wallet address).

Required transaction data includes:

• Name and type of crypto-asset,
• Number of units involved,
• Transaction date,
• Type of transaction (e.g., deposit, withdrawal, exchange),
• Gross transaction value in fiat currency.

This information must be reported per user and per asset type. The first reporting year will be 2026, with reports due to tax authorities by 31 January 2027. In practice, data collection will need to begin as early as January 2026, regardless of when Poland or other Member States formally implement local legislation.

Alignment with OECD CARF

Although DAC8 does not explicitly reference the OECD’s Crypto-Asset Reporting Framework (CARF), its requirements are largely aligned. Therefore, providers operating internationally can expect similar obligations in other jurisdictions implementing CARF, such as the UK or Switzerland. Aligning internal data structures with CARF will help multinational firms meet reporting requirements across multiple regions.

DAC8 and polish law

Like other EU directives, DAC8 is not directly applicable and must be transposed into national law. Member States, including Poland, are required to implement DAC8 by 31 December 2025.

As of the date of this publication, Poland has not yet published even a draft bill to implement DAC8. Given that fewer than six months remain, it is likely Poland will miss the deadline as occurred in past with DAC7, which was implemented almost a year late. Nonetheless, Polish entities were required to report transactions that occurred prior to the enactment of local legislation.

This precedent suggests that failure to meet the legislative deadline does not relieve RCASPs of their reporting duties, but only delays enforcement. Therefore, businesses should begin preparations without waiting for national legislation.

How should firms prepare?

Crypto-asset service providers must reassess their internal processes for collecting and verifying customer data. Preparations should include:

• Updating KYC and AML procedures,
• Adjusting user onboarding to collect DAC8-compliant data,
• Implementing systems to track and categorise transactions,
• Ensuring cross-department coordination (compliance, legal, IT).

DAC8 requires RCASPs to perform specific due diligence procedures, including identifying the tax residence of users.

While the directive does not impose a uniform penalty structure, it requires Member States to introduce effective, proportionate, and dissuasive sanctions for non-compliance.

Conclusion

DAC8 will significantly reshape the regulatory landscape for crypto businesses operating in or serving the EU. Despite uncertainties surrounding national implementation, the 2026 deadline is fast approaching. Early preparation – particularly in IT infrastructure, data management, and compliance processes – will be essential to meeting the directive’s requirements and avoiding future penalties.