MiCA, DAC8, DORA and Travel Rule
2026 Compliance for Czech Crypto Exchanges
In 2026, crypto-asset service providers in the Czech Republic and the EU are facing an unprecedented wave of regulatory requirements. The MiCA Regulation, now fully enforced, and the DAC 8, DORA and FATF Travel Rule directives are transforming their operating model. This article explains what crypto exchanges must do, what the risks of non-compliance are, and what issues both Czech and foreign operators encounter on the Czech market.

Key takeaways
MiCA and its impact on Czech crypto exchanges
The MiCA Regulation (Markets in Crypto-Assets Regulation) introduces a single regulatory framework for all crypto-asset service providers (CASPs) across the European Union. In the Czech Republic, the competent authority role has been assumed by the Czech National Bank (CNB), which began issuing authorisations under harmonised European standards on 30 December 2024. Any crypto exchange that wants to provide services legally to the Czech population or any EU population must currently undergo a strict authorisation process.
Although this may seem like a formal requirement, the reality is more complex. The authorisation process is highly selective and requires meeting very stringent criteria. Entities that provided services before 30 December 2024 and applied for authorisation by 30 December 2025 could continue operating during the transitional period; however, this transitional period ends no later than 1 July 2026. After that date, every service provider must already hold a valid licence.
Mandatory authorisation and the licensing process
What exactly does the regulator assess? First and foremost, governance and control systems—how the company has set up decision-making processes, what its AML/CFT policy is, how it addresses risks, and who bears responsibility. Second is capital adequacy—the minimum initial capital varies depending on the services provided.
For example, operating a crypto-asset trading platform, exchanging crypto-assets for fiat currency or other crypto-assets, or receiving and transmitting orders relating to crypto-assets requires initial capital of EUR 125,000 (Article 63 MiCA). For custody services, it is EUR 150,000 (Article 63 MiCA).
Third are security measures, which fall under the DORA Regulation. Fourth is the verification of beneficial owners and their suitability. Without addressing all of these points, the CNB will not grant authorisation.
The CNB issued the first few authorisations during 2025 and in early 2026. This means the process is demanding and the number of licensed operators remains low so far. For entrepreneurs, the message is clear: the authorisation process takes months, requires high-quality legal and compliance preparation, and cannot be handled on an improvised basis.
Companies that recognised this earlier and started preparing from 2024 now have an advantage. Those that hesitated face a real risk of having to suspend operations.
Contents of the authorisation file and practical obstacles
What specific documents and information must a crypto exchange submit? MiCA sets out a long list. The basics include a detailed description of the organisational structure, including the alignment of management bodies, an explanation of who is responsible for what, and how the independence of the compliance and risk management functions is ensured.
This is not a document that merely “records” the structure formally, but a demonstration of how it actually operates. Other important elements include financial models and a three-year plan. The crypto exchange must demonstrate that it has realistic revenues, is not dependent on a single client, and has the resources to meet regulatory obligations.
ARROWS’ Prague-based attorneys often see situations where smaller entities underestimate the true costs required for compliance teams, audits, or technical infrastructure. An AML/CFT policy with a “risk-based” approach is also necessary, meaning different levels of verification for clients from high-risk countries and different levels for ordinary local clients.
It cannot be the same for everyone. An IT security audit by an independent third party is essential and must include penetration testing, vulnerability testing, and compliance with DORA.
Ownership and co-control arrangements, including information on all persons with influence over decision-making, are also material. If there are foreign individuals behind the company, their background must be vetted. Many entrepreneurs believe that preparing such a file can be done quickly.
In practice, it takes 6–12 months if the company is already partially prepared. If it is only just starting, even longer timeframes should be expected. Attorneys from ARROWS, a Prague-based law firm, help clients structure the file so that it meets the CNB’s expectations and is aligned with other legal obligations (e.g., tax, corporate governance, etc.).
Passporting and operations in other EU countries
One of MiCA’s major advantages is so-called passporting. If a crypto exchange obtains authorisation in the Czech Republic (or any other EU country), it can then provide its services across the Union without having to obtain licences in each country separately.
It is sufficient to notify the CNB of the intention to provide services, which will then be recorded in the ESMA register. This sounds like a major advantage for expansion—and in many respects it is. However, in practice there are limitations.
A crypto exchange may passport only those services for which it is authorised in its home country—it must not expand its service offering abroad without approval from its home regulator. Furthermore, if it has more than 15 million annually active users in a given host country, it becomes subject to direct supervision by the European Securities and Markets Authority (ESMA), which means increased regulatory scrutiny.
In addition, some states may retain additional requirements for information and data collection. For Czech entities, this means a realistic plan: first obtain Czech authorisation, then expand into other countries gradually and carefully.
ARROWS attorneys address precisely these cross-border aspects and understand the specifics of individual jurisdictions. We have partners for this within the ARROWS International network, which is useful when dealing with more complex structures with a foreign element.
DORA Regulation and digital security
Although DORA (Digital Operational Resilience Act) is not a crypto-specific regulation but a general regulation of the financial sector, it also applies to crypto exchanges. It entered into force on 16 January 2023, but its requirements apply and are fully enforceable from 17 January 2025 (Article 64 DORA).
What does DORA specifically require? Above all, three pillars: (1) ICT risk management – the process by which a crypto exchange addresses cyber risks, who is responsible for them, and how the risks are managed.
(2) Third-party risk management – if a crypto exchange uses third parties (large cloud platforms, payment gateways, etc.), it must understand what risks it has assumed as a result. (3) Incident reporting – in the event of a major cyber incident, the crypto exchange must report it to the ČNB without undue delay and ensure damage is minimised.
From the perspective of crypto exchanges, the criterion of “critical third-party providers” (CTPPs) is particularly complex. If a crypto exchange relies on a large cloud platform or a payment gateway and it fails, regulators seek to prevent systemic risk from spreading.
This means that each such critical third party must be assessed, contractually secured (with audit and access rights), and, where possible, backup solutions should exist. In practice, this means: crypto exchanges that run on “cheap hosting” and have a simple IT infrastructure without redundancies cannot be DORA-compliant. They must invest in 24/7 monitoring of security threats and incidents.
Penetration tests at least once a year and IT risk documentation with a threat matrix and mitigating measures are essential. Incident management is also key, defining what happens in the event of a ransomware attack or a data breach.
Redundant measures are necessary to ensure system functionality if one component fails. Employee security training is also important.
The Czech National Bank issues and will continue to issue detailed recommendations and requirements for supervision of digital security. It is not enough to have a security policy “on paper”—it must be genuinely implemented.
DAC 8 and tax transaction reporting obligations
Directive DAC 8 (Directive on Administrative Cooperation – eighth amendment) opens a new chapter in the transparency and traceability of cryptocurrency transactions. This directive, adopted by the EU as part of the fight against tax evasion and money laundering, extends reporting obligations to crypto exchanges and their clients.
What exactly does DAC 8 require?
From 1 January 2026, crypto exchanges established in the Czech Republic must collect and report to the relevant Ministry of Finance the relevant information on all reportable crypto-asset transactions. This concerns tax residence—i.e., in which country the client has tax obligations.
Transaction data is important—who sent it, to whom, in what amount, in which cryptocurrency, and when. The type of transaction is also reported—crypto-to-fiat exchange, crypto-to-crypto exchange, purchase of goods/services, staking, lending, etc.
Exchange rates and the CZK equivalent are key—what the exchange rate was on the transaction date and what the amount was in Czech crowns. The reporting obligation applies to all relevant crypto-asset transactions that meet the definition under DAC 8.
Crypto exchanges must keep records of all transactions in case of a later inspection, whether or not they are subject to central reporting.
When and to whom is the report submitted?
Crypto exchanges submit the report once a year by 30 June for the previous calendar year. The recipient is the competent tax office, which is part of the Financial Administration of the Czech Republic.
The information is then automatically shared among the tax authorities of individual EU countries and other countries that have joined the OECD initiative (CRS standard). This means that if a Czech entity has part of its funds purchased in the Czech Republic and part on an exchange, for example in Singapore or the United Kingdom (if these countries are part of the automatic exchange of information under the CRS standard or other agreements), the tax authorities of those countries will receive information about that client.
Impact on clients
For clients of crypto exchanges, this means an entirely new transparency regime. They can no longer buy crypto “anonymously” and hope that no one will know about it.
If a specific client does not provide the crypto exchange with the necessary information (such as tax residence), the crypto exchange is obliged to suspend services for that client. This also creates a new situation for entrepreneurs or investors who previously thought they had “at least some crypto for themselves, without reporting”.
From 2026, this will no longer apply. This reflects a global trend. The FATF and the EU have decided that “crypto will not remain beyond the reach of the law forever”, and they are gradually integrating it into standard financial supervision.
AML/CFT obligations and compliance
Anti-money laundering (AML) and counter-terrorist financing (CFT) are becoming one of the most sensitive areas of regulation for crypto exchanges. In recent years, some of the world’s largest exchanges have been fined for failures in their AML/CFT systems.
For example, one of the world’s largest exchanges paid substantial fines in the billions of US dollars, and other entities have been penalized in the millions of euros. This signals how seriously regulators approach the enforcement of these obligations.
Know your customer (KYC) – the cornerstone
KYC is a core element of compliance. Before opening an account for a client, a crypto exchange must identify the client, verify their identity against an ID document, and also determine their source of funds (Source of Funds). At a minimum, this includes the name—it must be the client’s real name.
Date of birth is also required—to verify age and, in some countries, also for registration in central databases. An address is essential—either permanent residence or a business address.
The account type is also important—an individual, a legal entity, or something else. And finally, the purpose of use—why the account is being opened (trading, long-term investing, purchasing goods, etc.).
In practice, this means every client must go through verification, which in an online setting often includes a liveness test (a selfie with an ID), an OCR test (optical character recognition of the document), and screening against PEP (Politically Exposed Persons) and sanctions lists.
Transaction monitoring and the Travel Rule
Once a client has passed KYC verification, the crypto exchange must continuously monitor their transactions. The Travel Rule, set by the FATF and now implemented through MiCA, requires that for every transfer above EUR 1,000 (or the equivalent amount in USD) between crypto exchanges or to an unhosted wallet, the identity of both the sender and the recipient is captured and verified.
In practice, this works as follows: when a client sends crypto from one exchange to another, the sending exchange must transmit information with the transaction such as “the recipient is person XYZ, passport number ABC, address DEF”. The recipient exchange verifies and archives this information. If the recipient were a person on a sanctions list, the exchange should stop the transaction.
This sounds simple, but in practice it means that every exchange must have established communication channels with other exchanges, digital infrastructure for exchanging information, and staff to manage it. Many smaller exchanges that have not implemented these systems in time face difficulties in enforcing the requirements.
Reporting suspicious activity (SAR/STR)
If a crypto exchange detects a transaction that appears suspicious—for example, a sudden inflow of funds from a person without justification, a transaction involving a person on a sanctions list, or structured small transactions that together create a sum intended to circumvent limits—it must report it.
A report (Suspicious Activity Report – SAR, or in the EU a Suspicious Transaction Report – STR) is submitted to the Financial Analytical Office (Finanční analytický úřad, FAÚ) in the Czech Republic, or to the relevant Financial Intelligence Unit (FIU) in other EU countries. If the exchange finds that it has received a transaction from someone who is already on a sanctions list, it is required to block the transaction, freeze the assets, and inform the Czech National Bank (ČNB) and the FAÚ.
The reality is that regulators have previously focused on cases where exchanges had a huge volume of unprocessed or insufficiently analyzed suspicious transactions that were not reported in time. During an inspection, the Czech National Bank (ČNB) monitors precisely this point: how long it takes to analyze a transaction, how the decision-making process is documented, and whether SAR/STR reports are submitted without undue delay.
Sanctions screening and specific threats in 2026
In 2025, there was a major increase in sanctions and their application to the crypto sector. According to available reports and analyses, there has been a significant rise in the value of transactions involving sanctioned entities. Russia, Iran, and North Korea actively use crypto exchanges to circumvent sanctions, and regulators are closely monitoring and responding.
OFAC (Office of Foreign Assets Control) has in the past sanctioned a number of crypto exchanges that facilitated transactions with entities from Russia, Iran, and North Korea. The European Union has adopted sanctions packages specifically targeting crypto-asset services.The UK Office of Financial Sanctions Implementation (OFSI) is taking a similar approach.
What does this mean for a Czech crypto exchange? It means it cannot accept clients from certain countries, cannot send or receive transactions to/from certain countries, and cannot do business with certain persons listed on sanctions lists.
Sanctions management requires at least one screening before onboarding—verifying that the client is not on OFAC, EU, UK, or other relevant lists. Ongoing screening is also necessary—monitoring whether the client is added to a list during the course of the relationship.
Record-keeping is key—archiving when screening was performed, what the result was, and who performed it. And last but not least, transaction blocking—if a suspicious transfer is detected, it must be stopped.
All of this requires modern compliance software and processes. A crypto exchange that tries to do everything manually or has outdated systems will very quickly find itself at risk of fines and reputational damage.
Practical issues crypto exchanges are dealing with in 2026
Until 1 July 2026, crypto exchanges that provided services before 30 December 2024 and submitted an authorisation application by 30 December 2025 could continue operating under the so-called transitional regime, even if they did not yet have final authorisation. After that date, it ends completely—no authorisation, no business.
ESMA has clearly stated that any entity providing services without a licence will, as of 1 July 2026, be in breach of EU law and will be subject to enforcement. This creates a very stressful situation.
Companies that, in lawyers’ view, deserve authorisation but whose files the Czech National Bank (ČNB) has not yet finished processing will have to either actively manage existing clients and prevent new ones from coming on board, or risk legal penalties.
Crypto entrepreneurs face a lack of access to banking
One of the major problems for crypto exchanges in the Czech Republic is that traditional banks (e.g., those linked to older Canadian or Scandinavian groups) do not want to deal with crypto. They commonly refuse to open standard bank accounts for crypto exchanges, or they close accounts even when the exchange is compliant with regulations.
This is paradoxical, because MiCA grants crypto exchanges a licence to operate – but without a bank account they cannot fully benefit from that licence. A number of Czech crypto exchanges therefore look for banking partners abroad – in Lithuania, Estonia, Malta, or in the United States (if they have EU sub-entities).
However, this usually means additional compliance, additional AML obligations, and higher costs.
The problem of tokenisation and asset classification
MiCA strictly distinguishes between different types of crypto-assets: mainstream cryptocurrencies (e.g., Bitcoin, Ethereum), asset-referenced tokens (ARTs), e-money tokens (EMTs), and other crypto-assets. Each category has different requirements.
The problem is that many projects (e.g., wrapped tokens, various DeFi protocols) fall into a grey area. Is it a security, a commodity, or something else entirely?
The EU is trying to clarify this, but for a Czech crypto exchange it means it must handle the classification itself, along with the related regulatory obligations. The attorneys at ARROWS, a Prague-based law firm, focus on precisely these classification issues and can help clients structure their offering so that it complies with the regulations of individual countries.
|
Potential issues |
How ARROWS can help (consultation@arws.cz) |
|
Missing or incomplete authorisation after 1 July 2026 – An entity without an active MiCA licence must suspend all activities; it faces penalties of up to 10% of annual revenues (turnover) (Article 111 MiCA), withdrawal of the licence, and potentially even criminal liability. |
The attorneys at ARROWS, a Prague-based law firm, will prepare a comprehensive authorisation file, secure all required documents, financial models, AML policies, and security audits required by the Czech National Bank (ČNB). We represent the client in dealings with the regulator. |
|
Non-compliance with AML/CFT systems – Weak KYC procedures, inadequate SAR/STR reporting, and transaction monitoring lead to fines that can reach tens to hundreds of millions of Czech crowns, and to regulatory intervention. |
ARROWS can help design and implement risk-based KYC processes, set up transaction monitoring, train the compliance team, and ensure that reporting is carried out on time and correctly. |
|
DAC 8 reporting and tax considerations – From 2026, crypto exchanges must report transactions to the tax authorities. Incorrect reporting or erroneous data lead to significant fines, which can reach millions of Czech crowns, and to additional tax assessments for clients. |
ARROWS, a Prague-based law firm, will ensure the legal structure for reporting, tax-efficient setup, and communication with the relevant Ministry of Finance. We also advise clients on their tax obligations. |
|
DORA incidents and cyber risk – If a security incident occurs (hack, ransomware), it is not only a data loss issue, but also an obligation to notify the Czech National Bank (ČNB) without undue delay; an unprepared crisis response leads to fines and loss of trust. |
We will help structure an incident management plan, set up monitoring, and manage communications with the regulator. We represent the client during the incident and communicate with the Czech National Bank (ČNB). We have experience with crisis management in similar situations. |
|
Sanctions screening and Travel Rule compliance – If a crypto exchange does not block transactions of sanctioned persons or does not implement the Travel Rule, it faces high fines and reputational attacks. |
ARROWS can help clients select the right compliance software, set up screening processes, and ensure documentation. We also represent the client if an inspection or enforcement action occurs. |
Final summary
2026 represents a moment of transformation for everyone doing business with cryptocurrencies in the Czech Republic. The MiCA Regulation, with the final deadline of 1 July 2026 for the end of the transitional period, DAC 8 obligations from 1 January 2026, compliance requirements under the FATF Travel Rule, and the DORA Regulation on digital resilience – all of this means that operating a crypto exchange is no longer a matter of a few computers and a handful of people.
It is a complex operation requiring legal infrastructure, compliance systems, IT security, audit, and ongoing monitoring. For crypto exchanges, this has real impacts: without authorisation after 1 July 2026 they cannot remain on the market; without proper AML/CFT they risk high fines (in the tens to hundreds of millions of Czech crowns for serious breaches); and without DORA compliance they risk system failure and sanctions.
At present, there is only very limited time left for the remaining entities that still do not have authorisation to have a chance to obtain it. Others will, in practice, end up outside the legal market. This is not pessimism, but the reality of regulatory developments.
In a positive sense, this means that the crypto sector is gradually “normalising” and ceasing to be a grey area. Clients have more protection, exchanges are supervised, and the system as a whole is safer. In a negative sense, it means higher costs, more complex operations, and strict compliance.
If you are a crypto exchange or a crypto-asset service provider and you are not sure how to proceed, do not hesitate to contact the attorneys at ARROWS, a Prague-based law firm (consultation@arws.cz). We offer comprehensive legal advice on crypto-asset regulation under Czech and EU legislation, preparation of authorisation files for the Czech National Bank (ČNB), setup of AML/CFT systems, DORA implementation, and assistance with DAC 8 reporting.
If you have an international element – e.g., you have clients in other EU countries or you are planning expansion – we have the ARROWS International partner network to address these cross-border matters.
Read also:
- MiCA and Czech Compliance: Legal Pitfalls for Crypto Projects
- How to Obtain a Czech National Bank Licence for Financial Institutions
- Phishing Under the New Cybersecurity Act: Managers’ Personal Liability
- AI governance in companies: How to do it right to avoid legal problems and fines
- Defending Managers and Owners in Economic and Tax Crime Investigations
About the author
Disclaimer:
The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (consultation@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.
