Folio v0.9 — CEX + On-chain Consolidation is liveSee what's new →
Wag3sWAG3S
Get Started

DAC8 Penalties for CASPs: What Non-Compliance Actually Costs in 2026

Regulation·

DAC8 Penalties for CASPs: What Non-Compliance Actually Costs in 2026

DAC8 penalties are set by each EU Member State within an EU-mandated minimum severity. Here's what triggers a penalty, how the regimes vary, why MiCA licence risk is the bigger exposure, and how a CASP should think about the cost of non-compliance.
Author avatar Wag3s TeamEditorial team specializing in Web3 finance, crypto tax, and DAO operations. Based in Zurich, Switzerland.

Reviewed by Wag3s Editorial Team — verified against Council Directive (EU) 2023/2226 and European Commission DAC8 guidance · Last reviewed May 2026

DAC8 Penalties for CASPs

The question every crypto-asset service provider asks about DAC8 is "what does it cost if we get it wrong?" The honest answer is: it depends on the Member State, and the monetary fine is rarely the part that should worry you most. This article covers what triggers a penalty, how the national regimes vary, and why the licence consequence is the real exposure.

TL;DR

  • Penalties are national. DAC8 is a Directive — each Member State sets its own amounts and structures in transposition law.
  • EU floor on severity. The Directive mandates effective, proportionate, dissuasive sanctions with a minimum severity to block jurisdiction shopping. No single harmonized EU figure.
  • Three trigger categories: failure to report, data-integrity failures, due-diligence failures.
  • The real exposure is the MiCA licence, not the fine. Serial DAC8 non-compliance is a supervisory concern for an authorized CASP.
  • First exposure crystallizes in 2027 (FY 2026 reporting) — but the data quality that determines it is being built now.

What triggers a penalty

DAC8 penalty exposure falls into three categories:

1. Failure to report

Missing the statutory deadline for the annual data submission. The CASP filing deadline is set nationally within the window that allows the EU authority-to-authority exchange to complete by 30 September following the reporting year. Late or non-filing is the most clear-cut trigger.

2. Data-integrity failures

Submitting incomplete, inaccurate, or false information. This is the most common real-world exposure because it is not binary — a report can be filed on time and still be defective:

  • Missing reportable users (a wallet or sub-account not linked to the user)
  • Incorrect tax-residency determination
  • Aggregates that don't reconcile to the underlying transactions
  • Wrong counterparty categorization

Data-integrity failures are where most CASPs are actually at risk, because they can believe they are compliant while filing defective aggregates.

3. Due-diligence failures

Neglecting the mandatory verification process — most importantly, failing to collect and verify Tax Identification Numbers and tax-residency self-certifications. A CASP that filed a report but never verified the self-certifications underneath it has a due-diligence failure even if the numbers happen to be right.

How the national regimes vary

Because DAC8 is a Directive transposed nationally, penalty design differs across the EU. Common structures:

StructureHow it worksWhere it tends to appear
Fixed per-failure fineA set amount per omitted record or per failureSeveral Member States use this for clarity
Revenue / turnover-basedPenalty scaled to the CASP's turnoverUsed where regulators want proportionality to size
Escalating for repeat failuresHigher amount on the second and subsequent failuresCommon across the board
Licence consequenceSupervisory action up to authorization impactThe serious-case backstop

The EU's design intent is a minimum severity floor so a CASP cannot relocate its reporting nexus to a lenient Member State. You cannot assume the most favourable national regime applies to your whole EU footprint — the reporting nexus rules determine which Member State's penalties bite.

Because exact figures and structures change with national transposition and are finalized at different times across Member States, this article deliberately does not publish per-country amounts. Confirm the current statute in each Member State you serve rather than relying on a generic number.

Why the licence is the real exposure

For a MiCA-authorized CASP, the monetary fine is usually survivable. The existential risk is the operating licence.

Serial or serious DAC8 non-compliance is not just a tax matter — it is a supervisory signal. A CASP that cannot demonstrate control over its tax-reporting obligations raises a governance and systems-and-controls concern that feeds into the MiCA authorization assessment. The framing that matters internally: DAC8 compliance is licence protection, not a tax-filing chore.

This reframes the cost-benefit. The investment in a clean DAC8 data pipeline is not justified by avoiding a one-off fine — it is justified by protecting the authorization the entire business depends on.

When exposure crystallizes

  • First reporting period: calendar year 2026.
  • National CASP filing deadline: within the window enabling the EU exchange.
  • EU authority-to-authority exchange: by 30 September 2027 for FY 2026.

A reporting or data-integrity failure for FY 2026 becomes actionable once the national deadline passes — so the first real penalty exposure is in 2027. But the data that determines whether the FY 2026 report is accurate is being created now, throughout 2026. A CASP that waits until the filing deadline to think about data quality has already lost the year.

What to do about it

  1. Treat data integrity as the priority, not format. Most penalty exposure is defective aggregates, not late filing.
  2. Verify self-certifications and TINs continuously, not as a year-end scramble.
  3. Retain per-transaction lineage so any reported aggregate can be reconstructed under audit (see DAC8 data collected).
  4. Confirm the penalty regime per Member State you serve — do not assume uniformity.
  5. Brief the board on licence risk, not just fine risk — that is the framing that gets the program funded.

Where vendors fit

  • Sumsub reduces due-diligence-failure exposure: self-certification capture, TIN verification, re-certification flags.
  • TaxBit reduces failure-to-report exposure: producing the filing in the required format on time.
  • Cryptio reduces data-integrity exposure: normalized transaction data with lineage so aggregates reconcile.

The penalty categories map almost one-to-one to the vendor layers, which is why a defensible DAC8 program is usually a stack.

How Wag3s helps

Wag3s Ledger targets the highest-frequency exposure — data integrity:

  • Multi-chain reconciliation so no reportable activity is missed (see multi-chain reconciliation)
  • Per-user aggregation that reconciles to retained per-transaction lineage
  • Counterparty categorization at transaction level
  • Audit reconstruction: any reported aggregate traces back to specific on-chain transactions

See the Wag3s Ledger product page for module details.

Further reading

Sources

Editorial disclaimer
This article is informational and does not constitute legal advice. DAC8 penalty levels are set in each Member State's transposition law and vary significantly. Confirm the applicable penalty regime with qualified counsel in each Member State where you operate.

DAC8 Data Collected: The Exact Fields CASPs Must Report in 2026

What data DAC8 requires crypto-asset service providers to collect and report from 1 January 2026: per-user identity and tax-residency fields, per-transaction fields, and the annual aggregate figures — with the operational implications for compliance teams.

DAC8 and Stablecoins: Why E-Money Tokens Are In Scope When CARF Excludes Them

DAC8 brings e-money-token stablecoins into EU crypto tax reporting from 2026 — a key divergence from the OECD CARF, which carves out specified e-money products. What this means for stablecoin issuers, payment processors, and treasuries.

Explore the coverage

Every chain, integration, and competitor mentioned in this article gets its own page — coverage detail, comparison signals, and the audit trail your finance team needs.