The blockchain sector in Sweden is developing rapidly. For several years, the industry has been led by more traditional and well-established blockchain operations, such as cryptocurrency exchanges. However, there has been increased interest in other innovative uses of blockchain-based technology in entirely different contexts of late, eg, as a means of collateral in lending arrangements and in crossovers and combined service offerings of token-based payment transactions and traditional payment services. In line with Sweden’s history and reputation as a spearhead fintech market, Swedish companies continue to show interest in innovative uses of blockchain technology in ways that extend beyond more traditional practices.

EU Regulation

2024 marked a historic paradigm shift in the EU’s regulation of the blockchain market, primarily through the entry into force of Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). With this most recent development, all major components of the European Commission’s so-called Digital Finance Package, proposed in September 2020, have now been realised.

In addition to MiCA, the package also included a proposed regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT), which was adopted in 2022 and became applicable during 2023 (Regulation (EU) 2022/858; the “DLT Regulation”). On 2 June 2022, as a result of the pilot regime, the Swedish government launched an inquiry into account-based bookkeeping methods for financial instruments, with the aim of exploring potential regulatory changes to facilitate the use of blockchain (see Government Directive 2022:59). The proposal has been being consulted on since 2024.

In December 2023, a legislative report was published (see report SOU 2023:102) proposing a new Swedish legislative act to supplement the DLT Regulation. The proposed legislative act contains provisions which in substance greatly correspond to those that apply to book entry financial instruments under existing Swedish legislation. However, the legislative act also contains the necessary adaptations to suit the new technologies covered by the DLT Regulation. For example, these technologies are distinct in that financial instruments do not necessarily need to be held in an account and the information can be stored in a distributed (decentralised) manner in different nodes rather than in a single central register. As a general rule, the provisions of the legislative act will take precedence over provisions in other Swedish statutes.

The most predominant use of blockchain technology in Sweden, by sheer scale of operations, continues to be in the cryptocurrency exchange sector. There are two market-leading Swedish companies offering these services as well as a number of foreign exchanges whose services are accessible in Sweden.

In terms of more innovative uses of blockchain technology, there has been increased interest in developing financial instruments based on DLT, with the intention of these instruments being traded on regulated markets. One example of an initiative within this type of use for blockchain technology is so|bond, a sustainable and open platform for the issuance of digital bonds based on blockchain technology which was launched in 2023 by the Swedish bank SEB and the French bank Crédit Agricole.

There are other numerous other initiatives, with a general upward trend in Swedish companies and public bodies showing interest in utilising the unique characteristics and benefits of blockchain technology.

There are two ways owned blockchain-based digital assets can be transferred. These are the:

• finalisation of a transfer between the parties to the transfer; and
• finalisation and validity of transfer of ownership for purposes of rights in rem.

General contract law principles apply between the parties to a transfer of blockchain-based assets (as well as the respective service providers involved in the trade) meaning that the parties are generally at liberty to agree and determine at what point during the transactions various rights and obligations associated with the ownership of the assets will be transferred from one party to the other as well as the involved parties’ respective liabilities to one another during the course of completing the transaction (and thereafter). In that regard, Swedish law does not prescribe any particular rules specific to blockchain-based assets.

However, the validity of ownership transfer from the perspective of obtaining rights in rem is a more complex issue and in the absence of precedents is a question yet to be definitively settled. One fundamental aspect of rights in rem under Swedish law is how and when transfer of ownership to certain property confers protection to the transferee (purchaser) from claims by the creditors of the transferor (seller).

The general rule under Swedish law is that a transfer of ownership must have been manifested through some observable action in order to entail rights in rem for purposes of protection from creditors of the seller for the purchaser. For typical, physical, movable property such as ordinary goods, the change in ownership is manifested through the act of transferring possession of the goods to the purchaser, pursuant to the so-called principle of tradition. However, due to practical impossibilities this principle cannot be applied in the same way in relation to immovable property or dematerialised assets. In those cases, the legislature has instead enacted specific legislation that ties the validity of rights in rem associated with ownership to registration.

For example, this applies to:

• dematerialised stocks and bonds;
• other types of financial instruments; and
• emission allowances.

However, for blockchain-based assets, there are no similar rules under Swedish law which ascribe validity to rights in rem based on registration. It is therefore uncertain whether and how rights in rem could be obtained for transfers of blockchain-based assets.

This issue is addressed and commented on in the report proposing legislative changes to align Swedish law with the DLT Regulation (SOU 2023:102). If enacted, the proposed legislative changes will mean that the person registered as owner in the ledger of a DLT-based financial instrument will be presumed to also have ownership rights (unless proven otherwise). Furthermore, validity to a transfer of a DLT-based financial instrument, for purposes of rights in rem, is proposed to follow from validation of the transfer through a consensus mechanism (the details of which may vary from one DLT market infrastructure to another).

There is a proposal for a validated transfer of a DLT-based financial instrument to ensure protection from subsequent claims by the transferor’s creditors in respect of any right that was not registered in the ledger before the validation of the transfer. This proposal will not apply in respect of transfers in ownership stemming from the sale of assets but other transfers such as gifts, wills, inheritance or division of property as well.

In a December 2023 judicial decision by a Swedish Administrative Court of Appeal (see 5.1 Judicial Decisions and Litigation), the Court found that it is currently unclear how rights in rem are achieved for blockchain transactions under Swedish law.

While both judicial decisions and the current process of proposed legislative changes contribute towards making the matter of ownership of blockchain-based assets under Swedish law increasingly clear, the matter is yet to be definitively settled in its current state.

As Swedish law does not include a national bespoke categorisation system for digital assets, their legal classification needs to be analysed on a case-by-case basis against general legal concepts and definitions. Historically, this has resulted in a focus on determining whether digital assets may be deemed to be financial instruments under Swedish law. If a digital asset is deemed to be a financial instrument, the provision of investment services relating to that digital asset is subject to securities and investment laws and regulations, most notably Directive 2014/65/EU (MiFID II) and the Prospectus Regulation.

However, MiCA has introduced a new regime for categorisation of digital assets which distinctly regulates three classes of crypto-assets:

• asset-referenced tokens;
• e-money tokens; and
• utility tokens.

Asset-referenced tokens and e-money tokens can both be considered “stablecoins”. An e-money token is defined as a type of crypto-asset that purports to maintain a stable value by referencing the value of only one official currency. Meanwhile, an asset-referenced token is defined as a type of crypto-asset that purports to maintain a stable value by referencing another value or right (or a combination thereof) including one or more official currencies.

Utility tokens are defined in MiCA as a type of crypto-asset that is only intended to provide access to a good or a service supplied by its issuer.

Swedish law does not specifically define tokenised securities (ie, traditional securities with a digital wrapper) as a distinct category of asset. The question of whether tokenised securities are subject to securities and investment laws and regulations is essentially a question of whether these securities correspond to the definition of financial instruments under the Swedish Securities Market Act, which implements MiFID II.

The Swedish Financial Supervisory Authority (the Finansinspektionen or SFSA) has expressed the view that, in order for instruments in a digital wrapper to qualify as securities under Swedish law, the instruments must be able to be registered in a manner that has the same legal effect (specifically in regard to rights in rem) as possession and presentation of a physical certificate, such as a coupon bond or a bearer bond.

Registration based solely on contractual grounds (which is only binding on the parties to the contractual arrangement) has not been considered sufficient to meet this requirement. In addition, the SFSA has expressed the view that an instrument must entail rights to its holder or obligations to its issuer, or both, which are legally enforceable.

In March 2025, the European Securities Markets Authority (ESMA) published guidelines on the conditions and criteria for qualifying crypto-assets as financial instruments. The guidelines express that classification should be done in line with the principle of technological neutrality and should take a substance over form approach. When assessing whether tokenised securities qualify as financial instruments under the Swedish Securities Market Act, the characteristics distinguishing crypto-assets from traditional securities and traditional capital markets should also be considered. For example, the fact that a crypto-asset is traded on online trading platforms may indicate that the assets are freely transferable but does not necessarily mean that the assets meet the condition of being negotiable on the capital markets.

Stablecoins were not explicitly regulated in Sweden before MiCA. However, they have now become subject to the extensive regulatory framework under MiCA. MiCA will cover any stablecoins that meet the definition of either asset-referenced tokens or e-money tokens (see 2.2 Categorisation). MiCA does not explicitly distinguish algorithmic stablecoins from others in a classification aspect. Instead it states that the rules in MiCA are the same for algorithmic asset-referenced tokens as for others.

An aspect of MiCA’s substantive regulatory requirements that may have an impact on the practical feasibility of issuing algorithmic stablecoins is that, among the requirements introduced by MiCA on issuers of asset-referenced tokens, there is an obligation to have a reserve of assets covering the risks associated with the underlying asset and the liquidity risks associated with rights of redemption of the tokens. The reserve of assets is required to be legally and operationally segregated from the issuer’s own assets.

There are currently no specific regulations under Swedish law in relation to NFTs. Customary commercial and consumer protection law applicable to marketing and sales in general will also apply to NFTs.

Swedish law does not prohibit the use of cryptocurrencies as a means of payment. However, it does not recognise cryptocurrencies as legal tender that any person is legally required to accept as a means of payment.

Swedish law only recognises banknotes and coins as legal tender that households and companies must be able to use to make payments. However, this general rule is not without exceptions. Firstly, there is the possibility of waiving the obligation to accept cash by agreement, both in private enterprise and public sector operations that can be equated to private enterprise (eg, municipal car parks). Secondly, there are exemptions from the obligation to accept cash as a means of payment in a number of legal acts, such as tax legislation, which means it is not possible to pay tax in cash.

Following these observations and the limitations of cash as legal tender, the Swedish Central Bank launched a project to assess the possibility of establishing and backing an e-currency that could potentially constitute legal tender under Swedish law in 2017 (see 4.7 Other Government Initiatives).

In line with Swedish law, the action necessary to perfect a pledge in order to create a security interest is generally the same as the action to be taken in order for a purchaser of an asset to receive rights in rem towards the creditors of the seller. As explained in 2.1 Ownership, existing case law (which is at risk of being overturned on appeal) is limited to transfers in Bitcoin and it is uncertain what action is necessary in relation to the perfection of a pledge over other types of digital assets.

The proposal for Swedish legislative changes to supplement the DLT Regulation addresses whether and how it should be possible to pledge DLT-based financial instruments. In a corresponding way, for transfers of ownership (see again 2.1 Ownership), the proposal is for Swedish law to require a distributed ledger to have functionality for registering security rights to a financial instrument (ie, the pledging over the instruments) and to recognise a pledge over DLT-based financial instruments as occurring upon validation of the action through a consensus mechanism.

There are no specific laws or judicial decisions addressing the legal enforceability of smart contracts. The Swedish law on the formation of contracts is technology-neutral and therefore does not preclude smart contracts from constituting valid agreements between the parties that use them. Two cases may be distinguished.

In the first case, parties agree “off-chain” to use a particular smart contract as a mode of delivery when executing an obligation that has been agreed “off-chain” (eg, an interest payment) on a particular date that is automatically calculated and executed by the smart contract where the underlying right to the payment is documented in a loan agreement “off-chain”. The validity of the performance of an obligation is within the freedom of contract of the parties and will generally be legally binding.

In the second case, the parties do not have a pre-existing relationship that has been agreed “off-chain” but rather use the smart contract as their only mode of communicating and exchanging performances. Under Swedish law, a contract may be entered into between parties through action, with the textbook example of a car park user being bound by the terms of the parking garage by parking in the garage (as long as the terms are available to the car park user). It is likely that the same reasoning can be applied to a contract being entered into through the use of a smart contract.

It is not the smart contract itself that constitutes the agreement. An agreement between two parties is a legal concept of an abstract nature that in turn can be manifested and documented (eg, through a written contract or computer code in a smart contract), but the manifestation does not necessarily reflect the binding abstract agreement between the parties. However, it is often difficult to prove that the content of an agreement differs from its physical manifestation.

Swedish law on the formation of contracts also allows for the altering of contracts on the grounds of their being unconscionable (especially in relation to consumers vis-à-vis businesses) or because the formation of the contract was invalid due to fraud, usury or duress, for example. The manifested obligations and any performance of a smart contract can therefore potentially be challenged in court on the grounds of the agreement being unfair or invalid.

Regulatory capital requirements of credit institutions and large investment firms primarily stem from Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms (CRR) and are therefore EU-based rather than Sweden-specific.

In June 2024, a legislative package was published which updated and amended the CRR. The changes introduced a requirement for credit institutions and investment firms to report and disclose exposures to crypto-assets. As of July 2024, crypto-asset exposures are treated under a transitional regime created by the CRR which consists of specific risk weights for various categories of crypto-asset exposures by credit institutions. The transitional nature of the rules follows a new legislative proposal for treatment of crypto-asset exposures by 1 July 2025.

In parallel with the EU legislative process, the Basel Committee on Banking Supervision published a number of amendments to the 2022 Basel crypto-asset standard in July 2024. There are similarities between these standards and rules under the CRR but they are not identical. The implementation date of the revised Basel standards is 1 January 2026.

There are currently no regulatory sandboxes for blockchain technology in Sweden. However, the SFSA has established an innovation hub that deals with fintech in general.

The two dominating sets of regulatory frameworks within the field of blockchain under Swedish law, the DLT Regulation and MiCA, are heavily influenced by international standards. As the rules introduced by MiCA are based on a directly applicable EU Regulation they are harmonised within the EU and are not specific to Sweden. Similarly, many of the proposed changes to Swedish law have the aim of aligning Swedish law with international standards by enabling the DLT Regulation to be applied in Sweden in the manner intended by the EU legislature.

The SFSA is the competent authority for the purposes of MiCA and the DLT Regulation in Sweden. It has both a supervisory mandate and the role of processing applications for authorisation and other types of regulatory approval under MiCA and the DLT Regulation.

The SFSA has historically had a generally cautious and sceptical position towards cryptocurrency and, in particular, has repeatedly communicated warnings to consumers against investing in cryptocurrencies. It is not unlikely that MiCA may cause a shift in the SFSA’s position towards blockchain and digital asset firms, by regulating these firms more diligently than before and therefore bringing a degree of legitimacy to those firms who qualify for authorisation.

However, at the time of writing the SFSA has yet to grant its first regulatory licence under MiCA and it is still too early to tell if and how MiCA will have an impact on the SFSA’s approach to blockchain and digital asset firms.

There are currently no self-regulatory organisations or trade groups that perform regulatory or quasi-regulatory roles in relation to blockchain in Sweden.

The Swedish Central Bank (Riksbanken) is currently assessing the possibility of establishing and backing an e-currency: the e-krona. The e-krona is contemplated as being a retail CBDC, ie, a central bank digital currency that is available to the general public.

Since February 2020, Riksbanken has been running a pilot project with a third-party technical service provider to develop a technical platform for a blockchain-based e-krona. The pilot project has undergone four phases of (mainly technical) analysis, testing and evaluation and the results of the fourth and final phase were published in March 2024.

The solution is based on digital tokens that are portable, cannot be forged or copied (double-spent) and enable instantaneous peer-to-peer payments. The tokens will be guaranteed a fixed value corresponding to the Swedish krona, so that the value of the user’s funds would always be identical regardless of whether they are held in the form of cash, a bank account balance or e-currency.

The technical solution for the e-krona that has been tested in the pilot project is based on the e-krona being issued and redeemed exclusively by Riksbanken. The e-krona will be distributed via participants in a private e-krona network administered by Riksbanken (eg, banks). The pilot project has analysed and tested various options for a secure offline solution to enable use of the e-krona for payments using payment instruments.

At the time of writing, no legislative initiative has been proposed to make the e-krona a reality. As part of the evaluation of the e-krona, Riksbanken has also considered the implications and consequences of a potential digital euro. It has concluded that a digital euro would generally have a positive influence on the usefulness of an e-krona. One reason for this is that an e-krona would contribute to safeguarding the current role of the Swedish currency. Another reason is that a digital euro may reduce the cost and complexities of launching an e-krona. Thirdly, Riksbanken has expressed that a co-existing digital euro and e-krona could improve cross-border payments through interoperability.

Digital Negotiable Debt Instruments

In a judgment from 2017 (NJA 2017 page 769), the Swedish Supreme Court assessed whether a negotiable debt instrument under Swedish law can be digital. A negotiable debt instrument is essentially an instrument that is itself representative of a legal debt, meaning that whoever holds the instrument is typically entitled to require payment from the obligor. The Swedish legislation on negotiable debt instruments is from 1936 and therefore assumes that these instruments exist in physical paper form.

However, the Supreme Court’s judgment held that the law does not strictly require a negotiable debt instrument to exist physically and should be interpreted and applied in a technology-neutral manner, provided that doing so does not jeopardise the fundamental principles and interests that the law is intended to protect. According to the Supreme Court, this means that a digital negotiable debt instrument can be recognised legally, provided that it is designed in a manner that ensures an obligor is afforded technical means of verifiably fulfilling its payment obligation and extinguishing the debt, comparable to those afforded an obligor under a physical negotiable debt instrument. An obligor is by law entitled to have the physical negotiable debt instrument returned to them upon making payment.

While the Supreme Court did not specify in its judgment how this could be achieved in practice, it has been theorised and discussed in the legal community that blockchain-based technology could possibly enable corresponding ways of verifying payment, due to its inherent ability to be manipulated.

Cryptocurrencies and Foundation Requirements

In a judicial decision from January 2023, the Administrative Court of Appeal in Göteborg found that a Swedish foundation (stiftelse), where the assets under management were a type of cryptocurrency, satisfied the legal requirements for registration and recognition under Swedish law (eg, that the assets of the foundation can be managed indefinitely). The Court found that the volatile nature of cryptocurrencies did not preclude the assets from having an economic value and it being possible to manage them indefinitely.

Payment in Kind Using Bitcoin

Another notable judicial decision is from November 2022 and relates to blockchain technology. In that case, the District Administrative Court in Härnösand had to consider whether a Swedish limited liability company could be incorporated by payment for company shares in kind using Bitcoin. The Court found that payment in kind using Bitcoin could be considered to satisfy the requirements under Swedish law. However, the decision was appealed, and in December 2023 the Administrative Court of Appeal in Sundsvall repealed the decision, owing (inter alia) to uncertainty regarding rights in rem in relation to blockchain transactions and to the volatile nature of Bitcoin.

In 2013, the SFSA issued a decision against a person who was providing money remittance services comprised of taking receipt of fiat currency from customers in Sweden and of using those funds to purchase Bitcoin from an exchange service provider in Iran. The customers could subsequently instruct the Iranian exchange service provider on how to settle the outstanding balance, eg, by exchanging the balance in Bitcoin into local currency. In essence, this enabled the customers to transfer money from Sweden to Iran by way of exchanges into and from Bitcoin. The SFSA intervened and ordered the Swedish service provider to cease its operations on the basis that they comprised licensable payment services for which the service provider did not hold the requisite licence as a payment institution. The decision was appealed but was upheld by the Stockholm Administrative Court in 2014.

This case provides some guidance on the boundaries of permitted and prohibited blockchain activities by clarifying that although virtual currencies themselves are not considered to constitute “funds” for the purposes of the Swedish Payment Services Act (SFS 2010:751), a service provider taking receipt of funds (ie, fiat currency) from customers and transferring a corresponding amount by purchasing Bitcoin for the purposes of effectively remitting the customers’ funds is carrying out an activity that is licensable as a payment service under the Payment Services Act.

No particular Swedish tax rules other than applicable EU legal acts have been introduced in relation to blockchain or cryptocurrencies or to operations relating to this technology. Many Swedish taxpayers have therefore experienced more significant challenges in practically meeting the administrative tax-filing burden according to the applicable rules than in the legal uncertainties around this technology. This is because taxable income from transactions in virtual currencies needs to actually be calculated and reported, whereas many other forms of savings and investment products can be managed through a so-called investment savings account (investeringssparkonto). This investment savings account is subject to standard tax based on the balance on the account as opposed to individually calculated capital gains or losses resulting from transactions.

In addition to these challenges, Swedish data centres selling computing power for bitcoin mining face significant uncertainty regarding input VAT recovery. The Swedish Tax Agency contends that these data centres are effectively mining bitcoin themselves rather than providing computing services, which excludes them being eligible to recover VAT. This interpretation creates a complex situation where data centres must navigate between providing a service and engaging in a mining activity, which affects their ability to reclaim VAT on related expenses.

In November 2021, the SFSA and the Swedish Environmental Protection Agency (Naturvårdsverket) published a joint opinion proposing that mining activities should be regulated because of the environmental impacts of the inherent high energy demand of the Proof of Work mining method. The opinion was partly a reaction to an observed significant increase in energy consumption for cryptocurrency mining in Sweden between April and August 2021, which was most likely a result of cryptocurrency miners looking to operate out of Sweden due to the low energy prices, attractive tax regulations and good supply of renewable energy sources. The opinion has not yet resulted in any legislative action in Sweden and at an EU level the most recent legislative developments indicate that the position may be against a ban on the Proof of Work mining method.

However, MiCA explicitly recognises the potential adverse environmental impacts of consensus mechanisms used for the validation of transactions in crypto-assets and deals with this by imposing disclosure requirements related to principal adverse impacts on the climate and other environment-related adverse impacts as part of the White Papers to be drawn up by the offeror, issuer and/or person admitting a crypto-asset to trading on a trading platform.

Crypto-asset service providers are also required to make the ESG-related disclosures available in a prominent place on their websites, in respect of each crypto-asset available through the service provider’s scope of services.

The rules in MiCA empower ESMA to develop more detailed delegated legislative acts specifying the content and form of ESG-related disclosures. Following ESMA’s proposal, the European Commission adopted a delegated regulation in December 2024 specifying the content methodologies and presentation of sustainability indicators in crypto-asset White Papers and on the website of a crypto-asset service provider. The delegated regulation includes an annex which specifies the format and data points to be included in the sustainability disclosures governed by the delegated regulation.

An essential piece of information expected to be included in the White Paper disclosures regarding ESG impacts is a description of the consensus mechanism used for each particular crypto-asset (eg, a Proof of Work-based mechanism or Proof of Stake-based mechanism), which will need to be accompanied by an analysis of the environmental impact of the consensus mechanism used. ESMA considers that this impact analysis should be anchored in three main features:

• the energy consumption of each DLT network node;
• the location of the DLT network nodes; and
• the devices used by each DLT network node to take part in the DLT network and to technically hold a replica of the network’s ledger.

In terms of indicators and methodologies for presenting the ESG-related information to be disclosed, those drawing up White Papers are required to calculate and disclose quantitative data on energy consumption resulting from the crypto-asset. Annual energy consumption is used as the key mandatory indicator because it is considered to be the most conducive to making investors aware of the impact of consensus mechanisms. For issuers with significant energy consumption levels exceeding certain thresholds, additional disclosures covering energy intensity and greenhouse gas emissions are required.

At face value, the Swedish laws and regulations that apply to data privacy fundamentally apply to operations with blockchain-based products and services in the same way as for other operations, without any specific derogations or distinctions to account for the particularities of blockchain-related operations. To date, there is no clear case law or guidance from the Swedish Authority for Privacy Protection that settles how data privacy rights and obligations can be applied to blockchain-based operations.

As in other EU jurisdictions, the main source of data privacy-related rights and obligations in Sweden is the General Data Protection Regulation (Regulation (EU) 2016/679 or GDPR), which governs matters such as individuals’ right to:

• access their personal data that is being processed;
• the rectification of incorrect information about them; and
• the erasure of personal data that it is no longer necessary to process, for whatever purpose it was originally collected and processed.

The rights and obligations in the GDPR require careful analysis when being practically implemented in blockchain-based operations. Data protection measures should take the inherent characteristics of blockchain technology and particularly that services and products are often based on public blockchains, which do not require any special permissions to become a participating node (eg, the most common cryptocurrencies powered by blockchain) into account.

The GDPR is based on the assumption that there is a “data subject”, whose personal data is being processed by a “controller” that determines the purpose and means of the data processing. A typical scenario is of a bank that acts as the “controller” of the personal data that it processes about its customers. The bank may, in its role as a controller, engage service providers as its processors. The GDPR consequently establishes rights for data subjects and corresponding obligations for controllers and processors.

The concepts of the different roles, ie, controller, joint controller and processor, play a crucial role from a data protection perspective. It is therefore important to carefully analyse and outline the roles and responsibilities of all parties engaged in the blockchain-based operations at an early development stage, keeping in mind that there may not be a single controller, but rather a vast number of independent parties who may upload, process and store data (which may include personal data) on and outside the blockchain.

The roles set out in the GDPR must therefore be taken into account from the very beginning of the design phase of the blockchain in order to clearly define accountability for fulfilling the obligations that the GDPR imposes on controllers.

The parties must also take the rights established in the GDPR into account in order to apply the rights in practice to blockchain-based technology. The architecture and design of the blockchain must therefore include data protection strategies in order to ensure that the rights are secured, considering that the blockchain technology only permits data to be added to a blockchain and not to be removed from it.

A notable example that needs to be complied with is the so-called right to be forgotten, ie, the right for a data subject to have their personal data erased when there are no longer any lawful grounds for processing it.

The GDPR establishes the concept of “data protection by design and default”, meaning that data protection measures should be implemented as integrated components of technical systems and services rather than as additional layers “on top”. The GDPR also requires controllers of personal data to implement appropriate security measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services and to restore personal data in the event of any unforeseen incident.

Where appropriate, security measures should also include measures for the encryption of data, which is particularly interesting in the context of blockchain technology. There is an important distinction between truly anonymised data and data that is only pseudonymised. Where an anonymisation process results in data that is impossible to link to any individual and where that process is also irreversible, the resulting anonymous data is entirely beyond the scope of the GDPR.

Methods for removing identifying characteristics of data that do not meet this standard of true anonymisation are instead referred to as “pseudonymisation” and the GDPR remains applicable to pseudonymised personal data. In a blockchain context, this means that data on the blockchain will often qualify as pseudonymised personal data subject to the GDPR, as although a public blockchain may not openly and explicitly contain identifying details, it is possible to indirectly link the visible public keys or addresses to an individual (eg, through pattern analysis).

This means that blockchain-based services and products are not generally considered as anonymous (although each blockchain needs to be assessed on the basis of its particular characteristics) but are instead subject to requirements under the GDPR.

In April 2025, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data through blockchain technologies. The guidelines address the intersection of the GDPR and blockchain technology and are intended to provide clarity to organisations considering the deployment of blockchain technology while ensuring compliance with the GDPR. The draft guidelines include a comprehensive framework for assessing the implications of blockchain architecture on personal data processing operations and emphasise the need for roles and responsibilities of various actors within the blockchain ecosystem to be carefully considered.

One of the matters the draft guidelines address is potential ways to satisfy the requirements in the GDPR in blockchain-based data processing where the technical possibilities of deleting or modifying data are typically very limited or non-existent, due to the inherent essential characteristics of blockchain technology. The draft guidelines suggest that technical security measures such as encryption of data, hashing or use of cryptographic comments can be evaluated as tools and means to facilitate compliance with the GDPR when processing personal data in a blockchain-based environment. The draft guidelines also emphasise more generally that technical impossibility cannot be invoked to justify non-compliance with GDPR requirements and highlight the importance of conducting a data protection impact assessment (DPIA) before implementing blockchain-based processing of personal data. The guidelines also include a set of concise recommendations to help organisations ensure that processing of personal data with blockchain technology is GDPR-compliant. The guidelines are being publicly consulted on until early June 2025 and are expected to be finalised following the conclusion of the public consultation period.