Centralised Decentralisation: When Token Protocols Become Regulated in the EU

For fintechs, token issuers, protocol developers and other businesses handling crypto-assets, decentralisation is no longer only a technical choice. It is also a regulatory question.

Under EU law, the way in which a token service is built may determine whether the activity is regulated or falls outside the regulatory perimeter. A business may decide to operate through a centralised platform, with a company controlling the user relationship, the interface, order flow, custody, pricing or execution process. In that case, the regulatory analysis is relatively familiar: the company is the identifiable service provider and may need authorisation, whether under Regulation (EU) 2023/1114 (MiCAR), Directive 2014/65/EU (MiFID II) or another financial services regime.

But the same economic function may also be implemented through decentralised infrastructure. A smart contract may execute transactions automatically. An AMM may replace a conventional order book. Users may interact directly with a protocol. Governance may be moved to token holders. Fees may be calculated by an oracle. Access may be controlled through a KYC credential rather than through a conventional platform account.

In such cases, the regulatory question becomes more difficult: is there still a regulated service provider, or is the activity carried out in a fully decentralised manner without an intermediary?

MiCAR and MiFID II

MiFID II tokens are tokenised versions of the instruments already traded on traditional securities markets, including tokenised transferable securities, money-market instruments, collective investment units, commodities-linked derivatives and similar instruments. Under Article 2(4) of MiCAR, any crypto-asset that qualifies as a financial instrument under MiFID II is carved out of MiCAR’s scope. All other fungible tokens – cryptocurrencies, stablecoins, utility tokens, e-money tokens and asset-referenced tokens – fall within MiCAR’s scope.

The two regulatory regimes are mutually exclusive: a given token is either a financial instrument within the meaning of MiFID II – and therefore subject to MiFID II, MiFIR, the Prospectus Regulation, the Market Abuse Regulation and the wider EU securities-law acquis – or a MiCAR crypto-asset governed by MiCAR Titles II-VI, but not both.

That distinction matters because MiCAR expressly recognises that crypto-asset services provided in a fully decentralised manner without an intermediary should fall outside its scope. If a service is centralised, the provider may require authorisation as a crypto-asset service provider. If the same service is genuinely decentralised, there may be no legal person on whom the MiCAR’s service provider obligations can be imposed.

MiFID II contains no explicit decentralisation exemption comparable to MiCAR Recital 22. Where the token qualifies as a financial instrument, EU law does not provide a general decentralisation exemption merely because the instrument is issued, traded or settled on-chain. A decentralised technical layer does not by itself preclude the application of investment services or trading venue rules. There are, however, good reasons to apply comparable criteria to MiFID II tokens, as will be argued below.

This creates a practical structuring question for market participants. Businesses dealing with tokens must decide whether to build a regulated centralised service, or whether they can – and should – design infrastructure that is genuinely decentralised. That choice is not cosmetic. It affects licensing strategy, governance, investor protection, AML design, user access, liability, revenue models, technical architecture and the long-term ability to operate across the EU.

The problem is not blockchain – the problem is control

“Decentralised” is not a single legal or technical fact. A protocol may be decentralised at one layer and centralised at another. A smart contract may be immutable, but the website may be controlled by a company. An AMM may be ownerless, but the token list may be curated. Fees may be calculated automatically, while the oracle may be controlled by a single entity. A protocol may be permissionless, while access may require a KYC credential. Governance may be token-based, while voting power remains concentrated in a small number of wallets.

The issue is therefore not whether a project uses blockchain technology for issuing and handling tokens, nor whether settlement occurs on-chain. The key question is: who, if anyone, controls the regulated activity?

Current EU law status

The European compromise

The European framework for crypto-asset markets rests on a deliberate yet uneasy compromise. Recital 22 of Regulation (EU) 2023/1114 (MiCAR excludes crypto-asset services “provided in a fully decentralised manner without any intermediary” from its scope. MiFID II contains no equivalent carve-out, as its definitions of trading venues and investment firms presuppose identifiable legal persons. The framework therefore attempts to achieve two objectives simultaneously: to respect genuinely decentralised infrastructure not controlled by any person, while bringing identifiable controllers into the regulatory scope.

The undefined line and emerging guidance

The line between these outcomes is not clearly defined in either regulation. ESMA’s emerging guidance under the MiCAR Level 2 mandates, together with the Joint Committee work with the EBA and EIOPA, has addressed the perimeter question but has not yet provided a comprehensive methodology. Competent authorities in several member states have also issued preliminary guidance, including BaFin’s published views on DeFi, AMF analyses of decentralised arrangements, and most notably the Danish Finanstilsynet’s 2024 Principles for the Assessment of Decentralisation. These materials are useful indications but do not constitute authoritative pan-European interpretations; ultimately, ESMA’s position and the emerging case law will be decisive.

Regulation attaches to identifiable persons

The starting point in both regimes is that regulation attaches to identifiable legal persons. Article 3(1)(15) of MiCAR defines a crypto-asset service provider (CASP) as “a legal person or other undertaking” providing crypto-asset services on a professional basis. Each regulated service in Article 3(1)(16) presupposes a performing person. Recital 22 confirms that fully decentralised services without any intermediary fall outside scope, while adding that the Regulation applies “including when part of such activities or services is performed in a decentralised manner”. MiFID II is structured similarly but lacks an explicit decentralisation carve-out: Articles 4(1)(19)-(23) define multilateral systems, multilateral trading facilities (MTFs) and organised trading facilities (OTFs) as systems someone operates, and Article 4(1)(6) on dealing on own account presupposes an investment firm with a balance sheet. The DLT Pilot Regime (Regulation (EU) 2022/858) accommodates DLT-based trading and settlement systems, subject to authorisation of the operator.

From contract to methodology

EU financial services regulation presupposes an identifiable legal or natural person capable of bearing regulatory obligations and liability. Only legal and natural persons can enter into binding legal relationships; software cannot independently manifest legal intent. A smart contract has no will of its own; it implements the will of whoever controls its parameters, upgrade authority or inputs. The regulatory question reduces to whether there is a legal entity behind the regulated activity, and what specifically does that entity control? A two-stage methodology follows.

• The first stage examines technical decentralisation: is the regulated activity provided exclusively through self-executing, autonomous smart contracts that are not controlled by any legal entity? This assessment considers both the smart contracts themselves (self-execution, autonomy, embedded inherent rights) and the surrounding DLT infrastructure (distribution versus decentralisation, access mechanisms, concentration of decision-making).
• The second stage examines decentralised governance: even where the technical arrangement is not autonomous, can governance nonetheless be characterised as decentralised? This involves assessing whether the arrangement is operated by a partnership or other structure that constitutes a legal person under applicable member state law, whether governance tokens concentrate decision-making power, and whether identifiable bodies exercise discretion over the regulated activity.

Specific smart contract scenarios

The centrally controlled oracle

Consider an otherwise immutable smart contract protocol for token trading that relies, for material trading parameters (fees, matching logic, eligible-asset listing), on an oracle controlled by an identifiable entity. The smart contracts may be self-executing on a conventional blockchain, but they are not autonomous: their operation depends on parameters supplied by the controller. Where the rules are encoded in immutable smart contracts but parameterised by a centrally controlled oracle, the oracle controller is, in substance, managing the rules. The protocol is not provided “without any intermediary” under Recital 22 of MiCAR; the oracle controller is the intermediary.

Hence, under both MiCAR and MiFID II, such a protocol remains subject to regulation and requires authorisation – MiCAR CASP authorisation or MiFID II investment firm authorisation. Smart contracts executing trades on a public blockchain do not exempt a protocol where a critical economic function is centrally controlled. ESMA’s substance-over-form approach in its MiFID II Q&A supports the same conclusion under MiCAR.

Two refinements probe the limits. The bounded-discretion oracle allows the controller to set fees within a hard-coded band. Bounds do not eliminate control; they constrain it. A band of 0.01% to 5% leaves effectively full pricing discretion; a band of 0.29% to 0.31% may be too narrow to give the controller economically meaningful discretion. Three factors matter:

• whether the controller can alter the bounds through upgrade authority;
• whether the controller has economic interest in fee outcomes; and
• whether other functions are also controlled.

Bounded discretion is a mitigating factor, not a defeating one. The ministerial executor removes discretion entirely: the executor mechanically applies deterministic rules based on observable inputs. A ministerial executor unable to deviate from immutable rules arguably is not “managing” the rules, but merely implementing them. The Recital 22 carve-out becomes more plausibly available, though the line is delicate.

A further dimension is benchmark regulation. Regulation (EU) 2016/1011 (BMR) defines a “benchmark” in Article 3(1)(3) and Article 3(1)(6) as any index by reference to which the amount payable under a financial instrument or financial contract is determined, or the value of a financial instrument is determined. The “administrator” (defined in Article 3(1)(6) as the natural or legal person that has control over the provision of a benchmark) requires authorisation, registration or third-country recognition. An oracle that calculates and publishes a reference value used to determine amounts payable under on-chain financial contracts is, on a textually defensible reading, doing precisely what the BMR was designed to regulate. Price feeds for liquidations, settlement values, redemption rates and yield calculations are all examples where an oracle’s published value directly determines a financial outcome.

Critically, the BMR is largely indifferent to whether the administrator exercises discretion: the regime applies to mechanical, formula-based benchmark calculation as much as to discretionary panel benchmarks. A ministerial executor that escapes the MiCAR CASP perimeter on the basis that it does not “manage” trading platform rules could potentially fall within the BMR perimeter. The regimes are independent. The analytical migration from MiCAR to BMR is not a regulatory escape but a regime shift: the oracle controller may find itself characterised as a benchmark administrator subject to governance, control, conflicts-of-interest, methodology disclosure and supervision obligations under Title II of the BMR. This applies a control-based test that the ministerial executor argument cannot defeat (because the BMR does not require discretion), capturing exactly the protocols designed to avoid the CASP perimeter through formula-based architecture.

The multilateral element

Does the protocol operate a multilateral system or a bilateral one? Articles 4(1)(19), (22) and (23) of MiFID II define regulated markets, MTFs and OTFs as multilateral systems in which multiple third-party buying and selling interests in financial instruments are able to interact in the system. This concept has been the subject of extensive ESMA guidance, distinguishing MTFs and OTFs from “bulletin board” arrangements that merely display trading interests. Article 3(1)(18) of MiCAR incorporates the multilateral element directly.

• First option: bilateral-discovery protocol. Users see each other’s identities and the specific terms of each other’s offers, and decide whether to transact bilaterally. The protocol facilitates discovery but does not perform matching. This falls outside the scope of Article 3(1)(16)(d) of MiCAR and Articles 4(1)(22) and (23) of MiFID II. The resulting contract is a bilateral agreement between identified users rather than system-driven matching. There is no indication that ESMA’s longstanding position on bulletin-board systems for MiFID II should not also apply under MiCAR. Depending on the exact design and level of intermediation, residual classification risk may fall under intermediary services such as the reception and transmission of orders under MiCAR or arranging transactions under MiFID II, rather than a regulated trading venue.
• Second option: the standard AMM (eg, Uniswap). Users contract bilaterally with the smart contract; the AMM’s curve responds mechanically to inventory. The user does not see, and does not contract with, any other user. The conventional analysis asks whether the AMM is an MTF, an OTF or a dealer arrangement under MiFID II by reading the textual definitions onto the AMM facts. This approach overlooks the structural function of AMMs. The MTF regime exists to compensate for opacity in matching: pre-trade and post-trade transparency obligations under Articles 3-4 and 6-7 of MiFIR, transaction reporting under Article 26, organisational requirements and market abuse surveillance all respond to the fact that traditional MTF matching happens inside the venue, invisibly to participants. An AMM has no such opacity. The price is the curve; the curve is public; the user sees the price before clicking confirm; every trade is verifiable on-chain. The transparency obligations are become largely redundant, the reporting obligations duplicate what is already public, and the surveillance obligations target a hidden matching process that does not exist. A functional argument can be made that applying the MTF regime to an AMM imposes compliance cost without commensurate regulatory benefit.

The correct characterisation follows from the AMM’s actual economic substance: the user is presented with a publicly quoted price and bilaterally accepts that quote, rather than interacting with opposing third-party orders in a multilateral order book. Functionally, this resembles principal trading. Under MiFID II, such activity may be characterised as dealing on own account under Article 4(1)(6), Annex I, Section A(3); under MiCAR, it would generally fall within the exchange of crypto-assets for funds or for other crypto-assets (Article 3(1)(16)(e)-(f)). These categories are designed for an identifiable counterparty that quotes and trades against users, with conduct, conflicts and capital obligations calibrated to that activity. They fit the AMM’s substance, where the MTF regime does not.

The only remaining question is whether an identifiable principal trader exists at the AMM level. This is the same control question developed above. Where an identifiable entity controls the AMM’s parameters, fees, eligible asset listing or upgrade authority, that entity is the principal trader and the regulated subject. Where no such entity exists, there is no principal trader and the question does not arise. The matched-principal concern under MiFID II is relevant only where the protocol substantively performs matching between users on the same platform; a classical constant-product AMM does not – it offers a curve, and users transact against the curve. The AMM is therefore correctly analysed as principal trading by whoever controls the AMM, and the doctrinal effort goes into identifying that controller.

The Decentralised Autonomous Organisation (DAO) as substitute for centralised control

A DAO is a group whose rules, assets, decision-making processes and operations are administered primarily through smart contracts and blockchain-based governance rather than a traditional corporate management structure. It is commonly understood to be a structure in which decision-making through voting is distributed in such a way that no entity or group of partners acting in concert can be identified as having control. Decisions are usually made through voting using governance tokens, and votes may decide matters of protocol operation, parameter changes, share in protocol fees and so on – that is, subjects reflecting central control. The “decentralised” element is that these decisions cannot be executed by an identifiable entity or group of persons, meaning that there is no regulatory centralised control.

The hurdles are high. Even if voting is distributed such that no single entity controls the votes, voting decisions must still be executed by someone. Voting results would need to be implemented in smart contract operations without discretionary room for intermediate management to make decisions. To be considered decentralised in the regulatory sense, the DAO must not be operated as a centrally managed partnership, must not be concentrated in a small group, and must not delegate to identifiable bodies.

The KYC/AML-only gatekeeper

Consider the case where the only identifiable control point in an otherwise operator-less protocol is a KYC/AML gatekeeper determining who is allowed access. The gatekeeper has no role in setting parameters, matching trades or executing transactions – only in identity verification and sanctions screening.

The doctrinally correct conclusion is that the operator question under MiCAR is whether a legal entity controls one of the regulated activities listed in Article 3(1)(16) – the substantive trading, custody, exchange, execution, transfer and advisory functions. AML gatekeeping is not among them; it is a separate function under a separate regime (AMLR and AMLD), with its own obligations – customer due diligence, suspicious transaction reporting, sanctions screening, record-keeping. The two regimes are conceptually independent. An entity performing AML gatekeeping is regulated as an AML obligor under the AMLR; it is not, by virtue of that function alone, a CASP under MiCAR. Recital 22’s “without any intermediary” formulation supports this functional separation: an AML-purposes gatekeeper is not an intermediary in the substantive financial services sense. The same analysis applies under MiFID II.

Neither ESMA nor other European regulators have yet provided guidance on how access control should be assessed under MiCAR or MiFID II control frameworks. However, this would create a regulatory tension if the very act of implementing a KYC/AML gate – a measure they generally encourage – triggers full authorisation requirements for the protocol. This would create a disincentive for protocols to adopt such compliance controls, undermining regulatory goals.

Conclusion for the EU

The essential regulatory question for token protocols in the EU is not whether they are decentralised in the abstract, but rather who can actually make decisions: who can change the protocol, select pools, admit assets or control treasury assets? If a small group can control the regulated activity, governance is centralised even if the protocol uses a DAO label.

Yet, there remains significant scope for structuring token protocols in ways that may fall outside existing licensing frameworks. The key is to genuinely hand over control of transactions to the peers who interact directly with each other. If the handling of financial transactions is executed through autonomous smart contracts outside central control, then there may be no identifiable operator to which licensing requirements under MiCAR and MiFID II can be attributed.

This principle appears in specific architectures. The choice to use an AMM, for instance, does not in itself resolve the regulatory question. By analysing the AMM’s economic substance, it becomes clear that its function is not readily characterised as that of a multilateral trading facility but rather a form of principal trading. This shifts the regulatory focus from market infrastructure rules to identifying the principal trader. Consequently, the decisive question becomes who controls the AMM’s parameters and is therefore acting as the regulated principal.

Furthermore, the analysis demonstrates that decentralisation is not a simple path to deregulation but rather a complex exercise in navigating the regulatory landscape. A protocol that successfully avoids classification as a crypto-asset service provider under MiCAR by using a mechanical, non-discretionary oracle may, by virtue of that very design, give rise to substantial arguments for qualification under the Benchmark Regulation. The controller of a price-feed oracle, for instance, may shift from being a potential CASP to a benchmark administrator, subject to a different but equally comprehensive set of obligations.

Ultimately, functions such as KYC/AML gatekeeping may be regarded as separate compliance obligations and, in themselves, should not automatically trigger authorisation requirements for the underlying protocol. This supports an interpretative approach under which regulation remains focused on the entities that truly control the core financial activity.

Global landscape

Comparable principles – a control-based, function-by-function test with carve-outs reserved for genuinely operator-less infrastructure – are emerging across the major jurisdictions, framed in different vocabularies. Switzerland provides the closest structural analogue, expressly excluding fully decentralised infrastructures without a direct operator from FinMIA, applying a “same risks, same rules” substance-over-form approach, and treating AMLA financial intermediary obligations as separate from licensing. The UK follows the same direction with the FCA’s DP25/1 and CP25/40, applying a “clear controlling person” test that amounts, in substance, to a function-by-function control analysis. The US reaches comparable conclusions through case law (Risley v Uniswap Labs, Sarcuni v bZx DAO, CFTC v Ooki DAO) and emerging legislation (the pending CLARITY Act). Singapore is the principal counter-position, applying activity-based tests with no operator-less carve-out. International standard-setters – IOSCO’s 2023 Final Report on DeFi and the FATF Updated Guidance on VASPs – push harder against the carve-outs but apply the same control-and-influence test structurally. The European framework’s distinctive contribution in Recital 22 is its explicit textual recognition of the operator-less case; the other frameworks reach the same destination through agency guidance, case law or statutory drafting.

Outlook

The phrase “centralised decentralisation” captures the problem. A protocol may be decentralised at the settlement layer but centralised at the access layer; decentralised at the AMM layer but centralised at the oracle layer; and decentralised in code but centralised in governance. A functional legal analysis should ask not whether decentralisation exists in the abstract, but whether the centralised element controls the regulated activity. Although regulatory frameworks differ across jurisdictions, an international trend is emerging towards function-based and control-oriented assessments of decentralised structures. In light of these developments, the EU framework, in terms of regulatory clarity, appears well positioned to consolidate its leading role in this area.