Blockchain & Crypto-Assets 2026 Comparisons

Several regulatory authorities are relevant to blockchain and crypto-asset activities in Spain, each covering distinct aspects of supervision.

The CNMV is the primary markets regulator and plays a central role within the MiCA framework in the authorisation and supervision of crypto-asset service providers (CASPs), with responsibility for investor protection, market integrity, and the oversight of asset-referenced tokens. The Bank of Spain supervises payment services and electronic money issuance and is the competent authority for issuers of e-money tokens under MiCA, while also contributing to financial stability oversight. SEPBLAC is the primary AML/CFT supervisory authority, ensuring compliance with EU anti-money laundering rules applicable to crypto-asset activities. The Ministry of Economy, Trade and Business performs policy co-ordination functions, including oversight of the regulatory sandbox framework. The Spanish Tax Authority (AEAT) supervises fiscal compliance and reporting obligations relating to crypto-assets, including Form 721 and the implementation of DAC8.

Spanish regulators have aligned closely with international standards, primarily through EU-level harmonisation. FATF recommendations on virtual assets are implemented through the EU AML framework. IOSCO principles on investor protection and market conduct are reflected in MiCA and the broader EU securities regime applied by the CNMV. BIS financial stability considerations are incorporated into the prudential elements of the EU regulatory architecture, particularly as implemented by the Bank of Spain. Overall, Spain’s engagement with these international bodies is channelled predominantly through EU institutions rather than direct national-level co-ordination.

Under MiCA, crypto-assets in Spain are classified into three principal categories: utility tokens, asset-referenced tokens (ARTs), and e-money tokens (EMTs). Crypto-assets that qualify as financial instruments under MiFID II fall outside the scope of MiCA and remain subject to the existing EU securities framework. NFTs are generally excluded unless they are fractionalised, functionally fungible, or otherwise exhibit characteristics bringing them within the scope of financial regulation.

Spain does not have a standalone national crypto-asset regime. The primary framework is MiCA, which is directly applicable and governs the issuance, public offering, and provision of services relating to crypto-assets. Where crypto-assets qualify as financial instruments, the existing EU securities framework – including MiFID II – applies instead.

Regulated activities under MiCA include custody and administration of crypto-assets, operation of trading platforms, exchange services between crypto-assets and fiat currency, execution of orders, placement, transfer services, and provision of advice on crypto-assets. These activities require authorisation by the relevant national competent authority, primarily the CNMV, and in certain cases the Bank of Spain in relation to EMT-related functions.

Prohibited activities include the offering of ARTs or EMTs without prior authorisation, the publication of a non-compliant white paper, and market abuse behaviours such as insider dealing and market manipulation. While MiCA does not fully mirror the MiFID II retail/professional distinction, it imposes enhanced disclosure and marketing requirements where retail clients are targeted, resulting in a differentiated compliance burden in practice.

Over the next 12 months, one of the most significant regulatory developments will be the expiry of the MiCA transitional arrangements applicable in Spain on 1 July 2026. Following the end of this grandfathering period, crypto-asset service providers previously operating under the former Spanish AML registration regime will generally be required to hold full MiCA authorisation in order to continue providing regulated crypto-asset services within Spain and across the European Union. Additional regulatory developments are also expected in relation to the implementation of DAC8 reporting obligations, the EU AML package, comprising the directly applicable Anti-Money Laundering Regulation (AMLR), the Sixth Anti-Money Laundering Directive (AMLD6), and the establishment of the EU Anti-Money Laundering Authority (AMLA), as well as technical standards and supervisory guidance issued under MiCA.

The use of a regulated legal wrapper does not alter the underlying classification of crypto-assets under MiCA or, where applicable, EU securities law, but it materially affects how exposure is structured, supervised, and disclosed. The regulatory focus shifts from the asset itself to the obligations of the regulated entity managing the investment.

Where crypto-assets are held through collective investment structures, the applicable framework depends on the vehicle used. UCITS funds are subject to strict eligibility, liquidity, and diversification requirements that in practice significantly constrain direct exposure to crypto-assets. Alternative Investment Funds (AIFs) under the AIFMD framework offer greater flexibility, but remain subject to risk management, valuation, leverage, and custody requirements supervised by the CNMV in Spain. Neither framework has been specifically adapted to crypto-assets, meaning fund managers must apply general regulatory principles to assets with distinctive operational and risk profiles.

Regulated firms and fund managers with material crypto-asset exposure must address overlapping regulatory considerations. From a prudential perspective, financial institutions and regulated entities with material crypto-asset exposure may also become subject to enhanced capital, risk management, and supervisory expectations, particularly in light of evolving EU prudential standards and international guidance relating to digital asset exposures. Additional considerations may arise where the relevant crypto-assets qualify as financial instruments, e-money tokens, or tokenised securities, in which case overlapping MiFID II, AIFMD, UCITS, MiCA, AML/CFT, and market abuse requirements may apply simultaneously.

There is a viable crypto-asset issuance market in Spain, increasingly shaped by the MiCA framework following years in which ICOs operated in a largely unregulated environment. Issuance activity is now progressively channelled through compliant structures, and Spain has seen meaningful participation from blockchain projects seeking to launch within the EU regulatory perimeter.

Under MiCA, the public offering or admission to trading of crypto-assets requires the preparation and publication of a crypto-asset white paper containing prescribed disclosures on the issuer, the project, the rights and obligations attached to the token, the underlying technology, associated risks, and the use of proceeds. The white paper must be notified to the CNMV prior to the offer, although no authorisation is required for utility tokens. Issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) are subject to a more stringent regime, including prior authorisation, ongoing prudential requirements, and reserve asset obligations.

Certain exemptions may apply, including offers to fewer than 150 persons per member state, offers below EUR1 million over a twelve-month period, and certain limited cases involving non-fungible crypto-assets, subject to careful assessment of their characteristics.

MiCA also imposes conduct and disclosure obligations on issuers and offerors, requiring marketing communications to be fair, clear, and not misleading, and to remain consistent with the information contained in the white paper. The regime additionally introduces express civil liability for misleading, inaccurate, or incomplete disclosures, representing a substantial increase in regulatory and litigation exposure compared to the pre-MiCA environment.

In practice, the viability of launching a crypto-asset project from Spain now depends heavily on careful token classification, the regulatory characterisation of the proposed activity, compliance with MiCA disclosure and conduct requirements, and the ability to implement adequate governance, AML/CFT, and operational controls from the outset.

Spain applies a dual market abuse framework to crypto-assets, determined by the legal classification of the asset. Where a crypto-asset qualifies as a financial instrument under MiFID II, the EU Market Abuse Regulation (MAR) applies in full, prohibiting insider dealing, unlawful disclosure of inside information, and market manipulation on the same basis as traditional securities.

For crypto-assets falling within the scope of MiCA, a dedicated market abuse regime applies. This framework is largely modelled on the EU Market Abuse Regulation (MAR), while being adapted to the specific operational characteristics of crypto-asset markets. The prohibited behaviours are broadly aligned with those prohibited under MAR and include insider dealing, unlawful disclosure of inside information, and market manipulation in relation to crypto-assets admitted to trading on a crypto-asset trading platform. “Inside information” is also defined in substantially similar terms, namely precise information of a non-public nature which, if made public, would be likely to have a significant effect on the price of the relevant crypto-asset or related crypto-assets.

Important differences arise in practice. MAR operates within a framework of established issuers, regulated venues, and formal disclosure channels, facilitating the identification of insiders and the monitoring of trading activity. By contrast, the MiCA regime applies to a more fragmented and decentralised environment, where the absence of a centralised issuer – particularly for protocol-based or decentralised crypto-assets – and the pseudonymous nature of blockchain transactions complicate the identification of insiders, attribution of liability, and effective enforcement.

Supervisory responsibility in Spain rests with the CNMV, which is expected to play an increasingly active role in monitoring market integrity in crypto-asset markets.

Enforcement in Spain against crypto-asset firms has historically been moderate, focusing primarily on registration breaches, misleading advertising, and AML/CFT failures under pre-existing frameworks. Prior to MiCA, the principal tools available to the CNMV included administrative fines, public warnings, and the inclusion of entities in supervisory warning lists – measures which, while limited in scope, have operated as effective reputational deterrents in the Spanish market. The Bank of Spain has played a more limited role, primarily in relation to AML registration and supervisory functions.

With MiCA entering into application, the enforcement framework is becoming significantly more structured. The regulation introduces a harmonised sanctioning regime, including administrative fines, withdrawal of authorisation, temporary suspension of services, and public disclosure of infringements. Spanish competent authorities are expected to make increasing use of these powers as transitional arrangements expire in July 2026 and the full population of CASPs becomes subject to authorisation requirements.

Cross-border enforcement remains structurally challenging. Spanish regulators have addressed breaches by non-EU entities primarily through public warnings and co-ordination with other EU competent authorities via ESMA, including supervisory convergence efforts and information exchange. Practical enforcement against entities operating from outside the EU without authorisation remains limited, reflecting jurisdictional constraints inherent to decentralised and cross-border markets.

Looking ahead, the regulatory stance is expected to become more assertive, with increased supervisory co-ordination at EU level and a stronger focus on authorisation compliance, market conduct, and investor protection. The establishment of the EU Anti-Money Laundering Authority (AMLA), with responsibilities over AML/CFT supervision of certain obliged entities including CASPs, is also expected to reinforce the cross-border enforcement framework.

The primary trigger for licensing in Spain is the provision of crypto-asset services falling within the scope of MiCA on a professional basis. Regulated activities include custody and administration of crypto-assets, operation of trading platforms, exchange services between crypto-assets and fiat currency or between crypto-assets, execution of orders, placement, transfer services, and the provision of advice or portfolio management in relation to crypto-assets. The mere use of blockchain technology, without the provision of regulated services, does not itself trigger a licensing requirement.

MiCA operates on an EU-wide basis through a system of authorisation and passporting. Firms authorised in one EU member state may provide services across the EU, including Spain, without requiring additional local authorisation. Entities established outside the EU must obtain authorisation in an EU member state in order to provide crypto-asset services within the Union. In assessing territorial nexus, factors such as targeted marketing to Spanish clients, use of Spanish language communications, and the location of effective management or operational control may be relevant in determining whether activities are deemed to be carried out in Spain.

Transitional (grandfathering) provisions apply to entities previously registered under pre-MiCA national AML regimes. These firms may continue operating until July 2026 while seeking full MiCA authorisation. During this transitional period, however, they are subject to limitations, including the inability to exercise passporting rights and constraints on expanding the scope of services. Full authorisation is required to access the EU single market on a cross-border basis.

In Spain, CASP authorisation under MiCA is granted by the CNMV as the competent authority, with the Bank of Spain acting as the competent authority for certain EMT-related aspects. Applications must be submitted in accordance with the harmonised requirements set out in MiCA and relevant ESMA technical standards, and must demonstrate full compliance across organisational, governance, prudential, and operational dimensions before authorisation is granted.

From a substance perspective, applicants must establish a clear organisational structure with well-defined lines of responsibility, effective risk management and internal control frameworks, business continuity arrangements, and ICT and cybersecurity policies consistent with the Digital Operational Resilience Act (DORA). Regulators assess whether meaningful decision-making, oversight, and control functions are effectively located within the EU, and structures that resemble shell or purely booking entities are unlikely to meet supervisory expectations.

On personnel, MiCA requires that members of the management body and holders of key control functions – including compliance, risk management, and AML – satisfy fit and proper requirements and possess appropriate knowledge, skills, and experience. While no formal local staffing quotas apply, authorities assess whether governance arrangements ensure effective oversight and accountability within the jurisdiction.

Prudential requirements are calibrated to the services provided, with minimum own funds ranging from EUR50,000 for advisory or order execution services to EUR150,000 for custody and exchange services. CASPs must maintain ongoing compliance with these capital requirements and implement appropriate safeguarding measures for clients’ crypto-assets and funds, including segregation, custody protections, and operational control.

The authorisation process involves detailed substantive review by the CNMV, including assessment of qualifying shareholders, governance arrangements, senior management, AML/CFT controls, outsourcing structures, and operational resilience measures. The process is typically iterative, with the regulator empowered to request additional information and clarifications before granting authorisation.

In Spain, change-of-control transactions involving crypto-asset service providers (CASPs) are subject to mandatory prior supervisory assessment under Regulation (EU) 2023/1114 (MiCA), consistent with the harmonised EU framework applicable across regulated financial services. Any direct or indirect acquisition of a qualifying holding – generally starting at thresholds of 10%, 20%, 30% or 50% of capital or voting rights, or any transaction resulting in the ability to exercise significant influence over the management of the CASP – triggers a prior notification requirement to the competent authority in Spain, the CNMV.

The assessment is carried out under MiCA and the relevant EU implementing and delegated acts governing qualifying holdings. The CNMV must evaluate the proposed acquisition against five statutory criteria:

• the reputation of the proposed acquirer;
• the suitability of any persons who will direct the business of the CASP following the acquisition;
• the financial soundness of the acquirer;
• the ability of the target CASP to continue complying with applicable prudential requirements; and
• the absence of reasonable grounds to suspect money laundering or terrorist financing risks arising from the transaction.

The CNMV conducts its assessment within a maximum statutory period of 60 working days from acknowledgement of a complete notification, during which it may approve, conditionally approve, or oppose the transaction. The regime is based on EU maximum harmonisation, meaning member states are generally not permitted to introduce additional substantive assessment criteria.

In practice, thorough preparation of the notification file is essential, including full ownership structures, source of funds documentation, and governance impact analysis. Transactions involving non-EU acquirers or complex holding structures typically attract enhanced scrutiny, particularly from an AML/CFT perspective. Completion of a notifiable acquisition without prior approval may result in significant supervisory measures, including suspension of voting rights.

Licences obtained in Spain under MiCA benefit from the EU passporting regime, allowing authorised crypto-asset service providers (CASPs) to operate across the European Union without obtaining separate authorisations in each jurisdiction. Once authorised by the CNMV, a CASP may provide services in other member states either on a cross-border basis or through the establishment of a branch.

The passporting mechanism is based on a harmonised notification system rather than separate host state authorisation. The CASP must notify its home competent authority (the CNMV) of its intention to provide services cross-border, including details of the member states concerned, the services to be provided, the intended start date, and any ancillary activities. The CNMV must then transmit this information to the relevant host authorities and EU bodies within a short statutory timeframe.

While no additional licences are required in host member states, CASPs remain subject to ongoing supervision by the CNMV and must comply with applicable non-harmonised local rules, particularly in relation to conduct of business, consumer protection, and AML/CFT obligations.

No additional capital or structural requirements apply for passporting. The key condition is prior authorisation under MiCA in Spain and completion of the cross-border notification process in accordance with Article 65 before commencing activity abroad.

In Spain, the cross-border provision of crypto-asset services is regulated under MiCA. EU-based CASPs authorised in another member state may provide services into Spain under the passporting regime. No separate authorisation from the CNMV is required. Incoming CASPs must nonetheless comply with applicable conduct-of-business, consumer protection, and AML/CFT rules on an ongoing basis.

For non-EU firms, access to the Spanish market is materially more restricted. Third-country entities cannot passport into Spain and must either obtain authorisation within the EU or operate through an authorised EU CASP. Direct provision of services to Spanish clients without authorisation would be in breach of the MiCA authorisation requirement, particularly where there is active solicitation through Spanish-language marketing, targeted advertising, or local onboarding processes.

The principal exemption available to third-country firms is reverse solicitation which applies where a client initiates the relationship entirely on its own exclusive initiative. ESMA has issued supervisory guidelines, which are expected to be followed by competent authorities, adopting a strict interpretation of this exemption. Solicitation is interpreted broadly and in a technology-neutral manner, and includes digital marketing, social media activity, and platform-based promotion. Disclaimers alone are not sufficient to establish reverse solicitation in practice.

Regarding marketing and disclosure, MiCA harmonises requirements. All communications must be clearly identifiable as advertising, fair, clear and not misleading, and consistent with the relevant white paper. Competent authorities, including the CNMV, may require correction or withdrawal of non-compliant communications.

Under MiCA in Spain, white-label and regulatory hosting arrangements are not expressly prohibited, but they do not allow an unlicensed entity to circumvent authorisation requirements. The authorised crypto-asset service provider (CASP) – whether licensed by the CNMV or passporting into Spain from another EU member state – remains fully responsible for all regulated services performed under its licence, regardless of any outsourcing or branding arrangements.

MiCA establishes a strict outsourcing framework requiring CASPs to retain full accountability and ensure that outsourcing does not result in the delegation of responsibility, the alteration of client relationships, or the weakening of supervisory oversight. In particular, outsourcing must not prevent competent authorities from effectively supervising the CASP, and firms must maintain adequate resources, expertise, and access to information to manage outsourced functions.

In practice, external firms may provide technology, interfaces, or distribution capabilities, while the CASP must retain effective control over regulated activities, including compliance and risk management. However, ultimate responsibility for regulatory obligations, including AML/CFT compliance, remains with the CASP at all times.

Spanish regulators apply a substance-over-form approach when assessing white-label structures. Where the arrangement results in the outsourcing entity effectively performing regulated services independently, or where the CASP lacks meaningful operational control, authorities may recharacterise the structure as unauthorised provision of crypto-asset services.

There is no specific white-label licensing regime under MiCA. Outsourcing arrangements are permitted provided they are supported by robust contractual safeguards, ongoing oversight, and adequate governance and contingency planning, ensuring that the CASP retains genuine operational substance and control over the services provided.

Accordingly, white-label models are generally viable only where supported by robust contractual arrangements, effective governance, ongoing oversight, and a demonstrable operational role retained by the authorised CASP.

Spain does not recognise DeFi as a standalone regulatory category, and there is no specific regime expressly permitting or prohibiting decentralised finance. Instead, Spanish supervision follows a functional, activity-based approach, whereby DeFi-related activities are assessed under existing frameworks such as MiCA, MiFID II, payment services regulation, and AML/CFT rules where relevant.

Fully decentralised protocols with no identifiable issuer, operator, or controlling governance body may, depending on the factual structure, fall outside the scope of regulated financial services. However, this does not create a regulatory safe harbour. Where a person or entity exercises effective control, provides a user interface, or intermediates access to a protocol, that party may be deemed to be providing regulated crypto-asset services under MiCA, triggering authorisation and full compliance obligations.

CeFi firms operating in Spain – whether authorised domestically or passporting under MiCA – may interact with DeFi protocols, but only within the scope of their regulated activities. Where DeFi functionality is embedded into client-facing products, firms must ensure compliance with MiCA governance, custody, conflict-of-interest, and AML/CFT requirements.

Regulators focus on risks including loss of custody and control, smart contract vulnerabilities, governance attacks, valuation and liquidity uncertainty, and reduced traceability in permissionless systems. Firms are expected to conduct enhanced technical and AML due diligence, ensure robust client disclosures, and maintain full regulatory accountability even where execution is decentralised or automated.

Spain does not recognise DeFi or decentralised autonomous organisations (DAOs) as distinct legal or regulatory categories, and there is no specific legal framework governing their organisation or operation.

DAOs do not have legal personality under Spanish law. Accordingly, any governance, treasury, or operational activity connected to Spain must ultimately be attributable to identifiable natural or legal persons. In practice, DeFi projects with links to Spain are therefore commonly structured through traditional legal entities, such as limited liability companies, foundations, or foreign entities, which act as operational, development, governance, or interface vehicles in connection with the protocol.

There are no capital or substance requirements for establishing a DeFi protocol as such, as the development of decentralised software is not regulated. However, where an entity performs activities that qualify as crypto-asset services under MiCA – such as custody, exchange, execution of orders, or portfolio management – full CASP authorisation requirements apply. These include minimum own funds, governance and internal control standards, operational substance, and AML/CFT obligations.

Spain has not yet developed DeFi-specific case law or regulatory enforcement addressing harm caused by decentralised protocols. Accordingly, accountability and liability are assessed through general civil, administrative, and financial regulatory principles, with authorities focusing on whether any identifiable actor exercises effective control or intermediates user access.

Spanish regulators and courts apply a substance-over-form approach. Where a protocol is genuinely decentralised and lacks an identifiable issuer, operator, or controlling governance structure, enforcement is constrained by the requirement to attribute liability to a natural or legal person.

From a civil-law perspective, both contractual and non-contractual (tort) liability may arise where users interact through identifiable intermediaries. Where corporate structures are involved, directors’ liability rules may also be engaged in cases involving governance failures, inadequate controls, or misleading conduct.

Although Spain has not issued landmark judicial decisions addressing harm caused purely by autonomous DeFi protocols, regulators are likely to approach DeFi-related misconduct through existing frameworks relating to unauthorised financial services, AML/CFT compliance, consumer protection, market abuse, misleading marketing practices, and operational risk management.

Payments in crypto-assets are permitted in Spain, but they are not recognised as legal tender. Crypto-assets such as Bitcoin or Ether may be used as a means of exchange between private parties, and merchants may voluntarily accept them. However, only the euro benefits from legal tender status and the associated protections under EU monetary and payment law.

Regulation focuses primarily not on the act of paying with crypto-assets, but on the intermediaries facilitating such payments. Where a provider offers custody, exchange, transfer, or payment-processing services involving crypto-assets, it will generally fall within the scope of a crypto-asset service provider (CASP) under MiCA and require authorisation. In Spain, CASPs are supervised primarily by the CNMV, with the Bank of Spain involved where e-money tokens or payment institution frameworks are engaged.

Where crypto-asset payment flows involve fiat conversion, electronic money, or payment accounts, additional regulatory regimes may apply, including PSD2 and e-money regulation, potentially triggering licensing as a payment or e-money institution depending on the structure of the service.

In this regard, the European Commission has proposed a revised Payment Services Directive (PSD3) together with a directly applicable Payment Services Regulation (PSR), which will update and replace PSD2. These instruments are expected to strengthen the regulatory framework applicable to the intersection between payment services and crypto-asset activities, including in relation to providers facilitating fiat-to-crypto conversions and the interaction between CASPs and payment or electronic money institutions. CASPs whose services involve payment-related functionalities should monitor these developments closely, as the PSR will introduce new requirements directly applicable across all member states. Additionally, the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113, the “TFR”) imposes the so-called “travel rule” on CASPs, requiring them to collect, verify, and transmit originator and beneficiary information in crypto-asset transfers. The TFR is directly applicable and complements MiCA’s AML/CFT framework, ensuring that crypto-asset transfers are subject to traceability requirements equivalent to those applicable to traditional wire transfers.

Spain does not apply a standalone regime to tokenised assets or real-world assets (RWA) on blockchain. Instead, regulation follows the EU’s technology-neutral, activity-based approach, meaning the legal treatment depends on the nature of the underlying asset rather than its tokenised form.

Where a token represents a financial instrument under MiFID II – such as tokenised shares, bonds, money-market instruments, or fund units – it is regulated exactly like its traditional equivalent. This triggers the full EU securities framework, including prospectus requirements, investment firm authorisation, market abuse rules, custody and settlement obligations, and trading venue regulation. Tokenisation affects only the technical form of issuance or transfer, not the regulatory classification.

Tokenised RWAs that do not qualify as financial instruments fall under general civil and commercial law. However, where such tokens are issued, offered, or traded as crypto-assets, they fall within the scope of MiCA, unless they qualify as financial instruments, in which case MiCA does not apply.

Compared with non-blockchain equivalents, tokenisation does not alter the legal nature of the asset, but it introduces additional supervisory focus.

Spain has also positioned itself as relatively receptive to tokenised financial instruments through the implementation of the EU DLT Pilot Regime and the amendments introduced by Law 6/2023 on Securities Markets and Investment Services, which expressly recognise the issuance and representation of certain financial instruments through distributed ledger technology systems.