Why the EU crypto industry is not ready for regulation

The favourability of light-touch regimes, the prevalence of unauthorised virtual asset service providers (VASPs) and other insights on the crypto regulatory landscape in Europe.



VASPnet collects data from public authorities around the world on the service providers regulated to conduct virtual asset activities. As of today, the platform has data on 36,227 virtual asset service providers (VASPs) from 66 regulators in 57 countries. More than 80% of the data is refreshed every 24 hours. We analysed the current landscape of VASPs in Europe, and here’s what we found.

Most VASPs in Europe are authorised under light-touch, AML/CFT-only regimes.

More than half of Europe’s authorised VASPs are in Eastern Europe – and Bulgaria, Estonia and Poland are currently regulating more VASPs than any other jurisdictions in the European Economic Area. All three countries regulate virtual asset activity under Anti-Money Laundering (AML) and Combatting Financial Terrorism (CFT) regimes and do not yet have prudential or consumer protection requirements in place. In these jurisdictions, implementation of the Travel Rule, the Financial Action Task Force’s (FATF) recommendation for VASPs to conduct due diligence on counterpart VASPs, varies.

In Poland, the Polish Financial Services Authority (KNF) enforces an AML/CFT regime with light registration requirements. Registrants must provide a name, an indication of services provided, a signature and proof of registration as an entrepreneur in the National Court Register. Risk or business assessments, policies and procedures regarding AML/CFT risks and a physical presence in the jurisdiction are not required. The Travel Rule is currently in place, but there is little evidence of ongoing supervision.    

In Estonia, on 15 March 2022, the Parliament adopted the Money Laundering and Terrorist Financing Prevention Act, an AML/CFT Regulation that outlines stricter regulatory scrutiny for VASPs, including an implementation of the Travel Rule. After the deadline for licensed entities to comply passed in June 2022, VASPnet reported on the exodus of crypto businesses from the region. That being said, the jurisdiction currently regulates nearly as many VASPs as all of Western Europe combined.

In Bulgaria, as of 19 August 2020, the National Revenue Agency of the Republic of Bulgaria has an AML/CFT-only regime in place, but there are no existing provisions that require VASPs to comply with the Travel Rule.  

Europe’s forthcoming Markets in Crypto-assets (MiCA) Regulation will harmonise the regulatory approach across the European Union and put in place significant consumer protection and prudential requirements for VASPs. Yet, in its current state, a large part of the private sector crypto industry in Europe is likely unprepared or unequipped to comply.

There’s a higher chance your EU counterpart VASP is not authorised than authorised.

In Europe, the number of VASPs authorised to conduct crypto-asset services is less than the number of VASPs that previously obtained authorisation but are now no longer authorised. This statistic signifies a great deal of transience in the industry and, as we saw in Estonia, perhaps indicates an inability or unwillingness of some firms to comply with existing or enhanced requirements.

According to FATF Recommendations, virtual asset businesses must know whether their counterparts are regulated and be aware of changes to regulatory status and related data in order to make well-informed risk-based decisions. Given recent market events, we expect increased pressure on regulators to enforce the Travel Rule more firmly, a requirement that, to date, has not seen much attention from the industry or regulators.

Most EU regulators do not provide data on VASPs that are not permitted to conduct activities.

To date, not many National Competent Authorities (NCAs) in Europe have published the list of VASPs they have explicitly not permitted to conduct crypto-asset activities. There are only 126 of these entities reported in Europe, with the majority of the transparency coming from NCAs in France and Malta. The lack of complete data on the matter suggests there are likely many more VASPs in this category.

It will remain a difficult task for private sector crypto businesses to comply with Europe’s forthcoming version of the Travel Rule, the Transfer of Funds Regulation (ToFR), if they are unable to determine when VASPs have been prohibited and by which NCAs. The industry will need increased transparency from EU regulators in order to meet its compliance requirements.