With the Markets in Crypto-Assets Regulation (hereinafter “MiCA” or the “Regulation”) now in force and its implementation underway, the EU has taken a landmark step in establishing a harmonised regulatory framework for crypto‑assets. Yet, its scope remains focused on centralised actors, such as crypto-asset service providers (CASPs) and stablecoins, which represent the more structured and institutionally tractable segments of the crypto market. The ongoing push to develop a digital euro further highlights the EU’s commitment to integrating tokenised money into its monetary framework.

Meanwhile, decentralised finance (DeFi), characterised by autonomous smart contracts and permissionless protocols, continues to evolve, largely outside traditional supervisory paradigms. According to the joint report published by the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA), on ‘Recent Developments in Crypto Assets’ (the “Report”):

“DeFi remains a niche phenomenon, with amounts locked in DeFi protocols representing 4% of all crypto-asset market value at the global level”.

But “niche” does not mean static. It certainly does not mean regulatory irrelevance. MiCA’s framework largely overlooks DeFi and leaves many uncertainties unresolved. As innovation races ahead, a critical question emerges: can a law designed for today’s crypto market keep pace with the decentralised financial architectures of tomorrow?

To answer this, it is first necessary to understand what DeFi encompasses and how it fundamentally differs from the centralised systems that MiCA seeks to regulate.

---

While MiCA does not define DeFi – a deliberate omission reflecting the absence of a settled legal taxonomy – the Report describes it as:

‘‘A system of financial applications built on blockchain networks that aims to replicate some of the functions of the traditional financial system in a seemingly open and permissionless way, eliminating traditional financial intermediaries and centralised institutions.’’

DeFi operates on distributed ledger technology, which enables data to be shared and updated across a network without a central authority responsible for governance or accountability. These systems typically rely on cryptographic security, distribution of data across multiple participants, automation of functions and in many cases, decentralised control.

Functionally, DeFi mirrors many services found in centralised finance (CeFi), such as asset exchanges, lending, leveraged trading and stablecoins. However, the distinction lies in control: CeFi platforms are operated by identifiable entities that manage user assets and compliance, while DeFi protocols allow users to interact directly with financial services through smart contracts, without intermediaries. Notably, crypto lending in DeFi has redefined traditional lending models by enabling direct peer-to-peer transactions through decentralised applications. This shift offers greater transparency and autonomy but also introduces new risks.

As highlighted by ESMA in its Report, these risks include, among others, information and communication technology (ICT) vulnerabilities, heightened money laundering and terrorist financing (ML/FT) risks and significant consumer protection concerns. These risks expose the tension between DeFi’s code-based architecture and MiCA’s legally anchored framework.

---

MiCA aims to establish a comprehensive framework for crypto-assets within the EU. However, it consciously avoids engaging with decentralised systems and entities such as decentralised autonomous organisations (DAOs). From the outset, the EU legislator opted not to address directly whether DAOs could issue crypto-assets or qualify for authorisation as CASPs under EU law.

MiCA’s starting point is clear: as stated in Article 2(1), it applies to “natural and legal persons and certain other undertakings”. This scope is mirrored in the definitions found in Article 3 of “issuer”, “offeror” and “crypto-asset service provider”. However, Article 4(1)(a) exclusively limits the issuance of crypto-assets that are not stablecoins to legal persons, meaning that only entities with a separate legal personality may undertake such activity.

Notably, this restriction applies only to the lighter regulatory regime covering the issuance of crypto-assets which are not stablecoins. In contrast, the more demanding regimes for asset-referenced tokens (ARTs) and CASPs are extended to include “other undertakings” alongside legal persons. Articles 16(1)(a) and 18(1) regarding ART issuers and Article 59(1)(a) regarding the requirements of CASP authorisation make this distinction explicit. These “other undertakings” may participate only if “their legal form ensures a level of protection for third parties’ interests equivalent to that afforded by legal persons and if they are subject to equivalent prudential supervision appropriate to their legal form”, as required by Articles 16(1) and 59(3). In practice, it appears that most DAOs will be structurally incapable of meeting this threshold.

---

By confining its regulatory reach to entities with legal personality or equivalent status, MiCA effectively excludes decentralised arrangements from its direct regulatory scope. This omission sits uneasily with its objectives, particularly its commitment to protect investors, clients and crypto-asset holders, as stated in Article 1 and throughout its Recitals. Most DAOs, lacking legal personality, would fail to meet the conditions imposed on “other undertakings”. Consequently, they could neither issue asset-referenced tokens nor obtain authorisation as CASPs under the current regime.

Recital 22 of the Regulation confirms this approach. While Recital 22 provides that the Regulation should apply to activities performed in a “decentralised manner”, it further states that such activities do not fall within the scope of the Regulation ‘‘[w]here crypto-asset services are provided in a fully decentralised manner without any intermediary […]” In such cases, where there is no identifiable issuer, the rules on issuance simply do not apply. Nevertheless, Recital 22 clarifies that CASPs offering services relating to such decentralised crypto-assets remain covered by MiCA. However, this limited inclusion only deepens the ambiguity surrounding DeFi’s regulatory perimeter.

---

Perhaps the most striking unresolved issue in MiCA’s approach to DeFi lies not in what it regulates, but what it leaves undefined. The Regulation refers to services being performed in a “fully decentralised” manner yet provides no guidance on what this actually entails. This risks transforming ‘full decentralisation’ into a post hoc enforcement label rather than a legal test. No criteria are provided to distinguish between varying degrees of decentralisation, nor any framework to determine when a service crosses the threshold from being merely “partially” decentralised to “fully” so. ESMA, while acknowledging this gap in its Report, likewise refrains from offering interpretative guidance.

This lack of clarity risks generating substantial legal uncertainty, leaving both regulators and market participants without a reliable basis for assessing compliance or enforcement obligations.

---

The EU’s cautious stance may be traced to the still-nascent state of legal thinking around DAOs. Although the DAO ecosystem has grown rapidly, fundamental questions of accountability, liability and governance remain unresolved. For instance, who would be responsible for a DAO-issued white paper, or how could prudential supervision be enforced in the absence of a centralised entity? These uncertainties likely influenced the EU legislator’s decision to avoid premature regulation.

As a result, MiCA’s engagement with DeFi is partial, extending only to identifiable actors while leaving decentralised systems largely outside its reach. This narrow focus reflects a pragmatic attempt to regulate what can be effectively supervised today, rather than what may dominate the market tomorrow.

Yet, by leaving fully decentralised finance largely unaddressed, the EU has created a regulatory frontier. Here, Malta stands out as a jurisdiction with early experience and institutional maturity. Malta was among the first to introduce a comprehensive legal framework for crypto-assets through the Virtual Financial Assets Act, establishing clear rules for issuance, licensing and investor protection. The Malta Financial Services Authority (MFSA) has been at the forefront of this effort, demonstrating a careful yet innovative approach to regulating emerging technologies.

Within the boundaries of MiCA, Malta is well positioned to continue its role as an early adopter and experienced regulatory jurisdiction. This could be achieved through initiatives such as regulatory sandboxes, the issuance of interpretative guidance and the publication of best practices for DeFi actors interacting with regulated entities within the limits of ESMA supervisory convergence.

Comparable approaches have already emerged in other Member States. Notably, in Denmark, the Danish Financial Supervisory Authority has published guidance clarifying how existing financial regulation may apply to crypto-assets and decentralised arrangements, focusing in particular on functional activity rather than formal legal structure. While such guidance does not create new legal obligations, it provides market participants with a degree of regulatory predictability in an area where EU-level legislation remains deliberately silent.

These national initiatives illustrate how Member States can play a constructive role in operationalising MiCA by addressing its interpretative gaps without undermining harmonisation. By adopting a similarly proactive stance, Malta has the opportunity to operationalise MiCA’s principles in areas where EU‑level legislation remains deliberately silent. Ultimately, whether MiCA’s silence proves prudent caution or a missed opportunity will depend on the pace and direction of DeFi’s evolution. For now, the message is clear: decentralisation sits at the current edge of crypto-regulation, presenting a challenge that progressive jurisdictions like Malta may be uniquely positioned to address.

---