DAC8 has two clear objectives:

• to bring crypto‑asset activity within mandatory tax reporting and
• to streamline and strengthen the existing cooperation architecture between tax authorities.

In practice, this means that traditional financial institutions and a wide spectrum of digital‑asset operators with a Luxembourg nexus face materially higher expectations on data capture, due diligence, reconciliation and governance.

The changes reach well beyond the Markets in Crypto-Assets Regulation (MiCA) authorised providers; any firm handling, exchanging or safeguarding crypto‑assets may fall within the definition of a Reporting Crypto‑Asset Service Provider and be required to register, conduct due diligence and report annually.

Crypto-Asset Reporting Framework

The most notable innovation under DAC8 is the introduction of the Crypto-Asset Reporting Framework (CARF). Under CARF, entities that facilitate crypto‑asset transactions must identify reportable users through self‑certification and verification processes, notify those users about data collection, and file annual returns to the Luxembourg tax authorities.

Reporting covers specified user and transaction data, and nil returns are expected where no reportable users exist. Where a crypto‑asset provider is also a Reporting Financial Institution under the CRS, the framework permits limited simplifications to avoid duplication; however, these do not remove the need for robust, documented controls around onboarding, classification and reporting.

• Scope: The CARF brings a wide array of CASPs operating with a Luxembourg nexus into scope, regardless of their authorisation status under MiCA. This includes operators not previously subject to oversight.
• Definition: DAC8’s definition of crypto-assets is comprehensive, extending to all digital assets that can serve as payment or investment vehicles.
• Obligations for CASPs:
  • Registration: CASPs must register with Luxembourg tax authorities. MiCA-authorised entities are registered automatically.
  • Due diligence and self-certification: CASPs are required to classify users via self-certification and carry out verification to determine reportable persons.
  • User notification: Individuals whose data is reportable must be promptly notified regarding collection and correction rights.
  • Annual reporting: Reportable user details and relevant transaction data must be submitted annually, including nil filings where applicable.

Streamlined processes exist for CASPs also qualifying as Reporting Financial Institutions under the Common Reporting Standard (CRS), reducing duplicative reporting and administrative complexity.

CRS 2.0: broader scope, finer granularity

In parallel, DAC8 upgrades CRS. The scope now explicitly encompasses crypto‑assets, e‑money institutions and holdings of central bank digital currencies. The definition of financial assets and relevant account types has been modernised to reflect these instruments, placing digital‑first and traditional providers on comparable footing.

Reporting will become more granular, including the status of self‑certification, joint‑account characteristics, precise account classifications, and the roles of reportable persons in investment entities as well as the mandatory roles of controlling persons of passive entities. Due diligence expectations rise accordingly.

Institutions are expected to make reasonable, documented efforts to obtain missing tax identification numbers and dates of birth for pre‑existing accounts during routine AML and KYC refreshes, to reconcile inconsistencies across FATCA, CRS and AML datasets, and to maintain a comprehensive register of actions covering policies, governance decisions, training and oversight of outsourced providers.

Other measures to note

Beyond CARF and CRS 2.0, DAC8 widens the automatic exchange of information on cross‑border tax rulings affecting high‑net‑worth individuals, aligning member states on disclosure thresholds and scope.

It incorporates the Court of Justice’s 2022 clarification on legal professional privilege within DAC6, relieving lawyers of any duty to notify other intermediaries while preserving obligations to inform their own clients.

It introduces automatic exchange for certain cross‑border life‑insurance death benefits not otherwise reportable under CRS, and it rationalises aspects of DAC7 platform reporting by allowing more extensive reliance on third‑party identity and tax‑residence verification solutions.

Timeline and compliance implications

• Effective date: DAC8 applies retroactively from 1 January 2026.
• First reporting: Initial filings under the new rules are required by 30 June 2027, covering the 2026 reporting year.

Practical impact

Meeting DAC8 expectations requires coordinated action across legal, tax, compliance, technology and operations. For crypto‑asset providers, this means implementing classification logic aligned to CARF definitions, embedding self‑certification and verification at onboarding and refresh, and building reporting pipelines capable of consolidating transaction‑level data with validated customer attributes.

For financial institutions, it means updating customer due diligence playbooks and onboarding forms to capture the expanded CRS data points, enhancing reconciliation between AML, FATCA and CRS records and instituting a governance register that evidence policy changes, decision‑making, training and oversight of service providers.

Across both groups, clear record‑keeping, audit‑ready workflows and defensible interpretations will be critical to reduce penalty exposure and reputational risk.

Failure to comply with DAC8’s requirements may result in regulatory penalties. Prompt action is recommended to safeguard compliance and maintain operational resilience in the evolving landscape of tax transparency.

The law can be found here