Although still young, the French Web3 ecosystem – i.e., French players building products and services based on distributed ledger technology (“DLT”) – is expanding quickly and has emerged as a leading European hub. It now counts several hundred players at different stages of maturity, mainly pure‑play startups and scale‑ups, with four having reached unicorn status in recent years (Ledger, Sorare, The Sandbox, Zama). French firms span crypto‑asset services (brokerage/exchange, payments, custody, market making/prime brokerage, asset management), DLT infrastructure, DeFi, staking, tokenisation of financial instruments and real‑world assets, data/analytics, and sectoral uses (identity, entertainment/luxury, logistics, energy, real estate, health, security/compliance, advisory).

Despite a challenging environment since 2022 (market scandals, rate hikes, tighter financing, strengthened EU rules, rising non‑EU competition), the French Web3 ecosystem has continued to grow and professionalise. Recent industry surveys report strong top‑line growth, ongoing fund‑raising, and rising technical headcount, with crypto/tokenisation FinTechs still attracting significant capital. Cross‑border dynamics are pronounced: leading French players are expanding internationally, and major foreign actors serve French clients through local or passported setups.

Institutional adoption has accelerated. Banks, asset managers, custodians and large corporates now deploy DLT solutions for tokenised issuances, stablecoins, tokenised funds and depositary services, staking/validator operations, supply‑chain traceability and luxury authentication. Partnerships between financial institutions and Web3 natives are multiplying.

While maturing, the French Web3 ecosystem is also repositioning around new key trends, such as Layer 2/3 DLT architectures, interoperability (cross‑chain and with AI), institutional DeFi, (re)staking, and large‑scale tokenisation.

Key challenges remain: solving technical constraints (scalability, interoperability, energy), completing the transition to MiCA, deepening domestic funding, recruiting specialised talent, and broadening retail adoption (c.10% penetration in early 2025). Failure to scale could trigger consolidation favouring international competitors (recent examples of this phenomenon being the sales of Aplo or Exaion).

In short, France has built a credible, diversified, and increasingly institutional Web3 hub, which is positioned for the next wave of innovation. However, leadership is not assured, and the coming years will be decisive as France navigates regulatory transitions, mobilises capital, and scales talent to secure its position as one of the leading forces in the EU Web3 landscape.

France is one of the EU’s most mature Web3 hubs, having been an early mover on tokenisation of unlisted securities and on access to and operation of crypto‑asset markets. When it was first introduced, the French Web3 regulatory framework pursued two main objectives: (i) promoting innovation and (ii) ensuring legal certainty, while mitigating fraud and money laundering and terrorism financing risks, to protect investors and financial stability. The framework provided French market participants with the legal clarity needed to develop their activities from an early stage, while enabling French regulators to gain expertise in regulating and supervising DLT and crypto-asset use cases. This pioneering national regulatory framework thus provided the French authorities with valuable experience, enabling them to influence the negotiations on the latest EU Web3 regulations, particularly the new EU Regulation on crypto-asset markets (“MiCA”), which is said to have been inspired by the French Loi PACTE regime.

The initial French Web3 regulatory framework tightened over time, due to enhanced EU anti-money laundering and combating the financing of terrorism (“AML/CFT”) standards and, above all, the adoption of MiCA making the access to and operation of crypto-asset markets conditional on prior authorisation and strengthened ongoing obligations.

Key milestones include early application of AML/CFT to cryptocurrencies exchanges (2016), permission to issue and transfer unlisted securities on DLT under certain conditions (2017), and the Loi PACTE national framework for “digital assets” (2019).

Under the latter, France introduced: (i) an optional ICO visa regime; (ii) a mandatory so-called PSAN registration regime for custody and crypto/fiat exchange services (extended in 2020 to crypto/crypto exchange and crypto trading platform operation) and (iii) an optional, more demanding so-called PSAN licence regime for broader services (including crypto custody, crypto/fiat and crypto/crypto exchange services, crypto trading platform operation, as well as crypto RTO, portfolio management, advisory, placement/underwriting services).

While the optional PSAN license was more burdensome in terms of regulatory requirements (leading to a very limited number of actual licenses granted), it had the benefit of broader marketing and advertisement permissions and of certifying a higher regulatory compliance standard. Service providers only active on services, other than mentioned under item (ii) above, such as crypto RTO, portfolio management, advisory, underwriting, and/or placement services, and that were not carrying out specific marketing or advertisement activities at the same time, were however able to operate without a PSAN registration or license.

Following the adoption of the directly applicable MiCA regulation (March 2023), France opted for MiCA’s 18‑month transition period and, from 1 January 2024, strengthened the PSAN registration regime for new applicants to align it largely with the PSAN licence (itself close to the mandatory crypto-asset services provider (“CASP”) licence regime introduced by MiCA), except for prudential requirements. Legacy PSANs remained under the initial simpler registration regime during transition.

In parallel, French law has been adapted for the implementation of the EU pilot regime for DLT market infrastructures (the “EU Pilot Regime”).

Since 30 December 2024, French law has also been adapted to implement:

• MiCA: terminology alignment; replacement of the optional ICO visa with MiCA’s mandatory crypto issuance regime (from 30 June 2024 for stablecoins and 30 December 2024 for other crypto-assets); and repeal of the PSAN regime at the end of the 18th-month transition, when the MiCA CASP regime fully applies (1 July 2026). France also created a civil‑law regime recognising crypto‑assets as negotiable intangible property with transfer rules aligned to securities.
• the new EU Regulation on crypto‑asset transfers (“TFR2”), with French adjustments to ensure CASPs are fully subject to national AML/CFT and sanctions rules and to strengthen sector‑specific obligations.

In addition, since April 2025, pledges over crypto-assets are now specifically regulated under French law and the applicable law for transactions in listed financial securities which are registered on a DLT under the EU Pilot Regime has been clarified.

As at end‑2024, France had 100+ registered PSANs (mostly under the simple registration regime) and very few licensed PSANs.

It is expected that the end of the MiCA transitional period in France will likely favour big players, particularly institutional ones which are already regulated under existing EU financial regimes, given that MiCA allows these latter to obtain a CASP status via a simple notification rather than a full CASP licence application, while the hurdles to transform a standalone PSAN registration into a MiCA license can be seen as more significant.

As at the date of this publication, only ten CASPs have been authorised by the AMF under MiCA (Deblock, GOin, Caceis Bank, Bitstack, Metal Gear, Coinshares Asset Management, Finctek, Banque Delubac et Cie, Société Générale-Forge and Relai), three of which were licensed PSANs, two credit institutions (Caceis Bank and Banque Delubac et Cie), one an investment firm and one an alternative investment fund manager.

Supervision mainly rests with three authorities: the French Autorité des marchés financiers (“AMF”) (licensing CASPs, handling crypto offerings/admissions except stablecoins, authorising certain DLT infrastructures), the French Autorité de contrôle prudentiel et de résolution (“ACPR”) (licensing stablecoin issuers, processing notifications by credit institutions, investment firms and e‑money institutions, authorising certain DLT infrastructures), and the Banque de France (“BdF”) (oversight of stablecoins used as means of payment and certain DLT infrastructures). Coordination among them is frequent in practice.

Other relevant authorities include: TRACFIN (suspicious money laundering and tax fraud transaction reports), the Treasury (sanctions policy and implementation), the Agence nationale de la sécurité des systèmes d’information (“ANSSI”) (the French cybersecurity authority, notably in charge with AMF and ACPR of DORA implementation, and of the audits of PSAN IT systems), and the Commission nationale de l’informatique et des libertés (“CNIL”) (the French data protection authority).

French public authorities have quickly shown openness to the emergence of a Web3 ecosystem in France, provided that its development occurs in an orderly manner and under conditions that ensure the protection of investors and the financial system. Beyond regulating and supervising the sector, they have therefore multiplied initiatives to support this ecosystem, with the aim of making it a pillar of France’s future economic and technological sovereignty as well as the European hub for Web3.

For instance, Bpifrance (“BPI”) – i.e., the French public investment bank – has invested heavily in Web3, with more than EUR 150 million injected into DLT projects and support provided to 200 French startups, including direct equity investments and commitments to several dedicated Web3 funds. Under its 2025–2029 plan, BPI will double support, including direct investments in crypto‑assets for French projects.

The French public authorities also back major ecosystem events, such as the Paris Blockchain Week and the French FinTech Weeks, to foster dialogue and partnerships between the ecosystem stakeholders.

Furthermore, the French public authorities directly contribute to the development of the French Web3 ecosystem by initiating or participating in projects and collaborations, including with sector players or other public authorities, either for experimentation purposes to better understand the technology and explore new use cases, or to develop concrete solutions for the market and the public. For example:

• the BdF has launched a series of experiments, in collaboration with various institutional players and public authorities, on the launch of a wholesale central bank digital currency (“CBDC”);
• as early as 2015, the Caisse des Dépôts et Consignations (“CDC”), a public bank, developed Web3 expertise by launching, with French banking and insurance institutions (BNP Paribas, BPCE, AXA, CNP, etc.), LaBChain, a consortium dedicated to exploring and developing the use of DLT in banking, finance, and insurance sectors;
• the CDC has also contributed to several Web3 projects and market experiments, such as (i) the “Archipels” blockchain dedicated to digital identity certification and management, (ii) the issuance of EUR 100 million of bonds via Euroclear’s Digital Financial Market Infrastructure, a DLT‑based infrastructure, in the context of the European Central Bank (“ECB”)’s wholesale CBDC exploratory project, or (iii) the custody of crypto-assets seized in criminal proceedings.

Moreover, national regulators, led by the AMF and ACPR, maintain constant dialogue with French Web3 ecosystem players to foster their understanding of applicable regulations, through several educational initiatives such as dedicated conferences and webinars, as well as the publication of guidelines, Q&As, and explanatory guides. In particular, the ACPR and AMF have set up dedicated “FinTech” teams to support Web3 project leaders and guide them in selecting and implementing their regulated status.

In addition to these daily support actions, French public authorities also play a role in shaping the future regulation applicable to the French Web3 ecosystem including at EU level:

• the ACPR and the AMF are indeed fully engaged in current discussions regarding the future regulation applicable to DeFi and its use cases, with the aim of influencing upcoming EU and international regulatory initiatives in this area. Since 2023, the ACPR and the AMF have been analysing the regulatory risks and challenges raised by DeFi and considering possible regulatory approaches, in consultation with the ecosystem. In particular, these regulators launched, in 2024, a working group on the certification of smart contracts, whose initial findings were published in February 2025 and subject to public consultation. Furthermore, in May 2024, at the request of the AMF, the French Haut Comité Juridique de la Place financière de Paris (the “French Steering Committee”) analysed how decentralised autonomous organisations (“DAOs”) can be tackled under existing French company law, contract law, and liability law.
• French regulators are also pressing for targeted adjustments to existing DLT and crypto regulations in order to address unanticipated issues (e.g., regarding the debate on “multi‑issuance” stablecoin models under MiCA).

In addition, to address the marginal adoption of the EU Pilot Regime and thus enhance innovation, competitiveness and the integration of DLT in the EU financial ecosystem in the context of the EU Savings and Investment Union project, the AMF and the Italian financial regulator – the Consob – have proposed (i) making the EU Pilot Regime more flexible notably by enhancing ESMA’s converging role and allowing the use of stablecoins and tokenised deposits to settle transactions (pending the introduction of a EU CBDC), (ii) expanding its scope to include more asset types and larger and more diverse DLT infrastructure projects, and (iii) clarifying its duration to encourage investment. These regulators have also recommended improving interoperability of DLT market infrastructures with traditional market infrastructures and raising market awareness to promote tokenisation of financial assets.

Furthermore, the AMF, the Consob and the Austrian FMA proposed targeted MiCA revisions to ensure consistent enforcement and prevent regulatory arbitrage among EU Member States and mitigate some inconsistencies of MiCA: (i) direct, centralised supervision of significant CASPs by ESMA, (ii) stricter oversight of trading platforms operating outside the EU that may be used by CASPs to provide services to EU investors and obligation for CASPs executing orders on crypto-assets on behalf of EU investors to use trading platforms compliant with MiCA or equivalent regulations, (iii) mandatory, independent cybersecurity audits for CASPs before authorisation and at regular intervals thereafter and (iv) clarifying the scrutiny process for white papers of non-stablecoin crypto offerings, and creating a one-stop shop managed by ESMA for pan-European non-stablecoin token offerings. If these proposals are not adopted, the AMF is threatening to prevent EU CASPs which are subject to less stringent supervision in their home Member States (e.g., Cyprus, Malta, etc.) from operating in France under the MiCA passport. This position has been criticised by market players, who point out that they are not responsible of the way their home regulators manage their licensing applications, particularly when some of them were/are subject to shorter transitional periods for licensing their national players.

BdF’s wholesale CBDC experimentation programme

The BdF launched its wholesale CBDC experimentation programme in 2020, adopting a learning‑by‑doing approach under real regulatory conditions. The objectives were to (i) preserve central bank money as the settlement asset in tokenised markets, (ii) support safe innovation and market integration, and (iii) explore interoperable solutions for cross‑currency transactions.

Between 2020 and 2023, the BdF conducted twelve experiments, with market infrastructures, banks, central banks and public authorities, to demonstrate the technical feasibility of two core use cases: delivery‑versus‑payment for tokenised securities and payment‑versus‑payment for cross‑border and cross‑currency settlement.

In this context, the BdF articulated three complementary models for wholesale CBDC: interoperability (linking a Eurosystem cash DLT to market/foreign DLTs), integration (unified settlement on a Eurosystem DLT), and distribution (issuing wholesale CBDC with representative tokens on shared DLTs). These models were tested through complex cross‑border pilots, including DeFi‑inspired automated market makers for on‑chain FX settlement (notably with the BIS Innovation Hub, the Monetary Authority of Singapore and the Swiss National Bank as part of Project Mariana), and through interoperability with legacy systems, including an exercise with SWIFT using ISO 20022 messaging. The BdF also developed its own DLT named “DL3S”, a permissioned/private Hyperledger‑based cash DLT providing atomic settlement, privacy controls, and bridges to TARGET Services and market DLTs.

According to the BdF, these experiments confirmed that wholesale CBDC can deliver atomic settlement for securities and cross-border payments across heterogeneous DLTs (both permissioned/private and permissionless/public). In addition, they confirmed that wholesale CBDC can be governed with robust central bank controls over issuance, access, and circulation, (including via smart contracts) and that it can interoperate credibly with both market DLTs and conventional infrastructures. Furthermore, the BdF’s wholesale CBDC experimentation programme demonstrated efficiency gains through reduced reconciliation, shorter trade‑to‑settlement cycles, and enhanced settlement assurance, particularly for cross‑border transactions. However, the BdF also identified open legal and policy questions concerning finality, access policies for non‑traditional actors, and the macro‑financial effects of new liquidity dynamics and remuneration if wholesale CBDC persists overnight.

In 2024, using its DL3S platform, the BdF contributed to the ECB’s exploratory wholesale CBDC project with trials covering delivery‑versus‑payment, payment‑versus‑payment, margining and automated large‑value flows, and in parallel executed live‑like market operations settled in wholesale CBDC.

Looking ahead, the BdF will now contribute to the ECB’s two‑phase plan for implementing a wholesale CBDC settlement. Phase 1 will link DLT platforms and TARGET Services for settlement in CBDC, with a pilot expected by Q3 2026. In this context, the BdF and Euroclear launched a project to tokenise Negotiable European Commercial Papers, aligned with such phase.

BdF’s position on wholesale CBDC vs stablecoins debate

The BdF views the expansion of USD‑denominated private stablecoins as a threat to EU monetary sovereignty and stability. It advocates tighter MiCA constraints (especially on multi‑issuance models) and rapid delivery of a functional wholesale CBDC.

While the BdF believe that the Eurosystem’s wholesale CBDC should be the foundational settlement layer for tokenised finance in the EU, it also considers that stablecoins could be useful for specific applications of tokenised finance that are not covered by CBDC. Therefore, the BdF encourages EU banks to issue euro stablecoins or tokenised deposits that can interoperate with wholesale CBDC. The intended outcome is a competitive euro‑denominated tokenised ecosystem that preserves the unicity of money, avoids fragmentation into private silos, and counters the gravitational pull of USD stablecoins through credible, interoperable DLT infrastructure.

BdF’s position on ECB euro digital

BdF supports the ECB’s retail digital euro project and urges faster progress, viewing it as essential to monetary sovereignty and privacy‑preserving “digital cash”.

Conversely, EU banks argue that a retail digital euro would threaten disintermediation by shifting deposits to the central bank, thereby compressing lending capacity and profitability, and amplifying outflows in times of stress. They also fear that a publicly provided, free payment instrument would undermining private payment initiatives such as Wero, while imposing substantial compliance and technology costs – estimated by industry studies to be in the tens of billions – despite the ECB’s lower projections. Beyond cost and stability, critics question the benefit to users and fear confusion in an already mature mobile payments market.

Since 30 December 2024, providing in France any of the ten categories of MiCA crypto‑asset services on a regular basis requires prior authorisation as a CASP.

Failing to comply with this authorisation requirement could expose to criminal sanctions (2 years imprisonment and a €30,000 fine (up to €150,000 for legal entities)) and disciplinary sanctions (including financial penalties).

Crypto-asset services covered by MiCA are custody, operation of trading platforms, exchange (fiat/crypto and crypto/crypto), execution of orders, placement, reception/transmission of orders, advice, portfolio management and transfer services.

For these purposes, crypto-assets means any digital representation of a value or of a right that is able to be transferred and stored electronically, using DLT or similar technology, including cryptocurrencies, utility tokens and stablecoins.

However, certain crypto-assets or crypto services are excluded from MiCA’s scope. Exclusions include notably: (i) services relating to crypto-assets qualifying as MiFID financial instruments, CBDCs and NFTs, (ii) intra‑group crypto services, (iii) crypto lending/borrowing, (iv) staking and (v) DeFi-based crypto services.

With respect to crypto lending/staking, it should be noted that the AMF considers that, depending on how they are structured, these services may amount nonetheless to the provision of MiCA crypto-asset services or regulated payment services and, accordingly, may trigger CASP or payment service provider licensing. With respect to staking more particularly, it should be noted that indirect custodial staking would usually give rise to crypto-asset custody services under MiCA, whereas direct or on‑chain custodial staking should not. DeFi‑based indirect staking would be out of scope only where fully decentralised and disintermediated.

CASP status can be obtained either via an AMF MiCA application (subject to ACPR’s opinion) or, for eligible regulated institutions, via a notification of equivalent services to the AMF/ACPR (depending on the relevant regulated status).

Once authorised, CASPs benefit from the EU passport and may therefore provide their crypto-asset services across all EU Member States. However, completely free passporting is currently being called into question by certain regulators due to regulatory arbitrages and differences in interpretation and supervision among regulators.

Authorised CASPs must comply with general organisational and conduct of business requirements common to all CASPs (e.g., best interests, disclosures, own funds, governance, conflicts of interest, complaints, outsourcing, internal control) and with service‑specific organisational and conduct of business rules depending on the services for which they have been licensed (e.g., custody policy and segregation rules for crypto-asset custodians).

Treatment of DeFi in France

DeFi refers to on‑chain financial activities executed by smart contracts on layered DLT stacks (L1s and L2s), often permissionless, with dApps providing user access.

DeFi main use cases mirror and extend those of traditional finance: (i) crypto exchanges via decentralised exchanges and automated market makers, which rely on liquidity pools and algorithmic pricing rather than centralised order books, (ii) crypto lending/borrowing protocols, typically over‑collateralised and featuring automated liquidations, (iii) staking and liquid staking, (iv) derivatives (e.g., perpetual futures), (v) margin trading, (vi) asset‑management strategies and aggregation, (vi) prediction markets, (vii) decentralised insurance, and (ix) governance through DAOs and governance tokens that allow token‑holders to propose and vote on protocol parameters and upgrades.

DeFi is growing rapidly (with around $78 billion in TVL as at September 2024) but remains a legal grey area. MiCA excludes DeFi-based crypto services provided entirely in a decentralised manner without intermediaries. As outlined by the French regulators, this means that, in practice, a case‑by‑case assessment of the technological, operational and governance features of the relevant protocols is actually required to determine their actual degree of decentralisation and disintermediation and, accordingly, whether MiCA applies.

In this context of uncertainty around the subjection or not of certain DeFi solutions to MiCA, and pending EU Commission’s assessment of the appropriate regulatory treatment of DeFi, the ACPR and the AMF have analysed, in consultation with industry stakeholders, the regulatory risks and challenges raised by DeFi with the view to identifying potential regulatory approaches to regulate DeFi.

French regulators have identified a broad series of risks across the DeFi stack. At the DLT infrastructure level, layer2 scalability solutions introduce new trust and security issues. Operational and technological vulnerabilities persist at the smart contract layer and through reliance on oracles. Financialstability concerns stem from leverage, automatic liquidations, stablecoin dependencies, and intraDeFi interconnectedness.

Beyond these risks, DeFi presents several regulatory challenges. First, identifying a responsible locus of control is difficult where influence is diffuse or masked, yet essential for assigning obligations and enabling supervision and redress. In addition, applying existing frameworks designed for centralised intermediaries (including the MiCA CASP regime) is not straightforward. Regulators must distinguish where technology‑neutral rules can be applied by analogy and where bespoke measures are needed to address specific topics such as automated execution, oracle dependency, and novel infrastructure risks. Finally, effective enforcement requires an ability to focus on reachable touchpoints and cross‑border coordination.

Considering the above, the ACPR and the AMF have explored different regulatory approaches to regulate DeFi, including: (i) minimum security standards and periodic audits for public/permissionless DLTs, (ii) smart contract certification calibrated by scale/risk, (iii) governance transparency, (iv) proportionate standards for oracles, particularly in respect of data quality, and (v) regulation of access points/front‑ends and intermediaries providing user gateways to DeFi.

While most industry stakeholders support the idea of regulating DeFi to enable the the ecosystem to develop in an orderly manner, the details of implementation remain the subject of heated debate.

French regulators assess money laundering and terrorist financing risk in crypto‑asset activities as very high due to pseudonymity, rapid cross‑border transfers, mixers, anonymity enhanced/privacy coins, self‑hosted wallets and DeFi’s lack of identifiable intermediaries. According to the French regulators, these features facilitate the laundering of proceeds from fraud and cybercrime (including ransomware attacks), darknet trade, sanctions evasion and the financing of terrorism. France took an early stance into implementing AML/CFT requirements in the Web3 space and since 30 December 2024, CASPs have also become subject to French AML/CFT and sanctions rules and TFR2 rules. DeFi-based crypto service providers are however out of scope since they are in principle exempted from MiCA CASP licensing requirement.

CASPs are subject to France’s robust AML/CFT and sanctions framework. In a nutshell, under these rules, CASPs must implement risk-based AML/CFT and sanctions arrangements, including governance and internal controls, customer due diligence and KYC measures, ongoing transaction monitoring, enhanced due diligence for higher-risk situations and the reporting of suspicious transactions to TRACFIN. CASPs must also implement EU and French asset-freezing and other restrictive measures immediately.

Beyond these requirements that apply to all regulated entities subject to French AML/CFT and sanctions rules, several crypto-specific requirements have been imposed to CASPs in anticipation of the new EU AML/CFT Regulation (“AMLR”) due to apply from 10 July 2027: (i) mandatory identity collection and verification of all clients (including occasional ones) and beneficial owners (no thresholds), (ii) enhanced due diligence for cross-border correspondent relationships with third-country financial institution and transfers to/from self‑hosted wallets (with additional risk‑mitigation steps), (iii) bans on anonymous or anonymising accounts/services, and (iv) the TFR2 “travel rule” with procedures for originator/beneficiary identification, recording, cross-border interoperability, data security and self‑hosted addresses, as clarified by EBA guidelines.

The French regulators provide further details on the implementation of AML/CFT and sanctions obligations by CASPs in their guidelines. On risk assessment, the ACPR inter alia expects documented risk mapping and risk classification must drive client risk scoring and the intensity of KYC at onboarding stage and ongoing monitoring. On KYC, the ACPR endorses the use of electronic identification or dual independent measures for remote onboarding. On ongoing monitoring, the ACPR expects CASPs to deploy tools and capabilities to analyse on-chain flows with alert scenarios calibrated to crypto typologies. While not mandatory, DLT analytics tools are often necessary. Where tools are not used, CASPs must demonstrate alternative measures providing equivalent vigilance. Enhanced due diligence is expected from CASPs for complex or unusually large transactions.

Non‑compliance can lead to disciplinary sanctions (fines, business limitations) and, if such non-compliance amounts to complicity, criminal exposure for money laundering and terrorist financing offences. With respect to money laundering, it should be noted that revenues from anonymising crypto-assets or crypto-asset transactions are presumed criminal unless rebutted.

Regarding the taxation of individuals selling crypto-assets in the context of the management of their private wealth, French law provides for a specific regime whereby the sale of “qualifying” crypto-assets against “qualifying” crypto-assets is not a taxable event. Taxation only occurs when “qualifying” crypto-assets are sold against fiat money. In such case, the gain is determined as the difference between the sale price of the “qualifying” crypto-assets and an acquisition price, equal to the acquisition price of the entire taxpayer’s crypto-assets portfolio multiplied by the sale price and divided by the taxpayer’s portfolio fair market value on the date of the sale. The gain is then taxable at a 12.8% for personal income tax, plus 17.2% of social contributions on wealth income, plus up to 4% of exceptional surcharge on high income (if applicable), plus up to 3.2% of differential surcharge on high income (if applicable), leading to a combined taxation rate of up to 37,2%. For purposes of this rule, “qualifying” crypto-assets are defined by reference to the definition of “crypto-assets” provided by the FMFC (including “digital assets” (actifs numériques) within the meaning of the French Loi PACTE regime (until it is repealed in 2026) and “crypto-assets” within the meaning of MiCA). The receipt of crypto-assets from a DeFi protocol is generally not taxable until they are converted into fiat money, provided they are “qualifying” crypto-assets. When the sold crypto-assets are not “qualifying” crypto-assets, a case-by-case analysis need to be performed to determine what is the applicable tax treatment.

Regarding the taxation of individuals selling crypto-assets in the context of a trading business or companies, gains and losses are generally included in the taxpayer’s result (either subject to personal income tax under the category of commercial income or non-commercial income at the progressive scale up to 45% plus up to 4% of exceptional surcharge on high income (if applicable) or subject to corporate income tax at the standard rate of 25%, plus 3.3% of the corporate income tax due if the exceptional surcharge on corporate income tax applies). Income from DeFi arrangements should also be included in the taxpayer’s result. For individuals, social security contributions on activity income may also apply. Also, when an individual is engaged into mining activities, his/her profits should be taxed as non-commercial income at the same rate as commercial income.

A factual analysis should be performed when an individual engages in the buying and selling of crypto-assets to determine whether he or she is acting in the context of the management of his/her private wealth or in the context of a trading activity.

With respect to VAT, a case-by-case analysis shall be performed to determine whether the sale of crypto-assets is subject to VAT. For instance, VAT may apply to the sale of NFTs, at a rate depending upon the nature of the NFTs.

Regarding compliance obligations, France has implemented reporting obligations provided by Council Directive (EU) 2023/2226 (“DAC 8”) in its finance bill for 2025. Starting January 1st, 2026, services providers providing “crypto-assets services” within the meaning of MiCA (including French CASPs authorised under MiCA and other service providers not authorised under MiCA with the French regulators but that have certain ties with France (e.g., tax resident in France or managed from France)) will have to report to the French tax authorities certain information relating to the crypto-assets transactions carried out by the users of their services. The first reporting is due in 2027 for the fiscal year 2026.

The holding, use and trading of crypto‑assets are permitted in France.

However, since issuing crypto-assets and providing crypto-assets are regulated activities in France, anyone seeking to do so must first take the required regulatory steps, including obtaining the required regulatory authorisations where applicable, after having carried out a proper assessment as to whether their services are at risk of being provided in France (which, would not be the case if these services are provided on a reverse solicitation basis within the meaning of MiCA – noting that such exemption should be strictly construed and cannot be relied on as a business model). Furthermore, disseminating inaccurate or misleading information in respect of its regulatory status, or promoting illegal offerings online, is also prohibited. Failing to comply with these requirements could expose to criminal and disciplinary sanctions.

French regulators continuously monitor the market to identify illegal offerings and maintain blacklists/whitelists to help investors avoid being scammed.

In addition, the marketing of crypto-asset offerings and crypto-asset services is strictly regulated, particularly when targeting retail investors and consumers. While crypto-asset offerings or services may be promoted, the promotional communications used for these purposes must comply with specific conduct of business rules, particularly with regard to ensuring that the information provided is fair, clear, and not misleading. Furthermore, certain promotional methods, when directed at retail investors and consumers, may only be carried out by authorised intermediaries and are subject to further conduct of business requirements. Failure to comply with these rules could also result in criminal and disciplinary sanctions.

For instance, financial solicitation (démarchage) to promote crypto-asset services to retail investors is prohibited unless carried out by authorised CASPs, which will have to comply with extra pre‑contractual information and withdrawal‑right duties. Aggressive electronic advertising, sponsorship and patronage to promote crypto-assets to consumers are also prohibited unless carried out by authorised CASPs.

France also regulates influencer marketing on social networks. Influencers cannot promote, inter alia, unauthorised crypto-asset services and, where authorised, must include clear disclosures and comply with mandatory contract requirements, CASPs using influencers are jointly and severally liable for any damage caused.

Finally, French regulators have published numerous educational materials and resources for French investors, particularly those more likely to invest in crypto-assets (such as young people), to raise awareness of the risks of investing in crypto-assets and the best practices to adopt before investing in such assets. In particular, the AMF has a service named “Epargne Info Service” which mission is to answer public queries and provide guidance, particularly in cases of fraud or complaints.

Initial Coin Offerings (“ICOs”) are DLT-based fundraising operations that issue tokens which, depending on their features, may provide access to products or services, be traded on secondary markets, and in some cases generate profit. ICOs surged in early Web3 development despite numerous scams, but activity has since declined, and proceeds remain modest compared with traditional corporate finance. A recent industry study indicates that ICOs represented only 9% of French Web3 financing by value in 2024.

In France, the 2019 PACTE law created an optional visa regime administered by the AMF for public offerings of utility tokens (excluding offerings of instruments comparable to financial securities, such as security tokens offering (“STO”)). To obtain the AMF visa, French issuers had to submit a compliant crypto‑asset white paper and specified corporate and offering documentation, implement safeguarding arrangements for collected assets, and meet AML/CFT obligations. While optional, the AMF visa conferred access to direct promotional methods with retail investors and consumers (financial solicitation, aggressive electronic advertisement, sponsorship and patronage) and the right to a bank account. Uptake was at the end very limited: only five ICOs received AMF visa between December 2019 and February 2024, and just one remained valid as at 1 May 2024.

Between 30 June 2024 and 30 December 2024, the French optional visa regime has been superseded by the EU MiCA mandatory framework for stablecoins issuances and public offerings and admissions to trading of crypto‑assets.

With respect to public offerings and admissions to trading of crypto‑assets other than stablecoins, offerors are only subject to an AMF prior notification (no licence is required). More specifically, they must draft, notify, and publish a crypto‑asset white paper, prepare and publish commercial communications, and comply with conduct‑of‑business rules. This white paper must include issuer and offering disclosures and a classification analysis demonstrating that the crypto-assets offered are not excluded from the scope of MiCA and is not a stablecoin. MiCA also provides targeted exemptions for specific offers (i.e., Airdrops, mining/staking, limited network, etc.).

To streamline pan‑European offerings and ensure uniform application across Member States, the AMF has recently recommended to revise MiCA in order to clarify the scrutiny process of white papers and establish an EU‑level one‑stop shop managed by ESMA.

While MiCA regulates the offering and provision of crypto-assets, it does not address the civil law regime that governs the crypto-assets themselves (legal nature, title transfer and security interests). Consequently, the definition of these civil law rules currently falls within the remit of the national law of each Member State. In France, recent reforms have clarified these issues to some extent, but the new legal framework still requires further clarification.

Legal characterisation of crypto-assets under French civil law

Until the end of 2024, in the absence of specific statutory provisions, crypto-assets could be legally characterised under French law as either:

• “intangible goods” if they represent a store of value (e.g., Bitcoin, Ether, and other cryptocurrencies); or
• “receivables” if they represent rights against an issuer (e.g., utility tokens, etc.),

noting that the hybrid nature of stablecoins (representing both a value and a claim against their issuers) led to uncertainties regarding their true legal nature.

Depending on this legal characterisation, the applicable transfer of ownership and security interest rules varied. For instance, the transfer of ownership of crypto-assets that could be characterised as “intangible goods” was governed by the general rules on the transfer of ownership, whereas the transfer of ownership of crypto-assets that could be characterised as “receivables” was governed by the special rules on the assignment of receivables.

Beyond their fragmentation, the applicable rules were themselves ill-suited to the specific features of DLT and crypto‑assets. They imposed constraints due to their formalism and, as regards the applicable regime for the pledge of intangible movable property applicable to crypto-assets that could be characterised as “intangible goods”, created legal uncertainty because of the lack of specific protections in the event of the debtor’s default.

These issues were therefore hindering the proper development of crypto-asset transactions on the French market. This was particularly the case for companies holding crypto‑assets that were seeking to acquire, finance themselves, or hedge by mobilising these financial assets.

France implemented these reforms between 2024 and 2025. Crypto‑assets are now “negotiable intangible goods” (biens meubles négociables) with transfer and security mechanics aligned to those of securities.

Rules for transferring the title of crypto-assets

Title now passes by registration. As a matter of principle, the ownership of the crypto-assets transfers to the purchaser upon their registration on the DLT. By exception, if the crypto-assets are held by a MiCAauthorised, their ownership transfers upon the registration of the purchaser’s position in the custodian’s internal register of positions. These rules mirror, respectively, selfcustody and custodial models.

However, there are still open issues. First, finality is probabilistic on some DLTs. Prudent practice is to wait for the execution of several transactions before considering that an on-chain transaction is validly executed. In addition, the coexistence of on-chain and custodial registrations could generate mismatches. Erroneous or delayed mirroring of a custodial registration on a DLT could indeed complicate remediation and loss allocation. Furthermore, while negotiability protects the purchaser acting in good faith against claims, there are still some grey areas, particularly with regard to forks, airdrops and staking rewards. Conceptually, the title covers proceeds, but operational the handling of these derivative assets still depends on the custodial terms and, in certain circumstances, on technical actions to claim them. Finally, some implementation details still need to be specified by decree, which has not yet been enacted as the time of this publication. This leaves residual uncertainty for market players.

Ad hoc regime for pledging crypto assets

France created a special pledge over crypto‑assets (nantissement de crypto‑actifs), inspired by the securities‑account pledge, but adapted to DLT/wallet specifics.

The constitution of the pledge has been streamlined. Effectiveness and opposability of the pledge follow a declaration signed by the pledgor and notified to the custodian (if any). This declaration can be implemented via a smart contract. The pledge covers identified crypto-assets (and their proceeds, unless excluded) and allows successive pledges, ranked by declaration date. The pledgee is granted a right of retention and must therefore benefit from effective control over the pledged crypto-assets (e.g. via key custody, custodian escrow or multisig). Enforcement of the pledge is flexible. In the absence of an agreed timeline, the pledgee may enforce the pledge eight days after providing formal notice. The pledgee may then transfer the pledged fiat proceeds by outright appropriation and transfer the pledged crypto-assets as agreed. If there is no agreement on this last point, the transfer will be made as provided for by law.

However, practitioners should anticipate several risks in the documentation. Notification mechanics to custodians are important for effectiveness in a custodial setting, as well as for ensuring that any right of retention is meaningful in practice. Retention control structures must be robust, as a pledge can otherwise be legally valid, but operationally fragile. Volatility argues for clear margining and top-up clauses, as well as automated monitoring, subject to insolvency law constraints on post-filing assiette increases. Forks, airdrops, staking and other protocol-level events should be expressly covered to avoid gaps in the pledged proceeds. Finally, some implementation details of the pledge rules are still unclear pending the publication of a forthcoming decree.

Smart contracts are IT programs deployed on DLT that automatically execute predefined transactions when coded conditions are met. These programs typically used in DeFi environment provide automated settlement, parameterisation (fees, liquidity management, risk thresholds) and composability by interacting with other on‑chain modules. Although often described as “autonomous,” they are neither sentient nor self‑modifying, and their behaviour reflects the code deployed. While the IT code designing the smart contract is immutable once deployed, practical mutability is possible through designs such as administrative parameters, proxy architectures and version upgrades.

Smart contracts facilitate the on‑chain performance of off‑chain contractual agreements. They are a technical means of contractual performance, rather than legal contracts within the meaning of French law. French terminology recommends thus using the term “automated clause executor” instead, which is used in the new crypto-asset pledge regime.

The deployment of smart contracts primarily exposes to software and execution risks, including vulnerabilities in the code or defects arising from the interaction of composable modules (such as layer2s or oracles). These risks can lead to logic hijacking or the loss of funds. Another key legal issue that arises in this respect concerns liability for the use of smart contracts, particularly in cases involving coding errors, cyber-attacks or fraudulent use. Current considerations include various models of liability, such as the liability of developers who write the underlying code, the liability of entities that deploy the protocols or the liability of the community exercising governance. The latter raises further difficulties where governance itself is structured through a DAO.

To mitigate these risks, the ACPR and AMF are exploring smart contract certification, built on three pillars: security, governance and compliance. Certification would be time‑bound/versioned, visible to users (ideally on‑chain) and independently audited.

There is, at present, a relatively broad consensus in favour of smart contract certification. Although the modalities remain debated, the general principle of setting minimum security standards appears widely supported by market participants.

The French regulators’ broader reflection on DeFi complements their work on smart contract certification by identifying smart contracts as the key layer to be regulated, while recognising that infrastructures and access points and intermediaries should also be regulated.

DAOs designate organisational arrangements whose governance and core operating rules are encoded in smart contracts deployed on (typically public) DLTs. The terminology highlights three main features: an organisation structured by explicit rules and processes, autonomy insofar as certain operational decisions are self-executed by code, and decentralisation reflecting horizontal power structures and reliance on DLTs.

DAOs operate natively online and at global scale by combining DLT infrastructure, smart contracts and crypto-assets. Governance often relies on tokens conferring voting rights, but token-based voting is not a definitional requirement and, depending on design, votes may be advisory or binding. In mature arrangements, vote proposals follow standardised pathways – from forum discussion to on-chain vote – with automated execution where feasible. Transparency is characteristic: rules, treasury positions and governance history are observable on-chain, albeit decipherable only with appropriate tooling. Use cases range widely, from the governance of DeFi protocols to investment vehicles, community or charitable coordination, and the funding of digital public goods. To interface with legal and economic reality, many DAOs are paired with off-chain legal “wrappers” (associations, foundations or development companies) for contracting, employment, IP, and fiat connectivity.

French law does not recognise DAOs as sui generis legal persons. However, in disputes, French courts may requalify DAOs by analogy under existing legal qualifications. Where capital contributions, affectio societatis and a sharing of profits and losses are evidenced, characterisation as a de facto company (société créée de fait) is conceivable, implying no separate legal personality and potential personal, even joint and several, liability of members in some circumstances. Where participants pool activities or knowledge toward a non-profit objective without formalities, a de facto association (association de fait) may be characterised, likewise lacking legal personality. For DAOs that hold common crypto-assets, indivision may be argued, reflecting co-ownership without personality. Investment-type DAOs may invite comparison with French collective investment schemes which do not possess legal personality. Across these potential legal qualifications, the constant is the absence of separate legal personality and the correlative shift of responsibility toward identifiable persons or legal entities involved in the development, governance facilitation or operation of user interfaces.

This legal uncertainty crystallizes a series of risks and implementation challenges. A DAO without personality cannot own property, contract, hire, open accounts, or sue or be sued. DAOs that rely on associations, foundations or ad hoc representatives raise questions about mandate scope, fiduciary duties and the enforceability of on-chain governance instructions against directors bound by their own statutory duties. Liability allocation for DAOs is diffuse. Claimants may target developers, association or foundation managers, front-end operators, multisig signers and significant tokenholders. Insolvency law offers no procedures to DAOs lacking personality and if they are requalified, members may face proceedings on their own patrimony. Taxation is also unsettled: territorial nexus, taxpayer identity and characterisation of income (protocol revenues, distributions, token vesting) are complex for “entityless” DAOs, and contributors face VAT and invoicing constraints when the counterparty lacks a legally cognisable identity and address.

Regulatory compliance is another issue. Depending on activities and factual control, persons involved with a DAO may fall within MiCA rules or, for investment DAOs, alternative investment fund management (“AIFM”) rules. The narrow MiCA exclusion for DeFi services provided “entirely in a decentralised manner without any intermediary” is in our view to be interpreted strictly and therefore rarely applies in the presence of intermediated components exercising some form of control over the protocol.

French regulators have mapped these issues while favouring incremental, targeted responses.

The French Steering Committee has provided the most detailed French legal analysis to date on DAOs and sets out pragmatic solutions without presupposing recognition of DAOs as legal persons. In a nutshell, the proposed solutions are: (i) a clear status for DAO representatives (duties, liability shields, asset segregation, right to litigate), (ii) a bespoke framework defining DAOs, mandating a legal representative and aligning on‑chain governance with predictable rules for responsibility, property, taxation and supervision, or (iii) an intermediate property construct to conceptualise DAOs as co-ownerships of intangible assets managed by a legal person, enabling obligations to attach at the manager level while limiting participants’ liability.

To date, few enforcement or disciplinary actions have been taken against Web3 native players. One notable case is the AMF’s 2022 withdrawal decision of Bykep’s PSAN registration for unlawful client‑debit and AML/CFT breaches. With MiCA, TFR and DORA now in force, supervisory scrutiny is however increasing. In this respect, it should be noted that the ACPR has recently launched AML/CFT investigations targeting several service providers (including Binance and Coinhouse).

Payment services regulation

The provision of crypto-assets services may lead to the provision of other regulated services, in particular payment services which requires to be licensed by the ACPR as a payment services provider (either as a credit institution, payment institution or e-money institution).

Indeed, as early as 2014, the ACPR has stated that in the context of a transaction to buy or sell Bitcoins against a legal tender currency, the intermediation activity consisting of receiving funds from the buyer of Bitcoins in order to transfer them to the seller of Bitcoins constitutes the provision of payment services.

Similarly, the AMF considers that the provision of certain crypto-asset services, in particular crypto/fiat exchange services and operating a crypto-asset trading platform, could also amount to the provision of payment services. However, the AMF has specified that this would not be the case where the service provider collects funds that are owed to it.

These positions of the French regulators should be read in conjunction with EBA’s recent non-action letter on the interplay between MiCA and Directive (UE) 2015/2366 (“PSD2”) for CASPs providing services in relation to stablecoins in the form of e-money tokens (“EMTs”). Since EMTs are deemed to be “e-money” under MiCA and therefore “funds” under PSD2, CASPs providing EMT-related services should, in principle, be regarded as also providing payment services and accordingly, should be also licensed as payment service providers. This situation creates dual-licensing risks, inconsistent supervision, and consumer protection gaps, while the revision of PSD2 is still in progress. The EBA has therefore issued transitional guidelines to clarify this issue pending the adoption of the PSD3/PSR package, as a result of which only CASPs providing EMT-related transfer and custody/administration services must also be licensed as payment service providers (or partner which a licensed payment service provider). However, the EBA has advised national regulators to grant a transition period until 1 March 2026 before enforcing this licensing requirement and to streamline this licensing process by relying on the information already provided by these CASPs in the context of their MiCA licensing. In addition, once the payment service provider licence is obtained by these CASPs, the EBA has advised national regulators to not prioritise the enforcement and supervision of certain PSD2 requirements, while at the time insisting on other PSD2 requirements. For the long term, the EBA recommends resolving the issue through the adoption of the PSD3/PSR package, ideally by embedding relevant requirements for EMT‑related services in MiCA. The French regulators have not yet officially reacted to this EBA’s non-action letter, but expectations are that they will likely comply with it.

Data Protection

The General Data Protection Regulation (“GDPR”) is one of the most influential legal frameworks affecting the development and deployment of DLT, as it governs the processing of personal data across the EU. Whereas the GDPR is founded on centralised notions of accountability and controllership, DLT operates on principles of decentralisation, immutability, and distributed participation. This conceptual tension creates significant legal uncertainty and makes it challenging to reconcile DLT with GDPR requirements and data protection principles more broadly, particularly with respect to: (i) the allocation of roles and responsibilities, (ii) data minimisation and storage limitation, (iii) the safeguarding of data subject rights and (iv) the principles of privacy by design and by default.

Allocation of roles and responsibilities

The GDPR requires that controllers and processors be clearly identified, as this qualification determines accountability and compliance risks. In DLTs, however, such identification depends on the governance model and is often complex. Permissioned DLTs, where a single entity or consortium regulates participation, provide a clearer framework for assigning roles. By contrast, in public and permissionless DLTs, functions such as validation, storage, and smart contract development are dispersed among many actors, making responsibilities more difficult to define. For instance, users who write data onto a chain may qualify as controllers, while developers or validators may, in some circumstances, be considered processors. In certain cases, nodes or developers may also be regarded as joint controllers where they exert decisive influence. In conclusion, roles must be determined on a case-by-case basis, taking into account governance structures, technical features, and the actual influence of the actors involved.

Data minimisation and storage limitation

The principles of data minimisation and storage limitation are central to the GDPR: only data strictly necessary for a specified purpose may be processed, and it must not be retained longer than required. DLT, in principle and as originally conceived, relies on the permanent recording and replication of transactions across nodes, making deletion technically impracticable. This structural permanence creates compliance challenges for these principles, unless mitigated through appropriate technical or governance measures such as off-chain storage, time-limited encryption keys, or the use of anonymisation techniques.

Immutability and data subject rights

The immutability of DLT records poses significant challenges to the exercise of data subject rights under the GDPR, particularly the rights to rectification, erasure, and objection. Once data are recorded on the ledger, modification or deletion is generally technically impracticable. Nevertheless, these rights must remain effective and technology-neutral, and controllers cannot invoke technical impossibility as a defence. To reconcile DLTs with these obligations, controllers should consider mitigating measures such as off-chain storage, encryption combined with key deletion, pseudonymisation, or other cryptographic techniques.

Privacy by design and by default

Article 25 GDPR requires controllers to implement data protection by design and by default, meaning that systems and processes must be structured so that only the data necessary for a specific purpose is processed. When controllers rely on DLT, meeting this obligation is particularly challenging, as immutability and transparency are inherent features of the technology. To address this, supervisory authorities advise against storing personal data directly on-chain and recommend instead using off-chain storage combined with on-chain proofs (e.g., hashes, cryptographic commitments, or encrypted references). Nonetheless, it is worth noting that even hashed or encrypted data may still constitute personal data under the GDPR if re-identification is reasonably possible.

Consumer law

When dealing with French consumers, CASPs must comply with French “public order” rules (pre‑contractual disclosures, unfair terms, remote contracting, language rules, bans on aggressive marketing, access to an ombudsman in the event of a complaint). These apply even if a non‑French law governs the consumer contract.

Asset management

Since 30 December 2024, French portfolio management companies have been authorised to provide crypto-asset portfolio management, advisory and RTO services, provided they hold an equivalent permission under their UCITS/AIFM licence and have notified the AMF of their intention to provide these services.

In addition, since the introduction of PACTE Law in 2019, certain French collective investment schemes opened to professional investors – i.e., professional private equity funds (FPCI) and professional specialised funds (FPS) – have been authorised to invest directly in crypto assets (for FPCI up to 20% of their assets and for FPS subject to applicable liquidity and valuation rules).

However, crypto ETFs are not authorised in France, as French UCITS rules prohibit ETFs from investing in real world assets other than securities. Alternatively, investors may invest in crypto-themed ETFs – i.e., holding exposures to DLT/crypto sector companies rather than crypto-assets – or in crypto ETNs – i.e. exchange-traded debt products exposed to crypto-assets. The President of the AMF has recently announced that the AMF regulations would soon be amended to facilitate the issuance of crypto ETNs in France.

Mining

In France, there is no specific regulation regarding mining – i.e., validating and recording transactions on a DLT by using computing power to solve cryptographic problems (i.e., the “proof of work” consensus mechanism). This activity is carried out by “miners”, who are rewarded with newly created crypto-assets for their work.

However, operators may be subject to energy, environmental and tax rules, and to MiCA if their activities amount to the provision of regulated crypto-asset services.

A recent parliamentary proposal suggests piloting the use of surplus nuclear electricity for mining, but this proposal is still being debated in Parliament, and it is uncertain that it will be passed.