Is a DAO an Issuer Under MiCA? The Sky Protocol, DAI, USDS and the Non-Identifiable Issuer Question

1. Introduction: The Question MiCA Did Not Answer

There is a question embedded in the centre of MiCA’s stablecoin framework that the regulation’s drafters either could not answer or deliberately chose not to. The question is this: when a stablecoin is issued through a permissionless, decentralised protocol governed by thousands of anonymous token holders, distributed across dozens of jurisdictions, with no corporate headquarters, no registered office, and no identifiable controlling person — who is the issuer?

This question is not academic. Its answer determines whether Title IV of MiCA applies at all. If the protocol has no identifiable issuer, then Recital 22 places it outside the scope of Titles III and IV entirely. The authorisation requirement — the obligation to be a licensed credit institution or electronic money institution — does not apply. The whitepaper obligation does not apply. The entire regulatory architecture that MiCA built for stablecoin governance simply does not engage.

For DAI and USDS — the stablecoins at the centre of the EU’s most consequential MiCA interpretive dispute — this question is directly in play. The Sky Protocol, formerly known as MakerDAO, is one of the oldest and largest decentralised finance protocols in existence. Its governance is distributed across tens of thousands of holders of MKR and SKY tokens. No single person controls it. No EU-registered entity issues its stablecoins. Its smart contracts operate autonomously once deployed.

And yet: those same governance token holders vote on debt ceilings, stability fees, collateral types, and liquidation parameters. They can initiate emergency shutdowns. They control the upgradeability of the USDS contract. They collectively exercise what looks, in certain lights, very much like control over the issuance of the Sky Stablecoins.

This article examines both sides of this analysis with the precision the question demands — drawing on the BCAS legal opinion, the GFXLabs critique of that opinion, MiCA’s legislative text and recitals, and the Commission’s Article 142 DeFi report delivered in January 2025. It then asks what the legislative framework that will eventually govern DeFi under EU law should look like, and what CASPs and DeFi protocols should be doing in the interim.

2. How MiCA Defines an Issuer — and Why the Definition Strains Against DeFi

MiCA Article 3(1)(10) defines an issuer as “a natural or legal person, or other undertaking, who issues crypto-assets.” Recital 20 adds that “issuers of crypto-assets are entities that have control over the creation of crypto-assets.”

On its face this definition appears manageable. An issuer is whoever creates or controls the creation of a crypto-asset. For centralised stablecoins — Circle issuing USDC, Tether Limited issuing USDT, Société Générale Forge issuing EURCV — the issuer is a clearly identifiable legal entity. The definition works straightforwardly.

The definition begins to strain the moment you apply it to a decentralised protocol. The Sky Protocol does not have a traditional corporate structure. DAI and USDS are not created by the click of a button in a corporate treasury system. They are minted through smart contracts on the Ethereum blockchain in response to user interactions — users depositing collateral, calling the relevant functions, and receiving stablecoins in return. The protocol executes the minting. The governance token holders set the parameters within which minting can occur. The users initiate the individual minting transactions. None of them fits comfortably into the MiCA definition of an issuer as “a natural or legal person, or other undertaking.”

“Other undertaking” is the definitional escape valve — a deliberately broad formulation designed to capture entities that do not fit neatly into the natural person / legal person binary. A DAO could potentially qualify as an “other undertaking” depending on how that term is interpreted under EU law. But MiCA provides no further guidance on what constitutes an “other undertaking,” and the question of whether a DAO — which lacks legal personality, has no registered domicile, and whose membership is pseudonymous and distributed — qualifies as one is genuinely unresolved.

The Recital 20 gloss — that issuers are entities with “control over the creation” of crypto-assets — does not simplify matters. It raises the deeper question of what constitutes “control” in a decentralised governance context. Governance token holders collectively set the parameters within which the protocol operates. They do not individually control any specific minting transaction. They cannot mint stablecoins themselves without going through the same permissionless smart contract interface as any other user. Their control is parametric and collective — not transactional and individual.

This is precisely the regulatory gap that the BCAS opinion identifies, and that the Commission’s Article 142 DeFi report acknowledges: MiCA’s issuer framework was designed with centralised entities in mind, and its application to genuinely decentralised protocols requires interpretive stretching that the text does not clearly support.

3. Recital 22: The Non-Identifiable Issuer Carve-Out

MiCA Recital 22 states: “Crypto-assets that have no identifiable issuer should not fall within the scope of Titles II, III and IV of this Regulation. Crypto-asset service providers providing services in respect of such crypto-assets should however be covered by this Regulation and should be required to comply with the relevant obligations under this Regulation.”

This provision is one of MiCA’s most consequential and least examined carve-outs. Its effect is to place an entire category of crypto-assets — those with no identifiable issuer — outside the three operative titles of MiCA that govern crypto-asset issuance and admission to trading. Only Title V (which governs CASP obligations) continues to apply, through the second sentence of Recital 22, which brings CASPs providing services in respect of such assets back within MiCA’s perimeter.

The structure is elegant and practical. MiCA cannot regulate an issuer that does not exist — or cannot be identified. Rather than attempting to regulate the non-existent issuer, MiCA regulates the intermediaries who provide services in relation to the relevant crypto-assets. CASPs must still conduct suitability assessments, maintain AML/CTF frameworks, reference available whitepapers, and make environmental disclosures. The asset is not in a regulatory vacuum. But the issuer-level obligations — authorisation, whitepaper publication, reserve requirements, governance rules — simply do not engage.

For the stablecoin debate, this matters enormously. If DAI and USDS have non-identifiable issuers within the meaning of Recital 22, then the entire debate about whether CEXes can list them under MiCA’s Title IV framework becomes somewhat beside the point — Title IV simply does not apply to them. The ESMA statement’s instruction to delist “non-MiCA-compliant EMTs” would not capture tokens from non-identifiable issuers, because there is no issuer to be non-compliant.

The ESMA statement’s failure to engage with Recital 22 — identified in Article 3 of this series as Critique 4 — is therefore not merely a gap in the statement’s reasoning. It is a gap that potentially undermines the statement’s entire applicability to DAI and USDS specifically, even if ESMA’s broader reading of Articles 16(1) and 48(1) were correct for identifiable-issuer EMTs.

4. What “Non-Identifiable” Actually Means — and What MiCA Does Not Say

Here is the central difficulty: MiCA does not define what “non-identifiable” means. Recital 22 uses the term without elaboration. There are no criteria, no thresholds, no safe harbours, and no regulatory technical standards that specify how to assess whether an issuer is identifiable or not. The legislative text gives us the concept without the content.

This is not unusual in EU financial regulation — framework provisions regularly leave definitional precision to delegated acts, regulatory technical standards, or supervisory guidance. But in this case, no such downstream specification has been produced. ESMA has not published guidance on the non-identifiable issuer framework. The EBA’s December 2024 guidelines on ART and EMT reporting focus on identifiable issuers conducting offers to the public and do not address the non-identifiable issuer question. The Commission’s Article 142 DeFi report touches on the issue but does not resolve it.

The BCAS opinion, confronted with this gap, proposes a working definition based on the principle that a non-identifiable issuer is one where no single person or entity has control over the issuance of crypto-assets. This reading derives from Recital 20’s formulation of issuers as entities with “control over the creation” of crypto-assets — if no single entity has that control, then no single entity is the issuer, and the issuer is non-identifiable.

But the BCAS opinion acknowledges, candidly, that this reading is probabilistic rather than certain. As the opinion notes, a non-identifiable issuer might alternatively subsist “when issuances can be limitedly controlled by a sufficiently large group or network of persons with sufficiently wide distributions in terms of control — in other words, a DAO.” The word “sufficiently” appears twice in that formulation, and the BCAS opinion offers no metric for determining what is sufficient. The legislature has not spoken on this, and the gap is real.

Two alternative frameworks for interpreting “non-identifiable” deserve consideration:

The control-based test — proposed by BCAS — asks whether any single person or entity has control over the issuance. Under this test, a sufficiently decentralised DAO with no dominant individual controller would qualify as a non-identifiable issuer.

The legal personality test asks whether the issuer can be identified as a legal person under any applicable law. Under this test, a DAO without legal personality in any jurisdiction — which describes the Sky DAO — would qualify as non-identifiable, because there is no legal entity to identify.

The transparency test asks whether the issuer can be identified as a matter of public information — whether there is a named, locatable entity that can be held legally responsible. Under this test, a DAO whose founding team is publicly known but whose governance is distributed might not qualify as non-identifiable, because the founding team provides an identifiable face even if governance is dispersed.

None of these tests is clearly supported by the MiCA text over the others, because the text provides no test at all. The Commission’s Article 142 DeFi report — discussed in Section 13 — is the most recent official engagement with this question, and even it stops short of providing definitive criteria.

5. The Sky Protocol: Architecture, Governance, and the Issuer Question

To apply the non-identifiable issuer analysis concretely, it is necessary to understand how the Sky Protocol actually works — both technically and as a governance system.

The Sky Protocol, formerly known as MakerDAO, is a decentralised finance protocol built on the Ethereum blockchain. It was one of the first DeFi protocols to achieve significant adoption, operating since 2017. Its stablecoins — originally DAI, now joined by USDS — are backed by over-collateralised positions in crypto-assets and real-world assets, with peg stability maintained through a combination of collateral liquidation mechanisms, the Lite-PSM (which enables 1:1 swaps with approved stablecoins), and a surplus buffer.

Governance of the Sky Protocol is exercised by holders of two governance tokens: MKR (the original governance token, operational since 2017) and SKY (its successor, introduced as part of the Sky Protocol rebrand). Governance token holders participate in the protocol through a two-phase process: Community Polling, in which proposals are discussed and consensus is built; and Executive Voting, in which approved proposals are enacted through on-chain “spells” — scripts that directly modify protocol parameters.

The parameters that governance token holders control include: which collateral types are approved for minting DAI and USDS; debt ceilings for each collateral type; stability fees (the borrowing rate); liquidation ratios and liquidation penalties; the Lite-PSM’s approved stablecoin pairs and inventory limits; the parameters of the surplus buffer and Smart Burn Engine; and — critically for USDS — the upgradeability of the USDS smart contract itself through the UUPSUpgradeable pattern.

The Protocol also allows governance to initiate emergency shutdown — a mechanism that halts all minting, freezes price feeds, and allows collateral redemption — in the event of a critical security failure or black swan event.

As of January 2025, the Sky Protocol had approximately 101,784 holders of its governance tokens. These holders are distributed globally, operating pseudonymously through Ethereum addresses, with no central registry or KYC requirement for governance participation.

6. The Case That the Sky DAO Is a Non-Identifiable Issuer

The BCAS opinion makes the case for non-identifiable issuer status on several grounds, each of which deserves examination.

The decentralisation argument. With over 101,784 governance token holders distributed globally, no single person or entity holds a controlling interest in the Sky DAO’s governance. While large token holders — “whales” — can exercise disproportionate voting influence, this is a feature of virtually all token-based governance systems and does not, of itself, make any one holder a controller in the regulatory sense. The power to influence governance decisions is not the same as control over the creation of crypto-assets.

The permissionless minting argument. Individual minting transactions are user-initiated and user-controlled. A user who deposits collateral and calls the relevant smart contract function receives DAI or USDS without any intervention by the DAO. The DAO does not review, approve, or process individual minting transactions. It sets the parameters within which minting can occur, but the act of minting itself is user-initiated and autonomous. This is materially different from a centralised issuer who decides whether to mint and in what quantity for each transaction.

The no-registered-office argument. The Sky DAO has no registered office or branch in the Union. It has no legal personality under any EU jurisdiction. There is no entity that can be identified and located for the purposes of EU regulatory engagement. This is not merely a technicality — it reflects the genuine organisational reality of a decentralised protocol that exists as code on a public blockchain rather than as a corporate entity in a physical jurisdiction.

The Recital 22 DeFi intent argument. The legislative history of Recital 22 suggests that it was specifically designed to address protocols like MakerDAO — protocols that were already operating at scale when MiCA was being drafted, that had no identifiable issuer in the traditional sense, and that the legislature chose to leave outside Titles III and IV rather than attempt to regulate them through an issuer-focused framework. The Commission’s Article 142 DeFi report confirms that DeFi is explicitly recognised as outside MiCA’s current scope, with dedicated legislation to follow.

7. The Case That the Sky DAO Is an Identifiable Issuer

The counter-analysis is equally substantive, and the GFXLabs critique of the BCAS opinion — published in the Sky DAO forum immediately following the opinion’s release — identifies several specific arguments that the BCAS opinion does not adequately address.

The collective control argument. While no single governance token holder controls the protocol, the governance token holders collectively exercise comprehensive control over every material parameter of the minting process: what can be minted, how much, at what cost, against what collateral, and with what liquidation parameters. Collective control exercised through a DAO governance mechanism is still control — it is simply distributed rather than concentrated. Recital 20’s formulation that issuers are “entities that have control over the creation of crypto-assets” does not require that control be held by a single entity.

The governance-initiated minting argument. GFXLabs specifically identified several minting mechanisms that are not user-initiated but governance-initiated — mechanisms that the BCAS opinion’s Section 9.2 did not adequately address. These include: the LITE-PSM pre-minted DAI/USDS reserve, where governance sets the inventory level (up to 400 million DAI at the time of the critique) and initiates the pre-minting; direct deposit modules into Aave, Morpho, and the Spark lending market, where governance proactively mints stablecoins and deposits them into lending pools ahead of any user borrowing; and workforce compensation and marketing expenses sourced from the Surplus Buffer. If governance is itself initiating significant minting activity — not merely setting parameters for user-initiated minting — the argument that issuances are “solely user-initiated” weakens considerably.

The upgradeable contract argument. The USDS contract (Usds.sol) is upgradeable through governance spells. This means that governance token holders can modify the logic of the USDS token itself — including its minting and burning functions. The ability to modify the fundamental code governing how USDS is created and destroyed is a form of control over its issuance that goes beyond parameter-setting. It is closer to what a traditional issuer does when it amends the terms of a financial instrument.

The “sufficiently large group” problem. The BCAS opinion’s own formulation of when a DAO might constitute a non-identifiable issuer — “a sufficiently large group or network of persons with sufficiently wide distributions in terms of control” — raises the question of what “sufficiently” means. If the threshold is a matter of degree rather than kind, then it is theoretically possible for a DAO to be large enough that it qualifies, or concentrated enough that it does not. With 101,784 governance token holders, the Sky DAO is large — but governance voting participation rates in DeFi protocols are typically low, meaning effective decision-making power may be concentrated in a much smaller group of active voters. The BCAS opinion does not address voting participation rates or effective governance concentration.

8. The Governance Token Holder Analysis: Control as the Determinative Test

The preceding sections identify control as the conceptual pivot of the non-identifiable issuer analysis. Whether governance token holders constitute an identifiable issuer depends significantly on how “control over the creation of crypto-assets” is defined and applied.

Three analytical frames are possible:

Frame 1 — Formal control. Does any person or entity have formal legal authority over the minting of DAI and USDS? Under this frame, the answer is no — the protocol’s smart contracts operate autonomously, and no legal entity has formal authority to override them. Governance can modify parameters through the spell mechanism, but between governance votes, the protocol operates on autopilot. This frame supports the non-identifiable issuer conclusion.

Frame 2 — Effective control. Does any person or entity have the practical ability to materially influence whether and how DAI and USDS are created? Under this frame, the answer is more complicated. Large governance token holders can exercise disproportionate voting power. The founding team and major institutional investors in the Sky ecosystem hold significant governance token positions. Specific entities — MakerDAO’s original development company, Maker Foundation (now dissolved), and successors in the Sky ecosystem — have historically played outsized roles in governance proposals. Whether this constitutes “effective control” is a factual question that cannot be answered from the protocol’s public documentation alone.

Frame 3 — Parametric control. Does any entity control the parameters within which crypto-assets are created, even if not the individual creation events? Under this frame, governance token holders as a collective clearly exercise parametric control. Whether parametric collective control by a large, distributed group of token holders constitutes “control over the creation of crypto-assets” in the regulatory sense depends on how regulators and courts ultimately interpret Recital 20’s formulation.

The BCAS opinion gravitates toward Frame 1. The GFXLabs critique gravitates toward Frame 2, identifying specific instances of governance-initiated action that move the analysis toward effective control. A regulator or court applying a purposive reading of MiCA would likely focus on Frame 2 — asking whether, in substance, there is a group of people making decisions about when and how much DAI and USDS are created. A court applying a textual reading might focus on Frame 1 or Frame 3 depending on how it reads “control.”

The BCAS opinion gravitates toward Frame 1. The GFXLabs critique gravitates toward Frame 2, identifying specific instances of governance-initiated action that move the analysis toward effective control. A regulator or court applying a purposive reading of MiCA would likely focus on Frame 2 — asking whether, in substance, there is a group of people making decisions about when and how much DAI and USDS are created. A court applying a textual reading might focus on Frame 1 or Frame 3 depending on how it reads “control.”

9. GFXLabs Critique: Does Governance-Initiated Minting Change the Analysis?

The GFXLabs response to the BCAS opinion — published in the Sky DAO forum on 23 January 2025, the same day as the legal opinion — deserves specific attention because it is the most technically precise published challenge to the BCAS non-identifiable issuer analysis.

GFXLabs identified four specific minting mechanisms that the BCAS opinion’s Section 9.2 did not adequately address:

The LITE-PSM pre-minted reserve. The LITE-PSM is a set of smart contracts that offer 1:1 swaps of DAI/USDS and USDC. The inventory of pre-minted DAI/USDS available in the LITE-PSM is set by governance — at the time of the GFXLabs critique, governance had set the inventory at 400 million DAI, a parameter that changes with governance votes. This pre-minting is governance-initiated, not user-initiated. Users initiate swaps against the pre-minted inventory, but the inventory itself was created by governance decision.

Direct deposit modules. The Sky Protocol’s direct deposit modules allow governance to proactively mint DAI/USDS and deposit them directly into lending markets — Aave, Morpho, and Spark — ahead of any user borrowing. GFXLabs noted that, per their analysis at the time of the critique, approximately 98% of all DAI/USDS deposited on Spark was sourced from the Sky Protocol providing inventory in this governance-initiated way. This is categorically different from user-initiated minting — it is governance-initiated supply creation for lending market liquidity.

The BCAS response. The BCAS authors acknowledged the GFXLabs critique in a follow-up post, accepting that it “shed new light” on their understanding. However, they maintained that even accepting these governance-initiated minting mechanisms, the overall conclusion of the opinion was unchanged. Their reasoning was that neither the LITE-PSM pre-minting nor the direct deposits constituted an “offer to the public” under MiCA — because no purchase contract was being proposed, no terms of sale were being communicated, and users were simply swapping or borrowing, not purchasing. The governance-initiated minting affects the non-identifiable issuer analysis but does not, of itself, transform the Sky DAO into a MiCA offeror.

The unresolved tension. The GFXLabs critique does not definitively establish that the Sky DAO is an identifiable issuer — it establishes that the issuer identity question is more complicated than the BCAS opinion’s initial framing suggested. The governance-initiated minting mechanisms shift the analytical dial toward identifiability, without clearly crossing the threshold. They demonstrate that the Sky DAO is not a purely passive parameter-setter — it actively and proactively creates supply in specific contexts. Whether that active supply creation constitutes “control over the creation of crypto-assets” in the regulatory sense remains the open question.

10. Why the Answer Matters Differently for DAI versus USDS

The non-identifiable issuer analysis does not apply identically to DAI and USDS, despite both being Sky Stablecoins. The two tokens have materially different technical architectures that affect the control analysis in distinct ways.

DAI is governed by the Dai.sol smart contract, which was created as an immutable contract — meaning it cannot be modified by governance. The minting function can only be called by authorised contracts within the Protocol (specifically the Vat.sol core accounting contract), not directly by governance token holders. Once deployed, the DAI contract operates autonomously within the parameters set by governance. The immutability of the core contract provides a genuine argument that governance does not have the ability to directly modify how DAI is minted — only the parameters within which the immutable minting logic operates.

USDS presents a meaningfully different picture. The Usds.sol contract was deliberately designed as upgradeable, implementing the UUPSUpgradeable pattern and the ERC-1967Proxy standard. Governance token holders control USDS upgradeability through spells — they can modify the actual minting and burning logic of the USDS token, not merely the parameters within which it operates. This is a qualitatively different degree of control from DAI’s parametric governance. An argument that governance token holders have “control over the creation” of USDS is considerably stronger than the same argument applied to DAI, precisely because the USDS contract can be modified by governance.

This distinction has practical compliance implications. A CASP conducting separate suitability assessments for DAI and USDS listings — as it should, since they are distinct tokens with distinct technical profiles — should document the difference in the governance and control analysis. A CASP that treats DAI and USDS as identical for regulatory purposes is applying insufficient granularity to its Article 76(2) assessment.

11. The Upgradeable Contract Problem: USDS and Governance Risk

The upgradeability of the USDS contract introduces a dimension of governance risk that does not exist for DAI, and that has broader implications for how MiCA’s control-based issuer analysis should be applied to upgradeable DeFi protocols generally.

An upgradeable smart contract is one where the implementation logic — the code that determines how the contract behaves — can be replaced while the contract’s address remains constant. This is achieved through proxy contract patterns such as the Universal Upgradeable Proxy Standard (UUPS) and the ERC-1967 proxy standard, both of which the USDS contract implements.

The practical consequence of upgradeability is that the governance body that controls the upgrade mechanism has the power to fundamentally alter how the token works. This power is exercised through governance proposals and spells in the Sky Protocol. Governance could, in theory, modify the USDS minting logic to introduce new minting pathways, change the relationship between collateral and issuance, or alter the token’s redemption mechanics.

From a regulatory standpoint, the control over the upgrade mechanism is the most direct form of “control over the creation of crypto-assets” in the MiCA sense. It is qualitatively different from controlling parameters like debt ceilings (which constrain the quantity of minting without changing the minting mechanism) — it is control over the mechanism itself.

For CASPs listing USDS, the upgradeability risk is also a suitability assessment consideration under Article 76(2)’s technical reliability dimension. An upgradeable contract introduces the risk that the token’s technical characteristics — including its supply dynamics, minting economics, and redemption mechanics — could change materially through governance action after listing. A CASP’s suitability assessment should evaluate: the quality of the upgrade governance process, the transparency of upgrade proposals, the existence of time-lock delays between governance approval and upgrade execution (which provide a safety window for detecting malicious upgrades), and the historical record of USDS upgrade activity.

The Sky Protocol’s governance architecture includes a Governance Security Module (GSM) — a time-lock mechanism that delays the execution of approved governance spells by a defined period. At the time of the BCAS opinion, this was set at 48 hours for most protocol changes, though the period is itself a governance-controlled parameter. This provides a meaningful safety window for detecting and responding to malicious governance proposals. CASPs should document their review of the current GSM time-lock parameters — and any governance votes that have modified them — as part of the USDS technical reliability assessment.

12. Issuers Versus Offerors: Why Classification Alone Is Not the End of the Analysis

Having examined the non-identifiable issuer question in depth, it is important to anchor the analysis in MiCA’s broader regulatory architecture. Even if the Sky DAO qualifies as an identifiable issuer — which is contested — the regulatory consequences depend not only on issuer classification but on whether the triggering acts (offer to the public or seeking admission to trading) have occurred.

MiCA Article 48(1)’s obligations apply to persons who “make an offer to the public or seek the admission to trading of an e-money token, within the Union.” Issuer classification is a necessary but not sufficient condition for Title IV applicability. An issuer who does not conduct either triggering act is not subject to Title IV, regardless of whether it is identifiable.

This means that even accepting, for the sake of argument, that the Sky DAO is an identifiable issuer — a conclusion the BCAS opinion regards as possible under the widest interpretation — the analysis does not end there. The Sky DAO would still need to be conducting an offer to the public or seeking admission to trading in the Union for Title IV to apply. The BCAS opinion’s examination of the sky.money interface concludes that neither is occurring. The governance-initiated minting mechanisms identified by GFXLabs — the LITE-PSM pre-minting, the direct deposits into lending markets — are not offers to the public in the MiCA sense because they involve no purchase contract, no terms of sale, and no solicitation of prospective purchasers.

The BCAS analysis therefore operates on two independent grounds: first, the Sky DAO is probably a non-identifiable issuer (Recital 22 carve-out); second, even if it is an identifiable issuer, it is not conducting an offer to the public or seeking admission to trading (no Title IV triggering act). Either ground, standing alone, is sufficient to place Sky Stablecoins outside Title IV’s scope.

This layered analysis is important for compliance officers to understand because it means the non-identifiable issuer question — while fascinating and consequential — is not the only basis on which CEXes can support continued listing of DAI and USDS under the BCAS framework. The absence of a triggering act is an independent and potentially stronger basis for the same conclusion.

13. MiCA’s Article 142 DeFi Report: What the Commission Actually Found

On 16 January 2025 — one day before ESMA’s stablecoin public statement — the European Commission delivered its Article 142(1) report on recent developments in crypto-assets, produced jointly with the EBA and ESMA. This report was required by MiCA Article 140(2)(t), which mandated an assessment of DeFi developments and the appropriate regulatory treatment of “decentralised crypto-asset systems without an issuer or crypto-asset service provider.”

The report’s findings on DeFi are directly relevant to the non-identifiable issuer question. Several key observations from the report deserve attention:

The Commission acknowledges that DeFi currently falls largely outside MiCA’s scope — not as an oversight, but as a deliberate design choice reflecting the legislature’s recognition that MiCA was not designed to regulate decentralised protocols without identifiable issuers. This acknowledgment directly supports the Recital 22 carve-out analysis.

The report identifies the core regulatory challenge for DeFi as the absence of a clearly identifiable responsible party — what the report characterises as the “governance-responsibility gap.” Where a protocol is governed by distributed token holders and its smart contracts operate autonomously, identifying who bears regulatory responsibility for compliance obligations is genuinely difficult.

The report notes that the degree of decentralisation in DeFi protocols exists on a spectrum — from genuinely decentralised protocols where no single party has meaningful control, to nominally decentralised protocols where founding teams or venture capital investors retain effective control through large token holdings or privileged governance access. This spectrum observation is directly relevant to the Sky DAO analysis, where the governance-initiated minting mechanisms identified by GFXLabs suggest the protocol sits somewhere on the spectrum rather than at its fully decentralised extreme.

The Commission stops short of recommending a specific regulatory framework for DeFi in the Article 142(1) report, noting that the technology and market are still developing and that premature regulatory intervention risks stifling innovation. A second report, due by 30 June 2027 under Article 140(2)(t), is expected to include a potential legislative proposal.

The practical implication of the Article 142(1) report for CASPs is threefold. First, it confirms that the legislature itself recognises DeFi’s current extra-MiCA status — which reinforces the Recital 22 carve-out analysis. Second, it signals that dedicated DeFi legislation is coming, probably within the 2027-2030 legislative cycle. Third, it provides a useful regulatory framing — the “governance-responsibility gap” concept — that compliance teams can use when documenting their analysis of DeFi protocol token listings.

14. The June 2027 Legislative Horizon: What a DeFi-Specific Framework Might Look Like

The Commission’s Article 142(2) report, due by 30 June 2027, is expected to include a potential legislative proposal for DeFi. While predicting legislative content is inherently speculative, several approaches have been discussed in policy circles and academic literature that are worth examining from a compliance preparedness perspective.

The Front-End Operator Model. One approach would designate front-end operators — the developers and entities that maintain user interfaces through which users interact with DeFi protocols — as the regulated party. Under this model, sky.money’s operators would bear compliance obligations rather than the Sky DAO itself. This approach has the advantage of identifying a real-world entity that can be regulated. Its disadvantage is that protocol interactions can occur through multiple front-ends, including directly through smart contracts, making front-end regulation easily circumventable.

The Governance Participation Threshold Model. A second approach would impose obligations on governance token holders above a specified threshold — for example, anyone holding more than 1% or 5% of a protocol’s governance tokens could be designated as a regulated party bearing compliance obligations proportionate to their governance stake. This approach attempts to impose responsibility where effective control actually lies. Its disadvantage is the practical difficulty of identifying and supervising pseudonymous token holders.

The Developer Registry Model. A third approach would require DeFi protocol developers — the teams that write and deploy the initial smart contract code — to register with a competent authority, even if ongoing governance is decentralised. This creates a regulatory entry point without requiring ongoing identification of governance token holders. Its disadvantage is that it imposes obligations on the original developer team long after governance has genuinely decentralised.

The Algorithmic Compliance Model. A more futuristic approach would attempt to encode compliance obligations directly into protocol smart contracts — for example, requiring that AML/CTF screening be integrated into minting and transfer functions. This approach dispenses with the need for an identifiable responsible party by building compliance into the protocol itself. Its disadvantage is the extreme technical complexity and the risk that such requirements would either be easily circumvented or would fundamentally undermine the permissionless nature of DeFi.

For CASPs listing DeFi protocol tokens and for DeFi protocols themselves, the 2027 legislative horizon means that the current regulatory gap is temporary. Building compliance frameworks now that can adapt to the incoming regime — whatever form it takes — is more valuable than treating the gap as a permanent free pass.

15. Implications for CASPs Listing DeFi Protocol Tokens

The non-identifiable issuer analysis has several direct practical implications for CASPs that have listed or are considering listing DeFi protocol tokens, including DAI and USDS.

Differentiate your suitability assessments by token. The non-identifiable issuer analysis applies differently to different tokens even within the same protocol. DAI and USDS are both Sky Stablecoins but have materially different technical architectures — DAI’s immutable core contract versus USDS’s upgradeable contract — that affect the control analysis. Each token requires its own suitability assessment, not a protocol-level assessment applied to both.

Document the issuer classification analysis explicitly. Your Article 76(2) suitability assessment for any DeFi protocol token should include a section specifically addressing the issuer classification question: is the issuer identifiable, and if so, who is it? Has the issuer conducted an offer to the public or sought admission to trading in the Union? The answers to these questions — and the reasoning behind them — should be documented in writing and retained as part of the token listing file.

Assess governance-initiated minting as an AML risk factor. For protocols like the Sky Protocol where governance can proactively mint stablecoins and deploy them into lending markets, the AML risk profile includes the possibility that governance-minted supply enters the market without the kind of user-level CDD that user-initiated minting transactions involve. Your transaction monitoring programme should be calibrated to address this.

Monitor the Article 142(2) DeFi legislative process. The 2027 DeFi report and any resulting legislative proposal will significantly affect the regulatory treatment of DeFi protocol token listings. CASPs should track this process through ComplyFactor’s ongoing MiCA and EU regulatory coverage, including our MiCA regulation guide, VASP compliance guide, and 6 AML trends analysis.

Engage your legal counsel on jurisdiction-specific NCA posture. The non-identifiable issuer analysis is legally sophisticated and not yet addressed by formal supervisory guidance. The weight your home NCA assigns to the Recital 22 carve-out, and its posture toward DeFi protocol token listings generally, is a critical variable in your risk assessment. ComplyFactor’s global MLRO services and AML advisory support CASPs in navigating these jurisdiction-specific assessments.

16. Implications for DeFi Protocols Considering EU Market Access

For DeFi protocols — including the Sky Protocol and others — that are considering how to position themselves relative to the EU market, the non-identifiable issuer analysis has strategic as well as compliance implications.

The non-identifiable issuer argument is not a permanent shield. Recital 22’s carve-out reflects the legislature’s recognition that DeFi does not fit current regulatory frameworks, not a permanent exemption from regulation. The 2027 legislative process will likely produce obligations that apply to DeFi protocols or their key participants in some form. Protocol teams should be preparing for that regime rather than assuming the current gap is permanent.

Governance-initiated minting is a regulatory liability. The GFXLabs critique demonstrates that the boundary between parameter-setting governance and issuance-control governance is not always clear. Protocols that want to maintain the strongest possible non-identifiable issuer argument should examine whether governance-initiated minting mechanisms — pre-minted reserves, direct deposit modules — can be redesigned to be more clearly user-initiated, or whether their scale can be reduced to a level that does not materially affect the control analysis.

Front-end UI decisions have regulatory consequences. The BCAS opinion’s assessment of the sky.money interface — concluding that it does not constitute an offer to the public — is based on the absence of purchase solicitation in that specific interface accessible from EU IP addresses. Protocol teams should be aware that front-end design decisions have direct regulatory consequences: an interface that includes promotional content, purchase pricing, or terms of sale for stablecoins moves the analysis toward offer-to-the-public territory.

The seeking-admission-to-trading boundary must be respected. As the BCAS opinion warns explicitly: if Sky DAO governance token holders seek re-admission to trading of Sky Stablecoins following a delisting, that act constitutes “seeking admission to trading” and triggers Title IV. Protocol governance communities should have clear internal guidance on this boundary and should not approach newly-authorised CASPs for listing purposes.

17. The Broader Pattern: How Other Jurisdictions Are Approaching DAO Regulation

The EU is not alone in wrestling with the question of how to regulate DAOs. A brief comparative survey is useful context for understanding the range of approaches being considered globally, which may inform the eventual EU legislative proposal.

In the United States, the question of DAO legal status and liability has been addressed inconsistently across federal and state levels. Wyoming was the first US state to recognise DAOs as a distinct legal entity — the “DAO LLC” — providing legal personality while preserving the governance token structure. However, this approach has not been adopted federally, and federal regulators — including the SEC and CFTC — have taken enforcement action against DAO governance participants in specific cases, treating large governance token holders as liable parties.

In the United Kingdom, HM Treasury’s crypto-asset regulatory consultation has acknowledged DeFi as a distinct category requiring dedicated attention, with a phased approach that would first regulate DeFi activities that most closely resemble traditional financial services before extending the perimeter to more genuinely decentralised activities. The UK’s approach of extending regulation to “sufficient nexus” UK persons — rather than attempting to regulate the protocol itself — is one model the EU’s 2027 DeFi legislation might consider.

In the UAE, VARA’s framework explicitly addresses DeFi service providers, requiring entities that operate DeFi front-ends or provide DeFi-related services to UAE users to register and comply with VARA’s Virtual Asset Service Provider regulations. ComplyFactor’s UAE crypto regulation guide covers VARA’s approach in detail.

Switzerland’s FINMA has taken a pragmatic, case-by-case approach to DeFi, applying existing AML and financial services frameworks to DeFi activities where a Swiss nexus exists — typically through a development team, foundation, or front-end operator based in Switzerland. Our Switzerland AML audit guide covers the Swiss framework’s application to crypto entities.

The emerging international consensus — reflected across US, UK, UAE, and Swiss approaches — is that fully decentralised protocols with no identifiable controlling party are difficult to regulate through traditional entity-based frameworks. Regulation tends to land on the most identifiable nexus: front-end operators, development teams, major governance token holders, or third-party service providers. The EU’s 2027 DeFi legislation will likely follow a similar pattern.

18. Frequently Asked Questions

Q: Does MiCA’s Recital 22 definitively exempt DAI and USDS from Titles III and IV? A: Not definitively. Recital 22 provides the carve-out, but whether DAI and USDS have “non-identifiable issuers” within the meaning of that recital is contested. The BCAS opinion concludes on a balance of probabilities that the Sky DAO qualifies as a non-identifiable issuer, but acknowledges that a wider interpretation of “issuer” could lead to a different conclusion. The answer is not definitively yes or no — it is a genuinely unresolved interpretive question that will ultimately require supervisory or judicial resolution.

Q: Is the non-identifiable issuer question more or less settled for USDT? A: Considerably more settled, and in the opposite direction. Tether Limited is a clearly identifiable legal entity with a known corporate structure, officers, and domicile. The non-identifiable issuer carve-out does not apply to USDT. The regulatory question for USDT is whether Tether has conducted an offer to the public or sought admission to trading in the Union — not whether it is identifiable.

Q: If a DeFi protocol becomes more centralised over time, does it lose the non-identifiable issuer status? A: Potentially yes. The non-identifiable issuer analysis is not static — it reflects the factual reality of governance at a given point in time. If a protocol’s governance becomes more concentrated, if a dominant entity emerges that exercises effective control over minting, or if the founding team reinstates governance privileges that were previously relinquished, the control analysis changes. CASPs should treat the non-identifiable issuer assessment as an ongoing obligation, not a one-time determination.

Q: What happens to tokens listed under the non-identifiable issuer framework if the 2027 DeFi legislation introduces new obligations? A: New legislation would apply prospectively. Tokens listed under the current framework would need to be assessed against the new requirements as they come into force. The 2027 legislative timeline gives CASPs and protocol teams several years to prepare — but given the complexity of DeFi compliance infrastructure, preparation should begin well in advance of the legislation’s applicability date.

Q: Can a DAO voluntarily seek MiCA authorisation to provide regulatory certainty? A: In theory, yes — but in practice, obtaining authorisation as a credit institution or EMI requires being a legal person established in the EU, which a DAO typically is not. Some DeFi protocols have established EU-registered foundation entities to interact with regulators, but this approach creates its own complications — particularly if the foundation entity is seen as having control over the protocol, which could reintroduce the identifiable issuer analysis. There is no clean path to voluntary MiCA authorisation for a genuinely decentralised protocol under the current regulatory framework.

Q: Should CASPs delist DeFi protocol tokens pending the 2027 DeFi legislation? A: Not necessarily. The 2027 DeFi legislation is a future development, not a current regulatory obligation. The decision to list or delist any token should be based on the current regulatory framework — including the Article 76(2) suitability assessment, the AML/CTF risk assessment, and the legal risk analysis of the non-identifiable issuer question — not on speculation about future legislation. A well-documented listing decision made under the current framework remains defensible even if the framework subsequently changes.

This article is published for informational purposes and does not constitute legal advice. For MiCA compliance advisory, CASP AML programme development, fractional MLRO services, and DeFi regulatory risk assessments, contact ComplyFactor.

Related Articles:

• Can EU Exchanges Still List USDT, DAI and USDS Under MiCA? The Legal Debate Explained
• MiCA Admission to Trading: What Every CASP Compliance Officer Must Know Before Listing a Stablecoin
• ESMA’s January 2025 Stablecoin Statement: Is It Legally Binding — And Is It Even Correct?
• MiCA Regulation Guide 2026: EU Crypto-Asset Framework Explained
• Ultimate Guide to VASP Compliance: Global AML/CTF/PF Standards
• UAE Crypto Regulation 2025: Complete Guide to VARA, ADGM, SCA, CBUAE
• Switzerland 2025 AML Audit and Independent Review Guide
• 6 AML Trends in Regulatory Compliance Every Compliance Officer Needs to Follow
• Offshore VASPs: FATF’s 2026 oVASP Risk Report Explained
• The Complete AML Program Blueprint: Design, Build and Implement