27 March 2026
Legilux ¦ Law of 27 March 2026 DAC8
Luxembourg’s DAC8 Law brings crypto-asset platforms into the automatic exchange net
Luxembourg has enacted the law of 27 March 2026 transposing the EU’s DAC8 changes into national law – formally bringing providers of crypto-asset services into the automatic and mandatory exchange of tax-relevant information regime. The law applies from 1 January 2026 and imposes new registration, reporting, and due diligence obligations on “declaring” crypto‑asset service providers (CASPs) and other operators that carry out reportable crypto transactions on behalf of users who are tax residents in jurisdictions subject to reporting. The statute amends several existing Luxembourg laws on administrative cooperation, the Common Reporting Standard (CRS), country‑by‑country reporting (CbCR), cross‑border arrangements, and platform operators to integrate crypto reporting into the international automatic exchange network. For teams working on financial crime risks and tax compliance, the law materially changes the information flows, supervisory responsibilities and enforcement powers that intersect with anti‑money laundering and sanctions controls.
Who must register and what the register will contain
From the 2027 reporting cycle, Luxembourg’s financial regulator, the Commission de surveillance du secteur financier (CSSF), must annually provide the tax administration with identities of all crypto‑asset service providers that held a Luxembourg authorisation in the prior calendar year, including LEIs and Luxembourg trade register numbers. Operators that meet the statutory definitions and are subject to reporting obligations in Luxembourg must register with the Administration des contributions directes (ACD) before the deadline for providing the information to the administration. A unique identification number will be allocated and shared with other EU member states. Registration data must include name, postal and electronic addresses, any tax identification numbers, member states where reportable users reside, and any qualified third jurisdictions used by the operator. The tax authority will notify the European Commission (EC) where a subject operator fails to register – a clear escalation channel that supports cross‑border enforcement.
Scope of reportable activity and detailed reporting fields
The law requires declaring crypto‑asset service providers to report annually by 30 June the full set of user‑level data required by the Annex – with the first reporting year covering transactions from 1 January 2026. Reporting covers natural persons and entities that are reportable users or entities whose controlling persons are reportable. Reported data include names, addresses, jurisdictions of tax residence, TINs, dates and places of birth for individuals, and the reporting provider’s own identifiers including LEI and the tax administration’s assigned ID. For each type of reportable crypto‑asset, firms must submit extensive transactional aggregates and counts: gross amounts paid and received where fiat was used, market value totals where crypto‑to‑crypto or other non‑fiat transfers occur, numbers of units and number of reportable transactions, a breakdown by transfer type when known, and a specific category for transfers to addresses on distributed ledgers that are not obviously associated with another VASP or financial institution. Firms that have no reportable users must file a zero‑report.
Due diligence, auto‑certifications and data provenance responsibilities
The law cross‑references rigorous due diligence requirements drawn from the Annex. Providers must collect valid auto‑certifications from users to establish tax residencies, and for pre‑existing relationships those certifications must be obtained by 1 January 2027. Where circumstances change so that prior certifications are no longer reliable, firms must obtain updated documentation and may not rely on the outdated certifications. For entities, providers must identify and, where appropriate, obtain information on controlling persons. The statute expressly permits relying on AML/KYC procedures where consistent with Luxembourg AML rules, and allows the use of third parties to perform due diligence functions, while maintaining ultimate responsibility with the reporting provider.
Operational relief where cross‑border reporting is already performed
The law provides exemptions where equivalent reporting and due diligence are already being performed in another EU member state or a qualified third jurisdiction. If a provider is already registered and conducting reporting in another member state before the Luxembourg reporting deadline, the provider is not required to register again in Luxembourg. Likewise, reporting obligations that are fulfilled by another branch or jurisdiction with equivalent standards may relieve the Luxembourg registration or reporting obligation, subject to notification and proof. This avoids duplicate reporting but creates the need for robust evidence trails showing which jurisdiction is the reporting point of obligation.
Interaction with platform operator rules, identification services and automated confirmations
DAC8 harmonises reporting for operators of crypto‑asset platforms with the regime already applied to other digital platforms. The law allows providers to rely on “identification services” issued by EU member states or the EU to obtain direct confirmations of a user’s identity and fiscal residence. Where a provider uses such a service and relies on the direct confirmation, the provider reports the identifier of the identification service and state of issuance instead of the full identification data otherwise required. For marketplace and platform operators this is significant because requirements were aligned with the prior platform operator law and now extended to crypto activity.
Enforcement powers, sanctions and investigatory reach
The Administration des contributions directes (ACD) has broad verification powers to inspect whether providers comply with declaration and due diligence obligations, and to investigate whether any practices aim to circumvent reporting. The tax authority may access AML records, procedures and related documentation, including policies, controls and IT systems, and it can audit the registers and the files firms are required to maintain for ten years. The statute sets tiered monetary sanctions: a fixed 5,000 euro penalty for failures to register or to notify changes or for transmitting incomplete or incorrect registration data; a 5,000 euro fixed penalty for late reporting; and administrative fines up to 250,000 euros for failures in due diligence or substantive reporting obligations (excluding late‑filing). The authority will issue reminders and may revoke an operator’s registration where reporting is not provided after notices. Decisions are subject to administrative appeal.
Data protection, confidentiality and limited use of exchanged information
The law embeds GDPR responsibilities – providers and the tax authority are controllers for their respective processing operations – and requires secure, restricted access to the information exchanged. Data received by the Administration des contributions directes (ACD) may only be used for the purposes permitted by the law and the 2013 administrative cooperation law. Providers must notify data subjects that their information will be gathered and transferred, and must provide data subject rights information in time to allow exercise of those rights prior to the transmission to the tax authority. Retention periods are limited to what is necessary to apply the law and otherwise follow applicable legal limitation rules. Exchanged information is also covered by safeguards in the administrative cooperation legal framework.
Implications for financial crime controls and compliance programs
The Luxembourg DAC8 regime tightens the link between tax transparency and AML/CFT supervision, with several practical implications for practitioners:
- Data quality and provenance become enforcement focal points. The law requires detailed aggregated transactional metrics plus robust evidential trails for due diligence steps and communications with users. AML databases, KYC document stores and transaction monitoring systems must be able to produce auditor‑grade evidence of how tax residency was established and how amounts were calculated and converted when necessary.
- Integration of tax reporting with AML processes is mandatory in practice. Firms that already conduct AML/KYC checks must adapt those processes to capture CRS/DAC8‑relevant elements, capture and validate auto‑certifications, and ensure the mapping from wallets, addresses and transfer types to the reporting taxonomy is documented and auditable.
- Controls around user onboarding and the ninety‑day and sixty‑day remediation timelines matter. Providers must escalate and ultimately block access if users do not provide required information after two reminders and statutory cure periods. Business processes that allow users to trade while information is missing will need adjustment to avoid sanctions.
- Use of official identification services reduces reporting friction but requires careful proof. When providers rely on EU member state identification services, they must preserve identifiers and service provenance in their records and coordinate with those services’ data quality regimes.
- Cross‑border branch and group reporting strategies must be documented. Where an operator claims another member state is the reporting jurisdiction, clear notifications and documentary proof are required to avoid duplication or registration failures and the 5,000 euro fixed penalties.
- Sanctions and deregistration create regulatory escalation risk. Late‑filing and substantive failures can trigger fines, registration revocation and automated notifications to the European Commission (EC) if registration is lacking, which may then feed into supervisory or criminal inquiries.
Practical next steps for compliance, AML and financial crime teams
Start by mapping obligations to current processes: inventory who in the organisation is designated as responsible for CRS/DAC8 reporting, whether current data flows capture the user‑level and transaction aggregates required, and where LEIs, TINs and address data are sourced and validated. Implement an action plan to obtain valid auto‑certifications for existing users ahead of the 1 January 2027 deadline, and revise onboarding flows for new users to ensure certifications, supporting documents and identification service integrations are captured and logged. Ensure AML transaction monitoring and suspicious activity reporting systems record the additional metadata needed for DAC8 reporting and that retention and access controls meet the ten‑year preservation and audit requirements. Review contractual arrangements with third‑party service providers used for KYC or identity confirmation to ensure they support the evidentiary and data security requirements and permit sharing identifiers required by DAC8. Finally, coordinate with tax, legal and regulators to confirm whether the firm should register in Luxembourg or rely on registration and reporting in another EU member state – document and retain the proof that supports the chosen reporting jurisdiction.
What to watch next
Regulatory technical standards and implementing forms will follow – the law anticipates implementing acts from the European Commission (EC) on reporting templates and processes and Luxembourg Grand‑Ducal regulations on the practicalities of registration, reporting formats and the list of third jurisdictions subject to reporting. Firms must track Commission technical standards for the exact XML schemas and the identification service procedures that will determine the operational interfaces for automated confirmations. Enforcement activity is also likely to intensify as authorities acclimatise to new data streams, so maintaining defensible recordkeeping and demonstrable processes will be essential.
Conclusion
Luxembourg’s transposition of DAC8 integrates crypto‑asset activity into the international automatic exchange of tax information regime and strengthens the intersection between tax transparency and AML/CFT oversight. The law imposes detailed reporting, long‑term retention and heightened investigatory powers, while offering operational relief where equivalent reporting already takes place elsewhere in the EU. For compliance and financial crime teams, the task is practical and urgent: align KYC, transaction monitoring and data systems to produce the user‑level and transaction aggregates the tax administration will require, document jurisdictional reporting choices, and implement robust recordkeeping and escalation workflows so that both tax and AML obligations can be met and defended under scrutiny.
Dive deeper
- Legilux ¦ Loi du 27 mars 2026 relative à l’échange automatique et obligatoire des informations déclarées par les Prestataires de Services sur Crypto-actifs