27 August, 2025

Luxembourg prepares international exchange of crypto-asset information

Luxembourg has published a draft law (no. 8592) to transpose Directive (EU) 2023/2226 (DAC8) into national law, with the aim of implementing the EU’s new crypto-asset reporting framework and related expansions to automatic exchange of tax information. The draft was presented to Parliament on 24 July 2025 and sets out registration, due-diligence and reporting obligations for crypto-asset service providers (CASPs).

What the draft covers (quick summary)

  • Who is in scope: reporting crypto-asset service providers (RCASPs) — i.e., entities that custody, manage, trade, exchange, operate trading venues, or execute orders in crypto-assets on behalf of others — will be required to collect and report information on their users. The draft applies to CASPs authorised under MiCAR and to other providers with a sufficient nexus to Luxembourg (tax residency, PE, etc.).
  • Definition of crypto-assets: Luxembourg’s draft aligns broadly with the EU MiCAR definition but expressly adopts a wider definition for reporting purposes so that all crypto-assets used for payment or investment may fall within scope.
  • Timing: the new reporting regime will generally apply from 1 January 2026. The first reporting year will be 2026; the first automatic exchanges between tax authorities are expected to take place by 30 September 2027. Member States had to transpose DAC8 by 31 December 2025.

Practical obligations for CASPs

The draft law mirrors the Crypto-Asset Reporting Framework (CARF) developed by the OECD and set out in DAC8. Practically, reporting CASPs will need to:

  • register with the Luxembourg Tax Administration (LTA) before the annual deadline for filing the information to be reported (the draft sets annual submission timing and requires registration in advance of reporting cycles). MiCAR-authorised CASPs may benefit from simplified registration mechanics;
  • implement due-diligence procedures at onboarding and, for many existing clients, retrospectively: obtain and verify identity and tax-residency information (self-certifications), identify controlling persons where relevant, and apply carve-outs for excluded entities (public bodies, central banks, listed companies and related parties, certain financial institutions);
  • gather transactional and holding data required by CARF (types and amounts of crypto-assets held or transferred, account identifiers/wallet identifiers where available, dates and counterparties, and income derived from certain instruments);
  • report annually (the draft requires annual reporting, with a nil-report obligation where no reportable users or transactions exist). The draft aligns Luxembourg’s timing so data reported locally is then exchanged with other jurisdictions within the DAC8 timeframes.

Enforcement and penalties

The draft introduces administrative sanctions for non-compliance. Operators that fail to register or submit the required reports within the statutory deadline face a fixed penalty (reported drafting indicates €5,000 for failure to register or late reporting), while more serious breaches of due-diligence and reporting obligations can attract substantially higher fines (up to €250,000 under the draft). Supervisory authorities will also be able to apply other administrative measures.

Extensions to automatic exchange beyond crypto

DAC8 and the Luxembourg draft do not only add crypto. The initiative also broadens automatic exchange to include certain life-insurance income and advance cross-border tax rulings concerning individuals (where the ruling concerns transactions above stated thresholds or determines tax residency). Luxembourg’s draft also updates domestic rules implementing DAC6, DAC7, the Common Reporting Standard and country-by-country reporting to ensure consistency across regimes.

Interaction with MiCAR, AML and other rules

Luxembourg’s CARF implementation will intersect with MiCAR (the EU markets in crypto-assets framework) and existing AML/KYC obligations. Firms authorised under MiCAR and supervised by the CSSF should pay particular attention to aligning their compliance programmes so that MiCAR licences, AML onboarding, and DAC8/CARF reporting operate together without duplication — and to avoid conflicting data-handling processes. The draft includes simplification measures (to reduce duplicate reporting) where an entity is already subject to CRS/other reporting regimes.

Legal professional privilege and DAC6 changes

The draft also amends Luxembourg’s DAC6 implementation to reflect recent Court of Justice of the European Union (CJEU) jurisprudence (notably the judgments limiting the scope of obligations where legal professional privilege applies). The upshot is that lawyers covered by legal professional privilege are no longer required to notify other intermediaries of a potential reportable arrangement, although they remain obliged to inform their own clients; other intermediaries retain notification duties. This aligns Luxembourg with the CJEU case law and avoids conflicts with privilege protections.

What this means in practice — implications and risks

  • Operational burden: CASPs must upgrade onboarding, data-capture, back-office systems and reporting pipelines very quickly. For many platforms this will require significant IT investment and process re-engineering.
  • Privacy and data security: the collection of tax residency and wallet/account identifiers raises EU data-protection and cross-border transfer considerations (GDPR); firms must ensure lawful bases and careful security controls.
  • Cross-border compliance: entities with multi-jurisdictional activity must coordinate reporting to avoid duplication (the draft includes specific mechanisms to mitigate double reporting within the EU). atoz.lu
  • Risk of enhanced tax audits: greater automatic exchange increases the chance that tax authorities will interrogate undeclared crypto income and holdings. Investors and individuals should expect heightened scrutiny.

Recommended next steps for CASPs, asset managers and legal counsels

  1. Gap analysis: map current client onboarding, recordkeeping and transactional reporting against CARF/DAC8 requirements.
  2. Registration planning: prepare to register with the Luxembourg tax authorities where required and confirm whether MiCAR authorisation simplifies registration in practice.
  3. Onboarding & remediation: update client onboarding forms to capture tax residency and reportable-user information; plan outreach to legacy clients to remedy missing data.
  4. IT & reporting: design secure data flows and reporting pipelines, including wallet/account identifier capture, encryption, and automated exports in the prescribed XML/technical format.
  5. Legal & privacy review: coordinate with data-protection and tax counsel to ensure GDPR compliance and to document lawful bases for processing.
  6. Training & governance: train compliance staff; implement oversight and audit trails to reduce risk of heavy administrative fines.

Final considerations

Luxembourg’s draft Law no. 8592 brings the Grand Duchy into line with the EU’s ambitious transparency agenda under DAC8 and the OECD’s CARF. For CASPs, fund managers and intermediaries, the next 6–12 months will be crucial to convert legal obligations into practical controls. Early investment in data architecture, documented due-diligence procedures and cross-functional coordination (tax, compliance, legal, IT) will be essential to both meet the new obligations and limit regulatory risk.

 

Contact Us

© 2026 Italian Company Formations
Disclaimer and Privacy | Cookies Preference
| Cookies Policy