On 9 March 2023, the French National Assembly passed Article 8 of the DDADUE1 law, legislation that mandates compulsory authorisation for digital asset businesses applying for approval to operate in France. Effectively, Article 8 makes many of the requirements in Europe’s Markets in Crypto-assets Regulation (MiCA) for crypto-asset service providers (CASPs) enforceable as early as 1 January 2024 for digital asset service providers2 (DASPs) entering the French market.
In the aftermath of the FTX collapse, the ensuing market turmoil unleashed several months of debate among French legislators. As a result, the jurisdiction has implemented new requirements prior to MiCA’s coming into force with the aim to reinforce higher standards for crypto-asset businesses without compromising flexibility and innovation.
France’s digital asset registration regime
Up until now, the PACTE3 law introduced in 2019 created a two-stage regulatory process for DASPs looking to operate in France. The objectives of the PACTE were to promote innovation and allow the country to develop a crypto-asset industry while simultaneously moving DASPs towards a more rigorous regulatory framework.
The first stage was a compulsory registration regime that required all DASPs to register with the financial services regulator, the Autorité des marchés financiers (AMF), and comply with classic Anti-money Laundering (AML), Countering Financial Terrorism (CFT) and ‘fit and proper person’ standards. In return, DASPs have been able to provide a limited number of specified services.
The second stage was a demanding but optional authorisation process that, if successful, would allow DASPs to provide a full suite of services. The authorisation application required DASPs to meet standards surrounding their organisation, financial resources, business conduct and professional indemnity insurance.
To date, not a single one of the DASPS currently registered with the AMF have been authorised, a fact that suggests more stringent standards may have disincentivised them from applying.
Who is caught by Article 8?
Under Article 8, the compulsory registration-only regime will no longer be available. New entrants must apply for authorisation, and if approved, will need to comply with MiCA-level standards almost one year before CASPs looking for authorisation in the European Economic Area (EEA). The implications of Article 8 are varied, depending on the current status of a DASP’s registration in France.
If a DASP is already registered, nothing changes. The 65 DASPs currently registered in France4 are exempt from the new legislation, although firms may still choose to apply voluntarily. After MiCA comes into force (likely in April 2023), these firms will have 18 months to comply with the requirements and must apply to the AMF in due course for authorisation.
If a DASP is not registered and submits a complete application to the AMF before 1 July 2023, they can still benefit from the first stage registration-only regime if the application is approved. In this case, they will not be subject to the Article 8 requirements that come into force on 1 January 2024. The AMF must make a decision about the application within six months of submission and in any event, before 31 December 2023.
If a DASP is not registered and submits an application on or after 1 July 2023, they can no longer apply for the first stage registration. They must instead apply for authorisation and comply with the Article 8 requirements that come into force on 1 January 2024.
Article 8 requirements
All DASPs captured by Article 8 will need to demonstrate that they have in place adequate internal controls, a system for managing conflicts of interest and a resilient, secure IT system to resist cyber-attacks. They must also provide clear, non-misleading communication to their customers.
The requirements are particularly robust for DASPs providing custody services on behalf of third parties or access to digital assets through private cryptographic keys. These DASPs will need to ensure that they:
- conclude an agreement with their clients that sets out the DASP’s obligations and responsibilities;
- establish a retention policy;
- ensure the necessary means are in place to return digital assets or provide access to digital assets held on behalf of their clients as soon as possible;
- segregate client assets from their own assets;
- do not use or dispose of digital assets, or cryptographic keys held on behalf of their clients, except with the express prior consent of the client.
What happens after MiCA comes into force?
All DASPs, regardless of whether they are registered or authorised, will eventually need to become authorised by the AMF under MiCA and meet its robust standards.
Article 8 requirements will fall away when MiCA comes fully into operation at the end the 18-month transition period. This is in line with the EU’s objective to harmonise the regulation of crypto-asset service providers across the 30 jurisdictions in the European Economic Area (EEA).
Next steps from ADAN
In the meantime, the Association pour le développement des actifs numériques (ADAN), a leading crypto industry association in France, welcomes Article 8 as a good compromise measure but has recommended that the AMF should:
- clarify the conditions for processing applications from DASPs to the AMF between now and the entry into force of the reinforced regime;
- ensure it has the resources to deal with applications in a timely and effective way (so as not to economically penalise players for excessive delays);
- support service providers in complying with cybersecurity requirements by clarifying expectations, broadening and deepening the AMF’s cybersecurity skills and adopting a pragmatic approach in analysing the risks incurred by DASPs; and
- work on finalising the relevant national MiCA implementation texts in order to facilitate the final transition of the French regime to the European regime.
Digital asset businesses looking to enter the French market have three months left to apply in order to be eligible under France’s existing registration regime. DASPs that apply after the 30 June 2023 deadline will have to demonstrate by 1 January 2024 – less than nine months from today – that they are substantially MiCA-ready.
Are you a digital asset business interested in registration or authorisation in France? Have questions about operating your business under MiCA? Get in touch with us at email@example.com.
 Loi numéro 2023-171 du 9 mars portant diverses dispositions d'adaptation au droit de l'Union européenne dans les domaines de l'économie, de la santé, du travail, des transports et de l'agriculture.
 In France, digital asset service providers (DASPs) are the conceptual equivalent of crypto-asset service providers (CASPs) in the EU.
 Plan d'action pour la croissance et la transformation des entreprises
 Data verified by VASPnet on 13 March 2023.