
Disclosure: This article does not represent investment advice. The content and materials featured on this page are for educational purposes only.
Viktor Juskin, Co-Founder of LegalBison, explains how crypto founders must navigate the complex 2026 regulatory landscape, from MiCA and DORA compliance to DAO liability and jurisdictional strategies across the EU, U.S., and UAE.
Viktor Juskin is Co-Founder and Managing Partner of LegalBison, a global boutique legal and business services firm and licensed Corporate Service Provider specializing in corporate structuring for FinTech and digital asset projects. LegalBison operates across 50+ jurisdictions with offices in Poland, Estonia, Bahrain, Costa Rica, Panama, and Malaysia, serving clients ranging from leading cryptocurrency exchanges to VC-backed payment platforms.
In this interview, he addresses the operational realities of the post-transition 2026 regulatory framework: from DORA’s reach into IT infrastructure and the end of DAO immunity, to Travel Rule interoperability gaps and how founders should structure their jurisdictional strategy across the EU, U.S., and UAE.
What does “running a global crypto business” actually mean from a regulatory perspective? What surprises founders the most?
It means every country where you have users, process transactions, or market your services is potentially a jurisdiction where you need authorization. Founders think globally about their product. The app works everywhere, and the blockchain does not care about borders. Regulators, on the other hand, think locally. They care about whether their residents are being served, whether funds are being held, and whether marketing is being directed at their market. A single platform can trigger obligations in a dozen jurisdictions at the same time. Each of these locations will have different requirements, timeframes, and enforcement deadlines.
Which specific business activities most commonly trigger licensing requirements that founders do not anticipate?
First, there is centralization. In the case of MiCA licensing, it means the existence of any specific service provider who directly or indirectly controls the project. The moment you hold a user’s private keys or maintain control over their assets, most jurisdictions classify you as a custodian/service provider, and that triggers licensing. Founders who think they are just building a cryptocurrency exchange are often building a regulated custodial service. Second, fiat on-ramp and off-ramp activity. Converting between traditional currency and digital assets triggers payment regulations in almost every jurisdiction. Third, active marketing. Some countries distinguish between passively accepting clients who find you and actively soliciting clients in their territory. If your activities fall under the second category, you may be required to register, even if your company is incorporated abroad. In many jurisdictions, there are strict rules on reverse solicitation, too. So, companies that hold a crypto exchange license cannot rely solely on ‘global reverse solicitation’.
How do you identify whether a particular service requires licensing in a given jurisdiction?
You start with the business model instead of the jurisdiction. Map every activity your platform performs: is it centralized? Does it hold user funds? Does it execute trades on behalf of users? Does it facilitate transfers between parties? Does it provide advice? Each of those activities, to name a few, has a regulatory classification that varies by country. At LegalBison, we usually run such an activity mapping against the regulatory frameworks of each of our clients’ target jurisdictions. The output is a matrix: which activities require which authorizations, where. That matrix is the foundation of the entire corporate and licensing strategy, and without it, it is, frankly speaking, a lot of guesswork.
DORA is often discussed as a capital and governance requirement. What is its actual reach into the IT infrastructure for crypto firms?
DORA goes much deeper than capital. The regulation requires firms to map their entire ICT supply chain, which means identifying every third-party technology provider in your stack and formally assessing the risks they entail. A crypto platform running on AWS with a third-party KYC provider, an external custody solution, and an off-the-shelf trading engine has four or five entities in that chain before you even count the subcontractors. Each link has to be documented, assessed, and managed under a formal third-party risk framework.
Management boards are now personally responsible for steering ICT risk. A major technology failure is a management board liability with potential enforcement consequences from European Supervisory Authorities. CASP-licensed entities, for example, also have to run regular resilience testing and report significant ICT incidents to their national competent authority. DORA sets a compliance standard closer to what banks maintain than what most EU-licensed VASPs have historically built.
Many DeFi founders assume that operating through smart contracts and decentralized governance means they fall outside traditional regulatory reach. Is that assumption still valid in 2026?
It was never a reliable assumption in the first place. The CFTC’s case against Ooki DAO has only proven it. The DAO was classified as an unincorporated association, and the enforcement action demonstrated that regulators are willing and able to target decentralized structures that lack a traditional legal entity. Decentralization does not shield you from the consequences of non-compliance.
Regulators are following the pattern of operational control. If you deploy the protocol, hold administrative keys, or exercise governance voting power that functions like managerial control, you are a potential enforcement target regardless of how the structure is labeled. The same-risk-same-rule principle applies: if a DeFi protocol performs the economic function of a regulated intermediary, regulators treat it as one. If you want to build a DeFi App, you would want to ensure there is no centralization element, no licensed activity in the markets you target, and you do not actively solicit clients in markets that trigger licensing requirements.
The FATF Travel Rule requires VASPs to share originator and beneficiary data on transfers. In practice, what are the main compliance barriers?
Interoperability is the key problem. The Travel Rule requires data to travel with the transaction, but different VASPs in different jurisdictions use compliance systems that are not always technically compatible. When a transfer moves from a compliant EU VASP using one protocol to a counterpart using a different standard, the data exchange can fail entirely. Global adoption remains low, which means the infrastructure to actually enforce the requirement is still being built. But over time, we assume it will follow.
We at LegalBison see that non-compliance with the Travel Rule becomes more of a commercial barrier than a legal one. Compliant VASPs in regulated markets sometimes reject transfers from non-compliant counterparts regardless of where the sender is incorporated. The network effect of regulated participants enforces the rule even where local law does not.
If a founder’s business model relies on issuing stablecoins, how does the regulatory matrix differ from a standard exchange?
MiCA regulation creates two distinct categories. Asset-Referenced Tokens are pegged to a basket of assets or currencies. E-Money Tokens are backed by a single official fiat currency. Each category carries different authorization requirements, reserve obligations, and governance standards. The capital and liquidity frameworks are substantially more demanding than what a standard CASP faces.
Founders need to understand in which cases they face real regulatory exposure. If an ART or EMT reaches a volume or systemic importance threshold set by the European Banking Authority, the issuer moves to EBA direct supervision. That means higher capital reserves, stricter liquidity management requirements, and interoperability obligations that go beyond what MiCA imposes at the baseline level.
With the U.S. shifting toward a more pro-innovation framework and the UAE continuing to attract digital asset businesses, how should founders approach the EU versus U.S. versus UAE decision in 2026?
The right answer depends on the business model and target markets. The EU is the most demanding but offers the most commercially valuable outcome. A CASP authorization in one member state provides a passport across all 27 EU nations. The transitional period for existing VASP registrations ends in July 2026 at the latest, but Member States can and have shortened it. Lithuania has removed the grandfathering period entirely, with its national deadline falling on December 30, 2024. Others have cut it to 12 months, expiring in December 2025. For companies that assumed they had until mid-2026, the choice of national competent authority depends on their compliance readiness.
In the U.S., the situation is turning around. Spot and ETFs got approved. The SEC and CFTC have clearer boundaries over what each of them oversees. Stablecoin rules at the federal level are taking shape. For founders going after institutional capital, there’s now enough regulatory structure to plan around.
The UAE operates differently. Dubai’s VARA framework and Abu Dhabi’s ADGM regime are rigorous but transparent. The VARA rulebook is activity-specific, which makes the compliance obligations easier to scope. The free zone zero-tax environment is attractive, but the structural requirements can be challenging. The strategic variable is where your clients are, and which regulatory signal matters to them.
Viktor Juskin is Co-Founder of LegalBison, a global boutique legal and business services firm and licensed Corporate Service Provider for FinTech and digital asset projects.
Disclosure: This content is provided by a third party. Neither crypto.news nor the author of this article endorses any product mentioned on this page. Users should conduct their own research before taking any action related to the company.




