Disclosure: This article does not provide investment advice. The content and materials on this page are for educational purposes only.
Victor Juskin, co-founder of LegalBison, explains how crypto founders will need to navigate the complex regulatory landscape of 2026, from MiCA and DORA compliance to DAO liability and jurisdictional strategies across the EU, US and UAE.
Victor Juskin is co-founder and managing partner of LegalBison, a global boutique legal and business services firm and corporate services provider specializing in corporate structuring for FinTech projects and digital assets. LegalBison operates in over 50 jurisdictions with offices in Poland, Estonia, Bahrain, Costa Rica, Panama and Malaysia, serving clients from leading cryptocurrency exchanges to VC-backed payment platforms.
In this interview, he addresses the practical realities of the post-transition regulatory framework in 2026: from DORA’s access to IT infrastructure and the end of DAO immunity, to the shared shortcomings of the Travel Rule and how founders should structure their jurisdictional strategy across the EU, US and UAE.
What does “promoting global crypto business” mean from a regulatory perspective? What surprises founders the most?
This means that any country where you have users, conduct transactions, or market your services is likely a jurisdiction where you need permission. Founders around the world think about their products. The app works anywhere, and blockchain doesn’t care about borders. Regulators, on the other hand, think locally. They care about whether their residents are being served, whether funds are being saved, and whether marketing is targeting their market. A single platform can generate commitments in dozens of jurisdictions at the same time. Each of these locations has requirements and deadlines.
What specific business activities create the most licensing requirements that the founders did not anticipate?
First, there is centralization. In the case of MiCA licensing, this means that there is no specific service provider that directly or indirectly controls the project. Once you hold a user’s private keys or maintain control of their assets, most jurisdictions classify you as a custodian/service provider, and this leads to licensing. Founders who think they are just building a cryptocurrency exchange are often building a regulated storage service. Second, on-ramp and off-ramp fiat activity. The conversion of traditional currencies and digital assets will trigger payment regulations in almost all jurisdictions. Third, active marketing. Some countries distinguish between passively accepting customers who find you and actively recruiting customers in their territory. If your activity falls into the second category, you are required to register, even if your company is established abroad. Many jurisdictions also have strict reverse solicitation rules. So, companies that hold a crypto exchange license cannot rely solely on the “global reverse call”.
How do you determine if a particular service requires a license in a given jurisdiction?
You start with a business model instead of a competency. Map each activity your platform performs: is it centralized? Does it keep user funds? Does it perform business on behalf of users? Does this make it easy to transfer between parties? Does it give advice? Each of these activities, to name a few, has a regulatory classification that varies by country. At LegalBison, we typically perform such activity mapping against the regulatory frameworks of each of our clients’ target jurisdictions. The result is a matrix: which activities require which permissions, where. This matrix is the basis of the entire corporate and licensing strategy, and without it, frankly, we are making a lot of assumptions.
DORA is often viewed as a capital and management requirement. What is its real access to IT infrastructure for crypto companies?
DORA goes much deeper than equity. The regulation requires companies to map their entire ICT supply chain, which means identifying each third-party technology provider in your stack and formally assessing the risks they pose. The cryptocurrency platform, which runs on AWS with a third-party KYC provider, an external storage solution, and an off-the-shelf trading engine, has four or five entities in the chain, so you can even count subcontractors. Each link should be documented, assessed and managed in a formal third-party risk framework.
Governing boards are now responsible for ICT risk management. A major technological failure is the responsibility of the management board, which has potential enforcement implications by the European regulatory authorities. For example, CASP-licensed entities must also conduct regular stability testing and report critical ICT incidents to their national competent authorities. DORA sets a standard of compliance to what banks maintain, compared to what most EU-licensed VASPs have historically built.
Many DeFi founders assume that working through smart contracts and decentralized governance means they are beyond the reach of traditional regulation. Is this assumption still valid in 2026?
It was never a reliable guess in the first place. The CFTC case against Ooki DAO proved just that. The DAO has been classified as an illegal association, and enforcement action has shown that regulators are willing and able to target decentralized entities that lack traditional legal personality. Decentralization does not protect you from the consequences of non-compliance.
Regulators follow an operational control model. If you deploy a protocol, hold administrative keys, or exercise administrative voting power that acts like administrative control, you are a potential enforcement target regardless of how the structure is labeled. The principle of the same rule applies: if the DeFi protocol performs the economic function of a regulated intermediary, the regulators will consider it as a single one. If you want to build a DeFi App, you want to make sure that there is no centralized element, no licensing activity in the markets you’re targeting, and you’re not actively recruiting customers in markets that create licensing requirements.
The FATF Travel Rule requires VASPs to share originator and beneficiary information on shipments. What are the main obstacles to compliance in practice?
Interaction is the main problem. The travel rule requires data to travel with the transaction, but different VASPs in different jurisdictions use matching systems that are not always technically compatible. When a transmission goes from an EU-compliant VASP using one protocol to another using a different standard, data exchange may fail completely. Global adoption remains low, which means the infrastructure to actually meet this demand is still being built. But over time, we think it will follow.
We at LegalBison see that non-compliance with the Travel Rule becomes more of a business obstacle than a legal one. Compliant VASPs in regulated markets sometimes reject shipments from non-compliant counterparts regardless of where the sender is located. The network effect of regulated participants enforces the rule even if local law does not.
If the founder’s business model relies on issuing stablecoins, how is the regulatory matrix different from a standard exchange?
The MiCA regulation creates two different categories. Asset-linked tokens are linked to a basket of assets or currencies. E-money tokens are backed by an official fiat currency. Each category has different permitting requirements, resource obligations, and management standards. Capital and liquidity frameworks are significantly more demanding than what a standard CASP would face.
Founders should understand in what situations they are exposed to real regulatory influence. If an ART or EMT reaches a threshold of size or systemic importance set by the European Banking Authority, the issuer will be subject to direct supervision by the EBA. This means higher capital reserves, stricter liquidity management requirements and mutual obligations that go beyond what MiCA sets at baseline.
With the US moving into a more innovation-driven framework and the UAE continuing to attract digital asset businesses, how should founders approach the EU vs. the UAE decision in 2026?
The right answer depends on your business model and target markets. The EU is the most demanding but offers the most commercially valuable result. A CASP permit in one member state provides passporting in all 27 EU countries. The transition period for existing VASP registrations ends at least in July 2026, but member states can shorten it. Lithuania has completely removed the grandfathering period, which nationally expires on December 30, 2024. Others cut it to 12 months, ending in December 2025. For companies that thought they had until mid-2026, the choice of national competent authorities depends on their readiness to comply.
The situation is changing in the USA. Spot and ETFs have been approved. The SEC and CFTC have clearer boundaries about what each oversees. Stablecoin regulations are shaped at the federal level. For founders going after institutional capital, there is now enough regulatory structure to plan for.
The United Arab Emirates does it differently. Dubai’s VARA framework and Abu Dhabi’s ADGM regime are strict but transparent. The VARA rulebook is activity-specific, making compliance obligations easier to cover. The zero-tax environment of a free zone is attractive, but the structural requirements can be challenging. The strategic variable is where your customers are and what regulatory signal is most important to them.
Disclosure: This content is provided by a third party. Neither crypto.news nor the author of this article endorses any of the products mentioned on this page. Users should do their research before taking any action related to the company.






