Cyprus HomeCyprus NewsCyprus Publications
European Union HomeEurope HomeGlobal
Special Report · Cyprus

Cyprus Puts Crypto on the Tax Map

Cyprus Puts Crypto on the Tax Map
Key Takeaways
  • 1DAC8 is now law in Cyprus from January 1, 2026, covering both MiCA-licensed providers and unlicensed operators with any meaningful connection to the jurisdiction
  • 2Reportable transactions include crypto-to-fiat swaps, crypto-to-crypto exchanges, retail payments above $50,000, and transfers to unidentified wallet addresses — CBDCs and e-money tokens are excluded
  • 3Due diligence on existing users must be completed by January 1, 2027; first data submission covering 2026 is due June 30, 2027
  • 4Penalties run from €5,000 for verification failures to €10,000 for filing and registration breaches, with EU-wide registration revocation available for repeat non-compliance
  • 5Practitioners should audit AML/KYC infrastructure against the Annex VI due diligence standard now — the first reporting cycle is already running

Cyprus follows EU in closings the gap that was always visible. A trader in Frankfurt holding a Bitcoin account with a Cypriot exchange faced no automatic disclosure to German tax authorities — the kind of transparency that bank account holders have lived with since DAC2 standardised financial account reporting in 2016. DAC8, agreed at EU Council level in October 2023 under Directive 2023/2226, was built to close it. Cyprus transposed it as Law 38(I)/2026, backdated to January 1, 2026.

The legislation amends the base Administrative Cooperation Law — in force since 2012 and amended seven times since — by inserting a new Article 7ΣΤ and a comprehensive Annex VI governing crypto-asset reporting. It is the most structurally significant expansion of the automatic exchange of information framework in Cyprus since the CRS was implemented in 2017.

The Reporting Perimeter

The legislation defines Reporting Crypto-Asset Service Providers broadly. MiCA-licensed firms authorised under Article 63 of Regulation 2023/1114, or passporting into Cyprus under Article 60, fall in automatically. So do unlicensed Crypto-Asset Operators — any entity or individual with tax residence, incorporation, place of effective management, or habitual place of business in Cyprus that executes exchange transactions on behalf of users.

Reportable transactions cover both Exchange Transactions — crypto-to-fiat and crypto-to-crypto swaps — and Transfers, defined as movements of Reportable Crypto-Assets to or from a user's address outside the provider's own custody. Retail payment transactions exceeding $50,000 are separately categorised as Reportable Retail Payment Transactions and carry their own reporting line.

The definition of Reportable Crypto-Asset deliberately excludes Central Bank Digital Currencies, e-money tokens as defined under MiCA, and any asset a provider has adequately documented as incapable of use for payment or investment purposes. The practical effect is that stablecoins representing a single fiat currency and redeemable at par on demand are outside scope — a carve-out that mirrors the OECD's CARF treatment.

Due Diligence

Annex VI Section III sets out the due diligence procedures. For individual Crypto-Asset Users, providers must obtain self-certification establishing tax residency and confirm its reasonableness against client documentation — including any materials gathered under AML/KYC procedures consistent with the Prevention and Suppression of Money Laundering Law. For Entity Users, the obligation extends to identifying Controlling Persons who are Reportable Persons, applying procedures substantively equivalent to CRS entity due diligence.

Existing users — those with a relationship as of December 31, 2025 — must be brought into compliance by January 1, 2027. New relationships require self-certification at onboarding. Where a change in circumstances renders a prior self-certification unreliable, providers must obtain a fresh certification or a reasonable explanation before continuing to rely on the original.

What Gets Reported

Article 7ΣΤ(3) and Annex VI Section II specify the data fields. For each Reportable Person, providers must report name, address, member state or states of residence, TIN or TINs, and — for individuals — date and place of birth. For Entity users with Reportable Controlling Persons, the obligation cascades to each controlling individual's identity and role.

At transaction level, providers report separately for each type of Reportable Crypto-Asset: total gross amounts paid and received against fiat, total fair market value and unit counts for crypto-to-crypto acquisitions and disposals, aggregate values for Retail Payment Transactions, and — notably — total fair market value of transfers to distributed ledger addresses not known to be associated with a virtual asset service provider or financial institution. This last category is designed to capture on-chain activity that exits the regulated perimeter entirely.

All amounts are reported in a single fiat currency, converted at the time of each transaction using a method applied consistently by the provider.

Registration

MiCA-licensed providers supervised by CySEC or the Central Bank of Cyprus are fed into the framework directly — both authorities must transmit full licensee lists to the Tax Department by December 31 of each reporting year. Operators outside MiCA must register with the competent authority of a single EU member state. Those registering in Cyprus receive an individual identification number from the Tax Department, which then notifies all other member states electronically via the central register maintained by the Commission.

A provider whose registration is revoked for non-compliance may re-register only after demonstrating to the competent authority that all outstanding filing deficiencies have been remedied.

Penalties

The penalty regime under the amended Article 22D is tiered. Failure to enforce the collection and verification requirements under Annex VI Section V draws up to €5,000. Incomplete or inaccurate filings, record-keeping failures, and registration non-compliance each carry a maximum of €10,000.

Non-compliance with the filing obligation after two formal reminders triggers the hardest sanction available: revocation of EU-wide registration, with effect no sooner than 30 days and no later than 90 days after the second warning.

Records must be retained for a minimum of five years and a maximum of ten years from the end of the relevant reporting period — a ceiling framed explicitly in terms of GDPR proportionality under Regulation 2016/679.

The Timeline

The first data submission covers calendar year 2026 and is due by June 30, 2027 — nine months after year-end, consistent with the DAC8 timetable. TIN inclusion requirements deepen progressively: from January 1, 2028, TINs must be included in exchanges of advance cross-border rulings under Article 7A and DAC6 cross-border arrangements under Article 7D. From January 1, 2030, TINs from the residence-state become mandatory for the Article 7(1) income categories — employment income, directors' fees, and pensions.

Practical Implications

Cyprus is not a peripheral jurisdiction in this context. The island's concentration of MiCA-licensed entities and crypto-adjacent fintech firms — drawn by EU passporting rights, an English-law influenced legal system, and the IP box regime — means the Tax Department will sit at the centre of substantial bilateral data flows with counterpart authorities across the member states.

Practitioners advising clients on DAC8 compliance will need to assess whether existing AML/KYC infrastructure is adequate to meet the Annex VI due diligence standard, whether self-certification processes are in place for both individual and entity clients, and whether any crypto-assets in scope have been properly documented for potential exclusion. The interaction between the Reportable Crypto-Asset definition and MiCA's asset classification regime will generate early interpretive questions — particularly for assets that straddle the line between utility tokens and instruments capable of use for payment or investment.

The law is in force. The clock on the first filing cycle is already running.

Source: Official Gazette of the Republic of Cyprus, Law 38(I)/2026, published March 27, 2026. Council Directive (EU) 2023/2226 of October 17, 2023. Regulation (EU) 2023/1114 (MiCA). Regulation (EU) 2023/1113. OECD Crypto-Asset Reporting Framework (CARF).

Prepared byMediterranean VAT Review Editorial
Thursday, June 11, 2026
More Publications
VAT Rate Power Lies With Parliament, Not the Minister — South Africa's Democratic Alliance v Minister of Finance RulingSouth Africa | Case Commentary
Italy Turns Summer Into a Tax Reckoning for Short-Term Rental OperatorsItaly | Special Report
UAE Rewrites the Rules on Home-Builder Tax Refunds in Push to Go Fully DigitalUnited Arab Emirates | Special Report
Rwanda Mandates VAT on Digital Services with Registration and Withholding RulesRwanda | Special Report
KSeF Invoices Cannot Be Cancelled Once Transmitted, Polish VAT Act ConfirmsPoland | Practice Note
Poland Moves to VIDAPoland | Policy Brief
Colorado Supreme Court to Review Netflix Streaming Sales Tax CaseUnited States | Case Commentary
Policy Brief
Manitoba Enhances Tax Credits, Removes RST from Additional Grocery Items in 2026 BudgetCanada | Policy Brief
Coverage
CountryCyprusRegionEuropeUnionEuropean Union