DAC8 (EU) & CARF (UK): The 2026 crypto “tax transparency switch” is on — TIN collection, annual reporting, and 60-day account restrictions for non-compliant users

Since 1 January 2026, crypto platforms serving EU residents must start collecting tax identity data under DAC8—and can be required to block “reportable transactions” after two reminders and 60 days if users don’t provide the required information. The UK is running a parallel track via CARF reporting to HMRC, with first reports due in 2027. This is not a “new crypto tax,” but a major enforcement upgrade.

Key Points

• EU DAC8 starts data collection in 2026; first EU-wide exchange of the 2026 reporting data is due by 30 Sept 2027.
• If a user fails to provide required info after two reminders (and not before 60 days), the provider must prevent the user from performing “Reportable Transactions.”
• Reporting scope includes crypto-fiat, crypto-crypto, and transfers, including certain withdrawals to “unhosted” (self-custody) addresses.
• UK CARF requires platforms to collect user + transaction data and report to HMRC; first submission window: 1 Jan–31 May 2027 for calendar year 2026.
• This is part of a global convergence: OECD tracks many jurisdictions committed to CARF exchanges in 2027–2029.

Short Narrative

A viral claim framed January 2026 as “the end of crypto privacy in Europe.” The reality is more precise — and for compliance teams, more operationally painful: the regulated on/off-ramps have become standardized tax sensors. Under DAC8, platforms must collect tax-residency identifiers (including TINs) and report aggregated transaction data annually, including categories that can cover withdrawals to self-custody. For users who refuse to provide required details, platforms face a hard rule: after reminders and a 60-day clock, access to “reportable transactions” must be switched off.

Extended Analysis

1) What exactly changed on 1 January 2026 in the EU?

DAC8 (Directive (EU) 2023/2226) expands the EU’s “administrative cooperation” rules so that Member States can automatically exchange crypto-asset information for tax compliance. The European Commission’s DAC8 guidance is explicit: data collection starts 1 January 2026, the first reporting year is 2026, and reporting is due within 9 months after year-end — i.e., by 30 September 2027 for the first cycle.

Compliance translation: 2026 is not “instant enforcement day”; it is the mandatory capture year that determines what tax authorities can match at scale once exchanges begin in 2027.

2) Which providers are covered?

DAC8 targets Reporting Crypto-Asset Service Providers (RCASPs) — broadly, entities (and in some cases individuals) that effectuate exchange/transfer transactions in reportable crypto-assets for users. The Commission notes DAC8 builds on MiCA definitions and covers a broad set of crypto-assets, including stablecoins (incl. e-money tokens) and certain NFTs.

Practical perimeter: centralized exchanges, broker-style trading platforms, and custodial/intermediated transfer services are the primary “in-scope” population. Pure self-hosted wallet software (with no custody and no transaction-effectuating intermediary) is typically not the reporting chokepoint — but the moment users touch a reporting provider, the trail restarts.

3) What must providers collect — and do they report automatically?

Yes. Under DAC8, RCASPs must collect identification data for reportable users (including TINs and residence information) and report annually to their national tax authority, which then exchanges the information with the user’s tax-residence Member State.

The Directive also specifies what gets reported and how it’s structured: aggregated gross amounts for acquisitions/disposals against fiat and other crypto-assets, plus fair-market-value metrics for transfers and certain payment transactions. Crucially, it also includes reporting for transfers to distributed ledger addresses “not known to be associated with a [service provider] or financial institution” — i.e., the regulatory “hook” for many self-custody withdrawals.

4) The 60-day countdown: what platforms must do

The “countdown” isn’t a new power to seize wallets — it’s an access-control obligation. The Directive states that if a user does not provide required information after two reminders, but not before 60 days, the provider must prevent the user from performing “Reportable Transactions.” Depending on platform design, that can effectively mean no trading and no withdrawals that fall inside reportable scope until compliance data is provided.

5) EU only — or also UK and other countries?

• EU: DAC8 applies across EU Member States from 2026 (implemented in national law via transposition), with EU-to-EU exchange of data.
• UK: The UK is implementing the OECD Cryptoasset Reporting Framework (CARF) with HMRC guidance requiring platforms to collect user/transaction data and file their first report 1 Jan–31 May 2027 covering 2026. Required user data includes (for individuals) name, DOB, address, residence, and for UK residents NI number or UTR; for non-UK residents, TIN + issuing country.
• Global: OECD and the EU both point to a wide group of jurisdictions committed to CARF exchanges in 2027–2029 (OECD’s commitment list is updated regularly).

Bottom line: If your platform serves customers cross-border, assume tax reporting convergence is becoming the norm — not a regional anomaly.

6) What does this mean for offline wallets like Ledger?

Self-custody is not banned by DAC8. But the compliance impact is real:

• If you withdraw from an exchange to a Ledger address, DAC8 reporting can capture that as a reportable transfer (with value and other standardized fields), because the destination address is not “hosted” by the same provider.
• Transactions entirely within self-custody are not automatically reported by the wallet, but they become visible again when you re-enter a reporting provider (deposit, convert to fiat, use a custodial service, etc.).

For users, the compliance message is simple: self-custody reduces counterparty risk, not tax obligations. The reporting perimeter is the on/off-ramp.

Actionable Insight

For exchanges / crypto platforms (2026 compliance checklist)

1. TIN & tax-residency capture: update onboarding flows, remediation journeys, and “two reminders → 60 days → restrict reportable transactions” logic.
2. Transaction classification & valuation: map events to DAC8/CARF categories; implement consistent fair market value methodology at transaction time.
3. Self-custody transfer reporting: ensure your system can tag and aggregate withdrawals to “unhosted” addresses per the Directive’s reporting fields.
4. Cross-border strategy: if you serve EU residents, plan for DAC8 registration/reporting and for “qualified non-union jurisdiction” equivalents where relevant.
5. Privacy/GDPR + audit trail: reporting is mandatory, but the data lifecycle must be defensible (minimization, access control, retention, breach playbooks).

For customers

• Expect platforms to request TIN / tax identifiers and residency details — and treat non-response as a service continuity risk (trading/withdrawal restrictions).
• Keep your own records; reporting increases mismatch detection. In the UK, platforms will report summaries to HMRC and penalties exist for inaccurate or late reporting by providers, raising the compliance bar across the ecosystem.

Call for Information

Are platforms using DAC8/CARF as a pretext for over-collection, selective freezes, or discriminatory de-risking? If you are a compliance insider, affected customer, or vendor with evidence of implementation gaps or abusive practices, send information securely via Whistle42.com (anonymity options available).