Perps at the EU Perimeter: When “Permissionless” Meets MiFID II


Perpetual futures (perps) on DEXs may be branded as “permissionless,” but in the EU they don’t live outside the law. When derivatives are offered to EU clients, they generally fall under MiFID II—licences, conduct rules, surveillance, the lot [2]. In our latest field test from Italy, we connected a wallet to Hyperliquid, accepted its terms, and reached Spot and Perps with no EU geo-gate, no residency question, and no KYC (see case study details below). Hyperliquid’s own Terms (26 Jan 2025) restrict the U.S., Ontario, and sanctioned regions—but not the EU [8]. That is not a theoretical nuance; it’s a live compliance risk given how EU regulators view crypto-derivatives [2][5].


Executive summary

  • Derivatives in the EU: Crypto perps are generally treated as MiFID II financial instruments when provided to EU clients; if a venue or its market makers address or onboard EU users, MiFID II investment-services authorisations (or an authorised distribution route) are expected [2].
  • MiCA vs. MiFID II: MiCA covers crypto-assets that are not financial instruments (e.g., many utility/program tokens that avoid backing/pegs/dividends) [1]. But derivatives on such tokens push the activity into MiFID II for the provider serving EU clients [2][4].
  • NCA posture: Multiple European regulators have stated that cash-settled crypto derivatives require authorisation, and have warned that reverse solicitation is narrow and not a backdoor into the EU [5][3].
  • Our Hyperliquid test: From an EU IP (Italy), we connected a wallet, signed “ApproveAgent,” saw the Deposit modal for Spot & Perps, and accepted the Terms—all without EU-specific controls; Hyperliquid’s Terms omit EU/EEA/UK from the “Restricted Persons” definition and shift legality to users [8]. This pattern elevates MiFID II exposure if EU clients are being admitted and serviced [2][5].

The legal split (plain English)

  • MiCA (token/program side): If a token avoids pegs, backing, and dividends, it can remain a crypto-asset other than ART/EMT; issuers/CASPs then fall under MiCA rather than MiFID II [1].
  • MiFID II (derivative side): A perpetual future (even on a crypto index) is typically a derivative and thus a financial instrument; firms serving EU clients must hold the relevant authorisations and meet conduct/market-abuse duties [2].

Interpretation: It’s not the “decentralised front-end” label that decides the perimeter; it’s the provision of an investment service to EU users [2].


What NCAs actually look for

  • Authorisation trigger: Are EU clients being addressed, onboarded, or serviced in derivatives? If yes, the activity is MiFID II in-scope [2][5].
  • Reverse solicitation (RS): RS is strict and narrow; any EU-facing promotion (ads, affiliates, influencers, local-language funnels) or a pattern of EU client business undermines it. Firms must keep evidence that each EU relationship was exclusively client-initiated [3].

Interpretation: “We don’t market to the EU” is not persuasive if EU users can seamlessly trade perps via the official interface [3].


Case study: Hyperliquid (as tested by FinTelegram)

Hyperliquid deposit page in FinTelegram compliance review

Observed behaviour from Italy (EU):

  • Wallet connect to app.hyperliquid.xyz with MetaMask → “ApproveAgent” signature (standard trading-agent approval).
  • Deposit modal for ETH showing Spot and Perps functionality available.
  • Terms acceptance signature → no residency question, no EU geo-gate, no KYC before perps features became accessible.
    (We have preserved screenshots and hashes on file.)

Terms highlights (26 Jan 2025):

  • §1.5 “Restricted Persons”: U.S., Ontario, and sanctioned jurisdictions only—no EU/EEA/UK restriction [8].
  • §1.6: Shifts responsibility to the user to ensure compliance with local leveraged/derivative rules [8].
  • §3.1.5: Bans circumvention (VPN/proxy), but this is a weak control where EU access is not explicitly restricted [8].
  • §5 Programs: Promotions could constitute solicitation if available to EU users [8][3].

Interpretation: For the EU perimeter, this combination—frictionless access to perps for EU users, no explicit EU exclusion in the Terms, and responsibility shifted to users—is exactly the pattern European supervisors scrutinise [2][3][5].


A tougher question for a market leader

Hyperliquid positions itself as a premier perps venue. With that status comes responsibility. Our test suggests EU users can reach perps without EU-specific controls, and the Terms omit EU/EEA/UK from the restricted list [8]. How is that compatible with the MiFID II framework that other players—centralised and decentralised—are now building toward [2][5]?

This posture is uncomfortably reminiscent of Binance’s early “grow first, fix later” era: global scaling with ambiguous perimeter controls, followed by a multi-year regulatory reckoning. The lesson from that period is clear: scale doesn’t outrun jurisdiction.


Compliance analysis (our view)

  • If a venue admits EU users to perps without EU authorisation (or a compliant EU distribution route), an NCA could deem this unauthorised investment services [2][5].
  • Hyperliquid’s Terms and our EU access test together heighten this risk [8].
  • Only a competent authority can determine a breach; however, the fact pattern is consistent with MiFID II-in-scope activity [2][5].

Enforcement vectors & user risk

  • Regulatory tools: warnings, domain measures, orders to block access, actions against EU-facing promotions; cross-border coordination via ESMA [3][5].
  • User impact: abrupt off-boarding, position restrictions, or loss of EU recourse (no MiFID II investor-protection regime) [2].
  • Market integrity: authorised venues run surveillance/halts; permissionless UIs rarely meet that standard [2].

Recommendations

For venues/market makers

  • Add EEA/UK to Restricted Persons; enforce IP geofencing, residency attestations, and KYC for derivatives modules [2][3].
  • Insert a Marketing & Solicitation clause: no perps solicitation in EEA/UK; restrict Programs by geography [3].
  • Keep logs and audits; implement an incident playbook for regulator queries.

For token issuers/projects

  • Keep the token and index/oracle MiCA-safe (no pegs/backing/dividends; methodology-first comms) [1].
  • License Index IP only to venues that geofence the EU or hold MiFID II/UK permissions; include audit & takedown rights [2][3].

For investigators/editors

  • Preserve screenshots/videos and hashes; archive Terms/Privacy/Programs and capture network logs.
  • Offer a right-to-reply (EU exclusion controls? reliance on EU permissions? RS records?) [3].

Conclusion

“Permissionless” is not permission-free in Europe. MiCA can cover your utility token if you avoid pegs, backing, and dividends [1]; the moment you provide EU clients with a perpetual future, you’re in MiFID II [2]. That moves obligations to the venue and its market makers: licensing, client protections, market integrity.

Our test shows that a market leader—Hyperliquid—appears to allow EU access to perps without EU-specific controls, while its Terms omit EU restrictions and push legality onto users [8]. That is not sustainable in a post-MiCA, MiFID-aware Europe. The industry has a choice: professionalise distribution or invite another Binance-style reckoning.


Sources & References

[1] Regulation (EU) 2023/1114 (MiCA) — Markets in Crypto-assets; establishes EU framework for crypto-assets that are not financial instruments and for tokens other than ART/EMT (scope/exclusions).
[2] Directive 2014/65/EU (MiFID II) — esp. Annex I, Section C on financial instruments (derivatives); triggers authorisation, conduct, and market-abuse regimes when provided to EU clients.
[3] ESMA — Final Report: Guidelines on Reverse Solicitation under MiCA (Dec 2024) — clarifies RS is strict and narrow; direct/indirect marketing into the EU defeats it; record-keeping expectations.
[4] ESMA — Final Report: Guidelines on conditions/criteria for the qualification of crypto-assets as financial instruments (Dec 2024) — “classification by substance”; if a token is a financial instrument, MiFID II applies, not MiCA.
[5] AMF (France), Analysis of the legal qualification of cryptocurrency derivatives (Mar 2018) — early NCA view that crypto-derivatives are financial instruments; authorisation/advertising limits apply.
[6] AMF — MiCA explainer (Nov 2024) — reiterates that crypto-assets qualifying as financial instruments are outside MiCA and within existing regimes (MiFID II).
[7] BaFin (Germany), MiCAR/MiFID materials (overview pages) — confirms case-by-case classification; tokens can be financial instruments under national/MiFID II rules.
[8] Hyperliquid — Terms of Use (Last updated 26 Jan 2025): §1.5 (Restricted Persons: US/Ontario/sanctioned—no EU); §1.6 (user responsible for local derivative laws); §3.1.5 (VPN/proxy ban); §5 (Programs).

Note: We have preserved the Hyperliquid Terms text provided to FinTelegram, plus screenshots and SHA-256 hashes from the Italy-based access test (on file).
