How to Build a DeFi or Web3 Project

Q: Does MiCA apply to my DeFi protocol?

MiCA applies unless the service is provided in a fully decentralised manner without any intermediary (Recital 22). The Joint EBA-ESMA Report under MiCA Article 142 confirms that very few DeFi systems achieve truly full decentralisation. ESMA assesses decentralisation case-by-case, looking for indicators of residual centralisation: admin or upgrade keys, fee accrual to a controlled treasury, an identifiable front-end operator, active EU marketing, governance-token concentration, treasury management by an identifiable foundation, and bridge or oracle dependencies. Partial decentralisation is not a safe harbour. A protocol relying on Recital 22 should document the position contemporaneously and update it as the protocol evolves.

What You Need to Build a DeFi or Web3 Project

A DeFi or Web3 project needs five interlocking components: a legal wrapper for the protocol or DAO, an operating entity for off-chain activities, a regulatory perimeter analysis under MiCA Recital 22 (and equivalent rules outside the EU), fiat on/off-ramp banking for treasury and operations, and an ongoing compliance stack covering smart-contract audits, sanctions screening, and DORA controls. The components are sequenced, not parallel.

In short: the most common failure pattern is treating the legal wrapper as a tax-optimisation choice and the regulatory perimeter as a Phase 2 question. Smart contracts ship, fee accrual begins, the protocol grows past the Recital 22 thresholds, and the founders discover that what was framed as a “fully decentralised” protocol is now a CASP-classified service in every European Economic Area member state where the front-end is accessible. Jagelski & Partners scopes the perimeter before the contracts are deployed, when the architectural choices that determine MiCA scope are still cheap to make.

The first decision is the legal wrapper for the protocol. DeFi protocols of meaningful scale operate behind a foundation: most commonly a Cayman Foundation Company under the Foundation Companies Act (2017, as revised), an ADGM DLT Foundation under the Distributed Ledger Technology Foundations Regulations 2023, or a Panama Private Interest Foundation under Law 25 of 12 June 1995. The wrapper holds the protocol treasury, contracts with developers and service providers, and provides a counterparty for grant programmes, exchanges and counterparties. A protocol without a wrapper is not a protocol; it is a group of individuals personally exposed to securities, tax, and anti-money-laundering liability in every jurisdiction where they reside.^[1]

The second decision is the operating entity for off-chain activities. The wrapper rarely employs developers, runs the website, signs SaaS contracts, or holds the fiat float. Those activities run through an operating entity, typically a service-provider company that contracts with the foundation. The operating entity is what the European regulator looks at when asking whether a CASP authorisation is required: it has identifiable management, marketing activity, fee accrual, and counterparty relationships that make it visible to the regulator.

The third decision is the regulatory perimeter under MiCA Recital 22. The Joint EBA-ESMA Report under Article 142 of MiCA (ESMA75-453128700-1391 / EBA/Rep/2025/01, published 13 January 2025) confirms that “very few DeFi systems achieve truly full decentralisation in the manner contemplated by Recital 22” and that the exemption must be assessed case-by-case.^[2] The factors that pull a service back inside MiCA include an identifiable front-end operator, admin or upgrade keys, fee accrual to a treasury controlled by a named party, active EU marketing, and governance-token concentration. Partial decentralisation is not a safe harbour. Recital 22 explicitly states that MiCA applies “when part of such activities or services is performed in a decentralised manner.”

The fourth decision is fiat on/off-ramp banking. Pure on-chain projects still need fiat for payroll, vendor payments, and the on/off-ramp itself. Banks routinely reject DeFi-adjacent counterparties: counterparty anonymity at the protocol layer, smart-contract operational risk, token-treasury volatility, and Travel Rule obligations under the Transfer of Funds Regulation (Regulation (EU) 2023/1113, applicable since 30 December 2024) all push primary clearing banks toward refusal. Under the TFR, originator and beneficiary information must accompany every CASP-to-CASP crypto transfer with no de minimis threshold; for transfers to or from self-hosted wallets above €1,000, the CASP must additionally verify the customer’s ownership or control of the wallet.^[3] The practical pathway combines an EU-licensed EMI for euro flows, a DLT-friendly bank in a digital-asset-aware jurisdiction for token-treasury custody, and a regulated trust company for stablecoin and bitcoin holdings.

The fifth component is ongoing compliance: smart-contract audits and continuous bug bounty, sanctions screening at the front-end and at the fiat on/off-ramp, transaction monitoring for any CASP-classified surface, DORA controls for ICT third-party risk under Regulation (EU) 2022/2554 (applicable since 17 January 2025), and Travel Rule compliance for any CASP-to-CASP transfer.^[4]

Infrastructure Checklist

Component	What It Involves	Typical Timeline
Legal wrapper (Foundation)	Holds protocol treasury, contracts with developers, provides legal counterparty for grants and exchanges	4 to 8 weeks
Operating entity	Employs developers, runs the front-end, contracts with vendors, holds the fiat float	1 to 4 weeks
Perimeter analysis	Determines whether MiCA, VARA, or other licensing applies; documents the Recital 22 position in writing	2 to 6 weeks (parallel to wrapper formation)
Fiat banking arrangement	SEPA and USD operating accounts, token-treasury custody, on/off-ramp	2 to 6 months
Smart-contract audit and bug bounty	Pre-launch security review; competitive audit; continuous bounty	4 to 12 weeks initial, then continuous
Compliance stack	KYC for the fiat on/off-ramp, sanctions screening, transaction monitoring, DORA, Travel Rule	4 to 8 weeks initial, then continuous

The components are not parallel. The legal wrapper and operating entity must exist before banking can be arranged, before audits can be contracted, and before any compliance vendor can be onboarded. Perimeter analysis must precede smart-contract deployment, because architectural choices (admin keys, fee accrual mechanics, upgradability) determine whether MiCA applies. Fiat banking is the longest-pole item in most builds: pre-qualification through the partner network typically begins in parallel with the wrapper formation, not after it.

Choosing the Right Jurisdiction

The jurisdiction choice determines the available legal wrapper, the regulatory perimeter, the tax treatment of the protocol treasury, the fiat banking options, and the credibility signal to exchanges, custodians and institutional counterparties. For DeFi and Web3 projects the choice is between offshore foundation jurisdictions (Cayman, UAE ADGM, Panama, Saint Kitts & Nevis), and EU MiCA jurisdictions (Cyprus, Czech Republic), each suited to a different protocol profile.

Jurisdiction Comparison

Factor	Cayman Islands	UAE (VARA + ADGM)	Panama	Cyprus	Czech Republic
Primary licence / wrapper	VASP Act 2020 registration or Phase 2 licence; Foundation Company for DAO wrapper	VARA VASP licence (8 categories); ADGM DLT Foundation for DAO wrapper	Private Interest Foundation (Law 25 of 1995); no VASP regime in force	MiCA CASP authorisation under CySEC	MiCA CASP authorisation under ČNB
Minimum capital	None statutory (business-plan adequacy)	VARA: AED 100k to 1.5m+ by activity≈ $27K–408K+; ADGM DLT Foundation: USD 50k initial asset value (Section 19)	USD 10,000 endowment	€50k / €125k / €150k (Article 67 MiCA)	€50k / €125k / €150k (Article 67 MiCA)
Application / state fee	Approx. USD 1,200 to 6,000	AED 40k to 100k + 50% per additional activity≈ $11K–27K	USD 300 government + Resident Agent	€10,000 (non-refundable)	Approx. CZK 50,000≈ $2K
Realistic timeline	3 to 9 months	6 to 12 months (two-stage VARA process)	2 to 4 weeks (Foundation only)	6 to 12 months	6 to 12 months
EU passporting	No	No	No	Yes	Yes
Corporate tax	0%	9% above AED 375k profit; 0% in qualifying free zones≈ $102K	Territorial: 0% on foreign-source income	15% (raised from 12.5% effective 1 January 2026); 8% flat on crypto-asset disposals	21%
Local presence	Registered office; CIMA-acceptable directors; Foundation Secretary required	Physical office in DWTC free zone or onshore; resident senior management	Resident Agent (Panamanian lawyer); no employee requirement	Cyprus office; majority EU-resident board; MLRO	Czech office; EU-resident management body; MLRO
Banking access	Difficult	Moderate	Moderate to Difficult	Moderate	Moderate

Choose the Cayman Islands if the project is a protocol with a treasury holding governance tokens or stablecoins, expects to be cited by name on third-party platforms, and wants the deepest pool of crypto-fluent professional service providers. The Cayman Foundation Company is the dominant DAO wrapper globally because it can become an “orphan” entity with no shareholders, supervised by individuals or service providers (not members), and used by major DeFi protocols including those of the Aave and Compound generations.^[5] The VASP Act 2020 Phase 2 licensing regime applies where the protocol’s front-end is custodial or operates a trading platform. Cayman is the default for protocols planning institutional integrations; it is not the right base for projects seeking active EU retail distribution. See the full crypto licensing hub.

Choose the United Arab Emirates if the project wants a credible regulated home with onshore market access, MENA institutional flow, and the ability to issue tokens or run a custodial front-end under a recognised framework. The UAE offers three relevant building blocks:

VARA licensing: an eight-category model covers advisory, broker-dealer, custody, exchange, lending, management, transfer and VA issuance, with application fees from AED 40,000 to AED 100,000 per activity and annual supervision fees of AED 80,000 to AED 200,000 per activity.^[6]
ADGM DLT Foundations: the 2023 Regulations are the only foundation regime in the world purpose-built for DLT use and DAO governance, requiring minimum initial asset value of USD 50,000 payable in fiat (Section 19), a council of two to sixteen members, and a written charter governing token issuance and treasury rules.^[7]
Tax and enforcement: UAE corporate income tax is 9% above AED 375,000 of taxable profit, with 0% in qualifying free zones. VARA enforcement has intensified: on 7 October 2025, VARA penalised 19 firms for unlicensed virtual-asset activity, with fines ranging from AED 100,000 to AED 600,000.^[8]

See the crypto licensing hub.

Choose Panama if the project wants a low-cost, low-friction wrapper for the protocol treasury, territorial tax treatment, and no Phase 2 licensing overlay. The Panama Private Interest Foundation under Law 25 of 1995 is among the lowest-friction DAO wrappers globally: USD 10,000 endowment minimum, USD 300 annual government fee, Foundation Council of at least three members, and full asset separation from the founder under Article 11.^[9] Panama was removed from the FATF grey list on 27 October 2023 and from the EU AML high-risk list on 14 March 2024; the Commission’s subsequent Delegated Regulation on the AML high-risk-third-countries list reinforced its exit.^[10] Panama is appropriate for treasury and holding structures, not for protocols that need a regulated licence on the front-end.

Choose Cyprus if the project plans an EU front-end with active marketing into EEA users, intends to operate as a regulated CASP, and wants a Pillar Two-aligned 15% corporate income tax base with deep professional-services infrastructure. CySEC’s CASP authorisation under MiCA carries the standard tiered capital requirements set by Article 67 and Annex IV: €50,000 for Class 1 (advisory, reception and transmission, order execution, placing, transfer services, portfolio management), €125,000 for Class 2 (custody and administration of crypto-assets, and exchange of crypto-assets for funds and for other crypto-assets), and €150,000 for Class 3 (operation of a trading platform). Where an authorisation spans multiple classes, the highest applicable threshold applies; Article 67(3) further requires CASPs to hold the higher of the statutory minimum or one quarter of the preceding year’s fixed overheads.^[12]

Capital must be held in qualifying own-funds instruments; a treasury position in BTC or stablecoins does not satisfy the regulatory minimum. CySEC has set a 27 February 2026 deadline for legacy CASPs to file MiCA applications, with the EU-wide transitional period ending 1 July 2026. See the full Cyprus crypto licensing guide.

Choose the Czech Republic if the project wants an EU MiCA CASP authorisation with a more efficient regulator interface than the larger member states. The Czech National Bank (ČNB) supervises CASPs under MiCA, with the local AML Act 2024 implementing transposition. Czech Republic offers a 21% corporate tax rate and EU passporting under a single CASP authorisation. The Czech Republic is appropriate for projects that want EU regulatory status without the supervisory backlog visible in Germany, the Netherlands and other tier-1 EU member states.^[13] See the crypto licensing hub.

Recital 22 enforcement risk. As of May 2026, no DeFi protocol has formally tested the “fully decentralised” exemption against an EU regulator’s enforcement file. ESMA’s stated position is that the exemption is narrow and applied case-by-case (Joint EBA-ESMA Report, January 2025).^[2] Founders relying on Recital 22 should document the position contemporaneously with smart-contract deployment, including governance-token distribution, admin-key controls, fee-accrual mechanics, and front-end ownership. A protocol that grows past de facto centralisation thresholds without updating its position paper is exposed to retroactive CASP-scope determination by the home NCA of any EU jurisdiction where the front-end is accessible.

Setting Up Your Company

Company formation is the first operational step for a DeFi or Web3 project, because the foundation wrapper, the operating entity, the fiat banking application, and the smart-contract audit engagement all require a registered legal person. The most common formation mistake is incorporating the operating entity in the wrong jurisdiction (typically a US LLC or a UK Ltd held personally by the founders), then restructuring once it becomes clear the entity cannot host the protocol treasury or contract with regulated counterparties. The cost is 2 to 4 months and €40,000 to €100,000 in restructuring fees.

In short: the wrapper jurisdiction and the operating-entity jurisdiction do not have to match. A Cayman Foundation Company can hold the protocol treasury while a Czech Republic CASP operates the front-end. The two entities are linked by a service agreement that defines what the operating entity does on behalf of the foundation, and what the foundation pays the operating entity. The first conversation with company formation sets that architecture; restructuring it later is the expensive option.

Formation by Jurisdiction

Jurisdiction	Entity Type	Formation Cost	Timeline	Minimum Capital
Cayman Islands	Foundation Company; Exempted Company for operating entity	USD 15,000 to USD 35,000 (Foundation); USD 6,000 to USD 10,000 (Exempted Company)	Foundation: 4 to 8 weeks; Exempted Company: 2 to 4 weeks	None statutory
United Arab Emirates	ADGM DLT Foundation; ADGM private company limited by shares; or DIFC LLC for operating entity	USD 25,000 to USD 60,000 (DLT Foundation, incl. CSP retainer); USD 12,000 to USD 25,000 (LLC)	DLT Foundation: 8 to 14 weeks; LLC: 4 to 8 weeks	USD 50,000 initial asset value (DLT Foundation, Section 19)
Panama	Private Interest Foundation (Law 25 of 1995); Sociedad Anónima for operating entity	USD 2,500 to USD 5,000 (Foundation) plus USD 300 annual; USD 1,500 to USD 3,000 (SA)	2 to 4 weeks	USD 10,000 endowment (Foundation)
Saint Kitts & Nevis	Nevis Business Corporation (BC) or International Business Company (IBC); for VASP applications, a locally-domiciled entity	USD 3,500 to USD 7,500	1 to 2 weeks	None statutory
Cyprus	Private limited company	€4,500 to €8,000	2 to 4 weeks	€1,000 share capital; €50k to €150k CASP own-funds at authorisation
Czech Republic	Společnost s ručením omezeným (s.r.o.)	€3,500 to €6,500	2 to 4 weeks	CZK 1 minimum share capital; €50k to €150k CASP own-funds at authorisation

The two-entity structure (foundation plus operating entity) is the working architecture for most protocols of meaningful scale. The foundation holds the treasury and the protocol-level intellectual property; the operating entity employs developers, runs the website and front-end, and contracts with third parties. The service agreement between the two is the document the regulator opens an information request on when assessing whether the protocol is “fully decentralised” or whether the operating entity is a CASP. The drafting of that agreement is a regulatory exercise, not a corporate one. What MiCA does not assess at the protocol layer it assesses at the operating-entity layer: the foundation’s legal-form choice (Cayman Foundation Company, ADGM DLT Foundation, Panama Private Interest Foundation) does not, by itself, resolve the CASP-of-record question, which turns on which entity controls the upgrade keys, accrues the protocol fees, and operates the front-end accessible to EEA users.

Licensing Requirements

A DeFi or Web3 project needs one of three positions, supported by contemporaneous documentation: a “fully decentralised” position under MiCA Recital 22 with no licensing requirement; a CASP authorisation under MiCA in the EU; or a VARA, CIMA, or other equivalent licence outside the EU. The MiCA CASP capital floor under Article 67 + Annex IV is €50,000 for Class 1 (advisory, reception and transmission, order execution, placing, transfer services, portfolio management), €125,000 for Class 2 (custody and administration, and exchange of crypto-assets for funds and for other crypto-assets), and €150,000 for Class 3 (operation of a trading platform).^[12]

MiCA scope and the Recital 22 carve-out

Recital 22 of Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) states that “where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation.” Two operative points govern its application. First, Recital 22 is non-binding as a preamble; the operative articles contain no definition of “fully decentralised.” Second, ESMA has stated that the exemption “remains uncertain” and must be applied case-by-case (ESMA Second Consultation Package, paragraph 108).^[2]

The Joint EBA-ESMA Report on DeFi (published 13 January 2025) identifies seven indicators of residual centralisation that pull a service back inside MiCA:^[2]

Existence of admin or upgrade keys.
Fee accrual to a treasury controlled by a named party.
An identifiable front-end or UI operator.
Active EU marketing.
Governance-token concentration in a small number of wallets.
Treasury management by an identifiable foundation.
Bridge or oracle dependencies that introduce intermediaries.

Partial decentralisation is not a safe harbour: Recital 22 itself states that MiCA applies “when part of such activities or services is performed in a decentralised manner.” DeFi represents approximately 4% of global crypto-asset market value, with European Economic Area users representing above-average adoption. The common mistake is treating Recital 22 as a binary qualifier rather than an evidentiary file: a protocol with an upgradable multisig, a foundation-controlled treasury, and a named front-end operator fails the “fully decentralised” test on the EBA-ESMA factor analysis even where the smart contracts themselves are non-custodial, and the home NCA can determine the front-end is the operative CASP regardless of how the protocol layer is governed.

CASP triggers for front-ends and DAOs

The CASP activities most likely to apply to a DeFi or Web3 front-end are operation of a trading platform for crypto-assets (where the front-end matches third-party orders), exchange of crypto-assets for funds or for other crypto-assets (where the operator facilitates swaps), custody and administration of crypto-assets (where the front-end controls smart-contract vaults), and transfer services (relevant to bridge front-ends). A non-custodial smart contract that the operator cannot upgrade is the strongest defence against CASP scope; an upgradable contract controlled by a multisig with named signers pulls the operator into scope.

Token issuance under MiCA Title II

For tokens that are neither asset-referenced tokens (Title III) nor e-money tokens (Title IV), MiCA Title II applies. The issuer must draft a white paper meeting Annex I requirements, notify the home national competent authority at least 20 working days before publication, ensure marketing communications are consistent with the white paper, and act honestly, fairly and professionally (Article 14). The iXBRL machine-readable formatting requirement entered into application on 23 December 2025, with the ESMA XBRL taxonomy published on 5 August 2025.^[14] Most DeFi governance tokens fall under Title II.

Non-EU licensing pathways

VARA (Dubai): eight activity-specific licences under the Virtual Assets and Related Activities Regulations 2023, supported by 2024 to 2025 Rulebooks. Application fees are AED 40,000 for Advisory, VA Issuance, and VA Transfer and Settlement Services, and AED 100,000 for Broker-Dealer, Custody, Exchange, Lending and Borrowing, and VA Management and Investment Services. Annual supervision fees per activity are AED 80,000 for Advisory and VA Transfer and Settlement Services, and AED 200,000 for Broker-Dealer, Custody, Exchange, Lending and Borrowing, and VA Management and Investment Services, payable per activity per year in advance. Multi-activity applications attract a Licence Extension Fee of 50% of the lower of the two application fees. The licensing process is two-stage: an Initial Disclosure Questionnaire leading to an Approval to Incorporate, followed by the full VASP application leading to a licence. Typical end-to-end timeline is 6 to 12 months.^[6]

Cayman Islands VASP Act 2020: Phase 1 registration applies to AML and cybersecurity for any virtual asset service provided to the public. Phase 2 licensing for trading platforms and custodians commenced incrementally from 2024. Following the February to April 2024 Ministry of Financial Services consultation, the Virtual Asset (Service Providers) (Amendment) Act 2024 broadened the “Owner/Operator” definition to capture trading platforms and DAOs without an identifiable managing group.^[15] Private sales (per the Virtual Asset (Service Providers) Regulations 2020, “not advertised and made available to a limited number of persons or entities”) fall outside the Act, as do gratuitous airdrops. No statutory capital floor: adequacy is assessed against the business plan.

ADGM DLT Foundations Regulations 2023: the wrapper-only regime. Minimum initial asset value USD 50,000 payable in fiat (Section 19), paid up within six months of incorporation; Foundation Council of at least 2 and at most 16 councillors; mandatory Charter setting out objects, token-issuance rules, and asset rules; optional Guardian role overseeing Council compliance with the Charter; annual audited accounts published on the foundation’s website; periodic security audits of data-protection and IT systems shared with the Registrar; Company Service Provider engagement mandatory unless granted “exempt foundation” status.^[7]

Saint Kitts & Nevis Virtual Asset Act 2020 (as amended by Act 9 of 2024): VASP registration with the Financial Services Regulatory Commission (Nevis division). The 2024 amendment aligns the Act with FATF Recommendation 15 standards.^[11] Capital and fees are prescribed by subsidiary SRO.

Saint Lucia Virtual Asset Business Act, No. 24 of 2022: assented 15 December 2022; commenced 28 December 2022. The FSRA issued its General Circular on VASPs on 4 August 2025, confirming that the FSRA is the supervisory authority.^[18] The Act requires a licensee to place in escrow assets equivalent to a minimum of 15% of the total value of client funds held (section 12(1)). Application and licence fees are not yet prescribed by subsidiary legislation as of May 2026.

DORA application to MiCA CASPs

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies to MiCA CASPs from 17 January 2025. Obligations include a comprehensive ICT risk management framework, classification and reporting of major ICT incidents within hours, resilience testing including threat-led penetration testing every three years for significant entities, an ICT third-party risk register (first submission 30 April 2025), and contracts with ICT providers including audit rights, exit strategies and subcontracting controls (Commission Delegated Regulation (EU) 2025/532 on subcontracting of ICT services supporting critical or important functions, in force 22 July 2025). On 18 November 2025, the European Supervisory Authorities designated 19 critical ICT third-party providers, including AWS, Microsoft Azure, Google Cloud, Oracle, SAP and Deutsche Telekom.^[4] Penalties reach 2% of annual worldwide turnover for financial entities; critical ICT third-party providers additionally face daily periodic penalty payments of up to 1% of average daily worldwide turnover under Article 35(6).

The eighth update to the Directive on Administrative Cooperation, Directive (EU) 2023/2226 (DAC8), has applied since 1 January 2026.^[19] DAC8 imposes automatic exchange of crypto-asset transaction data on reporting crypto-asset service providers (RCASPs) that provide services to EU-resident users, irrespective of where the RCASP is established. A non-EU operator with EU customers is captured; full decentralisation under MiCA Recital 22 does not by itself displace DAC8 reach where an identifiable operator, front-end, or treasury counterparty exists. The first reporting cycle covers calendar-year 2026 transactions, filed by 31 January 2027 to the competent authority of the RCASP’s nexus Member State. Penalty exposure is set by each Member State within the harmonised band of Article 25a of Directive 2011/16/EU; in practice, national transpositions cluster at €20,000 to €150,000 per breach with daily continuance fines.

See the full Cyprus CASP authorisation guide and the crypto licensing hub.

Banking

Fiat banking is the single most underestimated component of a DeFi or Web3 build. Primary clearing banks routinely reject DeFi-adjacent counterparties, and the rejection rates do not fall meaningfully even when the project has a foundation wrapper, a published audit, and a clear regulatory position. The practical reality, as of May 2026, is that fiat on/off-ramp banking is a multi-institution exercise: an EU-licensed EMI for operational euro flows, a DLT-friendly bank in a digital-asset-aware jurisdiction for token-treasury custody, and where applicable a regulated US trust company for stablecoin and bitcoin holdings.

Most banks decline DeFi mandates for five reasons:

Counterparty anonymity: DeFi end-users are typically unidentifiable to the protocol, so the bank cannot perform meaningful Source-of-Wealth or Source-of-Funds analysis on the protocol’s effective customers.
Smart-contract operational risk: an exploit creates liability exposure for any bank funding operations or holding treasury.
Token-treasury volatility: protocol treasuries denominated in native governance tokens can swing 70% within a quarter, complicating creditworthiness.
Travel Rule exposure: Regulation (EU) 2023/1113, applicable since 30 December 2024, makes banks accountable for the originator and beneficiary information their CASP-classified counterparties send and receive.^[3]
DORA third-party risk: banks treat any DeFi-adjacent counterparty integrating via APIs as an ICT-risk node.

In practice, the foundation wrapper alone does not unlock banking; what the credit committee underwrites is the operating entity’s ability to evidence its KYC posture toward the front-end users, the upgrade-key custody arrangements over the smart contracts, and the oracle and bridge dependencies that route value through identifiable intermediaries, because those are the points where the bank inherits residual AML and operational liability.

The practical universe of accepting institutions divides into four archetypes. The first is an EU-licensed Electronic Money Institution with a documented digital-asset onboarding policy, used for SEPA in/out, payroll, and vendor payments; typically a tier-two EMI in a digital-asset-aware jurisdiction with a crypto-fluent compliance team. The second is a DLT-licensed bank in a small EU jurisdiction (the DLT Act in Liechtenstein and its peers), used for DAO treasury custody and stablecoin operational balances. The third is a regulated US trust company operating under New York or Wyoming supervision, used for institutional bitcoin and stablecoin holdings with monthly attestation. The fourth is a UAE onshore commercial bank with a non-objection to hold accounts for a VARA-licensed VASP.

In short: Jagelski & Partners pre-qualifies fiat banking across the partner network before the entity files for authorisation, because the pre-qualification letter from a candidate operational bank is one of the documents the regulator opens an information request on once the CASP application lands. The partner network placed fourteen billion euros in client turnover across 90+ institutions in 2025. See the full banking overview and the crypto and fiat settlement guide covering on/off-ramp architecture.

Ongoing Compliance

Compliance is a permanent operating expense, not a one-time licensing cost. For a Class 3 MiCA CASP-classified DeFi front-end, the annual run-rate is typically €500,000 to €1.2 million, plus the €150,000 own-funds floor; for a registration-only Cayman or Saint Kitts & Nevis VASP, the annual run-rate is closer to USD 150,000 to USD 400,000.

The five permanent obligations for any CASP-classified surface are anti-money-laundering controls and Travel Rule compliance under the Transfer of Funds Regulation; transaction monitoring and sanctions screening at the front-end (with vendor pricing from approximately USD 25,000 to USD 80,000 per annum); DORA controls including the ICT third-party risk register, incident classification and reporting, and threat-led penetration testing for significant entities; smart-contract audit cadence (initial pre-launch audit plus every material upgrade plus competitive audit plus continuous bug bounty); and external audit of the financial statements and ICT controls.

Smart-contract audit cost ranges as of 2025 to 2026 break down by complexity:

Simple module: an ERC-20 or staking contract costs USD 8,000 to USD 50,000.
Moderate DeFi primitive: lending, AMM or governance protocols cost USD 50,000 to USD 150,000.
Complex protocol: a new L1/L2 chain costs USD 150,000 to USD 600,000 or more for formal verification.

Top-tier engineer rates are approximately USD 25,000 per engineer-week at Trail of Bits and OpenZeppelin (Arbitrum Research and Development Committee proposals, 2024 to 2025), with retainer-model engagements common at protocols with treasury size above USD 100 million.^[16] Industry best practice for protocols with TVL above USD 100 million is two independent audits, a competitive contest on a platform such as Code4rena or Sherlock, and a continuous bug bounty on Immunefi (which had paid USD 100.21 million across more than 3,000 bug-bounty reports as of September 2024, with 77.5% going to smart-contract vulnerabilities; the single largest payout was USD 10 million for a Wormhole cross-chain bridge vulnerability).^[17]

The real constraint is not the pre-launch audit budget, which is finite, but the obligation to re-audit on every material upgrade plus the continuous bug-bounty programme; protocols that treat the first audit as a one-time spend rather than as the opening cost of a permanent security operating line typically discover the gap at the point of an upgrade-driven incident, where the marginal cost of remediation runs five to ten times the recurring audit cadence they declined to fund.

Upcoming regulatory milestones within 12 months: the MiCA legacy-VASP transitional period ends 1 July 2026; the European Commission is expected to publish its mid-2026 assessment under MiCA Article 142, potentially leading to dedicated DeFi legislation; and CySEC’s filing deadline for legacy CASPs is 27 February 2026.

Realistic Timeline and Costs

End-to-end timeline from initial scoping to operational front-end is typically 6 to 12 months for an offshore registration build, and 9 to 18 months for an EU MiCA CASP build. Technology development (smart-contract audits, front-end, infrastructure) runs in parallel with the licensing file; banking onboarding is the critical-path item in most schedules.

Cost Breakdown by Phase

Phase	Timeline	Cost Range	Notes
Wrapper & Operating Entity Setup	4 to 12 weeks	EUR 15,000 to EUR 70,000	Cayman Foundation + Exempted Company: USD 25k to 50k; ADGM DLT Foundation + LLC: USD 40k to 85k; Panama Foundation + SA: USD 5k to 10k; Cyprus or Czech s.r.o. + holding structure: EUR 10k to 20k
Licensing & Perimeter Analysis	3 to 12 months	EUR 25,000 to EUR 250,000	Recital 22 position paper: EUR 15k to 35k; VASP registration (Cayman, SKN, Panama): USD 25k to 75k; MiCA CASP file (Cyprus, Czech): EUR 80k to 250k including capital
Fiat Banking & Treasury	2 to 6 months	EUR 5,000 to EUR 40,000	Account opening fees, KYC documentation, multi-institution pre-qualification; substantial founder time investment not reflected in fee figures
Smart-Contract Audits & Launch Tech	6 to 16 weeks	USD 30,000 to USD 600,000+	Simple ERC-20 / vesting: USD 8k to 20k; moderate DeFi (lending, AMM): USD 50k to 150k; complex multi-chain or new L1: USD 150k to 600k; competitive audit + bug bounty add 20% to 40%
Total: Year 1	6 to 18 months	EUR 75,000 to EUR 850,000+	Ongoing compliance from year 2: EUR 500k to 1.2m annual for Class 3 MiCA CASP; USD 150k to 400k annual for offshore VASP registration

As of May 2026, figures above include professional fees, government fees, audit fees, and minimum regulatory capital where applicable. They do not include founder salaries, marketing spend, the protocol token-distribution event, or post-launch security incident response. Currency convention: EUR for EU phases; USD for non-EU phases; AED where VARA-specific; figures are converted at the prevailing rate where required for comparability.

Frequently Asked Questions

Costs & Timeline

Jagelski & Partners scopes builds in the range of EUR 75,000 to EUR 850,000 for year 1, covering wrapper and operating-entity formation, regulatory perimeter analysis or CASP licensing, fiat banking onboarding, and smart-contract audits. The low end represents a Panama or Cayman wrapper with a simple ERC-20 audit and EMI-only banking; the high end represents an EU MiCA Class 3 CASP authorisation with multi-chain audits and competitive audit contests. Ongoing compliance from year 2 is EUR 500,000 to EUR 1.2 million annually for a regulated CASP, or USD 150,000 to USD 400,000 for an offshore VASP registration. The cost of getting the structure wrong (typically discovered 9 to 12 months into the build) is restructuring fees of EUR 40,000 to EUR 100,000 plus 2 to 4 months delay.

Operational readiness in 6 to 12 months for an offshore registration build (Cayman, Panama, Saint Kitts & Nevis), and 9 to 18 months for an EU MiCA CASP build (Cyprus, Czech Republic). Smart-contract audits run in parallel with the regulatory file. The critical-path item is fiat banking onboarding, which typically takes 2 to 6 months and runs in parallel with both formation and audit work. Jagelski & Partners’ partner network pre-qualifies banking before the licensing file is filed, because the operational-bank pre-qualification letter is a document the regulator opens an information request on once the application lands.

Licensing

It depends on the architecture and the marketing perimeter. A fully decentralised protocol with no identifiable operator, no admin keys, no fee accrual to a controlled treasury, and no active EU marketing may rely on Recital 22 of Markets in Crypto-Assets Regulation and operate without a licence. Most protocols of meaningful scale do not satisfy that standard. Where a front-end is operated, a treasury is controlled by a foundation, or fees accrue to a named party, a CASP authorisation is typically required (€50,000 to €150,000 minimum capital depending on activity class). Outside the EU, the equivalent is a VARA licence (UAE), a Cayman VASP registration or Phase 2 licence, or a Saint Kitts & Nevis VASP registration. The first deliverable on any DeFi or Web3 build is a written perimeter analysis, not a smart contract.

MiCA applies unless the service is provided “in a fully decentralised manner without any intermediary” (Recital 22). The Joint EBA-ESMA Report under MiCA Article 142 confirms that “very few DeFi systems achieve truly full decentralisation.” ESMA assesses decentralisation case-by-case, looking for indicators of residual centralisation: admin or upgrade keys, fee accrual to a controlled treasury, an identifiable front-end operator, active EU marketing, governance-token concentration, treasury management by an identifiable foundation, and bridge or oracle dependencies. Partial decentralisation is not a safe harbour. A protocol relying on Recital 22 should document the position contemporaneously and update it as the protocol evolves.

A DAO needs a CASP authorisation when the protocol or its front-end provides one of the ten CASP activities listed in Article 3(1)(16) of MiCA. The most common triggers are operation of a trading platform (where the front-end matches third-party orders), exchange of crypto-assets for funds or for other crypto-assets (where the operator facilitates swaps), custody of crypto-assets (where the front-end controls smart-contract vaults), and transfer services (for bridge front-ends). A DAO that operates a front-end with admin keys, a fee mechanism, and active EU marketing will typically need a CASP authorisation regardless of whether the smart contract itself is non-custodial. A DAO that issues only a governance token and operates no front-end may avoid CASP scope but still falls under MiCA Title II for the token issuance.

Domicile & Banking

The six eligible jurisdictions Jagelski & Partners covers for DeFi and Web3 builds are Cayman Islands (Foundation Company plus optional VASP), UAE (VARA licence plus ADGM DLT Foundation wrapper), Panama (Private Interest Foundation), Saint Kitts & Nevis (VASP registration), Cyprus (MiCA CASP), and Czech Republic (MiCA CASP). Cayman remains the dominant DAO wrapper jurisdiction for protocols with institutional integrations; the UAE is the strongest fit where MENA market access and onshore presence matter; Panama is appropriate for treasury-only structures; Cyprus and Czech Republic are the routes for EU passporting. Other commonly-cited jurisdictions (Switzerland, BVI, Marshall Islands, Wyoming, Liechtenstein) are not covered by Jagelski’s partner network; we will reference them as comparators where relevant but cannot deliver direct service in those jurisdictions.

There is no single best jurisdiction; the choice depends on the protocol’s distribution profile, treasury size, marketing perimeter, and institutional integrations. For a protocol with a treasury above USD 50 million and institutional integrations, Cayman Foundation Company plus an EU operating entity (Cyprus or Czech Republic CASP) is the default. For a UAE-domiciled team targeting MENA flow, ADGM DLT Foundation plus a VARA-licensed operating entity is the working architecture. For a small protocol with treasury-only operations, Panama Foundation alone may be sufficient. Jagelski & Partners scopes the jurisdictional fit in the first conversation, before any incorporation is filed.

Fiat banking for a DeFi or Web3 project is a multi-institution exercise, not a single-bank application. The practical architecture combines an EU-licensed Electronic Money Institution for operational euro flows, a DLT-friendly bank in a digital-asset-aware jurisdiction for token-treasury custody, and where applicable a regulated US trust company for stablecoin and bitcoin holdings. Primary clearing banks reject DeFi-adjacent counterparties at the first application in most cases; the path through is pre-qualification across multiple institutions before any formal application is filed. Jagelski & Partners pre-qualifies banking through the partner network covering 90+ institutions before the regulatory file lands, because the operational-bank pre-qualification letter is one of the documents the regulator opens an information request on.

Start Your DeFi or Web3 Assessment

Book a strategy call. Jagelski & Partners scopes the legal wrapper, regulatory perimeter, fiat banking arrangement, and compliance stack for DeFi and Web3 projects across six jurisdictions, with operational readiness in 6 to 12 months.

Book a DeFi or Web3 Assessment →

Initial consultations are free · Response within 24 hours

References

Show all references

Stuarts Humphries, Cayman Structures for Crypto, Web3 and Blockchain Entities, stuartslaw.com, accessed 15 May 2026.
European Securities and Markets Authority, Joint EBA-ESMA Report on Recent Developments in Crypto-Assets (Article 142 MiCAR), ESMA75-453128700-1391 / EBA/Rep/2025/01, esma.europa.eu, 13 January 2025.
European Banking Authority, Travel Rule Guidelines (EBA/GL/2024/11), eba.europa.eu, 4 July 2024.
Pillsbury Winthrop Shaw Pittman, DORA Now Fully in Effect, pillsburylaw.com, accessed 15 May 2026.
Bolder Group, Why a Cayman Foundation is the Premier Legal Wrapper for Your DAO, boldergroup.com, accessed 15 May 2026.
Virtual Assets Regulatory Authority (VARA), Schedule 2: Supervision and Authorisation Fees, vara.ae, accessed 15 May 2026.
Abu Dhabi Global Market, DLT Foundations Regime Announcement, adgm.com, 2 November 2023.
Virtual Assets Regulatory Authority (VARA), Enforcement Notice: 19 Unlicensed Firms Penalised, vara.ae, 7 October 2025.
Government of Panama, Law 25 of 12 June 1995 on Private Interest Foundations, bcca.com.pa, accessed 15 May 2026.
PR Newswire, Panama Officially Removed from FATF Grey List, prnewswire.com, 27 October 2023.
Saint Christopher and Nevis Law Commission, Virtual Asset (Amendment) Act, No. 9 of 2024, lawcommission.gov.kn, gazetted 20 June 2024.
ComplyFactor, CySEC CASP Capital Requirements, complyfactor.com, accessed 15 May 2026.
Zampa Partners, One Year of MiCA: The Evolving Landscape of EU Crypto-Asset Regulation, zampapartners.com, December 2025.
European Securities and Markets Authority, MiCA: Markets in Crypto-Assets Regulation, esma.europa.eu, accessed 15 May 2026.
XReg Consulting, Navigating Cayman’s VASP Act Amendments, xreg.consulting, accessed 15 May 2026.
7BlockLabs, 2026 Smart Contract Audit Costs Benchmarks, 7blocklabs.com, accessed 15 May 2026.
Immunefi, Press and Bounty Statistics, immunefi.com, accessed 15 May 2026.
Financial Services Regulatory Authority (Saint Lucia), General Circular: Notice on VASPs, fsrastlucia.org, 4 August 2025.
Council of the European Union, Council Directive (EU) 2023/2226 of 17 October 2023 amending Directive 2011/16/EU on administrative cooperation in the field of taxation (DAC8), OJ L of 24 October 2023, application date 1 January 2026, eur-lex.europa.eu, accessed 19 May 2026.

How to Build a DeFi or Web3 Project: Licensing, Banking & Infrastructure