eWpG — Gesetz über elektronische Wertpapiere (Electronic Securities Act, effective 2021-06-10) — allows issuance of securities without physical document, including Kryptowertpapiere registered on DLT/blockchain
statute · Bundestag · 2021-06-03 · 0/2 anchored
Licensing · In force
Scope: This law enables the issuance of securities in electronic form, including crypto securities (Kryptowertpapiere) registered on a DLT. It establishes the legal framework for creating and transferring these dematerialized assets.
Gap or ambiguity: The act delegates specific technical and operational requirements for crypto securities registers to subsequent ordinances (§ 23). This creates an opportunity for certifiers to define best practices for register integrity and security.

German Penal Code
statute · Bundestag · 1871-05-15

Treaty between the Federal Republic of Germany and the German Democratic Republic on the Establishment of German Unity
guidance · — · 1990-08-31

KryptoFAV — Kryptowertpapierregisterführungsverordnung — regulates crypto-securities register maintenance: technical, organizational and governance requirements
regulation · BMF · 2022-06-17 · 0/2 anchored
Licensing · In force
Scope: This ordinance regulates crypto fund units and the entities responsible for maintaining the register for them. It specifies which legal provisions are applicable.
Gap or ambiguity: The provided text is only a table of contents. The substantive articles of the regulation are missing, making it impossible to assess specific requirements or ambiguities.

Regulation on the Specification of Notification Requirements for the Disclosure of Inside Information under Section 36 of the Crypto Markets Supervision Act (Crypto Market Disclosure Regulation - KMMV)
regulation · BaFin · 2025-08-25 · 1/2 anchored
Licensing · Implementing
Scope: This regulation specifies the content, format, and transmission method for notifications to BaFin regarding the disclosure of inside information for crypto-assets. It also covers notifications for delaying such disclosures.
Gap or ambiguity: The regulation requires notifications be sent via an electronic channel to be announced on BaFin's website. The specific technical standards and protocols for this reporting system are not yet defined.
Evidence (1) — verbatim quotes from the source
Status
“This Regulation shall enter into force on the day following its promulgation.”

BDSG — Bundesdatenschutzgesetz (German Federal Data Protection Act) — domestic GDPR complement; governs personal data in KYC/onboarding
statute · Bundestag · 2017-06-30 · 1/6 anchored
In force
Scope: This is Germany's Federal Data Protection Act, which complements the GDPR. It governs the processing of personal data, impacting crypto services during KYC and client onboarding.
Gap or ambiguity: The act mandates general principles like 'data protection by design' (§ 71) but lacks specific technical standards for crypto systems. This allows certifiers to define and audit best practices for privacy on blockchain.
Due Diligence · Independent Certification · Regulatory Compliance Support · SkyInsights — AML / KYT
Evidence (1) — verbatim quotes from the source
Status
“Bundesdatenschutzgesetz”

EU Digital Operational Resilience Act (DORA) 2022/2554 — ICT risk management, third-party governance and incident reporting for financial entities including CASPs
regulation · European Parliament & Council · 2022-12-14 · 0/5 anchored
Implementing
Scope: This regulation establishes a comprehensive framework for digital operational resilience in the EU financial sector. It sets harmonized rules for ICT risk management, incident reporting, resilience testing, and managing ICT third-party risk.
Gap or ambiguity: The regulation relies heavily on future Regulatory Technical Standards (RTS) from the ESAs to specify key details, such as incident reporting thresholds and testing methodologies. This creates an opportunity for certifiers to help firms implement the high-level principles ahead of the final detailed rules.
Incident Response · L1 Chain Audit · Penetration Testing · Security Guidance · Skynet — Threat Monitoring · Smart Contract Audit

Trade Tax Act
statute · Bundestag · 2002-10-15
Scope: The provided text is metadata for the German Trade Tax Act of 2002 and does not contain substantive regulatory details.

EU DAC8 Directive 2023/2226 — implements OECD CARF in EU; automatic exchange of crypto-asset tax information
regulation · Council of the EU · 2023-10-17 · 3/3 anchored
Registration · Implementing
Scope: This directive establishes a framework for the mandatory automatic exchange of tax-relevant information on crypto-assets among EU Member States. It requires crypto-asset service providers to perform due diligence on users and report their transaction data to national tax authorities.
Gap or ambiguity: The directive requires providers to determine on a case-by-case basis if a crypto-asset is reportable, creating ambiguity for assets like certain NFTs or utility tokens. A certifier could offer a standardized framework for classifying assets to ensure consistent reporting.
Due Diligence · SkyInsights — AML / KYT
Evidence (3) — verbatim quotes from the source
Regime
“For the purpose of complying with the reporting requirements referred to in paragraph 1, each Member State shall lay down the necessary rules to require a Crypto-Asset Operator to register within the Union.”
Status
“Member States shall adopt and publish, by 31 December 2025, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately inform the Commission thereof.”
Requires AML / KYT
“Each Member State shall take the necessary measures to require Reporting Crypto-Asset Service Providers to fulfil the reporting requirements and carry out the due diligence procedures laid down in Sections II and III of Annex VI, respectively.”

BGB — Bürgerliches Gesetzbuch (German Civil Code) — general contract and consumer law applicable to CASP-customer relations
statute · Bundestag · 1896-08-18 · 0/1 anchored
In force
Scope: The German Civil Code (BGB) provides the general legal framework for contracts, obligations, and consumer protection. These principles apply to the contractual relationship between crypto-asset service providers and their customers.
Gap or ambiguity: The BGB is technology-neutral and lacks specific rules for crypto-assets, such as smart contract defects or digital asset custody standards. Certifiers can help bridge this gap by establishing best practices that demonstrate compliance with general duties of care under the code.
Smart Contract Audit

Regulation on the Delegation of Powers to Issue Legal Ordinances to the Federal Financial Supervisory Authority
regulation · BaFin · 2002-12-13

WpPG — Wertpapierprospektgesetz (German Securities Prospectus Act) — companion of EU Prospectus Regulation; applies to public offerings of security tokens
statute · Bundestag · 2018-06-08 · 2/2 anchored
Licensing · In force
Scope: This act governs the requirement to prepare, have approved by the regulator, and publish a prospectus for public offerings of securities, including security tokens.
Gap or ambiguity: The law requires full disclosure in the prospectus but does not specify technical standards for security tokens. This creates a gap regarding the expected level of technical due diligence and disclosure for smart contracts and underlying protocols.
Due Diligence · Smart Contract Audit
Evidence (2) — verbatim quotes from the source
Regime
“Gesetz über die Erstellung, Billigung und Veröffentlichung des Prospekts, der beim öffentlichen Angebot von Wertpapieren oder bei der Zulassung von Wertpapieren zum Handel an einem organisierten Markt zu veröffentlichen ist”
Status
“Gesetz über die Erstellung, Billigung und Veröffentlichung des Prospekts, der beim öffentlichen Angebot von Wertpapieren oder bei der Zulassung von Wertpapieren zum Handel an einem organisierten Markt zu veröffentlichen ist”

Act on Sales Prospectuses for Securities
statute · Bundestag · 2005-03-03

Solidarity Surcharge Act 1995
statute · Bundestag · 1993-06-23
Scope: This act appears to be a tax law concerning a solidarity surcharge and does not contain any provisions related to crypto-assets.
Gap or ambiguity: The provided text is not a regulation for crypto-assets, so no specific gaps or ambiguities related to the sector can be identified.

GwG — Geldwäschegesetz (Anti-Money Laundering Act) — central AML/CFT law; after FinmadiG, CASPs and ART issuers are explicitly obliged entities (§2 GwG) with KYC, monitoring and FIU reporting duties
statute · Bundestag · 2017-06-23 · 0/9 anchored
Licensing · In force
Scope: This is Germany's central Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) law. It defines obliged entities, including crypto-asset service providers, and mandates risk management, customer due diligence (KYC), monitoring, and reporting obligations.
Gap or ambiguity: The law is principles-based, requiring risk analysis and internal safeguards (§4, §6) without specifying technical standards for crypto firms. This creates an opportunity for independent certifiers to audit the adequacy of AML/KYT systems and risk assessment methodologies, especially concerning transfers to/from self-hosted wallets (§15a).
Due Diligence · SkyInsights — AML / KYT · Skynet — Threat Monitoring

Regulation on enhanced due diligence requirements for the transfer of crypto assets (Crypto Asset Transfer Regulation - KryptoWTransferV)
regulation · BMF · 2023-05-22 · 1/2 anchored
In force
Scope: This regulation establishes enhanced due diligence requirements for the transfer of crypto-assets. It focuses on anti-money laundering (AML) obligations.
Gap or ambiguity: The provided text is a high-level notice, lacking the specific technical standards for complying with the Travel Rule. This creates an opportunity for providers of AML/KYT compliance solutions to define best practices.
Due Diligence · SkyInsights — AML / KYT
Evidence (1) — verbatim quotes from the source
Status
“Veröffentlichungsdatum: 26.05.2023” [Publication date: 26.05.2023]

KStG — Körperschaftsteuergesetz (Corporate Income Tax Act) — companies are always taxed on crypto gains (no 1-year holding exemption); ~15% + Soli + Gewerbesteuer
statute · Bundestag · 1977-08-31 · 1/1 anchored
In force
Scope: This act governs corporate income tax in Germany. As applied to crypto-assets, it subjects corporate entities to taxation on all gains, without the one-year holding period exemption available to individuals.
Evidence (1) — verbatim quotes from the source
Status
“Körperschaftsteuergesetz”

WpHG — Wertpapierhandelsgesetz (Securities Trading Act) — German implementation of MiFID II; governs trading of security tokens, market conduct, market abuse
statute · Bundestag · 1994-07-26 · 0/3 anchored
Licensing · In force
Scope: This act is the German implementation of MiFID II. It governs the trading of securities, including security tokens, and establishes rules for market conduct, market abuse, and organizational requirements for investment firms.
Gap or ambiguity: The act's application to novel crypto-assets depends on their classification as 'financial instruments,' which can be ambiguous. Detailed technical standards for organizational and conduct rules (e.g., Sections 80, 89) are often set by ordinances, creating a need for interpretation and certification.
Incident Response · Penetration Testing · Security Guidance · Skynet — Threat Monitoring

StGB §261 — Strafgesetzbuch §261 (German Penal Code) — money laundering criminal offence
statute · Bundestag · 1992-09-15 · 1/2 anchored
Prohibition · In force
Scope: This section of the German Penal Code defines the criminal offense of money laundering. It criminalizes concealing, transferring, or using assets derived from unlawful acts to obscure their illicit origin.
Gap or ambiguity: The law's application to crypto-assets hinges on proving knowledge or negligent ignorance of illicit origins. This creates an opportunity for blockchain analysis and compliance tools to establish a standard of care for market participants.
Evidence (1) — verbatim quotes from the source
Status
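“Wer eine Tat nach Absatz 1 oder Absatz 2 als Verpflichteter nach § 2 des Geldwäschegesetzes begeht, wird mit Freiheitsstrafe von drei Monaten bis zu fünf Jahren bestraft.” [Whoever commits an offence under subsection 1 or subsection 2 as an obliged entity under § 2 of the Anti-Money Laundering Act shall be punished with imprisonment of three months to five years.]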

EStG §22 — Einkommensteuergesetz §22 (Income Tax Act) — sonstige Einkünfte; covers staking/lending crypto income
statute · Bundestag · 1934-10-16 · 1/1 anchored
In force
Scope: This section of the German Income Tax Act defines the tax treatment for 'other income'. It is interpreted to cover income from crypto-asset activities like staking and lending under the category of income from services.
Gap or ambiguity: The law does not explicitly mention crypto-assets, staking, or lending. The classification of such income under this section relies on administrative and judicial interpretation, creating ambiguity for taxpayers.
Evidence (1) — verbatim quotes from the source
Status
“Sonstige Einkünfte sind” [Other income is]

WpIG — Wertpapierinstitutsgesetz (Securities Institutions Act) — prudential regime for investment firms providing security-token services
statute · Bundestag · 2021-06-12 · 1/4 anchored
Licensing · In force
Scope: This act establishes the prudential and licensing framework for investment firms in Germany. It includes specific provisions for firms providing crypto-asset services, such as qualified crypto custody.
Gap or ambiguity: The law mandates risk management (§ 45) and asset segregation for crypto custody (§ 69a) but does not specify detailed technical standards. This leaves room for interpretation on acceptable IT security controls and key management practices, creating an opportunity for certifiers.
Incident Response · Penetration Testing · Regulatory Compliance Support · Security Guidance · SkyInsights — AML / KYT · Skynet — Threat Monitoring
Evidence (1) — verbatim quotes from the source
Status
“Gesetz zur Beaufsichtigung von Wertpapierinstituten”

Act Establishing the Federal Financial Supervisory Authority (FinDAG)
statute · BaFin · 2002-04-22

KAGB — Kapitalanlagegesetzbuch (Capital Investment Code) — governs investment funds; relevant for crypto funds and Kryptofondsanteile
statute · Bundestag · 2013-07-04 · 0/3 anchored
Licensing · In force
Scope: This law governs the management, administration, and distribution of investment funds (UCITS and AIFs) in Germany. It sets out authorization and operational requirements for fund managers and depositaries.
Gap or ambiguity: The KAGB establishes general duties for asset safekeeping (§ 72, § 81) but lacks specific technical standards for crypto-asset custody. This creates an opportunity for certifiers to establish best practices for private key management and secure storage solutions under this framework.
Incident Response · Penetration Testing · Regulatory Compliance Support · Security Guidance · Skynet — Threat Monitoring

Income Tax Act
statute · Bundestag · 1934-10-16

KMAG — Kryptomärkteaufsichtsgesetz (Crypto-Asset Markets Supervision Act) — designates BaFin as MiCA competent authority; defines supervisory powers (incl. public warnings §47); §50 grandfathering of national licenses until 2025-12-31
statute · Bundestag · 2024-12-27 · 2/4 anchored
Licensing · Implementing
Scope: This act implements the EU's MiCA regulation in Germany, designating BaFin as the competent authority. It defines supervisory powers, authorization procedures, and transitional rules for existing crypto service providers.
Gap or ambiguity: The act references high-level requirements like 'Digital Operational Resilience' (§26) and 'reserve assets' (§28) without specifying detailed technical standards. This creates a gap for independent certifiers to audit against best practices or forthcoming EU technical standards.
Incident Response · Penetration Testing · Proof of Reserves · Regulatory Compliance Support · Security Guidance · Skynet — Threat Monitoring
Evidence (2) — verbatim quotes from the source
Regime
“Kapitel 2 Durchsetzung der Zulassungsvorbehalte” [Chapter 2: Enforcement of authorisation requirements]
Status
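“§ 50 Übergangsvorschrift zur Erbringung von Kryptowerte-Dienstleistungen nach Artikel 143 der Verordnung (EU) 2023/1114” [§ 50 Transitional provision for the provision of crypto-asset services under Article 143 of Regulation (EU) 2023/1114]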

Fiscal Code
statute · BMF · 2025-01-23

EStG §23 — Einkommensteuergesetz §23 (Income Tax Act) — private sale transactions; key crypto rule: gains on crypto held <1 year taxable at marginal rate (0–45%); after 1-year holding period, fully tax-free; €1,000 annual exemption
statute · Bundestag · 1934-10-16 · 0/1 anchored
In force
Scope: This law defines the tax treatment for private sales of assets, including crypto-assets. Gains are taxable if the asset is held for less than one year and tax-free if held for more than one year.
Gap or ambiguity: The law does not explicitly mention crypto-assets. The conditions that extend the tax-free holding period to ten years for assets used to generate income create ambiguity for staking or lending activities.

FinmadiG — Finanzmarktdigitalisierungsgesetz (Financial Market Digitalization Act, 27/12/2024) — umbrella law implementing MiCA, TFR and DORA in Germany; Article 1 creates the KMAG; subsequent articles amend KWG, WpHG, WpIG, KAGB, HGB, GwG, ZAG
statute · Bundestag · 2024-12-27 · 7/7 anchored
Licensing · Implementing
Scope: This is an umbrella law implementing the EU's MiCA, TFR, and DORA regulations in Germany. It creates the KMAG (Crypto Markets Supervision Act) and amends various existing financial laws.
Gap or ambiguity: As an implementation of broad EU regulations, specific technical standards and supervisory expectations from the German regulator (BaFin) are not yet fully detailed. This creates an opportunity for certifiers to help establish best practices for compliance.
Incident Response · L1 Chain Audit · Penetration Testing · Proof of Reserves · Security Guidance · SkyInsights — AML / KYT · Skynet — Threat Monitoring · Smart Contract Audit
Evidence (7) — verbatim quotes from the source
Regime
“(regime: `licenciamento`, status: `em_implementacao`)”
Status
“(regime: `licenciamento`, status: `em_implementacao`)”
Requires technical audit
“`exige_auditoria_tecnica` → `['smart_contract_audit', 'l1_chain_audit']`”
Requires proof of reserves
“`exige_proof_of_reserves` → `['proof_of_reserves']`”
Requires penetration test
“`exige_pentest` → `['penetration_testing']`”
Requires AML / KYT
“`exige_kyt_aml` → `['skyinsights_aml_kyt']`”
Requires custody security
“`exige_seguranca_custodia` → `['penetration_testing', 'skynet_threat_monitoring', 'incident_response', 'security_guidance']`”

KWG — Kreditwesengesetz (Banking Act) — defines Kryptowerte and kryptografische Instrumente (§1(11)); historical basis for crypto custody licensing (Kryptoverwahrgeschäft)
statute · Bundestag · 1961-07-10 · 0/4 anchored
Licensing · In force
Scope: This is Germany's primary Banking Act, which defines crypto-assets (Kryptowerte) and establishes a licensing regime for financial services. It specifically regulates crypto-asset custody (Kryptoverwahrgeschäft) as a licensed activity.
Gap or ambiguity: The act establishes high-level obligations for crypto custody and risk management but does not specify detailed technical standards. This creates an opportunity for independent certifiers to audit against industry best practices to demonstrate compliance.
Incident Response · Penetration Testing · Regulatory Compliance Support · Security Guidance · SkyInsights — AML / KYT · Skynet — Threat Monitoring

ZAG — Zahlungsdiensteaufsichtsgesetz (Payment Services Supervision Act) — applies when crypto model touches payment services or e-money (interface with EMTs)
statute · Bundestag · 2017-07-17 · 1/4 anchored
Licensing · In force
Scope: This act regulates payment services and e-money business in Germany. It establishes a licensing and supervision framework for payment and e-money institutions, which applies to crypto-asset models that fall under these definitions.
Gap or ambiguity: The act provides general principles for operational and security risk management (Sec. 53) but lacks specific technical standards for crypto-assets. This creates an opportunity for certifiers to establish best practices for IT security and risk management in a crypto context.
Incident Response · Penetration Testing · Proof of Reserves · Regulatory Compliance Support · Security Guidance · Skynet — Threat Monitoring
Evidence (1) — verbatim quotes from the source
Status
“§ 66 Übergangsvorschriften für Zahlungsinstitute, die bereits über eine Erlaubnis verfügen” [§ 66 Transitional provisions for payment institutions that already hold a licence]

EU Prospectus Regulation 2017/1129 — public offerings and admissions to trading of securities (applies to security tokens)
regulation · European Parliament & Council · 2017-06-14 · 2/3 anchored
Licensing · In force
Scope: This regulation harmonizes the rules for the prospectus to be drawn up, approved, and published when securities are offered to the public or admitted to trading on a regulated market in the EU.
Gap or ambiguity: The regulation is technology-neutral and does not address risks specific to crypto-assets, such as smart contract vulnerabilities or blockchain protocol risks. This creates a gap for technical assurance and certification services.
Smart Contract Audit
Evidence (2) — verbatim quotes from the source

VermAnlG — Vermögensanlagengesetz (Capital Investments Act) — regime for non-securities investment products with prospectus/VIB duties (some investment tokens)
statute · Bundestag · 2011-12-06 · 1/2 anchored
Licensing · In force
Scope: This act establishes a regime for non-securities capital investments, requiring issuers to publish an approved sales prospectus and an information sheet before a public offering. It focuses on investor protection through disclosure.
Gap or ambiguity: The act is a general capital markets law and does not contain specific technical requirements for crypto-assets. How its disclosure and auditing rules apply to the technical specifics of investment tokens is not defined, leaving a gap for technical standards.
Evidence (1) — verbatim quotes from the source
Status
“Gesetz über Vermögensanlagen”

Act on the Electricity and Gas Supply (Energy Industry Act)
statute · Bundestag · 2005-07-07
Scope: This act regulates the electricity and gas supply in Germany. The provided text does not contain any provisions related to crypto-assets.
Gap or ambiguity: This legislation does not apply to crypto-assets, so there are no specific regulatory gaps or ambiguities concerning them within this text.