By CertiK service

For each security service, see which jurisdictions trigger it and how attractive each market is right now.

Penetration Testing

Jurisdictions triggering

Norms triggering

High-maturity markets

Top markets for Penetration Testing

Country	Region	Lead regulator	Maturity	Next deadline	Days	Score
BR — Brazil	LATAM	BCB	High	2026-10-30	155	82.9
DE — Germany	EU	Bundestag	High	—	—	63.4
HK — Hong Kong	APAC	SFC	High	—	—	63.4
GB — United Kingdom	EU	FCA	High	2027-10-25	515	63.2
SG — Singapore	APAC	MAS	High	—	—	60.6
FR — France	EU	Parlement	High	—	—	57.7
AE — United Arab Emirates	MENA	CBUAE	Medium	—	—	56.8
AR — Argentina	LATAM	BCRA	Medium	—	—	56.8
TR — Türkiye	MENA	null	Medium	—	—	56.8
US — United States	NA	IRS	Medium	—	—	51.0
CA — Canada	NA	null	High	—	—	49.1
IT — Italy	EU	Parlamento Italiano	Medium	—	—	48.2
ZA — South Africa	Africa	SARS	Medium	—	—	48.2
JP — Japan	APAC	FSA	Medium	—	—	45.3
UY — Uruguay	LATAM	Parlamento	Medium	—	—	45.3
CH — Switzerland	EU	FINMA	Medium	—	—	42.5

Norms that trigger Penetration Testing

US2015-06-24

NY BitLicense — 23 NYCRR Part 200 (NYDFS) — virtual currency business activity license for New York; one of the strictest crypto licenses in the US; NYDFS also grants limited-purpose trust charters as an alternative route

The regulation requires a license for virtual currency business activities involving New York or its residents. This includes transmitting, custodying, buying, selling, exchanging, or issuing virtual currency.

US1934-06-06

US Securities Exchange Act of 1934 (15 U.S.C. §78a et seq.) — regulates secondary markets, exchanges, brokers/dealers; created the SEC

This statute governs the secondary trading of securities in the U.S. It establishes registration and reporting requirements for exchanges, brokers, dealers, and issuers.

US2025-07-17

CLARITY Act — Digital Asset Market Clarity Act of 2025 (H.R. 3633) — BILL, NOT YET LAW; proposes market structure framework; would give CFTC exclusive jurisdiction over digital-commodity spot markets (BTC, ETH) and keep SEC over investment-contract assets; House-passed Jul/2025, Senate Banking markup expected 2026

This bill proposes a regulatory framework for digital assets, splitting jurisdiction between the CFTC for digital commodities and the SEC for investment-contract assets. It regulates exchanges, brokers, and dealers.

US2025-07-18

GENIUS Act — Guiding and Establishing National Innovation for U.S. Stablecoins Act (Public Law 119-27, signed 2025-07-18) — FIRST FEDERAL CRYPTO LAW; creates Permitted Payment Stablecoin Issuer (PPSI) regime; 100% reserve, par redemption; treats PPSIs as BSA financial institutions; excludes payment stablecoins from the definition of 'security'

This law establishes a federal licensing framework for payment stablecoin issuers, known as Permitted Payment Stablecoin Issuers (PPSIs). It mandates 1:1 reserves, monthly public reserve reporting, and par value redemption.

HK2025-11-03

SFC Circulars of 2025-11-03 — expansion of products and global liquidity — VATPs may distribute VA-exposure products, tokenised securities, stablecoins; conduct staking; trust/client accounts; integrate order books with global affiliates for shared liquidity; relax 12-month track-record for professional-only tokens

This guidance expands the scope for licensed Virtual Asset Trading Platforms (VATPs), permitting new products like tokenized securities and stablecoins, staking, and shared global liquidity.

HK2023-05-23

Consultation Conclusions on the Proposed Regulatory Requirements for Virtual Asset Trading Platform Operators Licensed by the Securities and Futures Commission

This document proposes a comprehensive licensing and regulatory framework for centralized virtual asset trading platforms operating in or marketing to Hong Kong. It covers requirements for custody, AML/CFT, token admission, and introduces investor protection measures to allow access for retail investors.

HK2025-05-30

Stablecoins Ordinance, Cap. 656

This ordinance establishes a mandatory licensing regime for issuers of specified stablecoins in Hong Kong. It also regulates the offering, advertising, and fraudulent activities related to these assets.

VARA Compliance and Risk Management Rulebook — cross-activity compliance, governance, risk management for VARA-licensed entities

This rulebook establishes comprehensive compliance, risk management, and AML/CFT obligations for entities licensed by VARA. It includes specific rules for handling client money and client virtual assets.

AE2024-08-01

CBUAE Payment Token Services Regulation (PTSR) — Circular No. 2 of 2024 (effective Aug 2024) — stablecoin regime; distinguishes Dirham Payment Token (AED-backed, CBUAE-licensed issuer) from Foreign Payment Token (non-AED, CBUAE-registered issuer); licences issuance, custody/transfer, conversion; bans algorithmic stablecoins and privacy tokens as means of payment; 100% reserves; applies UAE-wide except DIFC/ADGM (but reaches VARA entities)

This regulation establishes a licensing and registration framework for payment token (stablecoin) services in the UAE. It covers issuance, custody, and conversion, distinguishing between AED-backed tokens (licensed) and foreign currency-backed tokens (registered).

AE2022-02-28

Dubai Law No. 4 of 2022 — Regulating Virtual Assets in the Emirate of Dubai; creates VARA (Virtual Assets Regulatory Authority); first dedicated VA regulator in the world; covers Dubai and its economic free zones except DIFC

This law establishes the Virtual Assets Regulatory Authority (VARA) and a mandatory licensing regime for Virtual Asset Service Providers (VASPs) in Dubai, excluding the DIFC.

CH2020-09-25

Swiss DLT Act (2021) — Federal Act on the Adaptation of Federal Law to Developments in DLT; umbrella law amending 10 statutes; creates ledger-based securities / register value rights (Registerwertrechte) in the Code of Obligations; creates DLT trading facilities in FinMIA; regulates crypto segregation in bankruptcy; in force Aug 2021

This act adapts Swiss federal law for DLT, creating ledger-based securities (register value rights) and a new license category for DLT trading facilities. It also clarifies the segregation of crypto-assets in bankruptcy.

IT2014-03-04

Legislative Decree No. 44 of 4 March 2014

This decree implements the EU's Alternative Investment Fund Managers Directive (AIFMD) into Italian law. It regulates the authorization, operation, and supervision of managers of alternative investment funds (AIFs).

IT1998-02-24

Italian TUF — Testo Unico della Finanza (Legislative Decree 58/1998) — when token is a financial instrument / security token, the capital-markets regime applies (offering, prospectus, intermediation) under CONSOB — OUTSIDE MiCA

This law establishes the general framework for financial instruments and intermediaries in Italy. It applies to crypto-assets that qualify as financial instruments (security tokens), subjecting them to licensing and conduct rules.

IT2024-09-05

Italian Legislative Decree No. 129 of 5 September 2024 ('Decreto MiCA', effective 2024-09-14) — implements MiCA in Italy; designates CONSOB (conduct, transparency, fair dealing, market abuse, supervision of non-ART/EMT crypto) and Banca d'Italia (prudential supervision of ART/EMT issuers + AML); amends TUF and TUB (banking consolidated act); MiFID-style 'fit & proper' + IAS/IFRS + external audit + internal controls

This decree implements the EU's MiCA regulation in Italy. It designates CONSOB and the Bank of Italy as the competent national authorities for supervising crypto-asset services and issuers.

CA2021-06-29

Canada Retail Payment Activities Act (RPAA) — registration and supervision of payment service providers (PSPs) including those performing retail payment functions with crypto/tokens; administered by Bank of Canada

The act requires Payment Service Providers (PSPs) to register with the Bank of Canada. Supervision focuses on operational risk management, incident response, and safeguarding end-user funds.

CSA crypto-platforms regulation and enforcement actions hub — landing page tracking all registered Crypto Asset Trading Platforms (CTPs) and enforcement

This guidance outlines the registration regime for Crypto Asset Trading Platforms (CTPs) operating in Canada. All CTPs, including foreign platforms serving Canadians, must register with securities regulators and adhere to investor protection conditions.

ZA2025-10-01

FSCA Information Request 2 of 2025 (October 2025) — requires all licensed and provisional CASPs to submit operational and risk data (AML, custody, stablecoins, reserves, consumer protection, cross-border activity); basis for evolving the regulatory framework

Requires licensed and provisional CASPs to submit operational and risk data. The request covers AML, custody, stablecoins, reserves, consumer protection, and cross-border activity.

UY2025-08-21

BCU draft regulation of the RNMV for PSAVF (2025-08-21) — proposed modification of the Recopilación de Normas del Mercado de Valores: prior BCU authorization required, minimum equity of 1,500,000 UI, BCU sight deposit of 50,000 UI, regulator guarantee of at least 2,000,000 UI, cybersecurity/custody/AML requirements; transition period until 2026-06-30

This is a proposed regulation for Virtual Asset Service Providers (PSAVF). It establishes a prior authorization regime with minimum capital, guarantee, cybersecurity, custody, and AML requirements.

UY2009-12-02

Uruguay Law No. 18,627 — Securities Market Law (Ley del Mercado de Valores) — updated by the LAV to cover securities issued and traded in DLT format; financial VAs are equated to book-entry securities (valores escriturales); public offering, registration and supervision by SSF/BCU

This law establishes a registration regime for the public offering of securities in Uruguay, supervised by the Superintendency of Financial Services (SSF). It was updated to explicitly cover securities issued on DLT, treating them as a form of book-entry security.

SG2001-10-05

Singapore Securities and Futures Act 2001 (SFA) — applies when a digital token is a capital markets product (tokenized securities, derivatives); governs offers, prospectus, intermediation, organized markets

This act applies when a digital token is classified as a capital markets product, such as a security or derivative. It regulates market operators, clearing facilities, and capital markets services licensees.

SG2024-05-09

Notice on Technology Risk Management

This notice sets technology risk management requirements for licensed digital payment token service providers. It focuses on system reliability, availability, and the protection of customer information.

SG2023-08-15

MAS Stablecoin Regulatory Framework (SCS) — finalized 15 August 2023 — applies to single-currency stablecoins (SGD or G10) issued in Singapore; 100% high-quality reserves with monthly independent attestation + annual audit; segregation, par redemption, disclosures

This framework applies to single-currency stablecoins (SCS) issued in Singapore and pegged to the Singapore Dollar or any G10 currency. It establishes requirements for reserve assets, capital, redemption, and disclosure.

GB2017-07-19

UK Payment Services Regulations 2017 (PSRs) — payment services associated with e-money tokens

This regulation establishes an authorization regime for UK payment institutions. It sets out operational, safeguarding, and conduct of business requirements for payment services, which can include those related to e-money tokens.

GB2011-02-09

UK Electronic Money Regulations 2011 (EMRs) — if a fiat-referenced token qualifies as e-money, EMRs/PSRs regime applies and the token is excluded from the 'qualifying cryptoasset' financial-promotion category

This regulation establishes an authorization and prudential supervision regime for electronic money issuers. It applies to fiat-referenced crypto-tokens if they meet the legal definition of e-money.

GB2023-06-08

FCA FG23/3 — Finalised non-handbook guidance on cryptoasset financial promotions — practical application including store-of-value claims, rates of return, on/off-ramp

This guidance clarifies rules for communicating or approving financial promotions for qualifying cryptoassets in the UK. It focuses on ensuring promotions are fair, clear, and not misleading, covering various models like stablecoins and yield products.

GB2025-05-28

CP25/14: Stablecoin issuance and cryptoasset custody

This consultation paper proposes rules for the issuance of qualifying stablecoins and the custody of qualifying cryptoassets in the UK.

GB2025-05-28

CP25/15: A prudential regime for cryptoasset firms

This consultation paper proposes prudential rules and guidance for issuing qualifying stablecoins and safeguarding qualifying cryptoassets in the UK.

AR2025-03-14

CNV General Resolution No. 1058/2025 — FULL PSAV REGULATION; imposes registration, cybersecurity, asset custody, AML, and risk-disclosure duties; requires ANNUAL SYSTEMS AUDIT; sets adequacy deadlines; CNV may suspend/revoke registrations; unregistered PSAVs may be judicially blocked

This regulation establishes a mandatory registration regime for Virtual Asset Service Providers (VASPs) in Argentina. It imposes comprehensive duties including AML, cybersecurity, asset segregation, and public proof-of-reserves.

DE2022-12-14

EU Digital Operational Resilience Act (DORA) 2022/2554 — ICT risk management, third-party governance and incident reporting for financial entities including CASPs

This regulation establishes a comprehensive framework for digital operational resilience in the EU financial sector. It sets harmonized rules for ICT risk management, incident reporting, resilience testing, and managing ICT third-party risk.

DE1994-07-26

WpHG — Wertpapierhandelsgesetz (Securities Trading Act) — German implementation of MiFID II; governs trading of security tokens, market conduct, market abuse

This act is the German implementation of MiFID II. It governs the trading of securities, including security tokens, and establishes rules for market conduct, market abuse, and organizational requirements for investment firms.

DE2021-06-12

WpIG — Wertpapierinstitutsgesetz (Securities Institutions Act) — prudential regime for investment firms providing security-token services

This act establishes the prudential and licensing framework for investment firms in Germany. It includes specific provisions for firms providing crypto-asset services, such as qualified crypto custody.

DE2013-07-04

KAGB — Kapitalanlagegesetzbuch (Capital Investment Code) — governs investment funds; relevant for crypto funds and Kryptofondsanteile

This law governs the management, administration, and distribution of investment funds (UCITS and AIFs) in Germany. It sets out authorization and operational requirements for fund managers and depositaries.

DE2024-12-27

KMAG — Kryptomärkteaufsichtsgesetz (Crypto-Asset Markets Supervision Act) — designates BaFin as MiCA competent authority; defines supervisory powers (incl. public warnings §47); §50 grandfathering of national licenses until 2025-12-31

This act implements the EU's MiCA regulation in Germany, designating BaFin as the competent authority. It defines supervisory powers, authorization procedures, and transitional rules for existing crypto service providers.

DE2024-12-27

FinmadiG — Finanzmarktdigitalisierungsgesetz (Financial Market Digitalization Act, 27/12/2024) — umbrella law implementing MiCA, TFR and DORA in Germany; Article 1 creates the KMAG; subsequent articles amend KWG, WpHG, WpIG, KAGB, HGB, GwG, ZAG

This is an umbrella law implementing the EU's MiCA, TFR, and DORA regulations in Germany. It creates the KMAG (Crypto Markets Supervision Act) and amends various existing financial laws.

DE1961-07-10

KWG — Kreditwesengesetz (Banking Act) — defines Kryptowerte and kryptografische Instrumente (§1(11)); historical basis for crypto custody licensing (Kryptoverwahrgeschäft)

This is Germany's primary Banking Act, which defines crypto-assets (Kryptowerte) and establishes a licensing regime for financial services. It specifically regulates crypto-asset custody (Kryptoverwahrgeschäft) as a licensed activity.

DE2017-07-17

ZAG — Zahlungsdiensteaufsichtsgesetz (Payment Services Supervision Act) — applies when crypto model touches payment services or e-money (interface with EMTs)

This act regulates payment services and e-money business in Germany. It establishes a licensing and supervision framework for payment and e-money institutions, which applies to crypto-asset models that fall under these definitions.

BR2025-11-10

BCB Resolution No. 520 of 2025

This resolution establishes a licensing framework for Virtual Asset Service Providers (VASPs) in Brazil. It defines VASP categories, operational rules, governance, and asset segregation requirements.

BR2026-01-22

BCB Normative Instruction No. 701 of 2026 — technical-certification requirements by independent qualified firms for crypto-asset intermediation/custody licenses (anchors Res. 520 arts. 20 and 23)

This norm details the requirements for a mandatory technical certification by an independent firm. This certification is a prerequisite for entities seeking to provide crypto-asset intermediation and custody services in Brazil.

BR2004-08-18

CVM Instruction No. 409 of August 18, 2004

This 2004 instruction establishes the general rules for the constitution, administration, operation, and registration of traditional investment funds in Brazil. It does not apply to specific fund types like private equity or real estate funds.

BR2021-05-06

BCB Resolution No. 93, of May 6, 2021, provides for the internal audit activity in consortium administrators and payment institutions.

This resolution mandates internal audit activities for various financial institutions. An amendment will extend these requirements to virtual asset service providers (VASPs) starting in March 2026.

BR2017-07-13

CVM Instruction No. 588, of July 13, 2017

This rule regulates public offerings of securities by small businesses through online investment crowdfunding platforms. It establishes an authorization regime for the platforms and a registration exemption for the offerings.

BR2020-08-12

BCB Resolution No. 1, of August 12, 2020

This regulation establishes the Brazilian instant payment system, Pix. It defines the rules, participants, governance, and operational framework for 24/7 real-time fund transfers.

BR2022-12-21

Brazilian Law No. 14,478 of 2022 (Virtual Assets Framework)

This law establishes a licensing framework for Virtual Asset Service Providers (VASPs) in Brazil. It also criminalizes fraud involving virtual assets and subjects VASPs to national AML/CFT regulations.

BR2003-12-29

CVM Instruction No. 400 of 2003

This regulation governs the process for public offerings of securities in Brazil's primary and secondary markets. It establishes the registration requirements with the CVM to ensure investor protection through disclosure.

BR2021-04-08

BCB Resolution No. 85 of 2021 — cybersecurity policy for payment institutions (companion of CMN 4,893)

This resolution establishes a mandatory cybersecurity policy for payment institutions and other regulated entities, including virtual asset service providers from 2026. It details requirements for risk management, incident response, and contracting cloud services.

BR2021-02-26

CMN Resolution No. 4,893 of 2021 — cybersecurity policy and cloud-processing/storage requirements for BCB-regulated institutions; extended to SPSAVs by Res. 520

This resolution establishes a cybersecurity policy and requirements for contracting cloud computing services for financial institutions. It mandates risk management, incident response plans, and specific security controls.

FR2019-05-22

French PACTE Law n° 2019-486 of 22 May 2019 — created PSAN status (Prestataire de Services sur Actifs Numériques) and the definition of digital assets (actifs numériques = tokens + virtual currencies); pioneering, inspired MiCA

This law created the French legal framework for Digital Asset Service Providers (PSAN). It defines digital assets and establishes a dual regime of mandatory registration and optional licensing for various crypto-asset services.

FR2024-10-15

French Ordonnance n° 2024-936 of 15 October 2024 — markets in crypto-assets — adapts the Code monétaire et financier to MiCA; allocates AMF/ACPR powers; creates new Title II bis Livre II CMF on legal nature of digital assets; institutes simplified procedure for registered PSANs

This ordinance adapts the French Monetary and Financial Code to the EU's MiCA regulation. It establishes the legal framework for the MiCA licensing regime in France and sets a transitional period for existing registered providers (PSANs).

JP2009-06-24

Payment Services Act (Act No. 59 of 2009)

The regulation establishes a registration system for Electronic Payment Service Providers, which offer payment initiation and account information aggregation services. It mandates contracts with banks and measures for user data security.

JP2009-06-24

Japan Payment Services Act (PSA / 資金決済法) — base framework defining 'Crypto Asset' (暗号資産) and licensing the Crypto Asset Exchange Service Providers (CAESP / 暗号資産交換業者) that must register with the FSA; client-asset segregation, governance, cybersecurity, fit-and-proper for officers; world-pioneering crypto-exchange regulation (2017, after Mt. Gox)

This act establishes a foundational framework for payment services in Japan. It defines 'Crypto Asset' and creates a registration regime for Crypto Asset Exchange Service Providers (CAESPs) under the Financial Services Agency (FSA).

JP1981-06-01

Banking Act

This act establishes the licensing, operational, and supervisory framework for banks in Japan. It also regulates related entities like bank holding companies, bank agents, and electronic payment service providers.

TR2024-07-02

Law on Amendments to the Capital Markets Law (Law No. 7518)

This law establishes a comprehensive licensing and supervision framework for Crypto-Asset Service Providers (CASPs) in Türkiye. It empowers the Capital Markets Board to regulate their activities, with technical criteria for IT systems set by TÜBİTAK.

Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions (Law No. 6493)

This law establishes a licensing framework for payment institutions and electronic money institutions in Turkey. It regulates payment services, systems, and the issuance of electronic money.