A decentralised autonomous organisation (DAO) is a blockchain-based governance structure in which rules encoded as smart contracts – self-executing programs that run on a distributed ledger – replace the conventional corporate hierarchy of directors, officers and shareholders. DAOs issue governance tokens, allow token holders to propose and vote on protocol changes, and execute those changes automatically without a central intermediary. For a digital-asset business evaluating this architecture, the legal question is immediate and consequential: does the absence of a traditional legal person eliminate regulatory exposure, or does it merely relocate it?
The answer, consistently emerging across the major regulatory regimes, is the latter. Regulators from ESMA and the national competent authorities enforcing MiCA to the SEC, CFTC and FinCEN in the United States have made clear that legal form does not determine regulatory substance. A DAO that operates an exchange, issues tokens carrying financial rights, or pools and deploys user capital may be a virtual asset service provider (VASP) – an entity required to hold a licence, maintain AML/CFT programmes, and comply with the Travel Rule (the obligation to pass originator and beneficiary data with a transfer) – regardless of whether it has registered articles of incorporation. This guide maps the regulated perimeter, the structural options available to operators, and the liability questions that arise when a DAO or its underlying smart contracts cause loss.
The sections that follow move from definition to regulatory classification, then to legal wrappers, cross-border exposure, liability, practical structuring choices, and the questions that should prompt immediate engagement with counsel.
What Is a DAO and How Does It Function Legally?
A DAO is a protocol-governed entity whose constitutional rules live in code rather than a memorandum of association. Token holders vote on proposals – fee changes, treasury allocations, protocol upgrades – and the smart contract executes the outcome without a board resolution or officer signature. Economically, the structure can resemble a partnership, a cooperative, a fund or a company depending on what the protocol actually does.
That economic substance is exactly where regulators start their analysis. In our practice advising DeFi operators, we consistently observe that the first regulatory question is not "what does the whitepaper call this?" but "what rights does the token confer and what service does the protocol provide?" A governance token that also entitles holders to a share of protocol revenue is, in substance, a financial instrument. A protocol that matches buyers and sellers of digital assets is, in substance, an exchange. The label "DAO" does not change either characterisation.
The common-law tradition offers a further complication. Where a DAO lacks a legal wrapper, courts in England and Wales, Singapore and Hong Kong have shown willingness to treat the token-holder collective as a general partnership – meaning every holder could bear joint and several liability for protocol-level acts. That is not a theoretical risk. It is an outcome that has been considered in litigation involving unincorporated DeFi structures, and it is one of the most powerful arguments for early formalisation.
How Do Major Regulatory Regimes Classify DAO Activity?
Whether a DAO falls inside the regulated perimeter turns on activity, not architecture – and the leading regimes analyse that activity through well-developed classification tests.
Under MiCA, the EU's cross-sector regime administered by ESMA and national competent authorities, a crypto-asset service provider authorisation is required for a defined list of activities: exchange, custody, portfolio management, transfer, advice and others. A DAO protocol that provides any of those services to EU users is in scope, even if the protocol has no EU establishment. The territorial reach of MiCA is broad: it captures services offered to persons located in the EU. A fully decentralised protocol with no identifiable issuer may escape the whitepaper requirement for "other crypto-assets," but the CASP authorisation question depends on whether any person – a foundation, a developer company, a front-end operator – is providing the service.
In the United States, the SEC applies the Howey investment-contract analysis to governance tokens and has signalled that decentralisation is a spectrum, not a binary. The CFTC asserts jurisdiction over digital asset derivatives and spot commodity markets. FinCEN's money-services-business rules apply to any person engaged in money transmission, including smart-contract-based systems where a person exercises control. The NYDFS BitLicense requirement applies to New York-resident users or counterparties regardless of where the protocol is deployed.
VARA in Dubai takes an activity-based approach across its rulebooks: advisory, broker-dealer, custody, exchange, lending, management and transfer/settlement activities each require a separate licence authorisation. A DAO treasury that deploys capital into yield strategies and is accessible to VARA-supervised participants will attract scrutiny under the management and lending rulebooks.
The MAS Payment Services Act in Singapore captures digital payment token services. The SFC in Hong Kong has implemented a VASP licensing regime for virtual-asset trading platforms. Both regulators have indicated that the economic function of the protocol – not its governance structure – determines whether a licence is required. In our cross-border practice, we regularly advise operators who discovered mid-build that their DAO's mechanics brought them inside the regulated perimeter of two or three jurisdictions simultaneously.
CTA #1: If you are evaluating a DAO structure for a new protocol or migrating an existing product to on-chain governance, the regulatory classification step should happen before the architecture is finalised. Map your options with our DeFi and tokenization team before those decisions are locked.
What Legal Wrapper Suits a DAO?
The right legal wrapper for a DAO depends on the protocol's activities, its token structure, its user base and its treasury needs – and no single form is universally optimal.
Operators we advise routinely consider several structural forms. Each involves trade-offs.
A foundation – typically established in Switzerland (FINMA's environment is established for non-profit crypto foundations), the Cayman Islands (under CIMA supervision), or Panama – provides a legal person that can hold IP, own the front-end domain, employ developers, and interface with exchanges and banks. A foundation does not have equity shareholders, which aligns with the ethos of decentralised governance. The risk is that if the foundation exercises meaningful control over the protocol, regulators may treat the foundation as the CASP and apply the full licensing burden to it.
A DAO LLC structure – available in Wyoming (under US state law), the Marshall Islands and, more recently, certain other permissive jurisdictions – provides a legal person whose operating agreement can incorporate on-chain governance mechanics. This form offers limited liability to members. The trade-off is US nexus: a Wyoming DAO LLC subjects the entity to US federal jurisdiction, which may bring SEC, CFTC and FinCEN analysis into direct play.
A BVI or Cayman foundation company provides a hybrid: a company that has no shareholders but has a purpose and a board, controlled by the constitutional documents rather than equity. This form is common for protocol treasuries because it can hold assets, enter contracts and issue tokens without creating equity claims. The BVI FSC and CIMA have established supervisory expectations for virtual-asset service providers operating through these structures under the VASP Acts in each jurisdiction.
A Swiss association or Verein offers a membership-based structure with legal personality under Swiss civil law. Token holders can be members. FINMA's guidance on token classification – distinguishing payment, utility and asset tokens – applies to any Swiss-resident issuer.
In our practice, the most common architecture combines a non-profit foundation (to own IP and the protocol) with an operating company (to employ staff, hold regulatory authorisations and provide services) and a separate treasury vehicle. Each entity has a defined role; liability is compartmentalised; regulatory obligations attach to the entity that actually provides the regulated service. We assess classification against the substance of rights – the governance token, the fee-share mechanics, the treasury deployment – not the marketing label on the whitepaper.
How Does Token Classification Affect a DAO?
Token misclassification is one of the most consequential errors an operator can make, and it is far more common than operators expect. The AUDIENCE_PAIN is not abstract: mis-classifying a token can convert a product launch into an unregistered securities offering, with enforcement, disgorgement and personal liability for founders as potential consequences.
The classification analysis under MiCA distinguishes between asset-referenced tokens (ARTs), e-money tokens (EMTs) and "other" crypto-assets. A governance token that also carries economic rights – fee-share, buyback entitlements, treasury distributions – may be characterised as an ART depending on what it references. An EMT tracks a single fiat currency and requires the issuer to hold a banking or e-money licence. "Other" crypto-assets still require a whitepaper filed with the relevant national competent authority if offered to EU users above the applicable threshold.
The SEC's Howey test asks whether there is an investment of money in a common enterprise with an expectation of profit derived from the efforts of others. For most governance tokens launched by a team that continues to develop the protocol, the "efforts of others" element is difficult to defeat. The degree of decentralisation matters at the margin – a protocol that is genuinely community-run with no dominant developer team is more defensible – but that is a factual question requiring evidence, not a legal conclusion available at the point of a token launch press release.
A common assumption is that a "utility" label on a whitepaper settles the legal classification. It does not. Regulators in every major jurisdiction apply a substance-over-form analysis. A token that can be used to pay fees on the protocol but also entitles the holder to governance rights and a proportionate share of protocol revenue carries mixed characteristics. The classification that applies is driven by the dominant economic reality, not the name chosen at marketing.
In the AIFC environment, the AFSA in Kazakhstan applies its own digital-asset taxonomy. The MFSA in Malta – transitioning from the VFA framework to MiCA CASP – has applied a similar substance analysis for several years. The FCA in the United Kingdom requires crypto-asset businesses to register under the Money Laundering Regulations, and separately regulates crypto-asset financial promotions with strict approval requirements that turn, in part, on token classification.
What Is the Cross-Border Regulatory Exposure of a DAO?
A DAO has no headquarters. It runs on distributed nodes, its contributors are dispersed globally, and its users access it from any internet-connected device. That architecture creates layered, simultaneous regulatory exposure across multiple jurisdictions – and no single licence resolves it.
The cross-border reality, as we see it in practice, is structured around three axes. First, the jurisdiction where the legal wrapper sits (the foundation, the LLC, the treasury vehicle) determines which regulator has primary supervisory authority over that entity. Second, the jurisdictions where users are located determine which access restrictions, financial promotions rules and consumer-protection regimes apply. Third, the jurisdiction where developers and contributors are located may bring those individuals inside the regulated perimeter as the "persons" who are providing a service – even if the smart contract itself is jurisdictionless.
For EU users, MiCA's extraterritorial reach is explicit: the regulation applies to offers and services directed at persons in the EU regardless of the issuer's establishment. A DAO protocol accessible to EU users without geofencing is offering services into the EU. The question of whether a CASP authorisation is required turns on whether any identifiable person is providing the service – but the direction-of-travel in ESMA guidance is toward holding front-end operators, interface providers and foundation boards responsible where the underlying protocol has no legal person.
For US users, the analysis is more fragmented. Federal regulators apply their respective mandates; state money-transmitter licensing is required in most states for any transmission of value. Geofencing US users – blocking IP addresses – reduces but does not eliminate exposure, particularly where the protocol has known US-domiciled governance token holders.
Allied counsel in the relevant jurisdiction are essential for any DAO operating across more than two major markets. The interaction between, for example, a Cayman foundation, MiCA obligations arising from EU users, and US nexus created by a Wyoming-domiciled core contributor team requires coordinated, multi-seat advice. We structure that analysis as a single mandate rather than three disconnected workstreams.
How Do AML and the Travel Rule Apply to a DAO?
FATF Recommendation 15 extends AML/CFT obligations to virtual asset service providers – and FATF guidance makes clear that a "VASP" can include a DeFi protocol or its controlling persons where those persons exercise sufficient control or influence over the service.
The practical effect is significant. If a DAO's legal wrapper or its front-end operator is classified as a VASP, it must implement a customer due diligence programme, screen against sanctions lists, file suspicious transaction reports, and comply with the Travel Rule – the obligation, recognised by FATF and implemented in MiCA, the Payment Services Act in Singapore, the VASP Acts in BVI and Cayman, and the applicable US Bank Secrecy Act provisions, to transmit originator and beneficiary information with transfers above the applicable threshold. That threshold varies by jurisdiction and should be verified against current legislation before implementation.
The tension for DAOs is structural. The Travel Rule assumes identifiable sending and receiving institutions. In a peer-to-peer DeFi environment, neither the protocol nor the counterparties may be identifiable in the conventional sense. Regulators have not resolved this tension uniformly. The emerging consensus – reflected in ESMA technical standards under MiCA – is that the obligation attaches to the closest available regulated intermediary: the exchange that onboarded the user, the custodian holding the wallet, or the front-end service that the user accessed. A DAO that operates a regulated front-end, or whose foundation provides a hosted interface, will likely be treated as that intermediary.
In our practice, we see operators caught by this question at two points: first, when they apply for a banking relationship and the bank requires a documented AML programme for the protocol's transaction flow; and second, when a regulator conducts a thematic review and asks who is responsible for the Travel Rule compliance for the interface. Neither question has a simple answer if the DAO's AML architecture was not designed at the outset.
Who Is Liable When a Smart Contract Fails?
Smart contract failure – whether through a code exploit, an oracle manipulation, a governance attack, or a logic error – raises liability questions that no legal regime has yet answered comprehensively, but that courts in several leading forums have begun to address.
The threshold question is identifying a defendant. In England and Wales, the courts have recognised cryptocurrency as property in a series of decisions following AA v Persons Unknown [2019] and Osbourne v Persons Unknown [2022]. That recognition supports proprietary claims and injunctive relief even against unknown defendants. Where a DAO exploiter can be identified on-chain, a claim can be filed and a worldwide freezing order – an injunction freezing a defendant's assets globally – sought. The DIFC Courts in Dubai have issued worldwide freezing orders in support of foreign proceedings, and courts in Singapore and Hong Kong have granted proprietary injunctions over misappropriated crypto assets.
Where the loss arises not from an external attacker but from the smart contract's own operation – a bug that drained user funds, a governance vote that was manipulated to redirect the treasury – the liability picture is more complex. Claims may lie against the developer who deployed the contract, the auditor who certified it, the foundation that controls upgrades, or the governance token holders who voted for the change that caused the loss. In common-law jurisdictions, negligence, breach of fiduciary duty and unjust enrichment are all available theories. The identification of the right defendant requires on-chain forensic analysis and careful reading of the protocol's governance documentation.
In a recent recovery matter, a Web3 investment vehicle engaged us after a governance exploit drained a significant portion of its treasury. We coordinated on-chain forensic tracing, identified wallet clusters associated with the exploit, and worked with allied counsel to file for disclosure orders in a common-law forum. The combination of a professional forensic report, transaction hash evidence and a prompt court application produced a freezing order within days of the exploit – before the attacker had fully dispersed the funds.
The recovery window after a smart contract exploit is short. On-chain movements happen in blocks, not business days. An operator that waits more than a few hours to instruct counsel and forensics is operating against an adversary who may already be bridging assets across chains or converting to privacy-coin instruments. The CFAAR network – launched in London in September 2021 – connects specialist legal and forensic practitioners specifically for this type of rapid-response matter.
CTA #2: If a smart contract exploit or governance attack has occurred, or if you are conducting a pre-launch liability audit of your DAO's governance architecture, a targeted legal assessment can surface the exposure and the available remedies. Map your options with our disputes desk before the window closes.
Practical Structuring Decisions for DAO Operators
The structural choices available to a DAO operator reduce to a set of concrete decisions, each with regulatory and liability consequences.
Decision 1: Legal wrapper selection. The choice between a foundation, a DAO LLC, a Cayman or BVI foundation company, and a Swiss association depends on the protocol's activity profile, its user geography and its treasury mechanics. A protocol with EU users and a revenue-generating token faces different wrapper considerations than a pure-governance protocol with no economic rights attached to the token. There is no universal answer; the analysis starts with the activity and works backward to the form.
Decision 2: Token architecture. Separating governance rights from economic rights – where the protocol's design permits it – can simplify the classification analysis. A governance token that carries no fee-share, no buyback entitlement and no proportionate treasury claim is more defensible as a utility instrument. Whether that separation is credible in practice depends on the protocol's actual mechanics, not its documentation.
Decision 3: CASP/VASP trigger analysis. Before deployment, map every service the protocol provides against the CASP activity categories under MiCA and the VASP categories in the jurisdictions where users will be located. Where a regulated activity is identified, determine whether the foundation, the operating company or neither is the appropriate regulated entity – and build the authorisation timeline into the launch plan.
Decision 4: AML architecture. Design the KYC/AML programme for the front-end interface at the same time as the smart-contract architecture. Retrofitting compliance to a deployed protocol is significantly more expensive and operationally disruptive than building it in. The Travel Rule compliance mechanism – how originator and beneficiary data will be collected and transmitted – should be documented before the first user transaction.
Decision 5: Upgrade governance. The protocol's upgrade mechanism – multisig, timelock, on-chain vote – determines who bears liability for post-deployment changes. A timelock gives users the ability to exit before a change takes effect. A multisig without community oversight concentrates control in a small group and may undermine the decentralisation argument. Document the upgrade process and its governance rationale explicitly.
Operators we advise who work through these five decisions systematically before launch encounter significantly fewer structural problems at the licensing and banking stages. The cost of pre-launch analysis is a small fraction of the cost of a mid-operation restructuring or a regulatory enforcement response.
Which DAO Structure Suits Which Operator Profile?
The right architecture depends on the operator's specific circumstances. The following profiles illustrate the decision logic, not a universal prescription.
Profile A – Protocol with no economic token, EU users, non-profit ethos. A Swiss foundation or a Cayman foundation company with no CASP-triggering activity may be sufficient. The foundation owns IP, employs developers, and provides the front-end. No CASP authorisation is required if the front-end does not provide a listed service. AML obligations attach to the foundation in proportion to any fiat on/off-ramp it operates. Timeline to structure: a matter of weeks once the activity analysis is complete. Key risk: governance token reclassification if fee mechanics are added post-launch.
Profile B – DeFi exchange protocol with swap, liquidity provision and fee-share token. The exchange function is a CASP-triggering activity under MiCA. A CASP-authorised operating company – likely in a single EU member state for passport purposes – sits alongside a non-profit foundation that owns the protocol IP. The fee-share token requires a whitepaper and may require ART analysis. Timeline: CASP authorisation timelines vary by national competent authority and should be verified against current legislation. Key risk: the foundation being treated as the actual service provider if the operating company lacks genuine substance.
Profile C – DAO fund, treasury management, yield strategies, institutional users. Fund regulation applies in most jurisdictions – under MiCA's portfolio management CASP category, under VARA's management activity rulebook, or under equivalent regimes in Singapore (MAS) or the Cayman Islands (CIMA). An institutional-grade treasury DAO with disclosed governance and a regulated management vehicle is structurally achievable; the path requires coordinated licensing, banking and tax analysis from the outset. Timeline: longer than a standard CASP authorisation; the fund-regulation layer adds complexity. Key risk: treasury assets being treated as client money with corresponding segregation and safeguarding requirements.
When Should a DAO Operator Engage Legal Counsel?
The answer is earlier than most operators do – and the inflection points are predictable.
Counsel should be engaged at the token design stage, before the economic mechanics of the governance token are finalised. That is when classification decisions are still reversible. It is also when the choice of legal wrapper is unconstrained by existing registrations, banking relationships or user expectations.
The second critical moment is before a banking relationship is sought. Banks conducting onboarding due diligence on a DAO-affiliated entity will ask for a legal opinion on the token, a documented AML programme, and an explanation of the governance structure. Operators who arrive at that conversation without prepared answers face extended onboarding timelines or rejection. We have seen this pattern repeatedly across European, UAE and Asian banking markets.
The third moment is at any significant protocol upgrade that changes the economic mechanics of the token or the services the protocol provides. A protocol that adds a lending feature, a fiat on-ramp, or a staking reward mechanism post-launch may cross a regulatory threshold that the original analysis did not contemplate. The MiCA CASP regime is explicit that adding a listed activity triggers the authorisation requirement, regardless of when the protocol was originally deployed.
Finally, any security incident – exploit, governance attack, key compromise – requires immediate legal engagement. The recovery window is measured in hours, not days, and the forensic and legal steps must run in parallel, not sequentially.
Related at OBOLUS
- DeFi, Tokenization and Smart-Contract Law – our core practice covering protocol structuring, token classification and smart-contract disputes.
- How to Structure a Real-World Asset Tokenization – step-by-step guide to the legal and regulatory mechanics of RWA tokenization.
- Digital-Asset Licensing in the Isle of Man – analysis of the Isle of Man's VASP regime for operators seeking a regulated EU-adjacent base.
FAQ
Can a DeFi protocol be regulated?
Yes. Regulatory classification turns on economic function, not architecture. A DeFi protocol that provides exchange, custody, lending or portfolio management services to users in a regulated jurisdiction may require a CASP authorisation under MiCA, a VASP licence under the applicable national regime, or both. Where no identifiable legal person provides the service, regulators are increasingly looking to front-end operators, foundations and core contributor teams as the responsible parties. Geofencing reduces but does not eliminate exposure.
What legal wrapper suits a DAO?
There is no single answer. A non-profit foundation – Swiss, Cayman or BVI – suits a protocol IP holder with no CASP-triggering activity. A Cayman or BVI foundation company suits a treasury vehicle. A DAO LLC (Wyoming or Marshall Islands) suits a US-nexus structure with known members and limited-liability needs. Complex protocols combining exchange, custody and fund functions typically require a layered structure: a foundation for IP, an authorised operating company for regulated services, and a separate treasury vehicle. The activity analysis drives the form selection.
Who is liable when a smart contract fails?
Liability depends on the cause of failure and the jurisdiction. In England and Wales, Singapore and Hong Kong, courts have recognised cryptocurrency as property and have granted injunctions and disclosure orders against exploiters. Developer liability in negligence, auditor liability and governance-vote liability are all live theories where identifiable parties made decisions that caused the loss. Where the DAO has no legal wrapper, common-law courts may treat token holders collectively as a general partnership, exposing each member to joint and several liability. Early formalisation and a documented upgrade governance process substantially reduce that exposure.
OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance that sit around them. We structure licensing, banking and tax as one mandate rather than three disconnected workstreams. Digital assets are the whole of our practice. We assess token classification against the substance of rights conferred, not the marketing label on the whitepaper. To discuss your DAO structure, contact info@oboluslaw.com.
By Roman Levitt, Technology & DeFi Counsel – specialising in smart-contract architecture review, DeFi protocol structuring and token classification across EU, UAE and Asia-Pacific regimes.
This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.