Few questions left open by Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) are as consequential as the treatment of decentralized finance (DeFi). While MiCA established a framework for crypto-asset issuers and crypto-asset service providers (CASPs), it intentionally excluded one area from its scope. MiCA recital 22 states that “where crypto-asset services are provided in a fully decentralized manner without any intermediary, they should not fall within the scope of this Regulation.”
This so-called DeFi exemption reflects a practical reality: MiCA was built around identifiable actors. Where no person provides a service or exercises control, traditional regulatory tools struggle to assign legal responsibility.
Through its targeted consultation under Articles 140 and 142 MiCA, launched on 20 May 2026, the European Commission is now exploring whether, and to what extent, that assumption still holds in practice. The consultation reflects an increasing regulatory focus on how existing frameworks could apply to decentralized activity.
From Binary Categories to Degrees of Decentralization
The consultation defines DeFi as software programs deployed on blockchains or other distributed ledger technologies that operate autonomously without intermediaries and offer financial functions such as trading, lending, borrowing or portfolio management. At the same time, it acknowledges a broader understanding of DeFi that includes any blockchain-based applications, including applications that have an identifiable intermediary or person exercising control over its operation.
This distinction highlights a growing tension within MiCA. The existing framework effectively assumes a binary world in which a service is either fully decentralized and thus outside the regulatory scope of MiCA, or intermediated and therefore subject to regulation. Market reality, of course, is considerably more complex. Many allegedly decentralized protocols retain identifiable developers, concentrated governance, admin-key control, upgrade rights or organized entities responsible for promotion and ecosystem development. Decentralization often exists on a spectrum rather than as a binary characteristic.
A notable feature of the European Commission’s consultation is that it does not primarily focus on regulating fully decentralized protocols directly. Instead, it explores whether responsibility can be attached to identifiable persons exercising influence over a protocol, or to regulated intermediaries facilitating access to it.
Among the criteria proposed are:
existence of an identifiable intermediary;
control by an identifiable person over key functionalities of a DeFi protocol;
concentration of governance power over key functionalities;
custody or control of user assets within or through the DeFi protocol;
closed-source DeFi protocol code; and
marketing of a DeFi protocol by an identifiable person or entity.
These criteria identify circumstances in which legal responsibility may be attributed despite the use of decentralized technology. The consultation suggests that future regulation may focus less on whether a protocol labels itself as decentralized and more on whether meaningful control, access or economic influence remains concentrated in identifiable hands.
The Importance of Interfaces and Economic Control
A further question is whether regulatory responsibility should attach not only to technical control over a protocol, but also to the way in which users are given access to it. In practice, most DeFi protocols are accessed through websites, mobile applications, APIs, wallets or aggregators operated by identifiable persons. Even where the underlying smart contracts are autonomous, those interfaces may determine how users interact with the protocol, which risks are disclosed, which assets are displayed, and whether access is facilitated or restricted. Similarly, fee switches, treasuries, token allocations and other mechanisms of economic benefit may indicate that identifiable persons continue to exercise influence over the ecosystem. This suggests that future regulatory analysis may focus not only on who controls the code, but also on who controls access, communication and economic value extraction.
Regulating Through Gatekeepers
Therefore, if genuinely decentralized protocols cannot easily be regulated directly, regulators may seek to regulate access to them instead.
This possibility is explored through the consultation’s discussion of CASPs. The European Commission asks whether risks arising from fully decentralized protocols should be addressed indirectly by requiring CASPs to conduct due diligence on the protocols to which they connect clients.
The consultation examines whether CASPs should:
provide warnings and risk disclosures;
be liable for certain types of incidents where they facilitate access to the relevant DeFi application;
limit access to certified protocols;
discourage or discontinue access to protocols associated with illicit activity;
discontinue facilitating connection to decentralized DeFi applications in general; or
rely on public or private whitelists and blacklists.
Such indirect regulation through CASPs could preserve the formal exclusion of fully decentralized protocols from MiCA while nevertheless bringing significant parts of the DeFi ecosystem within a regulatory framework. For CASPs, this could ultimately resemble product governance and protocol due diligence obligations. The question would no longer be whether a protocol is regulated, but whether a regulated intermediary can justify providing access to it.
Certification as a New Regulatory Layer
Perhaps the most innovative aspect of the consultation is the exploration of certification schemes for DeFi protocols.
According to the European Commission’s consultation, certification of a DeFi application would involve verifying that it robustly mitigates smart contract vulnerabilities and operational risks more generally, and that it functions in accordance with its publicized performance. The consultation asks whether certification should apply broadly across DeFi services or only to specific categories, whether certification should become mandatory for certain protocols, and whether CASPs should be permitted to connect clients only to certified protocols.
Historically, financial regulation has focused on supervising institutions. Banks, investment firms, payment institutions and other regulated entities obtain licenses and become subject to ongoing prudential and conduct supervision. DeFi challenges that model because the relevant infrastructure may consist primarily of software rather than institutions.
Certification would represent a different regulatory approach. Rather than supervising institutions through licensing and ongoing oversight, regulators could establish standards for protocol architecture, governance, operational resilience and code security, with compliance assessed through technical review. Certification may also create a self-identification incentive: developers, governance participants or other persons involved in a protocol may be encouraged to come forward voluntarily in order to obtain certification. From a regulatory perspective, that would reveal the person or entity through whom compliance obligations could be addressed. For DeFi participants, certification would increase compliance costs but could also facilitate greater institutional adoption by providing common standards for security, operational resilience and auditability.
Beyond the DeFi Exemption
What this consultation reveals is a growing regulatory focus on how financial regulation should apply where financial functions are performed through software rather than traditional intermediaries. At least three possible approaches emerge from the consultation. The first is to develop clearer criteria for determining when a protocol is sufficiently decentralized to remain outside the regulatory perimeter. The second is to regulate access through CASPs and other regulated gatekeepers. The third is to introduce certification frameworks that assess protocols themselves rather than only the entities behind them.
Conclusion: From Intermediary-Based Supervision to Function-Based Regulation
The DeFi exclusion remains in place for now. Yet the consultation suggests that the European Commission is actively exploring where responsibility can be attached in decentralized environments. The key question is no longer whether DeFi warrants regulatory attention, but how regulatory obligations may be applied when financial functions are performed through software rather than traditional intermediaries.
Stakeholders may submit comments via the European Commission’s questionnaire until 31 August 2026 at the following link: https://ec.europa.eu/eusurvey/runner/mica-review-targeted-2026