The meaning of fully decentralised under MiCA


Jonathan Galea

It is difficult to understate how dissatisfied I am with the use of the words ‘fully decentralised’ in MiCA. As a ‘legal romantic’, I found it hard to stomach the use of a term that is factually impossible to obtain made it to the final version of MiCA, even though it is in the preamble rather than formally forming part of the law. I am a fervent believer of the maxim “Lex non Cogit Ad impossibilia” which means that the law cannot compel a person to do anything vain or impossible or to do something which he/she cannot possibly perform.

It seems that the European Security Markets Authority (ESMA) is in agreement with the above, as is evidently shown in the second consultant package on MiCA’s RTS/ITS (referred to as ‘2CP’ throughout the article below). To set the tone for the rest of the argumentation below, a reading of our first article on MiCA and DeFi is recommended, along with a reference to the contentious Recital 22 partially quoted below:

This Regulation should apply to natural and legal persons and certain other undertakings and to the crypto-asset services and activities performed, provided or controlled, directly or indirectly, by them, including when part of such activities or services is performed in a decentralised manner. Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation. This Regulation covers the rights and obligations of issuers of crypto-assets, offerors, persons seeking admission to trading of crypto-assets and crypto-asset service providers. [emphasis added by author]

In the first part which we previously published, a conclusion was drawn that the test to determine whether a person falls within scope of MiCA vis-à-vis the topic of DeFi consists of two stages:

  1. Does the person meet the definition of a CASP as laid out under Article 3(1)(15) of MiCA?
  2. If the person meets such a definition, are they providing one or more of the crypto-asset services as defined under Articles 3(1)(16) to 3(1)(26)?

The main issues that were identified were the broad definitions attributed to CASPs and certain crypto-asset services, the rationale of which is justified and understandable, were it not for Recital 22 which casts some doubt on the delineation of what can be deemed as within scope or otherwise. A study of ESMA’s second consultation package, however, provides some critical clarity on this heated debate.

As the most extensive consultation package on MiCA by ESMA so far, it covers multiple topics, with the section of interest for the purpose of this article being the one tackling the continuity and regularity in the performance of crypto services, particularly the parts talking about the use of, and interaction with, permissionless distributed ledger technology (DLT).

ESMA is proposing the following definition for a permissionless DLT[1]:

‘permissionless distributed ledger technology’ means a technology that enables the operation and use of distributed ledgers in which no entity controls the distributed ledger or its use or provides core services for the use of such distributed ledger, and DLT network nodes can be set up by any persons complying with the technical requirements and the protocols.[2]

There are some immediate parallels to be drawn to the pervading theme running throughout legislative and regulatory efforts on DeFi undertaken by other institutions such as FATF and IOSCO, particularly the insistency that in order for a permissionless and/or decentralised ecosystem to subsist, no single entity can be seen as exercising control over the underlying ledger. The proposed definition further states that apart from control over the distributed ledger, such control also cannot extend over the use of such distributed ledger, and in the same vein, a single entity cannot exercise control to a degree where the provision of core services from its end is seen as fundamental and essential for the use of such distributed ledger.

In other words, it is not permissible for a single entity to provide core services for the use of a distributed ledger without which that same distributed ledger cannot function or outright exist, in order for the definition of a permissionless DLT to be met. On this latter point, I have taken the liberty of providing some further interpretation myself, because any single person can provide core services for maintenance and proper functioning of a permissionless DLT; the best examples that come to mind are Blockstream vis-à-vis Bitcoin, and ConsenSys vis-à-vis Ethereum. Naturally, the presence of certain persons which may be seen as playing a bit more of an important development role versus others does not mean that without them the underlying distributed ledger network cannot be used. Arguably, the proposed definition should be tweaked in order to reflect this better, in the spirit of ensuring that the neutral realities of the technologies in question are faithfully reflected in the law.

Speaking of technological reflections within the law, it is a relief to see that ESMA itself is seemingly politely puzzled at the legislator’s use of the term ‘fully decentralised’, as evidenced by point 108 of the 2CP:

ESMA acknowledges Recital 22 of MiCA that “(…) Where crypto-asset services are provided in a fully decentralised manner without any intermediary” should fall outside the scope of MiCA but also notes that the exact scope of this exemption remains uncertain. ESMA considers that an assessment of each system should be made on a case-by-case basis considering the features of the system. In this context, ESMA considers it useful to clarify how pre-trade transparency should apply to such protocols. This is without prejudice to any possible clarification that can be published in the future regarding the scope of the exemption for fully decentralised systems. [emphasis added by author]

ESMA goes on further to firmly acknowledge that decentralisation is not binary, but rather a range that starts from centralisation to an increasing degree of decentralisation, which degree can never entertain a threshold beyond which one can state that there is ‘full decentralisation’. This is evidenced under point 98 of the 2CP, which states that:

With DEXs, the blockchain takes the place of the intermediary. DEXs use autonomous code (often referred to as a ‘smart contracts’), to execute trades directly on the settlement layer of the blockchain (with differing degrees of decentralisation). [emphasis added by author]

Indeed, one can also safely argue that in order to minimise the risk of a permissionless DLT not remaining so, there should be more persons participating in various functions, ranging from development roles to partaking in the consensus mechanism as validators, miners, or nodes. The more there are such functionaries, the more decentralised the underlying network or protocol will be. There can never be an amount at which one can say that decentralisation has now been achieved and no more persons are needed, because the establishment of such an amount would mean that the DLT is, a contrario sensu, permissioned.

Indeed, ESMA clarifies that MiCA by no means is intended to prevent or prohibit the use of permissionless DLT by CASPs under point 71 of the 2CP, where it states that in setting certain differences between the uses of permissioned and permissionless DLT infrastructures by CASPs, no favourism over one or the other should be meted by the regulator. Unreasonably requiring CASPs to inflexibly or indiscriminately adhere to outsourcing requirements as outlined under Article 73 “when usage of permissionless DLT infrastructures are involved would arguably unintentionally prohibit their use of permissionless DLTs by a failure to comply—an outcome that would be contrary to the spirit of MiCA”.

However, the coup de grâce in this thesis lies in point 63 of the 2CP, which states the following:

As it relates to contractual arrangements, Article 73 of MiCA (on outsourcing) elaborates how CASPs should address the risks associated with third-party providers. But there is no legal basis to consider a permissionless DLT used by a CASPs as a third-party provider because no formal contractual relationship (such as a service level agreement) is required to interact with permissionless blockchains. And if the use of permissionless DLT infrastructure does not constitute a third-party provider relationship (in the traditional contractual sense) then it would not fall under scope of the requirements of the MiCA outsourcing article. In this case, permissionless DLTs may be considered a form of “common good”9 resource whereas a permissioned DLT operated by a commercial enterprise will likely have contracts available for ‘white-labelled’ blockchain products; in which case it can be considered as a “third-party provider”. [emphasis added by the author]

This is not only interesting but extremely important, as ESMA is firmly stating that the use of a permissionless DLT by a CASP cannot be construed as a formal contractual relationship, since such is not needed in the first place, and secondly, a permissionless DLT is a “common good” resource not operated by a single person or entity, meaning that in any case a formal contractual relationship cannot exist since a legal contract needs a minimum of two parties. Indeed, ESMA is using this line of reasoning to exclude the use of permissionless DLTs by CASPs from the requirements of MiCA’s outsourcing article.

This supports the argument that as long as a particular protocol or platform (collectively called ‘technology’) as the case may be meets the definition of a ‘permissionless DLT’ (mutatis mutandis) in that no entity is controlling the technology or its use, or without which the technology in question cannot be used, and anyone can participate as long as the technical requirements are met and complied with, then that same technology can be categorised as permissionless. Since a permissionless technology cannot have any single person in control as per the definition of a permissionless DLT, this in turn means that the technology itself must be sufficiently decentralised to such a degree, that is where no person is controlling it or its use.

This theorisation can be materially applied to DeFi protocols or platforms that are based on, or integrated with, a permissionless DLT. As long as the DeFi technology, which loosely and generally consists of a suite of smart contracts executed on a permissionless DLT with a front-end that provides a GUI through which a user can interact with the smart contracts, is not within the control of a single entity, and no single entity likewise controls its use or is providing core services without which the DeFi technology cannot function, then that same DeFi technology falls outside of MiCA’s scope. This necessitates a level of decentralisation at multiple levels, including the existence of multiple front-ends so that access to the smart contracts through a GUI does not depend on a single front-end operated by an entity, as arguably front-ends are the main means of access to the underlying smart contracts constituting the DeFi technology.

Additionally, and by way of tackling it from a different angle, in order for a DeFi protocol or platform to fall within scope of MiCA, there must exist a service provider – client relationship, as propounded in our previous article. Without a service provider – client relationship, users accessing a DeFi technology are not doing so as clients of CASPs providing crypto-asset services; it can well be argued that users are accessing a “common good resource”, as referenced under point 63 of the 2CP. Ideally, any elements that could lead to the establishment of a service provider – client relationship, such as the charging of fees (excluding transaction fees payable to validators/miners), should be minimised or eliminated so that the existence of such a relationship is not present. This would serve as a double-layered ‘protection’ for a DeFi technology to soundly fall within the exemption afforded under MiCA.

Therefore, it is safe to conclude that as long as no person is controlling a DeFi protocol/platform and its use, and no person is playing a fundamental and essential role for the functioning of a DeFi protocol/platform without which such DeFi protocol/platform cannot be used, then that same DeFi protocol/platform can be deemed to be exempted from MiCA’s scope. Or, to use the very words that the legislator loves and I loathe, it can be deemed to be ‘fully decentralised’.  

[1] Article 1, RTS on measures that crypto-asset service providers must take to ensure continuity and regularity in the performance of services [pg. 102 of the Consultation Paper]
[2] A ‘Distributed Ledger’ is defined under Article 3(1)(2) of MiCA as an information repository that keeps records of transactions and that is shared across, and synchronised between, a set of DLT network nodes using a consensus mechanism.


Cryptocurrency Regulation