Decentralised Finance (DeFi) has the potential to reshape the financial landscape, offering open, programmable alternatives to traditional banking.
In their joint report on recent developments in cryptoassets from January 2025, the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) estimate that the DeFi market represents about EUR 78 billion or 4% of total cryptoasset market capitalisation with an estimated 7.2 million DeFi users in the EU. But with its rise come serious questions: can finance function without institutions? Who is responsible when things go wrong? And how can regulators protect consumers and financial stability without stifling innovation?
What is DeFi and how does it work?
There is no legal definition of DeFi, but most commonly it is understood to be a blockchain-based financial infrastructure detached from a central institution (eg an issuer or intermediary). From a technical perspective, DeFi platforms are usually based on Ethereum as a settlement layer, followed by the asset layer, which consists of the assets issued based on the respective settlement layer (coin/token). A protocol layer stores decentralised apps (DApps) that perform the DeFi functions using smart contracts. The application layer is the platform’s front end that provides access to its DApps. On top, there is an aggregation layer providing easier access to one or more DeFi platforms and functions – typically via a web browser or an app (Aggregator).
DApps are software applications that run on a blockchain rather than on a central server. Unlike traditional apps controlled by a central institution, DApps operate on peer-to-peer networks and execute functions such as trading, exchanging and lending cryptocurrencies using smart contracts: self-executing code that governs how digital assets are transferred, without human involvement, central oversight or manual steps. A defining feature of DApps is that their code is open source and their execution is validated by the blockchain's consensus process, so every node checks the result of each transaction against the shared ledger. However, since DApps follow predefined protocols/smart contracts, they cannot react independently to changing circumstances.
For subsequent adjustments, developers regularly establish decentralised control processes. This so-called 'on-chain governance' is usually conducted by a decentralised autonomous organisation (DAO), a group of users holding governance tokens. The DAO votes on changes to the protocol, its smart contracts and their oversight. However, the level of decentralisation of DeFi platforms is not binary, but fluid, and varies greatly. So far, this segment lacks established standards on voting procedures and minority rights, as well as on the authority and responsibility of users holding management rights.
The Aggregators are frequently operated by service providers independent from the DAO and platform’s developers. They provide straightforward access to DeFi services for users without deep technical knowledge. Furthermore, they provide bundled access to multiple DeFi functions or even platforms in one interface. This enables users to combine various DeFi functions and carry out comprehensive transactions even across platforms.
How is DeFi regulated in the EU?
While DeFi presents itself as a borderless, permissionless financial system, it increasingly intersects with national and supranational regulatory frameworks. Regulators are all faced with similar issues regarding DeFi platforms: without a central entity, how can territorial jurisdiction be determined and who is responsible for compliance?
MiCA - Europe’s flagship crypto regulation
The Regulation on markets in crypto-assets (EU) 2023/1114 (MiCA) marks a watershed moment for the EU’s crypto landscape. It regulates issuers of crypto-assets, and crypto-asset service providers (CASPs). However, MiCA excludes crypto-asset services that are “provided in a fully decentralised manner without any intermediary.” This means truly decentralised platforms, where no person or entity controls the system, are outside the scope of MiCA.
However, most DeFi platforms retain some level of centralisation – through developer teams, admin keys, front-end websites, or DAO structures. If any person can be identified as exercising effective control, they may fall within MiCA’s scope and require a CASP licence. The same applies to service providers operating Aggregators which, depending on the services offered, might be performing cryptoasset services under a centralised regime and thus fall within the scope of MiCA.
MiFID II - when DeFi meets traditional financial instruments
DeFi applications may allow the trading of tokenised financial instruments, including shares, bonds, or derivatives represented on the blockchain. Where traditional financial products are tokenised and traded, existing financial law applies, regardless of technological packaging. In such cases, the EU Directive on markets in financial instruments, Directive 2014/65/EU (MiFID II), may apply. This depends on whether the token qualifies as a financial instrument under MiFID II. A DeFi platform offering a trading venue can fall within the scope of MiFID II as a regulated multilateral trading facility (MTF). MiFID II does not provide for an explicit exclusion of fully decentralised platforms and so applies to DeFi platforms providing regulated services. However, with increasing decentralisation, the challenges for regulators in determining jurisdiction and responsible persons increase as well.
Responsibility for compliance with MiFID II is, in principle, assigned to the entity providing the regulated services. However, without a central entity operating a platform, authorities might look to DAOs or to individuals holding a significant share of voting rights in the respective DAO. The qualifying holdings regime already in place for shareholders of entities providing regulated services is based on the assumption that a holding of 10% or more in the service provider grants influence over its governance. This concept may be applied to voting rights in DAOs, such that persons controlling at least 10% of voting rights are assumed to have a degree of control over the platform and may therefore be assigned responsibility for compliance.
MiFID II regulators have jurisdiction either from the entity's registered office or from the provision of regulated services in their respective geographical market. Without a central entity providing DeFi functions, and therefore no determinable registered office, jurisdiction will result from the provision of services in specific markets. This is the case in particular if marketing is targeted towards clients in a specific country (eg by using messages or spokespersons specific to a country). However, Article 61 MiCA and Article 42 MiFID II both exclude non-EU service providers from the scope of application as long as services are provided at the exclusive request of the client (reverse solicitation).
Focus on Austria
Taking Austria as an example of individual Member State activity, Austria’s Financial Markets Anti-Money Laundering Act (FM-GwG) imposes obligations on CASPs focussing on prevention of money laundering and terrorism financing, requiring robust KYC/AML procedures as well as transaction monitoring and reporting.
Since the application of MiCA, the registration of CASPs under the FM-GwG, which until 31 December 2024 was the only mandatory registration, has become part of the MiCA authorisation regime. A separate registration under the FM-GwG is no longer required for CASPs within the scope of MiCA, but the FM-GwG's obligations continue to apply to them.
Decentralisation is not binary, it is a spectrum, and the Austrian Financial Market Authority (FMA) generally applies a substance-over-form approach with emphasis on a case-by-case assessment. Like other regulators, it is likely to watch 'pseudo-decentralised' services closely.
Potential and benefits of DeFi
Despite regulatory ambiguity and technological infancy, DeFi holds significant transformative potential for global financial systems. Its unique architecture enables novel financial services, improved market efficiency, and greater access - particularly in traditionally underserved markets.
Innovation at scale
DeFi is driven by open-source smart contracts, allowing developers across the globe to build and deploy financial products without the permission of intermediaries or institutions, challenging traditional views on risk, trust and value creation. This has given rise to entirely new financial instruments, such as:
- Flash loans: instant, unsecured loans that are borrowed and repaid within a single blockchain transaction; if the loan is not repaid by the end of the transaction, the whole transaction reverts, so the lender is never exposed. Useful for arbitrage, refinancing, or liquidations.
- Synthetic assets: tokenised derivatives that replicate the price of real-world assets (eg stocks, fiat currencies), enabling cross-market exposure without traditional infrastructure.
- Yield farming and liquidity mining: new models of incentivising users to participate and provide liquidity to platforms, often through the distribution of tokens.
Financial inclusion
One of DeFi’s most cited promises is its potential to democratise access to financial services. By design, DeFi protocols are accessible to anyone with an internet connection and a crypto wallet - no credit score, paperwork, or bank account required. This can be particularly impactful in developing economies, where millions remain unbanked or underbanked. DeFi could offer access to savings tools, loans, and global remittances, often with lower barriers and costs than traditional financial systems.
Interoperability and composability
DeFi protocols are often described as “money legos” due to their composable nature. A lending platform, for example, can be integrated into a trading platform or a synthetic asset protocol, allowing developers to stack and combine services seamlessly. This modularity fosters rapid experimentation and market-driven evolution, enabling the creation of highly customisable financial ecosystems without the friction of inter-institutional coordination.
Cost efficiency and speed
By eliminating traditional intermediaries - banks, brokers, clearinghouses - DeFi drastically reduces transaction costs and allows for near instant settlement of trades. Smart contracts execute automatically and transparently, removing the need for back-office reconciliation or manual verification. Although some of these advantages are dependent on the scalability of the underlying blockchain, the long-term efficiency gains are compelling, especially in high-volume or cross-border use cases.
Risks and challenges
Alongside these opportunities, DeFi presents a new class of legal, technical, and economic risks that are complex and often difficult to mitigate within the decentralised ecosystem.
Smart contract vulnerabilities
Despite their deterministic logic, smart contracts are only as secure as the code they are built on. History has shown that DeFi protocols are frequently exploited through bugs, design flaws or the manipulation of oracles (the components that feed off-chain data, such as asset prices, into smart contracts). A manipulated price feed can trigger unintended outcomes, for example the release of loans against collateral that is worth far less than the oracle reports. Since many DeFi projects are unregulated and unaudited, or only partially reviewed, users bear significant risk.
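The two mechanisms discussed above, the atomic flash loan from the list of new instruments and the oracle manipulation named in this section, combine into one well-known attack pattern. The following simulation is an added example, not code from the original article, and models no real protocol: a toy constant-product pool serves as a lending protocol's price oracle, an attacker flash-borrows USDC inside one transaction, skews the pool, borrows against the now-inflated collateral and repays the loan, leaving the lender with bad debt. The same transaction against a time-weighted average price (TWAP) oracle, with and without an additional spot-deviation guard, fails and reverts. The pool reserves, the 75% loan-to-value ratio, the 0.09% flash-loan fee and the oracle classes are all constructed assumptions.

```python
"""Simulation of a flash-loan-funded spot-oracle manipulation and its TWAP fix.

Everything here is a constructed toy: pool reserves, loan-to-value ratio,
flash-loan fee and the oracle classes are assumptions for illustration,
not any real protocol's code or parameters.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class Pool:
    """Constant-product AMM (token * usdc = k). Swap fees omitted for clarity."""
    token: float
    usdc: float

    def spot_price(self) -> float:
        """Instantaneous TOKEN price in USDC; moves with every swap."""
        return self.usdc / self.token

    def buy_token(self, usdc_in: float) -> float:
        """Swap USDC in for TOKEN out, keeping the product constant."""
        k = self.token * self.usdc
        self.usdc += usdc_in
        out = self.token - k / self.usdc
        self.token -= out
        return out

    def sell_token(self, token_in: float) -> float:
        """Swap TOKEN in for USDC out, keeping the product constant."""
        k = self.token * self.usdc
        self.token += token_in
        out = self.usdc - k / self.token
        self.usdc -= out
        return out


class SpotOracle:
    """Naive oracle: reports the pool's current spot price (manipulable in-tx)."""
    def __init__(self, pool: Pool):
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Averages prices sampled at earlier block boundaries. A swap inside the
    current transaction moves the spot price but not the stored samples."""
    def __init__(self, pool: Pool, window: int = 10):
        self.pool, self.window, self.samples = pool, window, []

    def new_block(self) -> None:
        self.samples.append(self.pool.spot_price())

    def price(self) -> float:
        return mean(self.samples[-self.window:])


@dataclass
class Lender:
    """Toy lending pool: lends USDC against TOKEN collateral valued by `oracle`."""
    oracle: object
    pool: Pool
    ltv: float
    reserve: float
    max_deviation: Optional[float] = None  # optional spot-vs-oracle circuit breaker
    collateral: float = 0.0
    debt: float = 0.0

    def borrow(self, collateral_token: float) -> float:
        price = self.oracle.price()
        if self.max_deviation is not None:
            spot = self.pool.spot_price()
            if abs(spot - price) / price > self.max_deviation:
                raise ValueError("spot price deviates from oracle; borrowing paused")
        amount = collateral_token * price * self.ltv
        if amount > self.reserve:
            raise ValueError("insufficient reserve")
        self.collateral += collateral_token
        self.debt += amount
        self.reserve -= amount
        return amount


def run_attack(oracle_kind: str, guard: bool = True,
               loan: float = 2_000_000, fee_rate: float = 0.0009) -> dict:
    """One atomic transaction: flash-borrow `loan` USDC, skew the pool, borrow
    against the inflated collateral, repay loan plus fee. Returns the outcome."""
    pool = Pool(token=1_000_000, usdc=1_000_000)  # assumed reserves, price 1.00 USDC
    if oracle_kind == "spot":
        oracle = SpotOracle(pool)
        deviation = None
    else:
        oracle = TwapOracle(pool)
        for _ in range(10):
            oracle.new_block()                    # calm price history at 1.00
        deviation = 0.05 if guard else None
    lender = Lender(oracle, pool, ltv=0.75, reserve=5_000_000, max_deviation=deviation)

    try:
        tokens = pool.buy_token(loan)             # step 2: spot price jumps (to 9.00 here)
        borrowed = lender.borrow(tokens)          # step 3: collateral priced by oracle
        price_used = oracle.price()
        owed = loan * (1 + fee_rate)
        if borrowed < owed:
            raise ValueError("cannot repay flash loan")
    except ValueError as reason:
        # The whole transaction reverts; on chain, pool and lender are untouched.
        return {"reverted": True, "reason": str(reason), "profit": 0.0, "bad_debt": 0.0}

    profit = borrowed - owed
    # Collateral is abandoned; the lender's real recovery is what it fetches on the pool.
    recovered = pool.sell_token(lender.collateral)
    return {"reverted": False, "price_used": price_used,
            "profit": profit, "bad_debt": lender.debt - recovered}


if __name__ == "__main__":
    for kind, guard in (("spot", True), ("twap", True), ("twap", False)):
        print(kind, "guard" if guard else "no guard", run_attack(kind, guard))
```

With the assumed numbers, the spot-priced lender values the attacker's 666,667 TOKEN at 9.00 USDC each and lends 4.5 million USDC, of which the attacker keeps roughly 2.5 million after repaying the flash loan; the abandoned collateral is worth only 2 million when sold back, so the lender carries the difference as bad debt. Against the TWAP oracle the same collateral is still valued at 1.00, the 500,000 USDC loan cannot repay the 2,001,800 owed and the transaction reverts; the deviation guard stops it one step earlier by refusing to lend while spot and oracle price disagree by more than 5%. The guard alone is not a complete defence (a manipulator who can hold the pool skewed across several blocks moves the TWAP too), which is why production protocols typically combine time-weighting, multiple price sources and borrow caps.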
Lack of legal accountability and regulatory uncertainty
DeFi platforms controlled by DAOs - lacking formal legal personality - raise questions about accountability, liability and applicability of contract law without a clear counterparty. This accountability vacuum challenges established principles of consumer protection and legal enforceability.
Furthermore, DeFi projects face a growing patchwork of uncertain and evolving regulatory environments, without clear guidance on the applicability of MiCA, MiFID II and AML laws. These grey areas create compliance risks, deter institutional participation, and may expose developers to unexpected legal consequences.
Money laundering and sanctions evasion
The pseudonymous and borderless nature of DeFi makes it attractive to illicit actors. Funds can be moved, swapped and concealed through mixers (services that pool and redistribute coins to inhibit transaction tracing), bridges (services that move assets between different blockchains) and decentralised exchanges, with limited oversight or traceability. Regulators are increasingly concerned about DeFi's use in money laundering, terrorist financing and the circumvention of sanctions. Projects that provide user interfaces or governance functions may inadvertently become gatekeepers or intermediaries in the eyes of authorities, even if the underlying smart contracts are decentralised.
Governance centralisation and capture
While many DeFi protocols claim to be community-driven, the reality is often more centralised. A small number of token holders may dominate voting outcomes, or core development teams may retain privileged control, for instance through admin keys that allow protocol upgrades or emergency actions by a few insiders. This leads to what some call "decentralisation theatre", where systems appear open but remain functionally centralised. This undermines both the rationale for regulatory leniency and users' trust.
Where do we go from here?
DeFi represents more than just a technological innovation: it is a reimagining of how financial infrastructure can function, open, permissionless, transparent and globally accessible. However, it exists today in a legal and regulatory grey zone, raising fundamental questions about liability, enforceability, financial stability and compliance. While regulators grapple with how to apply existing frameworks, or design new ones tailored to decentralised systems, DeFi continues to evolve. Legal clarity will be essential to support responsible innovation while addressing concerns around consumer protection, systemic risk and financial crime. Notably, the lines between "traditional" and "decentralised" finance are beginning to blur. Established Fintechs are increasingly exploring services in relation to DeFi, whether by leveraging blockchain infrastructure, by participating in regulated versions of DeFi protocols or by providing Aggregators.