Malta regulator proposes new DAO category in DeFi rulebook
Malta’s financial watchdog is pushing to carve out a formal place in law for decentralized autonomous organizations (DAOs), as European authorities step up their focus on DeFi under the Markets in Crypto-Assets (MiCA) regime.
In a discussion paper released on June 12, the Malta Financial Services Authority (MFSA) launched a public consultation, open until July 10, to gather industry views on how decentralized finance should be treated under the EU’s crypto rulebook. At the center of the proposal is a new legal notion: “software-based organizations.”
‘Software-based organizations’ as a legal wrapper for DAOs
Instead of drafting a standalone DAO law, the MFSA suggests introducing software-based organizations as a broader legal category. This concept is designed to capture DAOs and similar blockchain-native structures that are largely governed by code rather than by traditional corporate hierarchies.
Under the proposal, the organization would be recognized in law as a distinct legal entity, separate from the underlying smart contracts, protocols, and software components it uses. In other words, the legal entity and the codebase would be treated as related but independent layers.
Regulators argue that drawing this line between the entity and its technology could help address recurring issues in DeFi: fragmented governance, unclear accountability, and difficulty assigning responsibility when something goes wrong. If an identifiable organization sits atop the protocol, authorities could more easily determine who must comply with regulations and who is accountable for disclosures, risk management, and user protection.
MiCA leaves fully decentralized systems outside its scope
The MFSA paper underscores a critical nuance in MiCA: fully decentralized projects fall outside the regulation’s remit. MiCA is built around the idea of regulated intermediaries, so if there is no central operator, no custodian, and no controlling entity, the framework effectively has no one to license or supervise.
“MiCA excludes fully decentralised models from its regulatory scope, meaning that projects without intermediaries or central control may not need to comply with MiCA,” the document notes.
However, the regulator points out that many protocols describing themselves as “decentralized” still retain meaningful points of control: admin keys, core teams that can upgrade contracts, or small groups influencing governance votes. This gray area complicates classification. If a project is not truly decentralized, but also not organized like a traditional firm, how should it be treated under MiCA? The proposed software-based organization category is Malta’s attempt to fill this gap.
Building on Malta’s early crypto-law experiments
Malta was among the first European jurisdictions to adopt a specialized crypto framework in 2018, positioning itself as a hub for digital asset businesses. The new consultation extends that earlier effort into the DeFi space, where regulatory questions have become more pressing as protocols handle growing volumes of assets and users.
The MFSA’s move reflects a broader shift from treating DeFi as a marginal niche to viewing it as a core part of the digital asset ecosystem that needs clear guardrails. By trying to define legal parameters for software-governed organizations, Malta is also signaling that it wants to remain competitive as MiCA reshapes the European landscape.
Centralization risks in DeFi governance
Concerns about how decentralized DeFi really is have been growing among policymakers and central banks. In March, a working paper from the European Central Bank examined governance patterns in four major DeFi protocols. The study concluded that voting power and decision-making authority were heavily concentrated among a relatively small circle of participants.
That concentration raises a practical problem for classification under MiCA: if a handful of addresses can push through changes, override community decisions, or redirect protocol funds, it becomes difficult to argue that the system is “fully” decentralized in the sense MiCA uses.
Under the MFSA’s logic, these are precisely the projects that might be captured by the software-based organization model: not traditional companies, but not pure public infrastructure either. Giving them a legal wrapper could allow regulators to align requirements-such as governance disclosures, conflict-of-interest rules, or risk warnings-with the reality of who actually wields power.
EU-wide review of whether MiCA fits DeFi
Malta’s initiative comes as Brussels reassesses whether MiCA, agreed before DeFi’s latest growth wave, adequately covers protocols that operate primarily through code. In May, the European Commission started a targeted review of MiCA and called for feedback on several sensitive topics, including:
– whether interest-bearing stablecoin products should be more tightly controlled,
– how DeFi activity should be monitored and, where necessary, regulated,
– and whether there are regulatory blind spots that might require additional legislation.
This review signals that MiCA may not be the final word on crypto regulation in Europe, especially when it comes to protocol-level financial services that do not fit easily into existing categories of “issuer,” “custodian,” or “service provider.”
Countdown to full MiCA implementation
All of this debate is unfolding against a hard deadline. EU authorities are preparing for the final implementation phase of MiCA. After a phased transition, the grace period ends on July 1, 2026. From that date, crypto exchanges, brokers, and wallet providers operating without a MiCA authorization will be barred from serving clients in the European Union.
The European Securities and Markets Authority (ESMA) has clarified that any firm still offering crypto-asset services without the appropriate MiCA license after the cut-off would be in breach of EU law. ESMA also expects non-compliant businesses to plan for an orderly exit: winding down operations, supporting customers in transferring funds and tokens, and-where possible-assisting users to move to either authorized providers or self-custody solutions.
A massive transition for Europe’s crypto industry
Data compiled by law firm Hogan Lovells highlight the scale of the adjustment ahead. As of 2024, Europe counted more than 3,000 virtual asset service providers. Yet by May 2026, only 194 entities had secured approval as crypto-asset service providers, including banks and other credit institutions.
This discrepancy suggests that hundreds, if not thousands, of existing players will either have to obtain authorization, merge, relocate, overhaul their business models-or exit the market altogether-before the July 2026 deadline. Projects with DeFi exposure will face an additional layer of complexity, as they must determine whether and how MiCA applies to them.
Within that context, Malta’s consultation is more than a technical legal exercise. It is part of a broader European effort to decide how to handle crypto-native structures that blur the line between protocol and company, code and corporate personhood.
—
Why a DAO-specific approach matters now
The timing of Malta’s proposal is not accidental. As DeFi protocols move beyond simple token swaps into lending, derivatives, asset management, and even real-world asset tokenization, regulators are less willing to accept structures where no one appears legally accountable.
For DAOs, the benefits of a formal legal wrapper can be significant:
– Reduced personal liability for contributors, who might otherwise be treated as part of an unincorporated partnership.
– Ability to sign contracts, hire service providers, and open bank accounts under a legally recognized entity.
– Clearer tax and accounting treatment, which is increasingly important for protocols interacting with traditional finance.
– More predictable regulatory expectations, making it easier to engage with institutional users and regulated counterparties.
The trade-off, of course, is that legal recognition tends to come with obligations-reporting, governance standards, and potential supervisory oversight.
What Malta’s “software-based organization” could mean in practice
If Malta proceeds with its proposal, software-based organizations could function as a flexible framework that covers a range of crypto-native structures, such as:
– DAOs running lending or trading protocols,
– on-chain investment clubs and vaults,
– cross-chain infrastructure managed through token voting,
– or even NFT platforms where key decisions are governed by smart contracts.
The legal entity might, for example, be required to:
– register its purpose and governance model,
– disclose who can upgrade or pause contracts,
– set out how token voting works and how conflicts of interest are handled,
– and maintain basic risk-management policies, especially when user funds are at stake.
Such a structure would not remove the on-chain governance layer, but would complement it with an off-chain legal framework, potentially making it easier to resolve disputes, respond to hacks, or cooperate with regulators.
The decentralization spectrum under MiCA
One of the underlying challenges for EU regulators is that “decentralization” is not binary. Many protocols exist on a spectrum:
– At one end are highly centralized platforms that market themselves as DeFi but rely on a company-controlled backend and admin keys.
– In the middle are hybrid projects: smart contracts on public blockchains, but with core teams that retain emergency powers or heavy influence over governance.
– At the far end are infrastructure-like protocols whose governance is widely dispersed, with no identifiable controlling group.
MiCA clearly covers the first category. The third category, truly decentralized systems, are currently out of scope. Malta’s software-based organization idea is primarily aimed at the vast middle ground, where there is enough centralization for accountability but enough decentralization that traditional corporate forms are a poor fit.
Implications for DeFi builders and investors
For DeFi developers targeting EU users, the evolving framework presents both risks and opportunities:
– Design choices may become regulatory choices. How upgradeable contracts are, who holds multi-sig keys, and how voting power is distributed could determine whether a project is treated as in-scope under MiCA.
– Jurisdiction shopping may intensify. If Malta offers a clear, workable legal path for DAOs, some teams may choose to base their legal entities there while operating across the EU under MiCA-compliant structures.
– Institutional adoption could accelerate. Pension funds, asset managers, and banks are more likely to interact with DeFi protocols that have recognized legal entities and transparent governance frameworks.
For token holders and users, more formalized structures could bring improved transparency, standardized disclosures about protocol risks, and clearer remedies when things go wrong-though they may also reduce the ability of some projects to operate in a regulatory vacuum.
Potential challenges and open questions
Despite its promise, Malta’s proposal raises several unresolved issues:
– How to measure “sufficient decentralization.” At what point does a software-based organization become so decentralized that it no longer needs a legal wrapper-or vice versa?
– Cross-border enforcement. Even with a Maltese entity, protocol participants may be globally dispersed. How effective can enforcement or supervision be in that scenario?
– Balancing innovation and control. Too rigid a framework might drive developers away from the EU; too loose a framework may fail to address the very governance risks regulators are worried about.
– Interaction with other EU and national laws. MiCA is only one piece of the puzzle; securities law, consumer protection, AML rules, and prudential regulations may all intersect with DeFi activity.
These questions are likely to shape the feedback Malta receives during its consultation and will influence how any final rules are drafted.
A test case for Europe’s approach to code-native entities
Ultimately, Malta’s initiative is a test of whether European regulators can design rules for entities whose core operations are encoded in smart contracts rather than in corporate bylaws. If successful, the software-based organization concept could provide a template for other EU states-and perhaps inform future amendments to MiCA itself.
If it fails, either by proving unworkable for developers or unattractive for investors, the EU may find itself facing a fragmented landscape, with some projects fleeing to more permissive jurisdictions and others struggling to retrofit traditional legal forms onto code-native systems.
As the July 2026 MiCA deadline approaches, the pressure to find answers will only increase. For now, Malta’s consultation marks a significant step in Europe’s attempt to bring DAOs and DeFi within a coherent regulatory perimeter-without smothering the very innovation that made them possible.