“What’s legal in one country may be a license violation in another; that’s where most founders get caught.”

Viktor Juskin, co-founder of LegalBison, explains how cryptocurrency founders must navigate the complex regulatory landscape of 2026, from MiCA and DORA compliance to DAO liability and jurisdictional strategies in the EU, US, and UAE.

Viktor Juskin is co-founder and managing partner of LegalBisona global boutique legal and business services firm and licensed corporate services provider specializing in corporate structuring for FinTech and digital asset projects. LegalBison operates in over 50 jurisdictions with offices in Poland, Estonia, Bahrain, Costa Rica, Panama and Malaysia, serving clients ranging from major cryptocurrency exchanges to venture capital-backed payment platforms.

In this interview, he addresses the operational realities of the post-2026 transition regulatory framework: from the reach of DORA on IT infrastructure and the end of DAO immunity, to travel rules interoperability gaps and how founders should structure their jurisdictional strategy in the EU, US and UAE.

What does “running a global crypto business” really mean from a regulatory perspective? What surprises the founders the most?

It means that every country where you have users, process transactions or market your services is potentially a jurisdiction where you need authorization. Founders think globally about their product. The application works everywhere and blockchain does not care about borders. Regulators, on the other hand, think locally. They are concerned about whether their residents are being served, whether funds are being retained, and whether marketing is targeting their market. A single platform can generate obligations in a dozen jurisdictions at the same time. Each of these locations will have different requirements, deadlines, and application deadlines.

What specific business activities typically trigger licensing requirements that founders do not anticipate?

First, there is centralization. In the case of the MICA license, it means the existence of any specific service provider that directly or indirectly controls the project. The moment you hold a user’s private keys or maintain control over their assets, most jurisdictions classify you as a custodian/service provider, and that triggers licensing. Founders who think they are simply creating a cryptocurrency exchange are often creating a regulated escrow service. Second, the entry and exit fiduciary activity. Conversion between traditional currency and digital assets triggers payment regulations in almost all jurisdictions. Third, active marketing. Some countries distinguish between passively accepting clients who find you and actively soliciting clients on their territory. If your activities fall into the second category, you may need to register, even if your company is incorporated abroad. In many jurisdictions, there are also strict rules regarding reverse solicitation. Therefore, companies that own a crypto exchange license cannot rely solely on “global reverse request.”

How do you identify if a particular service requires licensing in a given jurisdiction?

It starts with the business model rather than the jurisdiction. Map every activity your platform performs: is it centralized? Do you retain funds from users? Do you execute operations on behalf of users? Does it facilitate transfers between parties? Do you offer advice? Each of these activities, to name a few, has a regulatory classification that varies by country. At LegalBison, we typically map such activities based on the regulatory frameworks of each of our clients’ target jurisdictions. The result is a matrix: which activities require which authorizations, where. That matrix is ​​the foundation of your entire corporate and licensing strategy, and without it, frankly, it’s a lot of guesswork.

DORA is often discussed as a capital and governance requirement. What is its real scope in IT infrastructure for crypto companies?

DORA goes far beyond capital. Regulation requires companies to map their entire ICT supply chain, which means identifying each third-party technology provider in their stack and formally assessing the risks they involve. A crypto platform running on AWS with a third-party KYC provider, third-party escrow solution, and out-of-the-box trading engine has four or five entities in that chain before you even count the subcontractors. Each link must be documented, evaluated and managed according to a formal third-party risk framework.

Boards of directors are now personally responsible for managing ICT risks. A major technological failure is a responsibility of the board of directors with possible enforcement consequences by the European Supervisory Authorities. CASP-licensed entities, for example, must also conduct regular resilience testing and report significant ICT incidents to their national competent authority. DORA sets a compliance standard closer to what banks maintain than what most EU-licensed VASPs have historically built.

Many DeFi founders assume that operating through smart contracts and decentralized governance means they fall outside the traditional regulatory purview. Is that assumption still valid in 2026?

It was never a reliable assumption in the first place. The CFTC case against Ooki DAO has only demonstrated this. The DAO was classified as an unincorporated association and the enforcement action demonstrated that regulators are willing and able to target decentralized structures that lack a traditional legal entity. Decentralization does not protect you from the consequences of non-compliance.

Regulators are following the pattern of operational control. If you implement the protocol, hold administrative keys, or exercise governance voting power that functions as administrative control, you are a potential law enforcement target, regardless of how the structure is labeled. The principle of same risk, same rule applies: if a DeFi protocol performs the economic function of a regulated intermediary, regulators treat it as such. If you want to create a DeFi application, you will need to ensure that there is no element of centralization, no licensed activity in the markets you are targeting, and that you do not actively solicit clients in markets that have licensing requirements.

The FATF Travel Rule requires VASPs to share originator and beneficiary data on transfers. In practice, what are the main barriers to compliance?

Interoperability is the key issue. The travel rule requires data to travel with the transaction, but different VASPs in different jurisdictions use compliance systems that are not always technically compatible. When a transfer goes from a supported EU VASP using one protocol to a counterparty using a different standard, the data exchange can fail completely. Global adoption remains low, meaning the infrastructure to enforce the requirement is still being built. But over time, we assume it will continue that way.

we in LegalBison We will see that non-compliance with the travel rule becomes more of a commercial barrier than a legal one. Qualifying VASPs in regulated markets sometimes reject transfers from non-compliant counterparties, regardless of where the sender is incorporated. The network effect of regulated participants enforces the rule even when local law does not.

If a founder’s business model is based on the issuance of stablecoins, how is the regulatory matrix different from a standard exchange?

The MiCA regulation creates two distinct categories. Asset-referenced tokens are linked to a basket of assets or currencies. E-money tokens are backed by a single official fiat currency. Each category carries different authorization requirements, reservation obligations and governance standards. Capital and liquidity frameworks are substantially more demanding than those faced by a standard CASP.

Founders need to understand when they face real regulatory exposure. If an ART or EMT reaches a volume or systemic importance threshold set by the European Banking Authority, the issuer comes under the direct supervision of the EBA. That means higher capital reserves, stricter liquidity management requirements, and interoperability obligations that go beyond what MiCA imposes at the base level.

As the United States moves toward a more innovation-friendly framework and the UAE continues to attract digital asset companies, how should founders approach the EU-US-UAE decision in 2026?

The correct answer depends on the business model and target markets. The EU is the most demanding but offers the most commercially valuable result. A CASP authorization in one member state provides a passport for all 27 EU countries. The transition period for existing VASP registries ends no later than July 2026, but Member States can and have shortened it. Lithuania has eliminated the grandfathering period entirely and its national deadline is December 30, 2024. Others have reduced it to 12 months, expiring in December 2025. For companies that assumed they had until mid-2026, the choice of the competent national authority depends on their readiness for compliance.

In the United States the situation is changing. ETFs and spot were approved. The SEC and CFTC have clearer limits on what each oversees. Stablecoin rules at the federal level are taking shape. For founders seeking institutional capital, there is now enough regulatory structure to plan.

The United Arab Emirates operates differently. Dubai’s VARA framework and Abu Dhabi’s ADGM regime are rigorous but transparent. The VARA regulation is specific to each activity, which makes it easier to reach compliance obligations. The free zone’s zero-tax environment is attractive, but the structural requirements can be a challenge. The strategic variable is where your customers are and what regulatory signal matters to them.

Viktor Juskin is co-founder of LegalBisona global boutique legal and business services firm and authorized corporate services provider for FinTech and digital assets projects.