Crypto & Web3

Legal Status of Decentralised Finance (DeFi): Classification and Regulatory Challenges in the EU and Serbia

Decentralised finance — abbreviated DeFi — represents one of the most dynamic, yet legally most demanding, segments of the crypto […]

Decentralised finance — abbreviated DeFi — represents one of the most dynamic, yet legally most demanding, segments of the crypto ecosystem. Unlike traditional financial services, DeFi protocols operate through smart contracts without a central governing institution, making them fundamentally different from anything that existing regulatory frameworks had previously taken into account. This text is informational in character and does not substitute for individual legal advice.

The DeFi ecosystem encompasses a wide range of financial activities conducted directly between users through smart contracts on public blockchain networks such as Ethereum. Decentralised exchanges (DEXs), lending and borrowing protocols, yield farming platforms, automated market makers (AMMs), and derivatives — all are forms of financial activity conducted without traditional intermediaries.

The legal complexity of DeFi stems from several key characteristics: – Absence of a central subject: There is no company, person, or body that would be the singular bearer of liability. – Global accessibility: Protocols are accessible to anyone with an internet connection, without jurisdictional boundaries. – Autonomous execution: Smart contracts execute automatically according to pre-defined logic, without human intervention. – User pseudonymity: User identification is not inherently built into the technical infrastructure.

These characteristics make the application of classical financial law to DeFi extremely complex.

The question of the regulatory treatment of a specific DeFi activity depends on whether it meets the statutory criteria for a financial service or financial instrument. In the EU, MiCA (the Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114) explicitly excludes “genuinely decentralised” crypto-assets and services from its scope, but does not clearly define what this means, and the exemption is interpreted narrowly in practice.

European regulators — primarily ESMA (the European Securities and Markets Authority) and the ECB (European Central Bank) — have warned that many DeFi projects presenting themselves as decentralised in fact have identifiable holders of control (founding teams, companies, or decentralised autonomous organisation — DAO — tokens carrying voting rights). In such cases, regulators may attempt to apply existing rules to identified persons or entities.

Lending protocols may be qualified as providers of credit services. Decentralised exchanges, depending on how they function, may be treated as multilateral trading facilities. Yield farming activities may generate income that falls within the tax and regulatory sphere.

Serbia: Application of the Digital Assets Act to DeFi

The Serbian Law on Digital Assets (Digital Assets Act, “Official Gazette of the RS” No. 153/2020; in force from 30 June 2021) was not designed with DeFi in mind. The Act defines categories of service providers and prescribes licensing obligations, but faces the same conceptual challenge as EU regulation: there is no clear provision on who is liable when there is no central subject.

In practice, Serbian regulators may attempt to apply the law to: – companies or individuals who founded or actively manage a DeFi protocol; – users who employ DeFi for activities that, if conducted in a centralised manner, would require a licence.

Users of DeFi in Serbia should pay particular attention to potential tax obligations arising from DeFi activities — income from liquidity rewards, interest on lent assets, and income from yield farming activities are generally taxable.

Regulatory Approaches in Comparative Law

Different jurisdictions approach DeFi regulation in different ways. The United States applies doctrinal tests (such as the Howey test) to assess whether a DeFi token or protocol falls under securities regulation. Singapore and certain other jurisdictions are developing dedicated “sandbox” mechanisms that allow experimentation with limited regulatory obligations. Some jurisdictions are considering rules based on the technical characteristics of the protocol rather than on the legal form of the operator.

The common denominator across all these approaches is a focus on activities that carry high risk for end users (high leverage, illiquid markets, complex derivatives) and AML/CFT obligations (anti-money laundering and countering the financing of terrorism), even in a decentralised environment.

Risks for Users and Operators of DeFi Platforms

In addition to regulatory uncertainties, DeFi carries specific legal risks:

  • Hacks and smart contract exploits: Who bears liability when a protocol is technically compromised? Without a central subject, the legal protection available to users is minimal.
  • Market manipulation: “Rug pull” scenarios, where founders abandon a project with users’ funds, are increasingly appearing on the radar of prosecutors and regulators.
  • Cross-border liability: A user in one jurisdiction using a protocol based in another — which law applies?

For operators: founding or managing a DeFi protocol that attracts users from the EU or Serbia carries regulatory risk even if the entity is formally located outside those jurisdictions.

Frequently Asked Questions (Q&A)

Is using DeFi protocols legal in Serbia? The mere use of publicly available DeFi protocols is not explicitly prohibited. However, the tax obligations arising from DeFi activities are real and must be met. In addition, certain DeFi activities that functionally correspond to regulated financial services may be subject to regulatory scrutiny.

Can EU regulators reach anonymous DeFi protocols? EU regulators are increasingly monitoring the DeFi space and cooperating with blockchain analytics companies. Pseudonymity does not mean complete anonymity, and identified actors may be subject to regulatory action, including retroactively.

What is “truly decentralised” under MiCA? MiCA does not provide a precise definition. ESMA has announced guidance on this topic, but until that guidance is finally adopted, the area remains regulatorily undefined. Projects that hold administrative keys, have a company operating in the background, or rely on centralised governance tokens will have difficulty claiming to be “genuinely decentralised.”

What DeFi risks can a lawyer identify prior to investment? A legal analysis of a DeFi investment covers: the jurisdiction of the protocol, identification of the operating entity and its regulatory exposure, analysis of the smart contract from a liability perspective, the tax implications of the planned activities, and strategies for the protection of digital assets.

Conclusion

DeFi is a field in which legal uncertainties still outweigh clarity. However, this does not mean an absence of legal risk — quite the contrary. Proactive legal assessment prior to investing in or building a DeFi protocol can prevent serious consequences. For specific DeFi activities, the applicable analysis is an individual legal assessment of the circumstances of each particular case.

Sources: – https://www.ecb.europa.eu/press/pub/financial-stability/html/ecb.fsrbox202305_02~6c00224d4e.en.html – https://www.esma.europa.eu/press-news/esma-news/esma-updates-statement-dlt-and-defi – https://www.bis.org/publ/arpdf/ar2023e.htm – https://www.mfin.gov.rs/propisi/zakoni/zakon-o-digitalnoj-imovini-sluzbeni-glasnik-rs-br-1532020 – https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114

The content of this website is informational and does not constitute legal advice. For specific legal advice, contact a lawyer directly. The firm operates in accordance with the Law on the Legal Profession and the Code of Professional Ethics for Lawyers.

Scroll to Top