France crypto regulation in 2026 is no longer a purely national question. A company targeting French clients must assess the interaction between the legacy PSAN framework, the EU-wide MiCA regime under Regulation (EU) 2023/1114, AML/CFT duties, the crypto Travel Rule under the recast Transfer of Funds framework, and adjacent rules on payments, e-money, market abuse, outsourcing and consumer disclosures.
This page is a legal-practical overview, not legal advice. Whether a France crypto license, registration or MiCA authorisation is required depends on the exact service, token design, client location, marketing model and corporate structure.
Key regulatory facts, timeline markers, and practical next steps for a fast initial read.
This made France one of the earliest EU jurisdictions with a dedicated digital asset service provider framework.
The strategic consequence was a shift from fragmented national regimes to harmonised EU authorisation logic.
Stablecoin-related rules and CASP-related rules did not become operational at the same moment, which is why timing analysis matters.
Existing PSAN status, MiCA authorisation route, AML stack, marketing perimeter and cross-border basis must be checked together.
The short answer is this: crypto is legal in France, but regulated activities require analysis under MiCA, legacy PSAN logic, French AML/CFT rules and adjacent financial services law. For founders, exchanges, custodians and token issuers, the practical question is not whether France has crypto rules; it is which layer applies first. A custody or exchange model aimed at French users will usually trigger a regulated-perimeter review. A stablecoin structure may fall into ART or EMT rules under MiCA. A token with equity-like or bond-like rights may fall outside MiCA and into securities law. A foreign company serving France cannot rely on informal online access if its conduct amounts to active solicitation or organised market entry. In practice, the French route is about five things: classify the token correctly, classify the service correctly, identify the regulator touchpoints, build AML and Travel Rule controls, and document governance in a way a regulator can test.
The decisive shift is that France crypto regulation can no longer be read through the old PSAN lens alone. Before MiCA, France was known for a dedicated domestic regime. After MiCA, the strategic centre of gravity moved to EU-wide authorisation and rule harmonisation, while France remains critical for supervision, AML/CFT practice, enforcement and local market conduct.
| Topic | Legacy Approach | Current Approach |
|---|---|---|
| Core market-entry logic | France-focused PSAN registration and optional licensing concepts shaped market access. | MiCA authorisation and EU passporting are central for CASP-scale activity, with French supervisory touchpoints still operationally important. |
| Geographic strategy | Firms often planned jurisdiction by jurisdiction. | Firms now design for an EU operating model, then test French marketing, AML and consumer-facing execution. |
| Token analysis | Token treatment was often framed around national digital-asset concepts. | Token qualification must distinguish MiCA crypto-assets, ARTs, EMTs, and instruments that may instead fall under MiFID II or payments law. |
| Compliance build-out | Registration readiness often dominated the discussion. | Regulators now expect a fuller operating model: governance, disclosures, complaints, ICT controls, outsourcing oversight, sanctions controls and Travel Rule execution. |
The correct legal reading starts with MiCA, then tests whether other EU or French rules displace or supplement it. This matters because many failed market-entry plans come from using the label ‘crypto’ as if it were a complete legal category. It is not. The same product can trigger crypto, securities, e-money, AML and ICT resilience obligations at the same time.
| Law / Regime | Scope | Applies To | Why It Matters |
|---|---|---|---|
| MiCA — Regulation (EU) 2023/1114 | Issuers of certain crypto-assets and crypto-asset service providers (CASPs). | Custody, exchange, platform operation, order handling, advice, portfolio management, transfer services and certain token issuance/disclosure models. | It is the main EU framework for crypto market access, conduct, disclosures and supervision. |
| French PSAN framework | Legacy French digital asset service provider regime under the French Monetary and Financial Code. | Historical registrations, transition analysis and firms that entered France before MiCA became the main reference point. | You need it to understand existing market participants, register history and transition positioning. |
| EU Transfer of Funds framework | Crypto Travel Rule obligations. | Transfers involving regulated crypto service providers and the collection/transmission of originator and beneficiary data. | It turns AML compliance into an operational messaging and recordkeeping problem, not just a policy problem. |
| French and EU AML/CFT framework | Customer due diligence, suspicious activity reporting, sanctions controls, monitoring and record retention. | Crypto firms with regulated exposure to French or EU AML obligations. | In enforcement practice, weak AML controls are often noticed before more technical licensing defects. |
| MiFID II and related securities law | Financial instruments, investment services and related market conduct rules. | Tokens that function as transferable securities or other financial instruments rather than MiCA crypto-assets. | If a token is a financial instrument, MiCA is generally not your primary regime. |
| Payments and e-money framework | Payment services, electronic money and redemption-linked value structures. | Models with fiat rails, stored value, payment execution or EMT-adjacent features. | Many crypto businesses underestimate how quickly a wallet or on/off-ramp model can cross into payment regulation. |
| DORA and ICT resilience rules | Operational resilience, incident handling, third-party ICT risk and testing. | Regulated financial entities and overlapping operating models using critical ICT providers. | Cybersecurity, vendor dependency and incident response are now board-level compliance subjects. |
The practical map is straightforward. AMF is the authority most businesses associate with France crypto regulation because it is central to market-facing crypto supervision and register visibility. ACPR, attached to Banque de France, matters where prudential, AML/CFT, payments or e-money issues arise. TRACFIN receives suspicious transaction reports. At EU level, ESMA and EBA shape supervisory convergence and technical interpretation, while the European Commission sets the legislative architecture.
Primary French market authority for crypto-facing supervision, register visibility, investor-facing disclosures and national implementation touchpoints.
You target French clients with regulated crypto services, need to assess legacy PSAN status, or need clarity on French market conduct expectations.
Prudential and AML/CFT-relevant authority, especially where the business model overlaps with banking, payments, e-money or broader financial-sector supervision.
Your model has fiat rails, safeguarding-like functions, redemption mechanics, payment execution or prudential risk implications.
French financial intelligence unit for suspicious activity reporting and AML intelligence.
Your AML framework identifies reportable suspicious activity linked to money laundering, terrorist financing or sanctions evasion risk.
Institutional anchor for the French prudential ecosystem and broader financial stability context.
Your structure touches prudential supervision, payment-system questions or systemic risk dialogue.
EU securities and markets authority supporting supervisory convergence and guidance under EU financial law, including MiCA-related interpretation.
You need to understand EU-level expectations, passporting implications or whether a token may fall into securities-law territory.
EU banking authority relevant to prudential and stablecoin-related interpretation, especially where banking or e-money logic overlaps.
Your model involves EMTs, prudential questions, reserve structures or financial-sector overlap.
EU legislator and policy driver behind MiCA, AML reforms and digital finance architecture.
You need the source legal framework rather than only national guidance.
The right question is not ‘Are we a crypto company?’ but ‘Which regulated service are we actually performing for clients in or from France?’ A business can call itself software-only and still drift into regulated custody or order transmission. Conversely, a protocol tooling provider may remain outside scope if it does not intermediate, control client assets or provide a regulated service. In 2026, the perimeter test should be run service by service, token by token and jurisdiction by jurisdiction.
| Service | Authorisation position |
|---|---|
| Custody and administration of crypto-assets for clients | Usually requires authorisation |
| Operation of a crypto-asset trading platform | Usually requires authorisation |
| Exchange of crypto-assets for funds | Usually requires authorisation |
| Exchange of crypto-assets for other crypto-assets | Usually requires authorisation |
| Execution of orders on behalf of clients | Usually requires authorisation |
| Reception and transmission of orders for crypto-assets | Usually requires authorisation |
| Providing advice on crypto-assets | Usually requires authorisation |
| Portfolio management on crypto-assets | Usually requires authorisation |
| Transfer services for crypto-assets on behalf of clients | Usually requires authorisation |
| Pure software publishing without intermediation or control of client assets | Needs case-by-case analysis |
| Business Model | MiCA Relevance | Adjacent Regimes | Practical Answer |
|---|---|---|---|
| Centralised exchange serving French retail users | High; likely CASP analysis under MiCA. | AML/CFT, Travel Rule, sanctions screening, consumer disclosures, possible payments overlap. | Assume authorisation analysis is required before launch. |
| Custodian wallet provider with recovery control or key influence | High; custody is a core regulated trigger. | Safeguarding controls, cybersecurity, outsourcing, AML/KYC. | Treat this as regulated unless the facts clearly show non-custodial architecture. |
| Issuer of a stable-value token linked to fiat or a basket | High; may fall into EMT or ART classification. | E-money, prudential, reserve, redemption and disclosure rules. | Token classification must be resolved before any market launch. |
| NFT marketplace for genuinely unique items with no financialisation features | Potentially limited or outside core MiCA scope depending on structure. | Consumer law, AML risk, sanctions, IP and platform conduct issues. | Do not assume exemption if the collection is fractionalised, standardised or marketed as an investment product. |
| DeFi front-end with governance influence, fee capture and active user onboarding | Fact-sensitive; decentralisation claims do not automatically remove regulatory risk. | AML, consumer protection, sanctions, possible service intermediation analysis. | The legal answer depends on who controls the interface, keys, treasury, upgrades and customer relationship. |
| Foreign EU CASP passporting into France | High; passporting may be available if the home-state basis is valid. | French marketing practice, AML operations, complaints handling, local language and consumer communications. | Passporting can solve authorisation duplication, but not all local conduct and operational issues. |
A token label used in marketing has no legal force. The legal test looks at rights, claims, redemption mechanics, governance features, transferability, standardisation and how the token is actually distributed and used. This is why ‘utility token’, ‘NFT’ or ‘community token’ can be legally misleading descriptions if the instrument behaves like something else.
| Category | Core Feature | Typical Trigger |
|---|---|---|
| MiCA crypto-asset | A digital representation of value or rights transferable and storable electronically using distributed ledger or similar technology. | Starting point for many non-security, non-e-money crypto products. |
| Utility token | Intended to provide digital access to a good or service supplied by the issuer. | May fall under MiCA, but the real analysis depends on substance, not label. |
| Asset-referenced token (ART) | Purports to maintain stable value by referencing another value, right or combination, other than a single official currency. | Stablecoin-like structures with basket or reference-value mechanics. |
| E-money token (EMT) | Purports to maintain stable value by referencing the value of one official currency. | Fiat-referenced stablecoin logic with strong payments/e-money relevance. |
| Financial instrument token | Gives rights or economic exposure consistent with transferable securities or other MiFID II instruments. | Usually moves the analysis outside MiCA and into securities law. |
| Possible excluded NFT-style token | Claimed uniqueness or non-fungibility. | Requires caution because series issuance, fractionalisation or investment marketing can undermine the exclusion argument. |
Yes: Start with MiFID II and related securities rules, not MiCA.
No: Continue to MiCA classification.
Yes: Assess EMT treatment and payments/e-money overlap.
No: Continue to the next test.
Yes: Assess ART treatment.
No: Continue to the next test.
Yes: Test whether the structure is truly unique in substance, not only in metadata or branding.
No: It may fall into general MiCA crypto-asset treatment.
Yes: Utility-token logic may apply, but only if the rights and distribution model support that conclusion.
No: Reassess whether the token is investment-like, payment-like or otherwise misclassified.
The practical point is simple: PSAN explains how France built its early crypto market, while CASP under MiCA explains how firms should think about scalable EU market access in 2026. Existing French market participants, investors and counterparties still use PSAN terminology, so ignoring it creates diligence gaps even where MiCA is now the primary strategic framework.
Legacy registrations and historical compliance posture still matter in due diligence and transition analysis.
Market-entry planning shifted from country-by-country licensing to EU-wide authorisation strategy.
The answer affects governance design, disclosures, passporting, vendor onboarding and launch sequencing.
Legacy register status still matters. For counterparties, investors and acquirers, checking whether a firm was previously known under the French PSAN framework remains a basic diligence step even when the current operating model is built around MiCA.
The highest-value step is pre-application perimeter analysis. Most weak applications do not fail because the form is incomplete; they fail because the business model, token logic, group structure or outsourcing design was never scoped correctly. In France, that means testing the service against MiCA definitions, checking whether any part of the model falls into payments, e-money or securities law, and identifying whether AMF, ACPR or a home-state EU authority is the main route.
Map each product feature to a legal service category: custody, exchange, platform operation, order handling, advice, portfolio management, transfer services, issuance or hybrid activity. Include app flows, API flows and affiliate channels, not just headline products.
Determine whether the token is a general MiCA crypto-asset, ART, EMT, financial instrument, or a fact-sensitive edge case such as an NFT-style structure. This step often changes the entire licensing route.
Confirm whether the route is a French filing, a MiCA home-state authorisation with passporting implications, or a model that also needs analysis under prudential or payments law.
Prepare the programme of operations, governance map, ownership chart, internal controls, outsourcing policy, complaints handling, safeguarding logic, ICT security framework and AML/CFT architecture.
Demonstrate KYC/KYB, beneficial ownership verification, sanctions screening, transaction monitoring, alert handling, suspicious activity escalation and Travel Rule data handling. Regulators increasingly test whether the control actually works in operations.
Expect iterative regulator questions on ownership transparency, outsourcing concentration, governance competence, safeguarding design, white paper or disclosure logic, and cross-border servicing assumptions.
Authorisation is the start of supervision, not the end of the project. Firms need board reporting, incident escalation, complaints records, control testing and change-management procedures after go-live.
The file should read like one operating model, not like disconnected policy appendices.
| Document | Purpose | Owner |
|---|---|---|
| Programme of operations | Explains what the firm will do, for whom, through which channels and under which controls. | Legal / Strategy / Operations |
| Corporate structure and beneficial ownership file | Shows who controls the business and whether the ownership chain is transparent. | Legal / Corporate Secretariat |
| Governance framework | Defines board oversight, senior management accountability and committee structure. | Board / Compliance |
| AML/CFT policy | Sets customer risk methodology, screening, monitoring, escalation and reporting rules. | MLRO / Compliance |
| KYC/KYB procedures | Documents onboarding, beneficial ownership verification, EDD and refresh cycles. | Compliance / Operations |
| Sanctions and wallet-screening framework | Explains how the firm screens persons, entities and blockchain exposure. | Compliance / Financial Crime |
| Travel Rule operating procedure | Shows how originator and beneficiary data is collected, transmitted, reconciled and retained. | Compliance / Product / Engineering |
| Custody and safeguarding policy | Explains key control, segregation, wallet architecture and incident handling. | Security / Operations |
| ICT security and incident response plan | Documents access control, logging, key management, breach escalation and recovery. | Security / Engineering |
| Outsourcing and third-party risk policy | Shows vendor oversight for cloud, KYC, analytics, custody tech and payment partners. | Operations / Risk / Legal |
| Complaints handling procedure | Demonstrates consumer-facing governance and escalation discipline. | Compliance / Customer Operations |
| Disclosure and marketing review framework | Controls white papers, website claims, risk warnings and fairness of communications. | Legal / Marketing / Compliance |
There is no single reliable market-wide number for a France crypto license build because cost depends on whether the firm is exchange-led, custody-led, issuer-led, retail-facing, institutional-only, fiat-connected or passporting from another EU state. The durable cost drivers are governance, AML operations, security architecture, legal structuring and vendor stack integration.
| Cost Bucket | Low Estimate | High Estimate | What Drives Cost |
|---|---|---|---|
| Legal scoping and licensing analysis | Variable | Variable | Depends on token complexity, group structure, cross-border model and whether securities or payments law is also implicated. |
| AML/KYC and sanctions stack | Variable | Variable | Usually includes onboarding tools, beneficial ownership checks, PEP/sanctions screening, transaction monitoring and case management. |
| Travel Rule implementation | Variable | Variable | Cost depends on transfer volume, counterparty coverage, data standards and integration with wallet operations. |
| Custody and security controls | Variable | Variable | Architecture choices such as MPC, HSM, cold-storage operations and segregation controls materially affect spend. |
| Governance and staffing | Variable | Variable | Senior compliance, MLRO, security and control-function staffing often outweigh filing costs over time. |
| Outsourcing and audit readiness | Variable | Variable | Vendor due diligence, contractual controls, testing and evidence retention are recurring costs, not one-off items. |
The main misconception is that France crypto regulation is a license-fee problem. In reality, the larger budget line is the operating control environment required to survive supervision after launch.
A compliant French or France-targeting crypto business needs more than customer identification. The baseline stack includes customer due diligence, beneficial ownership verification for legal entities, PEP and sanctions screening, blockchain transaction monitoring, escalation rules, suspicious activity reporting to TRACFIN, record retention and Travel Rule data handling for relevant transfers. The operational nuance is that regulators increasingly test whether controls are calibrated to crypto-specific risk factors such as mixers, chain-hopping, privacy-enhancing tools, rapid in-and-out fiat conversion, mule-account patterns and exposure to sanctioned wallet clusters.
| Workflow Step | Control | Owner |
|---|---|---|
| Onboarding | KYC/KYB, beneficial ownership, sanctions and PEP screening, product-risk classification. | Compliance / Operations |
| Wallet attribution | Assess whether the wallet is hosted, unhosted or linked to a higher-risk pattern; screen addresses and clusters. | Financial Crime / Blockchain Analytics |
| Transaction execution | Apply rules for sanctions, unusual behaviour, threshold logic, velocity and source/destination risk. | Operations / Monitoring Team |
| Travel Rule exchange | Collect and transmit originator and beneficiary information using the firm’s chosen interoperability method; retain evidence. | Compliance / Product / Engineering |
| Alert review | Investigate typology-based alerts, document rationale, escalate where required. | AML Investigations |
| Suspicious activity reporting | File internal and external reports where suspicion thresholds are met. | MLRO / TRACFIN reporting function |
| Ongoing review | Refresh customer risk, retune scenarios, review false positives and test control effectiveness. | Compliance / Risk |
The three realistic routes are: a French setup, an EU home-state MiCA authorisation with passporting logic, or a narrower fact-specific cross-border model that does not amount to unauthorised active solicitation. The legal risk usually arises from conduct, not website availability alone. French-language campaigns, local sales outreach, localised onboarding funnels, euro payment integrations and customer-support targeting can all strengthen the case that the firm is actively serving the French market.
Reverse solicitation is narrow and evidence-sensitive. It is not a scalable go-to-market strategy if the firm is actively creating demand in France through advertising, affiliate distribution, local events, SEO targeting, influencer campaigns or onboarding infrastructure tailored to French users.
Regulators typically notice the same patterns first: misleading marketing, weak KYC, poor beneficial ownership transparency, inadequate Travel Rule implementation, unclear token classification, weak safeguarding logic and overreliance on vendors without oversight. The practical consequence is that enforcement exposure often appears before a formal licensing dispute is fully argued, because the firm’s operating evidence already shows consumer, AML or governance weaknesses.
Legal risk: Unauthorised activity, supervisory intervention, restrictions, enforcement escalation and reputational damage.
Mitigation: Run a perimeter analysis before launch and document the legal basis for each service and jurisdiction.
Legal risk: Consumer protection and disclosure breaches; increased supervisory scrutiny.
Mitigation: Use fair, clear and not misleading communications with documented legal review and risk warnings.
Legal risk: AML/CFT breaches, reporting failures and possible enforcement referrals.
Mitigation: Implement risk-based onboarding, monitoring, escalation and TRACFIN reporting procedures.
Legal risk: AML compliance failure and operational non-compliance with transfer-data obligations.
Mitigation: Build a tested Travel Rule workflow with governance over counterparties, exceptions and recordkeeping.
Legal risk: Wrong licensing route, defective disclosures and possible securities or payments-law exposure.
Mitigation: Prepare a written token-classification analysis tied to rights, redemption mechanics and distribution facts.
Legal risk: Governance failure, ICT risk and inability to evidence control effectiveness.
Mitigation: Maintain vendor due diligence, service mapping, contractual controls, contingency planning and board reporting.
Legal risk: Client harm, supervisory action and severe reputational loss after incidents.
Mitigation: Document wallet segregation, key management, access control, reconciliation and incident response.
This page covers regulatory perimeter, licensing, AML/CFT, Travel Rule, token classification and market-entry logic. It does not replace tax advice. A firm can be properly authorised and still have unresolved tax, accounting or reporting issues. The reverse is also true: tax treatment does not validate regulatory status. For founders, the key governance point is to separate legal workstreams while keeping them coordinated.
| Topic | Why It Matters | Responsible Team |
|---|---|---|
| Corporate tax and transaction tax analysis | Revenue model, token flows and treasury treatment can create tax consequences independent of licensing status. | Tax / Finance |
| Accounting treatment of crypto-assets and liabilities | Balance-sheet presentation, impairment logic and reserve treatment affect audit readiness and investor reporting. | Finance / Audit |
| Regulatory vs tax perimeter mapping | A product may be outside MiCA yet still create taxable events, or vice versa. | Legal / Tax / Finance |
Pre-launch checklist
Sequence these after the core perimeter, governance, and launch-control decisions are stable.
Open the key issues founders, compliance teams and legal leads usually need to confirm before launch.
Yes. Crypto is legal in France, but regulated activity is not the same as mere legality. In 2026, a business serving French clients must assess MiCA, legacy PSAN relevance, AML/CFT duties, the Travel Rule and any overlap with securities, payments or e-money law before launch.
There is no single one-size-fits-all French crypto regulator. AMF is central for market-facing crypto supervision and register visibility, while ACPR matters for prudential, AML/CFT and payment or e-money overlap. TRACFIN handles suspicious activity reporting, and EU authorities such as ESMA and EBA shape the wider framework.
Usually yes, or at minimum you need a formal authorisation analysis. Running a crypto exchange for French clients typically triggers regulated service questions under MiCA, plus AML/KYC, Travel Rule, sanctions and consumer-disclosure obligations. The exact route depends on whether you operate locally or under a valid EU home-state basis.
PSAN is the legacy French digital asset service provider regime. CASP is the EU-level crypto-asset service provider concept under MiCA. In practical terms, PSAN explains the historical French market structure, while CASP explains the harmonised EU authorisation logic that matters for scalable operations in 2026.
MiCA became the central EU framework, but it does not make French law irrelevant. France still matters for supervision, AML/CFT practice, enforcement, legacy PSAN analysis, local market conduct and overlap with the French Monetary and Financial Code. The correct approach is layered, not either-or.
Potentially yes, but only on a valid legal basis. The usual routes are a French setup, an EU home-state authorisation with passporting logic, or a narrower cross-border model that does not amount to active solicitation. A website being accessible in France is not, by itself, a reliable market-entry strategy.
Some are, some may not be, and the answer depends on structure rather than branding. A genuinely unique NFT may sit outside core MiCA treatment, but series issuance, fractionalisation, investment-style marketing, platform intermediation or financial rights can change the analysis materially.
Yes, the crypto Travel Rule applies through the EU transfer-of-funds framework and affects firms handling relevant crypto transfers. In practice, firms need processes for collecting, transmitting and retaining originator and beneficiary data, plus procedures for hosted and unhosted wallet scenarios.
Stablecoin analysis starts with MiCA classification. A token referencing one official currency may be an EMT; a token referencing a basket or other value mix may be an ART. Depending on structure, ACPR, AMF, EBA and payments or e-money rules may all become relevant.
Start with the relevant official registers and the firm’s claimed legal basis. In practice, diligence should check whether the firm relies on French legacy PSAN status, a current authorisation route, or an EU home-state basis under MiCA. Register review should be combined with legal-basis verification, not used in isolation.
No. Tax and regulation are related but distinct. A firm can have a valid regulatory basis and still face separate tax or accounting issues, and tax treatment does not confirm licensing status. Founders should run tax, regulatory and accounting workstreams in parallel.
If you are launching an exchange, custody product, token issuance, broker flow or France-facing crypto platform, start with service classification, token classification and regulator mapping. That is the shortest path to a defensible France market-entry plan in 2026.