MiCA, DAC8, DORA and Travel Rule: 2026 Compliance for Czech Crypto Exchanges
In 2026, crypto-asset service providers in the Czech Republic and across the EU face an unprecedented wave of regulatory requirements. The MiCA Regulation, now fully applicable, together with the DAC 8 directive, the DORA Regulation and the FATF Travel Rule (implemented in the EU through the recast Transfer of Funds Regulation), is transforming their operating model. This article explains what crypto exchanges must do, what the risks of non-compliance are, and what issues both Czech and foreign operators encounter on the Czech market.

Key takeaways
- MiCA authorisation is mandatory and the final deadline is approaching: All crypto exchanges and crypto-asset service providers must hold an active licence from the Czech National Bank by 1 July 2026. The transitional period for entities that submitted their application on time is ending, and entities without a valid authorisation must not continue providing services.
- AML/CFT obligations are now central: Crypto exchanges must implement comprehensive Know Your Customer (KYC) systems, transaction monitoring, sanctions screening, and suspicious activity reporting. Breaches of these obligations have recently resulted in significant fines, reaching hundreds of millions to billions of euros in serious cases involving the largest global players.
- DAC 8 reporting starts in 2026: From 1 January 2026, crypto exchanges must report detailed information on their clients’ transactions to the relevant tax authorities, representing a fundamental shift in transparency and creating new obligations for their users.
- DORA and technical resilience are non-negotiable: The Digital Operational Resilience Act (DORA) requires crypto exchanges to manage ICT risk, detect, classify and report major ICT incidents, test their resilience, and control the risk of their ICT third-party providers; its requirements have applied in full since 17 January 2025.
MiCA and its impact on Czech crypto exchanges
The MiCA Regulation (Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114) introduces a single regulatory framework for all crypto-asset service providers (CASPs) across the European Union. In the Czech Republic, the competent authority is the Czech National Bank (CNB), which has been receiving and assessing applications under the harmonised European standards since the CASP provisions of MiCA became applicable on 30 December 2024. Any crypto exchange that wants to provide services legally to clients in the Czech Republic, or anywhere else in the EU, must now pass a strict authorisation process.
Although this may seem like a formal requirement, the reality is more complex. The authorisation process is highly selective and requires meeting very stringent criteria. Entities that provided services before 30 December 2024 and applied for authorisation by 30 December 2025 could continue operating during the transitional period; however, this transitional period ends no later than 1 July 2026. After that date, every service provider must already hold a valid licence.
Mandatory authorisation and the licensing process
What exactly does the regulator assess? First and foremost, governance and control systems—how the company has set up decision-making processes, what its AML/CFT policy is, how it addresses risks, and who bears responsibility. Second is capital adequacy—the minimum initial capital varies depending on the services provided.
The amounts are set by Article 67 and Annex IV MiCA in three classes: EUR 50,000 for a CASP limited to services such as reception and transmission of orders, execution of orders, placing, transfer services, advice or portfolio management (class 1); EUR 125,000 where it also exchanges crypto-assets for funds or for other crypto-assets, or provides custody and administration (class 2); and EUR 150,000 where it also operates a trading platform for crypto-assets (class 3). The prudential safeguard actually required is the higher of this minimum and one quarter of the previous year's fixed overheads, and it may be held as own funds or covered by an insurance policy or a comparable guarantee.
Third are security measures, which fall under the DORA Regulation. Fourth is the verification of beneficial owners and their suitability. Without addressing all of these points, the CNB will not grant authorisation.
The CNB issued only its first few authorisations during 2025 and in early 2026, so the number of licensed operators remains low and the process has proven demanding. For entrepreneurs, the message is clear: the authorisation process takes months, requires high-quality legal and compliance preparation, and cannot be handled on an improvised basis.
Companies that recognised this earlier and started preparing from 2024 now have an advantage. Those that hesitated face a real risk of having to suspend operations.
Contents of the authorisation file and practical obstacles
What specific documents and information must a crypto exchange submit? MiCA (Article 62) sets out a long list. The basics include a detailed description of the organisational structure, including the composition of the management body, an explanation of who is responsible for what, and how the independence of the compliance and risk management functions is ensured.
This is not a document that merely “records” the structure formally, but a demonstration of how it actually operates. Other important elements include financial models and a three-year plan. The crypto exchange must demonstrate that it has realistic revenues, is not dependent on a single client, and has the resources to meet regulatory obligations.
ARROWS’ Prague-based attorneys often see situations where smaller entities underestimate the true costs required for compliance teams, audits, or technical infrastructure. An AML/CFT policy with a “risk-based” approach is also necessary, meaning different levels of verification for clients from high-risk countries and different levels for ordinary local clients.
It cannot be the same for everyone. An IT security audit by an independent third party is essential and should cover penetration testing, vulnerability assessment, and a review of the exchange's DORA compliance.
Ownership and co-control arrangements, including information on all persons with influence over decision-making, are also material. If there are foreign individuals behind the company, their background must be vetted. Many entrepreneurs believe that preparing such a file can be done quickly.
In practice, it takes 6–12 months if the company is already partially prepared. If it is only just starting, even longer timeframes should be expected. Attorneys from ARROWS, a Prague-based law firm, help clients structure the file so that it meets the CNB’s expectations and is aligned with other legal obligations (e.g., tax, corporate governance, etc.).
Passporting and operations in other EU countries
One of MiCA’s major advantages is so-called passporting. If a crypto exchange obtains authorisation in the Czech Republic (or any other EU country), it can then provide its services across the Union without having to obtain licences in each country separately.
It is sufficient to notify the CNB of the intention to provide services in other Member States; the CNB forwards the notification to the host authorities and to ESMA, and the passported services are recorded in ESMA's register. This sounds like a major advantage for expansion, and in many respects it is. However, in practice there are limitations.
A crypto exchange may passport only those services for which it is authorised in its home Member State; it must not extend its service offering abroad without the approval of its home regulator. Furthermore, a CASP with at least 15 million active users in the EU on average over a calendar year is a "significant" CASP under Article 85 MiCA: it must notify its competent authority, which informs ESMA, and it can expect closer supervisory attention.
In addition, some states may retain additional requirements for information and data collection. For Czech entities, this means a realistic plan: first obtain Czech authorisation, then expand into other countries gradually and carefully.
ARROWS attorneys address precisely these cross-border aspects and understand the specifics of individual jurisdictions. We have partners for this within the ARROWS International network, which is useful when dealing with more complex structures with a foreign element.
Most frequently asked questions about the MiCA authorisation process
1. How long does it take to obtain MiCA authorisation in the Czech Republic?
Based on the experience of ARROWS attorneys and the Czech National Bank (ČNB) itself, the process typically takes 6–12 months from the submission of a complete application. If the file is incomplete or contains errors, the regulator will return it for completion and the process will be extended. In some cases, the ČNB will request additional clarification or an audit. The most critical part is the preparation, which should take at least 3–6 months. Therefore, it is recommended to start as early as possible—each month of delay means a risk that, after 1 July 2026, the entity will find itself outside the legal market.
2. Is it possible to continue operating without authorisation until 1 July 2026?
No. The transitional period ends on 1 July 2026. Entities that provided services before 30 December 2024 and submitted an application for authorisation by 30 December 2025 could continue operating until 1 July 2026, provided that authorisation had not been granted or refused earlier. However, after 1 July 2026 it is not legal to provide services without authorisation. It is best to contact ARROWS, a Prague-based law firm (office@arws.cz), and verify your position.
3. What are the main reasons why the ČNB refuses authorisation?
Most commonly: (a) insufficient AML/CFT policies that are not realistic for the given type of business, (b) weak risk management—it's not clear who is responsible for what, (c) a security audit reveals critical flaws in the IT infrastructure, (d) owners or managers do not meet the fit-and-proper test, (e) insufficient capital or underestimation of operating costs. ARROWS attorneys can help eliminate these risks already during the preparation stage.
DORA Regulation and digital security
Although DORA (Digital Operational Resilience Act) is not a crypto-specific regulation but a general regulation of the financial sector, it also applies to crypto exchanges. It entered into force on 16 January 2023, but its requirements apply and are fully enforceable from 17 January 2025 (Article 64 DORA).
What does DORA specifically require? It rests on five pillars: ICT risk management, ICT incident management and reporting, digital operational resilience testing, ICT third-party risk management, and information sharing. Three of them dominate a crypto exchange's day-to-day work: (1) ICT risk management: the framework by which a crypto exchange identifies and addresses cyber risks, who is responsible for them, and how the risks are managed.
(2) Third-party risk management: if a crypto exchange uses third parties (large cloud platforms, payment gateways, etc.), it must understand what risks it has assumed as a result. (3) Incident reporting: a major ICT-related incident must be classified and reported to the ČNB on a fixed timeline (an initial notification within 4 hours of classifying it as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours, and a final report within one month), while the exchange works to contain the damage.
From the perspective of crypto exchanges, third-party risk is the most complex area. DORA distinguishes ICT providers that support the exchange's critical or important functions (each of which must be recorded in the exchange's register of information and bound by the contractual provisions of Article 30 DORA) from the "critical ICT third-party providers" (CTPPs), such as the largest cloud platforms, that the European Supervisory Authorities designate and oversee at EU level. The aim is the same in both cases: if a large cloud platform or a payment gateway fails, regulators want to stop the failure from spreading into systemic risk.
This means that each such provider must be assessed, contractually secured (with audit and access rights), and covered by an exit strategy and, where possible, an alternative provider. In practice, crypto exchanges that run on "cheap hosting" with a simple IT infrastructure and no redundancy will not meet the DORA standard. They must invest in 24/7 monitoring of security threats and incidents.
Testing of all ICT systems at least once a year (Article 24 DORA), with threat-led penetration testing every three years for entities the authorities designate, and ICT risk documentation with a threat matrix and mitigating measures are essential. Incident management is also key, defining what happens in the event of a ransomware attack or a data breach.
Redundant measures are necessary to ensure system functionality if one component fails. Employee security training is also important.
The Czech National Bank issues and will continue to issue detailed recommendations and requirements for supervision of digital security. It is not enough to have a security policy “on paper”—it must be genuinely implemented.
DAC 8 and tax transaction reporting obligations
Directive DAC 8 (Council Directive (EU) 2023/2226, the eighth amendment of the Directive on Administrative Cooperation) opens a new chapter in the transparency and traceability of crypto-asset transactions. Adopted by the EU as part of the fight against tax evasion, it extends reporting obligations to crypto exchanges and their clients and implements the OECD Crypto-Asset Reporting Framework (CARF) in the EU.
What exactly does DAC 8 require?
From 1 January 2026, crypto exchanges established in the Czech Republic must collect and report to the Czech tax administration the relevant information on all reportable crypto-asset transactions. This starts with tax residence, i.e. in which country the client has tax obligations, established through a self-certification that the exchange must check for plausibility against the other information it holds on the client.
Transaction data is reported in aggregate per client, per crypto-asset and per type of transaction: crypto-to-fiat exchanges, crypto-to-crypto exchanges, retail payment transactions for goods or services, and transfers to and from the exchange.
Exchange rates and the CZK equivalent are key: what the exchange rate was on the transaction date and what the amount was in Czech crowns. The reporting obligation applies to all relevant crypto-asset transactions that meet the definition under DAC 8.
Crypto exchanges must keep records of all transactions in case of a later inspection, whether or not they are subject to central reporting.
When and to whom is the report submitted?
Crypto exchanges submit the report once a year by 30 June for the previous calendar year. The recipient is the competent tax office, which is part of the Financial Administration of the Czech Republic.
The information is then automatically exchanged among the tax authorities of the EU Member States and, under the OECD CARF (the crypto counterpart of the CRS standard), with other participating countries. If a Czech tax resident holds part of their crypto on a Czech exchange and part on an exchange in, for example, Singapore or the United Kingdom, and those countries take part in the automatic exchange of information, the Czech tax authorities will receive information about that client from there as well.
Impact on clients
For clients of crypto exchanges, this means an entirely new transparency regime. They can no longer buy crypto “anonymously” and hope that no one will know about it.
If a specific client does not provide the crypto exchange with the required information (such as a tax residence self-certification) after two reminders, and at the latest 60 days after the initial request, the exchange must prevent that client from carrying out further exchange transactions. This also creates a new situation for entrepreneurs or investors who previously thought they had "at least some crypto for themselves, without reporting".
From 2026, this will no longer apply. This reflects a global trend. The FATF and the EU have decided that “crypto will not remain beyond the reach of the law forever”, and they are gradually integrating it into standard financial supervision.
Most frequently asked questions about DAC 8 reporting and tax obligations
1. How must a crypto exchange report data under DAC 8?
Reporting is carried out once a year by 30 June for the previous year. The crypto exchange submits to the competent tax office a structured report listing, for each client, their tax residence and the aggregated transactions by type with their fiat value. The data is then automatically exchanged among the EU Member States and the other participating countries. This is therefore not a paper report, but a structured data file, usually in XML format.
2. What happens if a crypto exchange ignores DAC 8 and does not report?
Under Czech and European regulations, a crypto exchange faces significant fines in the millions of Czech crowns, supervisory action against its authorisation in the Czech Republic, and it may be placed on a list of non-cooperative entities. It also creates risk for the clients themselves: unreported transactions can still surface through information exchanged from other countries or during a later inspection, and the client then faces additional review, assessment and penalties.
3. Can an individual investor/trader influence a crypto exchange’s tax reporting?
Yes. The investor must provide the crypto exchange with their tax residency. If they fail to do so, the crypto exchange is required to suspend services to them. If the investor provides false information (e.g., claims to be a foreign resident when they are a Czech tax resident), they face tax penalties and potentially criminal liability for fraud. In practice, this means anonymous crypto trading is a thing of the past.
AML/CFT obligations and compliance
Anti-money laundering (AML) and counter-terrorist financing (CFT) are becoming one of the most sensitive areas of regulation for crypto exchanges. In recent years, some of the world’s largest exchanges have been fined for failures in their AML/CFT systems.
For example, one of the world’s largest exchanges paid substantial fines in the billions of US dollars, and other entities have been penalized in the millions of euros. This signals how seriously regulators approach the enforcement of these obligations.
Know your customer (KYC) – the cornerstone
KYC is a core element of compliance. Before opening an account for a client, a crypto exchange must identify the client, verify their identity against an ID document, establish the purpose of the relationship and, where the risk profile requires it, the source of funds. At a minimum, the exchange records the client's real name; the date of birth, used to verify age and, in some countries, for registration in central databases; an address, either the permanent residence or a business address; the account type, i.e. an individual, a legal entity, or something else; and the purpose of use, i.e. why the account is being opened (trading, long-term investing, purchasing goods, etc.).
In practice, this means every client must go through verification, which in an online setting typically includes a liveness check (a selfie matched against the ID), OCR (optical character recognition) of the document, and screening against PEP (politically exposed persons) and sanctions lists.
Transaction monitoring and the Travel Rule
Once a client has passed KYC verification, the crypto exchange must continuously monitor their transactions. The Travel Rule, set by the FATF and implemented in the EU through the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113, applicable from 30 December 2024 alongside MiCA), requires that identifying information on the originator and the beneficiary accompanies every crypto-asset transfer between CASPs, regardless of amount; for transfers to or from a self-hosted wallet above EUR 1,000, the exchange must additionally verify whether that wallet is owned or controlled by its own client.
In practice, this works as follows: when a client sends crypto from one exchange to another, the sending exchange transmits, alongside the transaction, the originator's name, wallet address and an identifier (such as a postal address, an ID document number, or date and place of birth), together with the beneficiary's name and wallet address. The receiving exchange checks that the data is complete, screens it, and archives it; if the originator or the beneficiary appears on a sanctions list, the exchange must stop the transfer.
This sounds simple, but in practice it means that every exchange must have established communication channels with other exchanges, digital infrastructure for exchanging information, and staff to manage it. Many smaller exchanges that have not implemented these systems in time face difficulties in enforcing the requirements.
Reporting suspicious activity (SAR/STR)
If a crypto exchange detects a transaction that appears suspicious—for example, a sudden inflow of funds from a person without justification, a transaction involving a person on a sanctions list, or structured small transactions that together create a sum intended to circumvent limits—it must report it.
A report (Suspicious Activity Report – SAR, or in the EU a Suspicious Transaction Report – STR) is submitted to the Financial Analytical Office (Finanční analytický úřad, FAÚ) in the Czech Republic, or to the relevant Financial Intelligence Unit (FIU) in other EU countries. If the exchange finds that it has received a transaction from someone who is already on a sanctions list, it is required to block the transaction, freeze the assets, and inform the Czech National Bank (ČNB) and the FAÚ.
The reality is that regulators have previously focused on cases where exchanges had a huge volume of unprocessed or insufficiently analyzed suspicious transactions that were not reported in time. During an inspection, the Czech National Bank (ČNB) monitors precisely this point: how long it takes to analyze a transaction, how the decision-making process is documented, and whether SAR/STR reports are submitted without undue delay.
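The "structured small transactions" pattern mentioned above can be screened for mechanically. The following Python is an added example for this article, not code from ARROWS, the ČNB or any vendor product: it applies a rolling-window rule to a constructed ledger of transfers. The EUR 1,000 threshold, the 24-hour window, the minimum of three parts and the sample transfers are all assumptions made for the demo, not figures from the page or from any regulation; a real deployment would tune them to its risk appetite and feed the alerts into the analyst queue that produces the STR.

```python
"""Structuring ("smurfing") detection over a constructed transfer ledger.

Added example for this article, not code from ARROWS or the CNB. The
threshold, window, minimum number of parts and the ledger itself are
assumptions constructed for the demo, not values from the page or from any
regulation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_EUR = 1000.0        # assumed per-transfer threshold being circumvented
WINDOW = timedelta(hours=24)  # assumed rolling aggregation window
MIN_PARTS = 3                 # assumed: fewer split transfers is not treated as a pattern


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    client_id: str
    timestamp: datetime
    amount_eur: float   # fiat equivalent at the time of the transfer
    counterparty: str   # external wallet address or counterparty CASP


def find_structuring(transfers, threshold=THRESHOLD_EUR, window=WINDOW, min_parts=MIN_PARTS):
    """Flag, per client, clusters of sub-threshold transfers whose total inside
    a rolling window reaches the threshold. Returns one alert per cluster."""
    by_client = defaultdict(list)
    for t in transfers:
        if t.amount_eur < threshold:        # only transfers that individually stay under the limit
            by_client[t.client_id].append(t)

    alerts = []
    for client_id, txs in by_client.items():
        txs.sort(key=lambda t: t.timestamp)
        start = 0
        for end in range(len(txs)):
            # shrink the window from the left until it spans at most `window`
            while txs[end].timestamp - txs[start].timestamp > window:
                start += 1
            cluster = txs[start:end + 1]
            total = sum(t.amount_eur for t in cluster)
            if len(cluster) >= min_parts and total >= threshold:
                alerts.append({
                    "client_id": client_id,
                    "tx_ids": [t.tx_id for t in cluster],
                    "total_eur": total,
                    "first": cluster[0].timestamp.isoformat(),
                    "last": cluster[-1].timestamp.isoformat(),
                    "counterparties": sorted({t.counterparty for t in cluster}),
                })
                start = end + 1   # consume the cluster so it is not reported again
    return alerts


# Constructed sample ledger: C-1001 splits EUR 1,250 into four transfers in one
# afternoon; C-2002 and C-4004 make sub-threshold transfers days apart;
# C-3003 makes one large transfer (caught by single-transfer rules, not here).
SAMPLE_LEDGER = [
    Transfer("tx-1", "C-1001", datetime(2026, 3, 2, 9, 0), 300.0, "wallet-alpha"),
    Transfer("tx-2", "C-1001", datetime(2026, 3, 2, 11, 30), 300.0, "wallet-alpha"),
    Transfer("tx-3", "C-1001", datetime(2026, 3, 2, 14, 0), 350.0, "wallet-alpha"),
    Transfer("tx-4", "C-1001", datetime(2026, 3, 2, 15, 45), 300.0, "wallet-alpha"),
    Transfer("tx-5", "C-2002", datetime(2026, 3, 1, 10, 0), 900.0, "wallet-beta"),
    Transfer("tx-6", "C-2002", datetime(2026, 3, 4, 10, 0), 900.0, "wallet-beta"),
    Transfer("tx-7", "C-3003", datetime(2026, 3, 2, 12, 0), 5000.0, "wallet-gamma"),
    Transfer("tx-8", "C-4004", datetime(2026, 3, 1, 8, 0), 400.0, "wallet-delta"),
    Transfer("tx-9", "C-4004", datetime(2026, 3, 3, 8, 0), 400.0, "wallet-delta"),
    Transfer("tx-10", "C-4004", datetime(2026, 3, 5, 8, 0), 400.0, "wallet-delta"),
]


if __name__ == "__main__":
    for a in find_structuring(SAMPLE_LEDGER):
        print(f"ALERT {a['client_id']}: {len(a['tx_ids'])} transfers, "
              f"EUR {a['total_eur']:.2f} to {a['counterparties']} between {a['first']} and {a['last']}")
```

Run as written, the demo raises exactly one alert, for C-1001, listing the four transfers and the EUR 1,250 total; the two-transfer and days-apart cases stay silent. The alert carries the transaction IDs, the time span and the counterparties so that the analyst's decision, and the time taken to reach it, can be documented as the ČNB expects.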
Sanctions screening and specific threats in 2026
In 2025, there was a major increase in sanctions and their application to the crypto sector. According to available reports and analyses, there has been a significant rise in the value of transactions involving sanctioned entities. Russia, Iran, and North Korea actively use crypto exchanges to circumvent sanctions, and regulators are closely monitoring and responding.
OFAC (Office of Foreign Assets Control) has in the past sanctioned a number of crypto exchanges that facilitated transactions with entities from Russia, Iran, and North Korea. The European Union has adopted sanctions packages specifically targeting crypto-asset services. The UK Office of Financial Sanctions Implementation (OFSI) is taking a similar approach.
What does this mean for a Czech crypto exchange? It means it cannot accept clients from certain countries, cannot send or receive transactions to/from certain countries, and cannot do business with certain persons listed on sanctions lists.
Sanctions management requires at least one screening before onboarding—verifying that the client is not on OFAC, EU, UK, or other relevant lists. Ongoing screening is also necessary—monitoring whether the client is added to a list during the course of the relationship.
Record-keeping is key—archiving when screening was performed, what the result was, and who performed it. And last but not least, transaction blocking—if a suspicious transfer is detected, it must be stopped.
All of this requires modern compliance software and processes. A crypto exchange that tries to do everything manually or has outdated systems will very quickly find itself at risk of fines and reputational damage.
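One block illustrating both the Travel Rule exchange described earlier and the screening steps listed here: the receiving exchange checks that the originator and beneficiary data is complete, screens both names against a sanctions list with name normalisation, records when the screening ran and what it found, and decides whether to accept, hold for an analyst or reject the transfer. This is an added Python example, not code from ARROWS, the ČNB or any Travel Rule protocol; the sanctions entries, the sample messages, the dict layout and the required field set (a simplification of the Transfer of Funds Regulation) are assumptions constructed for the demo, not IVMS101 or any real wire format.

```python
"""Sanctions screening and Travel Rule checks on the beneficiary side.

Added example for this article; not code from ARROWS, the CNB or any Travel
Rule messaging protocol. The sanctions entries, client messages and message
layout are constructed for the demo: the field set follows the recast EU
Transfer of Funds Regulation at a high level, but the dict keys are an
assumption, not IVMS101 or any real wire format.
"""
from datetime import datetime, timezone
import unicodedata

# Constructed sanctions entries (not real designations).
SANCTIONS = [
    {"list": "EU", "name": "Ivan Petrov", "aliases": ["Petrov, Ivan"], "dob": "1975-04-12"},
    {"list": "OFAC", "name": "Sunrise Trading LLC", "aliases": ["Sunrise Trading"], "dob": None},
]

# Assumed required fields (simplified from TFR Art. 14: name, DLT address and
# an identifier for the originator; name and DLT address for the beneficiary).
REQUIRED = {
    "originator": ("name", "wallet_address", "account_id", "postal_address"),
    "beneficiary": ("name", "wallet_address"),
}


def normalize(name: str) -> str:
    """Fold diacritics and case, drop punctuation and sort the tokens, so that
    'Petrov, Ivan', 'IVAN PETROV' and 'Ivan Petrov' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    cleaned = "".join(ch if ch.isalnum() else " " for ch in folded.lower())
    return " ".join(sorted(cleaned.split()))


def screen_party(name, dob=None, sanctions=SANCTIONS, now=None):
    """Screen one name against the lists and return an auditable record:
    what was screened, when, and every hit with its strength."""
    key = normalize(name)
    hits = []
    for entry in sanctions:
        if any(normalize(c) == key for c in [entry["name"], *entry["aliases"]]):
            # A name match with a conflicting date of birth is only a possible
            # match and goes to an analyst instead of an automatic block.
            if dob and entry["dob"] and entry["dob"] != dob:
                strength = "possible"
            else:
                strength = "match"
            hits.append({"list": entry["list"], "entry": entry["name"], "strength": strength})
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {"name": name, "screened_at": stamp, "hits": hits}


def missing_fields(msg):
    """Return 'party.field' for every required field that is absent or empty."""
    missing = []
    for party, fields in REQUIRED.items():
        data = msg.get(party) or {}
        missing += [f"{party}.{f}" for f in fields if not data.get(f)]
    return missing


def process_inbound_transfer(msg, sanctions=SANCTIONS, now=None):
    """Beneficiary CASP decision: 'accept', 'hold' (analyst review) or
    'reject' (block the transfer, freeze the assets, file an STR)."""
    missing = missing_fields(msg)
    if missing:
        return {"decision": "hold", "reason": "incomplete Travel Rule data: " + ", ".join(missing),
                "records": []}
    records = [
        screen_party(msg["originator"]["name"], msg["originator"].get("date_of_birth"), sanctions, now),
        screen_party(msg["beneficiary"]["name"], msg["beneficiary"].get("date_of_birth"), sanctions, now),
    ]
    strengths = {h["strength"] for r in records for h in r["hits"]}
    if "match" in strengths:
        return {"decision": "reject", "reason": "confirmed sanctions match", "records": records}
    if "possible" in strengths:
        return {"decision": "hold", "reason": "possible sanctions match", "records": records}
    return {"decision": "accept", "reason": "no hits", "records": records}


# Constructed sample messages.
CLEAN_MSG = {
    "originator": {"name": "Jana Nováková", "wallet_address": "wallet-orig-1", "account_id": "acc-1",
                   "postal_address": "Praha, CZ", "date_of_birth": "1990-01-01"},
    "beneficiary": {"name": "Petr Svoboda", "wallet_address": "wallet-ben-1"},
}
HIT_MSG = {
    "originator": {"name": "PETROV, IVAN", "wallet_address": "wallet-orig-2", "account_id": "acc-2",
                   "postal_address": "unknown", "date_of_birth": "1975-04-12"},
    "beneficiary": {"name": "Petr Svoboda", "wallet_address": "wallet-ben-1"},
}
INCOMPLETE_MSG = {
    "originator": {"name": "Jana Nováková", "wallet_address": "wallet-orig-1"},
    "beneficiary": {"name": "Petr Svoboda", "wallet_address": ""},
}

if __name__ == "__main__":
    fixed_now = datetime(2026, 3, 2, tzinfo=timezone.utc)
    for label, msg in [("clean", CLEAN_MSG), ("hit", HIT_MSG), ("incomplete", INCOMPLETE_MSG)]:
        result = process_inbound_transfer(msg, now=fixed_now)
        print(f"{label}: {result['decision']} ({result['reason']})")
```

Two design points worth noting. The screening record (name, timestamp, hits) is returned with every decision, which is exactly the "when, what result, who" trail the record-keeping step above calls for; in production the operator identity and the list version would be added. And a hit is never an automatic block on its own: a conflicting date of birth downgrades it to "possible" and routes the transfer to an analyst, because false positives on common names are the main operational cost of screening. Ongoing screening is the same `screen_party` call run again over the client base whenever a list changes.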
Practical issues crypto exchanges are dealing with in 2026
Until 1 July 2026, crypto exchanges that provided services before 30 December 2024 and submitted an authorisation application by 30 December 2025 could continue operating under the so-called transitional regime, even if they did not yet have final authorisation. After that date, it ends completely—no authorisation, no business.
ESMA has clearly stated that any entity providing services without a licence will, as of 1 July 2026, be in breach of EU law and will be subject to enforcement. This creates a very stressful situation.
Companies that, in lawyers’ view, deserve authorisation but whose files the Czech National Bank (ČNB) has not yet finished processing will have to either actively manage existing clients and prevent new ones from coming on board, or risk legal penalties.
Crypto entrepreneurs face a lack of access to banking
One of the major problems for crypto exchanges in the Czech Republic is that traditional banks, most of them part of larger foreign banking groups, do not want to deal with crypto. They commonly refuse to open standard bank accounts for crypto exchanges, or they close accounts even when the exchange is compliant with regulations.
This is paradoxical, because MiCA grants crypto exchanges a licence to operate, but without a bank account they cannot fully benefit from that licence. A number of Czech crypto exchanges therefore look for banking partners abroad, in Lithuania, Estonia, Malta, or in the United States (where they have a local entity).
However, this usually means additional compliance, additional AML obligations, and higher costs.
The problem of tokenisation and asset classification
MiCA distinguishes three categories of crypto-assets, each with different requirements: asset-referenced tokens (ARTs), e-money tokens (EMTs), and all other crypto-assets, which include utility tokens and mainstream cryptocurrencies such as Bitcoin or Ether.
The problem is that many projects (e.g., wrapped tokens, various DeFi protocols) fall into a grey area. Is it a financial instrument under MiFID II, which MiCA excludes from its scope, a crypto-asset under MiCA, or something else entirely?
The EU is trying to clarify this, but for a Czech crypto exchange it means it must handle the classification itself, along with the related regulatory obligations. The attorneys at ARROWS, a Prague-based law firm, focus on precisely these classification issues and can help clients structure their offering so that it complies with the regulations of individual countries.
| Potential issues | How ARROWS can help (office@arws.cz) |
| --- | --- |
| Missing or incomplete authorisation after 1 July 2026: an entity without an active MiCA licence must suspend all activities; it faces penalties of up to 10% of annual turnover (Article 111 MiCA), withdrawal of the licence, and potentially even criminal liability. | The attorneys at ARROWS, a Prague-based law firm, will prepare a comprehensive authorisation file, secure all required documents, financial models, AML policies, and security audits required by the Czech National Bank (ČNB). We represent the client in dealings with the regulator. |
| Non-compliance with AML/CFT systems: weak KYC procedures, inadequate SAR/STR reporting, and poor transaction monitoring lead to fines that can reach tens to hundreds of millions of Czech crowns, and to regulatory intervention. | ARROWS can help design and implement risk-based KYC processes, set up transaction monitoring, train the compliance team, and ensure that reporting is carried out on time and correctly. |
| DAC 8 reporting and tax considerations: from 2026, crypto exchanges must report transactions to the tax authorities. Incorrect reporting or erroneous data lead to significant fines, which can reach millions of Czech crowns, and to additional tax assessments for clients. | ARROWS, a Prague-based law firm, will ensure the legal structure for reporting, a tax-efficient setup, and communication with the tax administration. We also advise clients on their tax obligations. |
| DORA incidents and cyber risk: if a security incident occurs (hack, ransomware), it is not only a data loss issue, but also an obligation to notify the Czech National Bank (ČNB) without undue delay; an unprepared crisis response leads to fines and loss of trust. | We will help structure an incident management plan, set up monitoring, and manage communications with the regulator. We represent the client during the incident and communicate with the Czech National Bank (ČNB). We have experience with crisis management in similar situations. |
| Sanctions screening and Travel Rule compliance: if a crypto exchange does not block transactions of sanctioned persons or does not implement the Travel Rule, it faces high fines and reputational damage. | ARROWS can help clients select the right compliance software, set up screening processes, and ensure documentation. We also represent the client if an inspection or enforcement action occurs. |
Final summary
2026 represents a moment of transformation for everyone doing business with cryptocurrencies in the Czech Republic. The MiCA Regulation, with the final deadline of 1 July 2026 for the end of the transitional period, DAC 8 obligations from 1 January 2026, compliance requirements under the FATF Travel Rule, and the DORA Regulation on digital resilience – all of this means that operating a crypto exchange is no longer a matter of a few computers and a handful of people.
It is a complex operation requiring legal infrastructure, compliance systems, IT security, audit, and ongoing monitoring. For crypto exchanges, this has real impacts: without authorisation after 1 July 2026 they cannot remain on the market; without proper AML/CFT they risk high fines (in the tens to hundreds of millions of Czech crowns for serious breaches); and without DORA compliance they risk system failure and sanctions.
At present, there is only very limited time left for the remaining entities that still do not have authorisation to have a chance to obtain it. Others will, in practice, end up outside the legal market. This is not pessimism, but the reality of regulatory developments.
In a positive sense, this means that the crypto sector is gradually “normalising” and ceasing to be a grey area. Clients have more protection, exchanges are supervised, and the system as a whole is safer. In a negative sense, it means higher costs, more complex operations, and strict compliance.
If you are a crypto exchange or a crypto-asset service provider and you are not sure how to proceed, do not hesitate to contact the attorneys at ARROWS, a Prague-based law firm (office@arws.cz). We offer comprehensive legal advice on crypto-asset regulation under Czech and EU legislation, preparation of authorisation files for the Czech National Bank (ČNB), setup of AML/CFT systems, DORA implementation, and assistance with DAC 8 reporting.
If you have an international element – e.g., you have clients in other EU countries or you are planning expansion – we have the ARROWS International partner network to address these cross-border matters.
Frequently asked questions about crypto exchanges and their obligations in 2026
1. What exactly is a crypto exchange under MiCA, and when do MiCA obligations apply?
In MiCA terminology, a crypto exchange is a “Crypto-Asset Service Provider” (CASP) that provides services such as buying and selling cryptocurrencies for fiat currency, exchanges between different cryptocurrencies, custody (safekeeping), or advisory services. MiCA applies to any entity that performs these activities and has clients in the EU. Therefore, if a Czech entity operates an exchange and has Czech or any EU clients, it must comply with MiCA obligations. This is not possible without authorisation from the Czech National Bank (ČNB). The attorneys at ARROWS can help determine precisely which of your activities fall within MiCA’s scope and which obligations therefore apply to you.
2. We run a smaller exchange – does MiCA apply to us even if we only have a few dozen clients?
Yes, absolutely. MiCA applies to all CASPs, regardless of their size. The only exception is fully decentralised platforms with no identifiable operator, but these are very rare. If you are an identifiable entity and you carry out activities covered by MiCA, you must meet the requirements. Even a small exchange must not assume it is “too small” for regulation. The attorneys at ARROWS work with clients of all sizes and can apply proportionality to the scale of the operation, but the requirements cannot be avoided entirely.
3. Would it be possible to “emigrate” abroad and thus avoid regulation?
This is a question many entities ask. However, the answer is no. If your exchange offers services to Czech or other EU clients, you are subject to MiCA even if your legal entity is registered outside the EU; the only exception is a client who approaches a third-country firm at their own exclusive initiative (reverse solicitation, Article 61 MiCA), which ESMA interprets narrowly and which does not cover any form of marketing to EU clients. ESMA and the Czech National Bank (ČNB) monitor and enforce this. If you attempt to circumvent regulation (e.g., by concealing your place of establishment), you risk substantial fines and potentially even criminal liability. It is far better to be proactive, obtain authorisation, and have a "passport" across the entire EU. The attorneys at ARROWS can help structure this safely and in compliance with the law.
4. Approximately how much will a compliance team, IT security, and the authorisation process cost?
It is difficult to generalise, but as an order of magnitude: preparing the authorisation file (legal, audit, security) typically costs hundreds of thousands of Czech crowns (CZK 300,000–800,000) and requires investment in qualified advisors. Annual compliance operations (KYC, monitoring, SAR/STR, reporting) cost hundreds of thousands to millions of Czech crowns (CZK 500,000–2 million) per year, depending on the number of clients and complexity. IT infrastructure with security and DORA compliance may require investments in the low millions of Czech crowns per year. These costs are real and must be factored into business models. Entities that have not realised this will soon find that the crypto business is not as cheap as it seems. The attorneys at ARROWS can help with projections and will ensure your costs do not “run away” due to unnecessary mistakes.
5. What are the main checkpoints that the Czech National Bank (ČNB) reviews during an inspection?
ČNB focuses primarily on: (a) the AML/CFT policy and its practical implementation—this is not just a document, but real processes, (b) KYC procedures—it selects clients at random and verifies whether KYC was performed correctly, (c) transaction monitoring—whether detected suspicious transactions are properly handled and reported, (d) SAR/STR reporting—whether it was made without undue delay, (e) IT security and incident management—whether it is handled in line with DORA, (f) ownership structure and management—whether managers are suitable (fit-and-proper test). In each category, ČNB takes a sample and examines it in detail. If it finds material deficiencies, warnings and a fine follow.
6. What happens if I lose clients or money due to a hack—am I liable?
Under MiCA and DORA, the responsibility is yours. A crypto exchange providing custody must keep clients' crypto-assets segregated from its own, must not use them for its own account, and must protect them against cyberattacks; under Article 75 MiCA it is liable to its clients for the loss of crypto-assets, or of the means of access to them, caused by an incident attributable to the exchange, up to the market value of the assets lost at the time of the loss. This includes failures of your own providers: if you outsource to a cloud provider and its security fails, the liability towards your clients remains yours. This is why MiCA (Article 67) requires each CASP to hold prudential safeguards in the form of own funds or an insurance policy (or a comparable guarantee). The attorneys at ARROWS can help structure insurance coverage and risks properly.
Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.
Read also:
- MiCA and Czech Compliance: Legal Pitfalls for Crypto Projects
- How to Obtain a Czech National Bank Licence for Financial Institutions
- Phishing Under the New Cybersecurity Act: Managers’ Personal Liability
- AI governance in companies: How to do it right to avoid legal problems and fines
- Defending Managers and Owners in Economic and Tax Crime Investigations