The Malta Financial Services Authority (MFSA) has opened a public consultation on whether decentralised finance protocols that retain centralised features should fall within the European Union’s Markets in Crypto-Assets Regulation, testing how far the framework’s exemption for fully decentralised services actually reaches.

The discussion paper, published on 12 June 2026 and open for responses until 10 July, accepts that MiCA excludes crypto-asset services provided in a fully decentralised manner without any intermediary, while noting that most DeFi protocols keep administrator keys, concentrated governance, upgrade rights, and control over user-facing interfaces. Those retained levers could pull a protocol back inside the regulatory perimeter.

The MFSA stresses that the paper sets out no policy position and that its proposals remain non-binding. The exercise extends a track record that has made Malta a primary EU licensing base, where Blockchain.com won EU-wide approval through the MFSA to offer custody and wallet services across the European Economic Area.

MiCA Offers no Test For Full Decentralisation

Recital 22 of MiCA places services that operate without any intermediary outside the regulation, yet the paper holds that judging whether a protocol clears that threshold demands a case-by-case assessment of its governance, operational, and control features.

Drawing on the European Commission’s MiCA review consultation, the MFSA lists indicators of incomplete decentralisation. These include an identifiable intermediary, control through admin keys over key functions, concentrated governance power, custody of user assets by the protocol, absence of open-source code, and marketing by an identifiable entity.

The paper asks whether decentralisation should be treated as a spectrum rather than a binary state, and whether authorised crypto-asset service providers integrating DeFi components should run smart-contract audits, governance reviews, and risk assessments.

Financial crime runs alongside the scope question. The MFSA points to the Financial Action Task Force’s “same risk, same rule” principle, under which persons exercising control over a protocol may qualify as virtual asset service providers. Citing FATF and Chainalysis figures, the paper records that stablecoins accounted for roughly 84 percent of illicit virtual asset transaction volume in 2025, a risk that sharpens as licensed players such as BVNK passport stablecoin infrastructure across the EEA under MiCA.

Malta Floats Legal Wrappers For DeFi

The paper canvasses structures that could give DeFi projects clearer footing, including recognising software-based organisations as a legal category and treating decentralised autonomous organisations as one type within it. Segregated cell companies feature as a second option, ring-fencing assets across internal cells that mirror on-chain modularity, though the MFSA warns that a central entity could itself read as evidence of centralisation.

Guardian agents and account abstraction round out the review. The regulator questions when guardian authority amounts to effective control, and argues that a provider holding signature weight or controlling validation logic in a smart contract account may be performing custody captured by MiCA. The consultation lands amid an EU supervision fight, after the MFSA rejected calls to hand crypto oversight to ESMA and ESMA moved to expand its mandate over crypto trading platforms. The Authority will review feedback before deciding whether to develop detailed proposals.