Crypto Regulation by Country: A Complete 2026 Overview

Crypto regulation by country is no longer a question of whether crypto is legal. Across every major market it is, and the live questions are now: which authority supervises the activity, under which law, and what licence or registration the business needs to operate. This overview lines up 16 of the world's most important regulated jurisdictions on the same axes, from the EU's single MiCA rulebook to the multi-regulator system in the United States, so you can read the global picture in one place and then drill into the country that matters to you.

The differences between these regimes are differences of gateway and statute, not legality. A crypto exchange in Frankfurt, New York, Singapore and Hong Kong is doing the same economic activity, yet each enters through a different legal door: a harmonised EU authorisation, a federal-plus-state patchwork, a payments-law licence, or a securities-regulator permit. Understanding which door applies is the first practical step in any licensing decision.

How crypto is regulated around the world (the short answer)

Across all major jurisdictions in this overview, cryptocurrency is legal and regulated, and none of them impose an outright ban. The differences lie in the gateway and the governing law, not in legality. Every regime is anchored to a named regulator and a specific statute, from the EU's Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) to country-specific frameworks elsewhere.

A scope note up front: this is a complete overview of the major regulated markets, not of every country on earth. It covers 16 leading jurisdictions where crypto activity is licensed and supervised. It does not cover restrictive or ban jurisdictions (for example, blanket banking-access bans) in depth, and those markets sit outside the comparison below. If you need our complete guide to crypto licensing, that pillar sets out the wider licensing landscape behind this regulatory snapshot.

Three regulatory gateways: securities, payments, and AML

Most national crypto regimes can be sorted into one of three legal gateways, and the same business activity can pass through a different gateway depending on the country. The first is the securities-regulator gateway, where a crypto asset is treated as an investment or security: the US Securities and Exchange Commission (SEC) and Hong Kong's Securities and Futures Commission (SFC) are the clearest examples. The second is the payments-law gateway, where the activity is licensed as a payment service: Singapore's Monetary Authority (MAS) and Japan's Financial Services Agency (FSA) frame crypto this way. The third is the AML and money-services gateway, where the primary trigger is anti-money-laundering supervision: the US FinCEN, the UK FCA, Canada's FINTRAC and Australia's AUSTRAC all centre their crypto oversight on AML registration.

Knowing your gateway tells you which regulator you answer to, which statute governs you, and how heavy the prudential and conduct expectations are likely to be. The three-gateways diagram below maps representative countries into each lane.

The FATF baseline that ties national rules together

One reason national AML rules look so similar is a shared foundation: the Financial Action Task Force (FATF) defines the Virtual Asset Service Provider (VASP) and sets the Travel Rule that most countries have transposed into domestic law. This common baseline is why the Commonwealth AML-first regimes, the EU's AML expectations folded into the CASP authorisation, and the US FinCEN MSB rules all rhyme even where the licensing label differs. Our FATF VASP framework page sets out the definition and the Travel Rule threshold in detail.

VERIFY before publish: a FATF primary source has not yet been cited in this draft because FATF.org returns a 403 to automated fetches. A human must add a verified FATF citation here, or this FATF-baseline paragraph must be cut before the page goes live (see brief Known unknowns).

Crypto regulation by country: the master comparison table

The table below is the core of this overview: one verified record per jurisdiction, on the same five axes. For each market it shows the legal status, the primary regulator, the regime or registration name, the governing law, and whether the licence passports to other countries. Every regulator and statute string is taken verbatim from the official source cited in the brief.

For a deeper, side-by-side view that adds factors beyond legal status, see our country-by-country comparison matrix.

How to read this table (legal status, regulator, regime, law)

A word on the "Legal?" column. "Legal" here means the activity is legal and regulated, not that it is unrestricted. In every market in the table, running a crypto exchange or custody business without the relevant licence or registration is unlawful, so "legal" is a statement about availability of a regulated path, not about a free-for-all. The "passporting" column flags the single most consequential structural difference in global crypto regulation: only the EU's MiCA CASP authorisation passports automatically across borders. A New York BitLicense, a Singapore DPT licence and a UAE VARA permit are each confined to their own jurisdiction.

European Union: one harmonised MiCA rulebook

The European Union is the clearest example of regulatory harmonisation in crypto. The Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114, created a single, directly applicable rulebook for all 27 member states. Its stablecoin rules, covering asset-referenced tokens (ART) and e-money tokens (EMT), applied from 30 June 2024, and the Crypto-Asset Service Provider (CASP) authorisation regime with the remaining titles applied from 30 December 2024. The decisive feature is passporting: one CASP authorisation lets a firm serve customers across the entire single market without re-licensing country by country. Our MiCA regulation explained guide covers the full framework.

NCAs, ESMA and EBA: who supervises what

MiCA supervision is three-tiered. National competent authorities (NCAs) handle day-to-day authorisation and supervision of CASPs in their own state, such as BaFin in Germany or the Bank of Lithuania. The European Securities and Markets Authority (ESMA) sets technical standards, maintains central registers and drives supervisory convergence so the rulebook is applied consistently. The European Banking Authority (EBA) provides standards and takes a lead role in overseeing significant stablecoins. This layering means a single legal text is applied locally but coordinated centrally, which is exactly what makes EU-wide passporting workable.

National regimes folding into MiCA (Germany, Estonia, Lithuania)

Before MiCA, EU member states ran their own national crypto regimes, and those are now legacy or transitional. In Germany, the crypto custody business authorisation under §1(1a) KWG has existed since 1 January 2020, and from 30 December 2024 crypto-asset services require MiCAR authorisation, with transitional reliance on an existing KWG authorisation permitted. In Estonia, the Financial Intelligence Unit issued VASP authorisations until the end of 2024, with around 100 active authorisations on record, before supervision passed to Finantsinspektsioon as the MiCA NCA. Lithuania's legacy VASP transition period has likewise ended, with the Bank of Lithuania now granting CASP authorisations. The common thread: national registrations are being absorbed into one EU licence.

United States: a fragmented, multi-regulator system

If the EU is the model of harmonisation, the United States is the model of fragmentation. There is no single federal crypto law and no single federal crypto regulator. Instead, jurisdiction is split between three federal agencies, layered on top of state-by-state money-transmitter licensing and New York's bespoke BitLicense. For operators, this means a US launch can require registration or licensing with multiple authorities at once, depending on what the asset is and what the business does.

SEC, CFTC and FinCEN: securities, commodities, and AML

At the federal level, three agencies divide the field. The SEC claims crypto assets that are "investment contracts" under the Howey test, applying the Securities Act of 1933 and the Securities Exchange Act of 1934. The CFTC treats Bitcoin and certain virtual currencies as commodities and regulates crypto derivatives under the Commodity Exchange Act. The FinCEN treats exchangers and administrators of convertible virtual currency as Money Services Businesses (MSBs) for AML purposes under the Bank Secrecy Act. The same token can therefore touch all three regimes, depending on how it is offered and used.

State money-transmitter licences and the New York BitLicense

Above the federal layer sits a state layer. Money-transmitter licensing is handled state by state, so a national US service may need licences in many states at once. New York runs its own dedicated regime: the BitLicense, required for Virtual Currency Business Activity under 23 NYCRR Part 200, supervised by the New York Department of Financial Services. The BitLicense is jurisdiction-specific and does not passport, which is one reason US market entry is treated as a multi-front exercise rather than a single application.

What changed in 2026 (SEC interpretive release)

In 2026 the SEC issued an interpretive release on 17 March 2026, "Application of the Federal Securities Laws to Certain Types of Crypto Assets and Certain Transactions Involving Crypto Assets," which supersedes the withdrawn 2019 Framework and sets out a taxonomy of which crypto assets are and are not securities. The Howey test remains binding precedent. This is recent and evolving, so it should be read in full before treating any specific classification as settled.

VERIFY before publish: only the PDF URL and a snippet of this March 2026 release were captured at research stage, not the full text. Do not state any definitive non-security classification as settled until the full release is read (see brief Known unknowns).

United Kingdom and Switzerland: AML registration vs FINMA licensing

Two important European-but-non-EU regimes sit outside the MiCA bloc and take noticeably different approaches. The United Kingdom currently anchors crypto supervision in anti-money-laundering registration, while Switzerland operates a fuller financial-market licensing model under FINMA. Searchers frequently compare the two, so it helps to set them side by side.

United Kingdom: FCA cryptoasset AML/CTF registration

In the UK, the Financial Conduct Authority (FCA) supervises cryptoasset firms through AML/CTF registration under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). This is an AML-anchored gateway: the registration focuses on financial-crime controls rather than a full prudential authorisation. A broader financial-services regime for cryptoassets has been in development.

VERIFY before publish: the 2026 status and commencement of the UK's broader cryptoasset financial-services regime are not confirmed from a primary source. Present it as "in development", not "in force", until verified (see brief Known unknowns).

Switzerland: FINMA, the DLT Act and SRO membership

Switzerland, home to the Crypto Valley in Zug, regulates crypto activity through the Swiss Financial Market Supervisory Authority (FINMA). Depending on the activity and deposit and collective-custody thresholds, a firm may need a FinTech licence or a full banking licence; trading venues can require a DLT trading facility authorisation; and AML obligations are met through membership of a self-regulatory organisation (SRO). The governing stack includes the Banking Act, the Financial Services Act (FinSA), the Anti-Money Laundering Act (AMLA) and the DLT Act. This is a fuller licensing model than the UK's AML-only registration, which is one reason Switzerland is treated as a credibility benchmark. For the detail, see our breakdown of Switzerland (FINMA) requirements.

Asia: payments-law gateways and a securities gateway

Asia does not have a single regulatory style. The region splits cleanly between markets that regulate crypto under payments law and at least one that regulates it through the securities regulator. Flattening "Asia" into one bucket misses the most important practical distinction, so the three leading regimes are set out separately below.

Singapore: MAS, the DPT licence and the DTSP regime

Singapore runs a payments-law gateway. The Monetary Authority of Singapore (MAS) licenses Digital Payment Token (DPT) services under the Payment Services Act 2019, with firms authorised as either a Standard Payment Institution or a Major Payment Institution depending on transaction volumes. A separate DTSP regime under the Financial Services and Markets Act 2022 adds further obligations. Capital-markets tokens can also engage the SFA 2001 and FAA 2001.

VERIFY before publish: several MAS pages were intermittently unavailable at research stage and the PSA/DTSP facts rest on official search snippets. Re-fetch the MAS source before final citation (see brief Known unknowns).

Japan: FSA registration under the Payment Services Act

Japan operates one of the oldest formal crypto-exchange regimes. The Financial Services Agency (FSA) registers Crypto Asset Exchange Service Providers under the Payment Services Act, with the Financial Instruments and Exchange Act (FIEA) covering crypto derivatives. Like Singapore, Japan's primary gateway is payments law rather than securities law, which shapes how exchanges and custodians are authorised.

Hong Kong: SFC and the VATP licensing regime

Hong Kong is the regional securities-gateway example. The Securities and Futures Commission (SFC) runs a Virtual Asset Trading Platform (VATP) licensing regime, effective 1 June 2023, anchored in the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) and the Securities and Futures Ordinance (SFO) under a dual-licence structure. The contrast with Singapore and Japan is the point: same activity, different legal door.

Middle East: the UAE's zone-based regulation

The United Arab Emirates is not one crypto regime but several, layered by zone. This zone-based structure is a distinguishing feature of the region and a frequent source of confusion for operators choosing where to set up.

VARA (Dubai), ADGM FSRA (Abu Dhabi) and DIFC DFSA

Within the UAE there are three separate frameworks. The Virtual Assets Regulatory Authority (VARA) regulates virtual assets across the Emirate of Dubai, excluding the DIFC, acting under Dubai Law No. 4 of 2022 and the Virtual Assets and Related Activities Regulations 2023. In Abu Dhabi, the Financial Services Regulatory Authority (FSRA) of the ADGM free zone runs its own virtual-asset framework. A third regime, the DIFC's Dubai Financial Services Authority (DFSA), operates separately again. The practical takeaway is that "a UAE crypto licence" is ambiguous until you specify the zone.

VERIFY before publish: the exact ADGM FSRA instrument titles are not from a primary source and the DIFC DFSA regime was not researched from a primary source. Either fetch the precise titles from adgm.com / the DFSA, or scope the page's UAE claim to VARA plus ADGM only (see brief Known unknowns).

Commonwealth markets: an AML-first model (Canada and Australia)

Canada and Australia share an AML-first approach. Both regulate crypto principally through the money-services and anti-money-laundering gateway at the federal level, with securities matters handled by separate authorities. This makes them structurally similar to each other and to the UK's current AML-anchored model.

Canada: FINTRAC MSB registration and provincial securities rules

In Canada, dealing in virtual currency is a Money Services Business service that must register with FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Federal supervision is AML-led through FINTRAC, while securities questions, where a token is treated as a security, fall to provincial securities regulators. The split mirrors the broader Commonwealth pattern.

Australia: AUSTRAC and DCE provider registration

In Australia, Digital Currency Exchange (DCE) providers must register with AUSTRAC under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, with DCEs having been regulated since 2018. As in Canada, the entry point is AML registration rather than a full prudential licence, and securities-style obligations sit in a separate regime.

Security, commodity or payment instrument: how classification differs by country

The single biggest reason the same business is regulated differently around the world is classification: what the law decides a crypto asset legally is. The United States splits assets between securities, handled by the SEC under the Securities Act 1933 and Exchange Act 1934, and commodities, handled by the CFTC under the Commodity Exchange Act. Japan and Singapore, by contrast, frame crypto primarily through payments law, the Payment Services Act in Japan and the Payment Services Act 2019 in Singapore. The EU takes a third route and classifies crypto-assets by category under MiCA, so the same token maps to a defined regulatory class with its own rules.

This is the "three gateways" idea made concrete. A token that is a security in one country may be a payment instrument in another, which changes the regulator, the statute and the licence required. For exchange operators specifically, classification dictates the licence path, which is covered in our guide to how to start a licensed crypto exchange.

How to choose a jurisdiction for your crypto licence

This overview is a map, not a recommendation. The right jurisdiction depends on your activity, your target customers, your appetite for prudential obligations, and whether you need cross-border reach. As a rule of thumb, if you want to serve the whole EU from one licence, the MiCA CASP authorisation and its passport are decisive; if you need US retail access, you must plan for the SEC/CFTC/FinCEN split plus state licensing; if you want a payments-led regime, Singapore or Japan; and if Swiss credibility matters, FINMA. Compare the structural trade-offs in our guide to the best countries for a crypto licence, then move to the practical steps in how to get licensed.

From our practice. In our advisory work the most expensive mistakes are not legal, they are sequencing mistakes: choosing a jurisdiction before settling what the token actually is, then discovering the activity falls under a different gateway than assumed. We work backward instead, fixing the classification and the target market first, and only then selecting the regulator and regime that fit. No two mandates follow the same path, because the same exchange model can land in three different legal doors across three countries.

Match your activity to the right regulatory gateway

A short decision logic helps narrow the field before any deep due diligence:

• Running an exchange or trading platform points toward a securities or payments licence: a VATP licence in Hong Kong, a DPT licence in Singapore, a CASP authorisation in the EU.
• Offering custody points toward custody-specific authorisation: a CASP authorisation in the EU, the crypto custody business authorisation under KWG in Germany.
• Moving money or operating as a money-services business points toward the AML gateway: MSB registration in the US and Canada, DCE registration in Australia, FCA registration in the UK.

Map your core activity to its gateway, then the regulator and statute follow from the country you choose. To see how each gateway maps onto a business model rather than a country, our complete guide to crypto licensing pillar walks through the full decision tree.

Have questions about your specific situation? Book a free 15-minute discovery call with our licensed lawyers, no commitment. Book a Call