Research Report: Crypto-Assets, Tokenization, and Digital Infrastructures - Regulatory Framework and Legal Profiles
The integration of distributed ledger technologies (DLT) into financial markets has triggered a profound shift in European and national legal frameworks, forcing a complex synthesis between fostering technological innovation and safeguarding financial stability and public savings. The dematerialization of financial instruments, the tokenization of real-world assets (RWA), and the automation of contractual obligations via smart contracts are no longer confined to regulatory "sandboxes." Instead, they form the cornerstone of a heavily regulated financial landscape. However, this transition faces systemic asymmetries. These stem from chronic domestic administrative delays in implementing technical decrees and deep-seated structural friction between the absolute immutability of distributed ledgers and traditional civil law doctrines governing property, asset transfer, and debtor liability.
The Expiration of the MiCAR Transitional Period: The July 1, 2026 Horizon
The upcoming final deadline of the transitional period under Regulation (EU) No. 2023/1114 (Markets in Crypto-Assets Regulation - MiCAR), set for July 1, 2026, marks a watershed moment for the digital asset industry. From this date forward, providing crypto-asset services within the European Union will be strictly prohibited for any entity lacking formal, prior authorization granted under the MiCAR framework. European supervisory authorities have established a highly demanding path for this transition. Unauthorised operators active in the market must implement "orderly wind-down plans" before July 1, 2026. These plans must guarantee the seamless transfer of client crypto-assets to fully licensed Crypto-Asset Service Providers (CASPs) or to self-hosted wallets, ensuring zero economic loss or disruption to retail investors.
The uncompromising rigidity of this transition reflects the EU legislator's determination to block regulatory evasion. Licensed CASPs are expressly prohibited from outsourcing or delegating critical operational functions—such as custody of private keys or client funds—to unlicensed entities, even if those entities belong to the same corporate group. Furthermore, "reverse solicitation" by third-country intermediaries is restricted to narrow, non-systematic exceptions and is entirely inapplicable to systematic, business-to-business (B2B) relationships. This shrinking regulatory space led Consob (Italy), AMF (France), and FMA (Austria) to release a joint Position Paper on September 15, 2025, calling for further centralization. Pointing out the limits of the current national ex-post reporting system to ESMA, the three regulators warned against systemic "regulatory arbitrage" by global players establishing headquarters in member states with more relaxed supervisory practices. Their primary proposal is to transfer direct licensing, supervisory, and sanctioning powers to ESMA for all significant CASPs, mirroring the centralized architecture of the banking Single Supervisory Mechanism (SSM).
Legislative Decree 129/2024 and the Italian Supervisory Architecture
Italy adapted its national framework to MiCAR via Legislative Decree No. 129 of September 5, 2024, which entered into force on September 14, 2024. Comprising 48 articles divided into six titles, the decree establishes a bipolar supervisory governance model, splitting responsibilities between the Bank of Italy and Consob while setting out clear mechanisms for domestic and cross-border cooperation. This division of competences aligns with traditional financial supervisory objectives:
- Bank of Italy: Designated as the competent authority for prudential supervision, systemic financial stability, crisis management, and anti-money laundering/countering the financing of terrorism (AML/CFT). It oversees issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs), as well as the prudential aspects of CASPs. The Bank of Italy is responsible for verifying the three-year capital adequacy of issuers and the robustness of their internal governance.
- Consob: Tasked with investor protection, orderly market operations, market integrity, and enforcing the market abuse regime (insider trading and market manipulation) under Title VI of MiCAR. It is the primary licensing authority for specialized CASPs (following consultation with the Bank of Italy) and leads the enforcement against unauthorized financial promotions.
Operational coordination is managed through a formal Memorandum of Understanding (MoU) signed in March 2025, which regulates joint opinions and approvals. For instance, the authorization of an ART white paper issued by credit institutions or Class 1 investment firms (SIMs) requires joint approval by the Bank of Italy and Consob. The decree also outlines a severe administrative sanctioning regime. Physical persons face fines ranging from €5,000 to €1,000,000, which can be increased up to threefold the illicit profit made. For corporate entities, fines can reach up to 10% of total annual turnover or double the profit generated, with supervisors empowered to remove administrative bodies or initiate judicial inspections under Article 2409 of the Civil Code.
To protect token holders, Legislative Decree 129/2024 introduces strict asset segregation and insolvency regimes modeled after traditional finance. The reserve of assets backing ARTs or EMTs must be legally segregated from the issuer's general estate. These reserves are exclusively dedicated to satisfying token redemption claims and are completely shielded from claims by other creditors of the issuer. In the event of an issuer’s bankruptcy, the reserves are liquidated to redeem token holders first. For any remaining unpaid balances, token holders are admitted to the bankruptcy proceedings as general unsecured creditors (creditori chirografari). If a specialized ART issuer experiences an irreversible crisis, it is subjected to banking compulsory administrative liquidation (liquidazione coatta amministrativa), whereas specialized CASPs undergo the insolvency regime designed for investment firms (SIMs).
Tokenization of Financial Instruments: The Italian Fintech Decree (D.L. 25/2023)
The tokenization of financial instruments and their circulation via distributed ledgers find structured regulatory footing in Italy under Decree-Law No. 25 of March 17, 2023 (the Fintech Decree), converted into Law No. 52/2023. This decree aligns the Italian framework with Regulation (EU) 2022/858 (the DLT Pilot Regime), which established a three-year experimental window for trading and settling digital securities. The Fintech Decree introduces a third legal regime for the form and circulation of securities (shares, bonds, and S.r.l. debt instruments), which runs parallel to traditional physical certificates and the centralized dematerialization regime managed by Central Securities Depositories (CSDs) under the Consolidated Law on Finance (TUF).
The core of the Fintech Decree rests on key articles governing the life cycle of digital securities:
- Article 2 (Definitions): Defines the "digital circulation register" and the "registry keeper" (responsabile del registro).
- Article 3 (Scope): Identifies the specific categories of financial instruments eligible for digital ledger registration.
- Article 4 (Issuance and Transfer): Mandates that the creation and transfer of digital financial instruments occur solely through entries on authorized DLT registers.
- Article 5 (Register Requirements): Requires that DLT registers ensure data integrity, authenticity, non-repudiation, non-duplication, and validity, preventing unauthorized alterations and providing direct, real-time access to Consob and the Bank of Italy.
- Article 6 (Legal Effects of Entries): Establishes that digital ledger entries carry the same legal weight as traditional physical delivery or centralized dematerialization, serving as the exclusive proof of entitlement to the underlying rights.
- Article 13 (Obligations of the Registry Keeper): Obligates keepers to guarantee the accuracy, completeness, and continuous updating of issuer records, alongside maintaining cyber-resilience and operational business continuity.
Registry keepers must be registered in a public list maintained by Consob, under procedures detailed in Consob Resolution No. 22923 of December 6, 2023. From an AML perspective, Article 26-bis of the decree classifies registry keepers as "other non-financial operators" under Legislative Decree 231/2007, subjecting them to strict customer due diligence (CDD) and suspicious activity reporting (SAR). Under Article 30, administrative fines ranging from €5,000 to €5,000,000 apply to any registry keeper failing to meet operational standards. A prominent domestic application of this framework is the European Investment Bank's (EIB) €100 million digital bond issued on the public Ethereum blockchain (under the ERC20 standard), which settled in wholesale central bank money utilizing the Bank of Italy's interoperable "TIPS Hash Link" solution. On the tax front, the Ministry of Economy and Finance (MEF) confirmed that digital bonds are subject to the standard 26% substitute tax on financial yields.
Capital Markets Reform and S.r.l. Quota Dematerialization
The tokenization landscape reached a major corporate milestone with the enactment of the Capital Markets Law (Law No. 21 of March 5, 2024). Article 2 of this law expands the legal definition of Small and Medium Enterprises (SMEs) by raising the maximum market capitalization threshold from €500 million to €1 billion, thereby widening the scope of companies eligible for simplified capital market regimes. Crucially, Article 3 introduces a groundbreaking structural change: S.r.l.s that qualify as SMEs may optionally opt for the dematerialization of their quotas, amending Article 26 of Decree-Law No. 179/2012 by inserting paragraphs 2-bis to 2-quater. Consequently, these quotas can be admitted to centralized dematerialization systems under Article 83-bis et seq. of the TUF, allowing them to circulate with the same ease and low transaction costs as S.p.A. shares.
Simultaneously, Article 28, paragraph 2, letter a-bis) of the Fintech Decree grants Consob the regulatory power to extend DLT-based tokenization to the quotas of all S.r.l.s, regardless of their SME status. This convergence represents a major shift away from the traditional, rigid corporate dogmas of the Italian Civil Code, under which the S.r.l. was strictly conceived as a closed, personalistic corporate model whose quotas could not be represented by shares or become the object of public financial offerings (Article 2468 of the Civil Code).
However, opening S.r.l.s to capital markets via DLT creates a significant legal asymmetry between the instant, peer-to-peer nature of blockchain transfers and the public-policy-driven registration requirements of the Italian Register of Companies (Registro delle Imprese). Under Italian corporate law, a quota transfer only produces legal effects toward the company and third parties once it is formally registered with the Register of Companies. This process historically requires notary or accountant validation. As a result, there is a serious risk of a "dual circulation regime." A transfer of quota-representative tokens on a DLT might be contractually valid between the buyer and seller (inter partes) but completely ineffective and invisible to the company itself and third-party creditors (erga omnes) unless formally filed with the Register of Companies, undermining the speed and liquidity benefits of blockchain networks.
To further facilitate corporate financing, the Capital Markets Law also relaxes debt issuance limits. Article 7 amends Article 2483 of the Civil Code, stating that when S.r.l. debt securities are issued exclusively to professional investors, the requirement to have a supervised financial intermediary act as a guarantor of the issuer’s solvency is waived, dramatically reducing issuance costs. In terms of corporate governance, Article 13 increases the statutory limit for multiple-voting shares from 3 to 10 votes per share, while Article 14 expands loyalty-voting mechanisms under the TUF, enabling founding partners to preserve corporate control even as they open their capital to digital and traditional investors alike.
The Legal Nature of Tokens under Article 810 of the Italian Civil Code
The digitization of proprietary rights via distributed ledgers demands a deep ontological and civil law inquiry into the nature of tokens to determine where they fit within Book III of the Italian Civil Code ("Of Property"). The analysis begins with Article 810 of the Civil Code, which states that "things that can form the object of rights are assets (beni)." Traditionally, Italian civil law scholarship restricted the concept of "things" (cose) to physical, tangible matter (res corporales), excluding incorporeal assets from the scope of property law. This physicalist view is now widely considered obsolete. The explicit legal recognition of intangible assets, such as intellectual property (Article 2575 of the Civil Code), software (assimilated to literary works by Legislative Decree No. 518/1992), and radio spectrum frequencies, confirms that physical materiality is not a mandatory prerequisite for an asset to be classified as a "bene" under the law.
Modern civil law doctrine applies a functional, interest-oriented theory. A legal asset arises from the synthesis of a legally protected human interest (aimed at acquiring the utility of a resource) and a legal position structured by the legal system to guarantee exclusive control over that resource. From this perspective, non-financial tokens—such as utility tokens and Non-Fungible Tokens (NFTs)—can be categorized as intangible legal assets. They represent immutable, unique digital records on a DLT that grant exclusive control to the wallet holder. This exclusivity is secured by public-private key cryptography, which functionally replicates the exclusive enjoyment of physical property. In the case of Real-World Asset (RWA) tokenization (e.g., real estate), a physical asset is fractionally divided into multiple digital tokens, each representing a proportional interest in the underlying property. The transfer of the token via a DLT transaction represents a digital "traditio" (delivery), empowering the wallet holder to claim the corresponding physical rights or cash flows generated by the underlying physical asset.
Conversely, there is a clear consensus rejecting the classification of tokens as traditional bills of exchange or negotiable instruments (titoli di credito). Legal scholars and courts agree that the physical medium (the chartula) is an indispensable element of paper-based negotiable instruments, serving to physically incorporate the underlying right. Since a DLT token completely lacks a physical medium, it cannot benefit from traditional paper-based circulation rules. Instead, it is classified as an electronic document of legitimization, with its transfer governed by the special rules of DLT circulation and general contract and assignment rules under the Civil Code.
The Legal Status of Smart Contracts: The AgID Regulatory Inertia
The Italian legal system introduced a formal definition of smart contracts under Article 8-ter, paragraph 2, of Decree-Law No. 135/2018 (converted into Law No. 12/2019). The statute defines a smart contract as "a computer program operating on distributed ledger technologies, the execution of which automatically binds two or more parties based on effects pre-defined by them." Paragraph 3 of the same article states that a smart contract satisfies the statutory requirement of a written contract (forma scritta) provided that the parties have been electronically identified through a process meeting the technical standards established by the Agency for Digital Italy (AgID).
However, more than seven years after the law’s enactment, AgID has still not issued the general technical guidelines for electronic identification, creating a significant regulatory vacuum. In the absence of these guidelines, smart contracts do not benefit from an automatic legal presumption of written form. Consequently, their validity as written contracts remains subject to the discretionary evaluation of courts in the event of a dispute. To bypass this barrier, market players rely on Article 20, paragraph 1-bis of the Digital Administration Code (CAD). This article states that the written-form validity and evidentiary weight of an electronic document are evaluated in court based on the security, integrity, and immutability of the technology used. In practice, the lack of AgID guidelines has rendered the specific written-form provision of Law 12/2019 redundant, leaving businesses in a state of ongoing uncertainty regarding the formal enforceability of purely code-coded agreements.
From an interpretive and dogmatic standpoint, a major conflict exists regarding the concept of "execution." Under Italian civil law, a contract is concluded by the mutual consent of the parties (Article 1321 of the Civil Code) and is logically and chronologically separate from the performance of the obligations. In a smart contract, however, the execution of the computer code (the automated if/then logic) is simultaneous with or entirely absorbs the consent phase. Deploying or interacting with the program constitutes the manifestation of will, and the contract's execution is hardcoded into the protocol, eliminating the possibility of voluntary non-performance. Legal and technical experts therefore distinguish between:
- Smart Contract Code: The raw computer code deployed on a blockchain (e.g., Solidity code), which is not a contract in itself but an automated execution tool.
- Smart Legal Contract: A contract structured through a combination of natural legal language and automated computer code, where the code implements or automates specific clauses of a broader legal agreement.
Developers and legal practitioners must navigate this distinction with extreme care. Because code deployed on a public DLT is functionally immutable, deploying a smart contract on-chain can be legally construed as an offer to the public or an irrevocable offer under Article 1326 of the Civil Code. This immutability makes it exceptionally difficult to adapt the agreement to unexpected external changes or to incorporate flexible contract-termination clauses, such as evaluating whether a breach of contract is of "minor importance" under Article 1455 of the Civil Code. Furthermore, smart contracts must be coordinated with emerging European regulations:
- Digital Operational Resilience Act (DORA): Imposes strict ICT security and resilience standards on financial entities, requiring them to verify the reliability and safety of smart contracts through independent audits and vulnerability testing before deployment.
- Artificial Intelligence Act (AI Act): Applies directly to smart contracts that incorporate automated decision-making or machine-learning algorithms to assess creditworthiness, price risk, or manage digital asset portfolios.
In a partial effort to address this regulatory vacuum, AgID issued specific technical rules on May 15, 2024, for a single, narrow use case: the certification of DLT platforms used to issue electronic surety bonds (under Article 106, paragraph 3 of the Italian Public Procurement Code). These rules mandate that platforms must meet Class 1 requirements, guaranteeing the absolute inalterability of system logs. Electronic identification of the parties must achieve a "substantial" or "high" assurance level under the eIDAS Regulation. Finally, the surety bond must be written onto the ledger via a smart contract, allowing any public authority to verify the bond's validity in real-time. This application demonstrates the immense potential of DLT in preventing fraud within public tenders.
The Structural Friction between Blockchain and the GDPR
The absolute immutability and permanent record-keeping of DLT systems, legally mandated by Article 8-ter of Italian Law No. 12/2019, create an unresolved systemic conflict with the General Data Protection Regulation (GDPR - Regulation EU 2016/679). Specifically, Article 17 of the GDPR establishes the "Right to Erasure" (or "Right to be Forgotten"), which obligates data controllers to erase personal data without undue delay when the data is no longer necessary or when the data subject withdraws consent.
The core architecture of blockchain networks—relying on sequentially linked blocks validated via cryptographic consensus mechanisms (e.g., Proof of Work or Proof of Stake)—makes the physical deletion or retroactive modification of recorded data technically impossible. Altering past records would break the cryptographic chain, invalidating the entire ledger across all network nodes. While the use of public keys and cryptographic hashes provides robust pseudonymization (encouraged by Recitals 28 and 29 of the GDPR), public wallet addresses and transaction histories are still classified as personal data. This is because they can easily be linked to real-world identities when combined with external databases, such as the Know-Your-Customer (KYC) registries maintained by CASPs.
This creates a clear legal paradox: to comply with Law 12/2019, a DLT platform must guarantee that data is absolutely unalterable, but to comply with the GDPR, it must allow for data modification or deletion (Article 16 and 17 GDPR). To mitigate this liability, "privacy by design" best practices recommend never storing personal data (even in encrypted or hashed form) directly on-chain. Instead, operators should deploy off-chain architectures where personal data is stored in traditional, securable databases, and only a non-reversible cryptographic hash is anchored to the blockchain. If the underlying data is deleted from the off-chain server, the remaining on-chain hash is rendered entirely anonymous and devoid of any informational value, ensuring compliance with both frameworks.
The Recast Transfer of Funds Regulation (TFR - Regulation UE 2023/1113)
To combat money laundering and terrorist financing, the European Union enacted Regulation (EU) 2023/1113 (the recast Transfer of Funds Regulation - TFR), which became fully applicable on December 30, 2024, alongside the rollout of MiCAR licensing. The TFR recast repeals the previous Wire Transfer Regulation (Regulation EU 2015/847) and extends the Financial Action Task Force’s (FATF) "Travel Rule" (Recommendation 16) directly to crypto-asset transfers.
The most significant change is the complete elimination of any de minimis threshold for crypto-asset transfers processed by CASPs. While traditional fiat bank transfers under €1,000 within the EU benefit from simplified reporting rules, every single crypto-asset transfer (even if valued at a fraction of a cent) must be accompanied by the verified personal data of both the originator and the beneficiary:
- Originator Data: Full name, distributed ledger address or crypto-asset account number, and at least one of the following: physical postal address, national identity document number, or date and place of birth.
- Beneficiary Data: Full name, and distributed ledger address or crypto-asset account number.
This data must be transmitted securely, in a structured format, and either prior to or simultaneously with the transfer. In the case of batch transfers (multiple individual transfers bundled into a single file), each individual transfer must be fully traceable. Receiving CASPs must have risk-based procedures to detect missing or incomplete data, empowering them to suspend, reject, or request information for non-compliant transfers, and report repeat offenders to AML authorities. All collected data must be retained for at least five years, extendable to ten years under national criminal investigations.
Furthermore, exceptionally strict rules apply to transfers involving self-hosted (or unhosted) wallets, which present elevated AML risks due to the lack of a regulated financial intermediary. For any transfer exceeding €1,000 to or from a self-hosted wallet, the mediating CASP is legally required to verify whether its client owns or controls that wallet. The European Banking Authority (EBA) guidelines (EBA/GL/2024/11, paragraph 83) clarify that a client’s simple written self-disclosure is insufficient. Instead, CASPs must use active verification methods, such as requiring the client to sign a cryptographic message using the wallet's private key, executing a micro-transaction of a specified amount to or from the wallet, or deploying advanced blockchain analytics to verify that the wallet is not associated with illicit activities or darknet markets. Failing to comply with TFR mandates exposes CASPs to severe administrative fines of up to 10% of their total annual turnover, or double the economic benefit derived from the violation.
Conclusion and Future Outlook
The transition toward fully digitized financial markets based on distributed ledgers is an irreversible process, backed by a highly comprehensive European regulatory framework. However, the long-term success of the "token economy" in Italy and Europe hinges on resolving the systemic legal asymmetries highlighted in this report. It is of paramount importance that AgID immediately issues the technical guidelines for smart contract identification under Law 12/2019, ensuring that the legislative effort does not remain a dead letter and that market players are not left in perpetual litigation. Similarly, establishing a standardized, automated technical interface between DLT registers and the Register of Companies is essential to synchronize S.r.l. quota transfers in real-time, preventing the emergence of a disjointed dual circulation regime. Only by guaranteeing absolute legal certainty, enforcing DORA-compliant cybersecurity, and centralizing supervision under ESMA can the European Union secure its position as a global leader in digital finance.
Editorial note from the Law Firm: This article has purely informative and educational purposes and does not constitute in any way a legal opinion or personalized professional advice.

// Commenti