EU Regulation
Crypto regulation in Europe is evolving fast. Here is a plain-language overview of the frameworks that govern how we operate, and what each one means for you as a client.
Markets in Crypto-Assets Regulation
MiCA (Regulation EU 2023/1114) is the European Union's comprehensive regulatory framework for crypto-assets. It entered into force in June 2023, with provisions for asset-referenced tokens and e-money tokens applying from June 2024, and the full framework (including authorization requirements for Crypto-Asset Service Providers) applying from December 30, 2024.
MiCA replaces the patchwork of national regulations that previously governed crypto businesses across EU member states. Before MiCA, each country had its own licensing regime. Bulgaria, where Novudi is registered, was among the countries that implemented VASP registration requirements early. Under MiCA, these national registrations are being replaced by a unified EU-wide authorization system.
What MiCA Covers
CASP Authorization
Crypto-Asset Service Providers must obtain authorization from a national competent authority. This includes capital requirements, governance rules, and conduct-of-business obligations. Existing VASPs benefit from a transitional period of up to 18 months depending on the member state.
White Paper Obligations
Issuers of crypto-assets must publish a detailed white paper disclosing key information about the asset, the issuer, and the risks involved. This does not apply to service providers like Novudi, but it means the assets we facilitate are subject to greater transparency standards.
Consumer Protection
MiCA introduces specific rules to protect retail consumers: clear communication about risks, prohibition of misleading marketing, right to withdraw from certain transactions, and liability rules for CASPs in case of security breaches or operational failures.
What MiCA Means for Novudi Clients
Do I need to do anything differently under MiCA?
No. As a client, the transition is seamless. You may notice minor improvements to our disclosures and communications, but the core service remains the same. MiCA primarily affects how we are regulated, not how you use our services.
Is Novudi authorized under MiCA?
Novudi (Novu Tech Ltd) is a registered VASP under Bulgarian law, supervised by the Financial Supervision Commission. Under MiCA's transitional provisions, existing VASPs may continue operating while the full authorization process is completed. Bulgaria has set a transitional period in line with the regulation's maximum of 18 months from December 30, 2024. We are actively working through the MiCA authorization process.
Will MiCA affect the assets Novudi can offer?
MiCA gives regulators new tools to restrict or delist certain tokens that don't meet transparency requirements. In practice, the major cryptocurrencies (BTC, ETH, SOL, USDT, USDC, XRP, BNB, and other top-tier assets) are well-established and supported under MiCA. We continuously review our asset list to ensure compliance.
Does MiCA mean Novudi can operate across the entire EU?
Yes, eventually. One of MiCA's key benefits is the EU-wide passport. Once a CASP is fully authorized in one member state, it can provide services across the entire EEA without needing separate licenses. This will simplify cross-border operations for both providers and clients.
The Travel Rule for Crypto Transfers
The Transfer of Funds Regulation (TFR, Regulation EU 2023/1113) extends the so-called "Travel Rule" to crypto-asset transfers. Adopted alongside MiCA and applicable from December 30, 2024, it requires CASPs to collect and transmit information about the originator (sender) and beneficiary (receiver) of every crypto-asset transfer.
Unlike traditional wire transfers under the original TFR (which has a de minimis threshold of EUR 1,000), the crypto Travel Rule applies to all transfers regardless of amount. This means that even a small Bitcoin transaction requires the sending CASP to include the sender's full name, account number, and address (or national ID number, or customer ID, or date and place of birth), and the receiving CASP must verify the beneficiary's identity.
The logic behind the zero-threshold approach is that crypto transfers can easily be split into smaller amounts to evade detection. By requiring identification for every transfer, regulators aim to close this gap.
How the Travel Rule Affects You
What information does Novudi collect for the Travel Rule?
For outgoing transfers, we record the sender's full name, account identifier, and one of the following: address, national ID number, customer ID number, or date and place of birth. For incoming transfers, we verify the beneficiary's full name and account identifier. This information is transmitted securely between CASPs.
Does the Travel Rule apply to self-hosted wallets?
Yes, with some nuances. When a transfer is sent to or from a self-hosted wallet (also called "unhosted" or "non-custodial" wallet), the CASP involved must still collect the required information about its own client. For transfers above EUR 1,000 to or from a self-hosted wallet, the CASP must also verify the ownership of that wallet. Since Novudi operates on a non-custodial model and sends directly to your wallet, we implement these checks as part of our standard KYC process.
Will the Travel Rule slow down my transactions?
In most cases, no. Because we already collect comprehensive KYC information during onboarding, the additional data required by the Travel Rule is typically already on file. The information exchange between CASPs happens electronically and does not add noticeable delay to transaction processing.
How is Travel Rule data transmitted between providers?
CASPs use secure electronic messaging protocols to exchange Travel Rule data. These systems are designed to ensure that personal information is transmitted only to the counterparty CASP and is protected with encryption during transit. The data is not published on the blockchain or accessible to third parties.
Anti-Money Laundering Framework
The EU's fight against money laundering has evolved through a series of directives. The 5th Anti-Money Laundering Directive (5AMLD, Directive 2018/843) was the first to bring virtual asset service providers under AML obligations. The 6th AML Directive (6AMLD, Directive 2018/1673) harmonized the definition of money laundering offenses across all member states and introduced stricter penalties.
In 2024, the EU adopted a comprehensive new AML package that represents the most significant overhaul in decades. It includes: the AML Regulation (AMLR), a directly applicable single rulebook that replaces the directive-based approach; the 6th Anti-Money Laundering Directive (AMLD6), which replaces the previous 4th and 5th directives; and the creation of the Anti-Money Laundering Authority (AMLA), a new EU-level supervisory body headquartered in Frankfurt.
AMLA will have direct supervisory powers over the highest-risk financial entities, including certain CASPs. It will also coordinate national Financial Intelligence Units (FIUs) and set binding technical standards for AML compliance across the EU.
How Novudi Implements AML/CFT
Customer Due Diligence
Every client undergoes identity verification (CDD) before trading. For higher-risk profiles (politically exposed persons, clients from higher-risk jurisdictions, or unusually large transactions), we apply Enhanced Due Diligence (EDD) with additional documentation and scrutiny.
Transaction Monitoring
All transactions are monitored against risk-based rules and patterns. Unusual activity (structuring, rapid turnover, inconsistent source of funds) triggers internal review. We also perform blockchain analytics to assess the origin and destination of crypto-asset flows.
Sanctions Screening
Every client and transaction is screened against EU, UN, and OFAC sanctions lists. We maintain up-to-date sanctions databases and perform checks at onboarding and on an ongoing basis. Matches result in immediate blocking and reporting to the relevant authorities.
What happens if Novudi identifies suspicious activity?
We file a Suspicious Activity Report (SAR) with the Bulgarian FIU (Financial Intelligence Directorate at SANS). We are legally prohibited from informing the client that a SAR has been filed (this is called the "tipping-off" prohibition). Depending on the nature of the suspicion, the transaction may be frozen pending investigation.
How long does Novudi keep AML records?
Under Bulgarian law and EU regulations, we retain all KYC documentation, transaction records, and compliance records for a minimum of five years after the end of the business relationship or the date of the transaction. Some records may be retained longer if required by specific regulatory orders.
General Data Protection Regulation
The General Data Protection Regulation (Regulation EU 2016/679, GDPR) has been in effect since May 25, 2018. It governs how organizations collect, process, store, and share personal data of individuals in the EU. For a crypto service provider that handles sensitive identification documents, financial data, and transaction records, GDPR compliance is not optional. It is foundational.
GDPR creates an inherent tension with AML regulations: on one hand, we are required to collect extensive personal data for KYC compliance; on the other, we must minimize data collection and limit retention. Navigating this balance correctly is one of the more complex aspects of operating a regulated crypto business in Europe.
Novudi resolves this by collecting only the data strictly necessary for regulatory compliance (lawful basis: legal obligation under AML regulations) and retaining it for the minimum period required by law. Once the retention period expires, data is securely deleted or anonymized.
GDPR and Your Personal Data
Right to Access
You can request a copy of all personal data we hold about you. We respond to access requests within 30 days. The data is provided in a structured, machine-readable format.
Right to Rectification
If any of your personal data is inaccurate or incomplete, you have the right to request correction. Contact us with the specific data point and we will update our records promptly.
Right to Erasure
You can request deletion of your personal data. However, this right is limited where we are legally required to retain data (e.g., AML record-keeping obligations of five years). We will delete any data not subject to legal retention requirements.
What personal data does Novudi collect?
We collect: full name, date of birth, nationality, residential address, government-issued ID document (number and copy), proof of address, email address, phone number, transaction history, and blockchain wallet addresses. For corporate clients, we also collect UBO information, company registration documents, and articles of association.
Who can access my data?
Your data is accessible only to Novudi's compliance team and authorized personnel on a need-to-know basis. We share data with our EU-regulated identity verification provider (as a data processor under GDPR), and with competent authorities (regulators, FIU, law enforcement) when legally required. We never sell personal data or share it for marketing purposes.
How is my data stored and protected?
All personal data is encrypted at rest and in transit. We use AES-256 encryption for stored data and TLS 1.3 for data transmission. Access controls are implemented with role-based permissions and multi-factor authentication. Our infrastructure is hosted within the EU, and we perform regular security audits.
Digital Operational Resilience Act
DORA (Regulation EU 2022/2554) has been applicable since January 17, 2025. It establishes uniform requirements for the security of network and information systems of financial entities, including CASPs authorized under MiCA. DORA covers ICT risk management, incident reporting, digital operational resilience testing, and management of ICT third-party risk.
In practical terms, DORA means that crypto service providers must meet the same IT security and operational resilience standards as banks and investment firms. This includes maintaining documented ICT risk management frameworks, implementing business continuity plans, reporting significant ICT incidents to competent authorities within strict timelines, and conducting regular penetration testing.
DORA also regulates the relationship between financial entities and their critical ICT service providers (such as cloud infrastructure providers). This ensures that the entire technology chain, not just the front-facing service, meets appropriate security and resilience standards.
The Regulatory Landscape at a Glance
MiCA
Reg. EU 2023/1114. Comprehensive crypto-asset regulation. CASP authorization, consumer protection, market integrity, EU passport. Fully applicable since December 2024.
Travel Rule (TFR)
Reg. EU 2023/1113. Originator/beneficiary info for all crypto transfers. Zero threshold. Applied since December 2024.
AML Package
AMLR + AMLD6 + AMLA. Single AML rulebook, new EU supervisory authority in Frankfurt, direct oversight of high-risk entities. Adopted 2024, phased application 2025-2027.
GDPR
Reg. EU 2016/679. Data protection. Collection minimization, explicit consent or legal basis, data subject rights, breach notification. In effect since May 2018.
DORA
Reg. EU 2022/2554. ICT risk management, incident reporting, resilience testing, third-party risk. Applied since January 2025.
eIDAS 2.0
Reg. EU 2024/1183. EU Digital Identity Wallet. Will enable streamlined, cross-border identity verification for financial services. Expected to simplify KYC processes significantly once national wallets are deployed.
Regulation FAQ
Is crypto legal in the EU?
Yes. Buying, selling, holding, and transferring crypto-assets is legal in the EU. MiCA provides the regulatory framework that specifically legalizes and regulates these activities. What is prohibited is providing crypto-asset services without proper authorization, not the activity of trading or holding crypto itself.
Why does regulation matter for crypto users?
Regulation provides legal certainty, consumer protection, and recourse mechanisms. If you trade with an unregulated entity and something goes wrong, you have limited legal options. With a regulated provider, you benefit from capital requirements (the company must maintain financial reserves), conduct rules (clear obligations on pricing transparency and communication), and complaint procedures supervised by a public authority.
Does Novudi report my transactions to tax authorities?
Novudi complies with all applicable reporting obligations. The EU's Directive on Administrative Cooperation (DAC8, adopted in 2023) requires crypto service providers to report certain transaction data to tax authorities starting from January 1, 2026. This aligns with the OECD's Crypto-Asset Reporting Framework (CARF). We will comply with these requirements as they come into effect. Tax obligations are the responsibility of each individual client based on their country of tax residence.
What is the difference between a VASP and a CASP?
VASP (Virtual Asset Service Provider) is the term used in international standards (FATF) and in national pre-MiCA regulations, including Bulgaria's current framework. CASP (Crypto-Asset Service Provider) is the term used by MiCA. Functionally, they describe the same type of entity: a company that facilitates crypto-asset transactions for clients. As MiCA's authorization process replaces national VASP registrations, the terminology is shifting from VASP to CASP.
Where can I verify Novudi's regulatory status?
Novu Tech Ltd is registered in Bulgaria with Unified Identification Code (UIC) 207892707, verifiable through the Bulgarian Commercial Register. Our VASP registration is supervised by the Financial Supervision Commission of Bulgaria (FSC). You can contact the FSC directly to verify our status.
Questions About Regulation?
Our compliance team is available to answer specific questions about how EU regulations affect your transactions.
Contact Us