When Digital Assets Regulations Intersect With Privacy and Security Requirements
March 20, 2025
Kicking off 2025, there is a tremendous amount of speculation and expectation for what the year will hold for the digital assets industry, particularly in anticipation of more regulatory clarity and market growth. In the European Union (“EU”), the full force of the Markets in Crypto-Assets Regulation (“MiCAR”) has taken effect, alongside the Transfer of Funds Regulation and the Digital Operational Resilience Act.1 These three regulatory pillars work together to establish comprehensive oversight of digital assets, addressing market integrity, anti-money laundering risks and operational security as crypto natives, fintech companies and financial services institutions navigate the implications and opportunities. In the United States, a new Executive Order and a new Congress are expected to spur rapid change in the digital assets regulatory regime.2
In some instances, these new legal and regulatory developments may conflict with existing data privacy and security laws, or introduce additional compliance burdens, adding complexity for organizations striving to engage with the digital assets ecosystem in a compliant manner. As new innovations and regulatory oversight progress in parallel, industry players must renew their focus on governance, compliance and due diligence.
Understanding how to work through and address the many nuances of this emerging industry first requires a level set of the current state of lawmaking activity. While the landscape is varied worldwide, organizations in Europe and the United States should at a minimum examine their current obligations under MiCAR and take stock of the latest developments within the U.S. government.
MiCAR’s aim is to regulate, simplify and make the post-trading of crypto assets more secure within EU member states. Supplementary regulations to further reinforce this intention are in development as well. For example, the European Securities and Markets Authority is working on a demarcation of MiCAR from the Markets in Financial Instruments Directive, to provide additional clarity to organizations and consumers. Four key objectives that have been outlined for MiCAR include:3
- Increased protection against fraud for consumers.
- Removal of regulatory barriers for dealing with crypto assets.
- New sources of financing for companies.
- Development of new business models via crypto payment methods, as well as new investment opportunities.
There is an expectation that the strong consumer protection regulations under MiCAR could increase user trust in EU-based crypto firms, giving them an edge in attracting a broader customer base — especially in markets concerned about security and transparency. Conversely, this focus on transparency and compliance could be a burden to EU-based companies specializing in DeFi or privacy-centric projects, potentially pushing innovation in these areas to less-regulated jurisdictions.
Meanwhile, uncertainty remains in the United States, though the recent Executive Order from President Trump and other signals from government officials provide indicators of what’s likely to come. Specifically, the new Executive Order directed the creation of a consolidated task force or working group to evaluate the digital assets space and determine guidance for regulation within 180 days. It also suggests that there will likely be one dedicated regulatory body set to oversee crypto in the United States, a contrast to the current environment, where numerous agencies have overseen it through regulation by enforcement. If this is the end result of future regulation, the industry will gain clarity around how to comply and which agency to answer to.
Additionally, the incoming U.S. Securities and Exchange Commission leadership has indicated a crypto-friendly stance, suggesting the likelihood that more crypto exchange-traded funds (“ETFs”) will gain approval in the year ahead.4 Already, the SEC has backed out of crypto enforcement actions, notably dropping a high-profile investigation and lawsuit in early 2025.
Many industry participants also anticipate progress on stablecoin legislation and market structure bills. Further discussion and drafting of the Financial Innovation and Technology for the 21st Century Act (“FIT21”), which could provide greater regulatory clarity for digital assets, are expected.5 This legislation aims to clarify standards for decentralization, intermediary requirements and the potential evolution of future regulations, to support innovation and growth in the United States.
Stablecoins and stablecoin custody comprise another key area in the legislative landscape. Stablecoins currently seem to be gaining more traction in legislative discussions than other forms of cryptocurrency, largely because this category of digital assets can be easier to understand and value due to being linked to real-world assets. With stablecoin regulation, there will be a lot of discussion and decision making needed around whether traditional banks will be allowed to participate in that ecosystem, and if so, whether that activity will be subject to current banking rules.
In the context of privacy and security requirements, there are numerous benefits and challenges in the current approaches to digital assets regulations. For one, digital assets are much easier to trace than fiat; so, when concerns of illicit finance (or cyber ransom payments) arise, investigators and law enforcement have a robust set of tools available to them to follow the funds and see which individuals and entities they are flowing to. This is often not possible, or at a minimum, more complex, with fiat currency, given that the trail of money can be obfuscated.
The ability to track and trace can help law enforcement and governments identify dark markets, crack down on illicit funds transfers and track the activities of cyber actors who may be transacting with cryptocurrency. In a recent House Financial Services Committee hearing, some lawmakers referenced this benefit of traceability, confirming that there’s increasing recognition of the potential benefits digital assets introduce to financial markets, as well as security objectives.6 It will be important for law enforcement, government agencies, the industry and investigative experts to engage in this issue together and consider it in decisions about how to regulate the digital assets industry and its overlap with privacy and security issues.
MiCAR reinforces data privacy and security standards that underpin many established EU laws. For example, it requires crypto asset service providers to implement comprehensive data privacy measures by linking obligations directly to those within the General Data Protection Regulation (“GDPR”), including privacy-by-design principles and personal data encryption requirements. However, as MiCAR is enforced across EU jurisdictions, crypto businesses operating in multiple regions may face challenges with varied enforcement approaches by local regulators, particularly where there are discrepancies in privacy and security standards.
Depending on enforcement approaches across Europe and impending legislation in the United States, businesses operating in this space may find it challenging to harmonize efforts to comply with digital assets laws alongside privacy and security laws. For example, consider the possibility of a future bill that requires companies to disclose the amounts and types of cryptocurrency they have paid in ransoms to cyber criminals following a security incident. More than just policy could be at issue.
In this scenario, if a company were compromised in a cyberattack and required to make a public disclosure of the ransoms it paid out, it could result in the company becoming a larger future target for other criminal enterprises. So, while it might make sense on one hand to provide disclosure as to where funds are going and what cryptocurrencies were used, doing so could put companies (and by extension, their customers, employees and partners) in harm’s way. This hypothetical is just one example of how the complex web of regulations around digital assets may create nuanced or unforeseen conflicts for organizations. Therefore, policy decisions around cryptocurrency will require balancing the need for transparency around the use of cryptocurrency in criminal matters alongside the risks such transparency might exacerbate.
Because this is a developing space undergoing rapid and ongoing change, organizations must prioritize regulatory compliance and sound governance. Crypto businesses will likely need to allocate significant legal, operational and financial resources to ensure compliance with digital assets rules and fulfill a range of data protection and reporting obligations. Companies in the industry will also need to distinguish between guidance and mandates from various governments and adjacent laws (such as privacy and security regulations), as well as establish specific processes to address requirements across their organization. Implementation, testing and third-party validation of compliance controls will be paramount, and will require expert guidance. Knowing how to be compliant and how to prove it will be essential to reduce the risk of violating various financial, crypto and data protection laws.
Footnotes:
1: European Securities and Markets Authority, “Markets in Crypto-Assets Regulation (MiCA)” (last accessed March 2025).
2: The White House, “Strengthening American Leadership in Digital Financial Technology” (January 23, 2025).
3: European Securities and Markets Authority, “Markets in Crypto-Assets Regulation (MiCA)” (last accessed March 2025).
4: U.S. Securities and Exchange Commission, “Mark T. Uyeda Named Acting Chairman of the SEC” (2025).
5: Congress.gov, “Financial Innovation and Technology for the 21st Century Act” (July 2023).
6: House Committee on Financial Services, “Hearing Entitled: A Golden Age of Digital Assets: Charting a Path Forward” (February 2025).