EU Crypto Sanctions Framework 2026 — CASP Compliance Guide

The EU sanctions framework structure

EU sanctions framework operates through several layers:

EU consolidated sanctions list. The Council of the EU maintains the consolidated list covering individuals, entities, vessels, and other subjects of EU restrictive measures. The list is updated continuously — new designations are added by Council decision, existing designations are reviewed periodically. EU CASPs must screen against the consolidated list at customer onboarding and continuously throughout the customer relationship.

Sectoral sanctions packages. Major sectoral regimes restrict specific economic activity:

• Russia (Council Regulation 833/2014 and subsequent amendments) — most extensive sectoral regime, including specific crypto-asset transaction prohibitions
• Belarus (Council Regulation 765/2006 and amendments) — paralleling Russia framework
• Iran (Council Regulation 267/2012) — comprehensive financial-services restrictions
• North Korea (Council Regulation 329/2007) — near-total embargo
• Other targeted regimes

Country embargoes. Comprehensive country-specific embargoes affecting trade and financial-services activity. Cuba, Syria, Venezuela (sectoral), and various others operate under country-specific Council Regulations.

Implementing legislation in member states. Each EU member state has national legislation implementing EU sanctions framework — penalty rules, enforcement authority designation, reporting obligations. The national implementation varies; the EU framework is binding.

Russia/Belarus crypto provisions

The Russia and Belarus sanctions packages contain specific crypto-asset transaction provisions that CASPs must comply with:

Prohibition on crypto-asset wallet provision. EU CASPs are prohibited from providing crypto-asset wallet, account, or custody services to Russian persons (broadly defined) or persons located in Russia. The prohibition operates regardless of transaction value.

Prohibition on crypto-asset transactions. EU CASPs cannot facilitate crypto-asset transactions for or with Russian persons or entities. The scope includes exchange transactions, transfers, custody operations.

Specific entity sanctions. Numerous Russian financial institutions, oligarchs, government officials, and entities are individually designated. CASPs must screen against these specific designations at onboarding and continuously.

Sectoral overlays. Additional restrictions apply to specific sectors — Russian government finance, Russian energy, Russian luxury imports, others. Crypto-asset activity tied to these sectors faces enhanced scrutiny.

Reporting obligations. CASPs must report frozen assets, refused transactions, and attempted breach activity to national competent authorities. Reporting frameworks vary by member state.

The Russia/Belarus framework has been extended and tightened multiple times through 2022-2026. Operators must monitor amendments continuously — the framework evolves rapidly.

Country embargo regimes

Several EU country embargo regimes affect crypto-asset activity:

Iran. Council Regulation 267/2012 establishes the EU Iran sanctions framework. Iran is one of the most-restricted jurisdictions globally. EU CASPs face near-total prohibition on Iran-related crypto-asset activity. Customer screening must identify Iran connections; transactions involving Iran must be blocked.

North Korea. Council Regulation 329/2007 establishes near-total embargo on North Korea. EU CASPs cannot conduct any crypto-asset activity with North Korea persons or entities. North Korea has been particularly active in crypto-asset theft (Lazarus Group, others); CASPs face elevated screening requirements.

Cuba, Syria, Venezuela (sectoral). Country-specific frameworks impose various restrictions. CASPs with customer base in these jurisdictions face specific compliance obligations.

Geographic IP blocking. Many CASPs implement geographic IP blocking to restrict access from sanctioned jurisdictions. This is operationally common but does not substitute for customer-level screening — sanctioned persons can route through non-sanctioned-jurisdiction connections.

OFAC overlay for US-touching activity

Any US-touching activity triggers US OFAC sanctions compliance. The US extraterritorial reach is substantial.

US-touching triggers:

• US customers (residence, citizenship, or substantive US connection)
• US dollar denominated transactions
• US payment infrastructure (US correspondent banks, US-licensed payment processors)
• US-based investors or substantial US ownership
• US-based vendors or service providers

OFAC SDN list. OFAC’s Specially Designated Nationals list covers individuals, entities, vessels, and other designated subjects. Real-time screening against SDN list at customer onboarding and continuously.

OFAC 50% rule. Entities 50%+ owned by sanctioned persons are themselves sanctioned even if not explicitly listed. Beneficial ownership screening must capture this layered exposure.

Sectoral US sanctions. NS-MBS-LIST (national security mining/blockchain), Non-SDN Communist Chinese Military Companies List, others. Specific industry-sector restrictions.

Enforcement actions. OFAC has enforced against non-US crypto operators for US-touching violations. Tornado Cash (2022), various exchange enforcement actions through 2023-2026. Penalties have run into hundreds of millions of dollars.

EU CASPs with any meaningful US connection need OFAC-compliant infrastructure regardless of EU sanctions screening. The two systems operate in parallel — EU compliance does not substitute for OFAC compliance.

Blockchain analytics for sanctions screening

Crypto-asset sanctions compliance requires blockchain analytics integration. The operational landscape includes several providers:

Chainalysis. Most-established blockchain analytics provider. Comprehensive sanctioned-wallet databases. Real-time transaction screening API. Industry standard for many large operators.

Elliptic. Established analytics provider with strong EU presence. Sanctions screening capabilities. Risk-rating framework.

TRM Labs. Modern analytics platform with growing market share. Comprehensive sanctions screening. Strong US enforcement-cooperation reputation.

Crystal Blockchain. EU-focused analytics platform. Sanctions screening and broader compliance support.

Coinfirm, Merkle Science, Scorechain, others. Various secondary providers with specific niche or regional positioning.

Most operators integrate multiple providers for redundancy and broader coverage. Single-provider strategies produce screening-gap risk where the provider misses recent designations or coverage areas.

Blockchain analytics screening operates at multiple touchpoints:

• Customer onboarding — wallet ownership history screening
• Transfer screening — real-time check at transfer initiation
• Ongoing monitoring — periodic re-screening of customer wallet activity
• Receipt screening — incoming transfer source-wallet screening

Operational compliance build

Sanctions compliance build for a typical EU CASP involves several workstreams:

Real-time screening infrastructure. Customer onboarding screening, transaction-level screening, continuous re-screening against updated lists.

Blockchain analytics integration. API integration with one or more analytics providers. Risk-rating workflow. Alert handling framework.

Geographic restriction infrastructure. IP-based geographic blocking. Customer-stated residence verification. Jurisdiction-restriction compliance.

Alert investigation framework. Compliance team workflow for screening alerts. False-positive disposition. Confirmed-match escalation.

Asset freezing capability. Operational capability to freeze customer assets and transactions when sanctions match confirmed. Reporting to national competent authority.

Reporting and recordkeeping. Reports to national CA on frozen assets, refused transactions, attempted breach activity. Audit-ready records of all sanctions-screening activity.

Training and certification. AML/sanctions team training, compliance officer certification, ongoing knowledge maintenance.

First-year sanctions compliance build runs EUR 100-300k typically for mid-tier CASPs. Ongoing operational cost runs EUR 50-150k per year. The build is one of the more sensitive aspects of MiCA CASP compliance — errors produce strict-liability enforcement exposure.

Practical takeaways

EU crypto sanctions compliance is operationally demanding and produces strict-liability enforcement risk. Three principles:

Build for continuous screening, not one-time onboarding check. Sanctions designations change daily. Continuous re-screening, real-time transaction screening, and blockchain analytics integration are operational requirements.

Address OFAC overlay for any US-touching activity. Even nominally EU-only operations often have US connections. OFAC compliance applies; sanction enforcement is active.

Integrate blockchain analytics for self-hosted wallet sanctions screening. Transfers to/from sanctioned-person-controlled self-hosted wallets are prohibited regardless of VASP-side screening. Analytics integration is the operational standard.

For corrections, updates, or counsel referrals on EU crypto sanctions compliance, email [email protected].