Crypto regulation in 2025: Implications for blockchain infrastructure providers

In 2025, crypto regulation entered a new era. Jurisdictions have transitioned from fragmented guidance to structured legislative frameworks, shaping compliance for providers of blockchain infrastructure.
In this blog post, we detailed 2025’s key regulations in the EU and the US for blockchain. Here is a brief overview and the consequences for blockchain infrastructure providers.
Introduction to 2025’s regulatory climate
In the EU, MiCA became fully applicable on December 30, 2024, introducing unified rules for crypto‑asset issuers and service providers across all member states.
Globally, the OECD’s CARF/DAC8 framework mandates automatic exchange of tax and transaction data from January 2026 (EU), with U.S. reporting rules under the IRS starting January 2025 [2].
Meanwhile, U.S. legislation such as the GENIUS Act for stablecoins, the CLARITY Act to clarify regulatory treatment, and the SEC’s “Project Crypto” initiative are reshaping the landscape [3].
What impact do these regulations have on infrastructure providers?
Blockchain infrastructure providers must build a documented ICT (information and communication technology) risk‑management framework (including risk identification, business continuity, and recovery planning), maintain incident‑detection and classification systems, conduct digital operational resilience testing (such as threat‑led penetration tests), and monitor subcontracted ICT suppliers under contractual oversight rules.
Risk identification: Creating a detailed inventory of all ICT assets—including hardware, software, systems, and dependencies—and identifying potential threats such as cyberattacks, downtime, or data breaches [4].
Risk assessment and tolerance setting: Evaluating each identified risk in terms of its likelihood and potential impact. Organizations must define acceptable thresholds to guide decision‑making on which risks to mitigate, transfer (e.g. via insurance), accept, or avoid.
Risk mitigation and control design: Implementing appropriate strategies, protocols, processes, and tools to reduce or remove identified risks. This includes cybersecurity controls, access management, encryption, and incident response mechanisms.
Continuous monitoring and reviews: Regularly monitoring ICT risks and control effectiveness, and reviewing the framework at least annually or following significant ICT incidents or audit findings.
Documentation and auditability: Organizations must maintain thorough documentation of their ICT risk management framework, controls, decision‑making processes, and audit trails. Internal audits must assess both the framework and the residual risk remediation process [5].
Security benchmarks: ISO 27001 and SOC 2 Type II
ISO 27001 and SOC 2 Type II are now prerequisites for institutional engagement. ISO 27001 establishes a global standard for a fully functioning Information Security Management System (ISMS), while SOC 2 focuses on ongoing controls around security, availability, confidentiality, processing integrity and privacy.
SOC 2 Type II audits validate controls over a period (typically six to twelve months), offering prospective clients evidence of sustained operational governance and risk management in practice [6].
In order to keep the trust of networks and staking providers, blockchain infrastructure providers need to achieve both certifications, strengthening credibility: ISO 27001 signals strategic, risk‑based governance; SOC 2 demonstrates continuous, audit‑ready operations. Together, they align with expectations from regulated financial clients and institutional partners.
At Moonlet, these certifications are more than regulatory checkboxes—they are core to our promise of trust and resilience.
As institutional participation in blockchain deepens and regulatory scrutiny sharpens, staking providers and validators must prove they operate with the same rigor as traditional financial infrastructure.
By pursuing both ISO 27001 and SOC 2 Type II, Moonlet is reinforcing its position as a secure and dependable infrastructure partner. For our users, these certifications mean their data, assets, and delegated stake are managed under internationally recognized standards of information security and operational integrity. It’s a commitment to transparency, compliance, and long-term alignment with both blockchain ecosystems and the institutions that are increasingly powering them.
Tax reporting obligations: CARF / DAC8
Under CARF / DAC8, crypto‑asset service providers (CASPs) operating in the EU must collect user-level tax and transaction data and report it to tax authorities beginning in January 2026 (with preparatory systems in 2025).
This requires businesses that directly interact with user funds, such as custodians and exchanges, to implement stringent compliance measures. These measures include capturing KYC and tax data, implementing formal reporting workflows, and enabling secure data exchange. For companies that provide the underlying technology for these services, this creates a new role: that of a crucial partner in achieving regulatory compliance. Even non-custodial solution providers must ensure their infrastructure can integrate with their clients' systems to facilitate the necessary transaction monitoring and data reporting, thereby enabling their clients to meet the required audit standards.
Custody standards and asset segregation
In both U.S. and EU frameworks, regulatory requirements for crypto custody are aligning toward established principles from securities markets: strict separation of client assets, documented beneficial ownership, resilience roles for custodians, and audit trails to prevent misuse or commingling of funds. These requirements elevate expectations for transparency and robustness in custody and staking interfaces.
These layered frameworks together define a complex compliance landscape for blockchain infrastructure providers. But providers such as Moonlet who comply can position themselves as resilient, secure, and governance‑ready partners for regulated financial players.
Sources and further reading
[1] https://www.innreg.com/blog/eu-crypto-regulation-guide
[2] https://www.scorechain.com/blog/crypto-regulation-eu-2025




