In the blockchain world, technology often moves faster than the law – and startups that act quickly and boldly do not always act with sufficient legal awareness.
Unfortunately, many legal mistakes made in the early stages of development can hinder the scaling of a project, discourage investors, or lead to costly consequences. This is especially true now, as the European Union strives to foster new technologies and strengthen its innovation capacity.
What’s worse, startups often repeat the same patterns: poorly designed token issuances, lack of corporate safeguards, faulty documentation, or ignoring regulatory obligations.
  1. Lack of Token Classification Analysis

Many blockchain projects start by issuing their own token, usually assuming it has a “utility” function. Unfortunately, from a legal standpoint, the name does not matter – the function does. A token that can be sold for profit, grants dividend rights, represents a stake in the venture, or serves as an investment may be classified as a financial instrument.

In practice, this may create the need to prepare a prospectus, notify the financial regulator, and comply with the MiFID II regime[1]. Ignoring such obligations can result in serious financial sanctions and reputational damage.

If a token is not a financial instrument but still qualifies as a crypto-asset under the MiCA regulation[2], other requirements must be met, such as preparing an appropriate issuance document (a whitepaper) in line with EU standards.

Conclusion? According to attorney-at-law Wojciech Ługowski, before making the decision to issue a token, it is worth asking: What does the token really do, and what obligations follow from that?

  2. Lack of Required Licenses and Authorizations

Some founders assume that since their project runs on decentralized infrastructure, it is not subject to any regulations. This is a misconception. Even decentralized platforms can provide services that, in the eyes of regulators, require a license – for example, custody of tokens for users, brokerage in exchanges, or operating a trading platform.

According to Ługowski, many of these activities require obtaining the status of a Crypto-Asset Service Provider (CASP). Operating without such status effectively means conducting business without authorization.

Additionally, a startup may be considered an obliged institution required to implement AML/CFT procedures – meaning it must register, prepare internal documentation, identify clients, and report suspicious transactions.

  3. Documentation That Fails to Protect

A whitepaper is not a marketing brochure. It is a document that may be treated as a statement directed at investors – which means legal risk. If a whitepaper promises profits, omits risks, or lacks information about the team and legal structure of the project, it can be grounds for liability for misrepresentation.

MiCA imposes requirements on the content of whitepapers – and even if approval is not required, they must be prepared carefully, reliably, and with expert input. The same level of diligence applies to platform terms and conditions, privacy policies, and service-use rules. According to Ługowski, “poor documentation is not only a sanction risk – it is also a red flag for investors and partners”.

The most common mistakes include:

  • lack of a “Risks” section,
  • unrealistic descriptions of token functions,
  • outdated or contradictory document versions,
  • failure to align documentation with the project’s actual structure.

Additionally, if a project stores personal data, emails, or uses cookies, it must comply with GDPR[3]. This requires preparing a privacy policy and adjusting data-processing procedures accordingly.

  4. Lack of Agreements Between Founders

This is a frequent problem in young teams. Everyone focuses on the product, but no one writes down the rules of cooperation – until the first conflict (or success) comes along, which can turn the project upside down. The absence of a shareholders’ agreement, vesting provisions, or exit rules is a recipe for chaos.

Even at the MVP stage, it is worth:

  • defining who contributes what to the project,
  • documenting how tokens and shares are allocated,
  • setting voting and decision-making rules,
  • introducing vesting and reverse-vesting clauses for founders,
  • writing down exit rules and dispute-resolution mechanisms.

This does not need to be a 40-page investment agreement, but a few key points – ideally prepared with an advisor – should be put in writing.

  5. Lack of Defined Legal Form

Who conducts business within a given project? The project manager? The main founders jointly? Or perhaps all investors together with the initiators? Any larger venture should define how it intends to operate and who business partners, investors, and clients will be contracting with. There are many options.

One option is establishing capital companies in offshore jurisdictions such as the British Virgin Islands or the Cayman Islands. These countries are known for their openness to new blockchain projects and ease of doing business. Local law also imposes relatively few obligations on new companies.

On the other hand, some investors view offshore jurisdictions as high-risk countries and may approach cooperation very sceptically.

Moreover, establishing an offshore company does not exempt a project from complying with regulations in the countries where it operates.

Other solutions tailored to startups include various foundations in countries such as Liechtenstein or Luxembourg, limited liability companies in Estonia, or – created specifically for DAOs by the state of Wyoming in the USA – the DAO LLC.

  6. Data and AML Compliance Issues

Processing user data is now standard, even for very early-stage projects. But GDPR and AML are not just obligations for banks – they also apply to blockchain startups.

Do you collect emails? Store KYC data? Serve users from the EU? Then you must remember to:

  • have a privacy policy,
  • inform users about data processing,
  • secure data in line with the “privacy by design” principle,
  • appoint a person responsible for data,
  • implement at least basic AML/KYC procedures.

This does not need to be perfect from the start – but the total absence of documents or practices is a red flag for business partners, banks, and funds.

Conclusion

A blockchain startup is not just lines of code and a pitch deck. It is also a team, a structure, obligations, and – increasingly – compliance with regulations that can affect access to markets, capital, and users.

Legal mistakes do not always result from bad intentions, but they always have consequences. Before a project goes live on a launchpad, an exchange, or before meeting with an investor, it is worth carrying out a simple compliance audit and building a foundation that allows growth without unnecessary risks.

In the era of MiCA, AMLD5, DORA, and MiFID II, compliance may well be your greatest asset compared to other emerging projects.


[1] Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (recast) (OJ L 173, 12.6.2014, p. 349, as amended).

[2] Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (OJ L 150, 9.6.2023, p. 40, as amended).

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, as amended).