Clients ask it reflexively: “What do you specialise in?” The question sounds like due diligence, but it rests on a false premise. It assumes that legal problems arrive wearing the correct jurisdictional badge and stay within their lane. They do not. They never have. Yet the legal market has spent decades encouraging this belief, rewarding lawyers who carve themselves into ever-narrower slices and market depth at the expense of breadth.
I am a Litigation and General Practice Lawyer in Cyprus, and I introduce myself as such deliberately. In a profession where “specialist lawyer” is a title anyone can claim and no institution will verify, the generalist who sees a legal matter whole offers something the narrow practitioner structurally cannot: peripheral vision.
The Unverified Label
A specialist physician earns a credential the state validates and the profession enforces. The “specialist lawyer”, in most jurisdictions and certainly in Cyprus, has simply decided to describe himself that way. The Cyprus Bar Association recognises no formal specialisation system. The ABA’s own rules protect the word certified; the title specialist remains open to anyone willing to print it on a business card.
Legal services are what economists call credence goods: quality is opaque before, during, and after the engagement. When clients cannot verify expertise, an unverified specialty title acquires persuasive force far beyond its informational content. The generalist who is transparent about his breadth offers something more honest: a clear picture of how he practises, rather than a label no regulator has endorsed.
The Blind Spots of Narrow Practice
Professor Moorhead’s research on cognitive narrowness found that specialist lawyers referred out-of-specialty problems at roughly half the rate of generalists and were more likely to tell a client that no course of action existed, even where the true limitation was the lawyer’s own focus rather than the merits. The specialist, in other words, does not always know what he is missing.
Real legal situations arrive in clusters. A redundancy becomes an employment claim, a tortious dispute, and, where the employer enjoys diplomatic status, a question of sovereign immunity. A commercial contract can conceal a fraudulent misrepresentation, an insolvency risk, and a criminal exposure. The generalist treats the legal landscape as a terrain: uneven, interconnected, and requiring constant peripheral vision.
Why Breadth Wins
David Epstein’s distinction between “kind” and “wicked” learning environments applies directly to law. Chess rewards repetition; litigation does not. The facts never repeat themselves exactly, and the intersections between regulatory regimes, contractual obligations, and human behaviour are never quite the same twice. Breadth of experience is itself the primary mechanism by which sound judgement is formed.
A study in Nature Computational Science examined over sixty thousand federal civil proceedings and found near-zero correlation between prestige rankings and actual litigation outcomes. Courts are staffed by generalists, and lawyers who have spent a career in a single regulatory corridor can find, at the moment of argument, that they are speaking fluently in the wrong language. The generalist speaks the court’s own language; the specialist often has to translate.
Crypto in EU: MiCAR Stablecoin Rules, Self-Hosted Wallets & Travel Rule
EUR stablecoins have reached €1 billion in market capitalization since MiCAR came into force. That figure represents 0.2% of the global stablecoin market. The regulatory framework meant to establish European leadership in digital assets has instead produced a regulated enclave where compliance costs exceed competitive advantages.
Nine European banks announced a consortium to issue a joint stablecoin precisely because existing offerings failed to achieve scale. The conclusions below emerge from examining how MiCAR reshapes the relationship between crypto-asset service providers, traditional banking, and individuals who thought distributed ledger technology might offer an alternative to both.
Regulatory Framework
Each inner category inherits the regulatory requirements of its enclosing framework while adding layer-specific obligations.
MiCAR treats e-money tokens as a technological variant of electronic money. Article 48(2) provides that EMTs "shall be deemed to be electronic money," incorporating them within EMD2's architecture while adding crypto-specific requirements. Issuers must satisfy both frameworks simultaneously. This nested classification carries practical consequences: EMT issuers face a dual regulatory burden that shapes market structure and competitive dynamics.
What Changes for Holders
Traditional electronic money under Directive 2009/110/EC creates a contractual relationship between holder and issuer. You cannot send PayPal funds to someone without a PayPal account. E-money tokens present a different reality. Distributed ledger technology enables peer-to-peer transfers between wallet addresses without the recipient ever establishing a contractual relationship with the issuer.
Case C-661/22 (ABC Projektai): "The minimum requirement for e-money issuance is a contractual agreement between user and issuer."
Reserve Requirements
The 30/60% Rule
MiCAR requires 30% of reserves to be held as deposits in EU credit institutions. For significant EMTs (reserves exceeding €5 billion or 10 million users), this threshold increases to 60%. The remaining reserves may be held in highly liquid financial instruments.
The Arithmetic Problem
Banks operate under fractional reserve ratios, retaining roughly 10% as liquid reserves. If a stablecoin issuer holds €10 billion and regulation requires €6 billion in bank deposits, the bank retains €600 million in liquid form. Redemption demands exceeding that figure trigger simultaneous liquidity pressure for both.
"In such a framework, stablecoin reserves are held as commercial bank deposits, and commercial banks engage in fractional reserve lending and maturity transformation. This creates a direct transmission channel through which the banking system's fundamental mechanics become the foundation of stablecoin stability."
Board of Governors of the Federal Reserve System, International Finance Discussion Paper No. 1334 (2022)
MiCAR vs GENIUS Act
Both frameworks mandate 100% reserve backing. The divergence lies in implementation. MiCAR channels reserves through commercial banks operating fractional reserve mechanics. The United States' GENIUS Act permits reserves in Treasury securities with near-zero credit risk, prohibits rehypothecation, and mandates bankruptcy-remote subsidiaries.
MiCAR (EU):
- 30–60% held in bank deposits
- Unified balance sheet approach
- €100,000 deposit insurance applies
- Concentration limits across multiple banks
- EMD2 + MiCAR dual compliance
GENIUS Act (US):
- Treasury securities permitted
- Bankruptcy-remote subsidiaries required
- First-priority security interest for holders
- Rehypothecation explicitly prohibited
- Non-bank issuers permitted
Travel Rule Requirements
MiCAR addresses licensed intermediaries. It says nothing about individuals who hold their own cryptographic keys. That gap is filled by Regulation 2023/1113, the Transfer of Funds Regulation, which imposes the following obligations on CASPs:
The verification requirement is not a prohibition. It is a compliance friction that routes transactions through banking-integrated intermediaries. Licensed exchanges maintain whitelists of "verified" addresses. Unverified addresses are functionally blocked by operational necessity rather than by law. Article 37 mandates the Commission to assess by June 2026 whether additional restrictions are necessary.
When ESMA's January 2025 guidance required removal of unauthorized stablecoins, major exchanges delisted USDT by March 31, 2025. EUR stablecoin liquidity declined approximately 18% in Q1 2025. Compliant alternatives captured less than 2% of the market previously served by USDT. Users migrated to unregulated channels rather than regulated alternatives.
Practical Advice
EMT issuers must satisfy both EMD2 authorization requirements and MiCAR-specific obligations. ESMA's Supervisory Briefing (January 2025) specifies that CASP authorization applications must include TFR compliance policies, self-hosted wallet verification procedures, and transaction monitoring systems.
Concentration limits restrict deposits: no more than 25% with systemically important institutions, 15% with large credit institutions, 5% with smaller banks. Issuers must cultivate relationships with multiple banking partners where "crypto-friendly banks in Europe" remain scarce.
An individual who acquires EURC through an exchange possesses tokens without any contractual relationship with Circle. Under MiCAR Article 49, that holder possesses a legal right to reimbursement at par by operation of law rather than contract.
Concluding Observation
MiCAR's architects constructed a regulatory fortress around EUR stablecoins. The framework mandates integration with European credit institutions, imposes concentration limits requiring relationships with multiple banking partners, and channels reserves through balance sheets exposed to maturity transformation and leverage risks.
What emerges may not be a framework designed primarily to shield European consumers from crypto volatility. It may instead be one ensuring that Europeans seeking alternatives to traditional banking find no alternatives within the regulated perimeter. The regulation's recitals speak of consumer protection and financial stability. The architecture suggests additional concerns: populations bypassing banks they consider inaccessible, value transfers outside institutional surveillance, and the prospect of European citizens circumventing restrictions the Union enforces.
Whether MiCAR addresses the structural exclusions that gave rise to alternative financial infrastructure in the first place is a question the regulation never asked.
The Essays
EUR Stablecoins and MiCAR: A Critical Assessment of the EU's Regulatory Architecture
Traces how the EMT concept evolved from electronic money under Directive 2009/110/EC, examines reserve requirements and prudential supervision, and contrasts MiCAR with the US GENIUS Act. Section 5 addresses why alternatives to traditional banking exist and why EUR stablecoins remain at 0.2% of global market capitalization.
Self-hosted Wallets under EU Law: Compliance through Intermediation
Regulation 2023/1113 creates requirements for blockchain analysis and risk mitigation that effectively necessitate in-house screening capabilities. The Travel Rule Guidelines (EBA/GL/2024/11) became applicable December 30, 2024. This essay examines what verification obligations mean for users who hold their own keys.
E-Money vs. Crypto: From Contractual Claim to Statutory Redemption Rights
Case C-661/22 established that e-money issuance under EMD2 requires express contractual agreement. MiCAR departs from this model. Article 49 creates a legal right to reimbursement by operation of law. The distinction matters for anyone acquiring tokens through secondary markets.
This Year’s DataGuidance Contribution: Data Breach Notifications in Cyprus
Updated DataGuidance analysis on Cyprus data breach notifications: GDPR-NIS2-DORA convergence, Article 12 of Law 125(I)/2018, and recent Commissioner decisions from 2024-2025.
One year after my research contribution to OneTrust’s compliance platform DataGuidance regarding data breach notifications in Cyprus, I have updated this year’s white paper with significant developments.
The Convergence of GDPR, NIS2 and DORA
The most significant change concerns the interconnection of GDPR with new European legislation. In Cyprus, the NIS2 Directive was transposed through Law 89(I)/2020, while the DORA Regulation applies directly to financial entities through CySEC Circular C700 (April 2025).
This means that in cases of data breaches involving cybersecurity incidents, organizations must examine not only GDPR but also whether more specific frameworks such as NIS2 (for critical sectors) or DORA (for financial services) apply, which may impose additional or more stringent notification obligations.
Cyprus-Specific Exception: Article 12
My updated analysis examines in depth Article 12 of Law 125(I)/2018, which maintains the same substantive requirements as Article 34(3) of GDPR for exceptions from the obligation to notify data subjects (such as encryption, subsequent measures, or disproportionate effort).
However, in Cypriot practical application, data controllers in the majority of cases consult with the Commissioner’s Office before deciding not to notify data subjects, receiving guidance on a case-by-case basis.
Additionally, Article 12 provides data controllers with the possibility to request formal exemption from the Commissioner in sensitive cases involving national security, public safety, or judicial independence (based on Article 23 GDPR), through a formal procedure that includes an impact assessment and prior consultation.
This Year’s Commissioner Decisions
The updated article includes five recent decisions that shape practical application:
- Doctor Case (77/21): Unlawful access to medical data through the GESY System with a fine of €1,500.
- Land Registry Case (21/12/2023): Cyberattack without data breach but with inadequate security measures – imposition of reprimand and order to strengthen security.
- Google Analytics Cases (28/2/2024): Unlawful international data transfers to the USA without fines but with compliance order within one month.
- Health Insurance Organization Case (18/12/2024): Double fine (€1,500 for incomplete response to access request + €3,000 for non-cooperation with the Authority).
- GESY Doctor Case (3/9/2024): Processing beyond purpose with reprimand without fine.
Conclusion
The update reflects a more complex reality: organizations in Cyprus can no longer examine GDPR in isolation. An integrated approach is required that takes into account sectoral legislation, particularly when a data breach is connected to a cybersecurity incident.
The full updated article is available on the OneTrust DataGuidance platform. If you have any questions regarding data breach notifications or data protection law in Cyprus, please do not hesitate to contact me.
Further Reading
For those interested in exploring data protection and GDPR topics further, I invite you to review my other articles. These cover a broad spectrum of topics, from social discussions to practical applications and critical analyses:
- When the GDPR goes wrong…: A critical look at the weaknesses and potential negative consequences of GDPR, including issues of innovation and competitiveness.
- The Consent Paradox: How EU Regulations Enabled Corporate Data Harvesting: A legal analysis examining how European cookie regulations created a surveillance system controlled by 8-10 companies, with academic studies showing that 85% of consent systems violate basic GDPR requirements, transforming privacy protection into “consent theater.”
- Welcome to Facebook’s Post-Data Era: Why GDPR Is a Dangerous Delusion: A provocative perspective on the evolution of technology and data, questioning the effectiveness of GDPR.
- Open Letter: How the European Parliament Threatens Communications Privacy: An analysis of the risks involved in using algorithms to monitor communications, emphasizing the importance of privacy and proportionality in legislation.
Paternity & DNA Testing in Cyprus Family Courts
When family relationships are disputed, scientific evidence becomes essential. Cyprus Family Courts have wielded genetic testing as a tool for establishing paternity since 2006, when Article 24A was introduced to the Children (Affiliation and Legal Status) Law. The legal framework balances the right to truth with fundamental privacy protections, creating a nuanced system where consent remains paramount but refusal carries legal consequences.
In the landmark case Mary Jane Supatan v. Nikola Peristianu (2006) 1 A.A.D. 1417, the Court of Appeal clarified that while courts can issue directions for blood sampling, they cannot compel compliance. What they can do is draw inferences from refusal. This distinction protects constitutional rights while recognizing that DNA evidence, when voluntarily provided, offers near-certainty in paternity disputes. The question is not whether genetic testing violates privacy, but how courts navigate the tension between establishing familial truth and preserving individual autonomy.
The Legal Framework
Article 24A of Law 187/91 grants Family Courts authority to issue directions for hematological, genetic or other appropriate examinations to determine biological paternity. The distinction between directions and orders is critical: the alleged father retains the right to refuse testing without facing contempt proceedings or forced compliance.
However, refusal is not without consequence. When a party declines testing after court directions, the tribunal may draw any inference that appears reasonable under the circumstances. As the Supreme Court held in subsequent appeals, refusal to submit to DNA testing, absent compelling justification, creates a strong inference of paternity when combined with other evidence. The framework protects both the child’s right to know their parentage and the alleged father’s bodily autonomy, resolving the tension through evidentiary inference rather than physical compulsion.
Privacy Rights and Consent
The intersection of genetic testing with privacy rights remains carefully guarded. Article 15 of the Cyprus Constitution and Article 8 of the European Convention on Human Rights protect private and family life from arbitrary interference. Medical procedures, including blood sampling, constitute interventions that require legal justification and individual consent.
Cyprus legislation respects these protections while recognizing that family law disputes involve competing rights: the mother’s right to establish paternity, the child’s right to know their biological parents, and the alleged father’s right to privacy and bodily integrity. The system resolves this through procedural safeguards: courts issue directions only when paternity is genuinely disputed, testing follows medical protocols that protect data confidentiality, and results are used strictly for the judicial proceedings at hand. This calibrated approach ensures that genetic evidence serves justice without becoming an instrument of invasive state power.
When DNA Testing Becomes Necessary
Paternity disputes typically arise in three contexts: mothers seeking child support from alleged fathers who deny parentage, fathers seeking custody or contact rights when mothers dispute biological connection, and inheritance cases where legitimacy determines estate distribution. In each scenario, genetic evidence can resolve factual disputes that would otherwise devolve into credibility contests with limited probative value.
Strategic timing matters. Requesting DNA testing early in proceedings demonstrates good faith and can accelerate resolution, particularly when the alleged father genuinely doubts paternity. Conversely, waiting until trial to raise testing objections may be interpreted as tactical delay rather than principled opposition. For mothers pursuing support claims, establishing biological paternity is typically the first step toward obtaining maintenance orders. For alleged fathers, voluntary testing that excludes paternity provides a complete defense, while refusal to test when paternity is plausible creates evidentiary burdens that are difficult to overcome. The legal framework makes cooperation advantageous when one is confident in the biological facts, and makes refusal costly when doubt exists.
CPR 2023 & Mediation: A Critical Appraisal
Cyprus’ civil justice system stands at a crossroads. The 2023 Civil Procedure Rules represent the most radical transformation since independence, elevating mediation from peripheral option to central pillar of dispute resolution. What was once a system frozen in 1958 now embraces pre-action protocols, judicial case management, and structured alternative dispute resolution.
Yet this revolution brings profound tensions: Can mandatory mediation coexist with the right to access courts? How do we balance efficiency with justice, confidentiality with accountability, voluntary participation with institutional pressure? As Cyprus navigates between European directives and local legal culture, these reforms reshape not just procedure but the very philosophy of how disputes should be resolved.
The Procedural Revolution
The overriding objective transforms litigation from adversarial combat to managed resolution. Pre-action protocols now require parties to exchange information, narrow issues, and genuinely consider settlement before filing suit. Small claims under €10,000 follow simplified procedures, while judges wield unprecedented powers to direct cases toward mediation.
This isn’t merely administrative reform—it’s a cultural shift. Lawyers must now justify why they haven’t mediated. Courts can impose cost sanctions on unreasonable refusals. The message is clear: litigation is the last resort, not the first response. Yet implementation reveals friction between Anglo-Saxon efficiency models and Mediterranean legal traditions.
Ethics & Enforcement Dilemmas
Mediation’s promise of voluntary resolution meets complex ethical terrain. Private caucus sessions, while enabling frank discussion, raise questions about information asymmetry and mediator influence. The balance between absolute confidentiality and the need for transparency when settlements are challenged creates a fundamental tension in the process.
Cyprus’ proposed Article 15A, mandating initial mediation for disputes under €5,000, exemplifies the broader European debate. Drawing from precedents like Halsey and Alassini, courts must determine whether mandatory ADR represents proportionate reform or constitutes an unacceptable barrier to justice under Article 6 ECHR. The challenge lies in preserving mediation’s voluntary essence within increasingly institutionalized frameworks.
Navigating the New Landscape
The intersection of EU Directive 2008/52/EC, Cyprus Law 159(I)/2012, and the 2023 CPR creates a complex regulatory matrix. Mediation Settlement Agreements now achieve «super contract» status—enforceable as court orders through simplified Part 8 procedures. Yet this elevation brings scrutiny: How do we balance the sanctity of confidentiality against claims of duress? Can mandatory initial sessions under proposed reforms survive Article 6 ECHR challenges?
International dimensions add further complexity. While the Singapore Convention promises global enforceability for mediated settlements, Cyprus remains outside this framework. Meanwhile, English precedents from Halsey to Lomax shape local interpretation, as courts grapple with when refusal to mediate becomes unreasonable—and when compulsion violates fundamental rights. The path forward demands not blind adoption but thoughtful calibration between efficiency imperatives and justice principles.
Explore how the 2023 Civil Procedure Rules revolutionize Cyprus’ civil justice framework through the lens of mediation. This comprehensive analysis examines the “overriding objective” that now governs all litigation, dissects the three pre-action protocols that reshape lawyer-client dynamics, and evaluates how small claims procedures and cost sanctions create powerful incentives for settlement. Drawing from English precedents and early implementation experiences, the article assesses whether Cyprus is genuinely transitioning to a mediation-forward model or merely adding procedural layers. Essential reading for practitioners navigating the new rules, understanding enforcement mechanisms for Mediation Settlement Agreements, and anticipating how judges will exercise their expanded case management powers.
This comprehensive analysis examines the tension between mediation’s theoretical foundations and its practical implementation across European jurisdictions. The article explores the ethical dimensions of private caucus meetings, the enforceability challenges of Mediation Settlement Agreements when duress is alleged, and the evolving jurisprudence on mandatory ADR schemes. Through detailed examination of landmark cases including Halsey v Milton Keynes NHS Trust, Alassini v Telecom Italia, and recent English precedents, it evaluates whether mandatory mediation schemes comply with Article 6 ECHR guarantees of access to justice. The analysis covers Cyprus’ proposed Article 15A amendments requiring initial mediation sessions for disputes under €5,000, the implications of the Singapore Convention for international commercial settlements, and the elevated legal status of MSAs as «super contracts» under the new CPR framework. Essential for practitioners navigating the constitutional limits of compulsory ADR and understanding the proportionality principles that govern modern dispute resolution policy.
Digital Possession in Criminal Law
In December 2021, I defended a related case in the Larnaca District Court where the prosecution’s evidence hinged on thousands of images and videos found in browser cache files. The technical challenge was profound: proving that automatic app storage doesn’t constitute legal possession under Cyprus criminal law.
My client accessed content through Telegram groups and web browsers—ordinary internet usage that generated over 3,000 cached files without his knowledge or control. The prosecution argued these cached terrorism-related materials proved “possession” under Article 9 of the Counter-Terrorism Law. We demonstrated that cache files are ephemeral technical residues: created automatically, stored invisibly, and beyond user control. The case crystallized a fundamental question for the digital age: when machines store data autonomously, where does criminal liability begin?
The Legal Framework
Criminal possession requires both knowledge and control. The Cyprus Penal Code’s definition demands awareness that material exists and the ability to exercise dominion over it. Cache files fail both tests: users don’t know they exist, can’t access them without technical expertise, and have no control over their creation or deletion.
The Ninth Circuit’s landmark decision in United States v. Kuchinski established the principle that cached files without user knowledge cannot constitute possession. Cyprus courts have followed this reasoning, recognizing that viewing content online differs fundamentally from deliberately storing it. The distinction protects citizens from strict liability for their browsers’ automated processes.
Technical Realities
Browsers cache content to improve performance, not preserve evidence. Files appear and vanish according to algorithms users never see. The cache directory sits buried in system folders, inaccessible through normal navigation. Even finding these files requires specialized knowledge most users lack.
This automation matters legally. When prosecution conflates temporary technical storage with intentional possession, it criminalizes the act of browsing itself. Every click potentially becomes a crime if the wrong content gets cached. Such interpretation would make the internet legally unusable, turning standard web protocols into instruments of strict criminal liability.
Defending Digital Rights
Cache possession cases reveal how criminal law struggles with digital reality. The traditional mens rea framework—requiring both knowledge (Wissen) and will (Wollen)—remains essential for justice. Without it, automated processes become tripwires for prosecution, and technical ignorance becomes criminal negligence.
For defense counsel, the strategy is clear: distinguish deliberate downloading from passive caching, demonstrate the defendant’s lack of technical knowledge, and emphasize the absence of user control. Expert testimony on browser mechanics often proves decisive. Courts increasingly recognize that «possession» cannot extend to files users neither created, accessed, nor knew existed. This precedent protects not just individual defendants but the principle that criminal law requires human agency, not machine automation.
DAC7 Directive: Tax Insights for Businesses
The DAC7 Directive represents a decisive shift in how the EU approaches tax compliance for digital platforms. What began as a gig-economy measure now covers almost every platform-mediated transaction—services, rentals, and goods. For operators, the challenge is no longer only technical integration but ongoing governance under evolving tax regulations.
This professional overview outlines key takeaways for businesses and advisors navigating this fast-changing regulatory environment.
Key implications
Platform operators face expanded reporting duties, including verification of seller data, quarterly aggregation, and OECD-standard XML filings. Even outside the EU, companies with EU users must comply—extending the directive’s reach beyond European borders.
This expansion aligns with global transparency goals but imposes structural costs that smaller platforms and start-ups often struggle to absorb.
Market dynamics
Exemptions, such as those for large listed entities or high-volume rental operators, tend to shield incumbents while leaving smaller service providers exposed. The result is a competitive asymmetry that risks slowing innovation across digital marketplaces.
Businesses must treat DAC7 as more than a formality: it reshapes operational models and requires strategic planning alongside legal and financial expertise.
Looking ahead
The EU is unlikely to stop at DAC7. Additional layers of technology regulations are on the horizon, meaning compliance is becoming a permanent discipline. For business leaders, early adaptation is not just risk management—it can also serve as a differentiator in trust, transparency, and market positioning.
To explore deeper legal analysis and case-specific commentary, I invite you to read the full essay on my blog.
Radio Equipment Directive: A New Cybersecurity Chapter
On 1 August 2025 the Radio Equipment Directive (RED) entered a new phase for the EU market. What used to be a radio/spectrum framework has become a baseline for cybersecurity compliance across most connected products. Phones, routers, wearables, IoT sensors—if it talks to a network, it now lives under a tougher playbook.
Three levers drive the shift: Article 3(3)(d) on network protection, 3(3)(e) on personal data safeguards (with extra attention to toys/childcare/wearables), and 3(3)(f) on fraud prevention. Their technical expression is the EN 18031 series, which turns high-level legal duties into testable security outcomes: access control, secure updates, storage/comms security, monitoring, and resilience.
What changes in practice
The new technology regulations push manufacturers to prove they’ve embedded security by design—strong authentication, sane defaults, hardened update paths, and meaningful logging. That’s good news for users and for providers tired of botnets fueled by cheap, insecure devices.
The flip side: implementation isn’t trivial. EN 18031 can limit self-declaration, nudging products toward Notified Body reviews when features (e.g., open firmware loading) break the assumptions behind presumption of conformity. Real costs rise, timelines stretch, and market entry becomes a governance exercise as much as an engineering one.
Innovation vs. lock-down
Here lies the tension. Security hardening is essential, but blunt restrictions risk collateral damage to openness, repairability, and research. Projects that rely on custom ROMs or community firmware can be caught in the compliance crossfire, even when their security posture is exemplary.
The EU’s broader policy mix complicates the picture: Right to Repair and the Digital Markets Act promote user choice and longevity, while strict readings of RED may incentivize locked bootloaders and closed ecosystems. Smart guidance is needed so cybersecurity regulations don’t quietly erode user agency.
Looking ahead
RED isn’t the end of the journey. The upcoming Cyber Resilience Act will raise the floor again, and overlapping regimes will make compliance a continuous discipline. Treat RED as more than a checkbox: it’s a chance to build trust, reduce incident costs, and differentiate on engineering quality.
A pragmatic playbook: map product features against EN 18031; document threat models and secure-update chains; avoid dark corners (weak password policies, silent telemetry); and, where openness matters, design for user-enrollable keys and verifiable modding paths. That’s how technology regulations and innovation can coexist.