This section provides a general explanation of innovative technological trends (DAO, DeFi, NFT, tokens, etc.) that may be related to the provision of financial services or similar activities.

This information does not constitute legal advice or an explanation. We recommend that related parties assess and legally qualify their activities in advance, if necessary, with the help of a professional legal adviser. Consumers of innovative solutions are advised to assess the risks they may be exposed to when using their financial means.
We also recommend that you consult the draft EU Regulation on Markets in Crypto-assets (MiCA) and related proposals.

A Decentralized Autonomous Organization (DAO) operates as a computer program on a blockchain according to coded rules, or smart contracts. It is designed to be transparent, fully member-controlled, and without central management. In other words, a DAO is a form of digital collaboration whose functions are mathematically automated. The DAO management and control functions are shared horizontally among its members, which eliminates the need for a centrally managed structure. DAOs are used, for example, in decentralised finance (DeFi), where, to comply with the principle of decentralisation, applications need to be managed by an organisation that itself has no centralised management.

In order to set up a DAO, one needs to write ‘smart contracts’, which encode the rules for how the organisation will operate. Therefore, a DAO must still have a central development team at the beginning. Subsequent governance decisions are made by votes of the holders of the organisation’s governance tokens. Drawing a parallel with traditional public limited companies, governance tokens are essentially voting rights at the general meeting of the organisation, i.e. one person may hold more than another. It may be possible to both earn and buy governance tokens from different DAOs.

What is the legal status of DAOs?

DAOs can be divided into two categories: registered DAOs, which are structured in accordance with the laws of a particular country and registered in the relevant commercial register, and unregistered DAOs, which are set up outside the legal framework defined by national law and are not registered in a commercial register. Most of the DAOs in circulation are unregistered. Their legal status is currently unclear and may depend on specific circumstances, and it is not excluded that they may qualify based on existing law and through already existing legal institutions. For example, if a DAO is not a registered company within the meaning of the Commercial Code, it needs to be clarified whether it would still have to declare and pay taxes or open a bank account and, if so, who would have the authority or obligation to do so in the case of a decentralised autonomous organisation whose inherent purpose is to exclude managers and representatives.

In addition to the uncertain legal definition of DAOs, there are other risks associated with involvement in them:

Cyber risks – The security of the ‘smart contracts’ of DAOs may not be guaranteed. This may be caused, for example, by unintentional errors in the protocol code that attackers can exploit. This scenario played out in the case of the first hedge-fund-type organisation, named DAO, from which a hacker managed to steal assets due to a coding error. There is also the possibility of intentional ‘backdoors’ left by developers in the underlying code of the organisation, through which the DAO can be attacked at a later stage of development. DAOs generally use a blockchain (e.g. Ethereum) that is not controlled by the DAO itself. This also makes them vulnerable to attacks against the blockchain in general. There can also be so-called 51% attacks, where the majority of blockchain validators manipulate the blockchain.

Risks stemming from the governance/management model – Governance decisions of DAOs (e.g. changes to ‘smart contracts’) are made on the basis of a vote with governance tokens, where a certain number of tokens equals one vote. However, a large number of governance tokens can be concentrated in the hands of individual groups or persons, who can use them to influence voting. This calls into question the decentralisation of the organisation. A large number of tokens can be retained by DAO developers, for example, to earn future revenue from their work.

Cartels may also form among holders of governance tokens. Due to the anonymity of the blockchain, it may not be possible to identify the real holders of the governance rights, i.e. the tokens appear to be equally distributed in the public code, but not in reality. In addition to the problem of concentration of governance tokens in the hands of individuals, the DAO ‘smart contracts’ can be difficult for the general public to understand, which gives their developers, who are well versed in the contracts, an advantage in influencing organisational behaviour.

Inactive ‘shareholders’ – DAOs may face situations where a large number of governance token holders remain inactive in the decision-making process. As a result, it may not be possible to make changes to the organisation’s ‘smart contracts’ or to make other management decisions. This can lead to security risks as well as deadlock in the DAO’s operations. In order to avoid this situation, the underlying contracts of the DAOs may set a low voting threshold for decision-making, which increases the risk of influence falling into the hands of individuals.
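
The interaction between token concentration and inactive holders described above can be measured for a given token distribution. The following is an added illustration, not part of the original text and not the code of any particular DAO: the holder names, balances and the voting rules (quorum counted against total supply, approval against votes cast, all other participating holders voting against) are assumptions made for the example.

```python
# Added example: how token concentration and low turnout interact in
# token-weighted voting. Holder names, balances and rules are constructed.

# Constructed distribution: three large holders plus 100 small ones (10,000 tokens).
HOLDINGS = {"dev_team": 2500, "fund_a": 1500, "fund_b": 1000}
HOLDINGS.update({f"retail_{i:03d}": 50 for i in range(100)})


def min_controlling_holders(holdings, quorum_pct, approval_pct, others_turnout_pct):
    """Smallest number of the largest holders that can pass a proposal alone.

    Assumed rules (not taken from any specific DAO):
      - quorum: votes cast must be at least quorum_pct of total supply;
      - approval: 'yes' votes must exceed approval_pct of votes cast;
      - worst case for the coalition: others_turnout_pct of all remaining
        tokens is voted, and all of it is voted 'no'.
    Returns None if even all holders together cannot meet the rules.
    """
    total = sum(holdings.values())
    yes = 0
    for count, balance in enumerate(sorted(holdings.values(), reverse=True), 1):
        yes += balance
        # Integer arithmetic, scaled by 100, avoids floating-point edge cases.
        cast_x100 = yes * 100 + (total - yes) * others_turnout_pct
        quorum_met = cast_x100 >= quorum_pct * total
        approved = yes * 100 * 100 > approval_pct * cast_x100
        if quorum_met and approved:
            return count
    return None


if __name__ == "__main__":
    # (quorum %, approval %, turnout % of holders outside the coalition)
    scenarios = [(20, 50, 100), (20, 50, 40), (20, 50, 10), (60, 50, 10)]
    for quorum, approval, turnout in scenarios:
        k = min_controlling_holders(HOLDINGS, quorum, approval, turnout)
        print(f"quorum {quorum}%, approval >{approval}%, "
              f"others' turnout {turnout}%: {k} holder(s) suffice")
```

With this constructed distribution and 10% turnout among the other holders, lowering the quorum from 60% to 20% reduces the number of holders needed to pass a proposal from 15 to 1.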

The long-term nature of the decision-making process – Because there is no central governing body, making changes to the DAO ‘smart contracts’, as well as other decisions affecting the organisation, requires a vote, so the decision-making process may be lengthy. However, in a DAO operating as an investment fund, for example, a lengthy decision-making time can lead to financial losses for investors.

In regulating DAOs, it is important to strike a balance between a sound regulatory framework and the freedom to experiment and innovate needed to develop the technology. The OECD Financial Action Task Force (FATF), in its recent guidance on virtual assets and virtual asset service providers, called for this responsibility to be placed on the creators, owners, and operators of the DeFi applications who retain control or sufficient influence over the application, even if these applications appear to be decentralised.