Blockchain and Irish Law

Further reading from this practice: What is a Notary Public in Cork?, Notary Public vs Commissioner for Oaths in Ireland, The apostille process in Cork — a working guide, Irish company law in 2026 — what a CFO must know, Brexit and your commercial contracts five years on. For Hugh's background and qualifications, see Hugh Phelan.

The question is not whether blockchain transactions are valid under Irish law. They are. The question is how a body of statute, regulation and case law that pre-dates the technology by several centuries adapts when value moves across an immutable distributed ledger, when a contract is partly written in Solidity, when a notarial act must be performed in respect of a token, and when a regulator wants to know where exactly the customer sits.

This is a working note on how I answer that question for corporate clients in 2026. It is written from a Cork practice that advises companies in the digital-asset and fintech space, and it deliberately confines itself to Irish law as transposed and applied. Anyone reading this should treat it as analysis, not advice.

The legal status of digital assets in Ireland

Ireland has no single statute that defines a digital asset. There is no Irish equivalent of the position taken by the UK Law Commission in its 2023 final report on digital assets, where a third category of personal property was endorsed. What Ireland has instead is the ordinary law of property, contract and tort, read alongside specific financial-services legislation, EU regulation, and a body of regulatory practice issued by the Central Bank.

For most practical purposes the analysis runs as follows. A unit of cryptocurrency held in a wallet is property capable of being owned, transferred and held on trust. The Revenue Commissioners have taken this position since 2018 and have applied it to capital gains, VAT and corporation tax matters in successive eBriefs. The courts, in the limited Irish authority that exists, have treated crypto-assets as property for the purposes of freezing orders. The English position in AA v Persons Unknown [2019] EWHC 3556 (Comm) is persuasive but not binding here, and a careful practitioner does not rely on it as if it were.

The classification matters because everything downstream — capacity to charge as security, ability to seize under enforcement, recognition in insolvency, treatment on death — runs off whether the asset is property at all. The view I take with corporate clients is that for a token that is not a security and not e-money, it is property, but it is property with a particular vulnerability: the location of the asset, in any meaningful sense, is the location of the private key. That is not a satisfying answer in jurisdictional terms, and Irish conflicts-of-law doctrine has not yet caught up.

Smart contracts and the "code is law" myth

The phrase "code is law" survives mostly in conference slides. It does not survive contact with the Irish courts.

A smart contract — a piece of self-executing code on a blockchain — is, in Irish law, evidence of a contract. It is not the contract itself, unless the parties have agreed that the code is the operative instrument. In every commercial deployment I have advised on, the operative instrument is a written agreement governed by Irish law (or, more often, English law with Irish carve-outs for consumer protection), and the smart contract is the execution mechanism. The agreement governs; the code executes.

This matters when the code does something the parties did not intend. The DAO incident of 2016 is the textbook example, but smaller versions occur weekly across decentralised finance. If the code transfers funds in a way the underlying agreement does not authorise, the Irish position — which I take to follow from ordinary contract principles — is that the recipient holds those funds on constructive trust for the transferor, and that the law of restitution applies. The fact that the transfer is immutable on-chain does not extinguish the obligation; it merely complicates the remedy.

The drafting consequence is that a smart-contract deployment cannot be left to the engineering team. The operative agreement must say what governs in the event the code misbehaves, must identify a person against whom relief can be sought, must specify the jurisdiction in which that relief will be pursued, and must address the practical question of how an immutable on-chain state is reconciled with an off-chain order of an Irish court. None of this is theoretical.

KYC and AML obligations: the 5AMLD and 6AMLD transposition

The Fifth Anti-Money Laundering Directive was transposed in Ireland by the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021. That Act brought virtual asset service providers ("VASPs") into the regulated population for the first time. The Sixth Directive, transposed by amendments completed in 2022, extended predicate-offence liability and tightened directors' personal exposure.

The practical consequence for any business handling crypto-assets in Ireland is that the Central Bank's VASP registration regime applies. Registration is not optional and the standards are not light. A VASP must demonstrate fitness and probity of beneficial owners, must operate a risk-based AML/CFT programme, must conduct customer due diligence in line with the Act, and must file suspicious transaction reports through the Financial Intelligence Unit and the Revenue Commissioners.

The harder question for an in-house counsel is the line between activity that requires VASP registration and activity that does not. A holding company that owns tokens passively does not. A platform that exchanges fiat for tokens, or one token for another, or that custodies tokens for users, does. The line cases — a software provider whose product happens to facilitate transfers, an investment vehicle that buys and sells on its own account, a loyalty programme that issues a token redeemable for fiat-equivalent benefits — require careful analysis against the statutory definition. The penalty for getting this wrong, under section 109 of the 2010 Act as amended, is criminal liability that attaches to the firm and to the responsible individuals.

A general counsel building a crypto programme inside an Irish company should therefore answer three questions before any other. First: do we conduct a virtual asset service as defined? Second: if yes, do we register with the Central Bank or do we restructure to fall outside the definition? Third: who, by name, is responsible for AML compliance, and is that person actually capable of the job? The Central Bank's enforcement history in the credit-institution sector suggests that the third question is the one most often answered badly.

GDPR and the immutability problem

The General Data Protection Regulation, given direct effect in Ireland by the Data Protection Act 2018, gives a data subject the right to erasure under Article 17. A blockchain, by design, does not permit erasure. This is the most visible doctrinal collision in the entire field and it has not been resolved by any Irish court or by the Data Protection Commission in a published decision specific to blockchain.

The working answer I give to clients is structural rather than doctrinal. The Article 17 right is not absolute; it is subject to exceptions, including the exercise of freedom of expression, compliance with a legal obligation, and the establishment of legal claims. A well-designed blockchain deployment minimises on-chain personal data — typically by storing only hashes or pointers on-chain and keeping the underlying personal data in an off-chain database where erasure is straightforward. The on-chain hash, if it cannot be linked back to an identifiable person without disproportionate effort, may not constitute personal data at all.

That argument is defensible but it is not safe. The Data Protection Commission has not endorsed it. The European Data Protection Board's 2024 guidelines indicate that pseudonymised data on a blockchain remains personal data where the controller retains the means to re-identify. A general counsel in Ireland must therefore treat any on-chain deployment that touches personal data as a high-risk processing operation, conduct a Data Protection Impact Assessment under Article 35, and document the architectural choices that minimise on-chain identifiability. The DPIA is not a formality; it is the document the Commission will ask for if the deployment becomes the subject of a complaint.

The notarial dimension

I act as a Notary Public, appointed by the Chief Justice of Ireland and the President of the Supreme Court, commissioned for life. The notarial function attaches to instruments and to facts. When a transaction is recorded on a blockchain, the notarial question is whether the act of recording can itself be a notarial act, and the answer, for now, is no in Ireland.

What I can do is notarise an instrument that authorises a transaction on a blockchain — a power of attorney for a digital-asset custodian, a corporate resolution authorising a token issuance, an affidavit attesting to ownership of a wallet at a particular block height. The notarial act sits off-chain and references the on-chain state by hash. That is the cleanest form because it preserves the evidentiary weight of a notarial certificate while leaving the chain to do what it does.

For foreign-use documents that involve digital assets — and most do, because the counterparties are rarely Irish — the apostille process under the Hague Convention applies to the notarial certificate, not to the blockchain record. A practitioner who tries to apostille a blockchain hash is misreading the Convention. The apostille certifies the notary's signature and seal; the hash, if the document contains one, is simply part of the instrument the notary has authenticated.

This will change. The Faculty of Notaries Public Ireland has been considering the question of electronic notarial acts since 2023, and the European Commission's proposals on digital notarisation are likely to require implementation in member states. For the moment, however, an Irish notarial act in respect of a digital-asset transaction remains a paper instrument, signed, sealed and capable of being apostilled by the Department of Foreign Affairs in the ordinary way.

MiCA and the Central Bank registration regime

The Markets in Crypto-Assets Regulation became fully applicable on 30 December 2024. It is the first comprehensive EU-level regime for crypto-assets that fall outside the existing financial-services perimeter — primarily utility tokens and asset-referenced tokens. Ireland's Central Bank is the competent authority and has issued a consultation paper and several authorisations under the transitional regime.

The practical change MiCA brings for an Irish operator is that the previous patchwork — VASP registration under the AML Act, e-money authorisation where applicable, securities regulation under Prospectus Regulation and MiFID II for tokens that qualify — now sits alongside a dedicated regime for crypto-asset service providers ("CASPs") and a regime for issuers of asset-referenced and e-money tokens. The boundaries between these are not always obvious and a careful classification at the design stage saves an enormous amount of work later.

The Central Bank's stance, communicated through its 2025 guidance, is that an entity carrying on a regulated crypto-asset service in Ireland after the end of the transitional period without authorisation under MiCA is operating unlawfully and the directors are personally exposed. The transitional grandfathering for existing VASP-registered firms is generous but finite. Any Irish company that intends to operate as a CASP beyond 2026 should be in active authorisation discussions now.

Five principles for a CFO or general counsel

1. Classify the asset before you account for it, custody it, or contract about it. Whether a token is a security, e-money, a utility token, an asset-referenced token, or none of these determines every downstream legal question. Do not allow the engineering team to answer this. The classification is a legal exercise informed by the technology, not a technology exercise dressed up as law.

2. The operative agreement governs; the code executes. Draft the agreement so that it controls in the event the code does something the parties did not intend. Identify the governing law, the dispute-resolution forum, the person against whom relief can be sought, and the mechanism by which an off-chain order will be implemented on-chain.

3. Treat VASP and CASP registration as a board-level question. The Central Bank's regime is not procedural compliance. It carries personal criminal exposure for directors and named compliance officers. The decision whether to register, restructure or exit a particular activity is a decision the board should record and the general counsel should advise on in writing.

4. Keep personal data off-chain. Architect deployments so that on-chain content is limited to hashes, pointers and pseudonymous identifiers. Run a Data Protection Impact Assessment before deployment and document the choices that minimise on-chain identifiability. The DPIA is the document a regulator will request.

5. Notarial acts attach to instruments, not to chains. When a digital-asset transaction requires notarisation for foreign use, draft the underlying instrument, notarise the instrument in the ordinary way, apostille through the Department of Foreign Affairs, and reference the on-chain state by hash. This is the practice that holds up at the receiving jurisdiction.

The vocabulary is new. The discipline — classification before action, agreement above code, registration before scale, data protection by design, notarial form preserved — is older than the technology and will outlast it.

For a related working note on the compound legal question raised when artificial intelligence, blockchain and quantum-resistant cryptography are taken together, see the legal impacts of AI, blockchain and quantum. To book a notarial appointment with Hugh Phelan, call (021) 489-7134 or visit phelansolicitors.com.