Blockchain


Blockchain is known mainly because of Bitcoin, but it is reductive to describe it solely in financial terms related to cryptocurrencies. The architecture of distributed ledger technologies (DLTs) is complex and the use cases are many: from supply chain traceability to digital identity management, from the tokenisation of real-world assets to decentralised governance models.

The European regulatory framework has become significantly more structured in recent years. Regulation (EU) 2023/1114 (MiCA), fully applicable since 30 December 2024, introduced the first harmonised framework for crypto-assets, requiring the authorisation of crypto-asset service providers (CASPs) and laying down specific rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs); its implementation is complemented by a national grandfathering transitional period that, in Italy, will run until 30 December 2025. In parallel, Regulation (EU) 2023/1113 (Transfer of Funds Regulation - Travel Rule) requires CASPs to exchange and retain identifying information on the originator and beneficiary of every crypto-asset transfer. Regulation (EU) 2022/858 (DLT Pilot Regime) allows experimentation with DLT-based market infrastructures for the trading and settlement of financial instruments, while Regulation (EU) 2024/1183 (eIDAS 2.0) introduces the European Digital Identity Wallet (EUDI Wallet), which all Member States must make available by the end of 2026 and which also opens significant prospects for architectures based on verifiable credentials.

Our interest remains focused on the intersection between blockchain and personal data protection, which is still one of the most delicate issues. The immutability typical of DLTs is structurally in tension with the rights granted by the GDPR — in particular erasure (Article 17), rectification (Article 16) and the storage limitation principle — and requires the adoption of specific technical solutions, from off-chain storage of personal data to the use of hashing, anonymisation and permissioned channels. The European Data Protection Board (EDPB) addressed the matter in a structured way through its Guidelines 02/2025 on the processing of personal data through blockchain technologies, providing an organised interpretative framework for those who design or use such architectures.

The firm provides advice on the regulatory compliance of DLT architectures, both with respect to the rules currently in force on personal data protection and privacy, and in relation to the specific obligations introduced by the European framework on crypto-assets, as well as in respect of any civil liability scenarios connected with the use of smart contracts and on-chain operations. Nicola Fabiano is an independent researcher on the intersection between blockchain and personal data protection, author of peer-reviewed international publications that have received Best Paper Awards (INTERNET 2018, Venice; IMCIC 2018, Orlando) and of recent contributions on the topic, including the article “Blockchain e GDPR: verso un nuovo paradigma per la gestione dei dati personali e lo sviluppo di modelli di business innovativi” (2024).