Bull Bitcoin, a MiCA-licensed exchange, has filed the first legal challenge against DAC8 before France's highest administrative court, arguing the directive threatens the physical safety of crypto holders, not just their privacy. The case targets Decree No. 2025-1276, the French implementing measure, and could set a precedent across all 27 EU member states.
The challenge doesn't contest taxes or reporting obligations. It contests the argument that the database itself may endanger people's lives.
TL;DR: Bull Bitcoin, a MiCA-authorized exchange, has filed suit before France's Conseil d'État to annul the DAC8 implementing decree, arguing the centralized crypto identity database creates a physical security risk. If the court agrees, the legal template applies to every EU country where CARF is being rolled out in 2026.
What Happened
Bull Bitcoin, one of the oldest Bitcoin-only, non-custodial exchanges and MiCA-authorized by the French regulator AMF, filed a challenge before the Conseil d'État, the highest administrative court in France, seeking the annulment of Decree No. 2025-1276, the measure that transposes DAC8 into French law. After an initial filing on February 24, 2026, the company submitted a full legal brief outlining its arguments. To support the campaign, Bull Bitcoin launched the dedicated site dac8.com.
In Europe, DAC8 has turned “Know Your Customer” into “Kill Your Customer.”
— BULLBITCOIN.COM (@BULLBITCOIN_) July 8, 2026
Today, Bull Bitcoin is officially opening the first legal front against DAC8.
We have brought a case before France's Conseil d'État, the country's highest administrative court, to strike down the decree… pic.twitter.com/e8ZXl6NVx0
The stated goal reaches beyond France. Bull Bitcoin aims to suspend, delay, annul, or amend both DAC8 and its global counterpart, the OECD's Crypto-Asset Reporting Framework (CARF), and the company says it's prepared to take the case all the way to the Court of Justice of the European Union.
What DAC8 Actually Requires
DAC8 is the eighth iteration of the EU's Directive on Administrative Cooperation. In force since January 1, 2026, it requires crypto-asset service providers to collect user identity and transaction data, transmit it to national tax authorities, and have it automatically exchanged across all 27 member states. The first reports, covering 2026 activity, are due by September 30, 2027.
DAC8 is the EU's implementation of the OECD's CARF standard. According to the OECD, 48 countries are implementing CARF in 2026 and 75 have committed to adoption. It is the framework that, as we have previously covered in our analysis of the post-MiCA European landscape, closes the era of fiscal opacity for good.
Why the Defense Argues Disproportionality
The core legal argument. Source: Bull Bitcoin filing before the Conseil d’État, 2026
- A bank account
reveals a balance and recent transactions. - A Bitcoin address
reveals a complete, permanent financial history that is publicly searchable by anyone.
Linking a Bitcoin address to a real identity and home address creates a complete dossier on every holder, including those with nothing to declare.
The Argument That Shifts the Debate: Not Privacy, Safety
The legal core of the challenge invokes Article 52 of the EU Charter of Fundamental Rights, which states that any limitation of a right must be necessary, appropriate, and proportionate. Bull Bitcoin argues that DAC8 fails all three criteria, because it centralizes sensitive data well beyond what legitimate tax verification would require.
The argument that makes this case unlike any previous challenge is a different one, though. A centralized database linking real identities to crypto addresses becomes a target. If the data leaks, criminals know who owns what and where they live. CEO Francis Pouliot captured this in a phrase that's circulating widely: “Know Your Customer” transformed into “Kill Your Customer.” This isn't a theoretical fear. According to Bull Bitcoin's legal brief before the Conseil d'État, France is among the countries hardest hit by physical attacks on crypto holders, and the filing cites concrete prior incidents involving breaches of French public databases. The shift from abstract civil liberties to the much harder-to-ignore terrain of public safety is deliberate.
Why This Matters Across the EU
France moved first because it already has an implementing decree in place. But the same DAC8 architecture applies to all 27 member states. Any legal precedent formed in Paris becomes the template for challenges wherever CARF lands, including in the UK, where the equivalent reporting standard is under active consultation.
In Europe, DAC8 has turned “Know Your Customer” into “Kill Your Customer.”
, BULLBITCOIN.COM (@BULLBITCOIN_) July 8, 2026
Today, Bull Bitcoin is officially opening the first legal front against DAC8.
We have brought a case before France's Conseil d'État, the country's highest administrative court, to strike down the decree… pic.twitter.com/e8ZXl6NVx0
There's a structural tension the case exposes. The EU built MiCA, DORA, and GDPR precisely to make regulated firms responsible for data security, with market incentives to protect it. DAC8 runs the opposite direction: it channels that same data into intergovernmental administrative networks, where market discipline is weaker and the security of the whole is only as strong as its weakest link, across dozens of tax administrations with uneven infrastructure. It's the same underlying logic that makes direct control of your own data the most resilient defense.
To be fair, annulling a fiscal cooperation directive is a rare outcome, and tax transparency serves legitimate objectives. But Bull Bitcoin's chosen angle puts something new on the record, something Brussels cannot dismiss as the standard libertarian objection. The outcome, either way, will redefine the balance between tax enforcement and the safety of the people whose data is being collected. Primary sources are available on the European Commission's tax portal and through the OECD's CARF documentation.
