Utility tokens vs security tokens: understanding the regulatory distinction

June 29, 2026
Wolfgang Richter

Partner, Rechtsanwalt, Abogado (Madrid)


This article is intended for readers with an interest in legal and regulatory matters and examines the regulatory distinction in greater detail, with reference to the relevant legal provisions and supporting sources. For a strategic overview of the financing logic, listing advantages and the dual model, please see our article, “Funding Through Token Issuance: How Companies Raise Capital – Without Bank Loans or Traditional Equity Financing.”

Key points at a glance

  • Utility tokens are subject to MiCAR (Regulation (EU) 2023/1114), whereas security tokens fall within the scope of MiFID II (Directive 2014/65/EU) and the Prospectus Regulation (Regulation (EU) 2017/1129), supplemented in Germany by the German Securities Prospectus Act (Wertpapierprospektgesetz – WpPG).
  • MiCAR does not apply to crypto-assets that qualify as financial instruments within the meaning of Article 4(1)(15) of MiFID II. The two regimes are mutually exclusive.
  • Classification is determined by the token’s economic function (‘substance over form’): In line with ESMA guidance and BaFin administrative practice, key factors include transferability, standardisation, tradability and investment characteristics.
  • Marketing statements emphasising returns, capital appreciation or investment potential may, from a regulatory perspective, result in a utility token being classified as a security token, triggering prospectus and licensing requirements.

Regulatory framework: MiCAR, MiFID II and the prospectus regulation

Both regimes are derived from EU law but are subject to different regulatory frameworks. Security tokens fall within the scope of MiFID II (Directive 2014/65/EU) and the Prospectus Regulation (EU) 2017/1129, supplemented in Germany by the German Securities Prospectus Act (Wertpapierprospektgesetz – WpPG). Utility tokens are generally governed by MiCAR, which has applied to utility tokens since 30 December 2024.[1]

Security tokens: prospectus requirements and exemptions

A prospectus is generally required for an initial issuance of security tokens and must be approved by the competent supervisory authority. In Germany, a Securities Information Document (WIB) or a Key Information Document (KID) under the PRIIPs Regulation is permitted as an alternative for offers up to €8 million (aggregated over a twelve-month period).[2]

Since 5 June 2026, EU law has generally established a prospectus exemption threshold of EUR 12 million per issuer or offeror over a 12-month period, unless a Member State opts to apply a lower threshold of at least EUR 5 million. Germany has repealed the previous national threshold under Section 3 of the German Prospectus Act (Wertpapierprospektgesetz – WpPG) and has not exercised the option to lower the threshold to EUR 5 million. As a result, the EUR 12 million threshold applies in Germany.[3] The WIB/PRIIPs KID regime continues to apply in principle. However, a PRIIPs Key Information Document (KID) does not constitute a separate ground for exemption from the prospectus requirement.

Once approved, the prospectus may generally be passported throughout the EU via the notification procedure (‘passporting’). This is not possible for a WIB.

The principal exemptions include:

  • offers addressed exclusively to qualified investors;
  • offers where the minimum investment amount or denomination is €100,000 per investor;
  • offers made to fewer than 150 non-qualified investors per Member State; and
  • offers with a total consideration in Germany of less than €100,000 over a twelve-month period.[4]

A security token is a financial instrument. Services relating to security tokens – including custody, brokerage, commission and portfolio management activities – are generally subject to licensing requirements. A breach of the applicable authorisation requirements may result in administrative sanctions and, in certain circumstances, criminal liability.[5]

Utility tokens: white paper procedure requirements and MiCAR exemptions

For an initial issuance, a crypto-asset white paper must be submitted to BaFin at least 20 working days before publication. The white paper is not subject to prior regulatory approval. However, the authority may intervene in the event of non-compliance, particularly in relation to marketing communications.[6]

MiCAR provides, inter alia, exemptions for offers addressed solely to qualified investors and for offers made to fewer than 150 persons per Member State. It also exempts offers with a total consideration not exceeding EUR 1 million over a 12-month period from the white paper requirement.

In addition, MiCAR provides a number of crypto-asset-specific exemptions:

  • crypto-assets granted as a reward for maintaining a distributed ledger or validating transactions;
  • crypto-assets providing access to an existing or operational good or service;
  • crypto-assets exchanged for goods or services within a limited network of merchants that maintain contractual arrangements with the issuer; and
  • crypto-assets distributed free of charge (airdrops), although the provision of personal data does not qualify as consideration-free distribution.

Reverse exception: where admission to trading on a crypto-asset trading platform is sought or intended, these exemptions will largely cease to apply.

Services relating to utility tokens are subject to licensing requirements under MiCAR in the same way as the corresponding activities under MiFID II. Non-compliance is subject to regulatory sanctions.

Utility tokens and security tokens: A legal comparison

Criterion | Utility tokens (MiCAR) | Security tokens (MiFID II / Prospectus Regulation)
Disclosure document | White paper | Prospectus (alternatively WIB/KID up to €12 million)
Regulatory process | Notification to BaFin, no authorisation | Formal approval required
Time until sales launch | At least 20 working days before publication of the white paper | Typically 6–12 weeks until prospectus approval
Exemption threshold (12 months) | €1 million (Art. 4(2)(d) MiCAR) | EU threshold: EUR 1 million; Germany: exemption up to EUR 12 million
EU passporting | Yes, by notification | Yes for the prospectus; not for WIB/KID
Licence for ancillary services | MiCAR service provider authorisation required | Authorisation under the WpIG/KWG (depending on the activities carried out)

Substance over form: determining the regulatory classification

MiCAR does not apply to crypto-assets that qualify as financial instruments within the meaning of Article 4(1)(15) of MiFID II. Accordingly, the MiCAR and MiFID II regimes are mutually exclusive.[7]

The classification exercise follows the substance-over-form principle reflected in ESMA guidance. The relevant assessment focuses on transferability, standardisation, tradability and investment characteristics rather than the label attached to the token.[8]

Typical indicators in the regulatory assessment

Criterion | Indicator: Utility token | Indicator: Security token
Primary function | Use / access | Investment
Marketing | Functionality, membership, community | Ownership interest, returns, capital appreciation, scarcity
Economic rights | Usage rights, access rights | Profit participation, repayment rights
Transferability / tradability | Fungible instrument, tradable both on and off the exchange | Fungible instrument, tradable on and off exchange
Guarantees / mechanisms | No buy-back or exchange guarantees | Buy-back, guaranteed exchange ratios

Marketing as a regulatory risk factor

Even a functionally well-designed utility token can be reclassified as a security token as a result of its marketing.

Statements emphasising capital appreciation, scarcity or return potential may create an expectation of profit from a regulatory perspective. Under the substance-over-form principle, this can be a significant factor supporting classification as a financial instrument.

Particularly sensitive from a regulatory perspective are statements such as “The token will increase in value”, “Early investors will benefit most”, “Passive income through token holding” or “Attractive upside potential”.

Hybrid structural features, such as fixed buy-back mechanisms, guaranteed exchange ratios, economic profit-sharing arrangements or promises of early exchange listings, further strengthen the investment character of a token and may lead to reclassification.

Structuring options: staged issuance process and dual-token model

Staged issuance process for security tokens

Where a token is intended to be marketed as an investment instrument from the outset, it should be structured and presented as a security token.

In practice, a staged issuance process may be used. During an initial phase, the offering can rely on the prospectus exemptions under Article 1(4) of the Prospectus Regulation (qualified investors, minimum denomination of €100,000, fewer than 150 offerees per Member State, or the applicable national threshold).[4] This enables the issuer to commence the offering without waiting for prospectus approval.

If the issuer subsequently wishes to target retail investors, a prospectus may be prepared in parallel and submitted to the competent EU supervisory authority for approval. Once approved, the prospectus may be passported throughout the EU, allowing distribution to retail investors across Member States.

Dual-token model: separation requirement, exchange ratios and price stabilisation

The dual-token model (security token for the investment component and utility token for use and community functions) is viable from a regulatory perspective only where the two functions are genuinely separated in practice. What matters is the economic reality rather than the formal structure.

Exchange mechanisms between utility tokens and security tokens are not prohibited. However, particular care must be taken where a guaranteed exchange ratio is provided, as this may place such emphasis on the investment function that the utility token itself could fall within the scope of the MiFID II regime.

Price stabilisation measures, including issuer buy-back programmes, are generally permissible provided that their purpose is limited to stabilising the market price rather than increasing it.

Conclusion

The regulatory classification of a token depends on its economic function and the manner in which it is marketed, rather than on its name.

Utility and investment functions should therefore be clearly separated both structurally and in communications. Failure to maintain this separation may result in prospectus requirements, MiFID-related regulatory obligations and licensing requirements becoming applicable, potentially giving rise to significant regulatory, civil and criminal consequences.

Q&A

When does a utility token become a security token for regulatory purposes?

Where its structure or marketing primarily creates expectations of returns or capital appreciation. The decisive factor is the token’s economic function under the substance-over-form principle, rather than the label attached to it.

What are the consequences of a subsequent reclassification as a security token?

Depending on the activities carried out, breaches of applicable authorisation or prospectus requirements may result in administrative sanctions or criminal liability (e.g. Section 54 of the German Banking Act (KWG) and Section 82 of the German Securities Institutions Act (WpIG), with criminal penalties of up to five years’ imprisonment). An incorrect regulatory classification may therefore have significant supervisory, liability and enforcement consequences. A clear allocation of functions is therefore essential not only for regulatory certainty, but also for effective risk management.

Is submitting the white paper sufficient for a utility token?

Yes. For utility tokens, it is sufficient to submit the white paper to BaFin at least 20 working days prior to publication (Art. 8(1) MiCAR). The white paper is not subject to regulatory approval (Art. 6(3) MiCAR); however, BaFin may intervene in the event of infringements.

Can tokens be distributed across the EU?

Both regimes provide for passporting: a prospectus approved in an EU Member State and a MiCAR white paper notified to an EU authority may generally be marketed throughout the EU. Exception: WIBs/KIDs are not eligible for passporting and are valid only in Germany.

What is the procedural difference between a white paper and a prospectus?

Under MiCAR, the crypto-asset white paper must be submitted to BaFin or another competent authority in the EU at least 20 working days before its publication. No formal approval is required. However, the offer may only commence once the white paper has been duly published. By contrast, a prospectus under the Prospectus Regulation must be formally approved by the competent supervisory authority of an EU Member State before the offer may commence, a process that typically takes 6–12 weeks. The disclosure requirements for a prospectus are significantly more extensive than those applicable to a MiCAR white paper.

References

  1. MiFID II (Directive 2014/65/EU); Prospectus Regulation (Regulation (EU) 2017/1129); German Securities Prospectus Act (WpPG); MiCAR (Regulation (EU) 2023/1114).
  2. Sections 3(2) sentence 1 no. 6, 4 WpPG in conjunction with Article 3(2) Prospectus Regulation; PRIIPs Regulation (Regulation (EU) No 1286/2014).
  3. Article 3(2), first and second subparagraphs, of Regulation (EU) 2017/1129 (Prospectus Regulation), as in force from 5 June 2026. For the repeal of the previous national threshold under Section 3 of the German Prospectus Act (Wertpapierprospektgesetz – WpPG), see the Standortfördergesetz (Location Promotion Act), Federal Law Gazette (Bundesgesetzblatt – BGBl.) 2026 I No. 33 of 9 February 2026.ectus Regulation (as amended); cf. draft ZuFinG II.
  4. Art. 1(4)(a), (b), (c), (d) of the Prospectus Regulation; § 4 of the WpPG; Art. 1(3) of the Prospectus Regulation (EU de minimis threshold of €1 million, subject to national reduction).
  5. Section 54 of the German Banking Act (KWG); Section 46 of the German Capital Markets Act (KMAG) (penalty of up to 5 years’ imprisonment); Section 47 of the German Capital Markets Act (KMAG) (fines).
  6. Art. 8(1) MiCAR (duty to notify); Art. 6(3) MiCAR (no authorisation); Art. 12 MiCAR and Sections 16, 17 KMAG (supervisory powers of intervention).
  7. Article 4(1)(15) MiFID II; Recitals 9 and 22 MiCAR (exclusivity between financial instruments and crypto-assets).
  8. Article 4(1)(15) MiFID II; Recitals 9 and 22 MiCAR (exclusivity between financial instruments and crypto-assets).
