Crypto-asset seizure and freezing: a CASP compliance guide

A crypto-asset service provider (CASP) can be ordered to freeze or hand over crypto-assets it holds, and crypto is expressly covered by the EU's asset recovery framework. The main EU instrument is a directive, so it binds CASPs only through each member state's national law, while a separate regulation applies directly for orders that cross a border. How an order reaches a CASP, and on what timeline, depends on which of these is in play. And because crypto can move in seconds, speed is the defining challenge.
What is the EU framework for freezing and confiscating crypto-assets?
Two main instruments sit at the EU level, and they do different jobs.
Directive (EU) 2024/1260 on asset recovery and confiscation sets EU-wide minimum rules for tracing, freezing, confiscating, and managing criminal property. It entered into force on 22 May 2024, and member states have until 23 November 2026 to transpose it into national law. It expressly includes crypto-assets in its definition of property, so a CASP holding crypto is clearly within reach of the regime.
Regulation (EU) 2018/1805 on the mutual recognition of freezing and confiscation orders handles the cross-border side. It has applied since 19 December 2020, and unlike the Directive it is directly applicable. It lets a freezing or confiscation order issued in one member state be recognised and enforced in another without further formalities.
The Directive harmonises what national regimes must be able to do. The Regulation makes orders travel across borders. Together they form the backbone of how criminal crypto-assets are frozen and confiscated in the EU.
What is the difference between freezing and confiscation?
They are two stages, and the distinction matters.
Freezing is temporary. In the words of the Directive, it is a temporary prohibition on transferring, destroying, converting, disposing of, or moving property, or temporarily taking custody or control of it. Its purpose is to preserve the assets so they cannot disappear while a case proceeds.
Confiscation is final. It is the permanent deprivation of property, ordered by a court in connection with a criminal offence. A freeze holds the assets in place; confiscation takes them for good.
For a CASP, the two create different obligations. A freeze means preventing movement of specified assets, fast. Confiscation means transferring or releasing them as directed once a court has ruled.
Does the framework apply directly to CASPs?
Not in the way it might first appear, and this is worth being precise about. Directive (EU) 2024/1260 is addressed to member states, not to companies. It does not, by itself, place an obligation on a CASP. What it does is require each member state to have laws that let its authorities freeze and confiscate property effectively.
So the obligation a CASP actually responds to comes from two places. The first is national criminal procedure, the local laws implementing the Directive, under which a national authority issues a freezing or confiscation order that the CASP must execute. The second is Regulation (EU) 2018/1805, which is directly applicable and so binds without national implementation, for orders that cross a border.
The practical takeaway: a CASP does not comply with the Directive directly. It complies with the national law built on it, and with the directly applicable Regulation. How an order looks, what deadline applies, and which authority issues it are determined largely by national law, so the experience varies between member states even though the floor is common.
How does a cross-border order reach a CASP?
Through the executing authority in the CASP's own country, not directly from the foreign authority. Regulation (EU) 2018/1805 works on mutual recognition: an order issued in one member state is sent, by means of a freezing or confiscation certificate, from the issuing authority to the executing authority in the state where the assets are held. The executing authority recognises it without further formalities and enforces it under its own national law.
One feature matters for speed. The executing authority must act on a freezing order with the same speed and priority as it would in a comparable domestic case. So a CASP can end up freezing assets on the basis of an order that originated in another member state, reaching it through its national authority, on a domestic timetable. Denmark and Ireland are not bound by the Regulation, so the older cooperation rules apply to them.
How is a sanctions freeze different?
It is a separate obligation, and a CASP should not confuse the two. EU restrictive measures, that is, sanctions, are adopted as directly applicable regulations, and they require a CASP to freeze the funds and crypto-assets of designated persons and entities. This duty is proactive: it is triggered by screening a CASP's own customer base against sanctions lists, not by an order arriving from an authority. No court order is involved, and the freeze must be applied immediately once a match is confirmed.
Criminal freezing and confiscation orders, by contrast, are reactive. They arrive from an authority, target specific assets tied to a specific case, and are executed under criminal procedure. A CASP needs processes for both, but they are not the same mechanism.
What does this mean operationally for a CASP?
The order obliges a CASP to act, but how well it acts is what decides whether the response holds up. In practice it comes down to four things.
- Confirm the order is genuine before acting. Forged and irregular orders do reach exchanges, and acting on a false one can mean freezing a customer's assets with no lawful basis. Because a real order carries a deadline, the verification has to be fast, which is why a reliable way to authenticate an incoming order matters more than it first appears.
- Freeze what the order covers. An order may name a specific amount, asset, or account. Read it too broadly and you risk locking lawful funds; too narrowly and you have not done what was asked. Translating the legal wording into the right action in your own system is a judgment call, not a single click.
- Act before the assets move. Crypto can leave the platform faster than a slow internal process can react, and once it is gone it is beyond reach. The deadline on the order is the outer limit; the real limit is however long it takes someone to move funds.
- Keep a clear record of what you did. Be able to show what you froze, when, and on what basis, so that if a supervisor or court asks later, the answer is a clean record rather than a reconstruction from inboxes and memory.
This is the same operational problem that runs through every authority order a CASP receives: verify, act within the deadline, and be able to show afterwards exactly what was done. With freezing orders, the cost of being slow or disorganised is simply more visible, because the assets can vanish.
When do the new rules take effect?
Parts of the framework are already live, and parts arrive over the next year.
Regulation (EU) 2018/1805 has applied since 19 December 2020, so cross-border recognition of freezing and confiscation orders is already in force. Sanctions obligations also already apply, through the relevant restrictive-measures regulations.
Directive (EU) 2024/1260 is the part still arriving. Member states must transpose it by 23 November 2026, and must adopt national asset recovery strategies by 24 May 2027. So the strengthened national rules, including broader confiscation powers, will land through national law over the course of 2026. A CASP operating across several member states should expect the detail to differ by country even after transposition, because the Directive sets a floor, not a uniform text.
---
Reqport replaces manual, unverified workflows for handling law enforcement orders with a purpose-built portal. Seizure and freeze orders can be managed securely, received and acted on via API, so a freeze can be applied automatically the moment it arrives. See how Reqport works.
---
This article is for informational purposes only and does not constitute legal advice. The rules are implemented through national law, which varies by member state. For how they apply to your specific situation, consult qualified legal counsel.

Reqport
Reqport is a platform for handling law enforcement and other authority data requests.
LinkedInRelated articles

Can the police request data from companies?
The police can ask a company for data, but a request isn't an order. When you have to comply, when you may share voluntarily, and how to stay within the GDPR.

Asset freezing and confiscation: how governments secure assets held by companies
What are asset freezing and confiscation, and what can government authorities do? Under new EU rules, property can be confiscated even without a conviction. A guide for companies.

What does AMLR Article 75 mean for CASPs?
From 10 July 2027, crypto-asset service providers (CASPs) become obliged entities under the AMLR. What Article 75 allows CASPs to share, who can take part, and what is still unsettled.