France’s top financial regulator has published new rules regarding the licensing of digital asset service providers (DASPs) as well as guidelines for firms applying for the non-mandatory license and informing the regulator about internal cybersecurity practices.

The Autorité des marchés financiers (AMF) or Financial Markets Authority released the rules on Wednesday and the guidelines on Thursday last week, opening up the opportunity for firms to apply. The rules and guidelines expand upon France’s PACTE law, one of the first crypto legislative packages passed in Europe. PACTE passed in May 2019.

To apply, each DASP has to send the AMF a two-year business plan, a list of digital assets the firm is going to service, the list of geographies the firm will operate in and the firm’s organizational chart among other things.

Licensed DASPs are required to have professional indemnity insurance or a minimum amount of reserve funds, at least one effective senior manager, resilient IT systems, an internal control system, a claims handling procedure, an organization enabling it to avoid conflicts of interests and procedures to prevent money laundering and terrorist financing.

The license is optional for crypto firms operating in France, however. The French government only mandates that crypto custodians and any firm dealing with fiat-to-crypto or crypto-to-fiat services register with the AMF for anti-money laundering and anti-terrorist financing reasons.

The French regulator also released specific rules for crypto custodians, crypto exchanges, crypto broker-dealers, and crypto custodians.

“To the best of my knowledge it’s the first time we’ve seen precisely how a custodian has to maintain the key to assets on blockchain, and what is the role and liability of the custodian,” said Hubert de Vauplane, a partner at law firm Kramer Levin Naftalis & Frankel.

The French government, with the help of the AMF, has defined crypto-asset custody service as “mastering” the “means of access” (cryptographic keys) for a third party’s digital assets and keeping track of their positions, said Emilien Bernard-Alzias, a partner at law firm Simmons & Simmons in Paris. New rules for licensed custodians under its general regulations include multi-validation for customers’ transactions and compensating clients if the custodian cannot restore control of those assets.

In its guidelines, the AMF notes the security risks that blockchain poses and asks crypto firms to provide the regulator with a detailed cybersecurity program that mitigates risks and complies with Europe’s general data protection regulation. Crypto firms are responsible for the cybersecurity of the digital asset service they provide and must undergo regular technical audits.