Introduction

‍

Regulation (EU) 2026/506, adopted on 23 April 2026, introduces a new Article 5bb into Regulation 833/2014.^[1] From 24 May 2026, EU persons are prohibited from engaging, directly or indirectly, in transactions with crypto-asset service providers that are established in Russia. The EU has introduced a parallel Belarus measure in the form of Article 1zf into Regulation 765/2006, aligning the Belarus regime more closely with the Russia framework.

‍

These measures build on the existing EU crypto and payment sanctions framework, including:

• Article 5b(2), prohibiting the direct or indirect provision of crypto-asset services to Russian nationals, residents, entities or arrangements, with Article 1u(2) of Regulation 765/2006 applying equivalent restrictions in respect of Belarus, and
• Article 5b(2a), prohibiting Russian nationals or natural persons residing in Russia from directly owning or controlling (including holding posts in the governing bodies of) CASPs incorporated in a Member State, with Article 1u(3) of Regulation 765/2006 applying equivalent restrictions in respect of Belarus.

‍
The Consolidated Financial Sanctions List (CFSL) will not contain the full population of prohibited Russian and Belarusian crypto-asset service providers (CASPs). Name-match screening alone is therefore not enough. Article 5bb expands sanctions compliance beyond traditional list screening. Firms now need to identify where CASPs are established, how they are connected, and whether they form part of a wider Russia or Belarus-linked infrastructure network. 



‍

This article uses the term CASP when referring to EU regulatory terminology and VASP when referring to FATF terminology or broader international frameworks.

‍

‍

Why the Council moved beyond entity-by-entity listings

‍

Russia has become increasingly reliant on crypto-assets and alternative payment mechanisms to support international transactions and circumvent financial restrictions. The 20th package therefore introduces what the Council described as a total sectoral ban on providers and platforms established in Russia that allow the transfer and exchange of crypto-assets. 

‍
The Garantex / Grinex / A7A5 migration helps explain why. Garantex, the Moscow-linked exchange, had already been subject to sanctions and law-enforcement action. But the activity did not simply disappear. After the Garantex disruption, former employees launched Grinex as a successor platform, and that A7A5 became central to the migration of value. 

‍
US Treasury later stated that Garantex carried out a scheme to move funds to Grinex and allow customers affected by the disruption to regain access to balances using A7A5, a rouble-backed digital asset issued by the Kyrgyzstani firm Old Vector.^[2] Treasury also stated that Old Vector worked with Garantex and others in the creation of A7A5. The Financial Times later reported that more than 80 per cent of A7A5 in circulation was destroyed and recreated following sanctions action against Grinex-linked infrastructure, with more than $6 billion subsequently moving through the new wallet structure. The FT also reported that activity patterns mirrored earlier wallet behaviour, including Moscow business-hour activity, and that Grinex denied any connection to Garantex.^[3] 

‍
The Garantex migration demonstrated how quickly crypto infrastructure can reorganise after sanctions action.

‍
By the time one platform is listed, activity may already have migrated to a new platform, new wallet structure, new issuer, new jurisdiction or new settlement arrangement. The 20th package responds by moving from entity-by-entity listing to a jurisdictional class prohibition.

‍
Under Article 5bb, exposure may arise even where a CASP has not been individually designated. This places greater emphasis on obliged entities determining whether their counterparty is established in Russia, or operates as a mirror or successor to a Russian CASP.

‍

‍

The Kyrgyzstan circumvention regime

‍

Kyrgyzstan matters because it shows how cross-border crypto infrastructure can sit outside Russia while still serving Russia-linked financial flows.

‍
The 20th package has a wider anti-circumvention architecture. The European Commission said the package activates the EU’s anti-circumvention tool for the first time, including measures linked to Kyrgyzstan. In the crypto context, Kyrgyzstan is relevant because of Grinex, Old Vector and A7A5. US Treasury identified Old Vector as the Kyrgyzstani issuer of A7A5 and stated that A7A5 was used within a scheme involving Garantex and Grinex.^[4]

‍
Article 5bb does not prohibit every Kyrgyzstani CASP. It does mean that Kyrgyzstan has become a documented sanctions-circumvention vector.

‍
That scrutiny is now becoming operationally visible. In May 2026, Kyrgyzstan’s Justice Ministry announced it had suspended 50 legal entities involved in operations considered to present “high sanctions risk,” describing the move as the first use of a new mechanism targeting high-risk operations amid increasing international scrutiny over sanctions circumvention. The announcement does not alter the broader compliance challenge: Russia-linked crypto infrastructure may still operate through entities established outside Russia itself.^[5]

‍
For compliance teams, a Kyrgyzstan-registered CASP should therefore trigger enhanced review where there are indicators such as:

• links to Russian users, founders, payment agents or liquidity providers
• A7A5, RUBx or digital rouble exposure
• successor or mirror-platform indicators
• use of Russian-language interfaces, Moscow business-hour activity or Russian OTC locations
• connection to netting, set-off, reconciliation or settlement structures designed to bypass restrictions
• common infrastructure, personnel or wallet flows with sanctioned Russian platforms

When read alongside the Financial Action Task Force’s (FATF’s) wider offshore VASP concerns, it’s clear that regulatory presence is not the same as operational presence. A provider may be registered in one country, operate from another, and serve users in a third.

‍
We explored this issue further in our earlier commentary paper, Registered somewhere, active everywhere: what the FATF’s oVASP report means for compliance teams.

‍

‍

Belarus alignment and HTP-registered entities

‍

The 20th package also extends the crypto sectoral ban to Belarus.

‍
The Belarus sanctions amendments prohibit transactions with Belarusian CASPs and extend transaction bans to the Belarusian digital rouble. The measures align the Belarus regime more closely with the Russia framework. 

‍
This matters for entities registered under Belarus’s High Technology Park (HTP) framework.

‍
An HTP registration may evidence that an entity has a formal legal or regulatory status in Belarus. After the 20th package, this is a key data point that establishes sanctions relevance. Obliged entities need to immediately reconsider their relationships with CASPs with Belarusian indicia.

‍

‍

What Articles 5bb and 1zf require in practice

‍

The operational burden now sits with the obliged entity. Article 5bb shifts the emphasis to the obliged entity to be more proactive in their identification of sanctioned CASPs. In practice, it requires four operational controls.

‍

1. A current inventory of CASP counterparties and customers by jurisdiction of establishment

Compliance teams need to know which customers and counterparties are CASPs, and where those entities are legally established.
Legal establishment, operational presence, and customer geography are no longer interchangeable concepts. The control needs to identify the legal entity, its home jurisdiction, and those of its affiliates.

That requires:

• corporate registry data
• supervisory register data
• business activity classification
• trading-name and brand mapping
• legal entity to platform mapping
• regulatory status and licence/registration data
• blockchain attribution data
  ‍

2. Group-level and successor-platform attribution

The package responds to migration and mirror-platform behaviour. It is therefore not enough to screen one legal entity in isolation.
‍

Compliance teams should ask:

• Does the group contain any entity established in Russia or Belarus?
• Does the group contain any entity established in Kyrgyzstan or another Commonwealth of Independent States (CIS) jurisdiction with documented Russia-linked flows?
• Are there shared directors, shareholders, founders, addresses, domains, apps, wallets or liquidity pools?
• Has the platform received users, balances, assets or operational infrastructure from a sanctioned or disrupted platform?
• Are there links to A7A5, RUBx, the digital rouble or the Belarusian digital rouble?

Compliance teams can no longer rely solely on counterparty self-identification.
‍

3. Detection of prohibited assets and settlement instruments

The 20th package expands the crypto-asset perimeter. The Council announced a ban on transactions involving RUBx and support for the development of the digital rouble. 
Compliance teams need controls to identify:

• A7A5
• RUBx
• the Russian digital rouble
• the Belarusian digital rouble
• whether their counterparties or intermediaries support those assets
• wrapping, burning, reminting or other techniques used to break asset traceability

Prohibited asset exposure may appear in several forms: direct token support, OTC settlement, liquidity provision, exchange listing, custody, transfer support, or indirect payment flows.

‍
4. Monitoring of the payment rails where breaches will occur

The likely breach points are not limited to on-chain transfers.
‍

They include ramping methods through payment rails including:

• SEPA
• SWIFT
• ACH
• FPS
• cards
• correspondent banking flows
• EMI and PSP accounts
• OTC desks
• payment agents
• netting and set-off structures

Exposure may arise entirely outside the blockchain transaction itself. If an EU financial institution processes a fiat payment for a Russia-established CASP, or for a third-country intermediary that it knows or should reasonably understand is routing funds to such a provider, the risk may emerge through the payment chain rather than the on-chain transfer.

‍
The 20th package also targets netting and similar arrangements. The Council said netting transactions with Russian agents are now forbidden to prevent circumvention.  

‍
A sanctions breach may look like a normal payment to a third-country company, while the underlying economic purpose is crypto settlement for a prohibited Russian or Belarusian platform.

‍
Annex XLV and the need for live update processes

‍
Article 5bb requires an ongoing monitoring and update process.

‍
Annexes and related listings will change. Compliance teams need a documented process to:

1. classify whether a counterparty is a CASP
2. map legal names to trading names, URLs, apps and group entities
3. refresh screening engines and risk-decisioning systems
4. identify historical and pending exposure
5. escalate matches with indicia pointing at Russia, Belarus, Kyrgyzstan, A7A5, RUBx or digital rouble indicators
6. record decisions for audit and supervisory review

Articles 5bb and 1zf require a maintained reference layer for crypto infrastructure.

‍

‍

How the VASPnet data layer maps to Articles 5bb and 1zf 

‍

Articles 5bb and 1zf require a data layer that identifies crypto providers, where they are established, how they are connected, and whether they sit within a Russia or Belarus circumvention ecosystem. This creates four practical data requirements.



‍
1. Business type

Is the entity a CASP?

‍
VASPnet identifies CASPs using regulatory and public-source data, including supervisory registers, enforcement notices, warnings, corporate records and verified public disclosures.



‍
2. Jurisdiction of establishment

Is the provider established in Russia or Belarus?

‍
This requires legal entity data, not just website or brand data. VASPnet maps trading names and platform names to legal entities and regulatory jurisdictions, helping firms distinguish between incorporation, licensing, operational presence and market-facing brand.




3. Group structure and successor indicators

Is the provider part of a group that includes Russian or Belarusian entities, or does it show successor/mirror indicators?

‍
VASPnet’s group relationship and trading-name data helps identify entities that may not be individually listed but may be connected through common ownership, branding, addresses, platform migration, regulatory history or enforcement signals.



‍
4. Operating and risk indicators

Does the CASP have exposure to prohibited assets, high-risk jurisdictions, sanctions warnings, enforcement actions, payment rails or third-country circumvention indicators?

‍
VASPnet supports screening and risk-decisioning by combining regulatory status, restrictions, remarks, permitted activities, country information, travel rule indicators, public-source risk signals and group-level context.
‍

Conclusion: the control has moved upstream

‍
Firms must be able to identify whether the counterparty is a CASP, where it is established, which group it belongs to, which assets and payment rails it supports, and whether it is part of a successor or circumvention network.

‍
For banks, PSPs, payment networks and even CASPs, the breach may not occur on-chain. It may occur through a wire, card payment, correspondent flow, OTC settlement, payment agent or netting arrangement.

‍
That is why the requirements posed in Articles 5bb and 1zf do not form a conventional sanctions-screening problem, but rather a crypto infrastructure identification problem.

‍
Such measures reinforce the principle that crypto-assets cannot be used to facilitate activity that would otherwise be prohibited under sanctions law.

‍
VASPnet helps compliance teams identify CASPs by jurisdiction of establishment, regulatory status, business type, group relationship and operating footprint. These are the data points firms need to assess exposure to Russia- and Belarus-linked crypto settlement infrastructure ahead of the 24 May 2026 implementation date.

‍

For access to more comprehensive data on the world’s regulated VASPs, please write to us at contact@vaspnet.com.

‍

‍

‍

‍

‍

‍

^{[1] Council Regulation (EU) 2026/506 of 23 April 2026 amending Regulation (EU) No 833/2014 concerning restrictive measures in view of Russia's actions destabilising the situation in Ukraine, OJ L 2026/506, 23.4.2026.}

^{[2] U.S. Department of the Treasury, "Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals," 14 August 2025.}

^{[3] Financial Times, "Kremlin-backed crypto coin moves $6bn despite US sanctions," 6 October 2025.}

^{[4] U.S. Department of the Treasury, "Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals," 14 August 2025.}

^{[5] Reuters, "Kyrgyzstan shutters dozens of companies over sanctions evasion concerns," 19 May 2026.}