Crypto Asset Storage: Laws & Regulations Around the World

Over the past two years, regulators have converged on a common playbook for crypto-asset safekeeping: strong key management, segregation of client assets, clear liability, and use of offline (“cold”) storage where appropriate. The Financial Stability Board has explicitly pitched a “global regulatory baseline,” urging authorities to implement consistent, risk-based frameworks while leaving room for local specifics.

 

We conducted a jurisdiction-by-jurisdiction review of the legal texts (and, in the U.S., formal statements) to determine their specific provisions regarding cold-wallet security and adjacent controls.



 

Türkiye (SPK — Communiqué III-35/B.1)

Türkiye is unusually explicit. The Communiqué defines a cold wallet as a wallet technology in which private keys are protected with physical, administrative and technical information-security controls, and where “transaction approval and transaction signing… are performed in internet-isolated environments with physical or technical air gaps, with intervention by authorized personnel.”

 

This is not merely descriptive; it embeds two core security mandates into law: air-gapped isolation for critical operations and human-in-the-loop authorization for signing. Together, these elements set a high bar for cold-wallet implementations in the Turkish market.

 

European Union (MiCA)

MiCA does not use the terms “cold” or “hot,” but it imposes concrete custody outcomes. Crypto-asset service providers (CASPs) that provide custody “shall establish a custody policy… to ensure the safekeeping or the control of such crypto-assets, or the means of access to the crypto-assets.” (Article 75(3)). MiCA also requires CASPs to “segregate holdings of crypto-assets on behalf of their clients from their own holdings and ensure that the means of access… is clearly identified as such,” and to hold clients’ assets at separate addresses on the distributed ledger from their own (Article 75(7)). Finally, liability is explicit: CASPs are “liable to their clients for the loss of any crypto-assets or of the means of access” where the loss results from an incident attributable to the provider, capped at the asset’s market value at the time the loss occurred (Article 75(8)).

 

In practice, these clauses push firms toward defensive key custody architectures (often cold or tiered storage) that demonstrably protect the means of access (i.e., private keys) and keep them segregated without prescribing a specific technology.

 

United States (Federal banking agencies; SEC RFI)

In July 2025, the OCC, Federal Reserve, and FDIC issued a joint Interagency Statement on Crypto-Asset Safekeeping for banking organizations. It emphasizes that the statement “does not create any new supervisory expectations” but clarifies how existing safety-and-soundness rules apply. Critically for wallets, customer agreements should address “the method of holding the assets (cold/hot/hybrid storage).” The statement also notes “wallets exist on a continuum between ‘cold’… and ‘hot’.”

 

Separately, the SEC is collecting input on custody issues. Commissioner Peirce’s 2025 request-for-information explicitly asks, “What clarifications are needed to address concerns about whether custody entails possession or control in the context of crypto assets involving cold or hot storage?” While not a binding rule, it signals active U.S. interest in how cold vs. hot custody maps to “possession or control” in federal securities contexts.

 

Regulated banks are expected to document storage models (including cold/hot/hybrid) and incorporate these into customer disclosures and agreements. Meanwhile, securities regulators are probing how custody definitions should treat cold storage.

 

Dubai (VARA — Custody Services Rulebook)

Dubai’s VARA is direct about wallet topology. Rule III.C.1 is titled “Hot and cold Virtual Asset storage.” It requires VASPs to use a risk-based analysis to determine storage methods and to document the methodologies and behavior for transfers between hot, cold, and warm wallets, subject to independent audit. VARA “reserves the right to require VASPs to use multi-signature approaches” (III.C.2.d).

 

On segregation, VARA mandates that custodians “segregate the Virtual Assets of each client in separate VA Wallets containing the Virtual Assets of that client only,” and requires “operational and physical segregation between individuals handling operations for Custody Services” and other business lines (III.B.3 and III.B.7–8).

 

VARA doesn’t dictate a cold percentage, but it forces formal governance, documentation, and segregation, and it explicitly centers hot vs. cold choices in a risk program that auditors can test.

 

Bahrain (CBB — Rulebook, Volume 4, Appendix AU-1)

Bahrain’s rules go deep on key management and wallet posture. They state: “Crypto assets that do not need to be immediately available must be held offline, in a ‘cold wallet’.” They further require multi-signature wallets and recommend cold-wallet key storage “where possible.” The guidance also recognizes air-gapped devices used to generate, sign, and export transactions, with cautions about infection through portable media (Volume 4 > Part A > Appendix AU-1: Key Management and Wallet Storage).

 

This is one of the clearest legal texts anywhere mandating cold storage for non-immediately-needed assets, plus multi-sig as a default control.



 

In Summary

Across jurisdictions, cold storage emerges as part of a broader control framework rather than a silver bullet. The legal texts consistently stress: documented custody policy and controls, segregation of client assets and of operations, robust key management (often including multi-sig and air-gapping), and clear liability if means of access are lost. That is the through-line that maps neatly onto the FSB’s call for a coherent global baseline.

 

Compliant Cold Wallet Technology with DataFlowX

Cold wallets only deliver their promise when two conditions hold at the same time: keys and signing workflows remain offline, and nothing from higher-risk networks can reach the signing environment. That is the security gap our unidirectional isolation closes.

 

DataDiodeX enforces a one-way path from the cold enclave to an external broadcast or operations zone. Signed transactions, tamper-evident audit logs, and key ceremony evidence can leave the enclave. Nothing comes back. This aligns with regulatory language that expects internet-isolated and air-gapped operation for critical steps like verification and signature.

 

Cold workflows still need a controlled way to receive strictly defined inputs such as unsigned PSBTs, watch-only derivation paths, and policy updates. DataBrokerX provides that path without collapsing the gap. It pairs the physical one-way architecture with a brokered request-response design that allows only whitelisted message types and sizes, applies protocol-level parsing, and enforces human approvals and multi-party checks.
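An added example, written for this article and not DataFlowX product code, of the allowlisted, size-capped, protocol-parsed inbound path this paragraph describes. It models a broker gate in Python that admits only two framed message types into the cold side, an unsigned PSBT and a watch-only output descriptor, refuses anything else on the type tag, rejects by declared size before reading a payload, and then parses structurally: the PSBT walker checks the BIP-174 magic and that every key-value map is terminated with no truncation, and the descriptor check refuses extended private keys, since watch-only material must never carry signing keys. The 5-byte framing, type tags, byte caps, sample PSBT (placeholder transaction bytes) and placeholder xpub are all constructed for the example; a policy-update type would be a third allowlist entry with its own schema check. Whatever carries them, inbound messages are the residual attack surface of a cold enclave, so a gate like this should stay small, fail closed, and log every rejection as a security event.

```python
import struct

PSBT_MAGIC = b"psbt\xff"          # BIP-174 leader bytes
HEADER = struct.Struct(">BI")     # assumed framing: 1-byte type tag, 4-byte big-endian payload length

class Rejected(Exception):
    """Anything the gate refuses to forward into the enclave."""

def _read_compact_size(buf, pos):
    """Bitcoin CompactSize varint -> (value, next_pos); raises on truncation."""
    if pos >= len(buf):
        raise Rejected("truncated map")
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    end = pos + 1 + {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    if end > len(buf):
        raise Rejected("truncated compact size")
    return int.from_bytes(buf[pos + 1:end], "little"), end

def _walk_keymap(buf, pos):
    """Consume one PSBT key-value map up to its 0x00 separator -> (entries, next_pos)."""
    entries = 0
    while True:
        keylen, pos = _read_compact_size(buf, pos)
        if keylen == 0:
            return entries, pos
        vallen, pos = _read_compact_size(buf, pos + keylen)
        if pos + vallen > len(buf):
            raise Rejected("truncated value")
        pos, entries = pos + vallen, entries + 1

def check_psbt(payload):
    """Structural PSBT check: magic, non-empty global map, every following map terminated."""
    if not payload.startswith(PSBT_MAGIC):
        raise Rejected("bad PSBT magic")
    global_entries, pos = _walk_keymap(payload, len(PSBT_MAGIC))
    if global_entries == 0:
        raise Rejected("empty global map")
    io_maps = 0
    while pos < len(payload):     # input maps, then output maps, each 0x00-terminated
        _, pos = _walk_keymap(payload, pos)
        io_maps += 1
    return {"global_entries": global_entries, "io_maps": io_maps}

def check_descriptor(payload):
    """Watch-only descriptor: ASCII, known wrapper, balanced parentheses, no private key material."""
    text = payload.decode("ascii", errors="replace")
    wrappers = ("wpkh(", "wsh(", "sh(", "tr(", "pkh(")
    if "\ufffd" in text or not text.startswith(wrappers) or text.count("(") != text.count(")"):
        raise Rejected("malformed descriptor")
    if any(marker in text for marker in ("xprv", "tprv", "yprv", "zprv", "uprv", "vprv")):
        raise Rejected("descriptor carries private key material")
    return {"descriptor": text}

ALLOWLIST = {                     # type tag -> (name, byte cap, validator); tags and caps are assumptions
    0x01: ("psbt", 64 * 1024, check_psbt),
    0x02: ("descriptor", 1024, check_descriptor),
}

def frame(tag, payload):
    return HEADER.pack(tag, len(payload)) + payload

def gate(message):
    """Admit one framed message -> (type name, parsed content), or raise Rejected."""
    if len(message) < HEADER.size:
        raise Rejected("short header")
    tag, length = HEADER.unpack_from(message)
    if tag not in ALLOWLIST:
        raise Rejected(f"type 0x{tag:02x} not allowlisted")
    name, cap, validator = ALLOWLIST[tag]
    if length > cap:              # refuse on the declared size before reading any payload
        raise Rejected(f"{name} exceeds {cap} bytes")
    payload = message[HEADER.size:]
    if len(payload) != length:
        raise Rejected("declared length does not match frame")
    return name, validator(payload)

# Constructed samples: placeholder transaction bytes and a placeholder xpub, not real chain data.
SAMPLE_PSBT = (PSBT_MAGIC + b"\x01\x00\x04\x02\x00\x00\x00"  # global map: key type 0x00 -> 4 placeholder bytes
               + b"\x00" + b"\x00\x00")                        # separator, then one empty input and one empty output map
SAMPLE_DESCRIPTOR = b"wpkh([d34db33f/84h/0h/0h]xpub6EXAMPLEONLY/0/*)"

def demo():
    """Run the gate over well-formed and hostile frames -> {label: outcome}."""
    cases = {
        "psbt_ok": frame(0x01, SAMPLE_PSBT),
        "descriptor_ok": frame(0x02, SAMPLE_DESCRIPTOR),
        "unknown_type": frame(0x7F, b"firmware.bin"),
        "oversized_psbt": frame(0x01, b"\x00" * (64 * 1024 + 1)),
        "truncated_psbt": frame(0x01, SAMPLE_PSBT[:-3]),
        "leaked_xprv": frame(0x02, b"wpkh(xprv9EXAMPLEONLY/0/*)"),
    }
    outcomes = {}
    for label, message in cases.items():
        try:
            outcomes[label] = "admitted " + gate(message)[0]
        except Rejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes
```

Running demo() admits the two well-formed frames and rejects the other four, each with a reason the enclave can log. The order of checks is the point: the type tag and declared length are judged before any payload byte is touched, and the parsers consume only what the frame declares, so an oversized or truncated message never reaches the code that would interpret it.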

 

Contact our expert team now to learn how you can implement a robust and compliant framework for your crypto-asset storage.
