# Research Note 05 — Regulatory and Governance Frameworks for Veritas Protocol v0.2 **Status**: Research whitepaper (draft). Agent: Juris. **Scope**: (A) Token regulatory posture. (B) Country-chapter governance. (C) DSA / AI-Act / content-moderation interplay. **Date prepared**: April 2026. --- ## 0. Executive Framing Veritas Protocol v0.2 proposes (i) a utility token with treasury buyback, burn, and multi-stream revenue, and (ii) a federated country-chapter network applying local filter rules on top of a shared global protocol. Both sit at the intersection of financial regulation, platform regulation, AI regulation, and the comparative constitutional law of expression. The legal posture is not a single jurisdictional choice; it is a stack. This note inventories the relevant frameworks as they stand in April 2026, maps the design space, and ends with three concrete recommendations: (a) a Phase II legal structure, (b) a minimum viable set of country chapters with timing, and (c) the top three risks with mitigations. A methodological caveat: regulatory interpretations move quickly, and several headline instruments (EU AI Act Article 50, MiCA CASP transition, UK OSA categorisation register, SEC "Regulation Crypto Assets") are either at first-draft stage or awaiting enforcement. Every time-sensitive claim is flagged; do not rely on this note as legal advice. --- ## Part A — Token Regulatory Research ### A.1 MiCA (Regulation (EU) 2023/1114) MiCA entered into force 29 June 2023. Titles III and IV (ARTs/EMTs) applied from 30 June 2024; the remainder applied from 30 December 2024. Incumbent CASPs operating under national regimes may continue under transitional provisions until 1 July 2026, subject to Member State reduction (EUR-Lex, CELEX:32023R1114; ESMA's MiCA portal). **Three primary categories (Titles II-IV).** MiCA distinguishes three classes of crypto-asset: 1. **Asset-Referenced Tokens (ARTs)** — crypto-assets that purport to maintain a stable value by referencing another value, right, or combination thereof. ARTs can only be issued by authorised credit institutions or entities holding an MiCA-specific authorisation, and require a reserve of assets. Redemption rights are explicit (redemption at market value of the referenced basket). 2. **E-Money Tokens (EMTs)** — crypto-assets that reference a single official currency. Only credit institutions or electronic-money institutions may issue. Redemption at par in the referenced currency is mandatory. 3. **Other Crypto-Assets** — the catch-all, which is where "utility tokens" sit. Under Article 3(1)(9), a utility token is "a type of crypto-asset that is only intended to provide access to a good or a service supplied by its issuer." Issuers do not require prior authorisation, but must (i) be a legal person, (ii) draft a MiCA-compliant white paper, (iii) notify the competent authority at least 20 working days before publication, and (iv) publish the white paper before the offer (Articles 4-14, MiCA; Paul Hastings, *MiCA Crypto White Papers — Comply or Be De-Listed*). **Mandatory MiCA white-paper disclosures.** The issuer's legal form and registered office; project description and milestones; token rights and obligations; underlying technology; sustainability disclosures (energy consumption, energy sources, consensus mechanism); risk factors; offer terms. If the utility token gives access to a service that does not yet exist, the public offer cannot exceed 12 months (Article 4). For Veritas, where the utility is "access to validator grounding work and certificate issuance," the services must be live at offer or the 12-month limit applies. **Small-offer exemptions (Article 4(2-3)).** Whitepaper obligations do not apply to offers: (i) to fewer than 150 persons per Member State; (ii) with total consideration over 12 months not exceeding EUR 1,000,000; (iii) to qualified investors only; (iv) to fewer than 150 persons at offer; or (v) as airdrops without consideration. These are narrow exits; a public sale raising more than EUR 1M does not qualify. **Limited-network exemption (Article 2(4)).** Utility tokens usable only within a "limited network" of merchants (the classic closed-loop exemption carried over from PSD2) are outside MiCA entirely. If closed-loop use is exceeded, notification to the competent authority is required. **CASP licensing.** A Crypto-Asset Service Provider is any entity offering one of ten enumerated services: custody, operation of a trading platform, exchange, order execution, placement, reception and transmission of orders, advice, portfolio management, transfer, and crypto-asset issuance services (Article 59). Authorisation requires a legal seat in the Union, a governance evaluation, minimum capital (EUR 50k, 125k or 150k depending on service), AML/CFT, ICT risk management, and a number of consumer-facing safeguards. CASP authorisation is passportable across the EU. **Veritas implication.** A utility token that grants access to Veritas protocol services, with burn-for-service paid to the protocol (not redemption-for-fiat by holders), fits the "other crypto-assets" (utility) path. The white-paper route is viable. A *burn-for-fiat redemption* would almost certainly re-classify the token as an ART (or functionally similar), triggering the credit-institution issuer requirement and the reserve regime — which is a non-starter for a protocol. See A.7(i). ### A.2 SEC / Howey applied to utility tokens The question under U.S. federal securities law is not whether a token is categorically a security but whether any given offer and sale is an "investment contract" under *SEC v. W. J. Howey Co.*, 328 U.S. 293 (1946). The four prongs: investment of money, in a common enterprise, with expectation of profit, derived from the efforts of others. **The four recent cases.** - **SEC v. Kik Interactive**, 492 F. Supp. 3d 169 (S.D.N.Y. 2020). Kik's Kin token sale met Howey: investors paid money; Kik pooled funds to build the Kin ecosystem; investors expected profit from Kik's efforts. Summary judgment for the SEC. - **SEC v. Telegram Group**, 448 F. Supp. 3d 352 (S.D.N.Y. 2020). Preliminary injunction against delivery of GRAM tokens. The court held the SAFT-plus-TON delivery was a single integrated offering that satisfied Howey — investors expected profit from Telegram's blockchain development. - **SEC v. LBRY, Inc.**, No. 21-cv-260 (D.N.H. 2022). Judge Barbadoro held that LBC — a utility token on a decentralised content platform — was offered as an investment contract notwithstanding genuine consumptive uses. Key dictum: "Nothing in the case law suggests that a token with both consumptive and speculative uses cannot be sold as an investment contract." The court declined to treat all secondary sales as securities. - **SEC v. Ripple Labs**, 682 F. Supp. 3d 308 (S.D.N.Y. 2023). Judge Torres split the assets by transaction type. Institutional sales of XRP under written contracts = investment contracts. Programmatic sales on exchanges — where buyers could not know their purchase money went to Ripple — failed Howey's third prong as applied. **2025-2026 shift.** The SEC Crypto Task Force, announced January 2025 under Commissioner Peirce, has reoriented toward safe harbours. On 17 March 2026, Chairman Paul Atkins outlined "Regulation Crypto Assets," a proposed framework that would include a time-limited (approximately four-year) startup exemption with principles-based disclosures and notice filings, explicitly drawing on Peirce's 2020 Token Safe Harbor (SEC press release, 17 March 2026; Greenberg Traurig analysis; Fenwick analysis). The SEC Divisions of Corporation Finance, Investment Management, and Trading and Markets issued a 28 January 2026 joint statement clarifying that "the technological format in which a security is issued, recorded, or transferred does not alter its legal characterization" — tokenised-equity tokens are securities irrespective of rails (SEC Statement on Tokenized Securities, 28 January 2026; Morgan Lewis; Norton Rose Fulbright analyses). **Secondary-market classification.** Under the Ripple/LBRY reasoning, secondary trading is not automatically a securities transaction; what matters is the specific counterparty relationship. Programmatic exchange sales sit in a greyer zone that favours issuers, though this is still contested. An offering that looks like a pre-sale to profit-seeking buyers remains the main risk locus. **Veritas implication.** Three factors raise SEC-style risk: (i) a marketed sale as opposed to organic earning by validators; (ii) token price appreciation marketed or implied as a benefit; (iii) the issuing entity retaining a large treasury that it actively manages. Three factors lower risk: (i) tokens accumulated as compensation for delivered work; (ii) immediate consumptive utility at launch; (iii) a credibly decentralised issuance path. A U.S. public sale is the single highest-risk avenue and should not be pursued at Phase I. ### A.3 Swiss FINMA FINMA published its *Guidelines for enquiries regarding the regulatory framework for ICOs* on 16 February 2018 and supplemented them in September 2019 for stablecoins. The classification framework has three economic categories: 1. **Payment tokens** — cryptocurrencies without additional functionality. Not securities. Subject to AMLA. 2. **Utility tokens** — confer digital access to an application or service. Not securities *if* the token is functional at issuance and the primary purpose is access. If the economic function is investment, treated as a security. 3. **Asset tokens** — represent economic rights (debt, equity, participation). Securities. FINMA explicitly applies substance over form: "same risks, same rules." A "utility" label does not immunise a token that functions economically as an investment (FINMA, *Guidelines on ICOs*, 2018; updated stablecoin supplement, 2019). **Swiss-law wrappers for token-issuing entities.** - **Verein (Swiss association)**: two founders, no minimum capital, rapid incorporation. Used by Ethereum Foundation, Dfinity, and others. Suitable for protocol foundations with community membership. - **Stiftung (Swiss foundation)**: endowment-based, purpose-locked, supervised by the Federal Supervisory Authority for Foundations. Used by Cardano Foundation, Tezos Foundation, Solana Foundation, and others. Higher compliance load but stronger institutional credibility. - **AG/GmbH**: for commercial arms needing equity structure. **MiCA interaction.** Switzerland is not an EEA member, so MiCA does not apply directly. Swiss issuers targeting EU residents, however, fall within MiCA's extraterritorial reach because an EU-resident offer triggers Article 4 regardless of the issuer's seat. Dual structuring (Swiss Verein + EU issuing entity for EU-facing offers) is common in 2026 practice (MME, *Switzerland Redefines the Foundation Era*, 2025; LegalNodes, *Swiss Foundation as a DAO Legal Wrapper*). ### A.4 Singapore MAS The Monetary Authority of Singapore operates three overlapping regimes depending on token economic function: - **Payment Services Act 2019 (PSA)** — digital payment tokens (DPTs) used as a medium of exchange. - **Securities and Futures Act 2001 (SFA)** — capital-market-product tokens. - **Financial Advisers Act 2001 (FAA)** — tokens falling within advisory scope. Utility and governance tokens fall outside all three. "Providers of services relating to utility and governance tokens are not subject to licensing or regulation under the new regime" (MAS, *MAS Clarifies Regulatory Regime for Digital Token Service Providers*, 30 May 2025). From 30 June 2025, DTSPs serving only non-Singapore customers require a licence under the Financial Services and Markets Act 2022 (MAS FSM Act Part 9). A genuinely utility/governance token project that neither issues DPTs nor capital-markets tokens, and restricts services to non-SG clients, can plausibly operate without a DTSP licence — though the burden of classification diligence sits on the issuer. Stablecoin legislation was announced in November 2025 for publication in 2026 (Signzy, *Singapore Crypto Regulations 2026*). [UNVERIFIED specific publication date]. ### A.5 UAE VARA, Abu Dhabi ADGM, Hong Kong SFC **Dubai VARA.** The Virtual Assets Regulatory Authority published an updated Virtual Asset Issuance Rulebook in April 2026 (Linklaters, *VARA issues updates to its Rulebooks*; VARA rulebooks.vara.ae). The framework splits issuances into three tracks: - Category 1 — fiat-referenced and asset-referenced virtual assets (stablecoin-like). - Category 2 — all others (catch-all including utility tokens). No licence required to issue, but distribution must be carried out by a VARA-licensed distributor. Governance, disclosure, and ongoing obligations apply. - Exempt — virtual assets with limited functionality (closed-loop, narrow use cases). Category 2 is the most realistic fit for a utility+burn token targeting retail. **Abu Dhabi Global Market (ADGM).** The Financial Services Regulatory Authority (FSRA) operates a separate, English-common-law-based crypto regime that pre-dates VARA. ADGM targets institutional-grade custody, brokerage, and asset management. Setup cost and timeline are higher than VARA; institutional trust is higher. A pure utility-token project gains less from ADGM than from VARA. **Hong Kong SFC.** The Virtual Asset Trading Platform (VATP) regime came into force on 1 June 2023. SFC-licensed VATPs may now serve retail for non-security tokens. November 2025 circulars permit expansion of services and integration with global affiliate order books (Davis Polk, *Hong Kong permits virtual asset exchanges to access global liquidity*; King & Wood Mallesons, *Hong Kong's Virtual Assets Licensing Regime: What lies ahead in 2026*). Issuers of non-security utility tokens are not themselves licensed by SFC, but listings on VATPs require diligence. ### A.6 U.S. state patchwork - **Wyoming (W.S. 17-31-101 to 17-31-116)**: DAO LLC Supplement plus a utility-token safe harbour that exempts certain consumptive tokens from state securities registration (subject to conditions). Wyoming has become the "Delaware of DAOs" for U.S. structuring (CSC Global overview; Legal Nodes, *Wyoming DAO LLC*; PRNewswire, *American CryptoFed DAO*). - **New York BitLicense (23 NYCRR Part 200)**: broad licensing requirement covering virtual-currency business activity with New York residents, including exchange, storage, issuance and transmission. $5M minimum capital; executive background checks; quarterly reporting. A utility-token issuer rarely triggers BitLicense directly; exchanges and custody partners do. - **Delaware**: traditional corporate home, blockchain-friendly statutory amendments (DGCL §§ 224, 232 covering blockchain-based stockholder records), but no specific token safe harbour. **Veritas implication.** A Wyoming DAO LLC + Wyoming utility-token posture is usable for a U.S. side-entity but does not cure SEC federal-law risk. Avoid New York retail distribution absent counsel. ### A.7 Specific design questions **(i) Is a burn-for-USDT mechanism a redemption right?** Under MiCA, yes — and it pushes the token toward ART classification. Under FINMA, yes — it re-classifies toward asset-token. Under SEC analysis, a redemption right strongly supports the "expectation of profit derived from the efforts of others" prong (the issuer maintains the redemption). **Recommendation:** treat burn as *protocol consumption* (burn-for-service, e.g., to anchor an attestation or pay for a certificate), not burn-for-fiat. The treasury can do protocol-funded *buybacks on secondary markets*, but holders should not have a right to redeem against the treasury. **(ii) Can the token be a "utility token" if holders accumulate it from service work?** Under FINMA and MiCA: yes, provided consumptive utility is live at issuance and the primary economic function is access, not return. Under the SEC post-Ripple: the programmatic-sale distinction suggests earned tokens that then trade on exchanges are lower-risk than marketed initial sales, but the LBRY ruling warns against overreading this. The safer design is validator compensation paid in token where the validator has a concrete, live use for the token inside the protocol (pay grounding fees, pay for certificate issuance). **(iii) Does secondary-market trading change classification?** In MiCA, no — the classification attaches to the token. In the U.S., yes, on a per-transaction basis under Ripple. The issuer is not directly exposed to retail secondary trades unless it controls or materially influences them (e.g., market-making programmes, undisclosed OTC). Listing a utility token on a regulated venue triggers the venue's diligence but does not re-classify the token itself. **(iv) Is there a clean model where the token is consumable at launch and burn activates later?** Yes, and precedent exists. Several projects (Filecoin, Arweave, The Graph) launched tokens with live consumptive utility and added deflationary mechanisms through governance-driven improvement proposals (FIPs / GIPs / AIPs). The pattern is: (1) launch with live access utility; (2) operate transparently for a defined period; (3) activate burn/buyback via on-chain governance. This staging preserves optionality and gives regulators an observed record of utility before deflationary mechanics amplify price-linkage (Filecoin Foundation community governance; Legal Nodes, *How Your Token Launch Strategy Impacts Your Token's Legal Status*). --- ## Part B — Country-Chapter Governance ### B.1 Wikimedia chapter model The Wikimedia Foundation (California 501(c)(3)) is legally separate from each national chapter. Chapters are locally incorporated, member-governed associations (Wikimedia Deutschland e.V., Wikimédia France as association loi 1901, Wikimedia UK as UK charity, etc.). Chapter agreements confirm trademark use rights and define fundraising-sharing arrangements. "Foundation and Chapter are, and intend to remain, separate legal and corporate entities. The relationship of Chapter and Foundation under this Agreement is that of independent contracting parties" (Wikimedia Foundation, *Chapter Agreements*, foundation.wikimedia.org). **Key design features:** - Local legal independence — each chapter incorporated under its own law. - Trademark licence — chapters use Wikimedia marks under a revocable licence. - Fundraising agreement — since 2009, chapters and the Foundation coordinate banner campaigns; fund-sharing is negotiated. - Chapters have no control over Foundation-run sites (content remains centrally governed). **The Wikimedia UK 2012 crisis.** Trustee Roger Bamkin was paid by the Gibraltar government while serving on the Wikimedia UK board and promoting Gibraltarpedia on Wikipedia's front page. Chair Ashley van Haeften resigned amid separate controversy. The Foundation and Wikimedia UK commissioned the Compass Partnership governance review (February 2013), which found conflict-of-interest management inadequate and recommended a governance committee and COI declarations pre-election (Third Sector; Nonprofit Quarterly; Meta, *Wikimedia UK/Governance Review*). **Lesson for Veritas:** chapters-with-autonomy require formal COI rules, disclosure-at-election, and a reserved power at the foundation level to de-recognise a chapter. The Wikimedia Movement Charter — the attempt to codify this at scale — was *not ratified* by the WMF Board in July 2024 despite 73% member approval, demonstrating that even well-intentioned federated governance reform can stall (Meta, *Movement Charter/Drafting Committee/Announcement - Results of the ratification vote*; Wikipedia Signpost, July 2024). ### B.2 Creative Commons jurisdictional porting CC began jurisdictional porting in 2002. Affiliates in 60+ jurisdictions translated and legally adapted the licence suite to local copyright law. With version 4.0 (released 25 November 2013), porting stopped. CC 4.0 was engineered to be jurisdiction-portable by design; only official linguistic translations are supported, not legal ports. "No new ports have been implemented in version 4.0 of the license. Version 4.0 discourages using ported versions and instead acts as a single global license" (Wikipedia, *Creative Commons jurisdiction ports*; wiki.creativecommons.org, *License Versions*). **Lesson for Veritas:** Start with ports if necessary; converge to a unified global core once you learn where local divergence actually mattered. Over-porting early fragments the protocol and burns affiliate hours that could build capacity. The Veritas equivalent: allow national filter-lists and UI localisations, but keep the attestation format, signature semantics, and dispute schema unified. ### B.3 ICANN regional structures ICANN has two relevant structures: - **Regional At-Large Organisations (RALOs)** — five bodies (AFRALO, APRALO, EURALO, LACRALO, NARALO) organising end-user input via At-Large Structures (ALSes). Each RALO has its own MoU with ICANN and internal rules. RALOs feed into the At-Large Advisory Committee (ALAC). - **ccNSO (Country Code Names Supporting Organization)** — policy body for country-code TLDs. Membership is open to any ccTLD manager; no fees. Three councillors per ICANN region; three chosen by NomCom; staggered three-year terms (18 total councillors). The RALO model shows that *regional* layers between a global body and national affiliates can add coherence without new legal personality — the RALOs themselves are not legal entities in most cases, they are structured fora. The ccNSO model shows how to give cross-jurisdictional operators (ccTLD managers) a policy role without folding them into the parent org (ICANNWiki, *ccNSO*; atlarge.icann.org). ### B.4 Internet Society chapters ISOC has 131+ chapters and SIGs globally. "Chapters are independent entities that work together with the Internet Society to advance its mission." Some chapters incorporate locally (Internet Society UK Limited); others operate as unincorporated bodies. Chapters elect part of the ISOC board via an electoral process that also includes organisation members and the IETF community (internetsociety.org/chapters; internetsociety.org/learning/chapter-management-essentials). ### B.5 IETF regional "interest groups" The IETF is a working-group-driven body; its geography is *functional* (by topic) rather than *regional*. There are no formal regional IETF structures. Lesson for Veritas: technical work does not need country chapters; policy, advocacy, and legal operations do. Keep the protocol working group jurisdiction-neutral. ### B.6 EDRi, Mozilla national affiliates **EDRi.** A Brussels-based international advocacy network of 45+ NGOs, with three membership tiers (Member, Affiliate, Observer). Members must demonstrate continuous independent digital-rights activity, national or European outreach, and civil-rights goals in their founding documents. Affiliates must be recommended by two existing Members and are expected to become full Members within two years. Governance sits with the Board and the General Assembly (edri.org/about-us). **Mozilla.** A hybrid structure: the 501(c)(3) Mozilla Foundation (California) is the sole shareholder of the taxable Mozilla Corporation, which produces Firefox. This structure lets a mission-driven foundation own a commercial product arm without losing non-profit status (Mozilla, *Organizations*; ProPublica Nonprofit Explorer, Mozilla Foundation EIN 20-0097189). The model is attractive for Veritas if a commercial-grade enterprise offering is contemplated alongside a public-good foundation. ### B.7 Specific design questions **(i) Who signs off on a country-chapter filter rule?** Under the Wikimedia model, local chapters do not set Wikipedia content policy; that is WMF-run. Under the CC model, there were no "filters" — licences were either present or ported. Under ICANN ccNSO, local ccTLD managers set their own TLD policies. For Veritas, the recommended posture is: *a chapter can petition for a local filter rule; the foundation's Policy Committee ratifies with a documented process and public reasoning; any suppressed-in-country content remains visible on the protocol and is flagged locally.* This mirrors the Wikimedia pattern (local editorial adaptation) without fragmenting the global record. **(ii) What if two chapters' filter rules conflict?** Example: Holocaust-denial attestations must be suppressed in Germany under Strafgesetzbuch § 130 but are protected speech in the United States under the First Amendment (*Brandenburg v. Ohio*, 395 U.S. 444 (1969); *R.A.V. v. City of St. Paul*, 505 U.S. 377 (1992)). The governing pattern is *geo-fenced rendering, global archival*. The attestation exists in the global store; the German chapter's public interface suppresses it; the U.S. chapter's interface displays it. Conflict is not resolved, it is *localised*. Wikipedia handles similar questions with country-specific "not available in" screens — but because Wikipedia is one content source, it cannot satisfy both. Veritas, being a protocol with a registry, can. **(iii) Does chapter membership imply board representation?** Wikimedia: two affiliate-selected Board seats. ISOC: chapters elect a portion of the Board. EDRi: member-elected Board and General Assembly. Recommendation for Veritas: yes, but with caps. One Foundation board seat per region (not per country), elected by regional chapter caucuses. This prevents fragmentation as chapters multiply. **(iv) Which jurisdictions need chapters day one?** Based on regulatory surface area and expected volume: - EU (needed for DSA Trusted Flagger applications; MiCA presence; AI Act enforcement). - U.S. (SEC/state patchwork; largest AI-lab customer base). - UK (Online Safety Act Category 1 services timing; separate regime from EU). - A civil-law non-EU anchor (Switzerland is the strong candidate; Liechtenstein the backup). The 4-chapter minimum is enough for initial operation. Brazil, India, Japan, Nigeria, South Korea are the next wave. **(v) How do chapter finances work?** Three models exist: - **Wikimedia model**: central fundraising (at one point 100% by WMF), chapter grants for local programmes, fundraising agreements for banner distribution. Tension over revenue sharing. - **ISOC model**: central endowment funds chapters; chapters also fundraise locally. - **EDRi model**: member dues + project grants; light central operation. Recommendation for Veritas: foundation receives treasury inflows (buyback-funded grants, donations, lab fees); chapters receive operating grants based on approved annual plans; chapters may raise locally for local programmes. Publish chapter-level financials annually; require audited accounts from chapters above a size threshold (EUR 250k annual budget). ### B.8 Legal-structure options for the foundation | Structure | Jurisdiction | Benefits | Drawbacks | |---|---|---|---| | **501(c)(3) public charity** | U.S. | Tax-deductible donations (U.S. donors); strong NGO recognition; used by Wikimedia, Mozilla, Signal | U.S. law scrutiny on political speech (*Citizens United* era not a structural issue, but 501(c)(3) political-campaign prohibition is); annual Form 990 public disclosure; U.S. nexus opens SEC-adjacent exposure | | **Swiss Stiftung** | Switzerland | Used by Ethereum, Cardano, Solana, Tezos; endowment-locked purpose; Federal Supervisory Authority oversight | Lower flexibility in changing purpose; endowment requirement | | **Swiss Verein** | Switzerland | Fast, low-cost, member-governed; used by Ethereum Foundation (original vehicle), IFRS Foundation | Less institutional gravitas than Stiftung for holding assets | | **German Stiftung (gemeinnützige)** | Germany | Used by Document Foundation (LibreOffice); strong German charitable status | Higher ongoing compliance; strict purpose-locking | | **Mozilla hybrid (501(c)(3) + taxable subsidiary)** | U.S. | Permits commercial arm without losing non-profit status | U.S. nexus; complex accounting | | **Joint Development Foundation (JDF) project** | Inside Linux Foundation | Rapid-start, standardised governance, neutral shelter, proven path for open standards | Reliance on parent org; less independent identity | | **Cayman foundation company + operating subsidiary** | Cayman Islands | Ownerless; tax-neutral; widely used by Web3 DAOs; supervisor model | Reputational optics; CARF reporting obligations from 1 January 2026 | | **Liechtenstein Stiftung + TVTG entity** | Liechtenstein | Token Container Model; TVTG civil-law clarity; EEA/MiCA reach | Small jurisdiction; less scale ecosystem | For Veritas, the combination that has the strongest precedent base for *protocol-foundation-plus-token* is **Swiss Stiftung (foundation) + Swiss Verein (membership/advocacy) + EU-based operating company (CASP-adjacent activities, MiCA passporting)**. The Mozilla model (501(c)(3) + taxable subsidiary) is the runner-up if the centre of gravity is the U.S. The JDF shelter is the lightest-weight option for Phase I if commercial activity is minimal. --- ## Part C — DSA / AI-Act / Content-Moderation Interplay ### C.1 DSA Article 22 Trusted Flagger Article 22 establishes the Trusted Flagger status. Three cumulative conditions (Article 22(2)): - Particular expertise and competence in detecting, identifying, and notifying illegal content in a specific area. - Independence from any online-platform provider. - Diligent, accurate, and objective notification activity. Status is awarded by the Digital Services Coordinator (DSC) of the Member State where the entity is *established*. Only EU-based entities can apply (eu-digital-services-act.com; digital-strategy.ec.europa.eu; DSA Library, Article 22). Obligations on awarded entities: - **Priority processing** of notices by platforms (Article 22(1)). - **Annual reporting** with numbers of notices by hosting-service provider and type of illegal content (Article 22(3)), published and sent to the awarding DSC. - **Suspension and de-recognition**: if a platform informs the DSC of a significant number of insufficient, inaccurate or inadequately substantiated notices, the DSC opens an investigation and suspends status during it (Article 22(6-7)). The Commission maintains a publicly available, machine-readable database of Trusted Flaggers (Article 22(5)). As of mid-2025, early appointments include the Central Bank of Ireland (awarded by Coimisiún na Meán, Ireland's DSC, May 2025) and a small Italian flagger; the system's uptake has been criticised as slow (TechPolicy.Press, *Europe's Digital Services Act: Where Are All The Trusted Flaggers?*, 2024; cnam.ie). **For a Veritas chapter applying**: need an EU legal entity (member-state-specific incorporation), a defined expertise area (AI-generated content attestation; source-corroboration; claim provenance), a track-record body of evidence, and a public methodology. Application to the Member State DSC. Ireland (Coimisiún na Meán) and the Netherlands (ACM) are active early DSCs; Germany (BNetzA) is the largest market. ### C.2 EU AI Act Article 50 Article 50 imposes transparency obligations that apply from **2 August 2026**. Two core duties: - **Provider duty** (Article 50(2)): providers of AI systems (including general-purpose AI systems) generating synthetic audio, image, video, or text content must ensure outputs are marked in a machine-readable format and detectable as AI-generated or manipulated. - **Deployer duty** (Article 50(4)): deployers of an AI system that generates or manipulates deep-fake image, audio, or video content must disclose that the content is artificially generated or manipulated. Where AI-generated text is published to inform the public on matters of public interest, deployers must disclose that the text is AI-generated (with exceptions where human editorial review accepts responsibility). A first draft Code of Practice on Transparency of AI-Generated Content was published by the AI Office on 17 December 2025; a further draft is expected March 2026; final Code anticipated June 2026 ahead of Article 50's entry into force (Jones Day, *European Commission Publishes Draft Code of Practice on AI Labelling and Transparency*, January 2026; Ashurst; Bird & Bird, *Taking the EU AI Act to Practice*, 2026). The Code anticipates a common icon; interim two-letter acronym ("AI", "KI", "IA") usable pending EU-wide symbol adoption. **Veritas interaction:** a Veritas attestation of "this claim was produced by an AI lab and grounded through Veritas" is complementary to Article 50 provider duties. The Veritas mark can function as a specific, protocol-issued marker satisfying part of the transparency requirement, *provided* the AI-lab deployer also meets the direct Article 50 labelling duty. Veritas does not substitute for the duty; it augments. ### C.3 High-risk content-moderation systems under AI Act Content-moderation systems affecting access to services plausibly sit within Annex III high-risk categories. Article 6 (high-risk classification rules) and Articles 8-15 (high-risk requirements — risk management, data governance, technical documentation, transparency, human oversight, accuracy/robustness/cybersecurity) apply from 2 August 2026; Article 6(1) for safety-component products becomes applicable 2 August 2027 (artificialintelligenceact.eu; Kennedys Law, *The EU AI Act implementation timeline*, 2026). A Veritas filter system that materially shapes what users in the EU see is in-scope as a *deployer* tooling; the legal obligations attach to the deployer using it, not Veritas itself as protocol, but design choices that facilitate compliance are a competitive feature. ### C.4 UK Online Safety Act 2023 The Online Safety Act 2023 (2023 c. 50) imposes tiered duties on user-to-user and search services. Category 1 services are the highest-risk subset. Under the OSA Category 1/2A/2B Threshold Conditions Regulations 2025, Category 1 thresholds are (i) over 34 million UK users, or (ii) 7 million UK users where content-recommender systems and forwarding/resharing functionality are present (Ofcom, *Categorisation of services*; Hansard, 24 February 2025). Estimates suggest 12-16 services qualify for Category 1. The additional Category 1 duties include transparent terms, user empowerment tools, protection of journalistic content, democratic-importance protections, and other requirements. The Ofcom categorisation register was pushed to Summer 2026; final policy statements on categorised duties expected mid-2027 (techUK; CMS LawNow; House of Commons Library briefing). Ancillary-services powers in s. 92 OSA extend to search engines and aggregators. A pure protocol layer probably sits below the Category 1 threshold in any foreseeable time frame, but UK-chapter-hosted interfaces (e.g. a Veritas UK consumer surface) need to monitor user numbers and functionality before Ofcom categorisation. ### C.5 Cross-framework interaction: the GDPR overlay GDPR Article 3 extraterritoriality applies if Veritas processes personal data in the context of EU-established activities (Article 3(1)), or offers services to EU individuals or monitors their behaviour (Article 3(2)). Verifying claims about real people inevitably triggers Article 3(2) monitoring; moving those assessments across borders triggers Chapter V international-transfer rules. Appoint an Article 27 representative in the EU; structure attestations so that the minimum necessary personal data is processed (gdpr-info.eu; EDPB Guidelines 3/2018 on the territorial scope of the GDPR). --- ## 1. Recommendations ### 1.1 Phase II legal structure **Core entity**: Swiss Stiftung ("Veritas Foundation") based in Zug or Zürich. - Purpose clause: operate and steward the Veritas Protocol, a neutral infrastructure for provenance, fact-checking, and attestation of claims. - Council of 5-7; rotating chair; Federal Supervisory Authority for Foundations oversight. - Holds treasury, IP, and trademark. **Token-issuing entity**: Swiss Verein ("Veritas Association") or a dedicated Stiftung subsidiary, depending on whether membership governance or endowment governance is preferred. Verein is faster and more flexible; Stiftung is more institutional. The Verein signs FINMA/MiCA white-paper declarations and owns the protocol side. **EU operating company**: a small GmbH or BV in Ireland, the Netherlands, or Malta. Handles MiCA CASP-adjacent activities if any, DSA Trusted Flagger applications, GDPR Article 27 representation, and is the contracting party for EU-facing customers. **U.S. arm (Phase II.b)**: a Wyoming DAO LLC as a grant-receiving entity for U.S.-focused work, plus a 501(c)(3) if tax-deductible donations from U.S. donors become meaningful. Defer U.S. entity formation until revenue or donor flow justifies the compliance cost. **Token design**: - Utility token, live consumptive use at launch (pay for grounding work, pay for certificates). - Validators earn tokens as compensation; holders consume tokens for services. - Burn-for-service only (not burn-for-fiat). - Treasury buyback via protocol governance, funded from diversified revenue (AI-lab grounding fees, certificate subscriptions, investigation commissions, NGO donations). Buyback *without* automatic burn at launch; governance-activated burn once 12-month operational record exists. - MiCA white paper notified through Liechtenstein FMA or Maltese MFSA or Irish Central Bank depending on operating-company seat. - No U.S. retail distribution at Phase I. ### 1.2 Minimum country chapters and timing **Day one (co-launch with Phase II)**: EU-level (Brussels-based coordinating entity affiliated with the Foundation); U.S. (Wyoming DAO LLC); UK (CIC or Ltd); Switzerland (subsidiary of the Foundation — effectively the home chapter). **+6 months (Phase II consolidation)**: Germany (separate affiliate for the DSA Trusted Flagger application and AI-lab commercial partnerships); France (for CNIL relationship and francophone coverage). **+12 months**: Japan; Brazil; India. Driven by AI-lab customer distribution and regulatory posture. **+24 months**: additional chapters triggered by either (a) local volume thresholds (e.g., 100k monthly active users in-country) or (b) a specific regulatory mandate (e.g., a national Digital Services Coordinator asking for a local presence). Chapter governance constants: revocable trademark licence, COI policy with pre-election disclosure (Wikimedia UK 2012 lesson), annual audited accounts above EUR 250k budget, Foundation-reserved power to de-recognise. ### 1.3 Top three legal risks, with mitigations **Risk 1 — Token re-classified as a security or ART.** A single drafting or marketing misstep (a white paper that emphasises investment returns; a marketing deck that frames buyback as a yield; a burn-for-fiat mechanism) could re-classify the token as an ART (MiCA) or an investment contract (U.S.). Exposure: issuer authorisation, reserve obligations, or SEC enforcement. *Mitigation*: (i) draft all offer documents with a FINMA/MiCA-experienced counsel; (ii) burn-for-service only at Phase I; (iii) all marketing material reviewed pre-publication; (iv) no U.S. retail sale; (v) treasury buybacks are executed transparently on-chain via an independent market-maker, never rebated to token-holders as a redemption right. **Risk 2 — DSA Trusted Flagger suspension or reputational chapter conflict.** A national chapter mishandles notices, or a local filter rule is challenged (e.g. Holocaust-denial takedown in Germany vs First-Amendment-protected display in the U.S.), producing either DSC-ordered suspension of Trusted Flagger status or a public conflict across chapters. *Mitigation*: (i) documented methodology published before application; (ii) all filter decisions reviewable by the Foundation's Policy Committee with a published reason; (iii) geo-fenced rendering with global archival so conflicting jurisdictional rules can coexist without data loss; (iv) reserve de-recognition power at the Foundation with a due-process procedure modelled on the Wikimedia Movement Charter draft; (v) public COI register for chapter boards (Wikimedia UK 2012 lesson). **Risk 3 — AI Act Article 50 / GDPR overlay miscompliance.** Veritas-issued marks functioning as provider-side labels without also carrying the required Article 50 labels; personal-data claims processed without a proper Article 27 representative; cross-border transfers under Chapter V without Standard Contractual Clauses or adequacy basis. *Mitigation*: (i) Article 50 Code of Practice compliance tracked from first Code draft (December 2025) through final Code (June 2026) and carried into production before 2 August 2026; (ii) GDPR Article 27 representative retained via the EU operating company; (iii) Data Protection Impact Assessment for each new attestation type; (iv) SCC-based transfer framework for non-EEA processors; (v) minimum-necessary design — attestations carry the smallest pointer to claim content that satisfies the verification purpose, not the full content. --- ## References ### Statutory and regulatory instruments - Regulation (EU) 2023/1114 (MiCA). EUR-Lex CELEX:32023R1114. - Regulation (EU) 2022/2065 (Digital Services Act). - Regulation (EU) 2024/1689 (AI Act). Article 50 (transparency); Article 6 (high-risk classification). - Regulation (EU) 2016/679 (GDPR). Article 3; Article 27. - Online Safety Act 2023 (UK 2023 c. 50). - Online Safety Act 2023 (Category 1, Category 2A and Category 2B Threshold Conditions) Regulations 2025 (UK SI 2025). - Wyoming DAO LLC Supplement, W.S. 17-31-101 through 17-31-116. - New York BitLicense, 23 NYCRR Part 200. - Singapore Payment Services Act 2019; Financial Services and Markets Act 2022. - Liechtenstein TVTG (Token and Trusted-Technology Service Providers Act). - FINMA, *Guidelines for enquiries regarding the regulatory framework for initial coin offerings* (16 February 2018) and stablecoin supplement (September 2019). ### Case law - *SEC v. W. J. Howey Co.*, 328 U.S. 293 (1946). - *SEC v. Kik Interactive Inc.*, 492 F. Supp. 3d 169 (S.D.N.Y. 2020). - *SEC v. Telegram Group Inc.*, 448 F. Supp. 3d 352 (S.D.N.Y. 2020). - *SEC v. LBRY, Inc.*, No. 21-cv-260 (D.N.H. 7 Nov 2022). - *SEC v. Ripple Labs, Inc.*, 682 F. Supp. 3d 308 (S.D.N.Y. 2023). - *Brandenburg v. Ohio*, 395 U.S. 444 (1969). - *R.A.V. v. City of St. Paul*, 505 U.S. 377 (1992). ### Regulatory guidance and commentary - SEC, *Statement on Tokenized Securities* (28 January 2026). - SEC, *Regulation Crypto Assets: A Token Safe Harbor* — Chair Atkins remarks (17 March 2026). - ESMA, *Markets in Crypto-Assets Regulation (MiCA)*. - European Commission, *Code of Practice on marking and labelling of AI-generated content*. - European Commission, *Trusted flaggers under the Digital Services Act*. - EDPB, *Guidelines 3/2018 on the territorial scope of the GDPR* (Article 3). - Ofcom, *Additional duties for categorised online services*. - Coimisiún na Meán, *Trusted flaggers* guidance. - MAS, *Guidelines on Licensing for Digital Token Service Providers*. - VARA (Dubai), *Virtual Asset Issuance Rulebook*. ### Chapter-governance precedents - Wikimedia Foundation, *Chapter Agreements*. - Wikimedia UK Governance Review (Compass Partnership, February 2013). - Wikimedia Movement Charter ratification result (Meta, July 2024). - Creative Commons, *License Versions*; *Porting Project*. - ICANN, At-Large and ccNSO documentation. - Internet Society, *Our Global Reach* and *Chapter Management Essentials*. - EDRi, *Who we are*; *Our Network*. ### Firm and academic analysis - White & Case, *MiCA Regulation: New regulatory framework for Crypto-Assets Issuers and Crypto-Asset Services Providers in the EEA*. - Paul Hastings, *MiCA Crypto White Papers — Comply or Be De-Listed*. - Morrison Foerster, *Court Rules LBRY Token Is a Security*. - Greenberg Traurig, *SEC v. LBRY, Inc.: The SEC's Latest Crypto Victory*; *SEC Clarifies Status of Crypto Assets Under Federal Securities Laws* (March 2026). - Wilson Sonsini, *The New SEC Crypto Task Force*. - Fenwick, *New SEC Crypto Task Force Led by Commissioner Hester Peirce*. - Morgan Lewis, *SEC Clarifies Federal Securities Law Treatment of Tokenized Securities* (2026). - Davis Polk, *Hong Kong permits virtual asset exchanges to access global liquidity* (2025). - King & Wood Mallesons, *Hong Kong's Virtual Assets Licensing Regime: What lies ahead in 2026*. - Linklaters, *Virtual Assets regulation in Dubai: VARA issues updates to its Rulebooks* (2026). - MME (Zürich), *Switzerland Redefines the Foundation Era in Crypto* (2025). - Legal Nodes, *Swiss Foundation as a DAO Legal Wrapper*; *Wyoming DAO LLC*; *Cayman Islands Foundation as a DAO Legal Wrapper*; *How Your Token Launch Strategy Impacts Your Token's Legal Status*. - Kennedys, *The EU AI Act implementation timeline: understanding the next deadline for compliance* (2026). - Jones Day, *European Commission Publishes Draft Code of Practice on AI Labelling and Transparency* (January 2026). - Ashurst, *Transparency of AI-generated content: the EU's first draft Code of Practice*. - Bird & Bird, *Taking the EU AI Act to Practice: Understanding the Draft Transparency Code of Practice* (2026). - Wiley Rein, *The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3*. - TechPolicy.Press, *Europe's Digital Services Act: Where Are All The Trusted Flaggers?* (2024). ### Unverified or fast-moving items flagged in text - [UNVERIFIED] exact publication date of Singapore's draft stablecoin legislation in 2026. - [UNVERIFIED] final EU-wide icon standard for AI-generated content disclosure (pending). - [UNVERIFIED] final Ofcom Category 1 list — registration pushed to Summer 2026.