Regulatory Compliance | May 2026

DASP Compliance: What El Salvador's CNAD Requires From Digital Asset Service Providers

The CNAD Is No Longer a Permissive Regulator

El Salvador's National Commission of Digital Assets (Comisión Nacional de Activos Digitales, CNAD) was established to implement and supervise the Digital Asset Issuance Law (LEAD) of January 2023. In its first year of operation, the CNAD processed applications with relatively light scrutiny as the regulator built institutional capacity. That period is over.

By 2025, the CNAD had materially strengthened its supervisory posture. It now holds active powers to suspend or revoke licences for AML breaches, unapproved service changes, or failure to maintain required security and governance standards. Applications reviewed today face a different standard than applications submitted in 2023. Files that passed then would be returned now if the compliance programme documentation, cybersecurity evidence, and operational policies are not complete and verifiable at the point of submission.

This post covers what the DASP regime actually requires, what the two-stage CNAD process involves, what the security and compliance obligations are before and after registration, and where most applications fall short. It is written for operators building or preparing to obtain DASP registration and for international firms assessing El Salvador as part of a multi-jurisdictional licensing strategy.

The LEAD Framework: What It Established

The Digital Asset Issuance Law (LEAD) established El Salvador's legal framework for digital asset service providers, issuers, and certifiers. It defines who is a Digital Asset Service Provider (Proveedor de Servicios de Activos Digitales, PSAD), sets out the registration process and requirements, defines the services that require authorisation, and establishes the tax treatment applicable to registered entities.

The CNAD is the competent authority for DASP registration and ongoing supervision. It maintains a public registry of registered DASPs, certifiers, issuers, and issuance platforms. Operators providing digital asset services without valid CNAD registration risk enforcement action and inclusion in a non-compliant register, with corresponding consequences for banking relationships and institutional counterparty due diligence.

The LEAD framework survived the 2025 amendments to El Salvador's Bitcoin Law. Those amendments made Bitcoin acceptance voluntary for merchants, removed Bitcoin as an accepted method of paying taxes, and wound down the state-run Chivo wallet. They did not affect the DASP licensing framework, the CNAD's supervisory mandate, or the tax exemptions available to registered DASPs under Article 36 of the LEAD. The commercial infrastructure for digital asset operators remained intact.

DASP vs BSP: Which Registration You Actually Need

Before engaging with the CNAD process, an operator must determine which registration category applies. El Salvador operates two distinct licensing tracks for digital asset businesses:

  • BSP (Bitcoin Service Provider): Regulated by the Central Reserve Bank (BCR). Applies to businesses operating exclusively with Bitcoin: BTC wallets, BTC payment processing, BTC remittance services. Scope is limited to Bitcoin only.
  • DASP (Digital Asset Service Provider): Regulated by the CNAD under the LEAD. Applies to businesses operating with any digital asset beyond Bitcoin, including Ethereum, stablecoins (USDC, USDT), tokenised real-world assets, NFTs that re-qualify as digital assets, and any multi-asset exchange or custody offering.

The practical boundary is clear. The moment an operator touches any digital asset other than Bitcoin in a regulated service capacity, a DASP registration is required. A multi-asset exchange providing spot trading in BTC and ETH requires a DASP registration. An operator providing both Bitcoin-exclusive services and multi-asset services may need both registrations. This determination should be made before entity formation, not after, because the structure of the business and the documentation required differ between the two tracks.

What a DASP Registration Authorises

A DASP registration is an umbrella authorisation covering a meaningful range of digital asset services under a single licence. The activities authorised under the DASP framework include:

  • Exchange operations: buying, selling, and trading digital assets for fiat currency or other digital assets
  • Operation of trading platforms for digital assets, including spot, derivatives, and tokenised financial products
  • Custody and asset management: safeguarding, managing, and transferring digital assets on behalf of clients
  • Wallet services: managing digital asset wallets and providing clients access to digital asset platforms
  • Transfer services: facilitating transfers and administration of digital assets between parties
  • Reception and transmission of orders for digital assets on behalf of clients
  • Placement of digital assets and structuring of digital asset investment products
  • Digital asset issuance and tokenisation, including ICOs and tokenised real-world assets, subject to separate issuance authorisation from the CNAD

For operators building multi-service platforms, this breadth is structurally useful. A platform combining custody, exchange, and transfer services does not require separate applications for each service category. One DASP registration, scoped and documented correctly, covers the full stack.

The Two-Stage CNAD Registration Process

CNAD registration follows a defined two-stage process. Both stages have specific requirements and timeline implications. Understanding the sequence before beginning is essential, because executing the stages in the wrong order is one of the most common causes of delays in the overall timeline.

Stage One: Pre-Registration

The pre-registration stage is not optional. Operators must complete the CNAD pre-registration form before proceeding to the definitive registration application. The pre-registration form requires information about the applicant and the operational area they intend to register for.

After submission, the CNAD conducts an initial evaluation of the information provided. If additional information is required, the applicant is notified and must supply it. The CNAD then conducts a second evaluation and issues either a "no objection" or an "objection" with written justification. A no-objection result specifies the requirements and process for registration in the requested operational area. An objection is based on lack of territorial or material competence under Articles 2 and 4 of the LEAD.

A critical sequencing point that is frequently mishandled: the corporate bank account must be arranged before the CNAD registration submission, not after. Local Salvadoran banks remain cautious toward digital asset businesses, and banking arrangements take time. Operators who treat banking as a post-licensing task typically stall the process. International crypto-friendly electronic money institutions (EMIs) with established Salvadoran market relationships are commonly used where local banking relationships cannot be established prior to registration.

Stage Two: Definitive Registration

Following a CNAD no-objection determination, the applicant proceeds to definitive registration. Documentation must be submitted in both digital and physical format at the CNAD offices.

The CNAD has a maximum of 20 business days to evaluate the application and issue a favorable or unfavorable resolution. If the application is incomplete, the CNAD notifies the applicant, who then has 10 business days to provide the missing information.

Upon a favorable resolution, the applicant must pay the initial registration fee of USD $5,475 within 10 days of the notification. The CNAD then issues a registration certificate and authorisation to operate as a Digital Asset Service Provider. Tax benefits under Article 36 of the LEAD activate from the notification of the definitive registration number. The CNAD also notifies the Financial Investigation Unit (FIU) of the new registration.

The realistic end-to-end timeline, from entity formation through pre-registration to definitive registration, runs three to six months for a well-prepared applicant. The annual supervision fee is USD $3,650. Operators who submit incomplete applications or whose compliance frameworks are not functional at submission add months to that timeline through information requests and resubmission cycles.

Entity and Personnel Requirements

A locally registered legal entity in El Salvador is required for DASP registration. The minimum authorised capital is USD $2,000. There is no mandatory minimum number of shareholders under the current LEAD regulations. Earlier guidance circulating online that required two shareholders reflected a previous version of the regulation. Foreign nationals and non-resident entities can hold shares in a Salvadoran DASP entity, provided shareholders have a tax identification number in El Salvador.

A registered business address in El Salvador is required. A virtual office address satisfies this requirement, though a physical office is preferable for banking relationships and CNAD supervisory contact.

Personnel requirements are specific and non-negotiable. The following roles must be appointed and documented before the CNAD registration submission:

  • Head of Compliance and Deputy Head of Compliance: Both must have permanent residency in El Salvador. They are responsible for the AML/CFT programme and must be registered with the Financial Investigation Unit (FIU). These are not nominal appointments. CNAD reviewers examine the qualifications, responsibilities, and accountability structures of the compliance function.
  • Computer Security Officer: Responsible for overseeing the ongoing integrity and security of the digital asset platform. This role must be appointed and functional before operations commence under the DASP registration.
  • Director responsible for cybersecurity policy implementation: At least one director of the DASP entity must be designated as responsible for ensuring cybersecurity policies are implemented before the firm begins operations. This is a governance accountability requirement, not just an administrative one.

The AML/CFT Compliance Programme Requirement

The AML/CFT compliance programme requirement is where the majority of DASP applications fail or stall. The CNAD does not evaluate whether the applicant intends to build a compliance programme. It evaluates whether a functional compliance programme already exists at the time of application.

The programme must be operational, not theoretical. CNAD reviewers examine the transaction monitoring architecture, customer due diligence procedures, suspicious activity reporting mechanisms, and whether the documented processes reflect how the organisation actually operates. A well-formatted policy document that is not backed by working systems does not satisfy the requirement.

The required AML/CFT documentation includes:

  • AML/CFT control measures and compliance programme documentation
  • KYC and KYB policies, including due diligence procedures for politically exposed persons and high-risk clients
  • Know Your Employee (KYE) policy
  • Transaction monitoring system documentation, demonstrating that automated monitoring is in place and configured
  • Suspicious activity reporting procedures, including FIU notification process
  • Risk factors manual covering the specific risks of the digital asset services provided
  • Internal and external audit policy
  • Code of ethics
  • Travel Rule compliance procedures, covering both CASP-to-CASP transfers and transfers involving unhosted wallets

From 30 December 2024, the FATF Travel Rule applies to digital asset transfers in El Salvador under the applicable regulatory framework. DASPs are required to collect and verify originator and beneficiary information for transfers. This is not a future planning item for DASP applicants. It must be implemented at the time of registration.

Post-registration, ongoing AML/CFT obligations include: monthly transaction reports to the CNAD covering trading volumes, user numbers, and incident disclosures; annual external compliance audits documenting AML/CFT procedures; suspicious activity reports filed with the FIU within 24 hours of a transaction being deemed suspicious; and customer fund segregation with quarterly reconciliation.

The Cybersecurity and Security Requirements

The technical infrastructure requirements for DASP registration are substantive. Applicants must demonstrate that their platform is secure, resilient, and capable of protecting client data and digital assets. This determination is made at the application stage, before the licence is granted. Cybersecurity documentation, an incident response plan, and an operational resilience framework must accompany the application.

The CNAD does not define these requirements in isolation. The Computer Security Officer role, the director accountability for cybersecurity policy implementation, and the requirement to document and test security procedures all reflect a regulatory framework that treats security as a continuing governance obligation, not a one-time pre-launch exercise.

Security Documentation Required at Application

The application package must include documentation of the digital asset operations and the security controls governing them. This covers:

  • Documented security architecture covering the systems used to provide digital asset services, including trading infrastructure, custody systems, wallet infrastructure, and API security
  • Access control policies: who has access to critical systems, at what privilege level, under what approval process, and how access rights are reviewed when personnel change
  • Cryptographic key management procedures: how keys are generated, stored, accessed, rotated, and backed up; for custody operations, how multisig governance is structured and how single-point-of-failure risk is managed
  • Incident response plan covering detection, classification, escalation, and resolution of security incidents; the plan must include the 24-hour reporting obligation to the CNAD for cybersecurity breaches and fraud events
  • Business continuity and disaster recovery plan, demonstrating that critical services can continue through disruption and that client assets are protected

Ongoing Security Obligations After Registration

Post-registration, the security programme is a continuing compliance obligation, not a completed project. The requirements include:

  • Regular updates to the disaster recovery plan and testing against documented procedures
  • Ongoing maintenance and audit of access controls and privilege management
  • Automated transaction monitoring system maintenance and configuration review
  • Annual external security audits confirming the documented security posture remains accurate and effective
  • Incident reporting to the CNAD within 24 hours for cybersecurity breaches or fraud events
  • A five-year data retention policy for all customer identification and transaction data

The Computer Security Officer is accountable for the ongoing integrity of these controls. This is not a nominal role. When the CNAD conducts supervisory reviews, the security programme documentation and the officer responsible for it are subject to scrutiny. An officer who cannot evidence that the documented controls are operational and tested does not satisfy the ongoing compliance standard.


The Business Plan and Governance Documentation

A business plan covering a minimum of three years is required, including detailed financial projections with forecast profit and loss statements. The plan must describe the services to be provided, the target market, the operating model, and how the business will satisfy the ongoing CNAD reporting obligations.

Beyond the business plan, the governance documentation package must include an organisational chart with clear reporting lines, identification and CVs of key personnel in defined roles, a risk factors manual specific to the services and assets the DASP will handle, draft client contracts or terms and conditions, documentation of customer service and communication systems, and internal and external audit policies.

A common failure pattern is submitting organisational charts and governance documents that name roles without documenting the responsibilities, accountability structures, and decision-making processes behind them. CNAD reviewers are asking a specific question: if something goes wrong with this organisation's operations, who is accountable and through what documented process is that accountability exercised? Governance documentation that cannot answer that question does not satisfy the requirement.

The Tax Position for Registered DASPs

Registered DASPs in El Salvador benefit from the tax exemptions set out in Article 36 of the LEAD. These exemptions apply from the date the CNAD issues the definitive registration number:

  • Zero corporate tax on digital asset transactions
  • Zero capital gains tax on the purchase, sale, or transfer of digital assets
  • Zero transfer tax and other fees on the nominal value of crypto assets
  • Zero VAT on services related to the issuance, certification, or transfer of digital assets

These exemptions were not affected by the 2025 Bitcoin Law amendments. The political recalibration around Bitcoin's role in domestic commerce did not touch the commercial incentive structure for DASP-licensed operators.

Three tax positions require careful planning regardless of the exemptions:

  • Corporate income tax at 15% applies to non-digital-asset business activities conducted by the entity
  • Dividend withholding tax sits at 5%, rising to 25% where the recipient is located in a tax haven or jurisdiction with a preferential tax regime. Shareholder structures that route dividends through Belize, the Cayman Islands, or similar jurisdictions trigger the higher rate
  • Monthly payroll and VAT reporting obligations remain in place. Traditional commercial activities by the entity remain subject to the 13% VAT rate despite the digital asset exemptions

What CNAD Reviewers Actually Examine

The CNAD's evaluation framework has become more demanding as the regulator has accumulated supervisory experience. The most common reasons for applications being returned or refused reflect specific documentation problems rather than fundamental legal issues.

Applications are returned or refused for:

  • Business continuity and disaster recovery plans that describe processes without evidencing how those processes would function in a real disruption
  • AML/CFT programmes that exist as documents but cannot demonstrate that the monitoring systems, SAR procedures, and reporting mechanisms are operational
  • Cybersecurity documentation that references generic frameworks without showing how those frameworks have been implemented and tested in the specific DASP's infrastructure
  • Governance structures that name personnel without establishing the accountability and decision-making procedures those personnel operate within
  • Incomplete personnel documentation where compliance officer qualifications or residency requirements are not fully evidenced

The CNAD also has active post-licensing supervisory powers. Registration is not the conclusion of regulatory scrutiny. Operators whose compliance programmes decay after registration, or who make material changes to their services or infrastructure without CNAD approval, risk licence suspension or revocation. The supervisory environment in 2026 is substantially more active than it was in 2023.

DASP in a Global Licensing Strategy

The DASP licence authorises digital asset service provision from and within El Salvador. It does not provide passporting rights to other jurisdictions. Operators targeting EU clients require separate MiCA CASP authorisation. Operators targeting UK clients require separate FCA registration. The DASP licence is a legitimate, tax-efficient base for global digital asset operations, particularly for operators targeting Latin American markets and international markets outside the EU and UK regulatory perimeter.

El Salvador's dollarised economy eliminates currency risk for USD-denominated operations. The capital requirement is low relative to comparable VASP authorisations in Estonia, Lithuania, or Germany. The CNAD is a functioning dedicated digital asset regulator with a clear mandate and a growing public registry that improves credibility with banking partners and institutional counterparties.

Against offshore jurisdictions with thin regulatory substance, the DASP licence carries meaningful regulatory credibility. Banking partners and institutional counterparties conducting due diligence on a DASP-registered operator are reviewing an entity authorised by a dedicated national regulator with published registration records, ongoing reporting obligations, and active supervisory oversight. That is a materially different profile from an entity registered in a jurisdiction with no dedicated crypto regulator and no ongoing supervisory relationship.

For operators building toward EU market access as a future objective, the DASP compliance programme provides a foundation for MiCA compliance. The governance, AML/CFT, cybersecurity, and incident response requirements overlap substantially with what MiCA and DORA require. A DASP-registered operator with a complete, documented, tested compliance programme is closer to MiCA CASP authorisation than one starting from an unregulated position.

Where Blockchain-Native Operators Typically Fall Short

Blockchain-native operators applying for DASP registration typically have better on-chain security practices than their governance documentation reflects. Smart contract audits have been completed. On-chain monitoring is in place. Key management practices are technically sound. What is typically absent is the operational security documentation layer the CNAD requires.

The documentation gap manifests in three ways. First, security procedures that exist in practice are not written down at the level of specificity the application requires. The monitoring system works, but its configuration, alert thresholds, escalation paths, and testing history are not documented. Second, governance accountability for security decisions exists operationally but is not formalised in the documents the CNAD reviews. The Computer Security Officer knows what they are responsible for; the CNAD does not, because the accountability structure is not written into the governance framework. Third, the incident response plan covers the technical response but does not address the 24-hour CNAD reporting obligation, the client notification procedures, or the documentation trail that must be maintained through a security event.

The underlying security posture is often adequate. The documented evidence trail is what is missing. Security reviews that produce reports written for internal technical audiences do not automatically produce the evidence a regulator can use to verify compliance. The scope, methodology, findings, and remediation status must be structured for a regulatory audience. Both the review and the regulatory documentation are required. One without the other does not satisfy the CNAD standard.

What We Provide

Security4Web3 provides independent security reviews and regulatory-grade documentation for DASP applicants preparing for CNAD submission and registered DASPs maintaining ongoing compliance. Our work covers the on-chain infrastructure layer and the operational security layer, and our reports are written for regulatory audiences rather than internal technical teams.

For DASP compliance specifically:

  • Platform security review covering trading infrastructure, custody architecture, wallet systems, API security, and access control frameworks against the CNAD's technical infrastructure requirements
  • Cryptographic key management assessment for DASP custody operations, covering key generation, storage, access controls, multisig governance, rotation procedures, disaster recovery, and single-point-of-failure analysis
  • Smart contract and on-chain infrastructure audit structured as an independent third-party review, providing evidence of security review suitable for inclusion in the CNAD application package
  • Incident response plan development and review producing documented, tested procedures that satisfy the CNAD's 24-hour reporting obligation and the ongoing security incident management requirements
  • Business continuity and disaster recovery plan support covering the security architecture elements, including key recovery procedures, system redundancy, and data backup, that must be evidenced at the application stage and maintained post-registration
  • Annual security audit for registered DASPs satisfying the ongoing external review requirement and producing documentation in the format CNAD supervisory reviews expect

Where a DASP operator also has EU operations or is planning toward MiCA CASP authorisation, our reviews are scoped to address both frameworks simultaneously. The governance, cybersecurity, and operational resilience requirements of DASP and MiCA (with DORA) overlap substantially. Building one evidence trail that satisfies both regulatory audiences is more efficient and produces a more coherent compliance programme than treating each jurisdiction as a separate project.
