The rapid growth of the digital asset market has brought significant legal scrutiny, particularly regarding the civil liability of crypto trading platforms for customer losses. Central to this discussion is the platform’s duty of care – a legal obligation to protect its customers’ assets and provide a secure service. European courts are increasingly defining what constitutes a “reasonably competent and diligent service provider” in this nascent sector. As a contract for services is deemed to exist between the customer and the platform, some courts have established an enhanced duty of care, comparable to that of a payment service provider.
The following recent decisions across Europe help illustrate emerging standards: when platforms may be liable for security breaches or regulatory compliance failures, and when customer responsibility and the irreversibility of blockchain transactions limit liability.
Amsterdam District Court (8 September 2023): Establishing an Enhanced Duty of Care
The Amsterdam District Court’s ruling against the platform Coin Meester (ECLI:NL:RBAMS:2023:5425) established a high bar for account security, emphasizing the platform’s proactive responsibility.
The Case: A customer lost approximately €4,000 in cryptocurrency after their account was hacked via a compromised email, which was then used to request a password change and fund transfer. Crucially, the customer had ignored multiple warnings to enable multi-factor authentication (MFA).
Key Decision Points: The court found that the platform’s relationship with the customer constituted a contract for services, imposing an enhanced duty of care comparable to that of a payment service provider. This duty was breached because the platform allowed an account takeover and fund transfer through an easily exploitable method (email/password), despite knowing the risks. The platform was ultimately held liable and ordered to compensate the customer for the full loss.
Grenoble Court of Appeal (26 June 2025): Standalone Liability for Regulatory Failure
The Grenoble Court of Appeal in France issued a ruling against Bitstamp Europe, creating a significant new avenue for civil claims based purely on regulatory status.
The Case: A user lost €27,950 in digital assets due to fraudulent account access in November 2021. While Bitstamp had implemented 2FA and warned the user, the core issue was the platform’s regulatory status. Bitstamp was not registered as a PSAN (Digital Asset Service Provider) with the French financial regulator (AMF) at the time of the incident, a violation of the PACTE Law.
Key Decision Points: The court determined that the purely regulatory violation—the lack of PSAN registration—was sufficient to establish standalone civil liability, independent of any technical or operational negligence. This is a powerful precedent for consumer protection. Bitstamp was ordered to pay the value of the assets at the time of the theft, although a claim for lost appreciation was rejected as “too speculative”.
Arbiter for Financial Services (3 November 2023): Limits on Platform Responsibility
The Maltese Arbiter for Financial Services (OAFS) decision in the case of EN vs. OKcoin Europe (ASF 030-2023) sets a clear boundary for a platform’s liability when customers are victims of external fraud.
The Case: A Complainant lost approximately €34,500 in cryptocurrency after being lured by fraudsters into transferring assets to a fake external trading platform. She had purchased the crypto on OKX but personally executed the transfer to the unknown external wallet.
Key Decision Points: The Arbiter rejected the complaint. The decision emphasized that a crypto platform cannot be held liable when a customer—even if deceived—personally authenticates and initiates a transaction to an external wallet. Responsibility for the recipient address lies squarely with the customer. The Arbiter also explicitly warned that the crypto-asset sector offered less consumer protection than established financial sectors at the time, underscoring the customer’s increased risk burden.
Amsterdam District Court (18 October 2024): The Defence of Adequate Security and Warning
In a later ruling involving Coin Meester, the Amsterdam District Court (ECLI:NL:RBAMS:2024:6458) provided a crucial counterpoint to the earlier decision, clarifying how a platform can meet its duty of care.
The Case: A customer lost €15,818 following a hack. In this instance, the platform had mandated 2FA upon registration and extensively warned the customer about the superior security of Google Authenticator (GA) over the less secure email-based 2FA. The customer chose the less secure option.
Key Decision Points: The court ruled in favour of the platform, finding it not liable. The court concluded that by enforcing 2FA and clearly communicating its security recommendations, the platform had fulfilled its duty of care and acted as a “reasonably competent and diligent service provider”. The customer’s decision to bypass the recommended, superior security measure shifted the responsibility for the loss back to the user.
OLG Saarbrücken (16 October 2025): Defining Liability under General Civil Law
The Higher Regional Court (OLG Saarbrücken, Az.: 4 U 4/24) in Germany issued a significant decision that defined the appropriate legal framework for assessing crypto platform liability.
The Case: The case involved the loss of over €144,000 worth of Cardano (ADA) that was transferred without the investor’s consent. The OLG was reviewing an initial judgment that had dismissed the investor’s claim against the crypto trading platform.
Key Decision Points: The OLG rejected the application of the strict Payment Services Directive (PSD2), confirming that the legal relationship is not a simple payment service. Instead, the court defined it as a contract for services (Geschäftsbesorgungsvertrag), which subjects the platform to general civil law duty of care obligations. Citing essential procedural errors in the lower court’s handling of the complex technical facts, the OLG vacated the judgment and referred the dispute back for a new trial and evidence gathering.
Conclusion: A Dual Standard of Liability
The above decisions establish a critical framework for the future of crypto platform liability in Europe, setting a dual standard of accountability between crypto exchanges and their customers:
Technical & Contractual Duty: Like all service providers, crypto exchanges have an enhanced duty of care to provide a secure service to their customers. They can be held liable for security lapses (Coin Meester I), but this liability is mitigated if they enforce reasonable security standards and the customer ignores clear warnings (Coin Meester II). The foundation for this liability is the contract for services (OLG Saarbrücken).
Regulatory Duty: Non-compliance with national regulatory requirements (like PSAN registration) can create standalone civil liability, even without technical negligence (Grenoble).
Crucially, while courts are protecting users from platform failures, they are simultaneously reinforcing the principle of user responsibility. Once a customer personally authenticates an irreversible transaction to an external wallet, the platform’s liability is generally extinguished. As MiCA solidifies regulatory standards, this combination of judicial oversight and regulatory clarity is essential to maturing the European digital asset market.




