a16z: Web3 regulation should focus on the application layer, not protocols
TechFlow Selected TechFlow Selected
a16z: Web3 regulation should focus on the application layer, not protocols
Regulations governing Web2 apply equally to Web3.
Author: Miles Jennings, General Counsel at a16z crypto
Translation: aididiaojp.eth, Foresight News
Many early supporters of the internet advocated for it to remain free and open forever, hoping it would serve as a borderless and unregulated tool. Over the past two decades, as governments have increased their regulation of the web, this vision has lost some adherents. Nevertheless, many of the underlying technologies of the internet—such as HTTP (for website data exchange), SMTP (for email), and FTP (for file transfer)—remain as freely available and open source as ever.
Governments around the world have likewise accepted maintaining the internet through these open-source, decentralized, autonomous, and standardized protocols and technologies. The U.S. Scientific and Advanced Technology Act of 1992 paved the way for the flourishing of e-commerce without requiring changes to the TCP/IP computer network protocol. The Telecommunications Act passed by Congress in 1996 did not restrict how data is transmitted over the network, while providing clear legal support that helped foster the rise of internet giants like Alphabet, Amazon, Apple, and Facebook. While legislation was imperfect, these legally protected spaces enabling innovation laid the foundation for many of today’s internet services.
One key factor behind the internet's success has been that governments chose not to regulate the foundational protocols, instead focusing on regulating applications—such as browsers, websites, and other user-facing software. These applications are commonly referred to as clients, which users rely on to access the network.
In Web3, new types of clients have emerged—including web applications and wallets—alongside advanced decentralized protocols such as blockchain-based settlement layers and smart contract-powered value exchange systems. The same regulatory principles that applied to Web2 should extend to Web3; the question isn't whether Web3 should be regulated.
Clearly, rules are necessary, welcome, and essential.
Rather, the real question is: at which layer of the technology stack does Web3 regulation make the most sense?

Today, internet users access web applications via regulated internet service providers and use regulated clients such as browsers, websites, and apps—many of which are built on top of free and open protocols. Governments can regulate by imposing access restrictions on website content or requiring compliance with privacy rules and copyright laws. For example, the U.S. can compel YouTube to remove terrorist recruitment videos, but it does not regulate DASH (the video streaming protocol).
There are three main reasons why regulating at the protocol layer doesn’t work:
- First, protocols are technically incapable of complying with regulations that require subjective judgment.
- Second, incorporating global regulations into protocols is impractical due to jurisdictional differences and potential conflicts among them.
- Third, requiring applications or clients to be rewritten to comply with regulations across the tech stack would be unnecessary and counterproductive.
Let us examine each of these reasons in greater detail.
Protocols Cannot Technically Comply With Subjective Rules
No matter how well-intentioned a regulation may be, requiring subjective assessments will be disastrous when applied to protocols underlying applications.
Take spam as an example. Clearly, there is near-universal disdain for spam—but what if authorities declared email protocols (like SMTP) illegal in order to prevent spam? What would the internet look like today?
Determining what constitutes spam is inherently subjective and evolves over time. Even large companies like Google, spending vast resources trying to eliminate spam within their email applications or clients (e.g., Gmail), still fail.
Moreover, even if an authority required SMTP to filter spam by default, malicious actors could simply reverse-engineer the filters and circumvent them. Therefore, banning SMTP would either be ineffective or amount to ending email altogether.
In Web3, we can analogize tokens to emails within decentralized exchange (DEX) protocols. If governments want to ban trading certain tokens they deem securities or derivatives via such protocols, they would need to clearly define technical criteria for such classifications—but no such standard could ever be sufficiently objective.
Whether an asset qualifies as a security or derivative is a subjective determination requiring factual and legal analysis—even the U.S. Securities and Exchange Commission struggles with this debate.
Attempting to embed high-level, subjective judgments into base-layer protocols is futile. Like SMTP, decentralized autonomous protocols such as DEXs cannot perform subjective analyses without human intervention. And if human intervention occurs, it undermines the very principles of decentralization and autonomy. Applying such regulations to ban protocols like DEXs would stifle emerging technological innovation and jeopardize the vitality of all Web3.
Protocols Cannot Comply With Global Regulations
Even if it were technically possible to build protocols capable of making complex and subjective decisions, enforcing them globally would still be impractical.
Imagine this: SMTP allows us to send emails to anyone in the world. But if the U.S. required SMTP to filter spam, foreign governments might impose conflicting requirements. Since defining spam is subjective, aligning all national standards would be extremely difficult.
Thus, even if technically feasible, building such decision-making capabilities into protocols contradicts the very idea of creating universally useful standard protocols. SMTP simply cannot incorporate the constantly changing spam-filtering demands of 195 countries and regions. Even if it could, the protocol wouldn’t know the user’s location or how to fairly prioritize conflicting regulatory decisions.
Similarly, in Web3, securities and derivatives laws vary significantly across jurisdictions—and these laws keep evolving. A DEX cannot establish a global standard for complying with such laws, and like SMTP, cannot geographically restrict access. Ultimately, no protocol can succeed if it must operate under the burden of ever-changing global regulations.
Regulate Applications or Clients
By now, it should be clear why regulation should target applications rather than protocols. Application-level regulation enables governments to achieve policy goals without endangering the underlying technology—and this approach has already proven effective.
Because early internet protocols were open-source, decentralized, autonomous, and standardized, they remain functional more than 30 years later. Yet governments can still regulate the information transmitted via these protocols by controlling applications. Or, as the U.S. did by upholding Section 230 of the 1996 Communications Decency Act, protect the free flow of information. Each country can set its own standards and require businesses within its jurisdiction to develop compliant applications.
The relationship between protocols and applications remains the same in Web3, so regulatory principles for Web3 should remain unchanged.
Users access Web3 applications such as wallets and DeFi platforms to deposit digital assets into liquidity pools, purchase NFTs on platform protocols, and trade assets on DEXs. When wallets, websites, and applications seek to provide access, it is reasonable for each jurisdiction to regulate them accordingly.
The first-generation internet’s data exchange, email, and file transfer protocols were incredible tools that made the information internet—transmitting information over networks—possible. Web3 makes the value internet—transmitting value over networks—possible. Lending and asset trading are now native functions of this new internet, representing an extraordinary public good.
As Web3 expands from DeFi into gaming, social media, creator economies, and gig economies, regulatory frameworks that ensure a level playing field will become increasingly important.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














