MiCA crypto

The Markets in Crypto-Assets Regulation (MiCA) represents the European Union’s comprehensive regulatory framework for crypto-assets, establishing harmonised rules for issuers and service providers across all Member States. This authoritative guide provides detailed analysis of MiCA’s requirements, application timelines, and practical compliance considerations for market participants.

Key Date: MiCA becomes fully applicable on 30 December 2024. Provisions for asset-referenced tokens (ART) and e-money tokens (EMT) applied from 30 June 2024.

What is MiCA? Understanding the EU's Crypto-Assets Regulation

Regulation (EU) 2023/1114 on markets in crypto-assets, commonly known as MiCA or MiCAR, entered into force in June 2023 and represents the first comprehensive regulatory framework for crypto-assets at the European Union level. The regulation establishes uniform rules for the issuance, offering to the public, admission to trading, and provision of services related to crypto-assets that do not qualify as financial instruments under existing EU financial services legislation.

The European Commission proposed MiCA in September 2020 as part of its Digital Finance Package, responding to the rapid growth of crypto-asset markets and the absence of harmonised regulatory treatment across Member States. Prior to MiCA, crypto-asset activities were subject to fragmented national regimes, creating regulatory arbitrage opportunities and inconsistent levels of investor protection. The regulation aims to address these challenges by establishing a single rulebook applicable across all EU Member States and the European Economic Area (EEA).

MiCA pursues multiple regulatory objectives: protecting investors and consumers from risks associated with crypto-assets, preserving market integrity and financial stability, and supporting innovation by providing legal certainty for crypto-asset issuers and service providers. The regulation introduces mandatory disclosure requirements through white papers, authorisation regimes for certain issuers and service providers, operational and prudential requirements, and rules preventing market abuse in crypto-asset markets.

The regulation covers crypto-assets not already regulated under existing EU financial services legislation, including the Markets in Financial Instruments Directive (MiFID II), the E-Money Directive, or the Securitisation Regulation. MiCA establishes three distinct categories of crypto-assets with differentiated regulatory treatment: asset-referenced tokens (ART), e-money tokens (EMT), and other crypto-assets. Additionally, the regulation creates a comprehensive framework for crypto-asset service providers (CASPs), entities offering services such as custody, trading, exchange, and advisory services related to crypto-assets.

Entry into Force: June 2023
ART/EMT Provisions: 30 June 2024
Full Application: 30 December 2024

Scope: EU and EEA Member States
Regulated Entities: Issuers and Service Providers
Supervisors: National Competent Authorities, ESMA, EBA

Key Objectives of MiCA crypto

MiCA establishes a comprehensive regulatory framework designed to achieve multiple interconnected objectives that balance innovation with protection and stability:

  • Investor and Consumer Protection: The regulation mandates extensive disclosure requirements through white papers, conduct of business rules for service providers, and safeguarding requirements for client assets. These provisions aim to ensure that investors and consumers receive adequate information about crypto-assets and services, understand associated risks, and benefit from protections comparable to those in traditional financial markets.
  • Market Integrity: MiCA introduces market abuse provisions specifically tailored to crypto-asset markets, prohibiting insider dealing and market manipulation. The regulation requires suspicious transaction and order reporting (STOR) by service providers and establishes disclosure obligations for issuers regarding inside information. These measures aim to promote fair and transparent trading conditions.
  • Financial Stability: The regulation imposes stringent requirements on issuers of asset-referenced tokens and e-money tokens, including reserve requirements, own funds requirements, and limitations on use as means of exchange. Additional requirements apply to significant tokens that could pose systemic risks. These provisions aim to prevent crypto-assets from threatening monetary sovereignty or financial stability.
  • Regulatory Harmonisation: By establishing uniform rules applicable across all Member States, MiCA eliminates regulatory fragmentation and creates a level playing field for market participants. Authorised entities benefit from passporting rights, enabling cross-border provision of services throughout the EU based on a single authorisation. This harmonisation reduces compliance costs and regulatory arbitrage.
  • Supporting Innovation: MiCA provides legal certainty for legitimate crypto-asset activities by clearly defining regulated activities, establishing transparent authorisation processes, and creating a predictable regulatory environment. The regulation aims to foster innovation in crypto-asset markets while ensuring appropriate safeguards are in place.

Timeline and Application Dates

MiCA follows a phased implementation timeline, with different provisions becoming applicable at different dates. Understanding the distinction between “entry into force” and “application” is essential: entry into force refers to when the regulation becomes part of EU law, while application refers to when specific provisions become legally binding and must be complied with.

The regulation entered into force on 29 June 2023, twenty days after its publication in the Official Journal of the European Union. However, most substantive provisions have delayed application dates to allow market participants and supervisors time to prepare. Provisions relating to asset-referenced tokens and e-money tokens became applicable on 30 June 2024, eighteen months after entry into force. All remaining provisions, including those governing other crypto-assets and crypto-asset service providers, become applicable on 30 December 2024, eighteen months after the earlier provisions.

The regulation includes mandates for numerous Level 2 measures (regulatory technical standards and implementing technical standards) and Level 3 measures (guidelines) to be developed by ESMA and EBA. These technical standards provide detailed operational requirements essential for compliance. Most mandates required submission of draft standards to the European Commission within 12 to 18 months after entry into force, with adoption and publication following thereafter.

| Date | Milestone | What Becomes Applicable |
|---|---|---|
| 29 June 2023 | Entry into Force | MiCA becomes part of EU law; mandates for technical standards begin |
| 30 June 2024 | Partial Application | Provisions for asset-referenced tokens (ART) and e-money tokens (EMT) |
| 30 December 2024 | Full Application | All remaining provisions, including CASP requirements and other crypto-assets |
| 1 July 2026 | Transitional Deadline | End of grandfathering period for existing service providers |

Scope of MiCA: What Crypto-Assets Are Covered?

MiCA defines a crypto-asset as “a digital representation of a value or a right which may be transferred and stored electronically, using distributed ledger technology or similar technology.” This broad definition encompasses a wide range of digital assets, but the regulation explicitly excludes certain categories already regulated under existing EU financial services legislation.

Crypto-assets that qualify as financial instruments under MiFID II fall outside MiCA’s scope and remain subject to the existing regulatory framework for securities and derivatives. This includes tokenised securities, security tokens, and crypto-assets that meet the definition of transferable securities, money market instruments, or derivatives. Similarly, deposits as defined in Directive 2014/49/EU, structured deposits under MiFID II, securitisation positions under Regulation (EU) 2017/2402, and insurance products are excluded from MiCA’s scope.

Non-fungible tokens (NFTs) are generally excluded from MiCA’s scope, provided they represent unique and non-fungible digital assets such as art, collectibles, or in-game assets. However, the regulation includes an anti-avoidance provision: crypto-assets that appear to be unique or non-fungible may be classified as crypto-assets subject to MiCA if their features or functions create interchangeability or fungibility. The European Commission must submit a report on the treatment of NFTs by 30 December 2024, potentially leading to future regulatory proposals.

Covered by MiCA:
– Utility tokens
– Payment tokens
– Asset-referenced tokens (stablecoins)
– E-money tokens
– Other crypto-assets not qualifying as financial instruments

Excluded from MiCA:
– Financial instruments (MiFID II scope)
– Deposits and structured deposits
– Securitisation positions
– Insurance products
– NFTs (generally, subject to anti-avoidance)

Three Categories of Crypto-Assets Under MiCA

MiCA establishes three distinct categories of crypto-assets, each subject to differentiated regulatory requirements reflecting their specific characteristics and potential risks. This categorisation determines the applicable disclosure, authorisation, and operational requirements for issuers.

Asset-referenced tokens (ART) are crypto-assets that purport to maintain a stable value by referencing another value or right, or a combination thereof, including one or more official currencies. These tokens, commonly known as stablecoins, are typically backed by a reserve of assets. E-money tokens (EMT) are a specific subset of asset-referenced tokens that purport to maintain a stable value by referencing the value of only one official currency. Other crypto-assets encompass all crypto-assets that do not fall within the ART or EMT categories and are not financial instruments, including utility tokens, payment tokens, and governance tokens.

| Category | Definition | Key Requirements | Examples |
|---|---|---|---|
| Asset-Referenced Tokens (ART) | Crypto-assets that maintain stable value by referencing another value, right, or combination thereof, including one or more currencies | Authorisation required; white paper approval; reserve requirements; own funds requirements; transaction limits | Multi-currency stablecoins, commodity-backed tokens, algorithmic stablecoins with reserves |
| E-Money Tokens (EMT) | Crypto-assets that maintain stable value by referencing only one official currency | Issuer must be credit institution or e-money institution; white paper required; redemption rights at par value | EUR-backed stablecoins, USD-backed stablecoins, single-currency fiat-collateralised tokens |
| Other Crypto-Assets | All crypto-assets not qualifying as ART, EMT, or financial instruments | White paper notification to NCA; no authorisation required for issuers; lighter disclosure requirements | Utility tokens, governance tokens, payment tokens without stable value, reward tokens |

Crypto-Assets vs. Financial Instruments: The Classification Challenge

The classification of a crypto-asset as either a MiCA crypto-asset or a MiFID II financial instrument represents a critical threshold determination with significant regulatory consequences. This classification is not based on terminology or labels used by issuers but on the substantive characteristics and rights embodied in the crypto-asset. ESMA has published guidelines to assist competent authorities and market participants in applying the definitions of financial instruments under MiFID II to crypto-assets.

Crypto-assets that qualify as transferable securities under MiFID II typically share characteristics with traditional equity or debt instruments, such as representing ownership rights in an entity, entitlement to profit distributions, or creditor rights. Tokenised securities, security token offerings (STOs), and tokens providing equity-like or debt-like rights generally fall within MiFID II scope. Similarly, crypto-assets that constitute derivatives, such as those deriving their value from underlying financial instruments or commodities, are regulated under MiFID II rather than MiCA. The classification analysis must consider the rights and obligations attached to the crypto-asset, the economic substance of the arrangement, and the reasonable expectations of holders.

Classification Complexity: Determining whether a crypto-asset qualifies as a financial instrument or falls under MiCA requires case-by-case legal analysis considering all features and rights. Misclassification may result in non-compliance with applicable regulatory requirements. Market participants are well advised to seek legal guidance on classification questions.

Requirements for Issuing Crypto-Assets in the EU

MiCA establishes comprehensive requirements for persons seeking to offer crypto-assets to the public in the EU or seeking admission to trading of crypto-assets on a trading platform. The specific requirements vary significantly depending on the category of crypto-asset being issued, with asset-referenced tokens and e-money tokens subject to substantially more stringent requirements than other crypto-assets.

All issuers must prepare and publish a white paper containing detailed information about the crypto-asset, the issuer, the offer, and associated risks. For asset-referenced tokens and e-money tokens, the white paper must be approved by the relevant national competent authority before publication. For other crypto-assets, the white paper must be notified to the competent authority but does not require prior approval. Issuers of asset-referenced tokens must obtain authorisation from a national competent authority before offering tokens to the public or seeking admission to trading. E-money tokens may only be issued by credit institutions or electronic money institutions already authorised under existing EU legislation.

White Paper Requirements

The crypto-asset white paper serves as the primary disclosure document providing prospective holders with information necessary to make informed investment decisions. MiCA prescribes detailed content requirements for white papers, varying by category of crypto-asset. The white paper must be written in a clear, comprehensible manner and must not contain information that is unfair, unclear, or misleading.

For asset-referenced tokens, the white paper must include information about the issuer, the token, the offer or admission to trading, rights and obligations attached to the token, underlying technology, and risks. Specific requirements include disclosure of the reserve assets, their composition, custody arrangements, and the mechanism for maintaining stable value. The white paper must clearly describe the redemption rights, if any, and any limitations on such rights. For e-money tokens, similar content requirements apply, with particular emphasis on redemption rights at par value and the claim on the issuer.

For other crypto-assets, the white paper must contain information about the issuer, the crypto-asset project, the offer or admission to trading, rights and obligations, underlying technology, and risks. The level of detail required is less extensive than for asset-referenced tokens and e-money tokens, reflecting the lower systemic risk profile. Issuers must publish the white paper on their website and make it available free of charge. The white paper must be notified to the competent authority of the Member State where the issuer is established at least 20 working days before publication, unless the competent authority requests changes or additional information.

White Paper Must Include:

  • Information about the issuer (identity, legal form, contact details)
  • Description of the crypto-asset and its main features
  • Rights and obligations attached to the crypto-asset
  • Information about the underlying technology
  • Comprehensive risk disclosures
  • Details of the offer or admission to trading
  • Information about the project and its development
  • Environmental and climate-related impact (for proof-of-work consensus mechanisms)

Additional Requirements for ART/EMT:

  • Reserve assets: composition, custody, valuation
  • Stabilisation mechanism and its functioning
  • Redemption rights and procedures
  • Own funds of the issuer
  • Governance arrangements
  • Complaint procedures
  • White paper approval by competent authority required

Issuing Asset-Referenced Tokens (Stablecoins)

Asset-referenced tokens, commonly known as stablecoins when they reference fiat currencies or other stable assets, are subject to the most comprehensive regulatory requirements under MiCA due to their potential to be widely used as means of exchange and their implications for monetary policy and financial stability. The regulation distinguishes between asset-referenced tokens that reference a single asset and those that reference multiple assets or a basket of assets.

Persons seeking to issue asset-referenced tokens must obtain authorisation from the competent authority of the Member State where they are established. Only legal persons established in the EU may be authorised as issuers of asset-referenced tokens. Credit institutions authorised under Directive 2013/36/EU are not required to obtain separate authorisation for issuing asset-referenced tokens but must notify the competent authority and comply with specific MiCA requirements. The authorisation process requires submission of detailed information about the issuer, its management, the token, the white paper, reserve assets, and operational arrangements.

Issuers of asset-referenced tokens must hold own funds equal to at least the higher of EUR 350,000 or 2% of the average amount of reserve assets. These own funds must be held in addition to the reserve assets and serve as a buffer against operational risks and losses. The reserve assets must be composed of highly liquid financial instruments with minimal market risk and credit risk. At least 30% of reserve assets must be held as deposits with credit institutions. Reserve assets must be legally segregated from the issuer’s own assets and must be held in custody with authorised custodians. The composition of reserve assets must correspond to the assets or rights referenced by the token.

MiCA imposes quantitative limits on the use of asset-referenced tokens as means of exchange to prevent them from threatening monetary sovereignty. Asset-referenced tokens may not be used for more than one million transactions per day or for transactions exceeding EUR 200 million per day in the EU. If these thresholds are exceeded, the issuer must submit a plan to ensure compliance, which may include limiting issuance or redemptions. These limitations do not apply to asset-referenced tokens classified as significant, which are subject to additional requirements but not quantitative transaction limits.

Transaction Limits for ART as Means of Exchange:
Maximum 1 million transactions per day OR EUR 200 million transaction volume per day in the EU. Exceeding these limits triggers enhanced requirements and potential restrictions.

Issuing E-Money Tokens

E-money tokens represent a specific category of asset-referenced tokens that reference only one official currency and purport to maintain a stable value by referencing that currency. These tokens function similarly to electronic money under Directive 2009/110/EC but are issued using distributed ledger technology. The regulatory framework for e-money tokens combines elements of the E-Money Directive with specific MiCA requirements.

Only credit institutions authorised under Directive 2013/36/EU or electronic money institutions authorised under Directive 2009/110/EC may issue e-money tokens. This restriction ensures that issuers are subject to prudential supervision and meet minimum capital requirements. Persons not already authorised as credit institutions or e-money institutions must obtain such authorisation before issuing e-money tokens; MiCA does not create a separate authorisation regime for e-money token issuers.

Issuers of e-money tokens must draft a white paper in accordance with MiCA requirements and notify it to the competent authority at least 40 working days before publication. The white paper must clearly describe the redemption rights attached to e-money tokens, which must allow holders to redeem the tokens at any time and at par value for the referenced official currency. Issuers must hold reserve assets corresponding to the amount of e-money tokens in circulation, invested in secure, low-risk assets as prescribed by the E-Money Directive. The application of both the E-Money Directive and MiCA to e-money tokens creates a comprehensive regulatory framework addressing both prudential and conduct aspects.

| Feature | Asset-Referenced Tokens (ART) | E-Money Tokens (EMT) |
|---|---|---|
| Reference Asset | Multiple assets, basket of assets, or single non-currency asset | Single official currency only |
| Who Can Issue | Legal persons established in EU with MiCA authorisation; credit institutions | Credit institutions or e-money institutions only |
| Authorisation | Specific MiCA authorisation required (except credit institutions) | Credit institution or e-money institution authorisation required |
| White Paper | Approval by competent authority required | Notification to competent authority required (40 working days) |
| Redemption Rights | May or may not include redemption rights | Must allow redemption at any time at par value |
| Reserve Requirements | Detailed MiCA requirements on composition and custody | E-Money Directive requirements apply |
| Transaction Limits | 1 million transactions/day or EUR 200 million/day (non-significant) | No specific transaction limits under MiCA |

Significant Asset-Referenced Tokens and E-Money Tokens

MiCA introduces the concept of significant asset-referenced tokens and significant e-money tokens to address tokens that, due to their size, user base, or interconnectedness, could pose risks to financial stability or monetary policy. The classification as significant triggers additional requirements and enhanced supervision by European authorities.

The competent authority must classify an asset-referenced token or e-money token as significant if at least three of the following criteria are met: the number of holders exceeds 10 million, the value of the tokens or the market capitalisation exceeds EUR 5 billion, the number and value of transactions per day exceed specified thresholds, the issuer is significant in terms of cross-border activities, the issuer belongs to a group providing financial services, or the issuer has been designated as a gatekeeper under the Digital Markets Act (Regulation (EU) 2022/1925). Additionally, the competent authority may classify a token as significant based on other criteria indicating systemic importance.

Issuers of significant asset-referenced tokens must meet enhanced requirements including higher own funds (at least 3% of average reserve assets or EUR 5 million, whichever is higher), liquidity management policies ensuring ability to meet redemption requests, interoperability arrangements to prevent lock-in effects, and business continuity arrangements. Supervision of significant asset-referenced token issuers involves the European Banking Authority (EBA) through supervisory colleges. For significant e-money tokens, EBA assumes direct supervisory responsibilities in cooperation with national competent authorities. The classification as significant may be withdrawn if the criteria are no longer met for at least 18 consecutive months.

Significance Criteria: Tokens meeting at least 3 of the following criteria must be classified as significant: 10+ million holders, EUR 5+ billion market cap, high transaction volumes, cross-border significance, financial group affiliation, or gatekeeper status under Digital Markets Act.

Crypto-Asset Service Providers (CASPs): Authorisation and Requirements

MiCA establishes a comprehensive regulatory framework for crypto-asset service providers (CASPs), defined as legal persons or other undertakings whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis. From 30 December 2024, the provision of crypto-asset services in the EU requires authorisation from a national competent authority, subject to limited exemptions.

The authorisation requirement applies to all legal persons seeking to provide crypto-asset services professionally in the EU. Natural persons may not be authorised as CASPs. Credit institutions authorised under Directive 2013/36/EU and investment firms authorised under MiFID II may provide crypto-asset services within the scope of their existing authorisation without obtaining separate MiCA authorisation, provided they notify their competent authority. However, these entities must comply with certain MiCA requirements, including conduct of business rules and conflicts of interest provisions.

Persons providing crypto-asset services without the required authorisation may be included in the register of non-compliant crypto-asset service providers maintained by ESMA. This public register serves as a warning to consumers and may trigger enforcement actions by competent authorities. The provision of unauthorised crypto-asset services constitutes a breach of MiCA and may result in administrative penalties, criminal sanctions under national law, and civil liability.

Types of Crypto-Asset Services Under MiCA

MiCA defines ten distinct types of crypto-asset services, each constituting a regulated activity requiring authorisation. These services encompass the full spectrum of crypto-asset intermediation activities, from custody and trading to advisory services. The provision of any one or more of these services on a professional basis triggers the authorisation requirement.

Custody and Trading Services:

  1. Custody and administration of crypto-assets on behalf of clients: Safekeeping and administration of crypto-assets or means of access to crypto-assets on behalf of clients, including custodial wallet services.
  2. Operation of a trading platform for crypto-assets: Operating a multilateral system that brings together multiple third-party buying and selling interests in crypto-assets in a way that results in a contract.
  3. Exchange of crypto-assets for funds or other crypto-assets: Concluding contracts to buy or sell crypto-assets against funds or other crypto-assets on own account by making firm quotes.
  4. Execution of orders for crypto-assets on behalf of clients: Concluding agreements to buy or sell crypto-assets on behalf of clients.
  5. Placing of crypto-assets: Marketing newly issued crypto-assets on behalf of the issuer to purchasers, including underwriting or initial placement without firm commitment basis.

Advisory and Other Services:

  1. Reception and transmission of orders for crypto-assets on behalf of clients: Receiving and transmitting orders from clients to buy or sell crypto-assets and transmitting those orders to other entities for execution.
  2. Providing advice on crypto-assets: Offering, giving, or agreeing to give personalised recommendations to clients concerning crypto-asset transactions.
  3. Portfolio management on crypto-assets: Managing portfolios of crypto-assets on behalf of clients on a discretionary, client-by-client basis.
  4. Providing transfer services for crypto-assets on behalf of clients: Conducting transfers of crypto-assets on behalf of clients, including operating transfer systems.
  5. Providing other crypto-asset services: Any service related to crypto-assets that the European Commission may designate through delegated acts.

Authorisation Process for CASPs

The authorisation process for crypto-asset service providers requires submission of a comprehensive application to the competent authority of the Member State where the applicant is established or intends to establish its head office. The application must demonstrate that the applicant meets all requirements set out in MiCA and provide detailed information about the proposed services, governance arrangements, and operational framework.

The application must include the programme of operations, specifying the crypto-asset services to be provided and the organisational structure; a description of the governance arrangements, including the organisational structure, internal control mechanisms, and risk management procedures; information on the identity of shareholders or members holding qualifying holdings and the amounts of those holdings; evidence of initial capital and own funds; information on the identity and relevant experience of members of the management body; a description of the systems and security access protocols; a description of business continuity arrangements; a description of procedures for safeguarding client assets; and evidence of professional indemnity insurance or comparable guarantee.

The competent authority must assess the application within 25 working days of receipt to determine completeness. If the application is incomplete, the authority must request additional information, suspending the assessment period. Once the application is deemed complete, the competent authority must make a decision within 40 working days, which may be extended by an additional 20 working days in complex cases. The authority may refuse authorisation if the applicant does not meet the requirements, if the information provided is incomplete or incorrect, or if there are objective and demonstrable grounds for believing that the management body poses a threat to effective supervision or financial stability.

Upon granting authorisation, the competent authority must notify ESMA, which includes the CASP in the MiCA register. The authorisation is valid throughout the EU and EEA, enabling the CASP to provide services on a cross-border basis through passporting rights. The authorisation specifies the crypto-asset services the CASP is authorised to provide; any change in the scope of authorisation requires prior approval from the competent authority.

Key Documents Required for CASP Authorisation:

  • Programme of operations (services, organisational structure)
  • Governance arrangements and internal controls
  • Shareholder information and qualifying holdings
  • Evidence of initial capital and own funds
  • Management body information and fit and proper documentation
  • IT systems and security protocols description
  • Business continuity and disaster recovery plans
  • Client asset safeguarding procedures
  • Professional indemnity insurance or comparable guarantee
  • Policies and procedures (AML, conflicts of interest, complaints handling)
  • Outsourcing agreements and arrangements
  • Financial projections and business plan

Organisational and Operational Requirements for CASPs

MiCA imposes extensive organisational and operational requirements on authorised crypto-asset service providers to ensure sound management, adequate internal controls, and protection of client interests. These requirements address governance, risk management, operational resilience, outsourcing, and complaints handling.

CASPs must establish robust governance arrangements including a clear organisational structure with well-defined, transparent, and consistent lines of responsibility; effective procedures for identifying, managing, monitoring, and reporting risks; adequate internal control mechanisms including sound administrative and accounting procedures; and remuneration policies promoting sound and effective risk management. The management body must possess adequate collective knowledge, skills, and experience to understand the CASP’s activities and main risks. Members of the management body must be of sufficiently good repute and possess sufficient knowledge, skills, and experience.

Client asset protection constitutes a core requirement. CASPs providing custody services must implement arrangements to safeguard ownership rights of clients and prevent use of client crypto-assets for their own account. Client crypto-assets and funds must be segregated from the CASP’s own assets through appropriate arrangements with third parties, such as holding client crypto-assets in separate accounts or using multi-signature wallets. In the event of the CASP’s insolvency, client assets must be protected from claims of the CASP’s creditors. CASPs must maintain records enabling immediate identification of client positions and must conduct regular reconciliations.

Outsourcing of critical or important operational functions requires careful management to ensure the CASP retains full responsibility and control. The CASP must ensure that outsourcing does not result in delegation of responsibility to the service provider, materially impair the quality of internal control and the ability of the competent authority to supervise compliance, or undermine continuity and quality of services to clients. Outsourcing agreements must be documented in writing and must provide for termination rights. The competent authority must be notified of material outsourcing arrangements, and the CASP must ensure the authority has effective access to information and premises of the service provider.

CASPs must establish and implement effective and transparent complaints handling procedures for receiving, handling, and responding to complaints from clients. These procedures must be easily accessible, free of charge, and available in the official languages of the Member States where services are provided. The CASP must investigate complaints diligently and impartially, communicate the outcome to the complainant in a clear manner, and maintain records of complaints and measures taken. Competent authorities may require CASPs to provide regular reports on complaints received and their handling.

Prudential Requirements: Own Funds and Insurance

MiCA establishes prudential requirements for crypto-asset service providers to ensure they maintain adequate financial resources to support their activities and absorb losses. These requirements include minimum initial capital, ongoing own funds requirements, and professional indemnity insurance or comparable guarantee.

The initial capital requirement varies depending on the crypto-asset services provided. CASPs providing only reception and transmission of orders or advice must hold initial capital of at least EUR 50,000. CASPs providing execution of orders, placement, or operation of a trading platform must hold at least EUR 125,000. CASPs providing custody and administration, portfolio management, exchange services, or transfer services must hold at least EUR 150,000. These amounts represent minimum thresholds; competent authorities may require higher initial capital based on the nature, scale, and complexity of the CASP’s activities.

On an ongoing basis, CASPs must hold own funds equal to at least the higher of the initial capital requirement or one quarter of the fixed overheads of the preceding year. This requirement ensures that CASPs maintain sufficient resources relative to their operational scale. Own funds must be composed of Common Equity Tier 1 items as defined in Regulation (EU) No 575/2013, subject to certain adjustments. CASPs must notify the competent authority immediately if own funds fall below the required level and must submit a plan to restore compliance.

CASPs must hold professional indemnity insurance covering liability arising from professional negligence, errors, or omissions in the provision of crypto-asset services, or hold an amount of own funds equivalent to the insurance coverage. The insurance must cover the entire territory of the EU and must have a minimum coverage amount determined by the competent authority based on the nature and scale of services. CASPs may use a combination of insurance and additional own funds to meet this requirement. The insurance policy must be appropriate to the risks covered and must provide for coverage on a per-claim and annual aggregate basis.

Type of Crypto-Asset Service | Minimum Initial Capital | Ongoing Own Funds
Reception and transmission of orders; Advice | EUR 50,000 | Higher of EUR 50,000 or 1/4 of previous year’s fixed overheads
Execution of orders; Placement; Operation of trading platform | EUR 125,000 | Higher of EUR 125,000 or 1/4 of previous year’s fixed overheads
Custody; Portfolio management; Exchange; Transfer services | EUR 150,000 | Higher of EUR 150,000 or 1/4 of previous year’s fixed overheads

Conduct of Business Rules and Client Protection

MiCA establishes comprehensive conduct of business rules requiring CASPs to act honestly, fairly, and professionally in accordance with the best interests of their clients. These rules address information disclosure, conflicts of interest, best execution, and suitability and appropriateness assessments.

CASPs must provide clients with clear, comprehensive, and non-misleading information in good time before the provision of services. This pre-contractual information must include a description of the nature and risks of crypto-asset services and crypto-assets, information about the CASP including its authorisation status, a description of costs and associated charges, and information about safeguarding of client assets and applicable investor protection schemes. The information must be provided in a durable medium or on a website, in a clear and comprehensible manner, and in an official language of the Member State where services are provided or in another language agreed with the client.

CASPs must establish and maintain effective arrangements to identify, prevent, manage, and disclose conflicts of interest between the CASP and its clients, between different clients, or between members of staff and clients. Where organisational or administrative arrangements are not sufficient to ensure with reasonable confidence that risks of damage to client interests will be prevented, the CASP must clearly disclose the nature and sources of conflicts to the client before undertaking business. CASPs must maintain and operate effective organisational and administrative arrangements with a view to taking all reasonable steps to prevent conflicts from adversely affecting client interests.

CASPs executing orders on behalf of clients or providing portfolio management services must take all sufficient steps to obtain the best possible result for clients, taking into account price, costs, speed, likelihood of execution and settlement, size, nature, and any other consideration relevant to the execution of the order. CASPs must establish and implement an order execution policy that identifies for each class of crypto-assets the different venues where orders may be executed and the factors affecting choice of venue. The execution policy must be reviewed regularly and whenever a material change occurs affecting the CASP’s ability to obtain the best possible result.

CASPs providing advice on crypto-assets or portfolio management services must obtain information from clients regarding their knowledge and experience in crypto-asset investments, financial situation including ability to bear losses, and investment objectives including risk tolerance. This information enables the CASP to assess whether the recommended service or crypto-asset is suitable for the client. For execution or reception and transmission of orders, CASPs must assess whether the client has the necessary knowledge and experience to understand the risks involved (appropriateness assessment). If the service or crypto-asset is not suitable or appropriate, the CASP must warn the client accordingly. These requirements do not apply where services are provided at the client’s initiative (execution-only services) and concern non-complex crypto-assets.

Significant Crypto-Asset Service Providers

MiCA introduces the concept of significant crypto-asset service providers to address CASPs whose size, user base, or systemic importance warrant enhanced supervision and additional requirements. The classification as significant triggers heightened regulatory expectations and closer supervisory scrutiny.

A CASP is classified as significant if it has at least 15 million active users annually in the EU. Active users are defined as natural or legal persons who have held crypto-assets with the CASP or have executed at least one transaction through the CASP during the relevant period. The competent authority must notify ESMA when a CASP under its supervision meets this threshold. ESMA maintains a list of significant CASPs and coordinates supervisory activities related to these entities.

Significant CASPs are subject to enhanced requirements including more stringent governance arrangements, enhanced risk management frameworks, robust business continuity and disaster recovery arrangements, and regular independent audits of systems and controls. National competent authorities must report to ESMA on supervisory developments concerning significant CASPs, and ESMA may participate in supervisory activities, including on-site inspections, in cooperation with the relevant competent authority. The classification as significant may be withdrawn if the CASP no longer meets the threshold for at least 18 consecutive months.

Significance Threshold: CASPs with 15 million or more active users annually in the EU are classified as significant, triggering enhanced requirements and ESMA coordination of supervision.

EU Passport and Cross-Border Services

One of the fundamental features of MiCA is the introduction of passporting rights for authorised crypto-asset service providers and issuers of asset-referenced tokens, enabling them to provide services or offer tokens throughout the EU and EEA based on a single authorisation. This passport mechanism promotes market integration and reduces regulatory fragmentation.

A CASP authorised in one Member State (the home Member State) may provide crypto-asset services in other Member States (host Member States) either through establishment of a branch or on a cross-border basis through freedom to provide services. To exercise passporting rights, the CASP must notify its home competent authority of its intention to provide services in another Member State, specifying the services to be provided and, in the case of establishment of a branch, the organisational structure of the branch. The home competent authority must, within one month of receiving complete notification, communicate the information to the competent authority of the host Member State.

The CASP may commence activities in the host Member State upon receipt of notification from the home competent authority that the information has been communicated to the host authority, or if no notification is received, one month after the home authority received the complete notification. The passport is valid for all crypto-asset services specified in the authorisation; the CASP need not limit its activities in the host Member State to a subset of authorised services. Supervision of the CASP remains primarily the responsibility of the home competent authority, but the host authority retains certain powers, particularly regarding conduct of business and marketing practices in its territory.

Similarly, issuers of asset-referenced tokens authorised in one Member State may offer their tokens to the public or seek admission to trading throughout the EU based on their home authorisation. The issuer must notify the home competent authority of its intention to offer tokens in another Member State, and the home authority must communicate the white paper and relevant information to the host authority. This passport mechanism for issuers facilitates pan-European token offerings while maintaining supervision by the home authority.

Third-Country Firms and Reverse Solicitation

MiCA does not establish a third-country regime or equivalence framework comparable to those existing under MiFID II or other EU financial services legislation. Consequently, crypto-asset service providers established in third countries (non-EU jurisdictions) cannot obtain authorisation to provide services in the EU on a cross-border basis without establishing a legal entity in an EU Member State.

The absence of a third-country regime means that non-EU firms seeking to actively provide crypto-asset services to EU clients must establish an EU entity and obtain MiCA authorisation from a Member State competent authority. This requirement applies regardless of whether the firm is authorised or regulated in its home jurisdiction. The EU entity must meet all MiCA requirements, including initial capital, governance, operational, and conduct requirements.

The concept of reverse solicitation provides a limited exception to the authorisation requirement. Reverse solicitation occurs when a client takes the initiative to request services from a non-authorised provider without any prior solicitation by the provider. In such cases, the provider may provide services to that client without MiCA authorisation, provided the provision of services results entirely from the client’s own initiative and the provider has not undertaken any marketing, advertising, or promotional activities in the EU.

ESMA has published guidelines on reverse solicitation providing a strict interpretation of this concept. Any form of marketing, advertising, or promotion directed at EU clients, including through websites accessible in the EU, social media, or other channels, constitutes solicitation and precludes reliance on the reverse solicitation exemption. Non-EU firms must implement robust procedures to ensure that services are provided only following genuine client initiative and must maintain documentation evidencing the client’s initiative. Given the narrow scope of the reverse solicitation exemption and the risks of non-compliance, non-EU firms planning to provide crypto-asset services to EU clients on more than an occasional basis are well advised to establish an EU entity and obtain MiCA authorisation.

No Third-Country Regime: MiCA does not provide for equivalence or third-country authorisation. Non-EU firms must establish an EU entity and obtain authorisation to actively provide services to EU clients. Reverse solicitation provides only a narrow exemption for services provided entirely at the client’s own initiative without any prior marketing or solicitation.

Transitional Provisions and Grandfathering

Recognising that market participants require time to adapt to the new regulatory framework, MiCA includes transitional provisions allowing certain existing crypto-asset service providers to continue their activities for a limited period while seeking MiCA authorisation. These provisions aim to prevent disruption to existing services while ensuring an orderly transition to the MiCA regime.

The transitional measures are optional for Member States; each Member State may decide whether to apply them and must notify ESMA of its decision by the end of June 2024. Member States that choose to apply transitional measures must notify ESMA of the entities benefiting from these measures and the applicable conditions. The transitional period provides existing market participants with additional time to prepare and submit authorisation applications, but does not exempt them from the obligation to obtain MiCA authorisation.

Grandfathering Clause (Article 143(3))

Article 143(3) of MiCA establishes a grandfathering clause allowing crypto-asset service providers that were providing services in accordance with national law before 30 December 2024 to continue providing those services until 1 July 2026 or until they are granted or refused MiCA authorisation, whichever occurs first. This provision applies only in Member States that have chosen to implement the transitional measures.

To benefit from grandfathering, an entity must have been lawfully providing crypto-asset services under the national law of a Member State before 30 December 2024. The entity must have complied with any applicable national authorisation, registration, or notification requirements. Entities operating without any regulatory status or in breach of national law cannot benefit from grandfathering. The grandfathering clause allows the entity to continue providing the same services to the same categories of clients during the transitional period.

Grandfathered entities do not have MiCA authorisation status and therefore do not benefit from passporting rights. A grandfathered entity may only continue to provide services in the Member State(s) where it was previously authorised or operating under national law. The entity cannot expand its activities to new Member States or new services beyond those previously provided. Additionally, grandfathered entities must submit an application for MiCA authorisation; failure to do so before 1 July 2026 results in the obligation to cease providing crypto-asset services.

Member States applying the grandfathering clause must establish procedures for entities to notify their intention to rely on the transitional measures and must maintain a list of grandfathered entities. National competent authorities must communicate information about grandfathered entities to ESMA for inclusion in the interim MiCA register. Grandfathered entities remain subject to national supervision during the transitional period and must comply with any applicable national requirements, which may include certain MiCA-derived requirements that Member States have implemented in advance.

Grandfathering Period: 30 December 2024 to 1 July 2026 (or until authorisation granted/refused, if earlier). Available only in Member States that have opted to apply transitional measures. Does not confer MiCA authorisation status or passporting rights.

Simplified Authorisation Procedure (Article 143(6))

Article 143(6) of MiCA provides for a simplified authorisation procedure for crypto-asset service providers that were authorised or registered under national law on or before 30 December 2024. This provision aims to streamline the transition to MiCA authorisation for entities that have already been subject to regulatory oversight under national regimes.

Under the simplified procedure, the competent authority may take into account information and documentation already provided by the applicant in connection with its national authorisation or registration. This avoids duplication of information requests and reduces the administrative burden on both the applicant and the authority. However, the simplified procedure does not lower the substantive requirements for MiCA authorisation; the applicant must still demonstrate compliance with all MiCA requirements, and the competent authority must assess whether the entity meets these requirements.

The simplified procedure may result in shorter processing times if the competent authority is satisfied that information previously provided remains current and accurate and that the entity’s operations, governance, and controls meet MiCA standards. Applicants should clearly indicate in their application that they are seeking to benefit from the simplified procedure and should reference previously submitted information where relevant. Nevertheless, applicants must be prepared to provide additional information or documentation where the competent authority determines that previously submitted materials are insufficient to assess compliance with MiCA requirements.

Practical Considerations for Transitional Period

Entities considering reliance on transitional measures should carefully evaluate the benefits and limitations of grandfathering. While grandfathering provides additional time to prepare for MiCA compliance, it also entails significant constraints. Grandfathered entities cannot expand their activities to new Member States, limiting growth opportunities. The absence of passporting rights places grandfathered entities at a competitive disadvantage compared to MiCA-authorised competitors who can operate throughout the EU.

There is a risk of regulatory bottlenecks as the transitional period progresses. Many entities may delay submitting authorisation applications until closer to the 1 July 2026 deadline, potentially overwhelming national competent authorities with simultaneous applications. Processing delays could result in entities being unable to obtain authorisation before the deadline, forcing them to cease operations. To mitigate this risk, entities are well advised to commence preparation of authorisation applications as early as possible and to submit applications well in advance of the deadline.

Entities should also consider strategic questions regarding the jurisdiction in which to seek authorisation. Factors to consider include the location of existing operations, the regulatory approach and capacity of different national competent authorities, the business environment and market access in different Member States, and the availability of service providers and infrastructure. Some entities may determine that restructuring or relocating operations to a different Member State is advantageous before seeking authorisation. Such restructuring should be completed sufficiently in advance to allow time for the authorisation process.

Preparation for MiCA authorisation typically requires six to twelve months or more, depending on the complexity of the entity’s operations and the extent of gaps between current practices and MiCA requirements. Entities should conduct a comprehensive gap analysis, develop and implement necessary policies and procedures, enhance governance and control frameworks, ensure adequate capital and insurance, and prepare detailed documentation for the authorisation application. Engaging external advisors with expertise in MiCA compliance can accelerate preparation and improve the quality of the application.

Market Abuse Prevention in Crypto-Asset Markets

MiCA introduces a comprehensive market abuse regime for crypto-assets admitted to trading on a trading platform or for which a request for admission to trading has been made. This regime mirrors the Market Abuse Regulation (Regulation (EU) No 596/2014) applicable to financial instruments, adapted to the specific characteristics of crypto-asset markets. The market abuse provisions aim to ensure market integrity, protect investors, and promote fair and transparent trading conditions.

The market abuse regime applies to crypto-assets admitted to trading on trading platforms operated by authorised CASPs or for which admission has been requested. It covers insider dealing, unlawful disclosure of inside information, market manipulation, and related conduct. The provisions apply to any person engaging in such conduct, regardless of whether they are authorised under MiCA or located in the EU. National competent authorities are responsible for supervising compliance with market abuse provisions and investigating suspected violations.

Prohibition on Insider Dealing

MiCA prohibits insider dealing in relation to crypto-assets admitted to trading. Inside information is defined as information of a precise nature, which has not been made public, relating directly or indirectly to one or more issuers or to one or more crypto-assets, and which, if it were made public, would be likely to have a significant effect on the prices of those crypto-assets. Information is considered precise if it indicates circumstances that exist or may reasonably be expected to come into existence, or an event that has occurred or may reasonably be expected to occur, and is specific enough to enable a conclusion to be drawn as to the possible effect on prices.

Persons possessing inside information are prohibited from using that information by acquiring or disposing of, for their own account or for the account of a third party, crypto-assets to which that information relates. This prohibition applies both to direct trading and to cancelling or amending orders concerning crypto-assets to which the inside information relates. Additionally, persons possessing inside information are prohibited from recommending or inducing another person to engage in insider dealing, and from unlawfully disclosing inside information to another person.

Certain exceptions apply to the prohibition on insider dealing. Transactions conducted in the discharge of an obligation that has become due to acquire or dispose of crypto-assets where that obligation results from an agreement concluded before the person possessed inside information are permitted. Market sounding activities conducted in accordance with MiCA provisions are also permitted. Furthermore, the prohibition does not apply to transactions conducted in the discharge of good faith obligations or to buy-back programmes and stabilisation measures conducted in accordance with MiCA requirements.

Prohibition on Market Manipulation

MiCA prohibits market manipulation, defined broadly to encompass transaction-based manipulation, information-based manipulation, and other conduct that distorts or is likely to distort the market. Market manipulation includes entering into transactions or placing orders that give or are likely to give false or misleading signals as to the supply, demand, or price of crypto-assets, or that secure the price at an abnormal or artificial level.

Common forms of transaction-based manipulation in crypto-asset markets include wash trading, where an entity simultaneously or nearly simultaneously buys and sells the same crypto-asset to create the appearance of trading activity; spoofing, where orders are placed with the intent to cancel them before execution to manipulate prices; layering, where multiple orders at different price levels are placed to create a false impression of market depth; and pump and dump schemes, where the price of a crypto-asset is artificially inflated through misleading statements or coordinated buying, followed by selling at the inflated price.

Information-based manipulation includes disseminating information through media, including the internet and social media, which gives or is likely to give false or misleading signals as to crypto-assets, where the person disseminating the information knew or ought to have known that the information was false or misleading. This prohibition addresses the spread of false rumors, misleading statements, or deceptive information designed to influence crypto-asset prices. The use of social media and online forums to manipulate crypto-asset markets has been a significant concern, and MiCA’s market manipulation provisions apply to such conduct.

Examples of Transaction-Based Manipulation:

  • Wash Trading: Simultaneous buy and sell orders creating false trading volume
  • Spoofing: Placing orders with intent to cancel before execution
  • Layering: Multiple orders at different levels to create false market depth
  • Pump and Dump: Artificially inflating price through coordinated buying and misleading promotion

Examples of Information-Based Manipulation:

  • False Rumors: Spreading false information about projects or partnerships
  • Misleading Statements: Exaggerating capabilities or prospects of crypto-assets
  • Social Media Manipulation: Coordinated campaigns to influence sentiment
  • Fake News: Publishing fabricated news or announcements

Disclosure of Inside Information by Issuers

Issuers of crypto-assets admitted to trading on a trading platform must inform the public as soon as possible of inside information which directly concerns the issuer or the crypto-asset. The information must be disclosed in a manner that enables fast access and complete, correct, and timely assessment of the information by the public. Issuers must post and maintain the information on their website for a period of at least five years.

An issuer may delay disclosure of inside information if immediate disclosure is likely to prejudice the legitimate interests of the issuer, the delay is not likely to mislead the public, and the issuer is able to ensure the confidentiality of the information. Legitimate interests may include ongoing negotiations where disclosure would be likely to affect the outcome, and decisions taken or contracts made by the management body that require approval by another body, where disclosure would jeopardise the correct assessment of the information by the public. When disclosure is delayed, the issuer must notify the competent authority immediately after the information is disclosed and provide a written explanation of how the conditions for delay were met.

Suspicious Transaction and Order Reporting (STOR)

Crypto-asset service providers must establish and maintain effective arrangements, systems, and procedures to detect and report suspicious transactions or orders that might constitute insider dealing, unlawful disclosure of inside information, or market manipulation. When a CASP reasonably suspects that a transaction or order might constitute market abuse, it must notify the competent authority without delay.

The suspicious transaction or order report (STOR) must contain detailed information about the transaction or order, including the crypto-assets concerned, the persons involved, the reasons for suspicion, and any other relevant information. CASPs must implement systems to identify patterns of trading or orders that may indicate market abuse, taking into account the specific characteristics of crypto-asset markets such as high volatility and 24/7 trading. Staff members must be trained to recognise indicators of market abuse and to escalate suspicious activity.

Persons who report suspicious transactions or orders in good faith are protected from liability. The report does not constitute a breach of any restriction on disclosure of information and does not expose the reporting person to liability of any kind. This protection encourages CASPs and their employees to report suspicions without fear of legal consequences. Competent authorities must ensure the confidentiality of the identity of persons reporting suspicious transactions, subject to legal obligations to disclose information in the context of investigations or judicial proceedings.

Supervision and Enforcement Under MiCA

MiCA establishes a supervisory architecture combining national supervision by competent authorities in each Member State with coordination and convergence mechanisms at the European level through ESMA and EBA. This structure aims to ensure consistent application of MiCA across the EU while respecting the primary role of national authorities in day-to-day supervision.

Each Member State must designate one or more national competent authorities responsible for carrying out duties under MiCA and must notify ESMA of the designated authorities. National competent authorities are responsible for authorising and supervising crypto-asset service providers and issuers within their jurisdiction, investigating potential violations, and imposing sanctions. ESMA coordinates supervisory activities, promotes supervisory convergence through guidelines and recommendations, and maintains the centralised MiCA register. EBA has specific responsibilities regarding significant e-money token issuers and contributes to the development of technical standards.

Role of National Competent Authorities (NCAs)

National competent authorities are vested with extensive powers to carry out their supervisory functions under MiCA. These powers include the authority to access documents and information, conduct on-site inspections, require information from any person, require the cessation of conduct constituting a violation, impose periodic penalty payments, suspend or prohibit offerings or admissions to trading, and impose administrative sanctions.

NCAs must have the power to require CASPs, issuers, and other persons to provide all information necessary to carry out their duties, including access to premises, systems, and records. They may conduct investigations into potential violations of MiCA, including unannounced on-site inspections. NCAs must cooperate with each other and with ESMA in carrying out their duties, including in cross-border situations where a CASP operates in multiple Member States through passporting.

Each Member State must establish a single point of contact for cooperation with other competent authorities and with ESMA. This single point of contact facilitates information exchange, coordination of supervisory activities, and resolution of disputes between authorities. NCAs must respond to requests for information or assistance from other NCAs without undue delay. Where an NCA identifies conduct by a CASP operating in its territory under passporting rights that violates MiCA requirements, it must notify the home NCA and may take protective measures if the home NCA does not take adequate action.

ESMA's Role and the MiCA Register

ESMA plays a central coordinating role in the MiCA framework, promoting supervisory convergence and facilitating cooperation among national competent authorities. ESMA’s responsibilities include developing draft regulatory technical standards and implementing technical standards, issuing guidelines and recommendations, maintaining the centralised MiCA register, coordinating supervision of significant CASPs, and monitoring market developments.

The MiCA register is a centralised database maintained by ESMA containing information about authorised CASPs, issuers of asset-referenced tokens and e-money tokens, white papers notified or approved by competent authorities, and persons providing services without authorisation (non-compliant entities). The register enhances transparency and enables market participants and consumers to verify the regulatory status of entities offering crypto-asset services or issuing tokens.

During the transitional period until mid-2026, ESMA operates an interim MiCA register consisting of five CSV files updated weekly: white papers for other crypto-assets, issuers of asset-referenced tokens, issuers of e-money tokens, authorised CASPs, and non-compliant crypto-asset service providers. National competent authorities submit information to ESMA for inclusion in the register. The interim register is available on ESMA’s website as downloadable CSV files. From mid-2026, the register will be integrated into ESMA’s IT systems and will provide enhanced search and filtering capabilities.

ESMA also develops Level 2 and Level 3 measures essential for the implementation of MiCA. These include regulatory technical standards specifying detailed requirements on white paper content, authorisation procedures, own funds calculation, cooperation arrangements, and market abuse detection. ESMA has published consultation papers on three packages of technical standards, received public feedback, and submitted final reports to the European Commission for adoption. Additionally, ESMA issues guidelines on topics such as reverse solicitation, marketing communications, and supervisory practices to promote consistent application of MiCA.

| Register Type | Contents | Update Frequency |
|---|---|---|
| White Papers (Other Crypto-Assets) | White papers notified to NCAs for crypto-assets other than ART/EMT | Weekly |
| Asset-Referenced Token Issuers | Authorised issuers of ART and approved white papers | Weekly |
| E-Money Token Issuers | Authorised issuers of EMT and notified white papers | Weekly |
| Authorised CASPs | CASPs authorised under MiCA and services authorised | Weekly |
| Non-Compliant Entities | Persons providing services without authorisation | Weekly |

Penalties and Sanctions

MiCA requires Member States to establish rules on administrative penalties and other measures applicable to violations of the regulation and to ensure their effective implementation. Competent authorities must have the power to impose administrative penalties and other measures that are effective, proportionate, and dissuasive. For certain violations, the regulation sets a floor for the maximum administrative pecuniary penalty: the maximum available under national law may not be lower than the specified level.

For natural persons, the maximum administrative pecuniary penalty must be at least EUR 5 million or, in Member States whose currency is not the euro, the corresponding value in the national currency. For legal persons, the maximum penalty must be at least EUR 5 million or 3% of the total annual turnover according to the last available accounts approved by the management body, or in the case of issuers, 12.5% of the total annual turnover, whichever is higher. These amounts represent minimum thresholds; Member States may establish higher maximum penalties.

In determining the type and level of administrative penalties, competent authorities must take into account all relevant circumstances, including the gravity and duration of the violation, the degree of responsibility of the person responsible, the financial strength of the person responsible, the level of cooperation with the authority, and previous violations by the person responsible. Competent authorities must publish decisions imposing administrative penalties on their websites immediately after the person sanctioned has been informed, including information about the type and nature of the violation and the identity of the person sanctioned. However, publication may be delayed, published on an anonymous basis, or omitted where publication would cause disproportionate damage to the person or jeopardise ongoing investigations.

Member States may provide for criminal sanctions for violations of MiCA in addition to or instead of administrative penalties. Where both administrative and criminal penalties are applicable to the same conduct, the principle of ne bis in idem (prohibition of double jeopardy) must be respected. Persons subject to penalties have the right to an effective remedy and to a fair trial, including the right to appeal decisions imposing penalties.

Complaints Handling and Investor Protection

MiCA requires national competent authorities to establish procedures for receiving and handling complaints from clients of CASPs, holders of crypto-assets, and consumer associations concerning alleged violations of MiCA. These procedures must be easily accessible, transparent, and free of charge for complainants. Competent authorities must publish information about the complaints procedures on their websites, including contact details and the process for submitting complaints.

CASPs and issuers of asset-referenced tokens and e-money tokens must establish and implement effective and transparent complaints handling procedures for receiving, investigating, and responding to complaints from clients and holders. These procedures must be available in the official languages of the Member States where services are provided or tokens are offered. Complaints must be handled fairly, consistently, and promptly. The CASP or issuer must communicate the outcome of the investigation to the complainant in a clear and comprehensible manner.

National competent authorities may require CASPs and issuers to provide regular reports on complaints received, the subject matter of complaints, and the measures taken to address them. This information enables authorities to identify systemic issues, assess compliance with conduct requirements, and take supervisory action where necessary. Complainants who are not satisfied with the outcome of the complaints procedure may have recourse to alternative dispute resolution mechanisms or judicial proceedings, depending on the applicable national law.

Interaction with Other EU Financial Regulations

MiCA does not operate in isolation but forms part of a broader EU regulatory framework for financial services and digital finance. Crypto-asset service providers and issuers must comply not only with MiCA but also with other applicable EU and national legislation. Understanding the interaction between MiCA and other regulatory frameworks is essential for comprehensive compliance.

Key regulations interacting with MiCA include the Digital Operational Resilience Act (DORA), which establishes requirements for ICT risk management and operational resilience; the Transfer of Funds Regulation, which implements the travel rule for crypto-asset transfers; anti-money laundering directives and regulations; the General Data Protection Regulation (GDPR); and sectoral regulations such as MiFID II where crypto-assets qualify as financial instruments. Entities subject to MiCA must adopt a holistic approach to compliance, ensuring that their frameworks address all applicable requirements.

Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) becomes applicable on 17 January 2025, shortly after MiCA’s full application date. DORA establishes a comprehensive framework for managing ICT risks and ensuring operational resilience of financial entities, including crypto-asset service providers authorised under MiCA.

DORA imposes requirements across five key pillars: ICT risk management, requiring financial entities to establish comprehensive frameworks for identifying, protecting against, detecting, responding to, and recovering from ICT-related incidents; ICT-related incident reporting, requiring notification of major incidents to competent authorities within specified timeframes; digital operational resilience testing, requiring regular testing of systems, including advanced penetration testing for significant entities; ICT third-party risk management, requiring oversight of risks arising from use of ICT services provided by third parties; and information sharing arrangements, facilitating exchange of cyber threat information among financial entities.

For CASPs, DORA requirements complement and extend MiCA’s operational requirements. While MiCA requires CASPs to have systems and security access protocols and business continuity arrangements, DORA provides detailed specifications for ICT risk management frameworks, incident response procedures, and testing methodologies. CASPs must ensure their ICT governance, risk management, and control frameworks meet both MiCA and DORA requirements. The overlap between the two regulations necessitates integrated compliance approaches rather than separate siloed frameworks.

DORA also introduces oversight of critical ICT third-party service providers, such as cloud service providers, by the European Supervisory Authorities. CASPs using services from designated critical ICT third-party providers must ensure their contracts include provisions enabling compliance with DORA requirements and facilitating supervisory oversight. The combined effect of MiCA and DORA is to establish a robust framework for operational resilience and cyber security in crypto-asset markets.

| DORA Pillar | Key Requirements | Application to CASPs |
|---|---|---|
| ICT Risk Management | Comprehensive framework for identifying, protecting, detecting, responding, recovering from ICT risks | CASPs must establish ICT risk management frameworks covering all systems and processes |
| Incident Reporting | Notification of major ICT-related incidents to competent authorities | CASPs must report major incidents within specified timeframes (initial, intermediate, final reports) |
| Digital Resilience Testing | Regular testing including vulnerability assessments, penetration testing | CASPs must conduct regular testing; significant CASPs subject to advanced testing (TLPT) |
| Third-Party Risk Management | Oversight of ICT third-party service providers, contractual arrangements | CASPs must maintain register of ICT third-party providers, ensure appropriate contracts |
| Information Sharing | Exchange of cyber threat intelligence among financial entities | CASPs may participate in information sharing arrangements |

Transfer of Funds Regulation and the Travel Rule

Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the Transfer of Funds Regulation or TFR) becomes applicable on 30 December 2024, the same date as MiCA’s full application. The regulation implements the Financial Action Task Force (FATF) recommendation on the travel rule, requiring transmission of information about the originator and beneficiary of transfers.

The travel rule requires crypto-asset service providers to collect, verify, and transmit information about the originator and beneficiary when conducting transfers of crypto-assets on behalf of clients. The information required includes the name of the originator and beneficiary, the crypto-asset account number (wallet address) or unique transaction identifier, and the address, official personal document number, customer identification number, or date and place of birth of the originator and beneficiary.

The CASP of the originator must ensure that transfers of crypto-assets are accompanied by the required information about the originator and beneficiary. This information must be made immediately available to the CASP of the beneficiary. The CASP of the originator must verify the accuracy of the information about the originator based on documents, data, or information obtained from a reliable and independent source. The CASP of the beneficiary must implement effective procedures to detect whether information about the originator or beneficiary is missing or incomplete.

A significant challenge posed by the travel rule concerns transfers to or from unhosted wallets (self-hosted wallets not held with a CASP). The Transfer of Funds Regulation imposes specific requirements on CASPs when conducting transfers to unhosted wallets. For transfers exceeding EUR 1,000 to an unhosted wallet, the CASP must verify that the originator or beneficiary (as applicable) is the owner of the unhosted wallet. This verification requirement raises practical and technical challenges, as verifying ownership of an unhosted wallet is not straightforward. Industry participants are developing technical solutions to facilitate compliance, including the use of cryptographic proofs and attestations, but implementation remains complex.

The application of the travel rule to crypto-asset transfers without a de minimis threshold (unlike traditional funds transfers, which have a EUR 1,000 threshold for certain requirements) reflects the heightened AML/CFT risks associated with crypto-assets. CASPs must implement systems and procedures to collect, verify, store, and transmit the required information for every transfer. Interoperability between different CASPs’ systems is essential to enable seamless transmission of information. Industry initiatives such as the Travel Rule Universal Solution Technology (TRUST) and other protocols aim to facilitate compliance, but adoption varies.

No Minimum Threshold: The travel rule applies to all crypto-asset transfers regardless of amount. There is no de minimis exemption. CASPs must collect and transmit originator and beneficiary information for every transfer.
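
A sketch of the beneficiary-side completeness check described above, as an added example that is not taken from the regulation or from any CASP's system. The `Party` and `Transfer` types, the field names and the sample transfers are hypothetical, and the rules encode this page's summary of the required information, applied to every transfer regardless of amount.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Threshold this page gives for unhosted-wallet ownership verification.
UNHOSTED_OWNERSHIP_THRESHOLD_EUR = Decimal("1000")

# Per this page's summary, each party needs at least one of these attributes.
# The field names themselves are hypothetical.
IDENTIFYING_FIELDS = ("address", "document_number", "customer_id",
                      "birth_date_and_place")


@dataclass
class Party:
    name: Optional[str] = None
    wallet_address: Optional[str] = None
    address: Optional[str] = None
    document_number: Optional[str] = None
    customer_id: Optional[str] = None
    birth_date_and_place: Optional[str] = None
    unhosted: bool = False            # self-hosted wallet, not held with a CASP
    ownership_verified: bool = False  # result of the CASP's ownership check


@dataclass
class Transfer:
    amount_eur: Decimal
    originator: Party
    beneficiary: Party
    transaction_id: Optional[str] = None


def _blank(value) -> bool:
    """Treat None, empty and whitespace-only values as missing."""
    return value is None or not str(value).strip()


def party_findings(role: str, party: Party, transfer: Transfer) -> List[str]:
    """Return the missing or incomplete items for one party of a transfer."""
    findings = []
    if _blank(party.name):
        findings.append(f"{role}: name missing")
    # Wallet address OR unique transaction identifier must be present.
    if _blank(party.wallet_address) and _blank(transfer.transaction_id):
        findings.append(f"{role}: no wallet address or transaction identifier")
    if all(_blank(getattr(party, f)) for f in IDENTIFYING_FIELDS):
        findings.append(f"{role}: no identifying attribute")
    # Ownership verification applies only above EUR 1,000 and only to
    # unhosted wallets; every other check has no minimum amount.
    if (party.unhosted
            and transfer.amount_eur > UNHOSTED_OWNERSHIP_THRESHOLD_EUR
            and not party.ownership_verified):
        findings.append(f"{role}: unhosted wallet ownership not verified")
    return findings


def check_transfer(transfer: Transfer) -> List[str]:
    """Run the completeness check on both sides; an empty list means complete."""
    return (party_findings("originator", transfer.originator, transfer)
            + party_findings("beneficiary", transfer.beneficiary, transfer))


# Constructed sample data; names, wallets and identifiers are placeholders.
_ALICE = Party(name="Alice Example", wallet_address="WALLET-A",
               customer_id="C-1001")

SAMPLES = {
    "complete_small": Transfer(
        Decimal("25"), _ALICE,
        Party(name="Bob Example", wallet_address="WALLET-B",
              birth_date_and_place="1990-01-01, Lisbon")),
    "incomplete_small": Transfer(
        Decimal("40"), _ALICE,
        Party(name="   ", wallet_address="WALLET-C")),
    "unhosted_large": Transfer(
        Decimal("1500"), _ALICE,
        Party(name="Dana Example", wallet_address="WALLET-D",
              address="1 Sample Street", unhosted=True)),
    "unhosted_at_threshold": Transfer(
        Decimal("1000"), _ALICE,
        Party(name="Dana Example", wallet_address="WALLET-D",
              address="1 Sample Street", unhosted=True)),
}

if __name__ == "__main__":
    for label, transfer in SAMPLES.items():
        print(label, check_transfer(transfer) or "complete")
```

The EUR 40 sample is flagged even though it is far below EUR 1,000, while the EUR 1,000 unhosted transfer passes the ownership rule because that rule applies only to amounts exceeding the threshold.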

Anti-Money Laundering (AML) Requirements

Crypto-asset service providers are designated as obliged entities under EU anti-money laundering and counter-terrorist financing (AML/CFT) legislation, including the Fourth, Fifth, and Sixth Anti-Money Laundering Directives (4AMLD, 5AMLD, 6AMLD). CASPs must implement comprehensive AML/CFT frameworks including customer due diligence, ongoing monitoring, suspicious activity reporting, and record keeping.

Customer due diligence (CDD) requires CASPs to identify and verify the identity of customers before establishing a business relationship or conducting occasional transactions exceeding EUR 1,000. CDD measures include identifying the customer and verifying identity using reliable, independent source documents, data, or information; identifying the beneficial owner and taking reasonable measures to verify identity; and understanding and obtaining information on the purpose and intended nature of the business relationship. Enhanced due diligence measures must be applied in high-risk situations, such as where the customer is a politically exposed person, the customer is established in a high-risk third country, or the transaction or business relationship presents higher risks.

CASPs must implement ongoing monitoring of business relationships, scrutinising transactions to ensure they are consistent with the CASP’s knowledge of the customer, business, and risk profile. Unusual or suspicious transactions must trigger enhanced scrutiny and, where appropriate, filing of suspicious activity reports (SARs) to the financial intelligence unit (FIU). The threshold for suspicion is relatively low; CASPs must report where they know, suspect, or have reasonable grounds to suspect that funds are the proceeds of criminal activity or are related to terrorist financing.

The EU is in the process of adopting a new AML/CFT framework, including an AML Regulation (AMLR) that will be directly applicable in all Member States without need for transposition. The AMLR will harmonise AML/CFT requirements across the EU and will establish a new EU Anti-Money Laundering Authority (AMLA) responsible for supervisory convergence and direct supervision of certain high-risk entities. CASPs must monitor developments in EU AML/CFT legislation and prepare for the application of the new framework.

MiFID II and the Boundary with Financial Instruments

The boundary between MiCA and MiFID II is determined by the classification of crypto-assets as either crypto-assets not qualifying as financial instruments (MiCA scope) or financial instruments (MiFID II scope). This classification is critical because it determines the applicable regulatory framework, authorisation requirements, and conduct rules.

Crypto-assets that qualify as transferable securities, money market instruments, units in collective investment undertakings, derivatives, or other financial instruments under MiFID II are excluded from MiCA’s scope and remain subject to MiFID II and related legislation. Tokenised securities, security tokens representing equity or debt instruments, and crypto-assets providing rights similar to those of financial instruments typically fall within MiFID II scope. The classification requires case-by-case analysis considering the rights and obligations attached to the crypto-asset, the economic substance, and the reasonable expectations of holders.

Investment firms authorised under MiFID II may provide crypto-asset services without obtaining separate MiCA authorisation, provided they notify their competent authority of their intention to provide such services. However, these investment firms must comply with certain MiCA requirements, including conduct of business rules, conflicts of interest provisions, and safeguarding of client crypto-assets. This hybrid regime recognises that investment firms already subject to comprehensive regulation under MiFID II do not require full MiCA authorisation but should comply with crypto-asset-specific requirements.

ESMA has published guidelines to assist competent authorities and market participants in determining whether crypto-assets qualify as financial instruments. These guidelines analyse the application of MiFID II definitions to various types of crypto-assets and provide examples of classification. Market participants developing or issuing crypto-assets should carefully consider classification questions at the design stage, as classification determines the applicable regulatory framework and may significantly impact the feasibility and structure of the project.

Level 2 and Level 3 Measures: Technical Standards and Guidelines

MiCA, as Level 1 legislation, establishes the overarching regulatory framework and principles but delegates numerous detailed requirements to Level 2 measures (regulatory technical standards and implementing technical standards) and Level 3 measures (guidelines and recommendations). These measures are essential for understanding the practical application of MiCA and for achieving compliance.

Level 2 measures are adopted by the European Commission based on draft standards developed by ESMA or EBA. Regulatory technical standards (RTS) specify technical details of MiCA requirements and have binding legal effect. Implementing technical standards (ITS) establish uniform conditions for implementation and also have binding effect. Level 3 measures, including guidelines and recommendations issued by ESMA or EBA, do not have binding legal effect but establish best practices and promote supervisory convergence. Competent authorities and market participants are expected to comply with guidelines on a comply-or-explain basis.

MiCA contains over 50 mandates for ESMA and EBA to develop technical standards covering topics such as white paper content, authorisation procedures, own funds calculation, cooperation between competent authorities, market abuse detection, and many others. The development of these standards follows a structured process: ESMA or EBA publishes a consultation paper seeking stakeholder input, analyses responses, and publishes a final report containing the draft standards. The draft standards are submitted to the European Commission, which may adopt them with or without amendments. Adopted standards are published in the Official Journal and become legally binding.

Consultation Packages and Timeline

ESMA has organised the development of MiCA technical standards into three consultation packages, each addressing a cluster of related mandates. This approach facilitates stakeholder engagement and enables coherent development of interrelated standards.

Package 1, published in May 2023, addressed mandates related to white papers, authorisation of CASPs and ART issuers, and operational requirements. This package included draft standards on the content and format of white papers, the procedure for approval of white papers, the content of notifications for passporting, and the procedure for authorisation of CASPs. ESMA published the final report on Package 1 in December 2023 and submitted the draft standards to the Commission.

Package 2, published in November 2023, addressed mandates related to cooperation between competent authorities, information exchange, and supervisory reporting. This package included draft standards on the information to be exchanged between competent authorities, the procedures for cooperation in authorisation and supervision, and the content and format of notifications to ESMA. ESMA published the final report on Package 2 in July 2024.

Package 3, addressing mandates related to market abuse, investor protection, and conduct of business, was published for consultation in 2024. This package includes draft standards on suspicious transaction reporting, disclosure of inside information, and conflicts of interest. The final reports on Package 3 are expected in late 2024 or early 2025, with adoption by the Commission following thereafter.

The adoption and publication of technical standards is ongoing, with different standards becoming applicable at different times. Some standards apply from the date MiCA becomes applicable (30 December 2024), while others may have later application dates. Market participants must monitor the publication of adopted standards in the Official Journal and ensure compliance by the applicable dates.

Key Technical Standards Under Development

Among the numerous technical standards under development, certain standards are particularly important for market participants due to their practical impact on compliance obligations. Understanding the content and status of these standards is essential for preparation.

Authorisation and White Papers:

  • RTS on white paper content: Specifies detailed information to be included in white papers for different categories of crypto-assets, templates, and format requirements
  • ITS on white paper format: Establishes standard forms and templates for white papers to facilitate comparability
  • RTS on authorisation procedures: Details the information to be provided in authorisation applications for CASPs and ART issuers
  • ITS on cooperation in authorisation: Establishes procedures for cooperation between competent authorities in cross-border authorisation scenarios

Operational and Prudential Requirements:

  • RTS on own funds calculation: Specifies methods for calculating ongoing own funds requirements for CASPs
  • RTS on reserve assets: Details requirements for composition, custody, and valuation of reserve assets for ART issuers
  • RTS on conflicts of interest: Establishes criteria for identifying conflicts and measures for managing them
  • Guidelines on reverse solicitation: Clarifies when services are provided at client’s initiative without prior solicitation

Market Abuse and Supervision:

  • ITS on suspicious transaction reporting: Establishes standard forms and procedures for CASPs to report suspicious transactions to competent authorities
  • RTS on market soundings: Specifies procedures for conducting market soundings in compliance with insider dealing prohibitions
  • RTS on disclosure of inside information: Details requirements for issuers to disclose inside information to the public
  • ITS on cooperation between competent authorities: Establishes procedures for information exchange and coordination in supervision and enforcement

Practical Steps for MiCA Compliance

Achieving compliance with MiCA requires a systematic, structured approach involving assessment of current status, identification of gaps, development of implementation plans, and execution of necessary changes. Given the complexity and comprehensiveness of MiCA requirements, entities are well advised to commence preparation as early as possible to ensure readiness by the applicable dates.

The compliance process typically spans six to twelve months or more, depending on the entity’s current regulatory status, the scope of services or activities, and the extent of gaps between current practices and MiCA requirements. Entities that are already subject to regulatory oversight under national regimes may have shorter preparation timelines if their existing frameworks substantially align with MiCA requirements. Entities operating without prior regulatory authorisation or those expanding into new services will require more extensive preparation.

Step 1: Assess Your Current Regulatory Status

The first step in MiCA compliance preparation is to conduct a comprehensive assessment of your current regulatory status and determine whether MiCA authorisation is required. This assessment involves analysing your activities, the crypto-assets involved, your geographic scope of operations, and your current authorisations.

Key questions to address include: Do you issue crypto-assets to the public or seek admission to trading? If so, what category of crypto-assets (ART, EMT, or other)? Do you provide services related to crypto-assets on a professional basis? If so, which of the ten defined crypto-asset services? In which jurisdictions do you operate or intend to operate? Do you currently hold any regulatory authorisations or registrations under national law? Are you a credit institution, e-money institution, or investment firm already authorised under other EU legislation?

Classification of crypto-assets is a critical component of this assessment. Determine whether your tokens qualify as crypto-assets under MiCA or as financial instruments under MiFID II. If they are crypto-assets, determine whether they are asset-referenced tokens, e-money tokens, or other crypto-assets. This classification determines the applicable requirements and authorisation procedures. For entities providing services, identify which of the ten crypto-asset services you provide or intend to provide, as this determines the scope of authorisation required and the applicable prudential and operational requirements.

Key Assessment Questions:
– What activities do you conduct? (Issuing tokens, providing services, both?)
– What types of crypto-assets are involved?
– Where do you operate? (Which Member States?)
– Do you have existing authorisations?
– Are you eligible for exemptions or transitional measures?

Step 2: Conduct a Gap Analysis

Once you have determined that MiCA authorisation is required, conduct a detailed gap analysis comparing your current state against MiCA requirements. This analysis should cover all relevant areas including governance, policies and procedures, systems and controls, capital and insurance, client asset protection, AML/CFT, and documentation.

For governance, assess whether your management body has the required collective knowledge, skills, and experience; whether members of the management body meet fit and proper criteria; whether your organisational structure has clear lines of responsibility; and whether you have adequate risk management, compliance, and internal audit functions. For policies and procedures, review existing policies against MiCA requirements and identify areas where new policies must be developed or existing policies must be enhanced. Key policy areas include conflicts of interest, complaints handling, best execution, outsourcing, business continuity, ICT security, and market abuse detection.

For systems and controls, assess whether your IT systems and security protocols meet MiCA and DORA requirements; whether you have adequate systems for safeguarding client assets, including segregation and custody arrangements; whether you have systems for monitoring transactions and detecting suspicious activity; and whether you have systems for record keeping and reporting to competent authorities. For prudential requirements, calculate your initial capital and ongoing own funds requirements based on the services you intend to provide and assess whether you meet these requirements. Determine whether you need professional indemnity insurance and, if so, the required coverage amount.

Document the results of the gap analysis in a structured format, identifying each requirement, your current state, the gap, the actions needed to close the gap, the responsible person or team, and the target completion date. Prioritise gaps based on their criticality, complexity, and the time required to address them. This gap analysis serves as the foundation for your implementation plan.

Step 3: Develop Implementation Plan

Based on the gap analysis, develop a comprehensive implementation plan detailing the actions required to achieve MiCA compliance, responsibilities, timelines, and resource requirements. The plan should be structured around workstreams corresponding to major areas of compliance, such as legal and regulatory, operational, IT and systems, human resources, and finance.

For each workstream, define specific activities, assign responsibility to individuals or teams, establish target completion dates, and identify dependencies between activities. Establish a governance structure for the implementation project, including a steering committee with senior management representation, regular progress reviews, and escalation procedures for issues and delays. Allocate sufficient resources, including internal staff time and external advisors where necessary, to execute the plan.

Work backwards from your target authorisation date to establish a realistic timeline. If you intend to apply for authorisation as early as possible to avoid potential bottlenecks, your target application date might be in the first half of 2025. Allow sufficient time for preparation of the authorisation application (typically 2-4 months), implementation of policies and procedures (3-6 months), and any necessary structural changes or capital raising (variable depending on circumstances). Build buffer time into the schedule to accommodate unforeseen delays or issues identified during implementation.

Step 4: Prepare Authorisation Application

Preparation of the authorisation application is a critical phase requiring careful attention to detail and completeness. The application must demonstrate that you meet all MiCA requirements and must provide the competent authority with sufficient information to assess your suitability for authorisation.

The application must include a programme of operations specifying the crypto-asset services to be provided, the organisational structure, and the business model. The programme should describe your target markets, projected volumes, revenue model, and growth plans. Include a detailed description of governance arrangements, including the composition and responsibilities of the management body, the organisational structure showing reporting lines and functions, and the roles and responsibilities of key personnel including compliance, risk management, and internal audit functions.

Provide comprehensive policies and procedures covering all areas required by MiCA, including conflicts of interest, complaints handling, best execution, safeguarding of client assets, outsourcing, business continuity, AML/CFT, and market abuse detection. These policies should be tailored to your specific activities and risks, not generic templates. Include evidence of initial capital and ongoing own funds, such as audited financial statements, bank statements, or capital commitment letters. Provide fit and proper documentation for all members of the management body, including CVs, criminal record checks, references, and declarations of good repute.

Describe your IT systems and security protocols, including system architecture diagrams, security measures, access controls, and business continuity and disaster recovery arrangements. If you use third-party service providers for critical functions, provide copies of outsourcing agreements and describe your oversight arrangements. Include evidence of professional indemnity insurance or comparable guarantee, such as insurance certificates or policy documents. Ensure all documentation is clear, complete, and consistent. Inconsistencies or gaps will result in requests for additional information, delaying the authorisation process.

Step 5: Implement and Test

Implementation involves putting in place the systems, procedures, and controls described in your policies and authorisation application. This phase includes configuring IT systems, training staff, establishing governance committees, and operationalising procedures. Implementation should be completed before submitting the authorisation application to ensure that you can demonstrate operational readiness.

Conduct testing to validate that systems and controls function as intended. Testing should cover IT systems (functionality, security, performance), operational procedures (execution of processes, escalation procedures), and controls (effectiveness of monitoring, detection of anomalies). Conduct dry runs of critical processes such as client onboarding, transaction monitoring, suspicious transaction reporting, and incident response. Document the results of testing and address any issues or deficiencies identified.

Provide training to all staff on MiCA requirements, your policies and procedures, and their roles and responsibilities. Training should be tailored to different roles; for example, front-office staff need training on conduct of business rules and client interactions, while operations staff need training on transaction monitoring and reporting procedures. Maintain records of training provided, including attendance records and training materials, as competent authorities may request evidence of staff training during the authorisation process or ongoing supervision.

Step 6: Ongoing Compliance and Monitoring

Achieving MiCA authorisation is not the end of the compliance journey but the beginning of ongoing obligations. Authorised entities must maintain compliance with all MiCA requirements on a continuous basis and must adapt to evolving regulatory expectations and market developments.

Ongoing obligations include regular reporting to the competent authority, such as financial statements, own funds calculations, and information on significant events or changes; maintaining adequate own funds and professional indemnity insurance at all times; updating policies and procedures to reflect changes in activities, risks, or regulatory requirements; conducting regular reviews and audits of compliance frameworks and controls; and responding to supervisory requests and inspections by the competent authority.

Establish a compliance monitoring programme to ensure ongoing adherence to MiCA requirements. This programme should include regular compliance reviews covering key areas such as capital adequacy, client asset protection, conflicts of interest, and conduct of business; periodic audits by internal audit or external auditors; and key risk indicators and metrics to identify emerging compliance issues. Implement a process for tracking regulatory developments, including adoption of new technical standards, publication of ESMA guidelines, and supervisory communications. Assess the impact of regulatory changes on your activities and implement necessary adaptations.

Foster a culture of compliance within the organisation, with tone from the top emphasising the importance of regulatory compliance and ethical conduct. Ensure that compliance is integrated into business processes and decision-making, not treated as a separate or secondary consideration. Provide ongoing training and communication to staff on compliance matters and encourage reporting of compliance concerns or incidents without fear of retaliation.

Key Takeaways and Recommendations

MiCA represents a landmark development in the regulation of crypto-assets, establishing the first comprehensive, harmonised regulatory framework at the European Union level. The regulation becomes fully applicable on 30 December 2024, with provisions for asset-referenced tokens and e-money tokens having applied since 30 June 2024. MiCA affects a broad range of market participants, including issuers of crypto-assets, crypto-asset service providers, trading platforms, and persons providing advisory or custody services.

Key features of MiCA include mandatory white paper disclosure for all crypto-assets offered to the public or admitted to trading; authorisation requirements for issuers of asset-referenced tokens and all crypto-asset service providers; comprehensive operational, prudential, and conduct requirements for authorised entities; passporting rights enabling cross-border provision of services throughout the EU; market abuse provisions prohibiting insider dealing and market manipulation; and a supervisory framework combining national supervision with European coordination.

Entities subject to MiCA are well advised to commence compliance preparation immediately. The regulation’s requirements are extensive and implementation requires significant time and resources. Delaying preparation increases the risk of being unable to obtain authorisation by required deadlines, potentially forcing cessation of operations. Key recommendations include conducting a comprehensive assessment of your regulatory status and classification of crypto-assets or services; performing a detailed gap analysis comparing current practices against MiCA requirements; developing and executing a structured implementation plan with clear timelines and responsibilities; preparing a complete and high-quality authorisation application; and engaging external advisors with MiCA expertise where necessary to accelerate preparation and ensure compliance.

Do not rely solely on transitional measures or grandfathering provisions. While these provisions provide additional time, they also impose significant limitations, including the absence of passporting rights and competitive disadvantages compared to MiCA-authorised entities. Regulatory bottlenecks are likely as the transitional period progresses, with many entities submitting applications simultaneously. Early preparation and application submission mitigate this risk and position you for competitive advantage.

Adopt a holistic approach to compliance, recognising that MiCA does not operate in isolation. Entities must also comply with DORA, the Transfer of Funds Regulation, AML/CFT requirements, GDPR, and other applicable legislation. Integrated compliance frameworks addressing all relevant requirements are more efficient and effective than siloed approaches. Monitor ongoing regulatory developments, including adoption of Level 2 and Level 3 measures, ESMA Q&As, and supervisory communications. The regulatory landscape continues to evolve, and entities must adapt to new requirements and expectations.

  • Full Application Date: 30 December 2024 (time to prepare is limited)
  • Passporting Rights: Single authorisation enables EU-wide operations
  • No Third-Country Regime: Non-EU firms must establish EU entity

Frequently Asked Questions (FAQ)

MiCA entered into force on 29 June 2023. Provisions relating to asset-referenced tokens (ART) and e-money tokens (EMT) became applicable on 30 June 2024. All remaining provisions, including those governing other crypto-assets and crypto-asset service providers (CASPs), become applicable on 30 December 2024. From these dates, the respective requirements are legally binding and must be complied with.

If you are currently providing crypto-asset services under a national authorisation or registration, you will need to obtain MiCA authorisation to continue providing services after 30 December 2024. However, if your Member State applies transitional measures (grandfathering), you may continue providing services until 1 July 2026 or until you are granted or refused MiCA authorisation, whichever occurs first. You must submit an application for MiCA authorisation during this transitional period. If you are a credit institution or investment firm already authorised under EU legislation, you may provide crypto-asset services without separate MiCA authorisation but must notify your competent authority and comply with certain MiCA requirements.

MiCA does not establish a third-country regime or equivalence framework. Non-EU firms cannot obtain MiCA authorisation to provide services in the EU on a cross-border basis. To actively provide crypto-asset services to EU clients, non-EU firms must establish a legal entity in an EU Member State and obtain MiCA authorisation from the competent authority of that Member State. The only exception is reverse solicitation, where services are provided entirely at the client’s own initiative without any prior marketing or solicitation by the firm. However, this exception is narrowly interpreted and does not permit any form of advertising or promotion in the EU.

Asset-referenced tokens (ART) are crypto-assets that purport to maintain a stable value by referencing another value or right, or a combination thereof, including one or more official currencies. They may reference a basket of currencies, commodities, or other assets. E-money tokens (EMT) are a specific subset of asset-referenced tokens that reference only one official currency. EMT must allow redemption at par value at any time and may only be issued by credit institutions or e-money institutions. ART have more flexible redemption arrangements and may be issued by other authorised entities. Both categories are subject to stringent requirements due to their potential systemic importance.

Initial capital requirements for CASPs vary depending on the services provided: EUR 50,000 for reception and transmission of orders or advice; EUR 125,000 for execution of orders, placement, or operation of a trading platform; and EUR 150,000 for custody, portfolio management, exchange services, or transfer services. On an ongoing basis, CASPs must hold own funds equal to at least the higher of the initial capital requirement or one quarter of the fixed overheads of the preceding year. Additionally, CASPs must hold professional indemnity insurance or an equivalent amount of own funds to cover liability arising from professional negligence.

The competent authority has 25 working days to assess whether an application is complete. Once deemed complete, the authority must make a decision within 40 working days, which may be extended by an additional 20 working days in complex cases. Therefore, the minimum timeline from submission of a complete application to decision is approximately two months, but may extend to three months or more in complex cases. This timeline does not include the time required to prepare the application, which typically takes several months. Entities should allow at least six months from commencement of preparation to receipt of authorisation.

Providing crypto-asset services without the required MiCA authorisation constitutes a breach of the regulation and may result in administrative penalties, criminal sanctions under national law, and inclusion in ESMA’s register of non-compliant crypto-asset service providers. Competent authorities have the power to impose cease and desist orders, prohibit the provision of services, and impose substantial financial penalties. Maximum administrative penalties are at least EUR 5 million for natural persons or, for legal persons, the higher of EUR 5 million or 3% of total annual turnover. Additionally, operating without authorisation may expose the entity to civil liability to clients and may result in inability to enforce contracts.

Grandfathering provisions under Article 143(3) of MiCA allow entities that were lawfully providing crypto-asset services under national law before 30 December 2024 to continue providing those services until 1 July 2026 or until granted or refused MiCA authorisation, whichever occurs first. However, grandfathering is only available in Member States that have chosen to apply transitional measures. Grandfathered entities do not have MiCA authorisation status and therefore do not benefit from passporting rights; they may only operate in the Member State(s) where they were previously authorised. Entities must submit an application for MiCA authorisation during the transitional period. Relying solely on grandfathering without preparing for MiCA authorisation is risky and may result in competitive disadvantage.

The MiCA Register is a centralised database maintained by ESMA containing information about authorised CASPs, issuers of asset-referenced tokens and e-money tokens, white papers, and non-compliant entities. The register enhances transparency and enables market participants and consumers to verify regulatory status. During the transitional period until mid-2026, the register is available as a collection of CSV files updated weekly and downloadable from ESMA’s website. From mid-2026, the register will be integrated into ESMA’s IT systems with enhanced search and filtering capabilities. The register is publicly accessible free of charge.

The Digital Operational Resilience Act (DORA) becomes applicable on 17 January 2025 and applies to crypto-asset service providers authorised under MiCA. DORA establishes comprehensive requirements for ICT risk management, incident reporting, digital resilience testing, third-party risk management, and information sharing. While MiCA requires CASPs to have systems and security protocols and business continuity arrangements, DORA provides detailed specifications for these requirements. CASPs must ensure their frameworks comply with both MiCA and DORA. The two regulations are complementary, with DORA providing the detailed operational resilience framework that supports MiCA’s broader regulatory objectives.

Additional Resources and Further Reading

The following resources provide authoritative information on MiCA and related regulatory developments. Market participants are encouraged to consult these sources regularly to stay informed of the latest developments.

Official Texts and Legislation:

  • Regulation (EU) 2023/1114 on markets in crypto-assets (MiCA) – Full text available on EUR-Lex
  • Directive 2014/65/EU (MiFID II) – Markets in Financial Instruments Directive
  • Regulation (EU) 2022/2554 (DORA) – Digital Operational Resilience Act
  • Regulation (EU) 2023/1113 – Transfer of Funds Regulation
  • Directive 2009/110/EC – E-Money Directive

ESMA Resources:

  • ESMA MiCA webpage – Comprehensive information on MiCA implementation
  • MiCA Register – Database of authorised entities and white papers
  • Consultation Papers – Packages 1, 2, and 3 on technical standards
  • Final Reports – Adopted technical standards submitted to Commission
  • Q&As on MiCA – Answers to frequently asked questions
  • Guidelines on classification of crypto-assets as financial instruments

EBA Resources:

  • EBA webpage on crypto-assets and MiCA
  • Consultation papers on technical standards (EMT-related mandates)
  • Guidelines on AML/CFT for crypto-asset service providers

National Competent Authorities:

  • List of designated NCAs by Member State – Available on ESMA website
  • National authority websites – Information on authorisation procedures and transitional measures
  • Complaints procedures – Contact details for filing complaints

Industry Guidance:

  • Industry association publications on MiCA compliance
  • Legal and compliance guidance from law firms and consultancies
  • Technical solutions for travel rule compliance (TRUST, other protocols)
  • Training and educational resources on MiCA requirements

Disclaimer: This content is provided for informational purposes only and does not constitute legal, regulatory, or professional advice. The information presented is based on publicly available sources and represents the authors’ understanding of MiCA as of the date of publication. MiCA is a complex regulation, and its application depends on specific facts and circumstances. Market participants should seek professional legal and regulatory advice tailored to their specific situation before making decisions based on this information. Regulatory requirements continue to evolve through adoption of Level 2 and Level 3 measures, and readers should verify the current status of requirements with competent authorities and official sources.