MiCA Licence in Germany

On 20 April 2023, the European Parliament adopted Regulation ( EU ) 2023/1114 on the regulation of markets in cryptoassets (MiCA). The Council of the European Union approved it on 16 May 2023. The Regulation was published in the Official Journal of the European Union on 9 June 2023 and entered into force on 29 June 2023.
The European Commission presented a legislative proposal for MiCA on 24 September 2020 as part of the financial sector digitalisation package. In addition to the MiCA proposal, the package includes the Digital Operational Resilience Act (DORA), a proposal for a pilot regime for market infrastructures based on distributed ledger technology (DLT) and a digital finance strategy. MiCA aims to create a harmonised European regulatory framework for cryptoassets that will foster innovation and enable the realisation of the potential of cryptoassets, while ensuring financial stability and investor protection.

MiCA distinguishes between primary market activities, i.e. the issuance of cryptoassets, and secondary market services, so-called cryptoasset-related services. In particular, MiCA regulates transparency and disclosure requirements for the issuance and trading of cryptoassets, licensing and supervision requirements for cryptoasset service providers (CASPs) and cryptoasset issuers, the proper organisation of the business of cryptoasset issuers and service providers, rules to protect investors and consumers in the issuance, trading and custody of cryptoassets, and rules against abuse on crypto trading venues.

Different MiCA rules apply at different times.

The provisions on asset-backed tokens (“ARTs”) and electronic money tokens (“EMTs”) in Title III and Title IV apply from 30 June 2024.

The provisions relating to the authorisation and ongoing supervision of CASPs in Section V apply from 30 December 2024. All other MiCA provisions (in particular Title II and Title VI) that do not apply directly under Article 149(4) MiCA also come into force from 30 December 2024. In addition, certain articles have already entered into force as of 29 June 2023.

The Cryptocurrency Market Surveillance Act, which is a national supplement to the MiCA, was published in the Federal Legislative bulletin on 27 December 2024. In parallel, the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) are developing regulatory and technical standards, implementation standards and guidelines to further clarify the application of MiCA.

Markets in crypto assets regulations from 30 June 2024 in Germany

Part 1: Asset-Related Tokens (ART) and Electronic Money Tokens (EMT)

The responsible authority for the authorisation procedures under Articles 16 et seq. of the MiCA , as well as for the reviews of official documents under Article 17(1)(a) of the MiCA, is Unit ZK 1 of the BaFin Banking Supervision Authority and the relevant regional office of Deutsche Bundesbank, as published in the Federal Gazette on 22 March 2024, with respect to the specific provisions on the ongoing supervision of certain undertakings by the regional offices of Deutsche Bundesbank .

Part 2: Cryptocurrencies other than asset-backed tokens (ART) and electronic money tokens (EMT)

Providers of cryptoassets other than ART or EMT , as well as persons applying for admission to trading in such cryptoassets, must prepare a white paper at least 20 business days before the publication of the white paper of the cryptoasset in accordance with Article 8(5) MiCA and submit it to BaFin as competent authority in accordance with Article 8(1) MiCA . Possible exceptions are governed by Article 4 of the MiCA. At the request of BaFin, marketing communications must be submitted in accordance with Article 8(2). In addition, the submitted white paper must include an explanation in accordance with Article 8(4) MiCA explaining why the cryptoasset is excluded from the scope of Article 2(4) MiCA and why it is not an ART or EMT . In addition, a list of all EU Member States in which the cryptoasset is publicly offered or requested to be admitted to trading must be provided.

Division ZK 1 of the Banking Supervision Department of the Federal Financial Supervisory Authority (BaFin) is responsible for the approval procedures and review of official documents.

Part 3: Crypto Asset Service Provider (CASP)

For institutions already providing cryptoasset-related financial services or for firms planning to provide cryptoasset-related services, the application of MiCA will entail a number of changes. In particular, MiCA authorisation will be required to provide crypto-asset-related services.

Institutions authorised to provide cryptocurrency custody services or other financial services related to cryptoassets

Institutions that held a licence for cryptocustodial business or other financial services related to cryptoassets as at 29 December 2024 and are not CRR credit institutions may use the simplified procedure under Article 143 (6) MiCA in conjunction with section 50 ( 3 ) KMAG – Draft . For these institutions, the procedure is based on a draft regulation implementing the simplified procedure under Article 143(6) of Regulation ( EU ) 2023/1114 . The draft Regulation regulates, inter alia, the content of the application. Until they receive MiCA authorisation, these institutions may continue to provide activities previously covered by a licence under the Banking Act at national level on a temporary basis (i.e. limited to no later than 31 December 2025) under a transitional arrangement.

Existing institutions that intend to make notifications under Article 60 of MiCA

Existing institutions that are permitted to provide cryptoasset services under Article 60 MiCA, i.e. CRR credit institutions, authorised central securities depositories, securities institutions, e-money institutions, UCITS management companies, alternative investment fund managers or authorised trading venue market operators, must provide BaFin with the information required by Article 60(7 ) MiCA at least 40 business days before the initial provision of the cryptoasset service. The timing of the notification procedure is governed by Article 60 MiCA. If you are an institution under Articles 60(1) to (6) MiCA and have questions about the notification procedure under Article 60 MiCA, please contact your responsible institution manager at BaFin or the Deutsche Bundesbank regional office responsible for the institution.  If your institution wishes to submit a notification under Article 60 MiCA, please send the template together with information to the Deutsche Bundesbank regional office responsible for the institution in accordance with the information published in the Federal Gazette of 22 March 2024 on the special conditions for the ongoing supervision of certain undertakings by the Deutsche Bundesbank regional offices.

Applicants pending applications under section 32 of the German Banking Act (KWG) relating to cryptoasset services

From 30 December 2024, MiCA authorisation is required for the provision of crypto asset management services. Applicants should therefore adapt their organisation, processes and related documentation to MiCA requirements at an early stage. An application for authorisation must be made in accordance with Article 62 of MiCA. Reference may be made to information or documents already submitted, provided that the information and documents available remain up to date. The timing of the authorisation procedure is governed by Article 63 MiCA. An application for the current authorisation procedure under section 32 of the German Banking Act (KWG) must be withdrawn unless the company intends to provide qualified cryptocurrency custody services in accordance with section 1 ( 1a ) sentence 2 no. 6 KWG. The application procedure for the authorisation itself is subject to a fee and also entails an obligation to pay a fee in case of revocation.

New applicants (non-existing organisations) intending to provide cryptoasset services under MiCA

Companies intending to provide cryptoasset services under MiCA require authorisation under Article 59(1) ( a) in conjunction with Article 63 of MiCA.

ESMA Register

ESMA regularly publishes the following information:

• • Cryptocurrency white papers for cryptocurrencies other than asset-linked tokens or e-money tokens,
  • Issuers of asset-linked tokens,
  • Issuers of e-money tokens and
  • Cryptoasset service provider

Companies that have obtained a MiCA licence in Germany

MiCA market in crypto assets in Germany 2025

BaFin declares that the following guidelines of the European Supervisory Authorities (“ESAs”) in relation to MiCA are directly applicable.

Germany is finalising the institutionalisation of the transition to a single European regulatory regime for cryptoassets under Regulation (EU) 2023/1114 (MiCA) through the development of accompanying secondary legislation governing the admission of cryptocurrency service providers. The draft of this transition contains rules to ensure technical and procedural enforcement of MiCA provisions through national legislation Kryptomärkteaufsichtsgesetz (KMAG), which comes into force on 30 December 2024. The main objective of the regulation is to organise a smooth and legally secure integration of existing cryptocurrency market operators into the new EU supervisory framework. In this context, two key tools are envisaged: firstly, the creation of a simplified licensing procedure for companies already holding national authorisations; secondly, the early opening of applications for European licences before the MiCA application date. The simplified licensing procedure is intended for entities which, at the time of the commencement of the MiCA, hold a valid licence to provide cryptocurrency services in accordance with § 1a KWG, but do not have other financial authorisations allowing them to undergo the so-called notification procedure. On the basis of Article 143 paragraph 6 MiCA and § 50 KMAG, a mechanism is being introduced whereby such companies can submit a simplified set of documents and move into the new licence environment without having to undergo a full assessment of all aspects of their business again. The simplified procedure requires the firm to confirm that there are no changes to its business model, submit an updated business plan, documentation on risk management and internal controls, and information on key functions ranging from compliance with cybersecurity and client protection standards to asset handling and order execution rules. It is possible to submit a simplified application until 31 August 2025. However, a licence issued under this procedure may not take effect until 30 December 2024, the MiCA commencement date. Companies that do not fulfil the criteria of the simplified procedure must go through the full authorisation procedure provided for in Articles 62 and 63 of MiCA.

The second part of the regulation deals with the submission of applications before MiCA comes into force. This provision has important practical implications as it allows both existing companies and new market entrants to initiate the licensing process in advance. As a result, BaFin and Deutsche Bundesbank will be able to analyse the submitted documents and enter into a dialogue with applicants before MiCA becomes legally enforceable. This decision aims to minimise delays in the start of operations and ensure a smooth launch of cross-border crypto services across the European Union. The draft focuses on the division of competences between BaFin and the Bundesbank, including in terms of data exchange, reporting processing, verification of compliance conditions, internal audit controls and assessing the adequacy of management decisions. It emphasises the need to submit information electronically and in accordance with the procedures approved by the supervisory authorities on their official platforms. The draft also sets out provisions to amend existing regulations governing BaFin’s powers, including the power of to issue by-laws on accounting, notifications, settlement procedures and internal controls. Such changes represent a technical implementation of the legal rules laid down in KMAG and complement the institutional framework for the transition to MiCA.

Notably, the draft law does not imply a significant additional burden for businesses. According to the regulator’s assessment, the administrative costs for companies do not go beyond standard reporting, and the scope of the new duties is in the nature of adjustments to already existing mechanisms. There are also no social, demographic or gender implications, as the regulation regulates only business processes and licensing of crypto market entities. The draft emphasises the role of sustainability and transparency as pillars of the legal and technological development of the sector. In particular, it draws attention to the fact that MiCA establishes preferences for environmentally friendly transaction validation models, which is part of Germany’s sustainability strategy. The legal transformation of the cryptocurrency infrastructure is seen as an opportunity to strengthen investor confidence and enhance systemic stability at the level of the entire EU internal market. The proposed regulations thus ensure legal continuity, transparency and predictability for all participants in the cryptocurrency sector in Germany. They avoid a legal gap when MiCA comes into force and ensure that regulation is not based on a mechanical transposition of provisions, but on adapted procedures that ensure compliance with the specificities of the German legal and financial system. This will further strengthen Germany’s position as one of the key cryptocurrency centres in the EU with a high degree of legal certainty, a developed supervisory system and a favourable environment for technological growth in virtual assets.

Cryptocurrency regulation in Germany 2025

The German Federal Parliament has approved the Financial Market Digitalisation Act (Finanzmarktdigitalisierungsgesetz – FinmadiG), initiating a structural reform of the supervision of the cryptocurrency sector. The new law establishes a legal framework for the application and integration of European legislation, primarily Regulation (EU) 2023/1114 (MiCA), into the German national regulatory system. In addition to MiCA, the law covers the provisions of Regulation (EU) 2023/1113 on data transfer in cryptocurrency transfers and Regulation (EU) 2022/2554 on digital operational resilience (DORA – Digital Operational Resilience Act), as well as Directive (EU) 2022/2556, to be transposed into national law by the beginning of 2025. The aim of the reform is not only to simplify access to cryptocurrency and tokenised financial products, but also to create uniform and transparent rules for market participants across the EU. Germany, following this course, is introducing a special legal instrument, the Kryptomärkteaufsichtsgesetz (KMAG), which replaces previously fragmented regulation under separate laws, including the credit law (KWG) and financial services regulations. The fundamental difference in the new legislation is the replacement of national licensing of cryptocurrency services with a system of directly applicable European law. The law enshrines BaFin’s legal status as an authorised supervisory authority in relation to the activities of cryptocurrency service providers, trading platforms and issuers of tokens. For the first time, a holistic system of procedures for issuing, revoking and monitoring licences, harmonised with MiCA, is introduced. The federal agency has been given enhanced supervisory powers, including the right to order the immediate cessation of illegal activities, publish information on violators, block domains and restrict access to online platforms if necessary to protect token holders or prevent systemic risks. One of the significant aspects of the law is the redefinition of the role of the traditional concepts of banking and financial activities in relation to cryptoassets. KMAG establishes a special regime for issuers of stablecoins and electronic money tokens and clearly distinguishes their legal position in comparison to classical financial instruments. The law takes into account the cross-border nature of crypto-services and allows for supervision by other authorities, including the Deutsche Bundesbank, market supervisors, competition authorities and cybersecurity services.

The law enshrines the need for digital operational resilience requirements, including obligations on IT risk management, data protection, business continuity, stress testing of digital infrastructure and outsourcing controls. These provisions are in line with the DORA Regulation and affect not only cryptocurrency platforms but all financial institutions providing digital services. An important change is also the inclusion of cryptocurrency service providers among the entities obliged to comply with anti-money laundering (GwG) legislation. This includes customer identification, keeping records of transactions, transferring transaction data in accordance with the updated European mechanism (provisions of Regulation 2023/1113), and controlling transfers involving non-custodial wallets.

The law provides for adaptation mechanisms for existing market participants. The transition period is intended to provide a simplified process for reauthorisation or bringing activities into compliance with the new standards. A temporary exemption from certain restrictions on financial products and services is also provided to ensure business continuity during the period of structural transformation. Additionally, a number of changes are made to existing sector-specific regulations: the Securities Act (WpHG), the Credit Institutions Act (KWG), the Regulation of Investment Funds (KAGB), the Insurance Supervision Regulations (VAG), and the laws governing trading, accounting and crisis management. These changes ensure that KMAG is harmonised with other parts of German financial legislation and eliminate duplication.

In the financial and economic part, the law fixes moderate additional administrative costs for both supervisory authorities and market participants. For businesses, the estimated increase in the costs of complying with the new duties is around EUR 600 thousand per year, of which almost half is related to the fulfilment of the new information duties. For the state, there are also costs for organising supervision, including one-off costs for staff training, IT infrastructure and administrative procedures. Thus, the Financial Act on Market Digitalisation is a systemic legal reform that ensures the transition from partial national regulation to full legal embedding of the crypto-economy in the institutional framework of European Union financial supervision. It aims to increase transparency, legal certainty, operational reliability and investor protection in the face of the rapid growth of transactions in virtual assets. The law strengthens Germany’s position as one of the leading legal centres for crypto regulation in the EU and serves as a model for other jurisdictions in integrating MiCA and related regulations.

Guidance on the content requirements for internal governance mechanisms for issuers of asset-linked tokens in Germany

From 20 December 2024, the European Banking Authority’s binding European Union-wide guidelines governing the internal governance framework for issuers of asset-referenced tokens (asset-referenced tokens, or ARTs) will come into force. These provisions are a development of the provisions of Regulation (EU) 2023/1114 (MiCA) and are aimed at establishing common standards for organisational structure, internal controls, risk management, operational stability and ethical principles of issuers’ activities. The most important basis of the new requirements is the principle of proportionality. It implies that an issuer’s internal procedures should be appropriate to the nature, scale and complexity of its activities, taking into account the volume of assets, number of users, legal form, cross-border operations, participation in secondary markets, and the degree of significance of the ARTs to be issued. Even where the issuer is a legal entity managed by a single individual, a system of mutual restrictions should be in place to avoid concentration of decisions and minimise institutional risks. Critical risk analysis should cover both the risks of the issuer itself and possible consequences for third parties, the environment and the financial system as a whole.

The issuer’s management bodies shall ensure the formation and effective implementation of procedures ensuring reliable corporate governance. The functions of strategic management and control shall be differentiated. The competences of each member of the management body shall be clearly defined and formalised in approved regulations. Internal management cannot be concentrated in the hands of one person or a limited circle of managers. All strategic decisions must be taken collegially and the authority structure must be transparent. The management bodies are required to define the business strategy, internal organisation, risk appetite, reserve asset management system, as well as remuneration policies and procedures for identifying and managing conflicts of interest.

Particular attention is paid to the functioning of the internal control mechanism. It should include an independent compliance function, a risk management system and, where appropriate, an internal audit function. These functions can be implemented either by internal departments or by external specialised counterparties, but the responsibility for their functioning remains with the issuer. Control functions should have the necessary resources, authority and independence. Management bodies should receive regular reports reflecting vulnerabilities and material deviations from established standards and take corrective action. The entire internal control system should be documented, updated and appropriate to the level of regulatory complexity of the issuer’s operations.

The company structure may not be overly convoluted or legally unjustifiable. It is prohibited to use schemes that complicate oversight or could be interpreted as a means of circumventing regulatory requirements. The issuer must have a good understanding of its business structure and be able to justify its economic feasibility. Any structure involving risks must be assessed for compliance with anti-money laundering standards, international tax transparency standards and good business practices. It is unacceptable to create companies or nominal structures without their own substance. All actions must have a transparent legal basis and be understandable both to the company’s employees and external stakeholders.

Outsourcing of certain functions, such as management of reserve assets, their storage or placement, is allowed only under strict control of the issuer itself. All arrangements with third parties must be subject to internal analysis, verification of the counterparty’s reliability, assessment of legal and operational risks, and inclusion in a unified monitoring system. Outsourcing does not relieve the issuer of responsibility for compliance with regulatory requirements. The company must have an exit plan, procedures in case of supplier failure, and clear criteria for assessing the reliability of the outsourcer. The transfer of functions is not allowed if it leads to reduced transparency, increased dependence on geopolitical factors or inability to ensure operational control.

A key element of governance is the creation of a unified risk culture that encompasses the entire organisation. Every employee, regardless of level and position, must understand their responsibility for risk acceptance and control. Risk management can no longer be seen as an auxiliary or technical function. It is integrated into strategy, staff training, recruitment policy, motivation and appraisal systems. The company must establish a clear code of conduct covering compliance, anti-fraud, ethics, anti-corruption, consumer protection and avoidance of manipulation. Not only is formal compliance important, but it is also important to reinforce ethical guidelines within the team.

Given the digital nature of cryptoassets and the high dependence on technological infrastructure, special attention is paid to IT risk management and operational resilience. The issuer is required to have contingency plans, vulnerability analysis systems, regular testing and incident remediation mechanisms in place. All critical functions must be clearly identified, documented and protected against failure. The relationships between key processes, vendors, locations and data should be described within the digital resilience framework envisaged by DORA. Controls should not only be preventive but also adaptive, capable of providing a rapid response to incidents.

For all new products and procedures, the issuer must carry out a risk assessment prior to implementation, including legal, IT and operational risks, the impact on reserve assets, dependencies on third-party suppliers and the potential impact on retail users. New tools cannot be developed and launched without a formalised approval process that must consider not only business objectives, but also regulatory compliance, internal system stability and reputational implications.

The Guidelines require issuers to significantly transform internal processes, strengthen the role of the board of directors, develop internal controls and reject simplistic forms of governance typical of the start-up environment. Operational sustainability, transparency, respect for investor rights and completeness of procedures become a prerequisite for the admission of ARTs to the market. All deviations from standards must be justified, recorded and controlled. These principles create the basis not just for regulatory compliance, but also for the formation of a mature infrastructure in the cryptocurrency segment, integrated into the pan-European financial stability system. Violations of the established requirements, insufficient attention to internal governance or attempts to formally enforce them without substance will be perceived as a threat to market stability and the interests of token holders. Thus, the new standards do not just set a framework, but form a new model of trust in the digital finance ecosystem.

Key requirements for asset-backed token (ART) issuers and electronic money token (EMT) issuers in Germany

From 13 November 2024, European Banking Authority guidelines will come into force requiring ART and EMT issuers to develop and maintain recovery plans compliant with Articles 46 and 55 of the MiCA Regulation. These plans constitute a mandatory part of the issuer’s resilience management system and are a tool for preventive intervention in the event of situations that threaten compliance or token stability. The recovery plan should be drawn up taking into account the principle of proportionality, based on the size, complexity, risks and nature of the issuer’s business. Particular attention is paid to issuers whose tokens are recognised as signifikant in accordance with MiCA criteria. In such cases, the plan must be updated at least annually and its structure must meet higher standards of risk control, monitoring and escalation. In particular, the plan should include a detailed framework of indicators indicating potential threats to asset reserve, liquidity, market confidence and operational resilience.

The plan consists of several key blocks: an executive summary indicating changes from the previous version, a description of governance and escalation arrangements, a list of remediation measures, an information and communication strategy, and crisis scenarios. The management component specifies the personal and functional responsibilities of those responsible for developing, updating, and implementing the plan, and describes procedural aspects, including update timelines, approval procedures, and conditions for activating recovery measures. One of the central elements of the plan is an indicator system (Sanierungsplanindikatoren), which enables the issuer to identify deviations from regulatory parameters in a timely manner and initiate internal response procedures. The indicators are developed at both token and company level and cover the following categories: liquidity, operational risks, credit quality of assets, volatility and reserve structure, concentration risks, market confidence, as well as specific indicators reflecting possible risks of deviation of the token’s market price from its fair value (so-called “Abkopplungsrisiko”). All indicators are calibrated according to the internal risk profile and are reviewed in case of any change in the issuer’s risk appetite.

The recovery plan should contain not only a list of indicators and their thresholds, but also a description of the procedures activated if they are exceeded. This includes internal escalation within 24 hours, notifying the competent supervisory authority, analysing the circumstances and submitting a corrective action plan. The issuer is required to justify the choice of measures and, in the event of failure to implement them, to prove the ability to restore compliance without intervention. In some cases, it is permissible to temporarily suspend token redemption obligations or impose restrictions on token circulation, but only under conditions of extreme necessity and with a pre-approved strategy. Each measure in the plan should be accompanied by an assessment of its feasibility, a description of potential obstacles, application scenarios, foreseeable consequences and interoperability with other functions of the issuer. The impact on service providers involved in the issuance, storage and maintenance of tokens, as well as compliance with digital resilience requirements under DORA, should be considered. If the issuer uses third-party IT solutions, DLT infrastructure or custodial services, the plan must include a mechanism for immediate communication between parties to trigger internal escalation if thresholds are exceeded.

The issuer must model both systemic and individual stress situations, including sudden fluctuations in token redemption demand, failures in key infrastructures, massive technical or legal risks. Scenarios should be relevant to the scale, complexity of the business and type of tokens being issued. The purpose of the modelling is to determine the issuer’s preparedness to manage the consequences and ensure an adequate set of responses to potential challenges. An integral part of the recovery plan is a communications strategy. The issuer must determine how it will communicate to token holders, partners, regulators and the public in the event of a crisis situation. The communication should be differentiated by recipient category and adapted to the stage of the crisis. It should take into account possible negative market effects, ensure transparency of actions and minimise reputational risks. Particular attention shall be paid to notifying clients of the status of their assets, changes in the service regime and prospects for recovery.

Where the same token is issued by multiple issuers or where one issuer issues multiple tokens, the plan must provide for coordinated actions, harmonised indicators, identical thresholds and synchronised measures. It also establishes a rule to avoid situations in which the actions of one issuer could compromise the effectiveness or legal certainty of the recovery strategy of the others. Similarly, issuers combining token issuance with other activities must ensure that their ART and EMT recovery measures are independent of risks in other business segments.

The EBA’s guidance also allows for the possibility of integrating the recovery plan required under MiCA into already existing plans based on the BRRD directive (e.g. for banks and investment firms). This is possible provided that the documents are harmonised with the supervisory authority and fully cover all the components required by these guidelines. The development and maintenance of a recovery plan thus becomes a mandatory and strategically important element of the internal governance system of ART and EMT issuers. This tool not only provides early warning and prompt response in a crisis, but is also a criterion for the maturity of corporate governance and the confidence of regulators and clients. Its untimely activation or formal fulfilment without actual readiness will be regarded as a breach of the issuer’s material obligations and may result in administrative or regulatory liability. Full compliance with these requirements is an integral part of the MiCA legal landscape and a prerequisite for the long-term sustainability of the virtual asset business in the European Union.

Mandatory liquidity stress testing requirements for issuers of asset-backed tokens (ART) and electronic money tokens (EMT) in Germany

From 30 September 2024, guidelines will come into force setting out the general parameters of the stress scenarios to be applied by ART and EMT issuers when conducting mandatory liquidity stress testing. These measures aim to establish a robust mechanism for assessing issuers’ ability to fulfil token redemption obligations under extreme market conditions and prevent systemic risks associated with a sudden decline in investor confidence, denial of access to reserve assets or sharp fluctuations in token values. Liquidity stress tests are mandatory for all issuers of significant ARTs and EMTs, as well as for other issuers if the relevant instruction is issued by the supervisory authority of the home member state. The methodology of stress testing is based on the principle of using unified parameters and assumes adaptation to the issuer’s specifics, issue scale, investor category, reserve asset structure and type of reference property.

One of the key tasks of stress testing is to assess the so-called risk of mass simultaneous redemption of tokens. The issuer must model scenarios in which a significant proportion of token holders initiate a buyback procedure, including scenarios with different reserve maturities. The assessment takes into account the profile of investors (retail or institutional), the type of token (whether significant or not), the structure and liquidity of reserves, the historical repurchase dynamics, and the legal characteristics of the issuer. Based on this data, the issuer is required to apply a confidential 99% level to observed stressed redemptions and estimate the amount of liquidity required. Particular attention is paid to the risk associated with the inability to immediately access deposits placed with credit institutions. The issuer must take into account the credit quality of the counterparty, the degree of concentration of assets with a single bank, the availability of collateral, the term of the placement and territorial risks. This is particularly relevant if funds are held outside the jurisdiction of incorporation or in institutions prone to instability.

In addition to banking risks, the testing covers market and currency fluctuations of reserve assets. If the assets are not denominated in the official EU currency, the issuer must assess the risks of revaluation, volatility, correlation and the need for additional liquidity requirements. The issuer must also consider how possible exchange rate deviations, token price corrections from fair value (depegging) or derivatives disruptions could affect the ability to make timely redemptions. The testing methodology is based on a comparison of the value of reserves under stress to the valuation of redemption liabilities. The value of assets is adjusted by applying stress factors dependent on liquidity, market sensitivity, country risk, consolidation at the issuer and custody. The issuer is required to calibrate the parameters not only based on historical data, but also using stress hypotheses covering both systemic and individual risks. Parameters are adjusted depending on the time horizon: daily, weekly, monthly or annual. If the referenced asset is an unofficial currency or commodity, additional risks related to delivery, physical storage and variability in market conditions need to be considered.

The stress factors applied to the assets in the reserve should be below 100 per cent, while those applied to the referenced assets may exceed 100 per cent, particularly where there is no peg to the euro or other stable currency. This reflects the possibility of underestimating the value of reserves and overestimating liabilities to token holders in a crisis volatility environment. Assets such as deposits, bonds, highly liquid securities, collateralised debt obligations and other financial instruments that meet MiCA criteria are included in the stress analysis. For each asset type, the issuer must consider credit quality, withdrawability, liquidity, systemic importance and concentration risks. It is expected that the data and calculations will be documented, verifiable and justified from an independent audit or peer review perspective.

Thus, stress tests become a mandatory element of operational supervision, forming a continuous process of control over the sustainability of ART and EMT issuers. The results of the tests must be used in strategic management, in adjusting the composition of reserves, in planning redemptions and in preparing recovery plans under Article 46 of MiCA. Failure to conduct or insufficient depth of analysis will be considered a systemic breach with administrative consequences, including restriction of issuance rights or withdrawal of authorisation. Issuers are required to integrate the results of stress tests into their overall risk management system, regularly reviewing the parameters depending on changes in market conditions, updates to regulatory standards and the transformation of their business model. Thus, the liquidity stress testing guidelines form a technical and methodological foundation to ensure the reliability and sustainability of the digital financial ecosystem in the context of the full implementation of MiCA in the European Union.

Assessment of members of governing bodies and holders of qualifying interests in ART and CASP issuers in accordance with MiCA requirements.

On 4 February 2025, joint guidelines of the European Banking Authority and the European Securities and Markets Authority will enter into force in the European Union setting out requirements for assessing the personal and collective suitability of members of governing bodies and for assessing the suitability of holders of qualifying interests in entities acting as asset-backed token issuers (ARTs) or cryptocurrency service providers (CASPs). These principles develop the provisions of Articles 21, 34, 42, 63, 68 and 84 of Regulation (EU) 2023/1114 and set out the minimum standards that both companies themselves and supervisory authorities are required to apply when assessing the compliance of key persons and entities. Both members of the executive and supervisory body and individuals who actually manage the business, as well as legal entities represented in the management body through delegated representatives, are subject to assessment. The evaluation criteria are personal reliability, professional competence, experience, understanding of the business model, and the ability to allocate sufficient time to fulfil management responsibilities. Special attention is paid to individual and collective suitability: the management body as a whole is required to have a sufficient set of competences to manage all aspects of the company’s activities. A key element is security clearance. Members of the governing body must not have been convicted of offences related to money laundering, terrorism, corporate fraud, financial irregularities or breaches of professional ethics. Any other circumstances, including sanctions, embargoes, restrictions by international organisations that may call into question the integrity and reputation of the candidate are also assessed. In case of inclusion in the sanctions lists, the person shall be immediately removed from management. Competences are assessed taking into account education, previous professional experience, management roles and company profile. Knowledge of cryptoeconomics, digital finance, regulatory, accounting, IT security, DLT technology, cyber risk and consumer rights is mandatory. An assessment based solely on formal attributes (diploma, position) without analysing the actual level of participation and content of the candidate’s activities in previous structures is not permitted. Members of governing bodies are required to allocate sufficient time to fulfil their functions, especially in times of change, stress or the introduction of new products. When assessing time availability, the number of mandates, geographical load, other professional or political responsibilities, and participation in committees and meetings are analysed. Each company is required to develop and implement an internal suitability assessment policy. It sets out procedures for selection, reassessment, succession planning, principles of diversification and alignment of the management body with the company’s objectives. The policy should also include provisions for regular suitability verification in the event of changes in structure, strategy or business model, or if there are doubts about the competence of an individual member. Additionally, all individuals and entities holding direct or indirect qualifying equity interests in the issuer or CASP are subject to assessment. The supervisor must be satisfied that they are reliable, that there is no reason to believe that they are involved in money laundering or terrorist financing schemes, and that the ownership and control structure is transparent. Such persons are subject to a methodology similar to that used for the examination of bank shareholders under CRD IV. If the assessment identifies deficiencies in qualifications, knowledge, experience or time availability, companies are required to take corrective measures. This may include internal reshuffles, additional training, recruiting new members or even replacing candidates. If the deficiencies cannot be remedied, the person’s appointment must be rejected. Similarly, in the case of inconclusive documentation on the trustworthiness of a potential shareholder, the supervisory authority may block the transaction or revoke the company’s licence. The assessment procedure is mandatory not only when obtaining a licence, but also during ongoing supervision. The regulator has the right to initiate an unscheduled suitability review in case of significant changes in management, corporate structure or identification of risks of unscrupulous behaviour. In such situations, the assessment period is limited to four months, renewable if additional information is requested. The guidelines thus form a detailed system for the assessment and admission of management in the EU cryptocurrency market, focused on protecting the sustainability of the system, the integrity of participants and respecting the interests of customers. They create a new norm of regulatory responsibility that goes beyond formal licensing and emphasises the institutional maturity of each market participant. Full implementation of these principles will be key to obtaining and maintaining authorisations under MiCA.

Requirements for redemption plans for issuers of asset-backed tokens (ARTs) and electronic money tokens (EMTs) in Germany

The European Banking Authority has approved regulations governing the establishment and application of redemption plans for issuers of cryptocurrency tokens with a redemption obligation in 2024. These regulations apply to all ART and EMT issuers, including in cases where tokens are issued by multiple issuers simultaneously or cover cross-border infrastructure. A redemption plan must be prepared by the issuer in advance under normal conditions (going concern) and is activated by a supervisory decision if the issuer is deemed unable or likely to be unable to fulfil its obligations to token holders. The basis of such a plan is an asset reserve formed by the issuer in accordance with MiCA provisions and placed with custodians.

The document strictly requires the principle of proportionality in the development of the plan. It must take into account the scale of the issue, multiple issues, number of participants, amount and liquidity of reserves, liability structure and type of issuer. If a token is deemed significant, the plan must be reviewed annually, be extremely detailed, include a governance mechanism, a liquidation strategy, a description of critical functions and a mechanism for communicating with stakeholders. EMT issuers that are not legally required to establish an asset reserve are permitted to prepare a plan with a different level of detail, if this is consistent with the decision of the national authority.

The key objective of the plan is to organise a fair, timely and simultaneous settlement of the claims of all token holders without disrupting market stability and without causing economic harm. The plan should provide for the suspension of individual redemption and transition to a collective mechanism based on a procedure approved by the competent authority. The distribution of funds from the liquidation of the reserve shall be made on a pari passu basis, and the costs associated with the implementation of the plan (e.g. consultants’ fees, legal fees, intermediaries’ commissions) may be covered from the reserve only after token holders’ claims have been satisfied.

If an issuer issues several tokens or participates in a joint issuance, the plan should contain a common part agreed upon by all issuers and an individual part for each of them. The common part reflects the key principles, liquidation procedures, communication strategy, internal control system and coordination mechanism. Coordination between issuers is mandatory and involves designating one of them as a coordinator with experience, sufficient infrastructure and access to reserves. The individualised part of the plan should cover internal procedures, personal responsibility, maintenance of critical functions, interaction with custodians and intermediaries, and AML/CFT measures in accordance with the AMLD and Regulation 2023/1113.

In describing the procedure, the plan should cover all steps from the decision to launch to the finalisation of settlement with holders. The issuer must specify how it will identify holders, accept redemption applications, evaluate claims, organise settlements and ensure that tokens are removed from circulation. Standards for processing personal data, a list of required documents, methods of AML checks and the procedure for delivery of funds must be specified.

A communication strategy is a mandatory part of the plan and should include a pre-prepared public notice, contacts for token holders, deadlines for submitting claims and technical means of communication. The communication channels used should be familiar to the issuer’s audience and not discriminate against holders based on territoriality.

The document also establishes the criteria by which the supervisory authority may conclude that the issuer is unable to fulfil its obligations. In addition to formal grounds (bankruptcy, revocation of licence), systemic factors such as insufficient capitalisation, lack of liquidity, reduced value of reserves, deterioration of reputation, market price deviations from the peg, mass withdrawal of tokens or market instability are assessed. The decision is made based on an aggregate assessment of factors using professional judgement, rather than automatically.

Particular attention is paid to harmonising the redemption plan with other documents – in particular recovery plans and, where available, BRRD settlement plans. The issuer must ensure consistency between these documents and, if the implementation of the plan may affect the company’s resolvability, the issuer must inform the resolution authority.

Thus, the redemption plan becomes an essential element of customer protection and financial stability, guaranteeing an orderly exit from the market even in the case of severe crisis scenarios. Its timely compilation, approval and updating is a prerequisite for confidence in the issuer on the part of regulators, clients and financial intermediaries. Failure to comply with the content, timing or execution of the plan may be considered a serious breach of regulatory obligations and may result in sanctions up to and including a ban on operations. Full integration of these procedures into an issuer’s business model confirms the maturity of its internal governance and compliance with MiCA requirements.

Mechanism for assessing the legal status of cryptocurrency tokens in Germany.

As of May 2025, pan-European guidelines will come into force requiring all issuers of cryptoassets and cryptocurrency market participants to use uniform approaches when classifying tokens, providing explanations and preparing legal opinions required as part of procedures related to authorisations, publishing whitepapers and placing tokens on the market. The main objective of these principles is to eliminate legal uncertainty in distinguishing between different categories of digital assets and to avoid the situation where the same assets are differently qualified in different EU Member States.

The Guidelines provide for the mandatory use of harmonised templates in the following cases: when submitting a declaration of exclusion of a token from MiCA regulation, when preparing a legal opinion on the legal status of the issued asset (in particular ART or EMT), as well as when passing a standardised test designed to assess whether a token meets the concept of crypto-asset within the meaning of Article 3 of MiCA.

The standardised approach requires issuers and applicants to demonstrate that the token they issue is not an exempted item, e.g. it does not constitute a financial instrument, electronic money, structured or classic deposit position, insurance or pension product. For this purpose, the legal opinion should provide, for each type of exemption, an analysis of applicable legislation, case law, national or EU-wide regulatory clarifications, as well as a reasoned justification as to why a particular token does not fall under the relevant category.

Where a cryptoasset is not a financial instrument but falls within the definition of a digital representation of a property right or value transferable and stored using distributed ledger technology (DLT), it is recognised as a cryptocurrency asset within the meaning of MiCA. For this purpose, the issuer must provide a full characterisation of the digital code, indicate how the rights are stored and transferred, explain the technology used and confirm that the token is transferable to third parties or, on the contrary, non-transferable according to the technical implementation and terms of circulation.

The form also requires an indication of the regulated jurisdiction, the date and version of the whitepaper, the issuer’s contact details and the legal status of the applicant (e.g. CASP, credit institution, other financial institution). Particular attention is paid to confirming that the persons drafting the legal opinion have no conflicts of interest. Both internal and external counsel may act as legal counsel, but they must be formally registered with the relevant professional organisation and have a demonstrable qualification to prepare such an opinion.

The most significant part of the guidance is the standardised test, a logic model used by both the regulator and the applicant to consistently assess whether a token is subject to MiCA. Three sets of conditions are sequentially tested: the existence of digital asset attributes (value/right), the use of DLT or similar technology, and the absence of indications of exclusion from regulation. The checks relate to the issuer status, the uniqueness of the token (fungibility), the legal nature, the link to the underlying assets and the purpose of the issuance. Exemptions include, for example, NFTs granting individual rights to specific assets (e.g. real estate), as well as tokens representing recognised financial or pension instruments or issued by public authorities and international organisations.

If, after applying the test, it is determined that the crypto-asset is not an exception and meets the criteria of a digital representation of value or a right created using a distributed ledger, it is classified as a crypto-asset under MiCA. Further distinction is made: if the token is linked to the value of a single fiat currency, it is classified as an EMT; if it is linked to multiple currencies, indices or commodities, it is classified as an ART; and if there is no such link, it is classified as a utility-token or other crypto-asset.

The new guidelines thus provide a legal basis for a harmonised and transparent procedure for identifying cryptocurrency assets under MiCA regulation, eliminating the possibility of arbitrary or fragmented interpretation. They introduce mandatory legal discipline in the process of entering the cryptoasset market, establish the liability of both the issuer and its advisers, and promote legal certainty in supervisory practices. This is particularly important for cross-border activity, including as part of applications for admission to trading, listing on platforms or whitepaper registration in multiple jurisdictions simultaneously.

Classification of crypto assets as financial instruments under MiFID II and MiCA

According to the position of the European Securities and Markets Authority, the qualification of cryptocurrency tokens as financial instruments is not based on the technical realisation of the asset, but rather on its economic nature and the set of inherent rights. This means that tokens created using distributed ledger technology (DLT) are subject to the same principles as traditional securities if they confer rights similar to those inherent in shares, bonds, derivatives or shares in investment funds.

First of all, the possibility of qualifying a token as a transferable security is analysed. For this purpose, it is necessary to establish that the token: is not a payment instrument, belongs to a certain class (a class of homogeneous tokens of the same issuer with the same rights), and can be freely traded on the market. It is not required that the asset has an organised market or listing – an abstract transferability between parties is sufficient. Particular attention is paid to the content of the token – if it provides dividend rights, voting on corporate matters or a share in liquidation profits, it can be equated to a share. Similarly, if the token represents a fixed obligation to pay interest or return capital, it may be recognised as a bond.

If a cryptoasset does not fulfil the criteria of a transferable security, it may qualify as another type of financial instrument, such as a money market, a share in a UCITS or AIF, or a derivative contract. A token is recognised as a money market instrument if it is a short-term debt obligation (e.g. commercial paper, certificate of deposit) that has a certain liquidity and tradability. The key criteria are a maturity of up to 397 days and the ability to accurately determine the price.

To be classified as a share in an investment fund, the token must be part of a collective investment scheme, in which the funds of several investors are consolidated and managed according to a predetermined policy in order to obtain a common profit. The management structure may be centralised (through a legal entity) or algorithmically implemented (e.g. through smart contracts), provided that there is no ongoing control by investors.

Tokens structured as derivatives are considered separately. If a token creates an obligation or right to buy/sell an underlying asset in the future, its value depends on the change in the price of the underlying asset (e.g., stock, index, rate, raw materials), and there is a settlement (in cash or cryptocurrency), it can be classified as a derivative. Perpetual futures, synthetic assets, options and swaps fall into this category. The focus here is on the functionality of the contract rather than the name of the instrument.

If a token is linked to an emissions trading system and grants the right to emit a certain amount of CO₂, it can be recognised as a financial instrument as an emissions certificate. The mandatory criterion is compliance with the requirements of Directive 2003/87/EC and recognition of the token as an eligible settlement instrument under the ETS.

Alongside this, ESMA formulates principles for tokens that do not constitute financial instruments to remain within MiCA. In particular, utility-tokens that grant access rights to digital services or discounts do not equate to securities, even if they have speculative appeal. Similarly, NFTs are recognised as exceptions to MiCA provided they are unique and not interchangeable. To assess uniqueness, it is necessary to consider not only technical attributes (ID, metadata) but also the presence of individual economic and functional characteristics. Fractionated NFTs (F-NFTs) are evaluated separately and are not automatically excluded.

Hybrid tokens that combine features of multiple categories (e.g., payment, investment and service functions) are analysed primarily in terms of the predominant function. If a token provides yield, capital protection or other attributes of an investment instrument, it will qualify as a financial instrument regardless of the other components.

ESMA’s guidelines thus provide a unified methodological framework for assessing the legal nature of cryptocurrency tokens and distinguishing between the objects of MiCA and MiFID II regulation. They aim to eliminate fragmentation in asset qualification between EU countries, protect investors’ rights, ensure legal certainty and respect the principle of technological neutrality. Issuers, payment operators, exchanges and custodians are required to take these criteria into account when issuing tokens, drafting whitepapers, obtaining CASP licences, and preparing legal opinions and prospectuses for market entry.