MiCA Licence in Malta

In March 2025, the Malta Financial Services Authority (MFSA) formally promulgated the MiCA Rulebook and approved amendments to Section 3 of the Financial Institutions Regulation governing payment institutions and electronic money issuers. These amendments form part of the national strategy for the phased implementation of the provisions of the Markets in Cryptoassets Regulation (EU) 2023/1114 (MiCA) into the legal system of the Republic of Malta and are aimed at creating a harmonised and aligned regulatory regime for digital asset transactions. The MiCA Rulebook applies to entities covered by the Markets in Crypto-Assets Act 2024 (Markets in Crypto-Assets Act, Cap. 647) and is to be interpreted in a systemic relationship with the provisions of the MiCA Regulation itself, as well as with the relevant regulatory and technical acts (regulatory and technical standards – RTS and ITS) approved at the European Union level, including the conclusions and recommendations of the European Supervisory Authorities (ESAs). The Rulebook covers both procedural and substantive aspects of the regulation, including the procedure for granting licences to crypto asset linked service providers (CASPs) and asset referenced token issuers (ARTs). The Rulebook sets out requirements for the submission of whitepaper notices, establishes procedures for voluntary surrender of a licence, and provides a set of applicable regulatory standards and supervisory practices. Additionally, the document includes requirements to maintain ongoing compliance with regulatory requirements for all authorised entities operating under MiCA.

In order to ensure a uniform and harmonised supervisory and reporting regime, the MFSA has also approved supporting material including regulatory reporting forms for CASPs and technical guidance to assist in the practical implementation of the new reporting obligations. These materials are the result of a consultation process initiated by the MFSA in January 2025 and form an integral part of the methodological support for the implementation of MiCA in Malta’s jurisdictions. Additionally, the Malta Financial Services Authority has made targeted amendments to Section 3 of the Financial Institutions Regulations (FIR/03) governing legal persons issuing electronic monetary tokens (EMTs). The amended section sets out a list of regulations, statutory provisions, technical standards and guidance documents that are mandatory for relevant issuers to ensure that their activities are harmonised with the overall regulatory framework set out in the MiCA Regulations. It also forms a bridge between the regulation of payment institutions and the new pan-European cryptoasset regime aimed at harmonising approaches and eliminating fragmentation in supervision.

As part of the approved changes, the notification regime for outsourcing and client asset protection has been revised. It is mandatory to submit all documentation related to such transactions exclusively through the electronic LH Portal. Furthermore, for all changes to outsourcing agreements or client asset management protocols, a minimum advance notice period of at least 60 calendar days prior to the expected effective date of the change has been established. Such measures are aimed at increasing the predictability, transparency and overall manageability of operational risks associated with the activities of EMT issuers. The said regulatory provisions entered into legal force from the date of official publication and are directly enforceable. They are considered either as a direct consequence of the Republic of Malta’s obligations to implement European Union law or as a clarification of previously existing rules binding on authorised entities carrying out regulated activities. The MFSA emphasises that all relevant regulatory information, including subsequent amendments and additions, is available to interested parties on the regulator’s official website. Questions related to the enforcement and interpretation of the MiCA Rulebook are to be directed to the specialised FinTech Policy unit of the MFSA through the established communication channels. These actions demonstrate the Maltese regulator’s systematic and consistent stance towards the implementation of a pan-European legal policy on digital finance, as well as its endeavour to ensure a predictable and sustainable regulatory regime for all persons conducting professional activities with cryptoassets in Malta in accordance with the requirements of the MiCA Rulebook.

Markets in Crypto Assets Regulation in Malta

As of 2025, the Markets in Cryptoassets Regulation (EU) 2023/1114 (MiCA) has entered the direct implementation phase, marking the beginning of a new phase in the legal regulation of digital assets within the European Union. MiCA forms a comprehensive regulatory regime covering all key aspects of the crypto-economy, including rules for the issuance, public offering and admission of tokens on trading platforms, as well as the licensing and supervision of cryptoasset service providers (CASPs). There is a particular focus on asset-backed tokens (ARTs) and electronic money tokens (EMTs), for which there are separate categories of requirements. The regulation covers types of cryptoassets that were previously outside the scope of current EU financial services legislation. The main objective of the new regulation is to strike a balance between supporting technological innovation and ensuring financial stability, legal predictability and market integrity. Special emphasis is placed on consumer protection, which is reflected in the provisions stipulating the obligation of service providers to act in good faith, fairly and in the best interests of customers by ensuring that they are informed about the nature and risks of cryptoasset transactions. Disclosure must be complete, accurate and conducive to informed decision-making. Prior to the implementation of MiCA, the Republic of Malta had its own unique regulatory architecture for digital assets. In 2018, the Virtual Financial Assets Act (VFA, Chapter 590 of the Laws of Malta) – was enacted, marking the first EU attempt to create specialised regulation for crypto-assets. The Act introduced a four-category licence system for Virtual Financial Assets Service Providers (VFASPs) and also provided for supervision by the MFSA, the competent authority for financial regulation.

However, with the introduction of MiCA, the national legal framework has undergone a transformation. The new regulation is embedded in the Maltese legal system as a directly applicable EU act, which requires harmonisation of the former VFA regime with the provisions of MiCA. This transformation is aimed at aligning all existing mechanisms with pan-European standards and eliminating overlap between national and supranational sources of crypto market regulation. In order to ensure full compliance with the MiCA Regulation, the Republic of Malta has amended the Virtual Financial Assets (VFA) Act through the enactment of Act No. XIV of 2024, and has also enacted a new Crypto Asset Markets Act. In addition, the Malta Financial Services Authority (MFSA) has published a specialised regulatory document, the MiCA Rulebook, aimed at providing guidance and support for existing and potential cryptocurrency market participants operating in Malta under the new pan-European legal architecture. For companies already registered as service providers under the VFA regime, there is a simplified transition mechanism to MiCA requirements. This mechanism allows for a smooth and expeditious completion of the adaptation process while maintaining the legality of the business during the transition period. MiCA establishes a single classification system for cryptoassets subject to regulation, including asset reference tokens (ARTs), electronic money tokens (EMTs), and all other cryptoassets that do not fall into these categories. The latter include, among others, utility tokens and cryptocurrencies such as bitcoin. Under MiCA, cryptoassets are defined as digital expressions of value or rights that are designed to be traded and stored using distributed ledger technology and that can provide market or investment returns to their holders, including retail users.

Among the key changes introduced into the Maltese legal system in connection with the implementation of the MiCA, particular attention has been paid to the simplification of the permit application process. Amendments to the VFA Act, which came into force following the adoption of MiCA, removed the obligation to appoint a VFA agent. From now on, any person intending to register a technical documentation (white paper) or apply to provide regulated services under the VFA regime is entitled to send documents directly to the MFSA without the need for an authorised agent. MiCA also introduces enhanced content requirements for technical documentation submitted by cryptoasset issuers. White papers must contain detailed information about the issuer, the nature of the token, the terms of the offering, and the investment and operational risks. The content of the white paper varies depending on the asset category (ART, EMT or utility token) and is subject to regulatory approval. Obtaining a licence under MiCA provides the applicant with so-called “passporting rights”, allowing the applicant to provide licensed services related to cryptoassets throughout the European Union without the need to obtain additional authorisations in other member states. This provision is a significant incentive for choosing Malta as a licensing jurisdiction. In addition to technical and structural requirements, MiCA contains provisions relating to fair marketing, consumer protection and anti-money laundering compliance. All marketing materials, including advertising messages and descriptions of services, must be objective, truthful and not misleading. These materials are subject to mandatory disclosure to the MFSA and publication in a form accessible to customers. Companies are required to comply with AML/CFT requirements in accordance with EU regulations and guidance issued by the Malta Financial Intelligence Unit (FIAU).

The new legal framework thus provides an institutionally stable and integrated regulatory regime for crypto assets, while simplifying transition processes for existing participants and enhancing transparency and protection for end-users in the Maltese crypto market.

Market in crypto assets requirements in Malta

In order to comply with the new regulatory regime established by the MiCA Regulation, organisations operating under Malta’s Virtual Financial Assets (VFA) legislation, as well as companies planning to enter the Maltese market, are required to undertake internal regulatory adaptation and align their activities with the requirements of European regulation. Initially, a legal and compliance assessment of the impact of MiCA on the structure and nature of the services provided should be carried out. As part of this assessment, it is recommended to categorise the tokens issued or services offered according to the MiCA taxonomy of cryptoassets – including asset reference tokens (ARTs), electronic money tokens (EMTs) and other cryptoassets that do not fall into these categories. Based on the classification made, it should be determined whether an entity’s activities fall under the Crypto Asset Service Provider (CASP) licence status and whether appropriate authorisation is required. For companies already operating under the VFA regime, transitional provisions are in place to allow for a phased integration into the new regulatory system. In order to ensure an effective transition, it is advisable to engage in communication with the Malta Financial Services Authority (MFSA) to seek clarification on the timelines and requirements in place for the transition period. It is also required to conduct an internal audit of the corporate structure, review licence conditions and adapt internal regulations to take into account MiCA and CASP requirements.

Entities intending to initiate cryptoasset activities in Malta in accordance with MiCA must apply to the MFSA for a licence. The application must be accompanied by a full documentation package including a business plan, a description of the management structure, risk management, information security and customer data protection policies. In addition, the applicant is required to confirm the existence of an internal anti-money laundering (AML) system, compliance with prudential standards and fulfilment of obligations relating to customer protection. Thus, the transition to the MiCA regime requires all participants in the Maltese crypto market to take a proactive approach to regulatory adaptation and timely legal transformation of their business processes in line with the new pan-European legal architecture. In the context of active implementation of the MiCA Regulation’s provisions, it is of particular importance to update the internal regulatory documentation of organisations operating in the cryptoasset market. Given the Maltese regulator’s increased focus on compliance, companies are advised to review and modernise their compliance policies, develop internal monitoring procedures, implement risk management mechanisms and ensure systematic training of staff on the MiCA regulatory framework. Such measures should be aimed at making organisations more resilient to regulatory scrutiny and mitigating legal and operational risks.

An important element of MiCA compliance is ensuring that consumer rights are fully protected. In this regard, companies should conduct a comprehensive review of their terms of service, marketing communications and user agreements to ensure that they are transparent, fair and accurate. The information disclosed should be presented in an understandable manner and allow consumers to make informed decisions when interacting with cryptoassets and related services. MiCA also presents significant strategic opportunities for business growth and expansion. With a uniform legal framework, companies registered in Malta are able to access cross-border service provision through a passporting mechanism. This provides organisations with the opportunity to implement scalable business models and strengthen their presence in the European Union market without the need to obtain separate licences in each jurisdiction. The MiCA Regulation represents an important milestone in the development of a single digital financial space in the EU, promoting legal certainty, standardisation of approaches and harmonisation of requirements for all participants in the cryptoecosystem. Malta, one of the first countries to establish a national regulatory infrastructure for digital assets, seamlessly integrates its system into the pan-European legal context. This allows existing Maltese market participants to benefit from a transitional regime and new players to access a mature regulatory infrastructure and the competences of the local supervisory authority. MiCA compliance goes beyond the formal fulfilment of regulatory requirements. It lays the foundation for sustainable and legitimate operations in the cross-border cryptoasset market, building trust with regulators, investors and customers, and creating a favourable environment for long-term business development in an environment of legal stability and operational consistency.

MiCA EU regulation on cryptoassets

The European Union Regulation 2023/1114 on Markets in Cryptoassets (MiCA) establishes a harmonised EU-wide legal regime governing the issuance, offering and maintenance of cryptoassets, as well as the activities of related service providers. The main objective of this regulation is to ensure legal certainty, protect the interests of investors and strengthen the resilience of the financial system in a digitised environment. From 30 December 2024, the MiCA will be directly applicable in all Member States of the European Union, including the Republic of Malta, where the regulation has been fully integrated into the national legal system. MiCA applies to all issuers of crypto-assets as well as digital asset related service providers (CASPs), regardless of their country of incorporation, provided that such activities are centred on residents of the European Union. The regulation covers legal persons offering crypto-assets to the public or seeking their admission to trading platforms, as well as those providing custody, exchange, execution of client orders, trading system management, asset transfer, investment advisory and portfolio management services based on crypto-assets. Issuers of asset-linked tokens (ARTs) and electronic money tokens (EMTs) are subject to separate regulation, with additional prudential and operational requirements. However, central bank digital currencies (CBDCs), most non- fungible tokens (NFTs), cryptoassets qualifying as financial instruments under the MiFID II Directive, and decentralised applications (DeFi), provided there are no centrally identifiable intermediaries, are excluded from the scope of MiCA. However, the possibility of future regulation of these forms of digital activity at EU level is not excluded.

Violations of MiCA will result in administrative sanctions by supervisory authorities. Possible measures include suspension or revocation of a licence, fines of up to €15 million or up to 15% of the annual global turnover of the offending legal entity. In certain cases, public disclosure of the violation is permitted in order to protect the interests of consumers and market participants. Cryptoasset issuers and CASP service providers are required to undergo a pre-licensing procedure with the competent authority of the relevant EU Member State. The licensing package includes a description of the organisational structure, internal control and risk management system, confirmation of sufficient financial resources, and information on compliance with AML/CFT requirements. Issuers, in turn, are required to prepare technical documentation (white paper), which discloses the objectives of the cryptoasset issue, a description of its circulation model, operating principles and measures to protect holders, as well as investment and operational risks. Depending on the category of cryptoasset, such a document is either subject to prior regulatory approval or is sent as an official notification.

The MiCA Regulation thus creates a detailed and binding regulatory environment aimed at enhancing transparency and trust in the European crypto market, as well as eliminating the fragmentation of national approaches previously applied in individual jurisdictions. For issuers of stablecoins, in particular asset reference tokens (ARTs) and electronic money tokens (EMTs), the MiCA Regulation provides for enhanced regulatory obligations. These issuers are required to maintain full collateralised reserves, provide token holders with an unconditional right to redeem them in cash, and disclose information on the composition of reserves, their liquidity, concentration risks and their management arrangements. In addition, there is an obligation for regular disclosure and an independent audit of financial statements and collateral arrangements. The purpose of these requirements is to minimise systemic risks associated with the possible simultaneous withdrawal of tokens from the market, to ensure the rights of holders to protection in case of incomplete or distorted disclosure of information, and to maintain transparency and sustainability of transactions with secured digital assets. ART and EMT issuers are subject to ongoing supervision by a competent regulator and are required to comply with prudential, operational and reporting standards in accordance with MiCA and related European Union acts. In the Maltese context, the legal integration of MiCA has been realised through the enactment of the Markets in Crypto-Assets Act as well as secondary legislation, including the MiCA Fees Regulations. At the same time, amendments were made to the previously effective provisions under the Virtual Financial Assets Regulations, providing for the termination of rules that were no longer relevant due to the implementation of the new pan-European legal framework. The supervisory and licensing functions under MiCA in Malta are vested in the Malta Financial Services Authority (MFSA) – which acts as the competent authority under the provisions of the Regulation.

Malta, one of the first jurisdictions in the EU to introduce specialised cryptoasset legislation back in 2018, provides applicants with a stable legal environment with a high level of regulatory transparency. The jurisdiction’s advantages include a predictable and structured licensing process, a well-developed blockchain ecosystem, the ability to use the passporting mechanism to provide services across the European Union once authorised in Malta, as well as a favourable geographical location, a favourable tax regime and a network of double tax treaties with over 70 countries. Obtaining a licence under MiCA requires the submission of a comprehensive package of documents including a sound business plan, a description of the ownership structure, corporate governance arrangements, IT strategy and information security plans, internal anti-money laundering and consumer protection procedures. At the assessment stage, the regulator analyses not only the applicant’s legal and organisational suitability, but also its ability for long-term sustainable operation, financial stability, transparency of processes and proper risk management. The internal control system, compliance with disclosure requirements and technical verification of documentation, including white papers, are also reviewed. Due to the complex nature of the licensing procedure and the need to comply with a wide range of regulatory requirements, including MiCA provisions as well as parallel EU acts (in particular DORA, AML and GDPR), applicants are advised to engage qualified legal and regulatory advisors with experience in dealing with the MFSA and specialised knowledge of European financial and cryptocurrency law.

MiCA regulations in Malta

In March 2025, the Malta Financial Services Authority (MFSA) approved and implemented a regulatory framework called MiCA Rulebook, a comprehensive regulatory document governing cryptoasset issuers and related service providers in the Republic of Malta. The said act is enacted pursuant to section 38 of the Cryptoasset Markets Act 2024 (Cap. 647 of the Laws of Malta) and implements the provisions of the Markets in Cryptoassets Regulation (EU) 2023/1114 (MiCA). The Rulebook aims to establish uniform and predictable licensing procedures, maintain legal certainty and formalise the requirements for persons operating as CASPs and asset reference token (ART) issuers. The document is structured in four main areas: general regulatory principles, licensing procedures, ongoing compliance requirements, and specialised regulatory standards applicable to CASPs and ART issuers. On the licensing side, clear application procedures are established for both cryptoasset service providers and asset-linked stablecoin issuers. The Rulebook also contains provisions regarding whitepaper notification obligations, which must comply with the requirements of transparency, reliability and exhaustive disclosure of information about the digital asset. The Rulebook pays particular attention to the correct classification of cryptoassets according to their legal nature, as determined through tests and methodologies recommended by the European Securities and Markets Authority (ESMA), as well as joint guidelines prepared by European supervisory authorities (ESAs). This ensures uniform interpretation and minimises the risks of regulatory uncertainty.

As part of the licensing procedure, due diligence is carried out on persons subject to pre-approval by the MFSA. This vetting covers board members, persons holding qualifying interests, key management personnel, and compliance officers, including the MLRO (responsible for AML/CFT) and Compliance Officer. These individuals are subject to fit and proper criteria and independence from executive management. The latter must not be involved in operational activities and must ensure ongoing compliance with legal requirements. In addition, applicants are required to demonstrate that they have sufficient levels of regulatory capital, in accordance with Article 67 of the MiCA for CASPs and Article 35 of the MiCA for ART issuers. Internal governance systems, risk controls, corporate governance and internal control procedures that ensure the applicant’s ability to operate in accordance with regulatory standards and protect the rights of clients are also subject to review and assessment. The procedure for obtaining a licence under MiCA in Malta consists of three stages: in-principle approval, fulfilment of pre-licence conditions and final authorisation to carry on regulated activities. The pre-licence stage includes the submission of up-to-date incorporation documents, financial confirmations, certificates of appointment of key officers, outsourcing agreements and other documents required by the MFSA. After granting the final authorisation, the regulator has the right to impose additional conditions to be fulfilled already in the course of operational activities, including requirements to submit exit plans, restructuring, internal audit and other obligations aimed at ensuring the sustainability and reliability of the licensed entity.

Separate regulation has been established with respect to the notification of technical documentation (whitepapers) accompanying the issuance of cryptoassets. Under MiCA, such documents must be submitted to the supervisory authority solely on a notification basis – without a pre-approval procedure. The MiCA Rulebook differentiates the notification procedure depending on the category of cryptoasset (ART, EMT, utility tokens), defines requirements for the structure and content of the whitepaper, including disclosure of information on sustainability, climate risks, token functionality, holders’ rights and operating model. If changes are made to an already submitted whitepaper, the applicant is required to notify the MFSA again, specifying the modifications made and justifying their impact on consumer rights and project stability. The regulatory framework also provides for a procedure for voluntary surrender of a licence. An entity intending to cease regulated activities must notify the MFSA, provide the minutes of the corporate resolution, confirm the complete cessation of activities, fulfil all obligations to customers, no open legal or administrative proceedings, and remove any reference to licensing in public and marketing materials. In case of liquidation of the company – supporting documents shall be submitted in accordance with the corporate law of the Republic of Malta. In terms of fulfilling CASP’s ongoing obligations, the MiCA Rulebook refers to a wide range of supranational technical standards covering key areas of activity. These include disclosure of the climate impact of consensus algorithms, sustainability of IT infrastructure and business processes, record keeping and accounting, handling of consumer complaints, management of conflicts of interest, transparency of trading platforms, and standards for advisory and payment services.

Cross-border provision of services is further regulated: companies are required to notify the MFSA in advance if they intend to expand their geographic reach, as well as in the event of cyber incidents, customer complaints, structural or legal changes affecting the rights of participants, owners or customers. Such provisions aim to ensure the stable operation of CASPs in a cross-border environment, the timely reporting of information to the regulator and the protection of consumer rights across the EU. Particular attention is paid to internal governance and organisational controls within the regulatory requirements set out in the MiCA Rulebook. Cryptoasset service providers (CASPs) are required to maintain a dual control system, a physical presence and operational centre in Malta, sufficient human resources commensurate with the volume and complexity of the services provided, and a corporate governance structure that complies with the established regulatory criteria. The corporate structure requires an independent internal audit function, a risk management function and compliance monitoring procedures. Governance bodies must approve strategic and operational policies covering key business areas, including remuneration policy, IT risk management, breach detection mechanism, internal control system, and prevention and management of conflicts of interest. The corporate governance requirements apply to both board members and senior executives, with a focus on ensuring independence, segregation of duties, formalisation of accountability procedures and proper control over the implementation of corporate decisions. The MiCA Rulebook developed by the Malta Financial Services Authority is thus not only an implementation tool for the provisions of Regulation (EU) 2023/1114, but also an enhanced regulatory platform aimed at ensuring a high degree of transparency, legal certainty and sustainability compliance in the cryptocurrency ecosystem. This document enshrines a standardised approach to the regulation of CASPs and token issuers, ensuring predictability and uniformity of regulatory practices at the national level.

In April 2025, the European Securities and Markets Authority (ESMA) published the results of a peer review conducted on the MFSA’s activities related to the authorisation of CASPs under MiCA implementation. The review was part of a pan-European supervisory mechanism and aimed at assessing the consistency and effectiveness of the licensing procedures applied in Member States. According to the report published by ESMA, the MFSA has the necessary human, institutional and organisational resources to perform its functions in the area of CASP supervision and regulation. However, as part of a case study relating to the licensing of a service provider (whose name was not disclosed), ESMA identified certain shortcomings in terms of compliance with formal procedures. As a result, the Maltese regulator was qualified as “partially compliant” with the established standards and expectations of the supranational level. This assessment emphasises the need to continue to strengthen regulatory practices and harmonise approaches between national and European frameworks.

ESMA’s dedicated Peer Review Committee, the PRC, recommended that the Maltese regulator take corrective action in relation to unresolved issues that existed at the time of licensing. In particular, emphasis was placed on the need to review the approaches to the pre-application assessment, including the completeness of the business model analysis, the adequacy of the internal control system, the maturity of the compliance function and the adequacy of measures to prevent money laundering and terrorist financing risks. ESMA’s report emphasises that its content is not exclusively directed against the MFSA, but serves as a model for the development of converged supervisory practices by all national competent authorities (NCAs) of EU Member States. Given the novelty of the MiCA and the inherently high level of risks in the crypto sector, including the cross-border nature of transactions, the complexity of the technical architecture and the specific characteristics of tokenised models, the European Supervisory Architecture insists on a strict and uniform application of authorisation procedures.According to the MFSA database, the body has so far issued licences to four CASP providers under MiCA, including internationally recognised entities such as Bitpanda (BP23), Crypto.com (Foris Dax), OKX (Okcoin Europe) and ZBX (Zillion Bits). Despite this, OKX’s situation has come under particular scrutiny after the Malta Financial Intelligence Unit (FIAU) fined the company $1.2 million in April 2025 for breaches dating back to 2023 – well before it was granted a licence under MiCA. This case highlights the need for proper retrospective assessment of applicants’ compliance prior to authorisation.

The industry community’s reaction to ESMA’s report has been reserved. Representatives of international legal and regulatory advisors do not predict the cancellation of previously issued licences, noting that the report rather points to the need for a more rigorous ex-ante assessment of applicants than to the existence of legally fatal breaches. It is also pointed out that ESMA, as a supranational body, does not have the power to revoke licences issued at national regulator level. From a legal perspective, the situation emphasises the importance of the proper implementation of the principles enshrined in Articles 60-64 of MiCA regarding authorisation procedures and Articles 82-87 regarding CASP supervision. The MFSA, in turn, is obliged, in the exercise of its powers, to comply with both MiCA and the supervisory expectations of European bodies, including ESMA and EBA, which becomes particularly relevant in the context of the active supervisory coordination under the Single Supervisory Mechanism for Digital Assets. The published report therefore records the first steps towards developing case law on the application of MiCA in the EU and highlights the need for a coordinated and strictly legally sound approach to the assessment of applicants and monitoring of their post-licence activities. The Maltese regulator will have to take into account the comments made to strengthen the institutional robustness of its supervisory process and reaffirm its reputation as one of the leading cryptocurrency jurisdictions in the European Union.

ESMA strengthens supervision of MiCA implementation

In July 2025, the European Securities and Markets Authority (ESMA) published two fundamental documents aimed at ensuring the effective and coordinated implementation of Regulation (EU) 2023/1114 on markets in cryptoassets (MiCA) at European Union level. One document provides guidelines for assessing the knowledge and competence of cryptoasset service provider (CASP) personnel, while the other presents the outcome of an in-depth peer review of the CASP licensing process by the Malta Financial Services Authority (MFSA). Both documents illustrate ESMA’s commitment not only to harmonising supervisory standards, but also to proactive supervision that eliminates a formal approach to licensing. Published on 11 July 2025, the ESMA Guidelines define minimum standards of knowledge and competence for CASP personnel involved in providing information or advisory services in relation to cryptoassets. The guidelines are based on Article 81(7) MiCA and are subject to the regulatory practice of EU national competent authorities (NCAs). It sets out a two-tier differentiation of requirements: for personnel providing information only and personnel providing advice. The expected level of training for advisers is significantly higher, including requirements for education, experience, continuing professional development and understanding of the specific risks of the crypto market. ESMA emphasises that advisers should have a comprehensive understanding of distributed ledger technology, the volatility of cryptoassets, the features of valuation models and the differences between MiCA and MiFID II regimes. Mandatory training hours (between 80 and 160), experience requirements (between 6 months and 2 years depending on the profile) and the mandatory annual internal competence assessment are set. ESMA has deliberately opted out of mandatory external certification, citing its limited applicability, but has encouraged the use of accredited CPD (continuing professional development) providers. In parallel, on 10 July 2025, ESMA published a Peer Review Committee (PRC) opinion on the quality of the implementation of CASP licensing procedures by the Malta Financial Services Authority. The assessment was prompted by an increase in licence applications and signalled potential deviations from the uniform supervisory practices required by MiCA. The PRC expressed concern about the issuance of a CASP licence for which there were outstanding issues relating to IT infrastructure, data and key storage, KYC/AML mechanisms, business model assessment and conflict of interest management.

ESMA’s findings point to insufficient depth of analysis, limited use of supervisory powers at the pre-authorisation stage and untimeliness of certain supervisory actions. The regulator explicitly stated that the MFSA should have applied a more rigorous licensing clearance rather than relying on ex post monitoring after authorisation. In doing so, ESMA emphasised that the problem is not only jurisdictional but also systemic: it affects all NCAs subject to the obligation to properly implement MiCA. The report presents recommendations for all European supervisory authorities, including the need to review approaches to assessing applicants’ business plans, a particular focus on IT architecture (in line with DORA), analysing customer interaction interfaces and identifying risks associated with unregulated services and DeFi protocols. ESMA also recommends active engagement through the Digital Finance Standing Committee (DFSC) to harmonise practices and strengthen information sharing. In response to the report, the MFSA stated its readiness to take the recommendations into account, emphasising its commitment to transparency and its leadership position in crypto regulation in the EU. At the same time, the Maltese regulator expressed its intention to continue co-operating with ESMA and other supervisory authorities to achieve the goals of regulatory convergence. ESMA’s July 2025 publications confirm that uniform application of MiCA requires not only legislative compliance but also maturity of institutional practice. New standards for CASP staff competence and critical licensing oversight in individual jurisdictions raise the bar for crypto market regulation in the EU, strengthening investor protection and the long-term sustainability of the financial system.

MiCA implementation in Malta

Since the entry into force of the Markets in Cryptoassets Regulation (EU) 2023/1114 (MiCA), the Republic of Malta has positioned itself as a leading jurisdiction in the licensing process for cryptoasset-related service providers (CASPs). However, despite the rapid adaptation of the regulatory framework and the rapid granting of licences to leading cryptocurrency operators, the approach of Malta’s regulator, the Malta Financial Services Authority (MFSA), has raised concerns from European supervisory authorities and market participants regarding the rigour and soundness of the authorisation procedures. The criticism is centred around the accelerated authorisation process, particularly in relation to certain CASPs that have received pre-authorisation status in a matter of days. For example, cryptocurrency platform OKX received pre-authorisation on 23 January 2025, and a final licence on 27 January, just four days later. Notably, shortly before that, the company paid $500 million to the US Department of Justice as part of a settlement for violations related to unregistered crypto-services activities. Additionally, in April 2025, the MFSA fined OKX $1.2 million for failing to comply with national anti-money laundering laws. This speed of licensing has caused a number of European regulators to question the completeness of due diligence and the compliance of procedures with the principles of integrity and professional reliability enshrined in Articles 60-64 of the MiCA. In particular, concerns have been raised about the extent to which the MFSA assesses in detail applicants’ IT infrastructure, digital asset storage models, risk management mechanisms, AML/CFT compliance measures, and policies for identifying and addressing conflicts of interest.

Fundamental to Malta’s fast-track practice is the Virtual Financial Assets (VFA) regulatory framework introduced in 2018, which allows existing VFA licence holders to qualify for a simplified transition to the MiCA regime. According to the MFSA’s positioning, holding a valid VFA licence until 30 December 2024 entitles the holder to an expedited application process and pre-authorisation status. This model has drawn criticism from other National Competent Authorities (NCAs) as it implies a different standard of review compared to jurisdictions that did not have local regulation of the crypto market prior to MiCA. A number of industry representatives and European regulators have raised concerns about the sustainability of such a model. The AMF has called for increased coordination with ESMA and more transparent information sharing on CASP licensing practices across the EU, emphasising the need to minimise regulatory arbitrage. The actual difference in the speed and depth of licensing between France, Germany, the Netherlands and Malta was also highlighted in the analytical comments of a number of legal practitioners. In particular, it was noted that some countries, including Malta and Cyprus, granted pre-authorisation status before final approval of all regulatory technical standards, while France followed more rigorous procedures based on PACTE and ESMA compliance checks. Despite the criticism, the MFSA insists on a proportionate approach to assessing applicants based on the principle of risk-based regulation. In a published statement, the regulator stresses that authorisation is only granted after a comprehensive check of all information submitted, and the decisions taken strike a balance between procedural efficiency and depth of analysis. However, observers point out that there is no public disclosure of the criteria by which the decision to grant pre-authorisation status is made, which reduces the transparency of the practice. A number of statements by cryptocurrency companies confirm the choice of Malta as a jurisdiction with an accessible and elaborate legal environment. For example, Crypto.com, which has an international licensing history, including instances of sanctions for operating without a licence (notably a €2.85 million fine from the Dutch Central Bank), has also received approval in Malta for early 2025. The company emphasises that its presence on the island is long-term and the Maltese licence is part of its strategic positioning.

This situation raises a broader question for the European institutions – how effectively the pan-European regulatory system can function if the approaches to MiCA implementation in the member states are strikingly different. The precedents of “golden passports” and the permanent residence programme found by the EU Court of Justice to be contrary to Union law undermine confidence in a regulatory model based on inter-state mutual recognition. In the context of observed supervisory arbitrage and varying degrees of maturity of supervisory mechanisms in the EU, achieving real convergence and transparency, especially in the CASP licensing process, becomes a key challenge. The European Commission, ESMA and the EBA must develop a sustainable monitoring, comparability and mutual evaluation framework capable of minimising the risks of cryptocurrencies “spilling over” to the least demanding jurisdictions. Otherwise, the reliability and perceived value of the MiCA licence could be called into question not only within the EU, but also beyond.