MiCA Compliance

The Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114, is the EU's harmonized licensing framework for crypto-asset service providers and issuers. Title V on CASPs has been fully applicable since 30 December 2024. Titles III and IV, covering asset-referenced tokens (ARTs) and e-money tokens (EMTs), came into force on 30 June 2024. The transitional regime under Article 143(3) runs to 1 July 2026, although several Member States, including Germany, the Netherlands, Austria, and Lithuania, closed their national windows earlier.

As of December 2025, ESMA's register listed roughly 103 MiCA-authorized CASPs across the EU. Germany's BaFin leads with 27 authorizations, followed by the Netherlands and Malta. France's AMF has issued 10, Austria's FMA 6, and Italy's CONSOB zero. Against an estimated 1,200+ legacy VASPs that needed to migrate, most of the field is still in the mid-application phase.

Any legal entity that provides one or more of the ten regulated crypto-asset services to EU clients on a professional basis requires CASP authorization. The ten services under Article 60 are: custody and administration, operation of a trading platform, exchange of fiat for crypto, execution of orders, placing, reception, and transmission of orders, advice, portfolio management, and transfer services. ART and EMT issuance requires separate stablecoin authorization under Titles III and IV.

Non-EU firms are reached if they actively target EU clients. Reverse solicitation is a narrow exception, not a loophole.

Existing regulated firms (MiFID investment firms, credit institutions, EMIs, PIs, UCITS managers, AIFMs) can use the simplified notification route under Article 60(2) instead of full authorization, which usually collapses the timeline to a few months.

The first is reactive. A previous consultant's file has been rejected, the NCA has come back with multiple rounds of RFIs, the grandfathering deadline is closing in, or a stablecoin partner or banking counterparty has asked for evidence of MiCA readiness.

The second is structural. A scaled crypto firm is moving from a national VASP regime into full CASP life, but doesn't have a senior compliance hire on the team yet and needs a named expert on file before the NCA will engage seriously.

I work with both.

An assessment of your current state against MiCA Articles 62, 67, and 68, and the relevant Regulatory Technical Standards on application content, governance, prudential, and operational requirements. Output is a remediation plan ranked by what the NCA will block on first, not what's easiest to fix.

The compliance components of the application file: programme of operations, internal governance framework, AML/CFT policy set, business continuity and ICT risk management documentation aligned to DORA, conflict of interest and outsourcing policies, fit-and-proper documentation packs, and the prudential calculation backing your Article 67 capital. I work alongside your legal counsel on corporate, capital, and contractual workstreams.

A diagnostic on why the file stalled, which almost always traces to one of five issues: weak AML/CFT without evidence of real enforcement, governance or fit-and-proper gaps, unverified or insufficient capital, no genuine EU substance (virtual addresses, nominee directors), or a business model the NCA can't map cleanly to MiCA's service categories. Then a focused rebuild of the affected sections and a structured RFI response plan.

MiCA's operational resilience expectations are explicitly aligned to DORA. The ICT risk management framework, third-party register, and incident handling that your CASP file needs are the same controls DORA will hold you to after authorisation. I build them once, for both.

Annual reporting, Register of Information maintenance, AML reviews, board reporting, and the ongoing supervisory engagement that starts the day after authorisation. Most firms underestimate this and have to scramble in year one.

The statutory timeline is 25 + 40 working days for the NCA to check completeness and then review the file. In practice, expect 6 to 12 months from a clean submission, longer if the file triggers multiple rounds of RFIs.

Three classes apply under Article 67. Class 1 (reception and transmission of orders, advice, execution, placing, portfolio management) requires €50,000. Class 2 (Class 1 plus custody, transfer, exchange) requires €125,000. Class 3 (Class 2 plus operation of a trading platform) requires €150,000. On top of the floor, you must hold own funds covering at least 25% of the prior year's fixed overheads in cash.

The five most common rejection drivers in 2025-2026: weak AML/CFT controls without evidence of real enforcement, governance and fit-and-proper gaps, unverified or insufficient capital, no genuine EU substance (virtual offices, nominee directors), and business models the NCA struggles to map to MiCA's service categories. Operational mistakes that kill files include slow RFI responses and last-minute filings into a closing grandfathering window.

After the EU-wide grandfathering backstop expires, firms operating without CASP authorisation in a Member State where the window has closed have three options: withdraw from that market, passport in from a Member State where they already hold a CASP, or use the Article 60(2) simplified notification if they hold a compatible EU licence (MiFID, EMI, PI, credit institution). Continued unauthorised activity exposes the firm to fines of up to €5 million or 12.5% of annual turnover under Article 111.

Yes, when they actively target EU clients. Marketing into the EU, accepting EU retail orders, or providing regulated crypto services to EU residents triggers MiCA, regardless of where the entity is incorporated. The reverse-solicitation exception applies only when services are provided exclusively at the client's own initiative, with no targeting or marketing into the EU.

It depends on your business model, tax position, and substance capacity. As of December 2025, Germany (BaFin, 27 authorisations) and the Netherlands led on volume, with Malta strong for leaner Class 2 setups and Lithuania popular for tech-forward Class 1-2 operators. France has been measured. Italy issued zero through the end of 2025. I include a jurisdiction comparison in the Readiness Assessment.

If your CASP application has stalled at the NCA, you're heading into the final grandfathering window without a complete file, or you need to stand up a compliance program that survives day one of CASP life, get in touch. First-call diagnostic is free.