EU MiCA Regulation: A Compliance Guide for Crypto Firms

The Markets in Crypto-Assets Regulation (MiCA) is now the single most comprehensive crypto-asset regulatory framework in the world. Fully applicable since 30 December 2024, MiCA establishes harmonised rules across all 27 EU member states for crypto-asset issuers and service providers.

If you operate in the EU crypto market — or serve EU customers — MiCA compliance is no longer optional. This guide covers the key requirements, who they apply to, and what compliance looks like in practice.

What MiCA covers

MiCA (Regulation (EU) 2023/1114) regulates three categories of crypto-assets and the service providers that deal in them:

Crypto-asset categories

Asset-Referenced Tokens (ARTs): Crypto-assets that reference multiple currencies, commodities, or other assets to stabilise their value. Think multi-collateral stablecoins. Issuers must be authorised by their national competent authority.

E-Money Tokens (EMTs): Crypto-assets referencing a single official currency. These are the single-currency stablecoins (USDC, EURT). Issuers must be authorised as credit institutions or e-money institutions under existing EU financial services law.

Other crypto-assets: Everything else — utility tokens, payment tokens not classified as ARTs or EMTs, and other crypto-assets. These have lighter requirements: a white paper must be published and notified to the competent authority, but no pre-authorisation is needed.

MiCA explicitly excludes NFTs that are “unique and not fungible,” security tokens (covered by MiFID II), and central bank digital currencies.

CASP licensing: the core requirement

Crypto-Asset Service Providers (CASPs) are the primary regulated entities under MiCA. A CASP is any entity that provides one or more of the following services professionally:

• Custody and administration of crypto-assets on behalf of clients
• Operation of a trading platform for crypto-assets
• Exchange of crypto-assets for funds or other crypto-assets
• Execution of orders for crypto-assets on behalf of clients
• Placing of crypto-assets (marketing newly issued tokens)
• Reception and transmission of orders on behalf of clients
• Providing advice on crypto-assets
• Providing portfolio management of crypto-assets
• Providing transfer services for crypto-assets on behalf of clients

Authorisation requirements

To obtain CASP authorisation, entities must demonstrate:

• Legal entity establishment: Must be established in an EU member state with registered office and effective management in the EU
• Governance: Fit and proper management, adequate internal controls, risk management framework, and business continuity planning
• Prudential requirements: Minimum capital requirements — the higher of a fixed amount (EUR 50,000 to EUR 150,000 depending on services) or one quarter of fixed overheads of the preceding year
• Client asset safeguarding: Segregation of client funds and crypto-assets, adequate custody arrangements, and clear liability rules
• Complaints handling: Documented procedures for receiving and processing client complaints free of charge
• Conflicts of interest: Policies to identify, prevent, manage, and disclose conflicts of interest
• Outsourcing: Rules on outsourcing arrangements, including that outsourcing cannot impair the quality of internal controls or the competent authority’s ability to supervise

The passporting advantage

Once authorised in one EU member state, a CASP can passport its services across all 27 member states without additional authorisation. This is the major advantage of MiCA’s harmonised approach — one licence, one set of rules, access to 450 million consumers.

Stablecoin requirements

MiCA imposes particularly detailed requirements on stablecoin issuers, reflecting the systemic risk concerns that drove much of the regulation.

Asset-Referenced Tokens (ARTs)

ART issuers must:

• Obtain authorisation from their national competent authority
• Publish and maintain a detailed crypto-asset white paper
• Maintain a reserve of assets backing the token at all times, with prudent management policies
• Have the reserve held in custody by credit institutions or authorised crypto-asset custodians
• Grant holders a permanent right of redemption against the issuer at market value
• Maintain own funds equal to at least the higher of EUR 350,000 or 2% of the reserve
• Conduct regular stress testing of the reserve
• Have an orderly wind-down plan

E-Money Tokens (EMTs)

EMT issuers must be authorised as credit institutions or e-money institutions and additionally:

• Issue EMTs at par value on receipt of funds
• Redeem at par value at any time upon request
• Invest reserve funds only in secure, low-risk assets denominated in the reference currency
• Not grant interest or any benefit related to the length of time the holder holds the EMT

Significant stablecoins

The European Banking Authority (EBA) can designate ARTs or EMTs as “significant” based on criteria including customer base size, market capitalisation (exceeding EUR 5 billion), transaction volume, and interconnectedness with the financial system. Significant token issuers face enhanced requirements including higher own funds (3% of reserve), more detailed liquidity management, and direct EBA supervision.

Market abuse rules

MiCA introduces a market abuse framework specifically for crypto-assets, modelled on the Market Abuse Regulation (MAR) for securities. Key prohibitions:

• Insider dealing: Trading on material non-public information relating to crypto-assets
• Unlawful disclosure of inside information: Sharing inside information outside the normal course of business
• Market manipulation: Wash trading, spoofing, layering, pump-and-dump schemes, and disseminating false or misleading information

CASPs operating trading platforms have specific obligations to detect and report suspected market abuse. All persons professionally arranging or executing crypto-asset transactions must have systems to detect and report suspicious orders and transactions.

Penalties for market abuse are significant: up to EUR 5 million for natural persons and up to EUR 15 million or 15% of annual turnover for legal persons.

Ongoing compliance obligations

Beyond initial authorisation, CASPs face continuous obligations:

Disclosure and transparency

• Publish and keep updated the terms and conditions of service
• Provide clear, fair, and not misleading information to clients
• Disclose pricing, costs, and fees before transactions
• Publish order execution policies and demonstrate best execution

Operational requirements

• Maintain adequate ICT security systems (aligned with DORA for financial entities)
• Implement anti-money laundering procedures compliant with AMLD/EU AML frameworks
• Maintain records of all services, activities, and transactions for five years
• Report to competent authorities as required

Client protection

• Conduct appropriateness assessments for advisory and portfolio management services
• Segregate client assets and maintain clear records of entitlements
• Maintain adequate insurance or comparable guarantee against loss of client crypto-assets

The compliance timeline

MiCA’s implementation followed a phased approach:

• June 2024: Title III (ARTs) and Title IV (EMTs) applicable — stablecoin rules in force
• December 2024: Remaining provisions applicable, including CASP licensing requirements
• Transitional period: Member states could grant existing crypto firms a transitional period of up to 18 months (until 1 July 2026) to obtain full CASP authorisation

The transitional period is closing. Firms relying on the grandfathering provision must have their CASP authorisation applications well advanced. After the transitional period expires, unauthorised provision of crypto-asset services in the EU becomes a regulatory offence.

Navigating MiCA alongside other frameworks

MiCA doesn’t exist in isolation. Crypto firms operating globally face a patchwork of regulatory frameworks:

• EU AMLD / AML Regulation: AML obligations apply independently of MiCA
• DORA: CASPs authorised under MiCA are financial entities under DORA, triggering ICT resilience requirements
• National frameworks: Non-EU jurisdictions have their own crypto regulations (Australia’s ASIC guidance, Singapore’s Payment Services Act, Hong Kong’s VASP regime)

The challenge is mapping obligations across frameworks, identifying overlaps, and ensuring gaps between jurisdictions don’t create compliance blind spots.

---

AuditDSS covers MiCA alongside 12 other crypto-asset regulatory frameworks globally, with obligation-level decomposition and cross-jurisdictional mapping. Assess your compliance posture across the EU and every jurisdiction you operate in. Start your assessment.