Crypto License MiCA Study

Study: “We Have an EU Office” Is Not Enough: Here’s What MiCA Regulators Actually Want to See

You have the entity. You have the address. You even have the capital. So why is the regulator still not satisfied? Because under MiCA, substance is an empirical test of whether your business genuinely operates from within the EU, and most applicants underestimate what that actually demands.

Study: “We Have an EU Office” Is Not Enough: Here’s What MiCA Regulators Actually Want to See image
Krystian Lapka photo
Krystian Lapka Lawyer at LegalBison
Aaron Glauberman photo
Aaron Glauberman Partner at LegalBison
Sabir Alijev photo
Sabir Alijev Partner at LegalBison
Viktor Juskin photo
Viktor Juskin Partner at LegalBison
May, 08 2026 9 minutes

Key Findings

  • Substance Over Presence: A registered address and nominal staff are insufficient; MiCA requires “genuine establishment” demonstrated through operational capabilities in personnel, technology, and financial resilience.

  • Mandatory Local Management: CASPs must have at least two senior executives overseeing operations, with an expectation that at least one executive board member is a permanent resident in the licensing jurisdiction.

  • Autonomous Technical Control: Under DORA and MiCA, EU personnel must maintain actual administrative control, encryption key management, and data access rights, ensuring the entity can operate independently of a global parent company.

  • Dynamic Financial Safeguards: Beyond initial capital requirements (ranging from 50,000 EUR to 150,000 EUR), CASPs must maintain prudential safeguards that automatically transition to a fixed overheads framework as the business scales.

The Myth: Registering a Company in the EU Fulfills the Substance Requirement

The regulatory landscape for digital assets within the European Union is undergoing a vast structural metamorphosis. The transition from the fractal, state-by-state registration regimes to the unified framework of Regulation (EU) 2023/1114 on markets in crypto-assets (MiCAR) introduces new common substance requirements. 

These requirements are aimed at providing empirical evidence of a firm’s operational capabilities in responding to regulatory burdens, managing risks, and serving both retail and institutional clients.

But what are these mystical substance requirements exactly?

Think of substance as the skeletal pillars upon which the business model rests to keep running. It refers to the engines, the wheels, and the steering devices in the moving vehicle that is the modern Crypto-Asset Service Provider (CASP).

MiCAR strictly codifies these foundational requirements primarily within Title V (Authorization and Operating Conditions for CASPs), establishing a minimal baseline across three main categories: 1) personnel, 2) technological facilities, and 3) financial resilience.

Substance is Determined on Three Aspects

  • Personnel

There must be at least two senior executives who jointly oversee daily operations. This provides a mutual check on executive power, mitigating the risk of rogue decision-making and ensuring that critical operational control remains onshore.

Reporting lines must demonstrate that strategic and operational control sits firmly within the EU, rather than being dictated by a parent company in a third country.

The management body must be of “sufficiently good repute and possess sufficient knowledge, skills and experience”. Accordingly, this is not merely a criminal background check.

To satisfy this advisory requirement, ESMA explicitly states that there must be at least one executive management board member permanently located in the home National Competent Authority’s (NCA) jurisdiction.

For instance, if you aim for a Polish license, be ready to have at least one executive management board member who is a resident of Poland.

Noteworthy! Supervisory briefings explicitly foresee the possibility of the executive management board not being resident as an exception; however, in those restrictive cases, this person should be obligated and ready to attend in-person meetings within two business days’ notice!

As may be read from the same briefings, the expectation of ESMA is that a board member will dedicate 100% of their professional time to their executive position, in this manner ensuring their diligence and unwavering duties towards the CASP (only in exceptional cases may “double-hatting” be allowed)!

  • Technical

Technological substance is deeply intertwined with the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which authoritatively applies to all CASPs. CASPs must demonstrate robust information and communication technology (ICT) systems. This requires the implementation of comprehensive business continuity policies, disaster recovery plans, and stringent cybersecurity protocols. Let’s not forget GDPR, and other staple regulations for those who are not familiar with EU data protection.

In human-readable terms, regulators are asking: “If the global parent company goes bankrupt or severs access, can the EU entity continue to operate and return client funds?” When assessing substance, advisory interpretations dictate that regulators evaluate whether the firm’s ICT infrastructure is under the actual control of the EU management team.

While leveraging global cloud computing infrastructure (like AWS or Azure) is permissible, the ultimate administrative control, encryption key management, and data access rights must firmly reside with the authorized EU personnel.

  • Financial

Substance fundamentally requires capitalization commensurate with the risks undertaken, because undercapitalized entities are viewed as hollow structures prone to collapse during market volatility. 

Besides the widely recognized and generally known paid in capital levels (presented in the table below) Article 67 additionally requires CASPs to maintain prudential safeguards:

CASP Classification Permitted Crypto-Asset Services Minimum Initial Capital
Class 1 Reception and transmission of orders; Investment advice; Portfolio management. 50,000 EUR
Class 2 Class 1 services plus: Exchange of crypto-assets for fiat currency or other crypto-assets; Execution of orders; Placing of crypto-assets. 125,000 EUR
Class 3 Class 1 and 2 services plus: Operation of a trading platform; Custody and administration of crypto-assets on behalf of clients. 150,000 EUR

These prudential safeguards are to be satisfied via paid-in capital or insurance coverage and equal to the higher of either their permanent share capital or one-quarter of the previous year’s fixed overheads.

As operations scale and overheads exceed four times the initial paid-in capital, CASPs must immediately transition to the fixed overheads framework! 

Proactive monitoring is critical here; firms must anticipate this inflection point and demonstrate they can raise their prudential safeguards in a timely manner to mitigate regulatory risk. 

Ultimately, the annual calculation of these overheads must rely on accounting figures from financial statements duly audited or validated by national regulatory authorities.

Regarding outsourcing

Article 73 permits CASPs to outsource operational functions, but the advisory briefings outline that extensive outsourcing may have the effect of shelling the company.

The metric presented by ESMA for the NCAs to assess this: the percentage of total costs spent on functions outside the EU.

Negative Scope: The Letterbox Company

To fully grasp the concept of substance, one must define its antithesis: the “letterbox” or “shell” company. 

A letterbox company is a legal entity that exists primarily on paper, registered at an address in a favorable jurisdiction, but devoid of any meaningful economic activity, human capital, or operational capacity within that jurisdiction.

While the freedom of establishment under EU law presupposes that operating a company within the EU should be seamless, the prevention of “wholly artificial arrangements” is a legal imperative. In the landmark Cadbury Schweppes ruling (Case C-196/04), the CJEU explicitly stated that a restriction on the freedom of establishment could only be justified to prevent such artificial arrangements. 

Accordingly, EU-based applicants will be heavily scrutinized to ensure their operational setup is designed to achieve a genuine business purpose, rather than acting exclusively as a regulatory workaround to acquire a MiCA passport.

Accordingly, one should ask why these stringent rules are in place? This is because undeniably, the assessments on whether substance is satisfied will be made through the lens of regulatory motives.

Subjective interpretation

Subjective interpretation- as it might be referred to in legal settings, aims at construing what is the motive of the regulator. This is important to keep in mind, because undeniably assessments on whether substance is satisfied will be made through this lens, keep it in mind!

Therefore, keep in mind the remarks made in this article, especially that related to “wholly artificial arrangements” but also these concrete points to keep in mind:

  • Crypto-asset markets have historically been plagued by high volatility and platform failures. Consequently, advisory guidance from ESMA establishes that regulators view the entire sector through a lens of elevated risk, ensuring the individuals safeguarding retail assets are physically within the reach of EU law enforcement.
  • Crypto-assets inherently facilitate rapid, cross-border transfers of value, making them highly susceptible to money laundering. Substance ensures that the individual responsible for filing suspicious activity reports (the MLRO) is physically present, holds genuine authority, and can interact directly with the local Financial Intelligence Unit.
    • In addition, one should consider broader measures; a prime example is the FATF and OECD. This is a global tide, not merely a grimace of the EU, especially with the recent reporting standard for crypto-assets the so-called CARF. In this sense, the developments are not standalone but operate on a mutually complementary basis.
  • Ultimately, a national competent authority cannot effectively supervise a postbox. If a cyber-attack or liquidity run occurs, the NCA must be able to summon executive leadership immediately and access physical servers or ledgers to execute recovery plans.

Accordingly, based upon the motives, it is likely that the regulators will scrutinize empirical evidence, in addition to physical facilities where possible. This includes both the application itself, but also subsequent compliance and unannounced inspections.

Noteworthy mention: “Gold-plating”

As a concluding remark to warn those pending authorization, firms must be acutely aware of “gold-plating”—that is, adopting a more stringent standard under national law than that which is foreseen by MiCAR.

While the authoritative regulatory framework is harmonized at the EU level, execution remains the prerogative of the NCAs. For example, Poland recently experienced a legislative veto crisis driven by proposed domestic laws granting the local regulator domain-blocking powers and imposing high supervisory fees.

Estonia previously served as the epicenter of accessible EU crypto licensing under its Financial Intelligence Unit (FIU) Virtual Asset Service Provider (VASP) registry. However, the implementation of MiCAR resulted in the Estonian Financial Supervision and Resolution Authority (FSA, or Finantsinspektsioon) taking over as the competent authority which may be perceived as having a more meticulous institutional practice towards regulation. 

Finally, Cyprus (CySEC) explicitly demands that the majority of a CASP’s board of directors be physical residents of Cyprus (out of two executive and two non-executive directors), layering national AML directives heavily on top of EU law.

Although MiCAR aims to demystify the rules across the Union, certain nuances in law, practice, and application will inevitably remain localized. Accordingly, it is highly advisable to reach out to competent legal counsel to ensure your firm’s substance stands up to the specific scrutiny of your chosen jurisdiction.

Key Takeaways

  • Anti-Shell Company Mandate: Regulators are strictly screening for “letterbox” companies. Any setup deemed a “wholly artificial arrangement” designed solely for regulatory workarounds will likely face license rejection.

  • The “Two-Day” Rule: If an executive board member is not a resident, they must be contractually obligated and ready to attend in-person regulatory meetings within two business days’ notice.

  • Operational Independence is Vital: Technical substance is tested by whether the EU entity can continue to function and return client funds if the global parent company severs access or enters bankruptcy.

  • Proactive Financial Monitoring: Firms must monitor the “inflection point” where their fixed overheads exceed four times their initial paid-in capital, as they are required to immediately increase prudential safeguards at that stage.

  • Beware of National “Gold-Plating”: While MiCA provides a unified framework, individual nations like Cyprus, Poland, and Estonia may impose more stringent local requirements regarding board residency and supervisory fees.

Other sources:

 

Share this article on