MiCA Compliance: Requirements, Authorisation & Service Support

A MiCA-compliant entity is one that has obtained CASP authorisation under MiCA Title V, operates within its authorised scope, maintains required own funds, applies MiCA-mandated AML/KYC procedures, and meets ongoing reporting and governance obligations.

There is an important distinction here: being MiCA compliant means operating within the framework as a whole. Being MiCA authorised is a more specific status, referring to an entity that holds a CASP licence granted by a competent authority in an EU member state. An operator can be working toward compliance without yet holding the authorisation. The two terms are not interchangeable.

MiCA applies broadly across the EU crypto industry. The three main categories are:

• Crypto-Asset Service Providers (CASPs). Any entity providing services such as operating a trading platform for crypto-assets, exchanging crypto for funds or other crypto, executing orders, providing custody and administration of crypto-assets on behalf of clients, placing crypto-assets, receiving and transmitting orders, providing portfolio management, and giving investment advice on crypto-assets;
• Crypto-asset issuers. Entities issuing Asset-Referenced Tokens (ARTs), E-Money Tokens (EMTs), or other crypto-assets subject to whitepaper requirements under MiCA Titles III and IV;
• VASP operators adapting from national registrations. Businesses that held a nationally-issued VASP registration before December 30, 2024, may continue to operate under grandfathering provisions while upgrading to full CASP authorisation (see the Transitional Provisions section below).

MiCA does not apply to fully decentralised protocols with no identifiable central service provider, nor to crypto-asset services where no intermediary is involved. The DeFi carve-out is narrow: if there is an entity providing a service, even if the underlying infrastructure is decentralised, MiCA’s scope will typically apply.

The passing of the MiCA regulation represents a watershed moment for the European financial landscape, fundamentally designed to move the crypto-asset sector from a “wild west” environment into a structured, digital-age economy.

The primary objective is to replace the current patchwork of national rules with a dedicated, harmonized Union framework that provides legal certainty for all market participants.

MiCA introduces critical improvements in three distinct areas:

• Market Integrity and Stability: By establishing uniform requirements for the issuance and trading of crypto-assets, the regulation mitigates risks to financial stability and ensures the smooth operation of payment systems.

• Consumer and Investor Protection: MiCA mandates rigorous transparency through standardized information documents, known as “crypto-asset white papers,” which must disclose characteristics, risks, and environmental impacts of the assets. Furthermore, it grants retail holders specific rights, such as a 14-day right of withdrawal for certain acquisitions.

• Technological Neutrality and Innovation: The regulation is guided by the principle of “same activities, same risks, same rules,” ensuring that innovation is supported without imposing disproportionate burdens on the underlying technology itself.

Additionally, MiCA specifically addresses the emergence of stablecoins by classifying them into asset-referenced tokens (ARTs) and e-money tokens (EMTs), subjecting them to more stringent requirements due to their potential impact on monetary sovereignty.

The following items represent the core compliance obligations for a CASP under MiCA Title V. This is not an exhaustive list (specific requirements vary by service type and competent authority), but these are the areas every operator must address.

1. CASP authorisation. Obtain authorisation from a competent authority in an EU member state before providing crypto-asset services to clients in the EU.
2. EU legal entity domicile. The applicant must be a legal entity established in the EU. Non-EU entities cannot hold a CASP authorisation directly.
3. Minimum own funds / capital. Maintain the required capital level for the services offered (see the capital requirements table below).
4. Fit-and-proper management body. All members of the management body must pass a fit-and-proper assessment, demonstrating good repute, no prior criminal convictions, adequate knowledge, and sufficient time to carry out their duties.
5. Governance framework. Establish internal controls, risk management procedures, conflict of interest policies, outsourcing arrangements, and a business continuity plan.
6. AML/KYC programme. Implement a written AML/CFT policy aligned with EU Anti-Money Laundering Directives (AMLD5/AMLD6) and applicable national law, including customer due diligence (CDD), enhanced due diligence (EDD), and transaction monitoring (see the AML/KYC section below).
7. Travel Rule compliance. Apply FATF Recommendation 16 obligations as transposed through the Transfer of Funds Regulation (TFR): for transfers of EUR 1,000 or more, transmitting and receiving service providers must exchange originator and beneficiary information.
8. MLRO / AML officer appointment. Designate a qualified Money Laundering Reporting Officer responsible for the AML programme and regulator reporting.
9. ICT and operational resilience. Maintain secure ICT systems with documented security arrangements. Where applicable, comply with DORA (Digital Operational Resilience Act) requirements that run alongside MiCA for financial sector entities.
10. Whitepaper obligations. Publish a MiCA-compliant crypto-asset whitepaper where required. This obligation is applicable to issuers of ARTs, EMTs, and other crypto-assets not otherwise excluded (see the Whitepaper Requirements section below).

CASPs must implement a written AML/CFT policy aligned with the EU Anti-Money Laundering Directives (AMLD5/AMLD6) and each member state’s national transposition. In practice, this means the following:

• Customer Due Diligence (CDD). Verify the identity of all clients at onboarding. Apply enhanced due diligence (EDD) for higher-risk clients, including politically exposed persons and clients from high-risk jurisdictions identified by FATF;
• Travel Rule compliance. For crypto-asset transfers of EUR 1,000 or more, the originator’s CASP must transmit identifying information (name, account identifier, address, or identifier) to the beneficiary’s CASP. Both sides of the transaction have obligations under the Transfer of Funds Regulation;
• MLRO appointment. Every CASP must appoint a qualified Money Laundering Reporting Officer who owns the AML programme, handles suspicious transaction reporting, and maintains the regulator relationship;
• Transaction monitoring. Deploy a transaction monitoring system capable of detecting unusual patterns and generating alerts for review. The system’s parameters must be documented and periodically reviewed against the CASP’s risk matrix;
• Record-keeping. Maintain records of client due diligence documentation, transactions, and monitoring for a minimum of five years.

LegalBison’s compliance team designs AML/CTF programmes that meet both MiCA requirements and the standards of the specific competent authority in the chosen jurisdiction. Learn more about FATF standards and AML compliance frameworks.

Issuers of ARTs, EMTs, and other crypto-assets: those ARTs, EMTs, and other crypto-assets not falling within MiCA’s excluded categories must publish a crypto-asset whitepaper before offering tokens to the public or seeking admission to trading.

• Who must publish a whitepaper? Issuers of ARTs and EMTs; issuers of other crypto-assets where the offering is directed to the public or trading admission is sought; CASPs offering crypto-assets on behalf of third parties where no whitepaper exists;
• Mandatory disclosures. The whitepaper must include: identity and contact details of the issuer; description of the project and the crypto-asset; rights and obligations attached to the token; underlying technology description; environmental impact of the consensus mechanism used to issue the crypto-asset; applicable risk factors; and details of the offering;
• Right of withdrawal. Retail purchasers of crypto-assets (other than ARTs and EMTs) have a 14-day right of withdrawal from the date of purchase, with no penalty. This right must be disclosed in the whitepaper and in marketing communications;
• Notification requirements. The whitepaper must be notified to the competent authority before publication. For ARTs and EMTs, the whitepaper must receive formal approval. For other crypto-assets, notification without formal prior approval is the standard procedure, though the authority may require changes.

Operators who held a national VASP registration or equivalent crypto-asset authorisation before December 30, 2024, may continue providing services under existing national law during the transitional period, without immediately requiring full CASP authorisation.

The grandfathering window runs until July 1, 2026, or until the operator receives its MiCA CASP authorisation, whichever is earlier. Member states may reduce this period: several have already shortened the transitional window for operators under frameworks that the regulators consider significantly less stringent than MiCA.

For most EU member states, the grandfathering window has ended or is in its final phase. Operators who have not yet submitted a CASP authorisation application are at material risk of having to suspend services.

The adaptation process involves upgrading from a national registration to full CASP authorisation. This is not an automatic conversion. The operator must submit a full application to the competent authority in the chosen member state, meeting all documentation, capital, governance, and AML requirements as if applying from scratch, with the benefit that some documentation from the existing registration may be reused or updated rather than created entirely new.

LegalBison manages the full adaptation process. Contact the team to assess your timeline and scope.

LegalBison provides MiCA compliance support for established crypto exchanges and CASP operators who need practical, managed assistance. This covers more than regulatory guidance: it is end-to-end process management.

The scope of support covers the full compliance lifecycle:

• MiCA readiness assessment. Map the operator’s existing activities against MiCA’s service categories, identify the applicable CASP authorisation tier, and run a gap analysis against capital, governance, and AML requirements. This is the starting point for every engagement;
• CASP application management. Prepare and submit the full authorisation application to the competent authority in the chosen EU jurisdiction. LegalBison manages all regulator communications before, during, and after submission;
• AML/CTF programme design. Draft or update the written AML/KYC policy, risk matrices, transaction monitoring framework, and Travel Rule compliance procedures to meet MiCA and member state requirements;
• Whitepaper review and structuring. Assess existing whitepapers for MiCA compliance, draft new whitepapers for token issuers, and manage the notification or approval process with the competent authority;
• Governance framework setup. Design the internal control framework, outsourcing policies, conflict of interest procedures, and business continuity documentation required for a complete application;
• MLRO sourcing. Where the operator does not have a qualified MLRO in place, LegalBison’s talent sourcing team identifies and places appropriate candidates;
• Jurisdiction selection for CASP authorisation. For operators who have not yet selected an EU member state, LegalBison assesses the regulatory environment, timeline, and operational fit across jurisdictions, including Poland, Estonia, Czech Republic, Malta, Latvia, Slovakia, and Romania.

For the full CASP licensing pathway, see the CASP License page.