MiCA Regulation
Updates and Implementation Status of EU MiCAR
The Markets in Crypto-Assets Regulation (MiCA) is the EU’s comprehensive licensing and disclosure framework for crypto-asset issuers and service providers. It applies across all 27 member states and has been fully in force since December 30, 2024. LegalBison advises crypto founders, exchanges, stablecoin issuers, and payment platforms on CASP authorization, MiCA licensing, and jurisdiction selection across the EU.
This page tracks MiCA’s implementation status by member state, explains which activities fall inside and outside scope, and outlines what a complete CASP application requires.
Background of the MiCA Regulation
The MiCA regulation is the new unified set of rules prepared by the EU to manage and control the use and spread of crypto assets across all its Member States. The main objective of MiCA is to regulate all crypto-related businesses that fall into its scope according to one clearly defined rulebook. Here is what crypto business owners can expect from MiCA once it comes into force.
MiCA is EU Regulation 2023/1114, published in the Official Journal of the European Union on June 9, 2023 and fully applicable from December 30, 2024. It is the first comprehensive EU-level framework governing the issuance and trading of crypto-assets, the operation of crypto-asset service providers, and the public offering of asset-referenced and e-money tokens.
Before MiCA, crypto regulation in the EU was fragmented: national regimes varied widely in scope, authorization requirements, and enforcement intensity. Some member states operated VASP registration frameworks aligned with FATF standards; others had minimal dedicated crypto rules. MiCA replaced this patchwork with a single harmonized framework that operates directly in each member state without requiring national transposition.
The core outputs of MiCA authorization are passportability and credibility. A CASP authorization issued by one national competent authority (NCA) gives the holder the right to provide the authorized services across all 27 EU member states and the European Economic Area, without requiring separate authorization in each country. That single-authorization passport is the primary commercial reason most crypto businesses pursue MiCA licensing. See crypto licensing in Europe for a full jurisdictional overview.
The full MiCA text is available at EUR-Lex: EU Regulation 2023/1114.
MiCA was adopted by the European Parliament on April 20, 2023 and entered into force on June 29, 2023, twenty days after publication in the Official Journal. Application was phased:
- June 30, 2024: Titles III and IV of MiCA took effect, covering asset-referenced token (ART) issuers and e-money token (EMT) issuers. Stablecoin issuers operating in the EU were required to comply with authorization, reserve, and disclosure requirements from this date.
- December 30, 2024: The full MiCA framework became applicable, covering all crypto-asset service providers (CASPs) and crypto-asset issuers making public offerings. This is the date from which operating as a CASP in the EU without authorization became a regulatory infringement.
- Grandfathering period: Member states were permitted to allow VASPs already registered under national law before December 30, 2024 to continue operating for up to 18 months from that date, subject to national discretion. The maximum grandfathering period runs to July 1, 2026. After that date, all CASPs operating in the EU must hold a valid MiCA authorization regardless of prior national registration status.
The grandfathering window has largely closed for planning purposes. Businesses that had not applied before mid-2025 face a narrow timeline to achieve authorization before enforcement becomes universal.
MiCA defines its scope precisely. The distinction between in-scope and out-of-scope matters because it determines whether a business requires CASP authorization, token issuance authorization, or neither.
In scope
- Stablecoin issuers: Issuers of asset-referenced tokens (ARTs), which maintain stable value by referencing a basket of assets, fiat currencies, or commodities, and issuers of e-money tokens (EMTs), which maintain stable value by referencing a single fiat currency. Both categories carry authorization and reserve requirements under MiCA Titles III and IV;
- CASP operators: Any legal entity providing one or more of the regulated crypto-asset services defined in MiCA Article 3(1)(16), operating on a professional basis in or to EU clients. The full CASP service categories are covered in the next section;
- Crypto-asset issuers making public offerings: Projects issuing crypto-assets other than ARTs or EMTs and offering them to the public in the EU must publish a MiCA-compliant whitepaper and comply with the disclosure obligations in MiCA Title II.
Out of scope
- Fully decentralized DeFi protocols: Where no identifiable legal entity controls the protocol or provides services on the basis of that protocol, MiCA does not apply. The decentralization threshold is not precisely defined in the regulation, and ESMA has acknowledged that most DeFi protocols have some degree of centralized governance that may bring them within scope. Each DeFi project requires legal analysis against its specific architecture;
- Most NFT platforms: MiCA excludes unique and non-fungible crypto-assets from its scope where they are not interchangeable. However, fractional NFT collections, large-batch NFT issuances, and NFT platforms that also custody or exchange fungible tokens may fall partially within scope;
- Central bank digital currencies (CBDCs): CBDCs issued by EU central banks are explicitly excluded;
- Financial instruments already regulated under MiFID II: Securities tokens and instruments that qualify as financial instruments under MiFID II are regulated under that framework, not MiCA. The boundaries between MiCA and MiFID II require careful analysis for tokenized securities and hybrid instruments.
MiCA authorization is activity-specific. A CASP holding authorization for one service category is not automatically authorized for others. A business operating across multiple categories must obtain authorization for each, and the authorization scope must match the actual services provided.
MiCA defines the following regulated CASP activities:
- Custody and administration of crypto-assets on behalf of clients;
- Operation of a trading platform for crypto-assets;
- Exchange of crypto-assets for fiat funds;
- Exchange of crypto-assets for other crypto-assets;
- Execution of orders for crypto-assets on behalf of clients;
- Placing of crypto-assets;
- Reception and transmission of orders for crypto-assets on behalf of clients;
- Providing advice on crypto-assets;
- Providing portfolio management of crypto-assets;
- Providing transfer services for crypto-assets to clients.
Passport-eligible activities: All ten CASP service categories are passport-eligible. Authorization in one EU member state covers provision of the same authorized services across all 27 member states and the EEA, subject to standard passporting notification to the host NCA.
Activities that may trigger dual licensing: Transfer services and the placing of crypto-assets can overlap with payment services regulated under PSD2. Businesses whose crypto transfer architecture involves the movement of fiat funds, the initiation of payment transactions, or the holding of client fiat balances may require an Electronic Money Institution (EMI) or Payment Institution (PI) authorization in addition to their CASP license. The dual-licensing question is business-model-specific and should be analyzed before application.
The table below reflects the implementation status and relative positioning of key member states as of early 2026. ESMA maintains the public register of authorized CASPs at esma.europa.eu.
| Country | NCA | MiCA Adopted | Key Notes |
| --- | --- | --- | --- |
| Poland | N/A | No | High volume; English-language engagement; strong crypto licensing track record |
| Lithuania | Bank of Lithuania | Yes | Recognized fintech hub; EMI infrastructure well-developed for crypto businesses |
| Germany | BaFin | Yes | Thorough review process; established crypto custodian authorization track record pre-MiCA |
| France | AMF | Yes | PSAN regime preceded MiCA; transitioning to full CASP authorization |
| Netherlands | AFM | Yes | DNB held VASP responsibilities pre-MiCA; transition to AFM CASP authorization ongoing |
| Malta | MFSA | Yes | Early EU crypto regulator; established licensing infrastructure |
| Cyprus | CySEC | Yes | Active fintech licensing history; attractive for mid-size operators |
| Czech Republic | CNB | Yes | Pro-innovation regulator; English-language process; strong operational cost advantage |
| Estonia | EFSA | Yes | Legacy VASP regime replaced by MiCA CASP process |
| Luxembourg | CSSF | Yes | Financial center with institutional-grade infrastructure |
| Austria | FMA | Yes | Stable regulatory environment; German-language primary |
Which EU member states have issued the most CASP authorizations
Lithuania has processed the highest volumes of CASP applications in the early phases of MiCA implementation, reflecting its established fintech licensing infrastructure and English-language regulatory engagement. Germany, France, and the Netherlands follow in terms of institutional application volumes. Malta and Cyprus attract mid-size operators with established legal service ecosystems. Czech Republic and Estonia are gaining ground among early-stage applicants for whom operational cost and regulatory accessibility are primary selection criteria.
The optimal jurisdiction for any specific applicant depends on business model, target markets, operational footprint, and banking requirements. LegalBison conducts jurisdiction assessments as the first step in every CASP engagement. See crypto licensing in Europe for full jurisdiction-by-jurisdiction analysis.
How to get a European crypto license under MiCA
A complete MiCA application is not a form submission. It is a structured dossier that addresses regulatory, governance, and financial requirements defined by both MiCA itself and ESMA’s delegated technical standards. The documents that most frequently cause delays when missing or underspecified are listed below.
Requirements for the MiCA license
Legal opinion on business model classification
Required before the NCA can assess which CASP categories apply. The opinion must map the applicant's specific technical and commercial model, including token types, custody arrangements, and client-facing flows, to the MiCA activity definitions. Generic whitepapers do not satisfy this requirement. NCAs return applications that lack a precise classification analysis.
Minimum own funds by activity category
| Capital Tier | Min. Own Funds | Applicable CASP Activities |
| --- | --- | --- |
| Tier 1 | EUR 50,000 | Advice on crypto-assets, reception and transmission of orders, placing of crypto-assets |
| Tier 2 | EUR 125,000 | Exchange for fiat funds, exchange for other crypto-assets, execution of orders, operation of a trading platform |
| Tier 3 | EUR 150,000 | Custody and administration, portfolio management, transfer services to clients |
Capital must be fully paid up and maintained on an ongoing basis. For businesses operating across multiple categories, the highest applicable threshold applies.
Fit and Proper assessment for key function holders
Directors, the MLRO, and beneficial owners holding more than 10% of the applicant must each be individually assessed and documented against the Fit and Proper criteria in MiCA Article 31. The assessment covers professional qualifications, regulatory history, criminal record, and reputational standing. NCAs verify these individually and any gap in the Fit and Proper package triggers a request for information that pauses the review.
AML/CFT program tailored to the business model
The AML/CFT program must map to the applicant's specific user flows, product architecture, and risk profile. A generic AML policy template does not satisfy ESMA's technical standards. The program must address customer risk categorization, transaction monitoring thresholds, Travel Rule implementation, and the MLRO's escalation procedures in the context of the applicant's actual service.
Client asset safeguarding arrangements
CASPs that hold crypto-assets or fiat funds on behalf of clients must demonstrate segregation arrangements before authorization is granted. This includes custody agreements, sub-custody arrangements where applicable, and documented client fund reconciliation procedures. Many first-time applicants attempt to address this requirement after submission; NCAs expect it to be resolved before the application is filed.
IT security framework and DORA alignment
From January 17, 2025, the Digital Operational Resilience Act (DORA) applies to all regulated financial entities in the EU, including licensed CASPs. The MiCA application must address ICT risk management, incident reporting procedures, third-party provider oversight, and operational resilience testing.
Business plan and three-year financial projections
The business plan must demonstrate a credible path to regulatory capital maintenance, describe the governance structure in detail, and project financial performance over three years. Projections that assume unrealistic growth curves or revenue trajectories are flagged during review.
Common MiCA application mistakes
The following patterns consistently extend review timelines or result in rejection at the preliminary assessment stage.
Underspecified AML/CFT program
A generic AML policy template does not satisfy ESMA's Level 2 technical standards. The program must map directly to the applicant's specific user flows and risk profile. An exchange serving retail clients across 15 countries with on-ramp services has a materially different risk profile from an OTC desk serving institutional counterparties. The AML documentation must reflect that difference. Submissions that arrive with the same generic framework used for a different jurisdiction or a different business type are returned.
Missing client asset safeguarding arrangements
CASPs that hold client assets must demonstrate segregation arrangements before authorization. Many first-time applicants treat this as a post-authorization operational matter. NCAs treat it as a pre-authorization documentation requirement. The result is a request for information that pauses the review clock at the point when the applicant expected approval.
Vague business model descriptions
The NCA cannot assess the scope without a precise technical description of the service. An application that describes the business as a crypto exchange without specifying token types, custody model, order book architecture, and client-facing fund flows gives the NCA nothing to assess against the MiCA activity definitions. The model must be described with enough precision that the authorization scope can be drawn exactly.
Mismatched capital and activity scope
Applicants sometimes underestimate their capital requirement by excluding service categories from their activity description. If the operational reality includes custodying client assets (EUR 150,000 threshold), but the application describes the business as a simple exchange (EUR 125,000 threshold), the NCA will identify the discrepancy during review and require a revised application and capital plan.
Inadequate Fit and Proper preparation
Beneficial owners, directors, and MLROs who have not prepared their Fit and Proper documentation in advance create the most common single-point delay in MiCA applications. NCA requests for Fit and Proper supplementary information are among the slowest to resolve because they depend on individuals gathering personal documentation, sometimes across multiple jurisdictions.
How LegalBison helps your business to be MiCA-compliant
LegalBison maps each client's business model to its specific MiCA obligations and identifies the optimal EU jurisdiction for CASP authorization before the application process begins. That upfront analysis determines the correct CASP activity categories, the applicable capital threshold, the passporting strategy, and the NCA most suited to the client's operational profile and timeline.
The most common CASP models and their MiCA positions:
- Centralized exchange operators (CEX). Authorization for exchange for fiat funds, exchange for crypto-assets, and operation of a trading platform. Capital threshold: EUR 125,000 to EUR 150,000 depending on trading model. Optimal jurisdictions: Poland, Lithuania, Czech Republic. See crypto licensing in Europe;
- OTC desks and brokerage platforms. Authorization for exchange for fiat funds and execution of orders. Capital threshold: EUR 125,000. Dual licensing required if client fiat balances are held between settlement cycles. Related: VASP license and DASP license frameworks for non-EU jurisdictions;
- Portfolio managers. Authorization for portfolio management of crypto-assets. Capital threshold: EUR 150,000. MiCA governance obligations apply, including segregated mandate documentation and client reporting. Optimal jurisdictions: Luxembourg, Germany, France;
- Crypto payment processors and on/off-ramp providers. Authorization for transfer services, combined with EMI or PI licensing where fiat payment initiation or settlement is involved. Dual-licensing analysis is mandatory before application. Optimal jurisdictions: Lithuania, Poland, Malta;
- Token issuance projects. Public offering of crypto-assets under MiCA Title II requires a compliant whitepaper and, where the token qualifies as an ART or EMT, full stablecoin authorization. Legal classification of the token precedes any regulatory filing.
LegalBison manages the complete application lifecycle: business model classification, jurisdiction selection, legal opinion production, compliance program design, NCA engagement, application drafting, submission, and post-authorization compliance support.
For MiCA CASP authorization, stablecoin licensing, and MiCA compliance infrastructure, contact LegalBison at legalbison.com.
MiCA jurisdictions for your crypto business
LegalBison provides all-encompassing advice and practical help in navigating the regulatory frameworks of different EU jurisdictions for effective and transparent CASP licensing.
Get ready for MiCA
Is your crypto business ready for MiCA? Do not leave this matter to chance, as ESMA has announced heavy sanctions for non-compliant crypto-asset service providers.
Request an assessment and order the complementary compliance elements from our dedicated team, and ensure a smooth transition.
FAQ about the MiCA license and regulation
No. MiCA is EU law and does not apply in the United Kingdom. The UK operates its own crypto-asset regulatory framework under the Financial Services and Markets Act 2000 (as amended), with the FCA as the supervising authority. UK-based businesses that provide crypto-asset services to EU clients, however, must assess whether their activities constitute provision of regulated services inside the EU, which can trigger MiCA obligations regardless of where the entity is incorporated. Cross-border service analysis is required for UK operators targeting EU retail or institutional clients.
MiCA entered into force on June 29, 2023. Stablecoin-specific provisions (Titles III and IV covering ART and EMT issuers) became applicable on June 30, 2024. The full framework, covering all CASPs and crypto-asset issuers, became applicable on December 30, 2024. The grandfathering period for previously registered VASPs runs until July 1, 2026 at the latest, subject to individual member state discretion. From that date, all CASPs operating in the EU must hold a valid MiCA CASP authorization.
MiCA (Markets in Crypto-Assets Regulation, EU Regulation 2023/1114) is the EU’s comprehensive legal framework for crypto-asset issuers and service providers. It establishes authorization requirements for crypto-asset service providers, disclosure and reserve obligations for stablecoin issuers, and public offering rules for crypto-asset projects. MiCA creates a single EU-wide licensing regime: a CASP authorization issued by one member state NCA passports across all 27 EU member states and the EEA.
Any legal entity providing regulated crypto-asset services on a professional basis in or to EU clients must hold a MiCA CASP authorization. The regulated services are: custody and administration, operation of a trading platform, exchange for fiat or crypto, execution of orders, placing, reception and transmission of orders, advice, portfolio management, and transfer services. Entities issuing ARTs or EMTs require separate stablecoin authorization. Crypto-asset issuers making public offerings to EU investors must publish a compliant MiCA whitepaper.
MiCA establishes compliance requirements for coin issuers rather than categorizing existing coins as compliant or non-compliant. Asset-referenced tokens (ARTs) and e-money tokens (EMTs) whose issuers hold valid MiCA authorization and maintain required reserves are MiCA-compliant stablecoins. Crypto-assets other than ARTs and EMTs that are publicly offered in the EU under a compliant MiCA whitepaper are MiCA-compliant for issuance purposes. The compliance status of any specific token depends on the issuer’s authorization position and disclosure documentation, not on the token’s technical characteristics.
MiCA applies on a services basis, not solely on an establishment basis. A company incorporated outside the EU that actively provides regulated crypto-asset services to EU-based clients is likely within MiCA’s scope. The regulation does not require physical presence in the EU to trigger its obligations: active targeting of EU clients, accepting EU retail orders, or marketing regulated services into the EU can be sufficient. Non-EU businesses serving EU clients should obtain a legal assessment of their MiCA exposure before the full enforcement environment is established.
Yes. MiCA does not restrict the nationality of shareholders or beneficial owners. A company incorporated in an EU member state and governed by a management board that meets Fit and Proper criteria can apply for CASP authorization regardless of where its shareholders are based. The company must meet the local substance requirements of the chosen member state, including genuine physical presence and appropriate governance, but foreign ownership is not a disqualifying factor.
A VASP registration was a national-level registration under member state law, typically aligned with FATF virtual asset service provider standards. It did not grant EU passporting rights and the requirements differed markedly by country. A MiCA CASP authorization is an EU-level financial services license granted under directly applicable EU regulation. It grants EU-wide passporting rights, carries materially higher governance and capital requirements than legacy VASP regimes, and is issued by a national competent authority applying harmonized EU standards. From December 30, 2024, VASP registrations no longer satisfy the legal requirements for operating crypto-asset services in the EU. The MiCA CASP authorization has replaced them.
MiCA sets a 25 working-day deadline for the NCA to assess whether an application is complete, and a 60 working-day assessment period from the date the application is deemed complete. In practice, the completeness check often surfaces requests for supplementary information that restart or pause the clock. Total time from submission to authorization decision, for a well-prepared application, typically runs three to six months. Applications with gaps in Fit and Proper documentation, AML programs, or client asset safeguarding arrangements take longer. LegalBison designs the application package to minimize RFI risk and manages NCA engagement throughout the review.
Get in touch with our MiCA experts
Do not stay in the dark. Whether you run a VASP in an EU member state or are planning to form a crypto company in Europe, we welcome your questions and requests!
Our team of legal experts has mastered the MiCA regulation to ensure flawless services to our clients.
Leave a request now for more information and a personalized consultation for your project.
Experts in fintech and crypto licensing worldwide.
Aaron Glauberman specializes in crypto and FinTech licensing, MiCA and PSD2 frameworks, and cross-border corporate structuring.