Crypto regulation in the European Union (MiCA) – A 2025 playbook for CASPs

This article is a practical guide for founders, compliance leaders and boards preparing for authorisation under the EU Markets in Crypto-assets Regulation (MiCA). It reflects the position as of 13 September 2025 and is not a substitute for formal legal advice.

1) Executive snapshot – what’s in force and when

• MiCA (Regulation (EU) 2023/1114) is live in two phases: (i) stablecoin rules for asset-referenced tokens (ARTs) and e-money tokens (EMTs) apply since 30 June 2024; and (ii) the rest, incl. CASP (crypto-asset service provider) authorisation and conduct, has applied since 30 December 2024.
  
• Transitional relief: Member States may allow previously registered/regulated crypto firms to continue services temporarily, but sunset dates vary. Example: Luxembourg allows incumbents to operate until 1 July 2026 or until they’re granted/refused MiCA authorisation – whichever is sooner. Plan to comply with the shortest transition across your footprint.
  
• Adjacent frameworks: expect interplay with the EU Travel Rule (Transfer of Funds Regulation, TFR: Reg. 2023/1113) and DORA (digital operational resilience) from January 2025.

2) Who regulates what?

• Day-to-day supervision: your Home Member State NCA (national competent authority) authorises and supervises CASPs; passporting then unlocks EU-wide access. ESMA maintains EU-level guidance/RTS and the public register; EBA leads on significant ART/EMT issuers and related fees/RTS.
  
• Timeline discipline: NCAs follow MiCA time limits (acknowledge, completeness, decision), and a convergent approach is reinforced by ESMA/EBA Level-2/3 measures.

3) What is regulated under MiCA?

Crypto-asset = a digital representation of value/right transferable and storable electronically using DLT or similar. MiCA distinguishes ARTs, EMTs, and all other crypto-assets (e.g., utility tokens). MiCA applies to persons issuing, offering to the public/admitting to trading such assets, and to CASPs that provide services in the Union. 

CASP services (authorisation required before go-live)

MiCA lists regulated services broadly mirroring MiFID-style categories – for example: custody & administration, operation of a trading platform, exchange (VA/fiat or VA/VA), execution of orders, placing, reception & transmission of orders, transfer of crypto-assets, advice, and portfolio management on crypto-assets. 

Practical perimeter check: incidental or occasional provision still triggers authorisation; only specific MiCA carve-outs (e.g., certain already-licensed EU financial institutions under Article 60 after notification) avoid a full CASP authorisation for equivalent services. 

4) Marketing crypto services in Europe (and the reverse-solicitation trap)

• Marketing communications connected to an offer/admission must be clearly identifiable, fair, clear and not misleading, and consistent with the crypto-asset white paper, including a clear statement that a white paper has been published and the website address. Treat website/app copy, performance claims and influencer content as regulated communications.
  
• Reverse solicitation is narrow under ESMA’s 2025 Guidelines: the client’s exclusive initiative must be real and evidenced; disclaimers cannot override facts; any subsequent marketing or use of lead-gen funnels resets the analysis. In short, don’t rely on “RS” as a growth strategy.
  
• Travel Rule alignment (TFR): for transfers to/from EU-regulated CASPs, originator/beneficiary data must accompany the transfer; treat self-hosted wallets and sub-€1,000 scenarios under EBA’s convergent guidance. Build end-to-end data capture, screening and exception handling. 

5) Prudential requirements, paid-up capital & fees

CASP own funds (“prudential safeguards”): hold at least the higher of (a) the relevant permanent minimum capital in Annex IV or (b) ¼ of prior-year fixed overheads (reviewed annually). Typical Annex IV thresholds:

• €50,000 – advisory, reception/transmission, execution, placing, transfer, portfolio management;
• €125,000 – custody and exchange services;
• €150,000 – operation of a trading platform.

ART/EMT issuers face separate own-funds minima (e.g., ARTs: €350k / 2% of reserves / ¼ FOH, whichever higher), with uplifts possible for significant tokens via EBA RTS. 

Supervisory fees: CASP application/ongoing fees are set nationally by each NCA; EBA fees target significant ART/EMT issuers via a Commission Delegated Regulation adopted in 2024. Budget for NCA filing + ESMA/EBA levies where applicable. 

Board tip: your treasury should model both tests (Annex IV vs ¼ FOH) across growth scenarios; for custodians/trading platforms, complement capital with insurance and safeguarding controls to align with supervisory expectations.

6) Mandatory licensing standards (what NCAs scrutinise)

Governance & fit-and-proper. Management must be of good repute and demonstrably competent; boards need clear lines of responsibility, risk/compliance independence, and conflict management. Article 68 empowers ESMA to detail governance RTS – expect convergence on skills matrices and time-commitment standards. 

Safeguarding client assets & funds. Segregate client crypto-assets/funds; no use for own account; reconciliation and wallet-governance (hot/cold, key ceremony, access controls) must be robust and auditable. 

Complaints, conflicts, outsourcing, wind-down. Maintain transparent complaint handling; identify/prevent/manage conflicts of interest; take all reasonable steps to avoid risk when outsourcing (including ICT/critical third parties consistent with DORA); keep an orderly wind-down plan current. 

Market integrity. MiCA imports a crypto-specific market-abuse regime – embed surveillance, insider-list controls and disclosure procedures proportionate to your business model. 

AML/CTF (TFR). Build end-to-end Travel Rule compliance (data fields, thresholds, self-hosted wallet procedures), sanctions screening and SAR escalation consistent with EBA guidance.

Operational resilience (DORA). ICT risk governance, incident reporting, testing and third-party risk management under DORA are now part of the baseline for financial entities, including authorised CASPs. Ensure your MiCA pack maps to DORA controls. 

7) Authorisation pathway & timelines (what to expect)

Where you file: with your Home NCA via its portal (pre-application meetings encouraged). A typical process looks like this:

1. Acknowledgement of receipt (~5 working days);
2. Completeness check (≤ 25 working days);
3. Decision within ~40 working days of a complete file (pauses possible while responding to RFIs);
4. Passport post-authorisation via notification. 

Application content (Article 62). Expect to submit: programme of operations; governance map; internal control framework; prudential safeguards and FOH calculation; AML/CTF policies incl. Travel Rule runbook; ICT/cyber & BCP/DR; outsourcing; complaints and conflicts policies; draft client agreements and disclosures; and fitness/propriety files for qualifying holders and managers. NCAs must not duplicate information already held under other EU regimes for the same entity. 

Issuers (Title II). Where you offer crypto-assets other than ART/EMT to the public or seek admission to trading, publish a white paper and ensure marketing is consistent and clearly identified. White papers are notified, not approved – liability attached to their content. 

8) Documents you’ll be asked for (CASP pack)

• Corporate: constitutional documents; group structure; ownership/control map; fitness & propriety evidence (controllers, directors, key function holders).
• Business & prudential: programme of operations; Annex IV capital mapping; ¼ FOH computation methodology; liquidity runway. 
• Conduct & client protection: client asset safeguarding policy; order-handling/best-execution (if relevant); complaints policy; conflicts matrix.
• AML/TFR: CDD/KYC standards; Travel Rule vendor and fall-back procedures; sanctions controls; SAR runbooks.
• Tech & resilience: wallet architecture (HSMs, key management, segregation), security testing, incident response, BCP/DR; DORA mapping.
• Marketing & disclosures: communication governance, risk warnings, consistency with any white paper, influencer/affiliate controls.

9) Costs & timelines – what to budget

• Authorisation fees: national (vary by NCA). Build in: pre-application time, filing fee, annual supervision fee, and passport notifications.
• EBA fees: relevant only for significant ART/EMT issuers, per the Delegated Regulation adopted in 2024.
• Duration: complete, well-argued files often run 3–4 months end-to-end; complex models or multi-service footprints can take longer (statutory decision clock starts at complete file).

10) Common trip-ups (so you can avoid them)

• Treating reverse solicitation as a go-to market plan (it isn’t); relying on banners/SEO funnels while claiming “own initiative”.
  
• Under-resourcing safeguarding (segregation, reconciliations, incident reporting) and wallet governance for custody/exchange models.
  
• Marketing claims not aligned with white-paper and risk warnings (especially for yield/staking-like features).
  
• Forgetting TFR: missing or poor-quality originator/beneficiary data blocks straight-through processing and creates SAR exposure.

11) How CRYPTOVERSE Legal gets you authorised – cleanly and fast

• Regulatory mapping & strategy. We benchmark your model against MiCA’s service definitions and Title II issuance triggers; if you’re an EU-licensed institution under Article 60, we structure the notification path to avoid duplicative authorisations.
  
• CASP dossier build. We drafted a Home-NCA-ready pack aligned to Article 62 (operations, governance, prudential, AML/TFR, ICT/DORA). We also tailor Annex IV vs ¼ FOH prudential modelling and board attestations.
  
• Marketing compliance & RS. We pre-clear communications, implement approval logs and train teams on ESMA reverse-solicitation red flags.
  
• Operationalisation. From Travel Rule vendor selection to wallet-governance and market-abuse surveillance, we convert policy into daily controls supervisors expect to see live.

12) Quick reference (MiCA essentials)

• Dates: ART/EMT rules 30-Jun-2024; full MiCA (incl. CASPs) 30-Dec-2024.
• Capital: €50k/€125k/€150k, or ¼ FOH – whichever is higher (Annex IV / Art. 67).
• Marketing: “fair, clear, not misleading”; consistent with white paper; RS applied narrowly. 
• Application timing: ≤25 wd completeness; ~40 wd decision after complete file; passporting thereafter.
• Travel Rule: Regulation 2023/1113 – build data capture, screening and exception workflows.

Legal notice

This publication is for general information only and does not constitute legal advice. Decisions should be taken with reference to the MiCA text, Level-2/3 measures and local NCA practice. Key sources: EUR-Lex (MiCA & TFR), ESMA reverse-solicitation Guidelines (Feb 2025), EBA MiCA technical standards/fees for significant tokens.

FAQs: