This article is for existing CASPs and crypto business owners, those starting or thinking about starting a CASP or crypto business, and anyone seeking guidance on MiCAR.

What is the MiCAR?

The Markets in Crypto-Assets Regulation ((EU) 2023/1114) (MiCAR) establishes uniform European Union (EU) market rules for crypto-assets, primarily aiming to regulate assets not covered by existing financial services legislation. This includes cryptocurrencies and stablecoins that fall outside other regulatory frameworks. MiCAR also has specific provisions for Asset-Referenced Tokens (ARTs) and Electronic Money Tokens (EMTs), which are also partly regulated under the Electronic Money Directive (EMD).

For crypto-asset issuers and traders, the regulation focuses on these key areas: Transparency, disclosure, authorization, and supervision of transactions. The ultimate goal is to deliver a consistent and joined-up framework that works across EU member states.

MiCAR forms part of the EU’s Digital Finance Package, designed to foster innovative financial products while establishing rules for their responsible development, harmonization, and transformation within the EU financial services sector. MiCAR entered into force on 29 June 2023. Provisions related to ARTs and EMTs became applicable on 30 June 2024, while the full regulation applies across the EU as of 30 December 2024.

MiCAR applies to any natural or legal person in the EU involved in the issuance, public offering, admission to trading, and provision of services related to crypto-assets. It also applies to entities outside the EU that target EU residents with such activities.

Authorization and compliance under the MiCAR

Achieving MiCAR authorization allows Crypto-Asset Service Providers (CASPs) to access EU markets, comply with harmonized regulatory standards, and build customer trust.

Issuers of ARTs must be authorized under MiCAR, while EMTs may only be issued by licensed electronic money institutions or credit institutions under the EMD, and are subject to additional obligations under MiCAR, including white paper publication and enhanced transparency requirements.

Issuers of crypto-assets that aren’t classified as ARTs or EMTs must also comply with MiCAR. Actual requirements depend on the type of crypto-assets, and whether they’re classified as financial instruments under MiFID II.

What does MiCAR exclude?

The European Securities and Markets Authority (ESMA) has issued guidelines and criteria to help distinguish between crypto-assets that fall under the MiCAR and those that qualify as financial instruments under existing EU financial legislation, particularly MiFID II.

  • Crypto-assets classified as financial instruments under MiFID II: These include crypto-assets that are similar to traditional financial instruments, such as shares or bonds. Because they fall under MiFID II, they’re excluded from MiCAR.
  • Fully decentralized crypto-asset services: Services that are fully decentralized (not operated by any identifiable intermediary) don’t fall under MiCAR’s scope. However, partially decentralized services, where identifiable persons have some form of control or governance, remain within MiCAR’s scope.
  • Unique and non-fungible crypto-assets: Most non-fungible tokens (NFTs) that are unique and not interchangeable with other crypto-assets may fall outside MiCAR. However, how ‘unique and non-fungible’ is legally classified is something to be assessed on a case-by-case basis. That’s why parties should speak to qualified legal advisers for guidance.

While these definitions aim to promote regulatory consistency, ESMA has noted that the term ‘financial instrument’ is not ‘fully harmonized’ (pdf) across the EU. As a result, market participants should speak to their relevant National Competent Authority (NCA), to get jurisdiction-specific interpretations and guidance.

Which crypto-assets are covered by MiCAR?

 According to MiCAR, a crypto-asset is defined as: ‘Anyone in the EU involved in issuing, public offering, and trading of crypto assets or services’

According to the European Commission, crypto-assets are defined as: ‘A digital representation of value or a right that can be transferred or stored electronically using distributed ledger technology or similar technology.’ Source: European Commission

This is consistent with the European Commission’s interpretation, and acts as a base for MiCAR’s regulatory framework.

MiCAR further categorizes crypto-assets into three main types:

  • ARTs: Defined as ‘a type of crypto-asset that is not an electronic money token and that purports to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies.’
  • EMTs: Defined as ‘a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency.’ EMTs resemble e-money and are subject to additional requirements under the Electronic Money Directive (EMD2).
  • Other Crypto-Assets: This category covers crypto-assets that aren’t classified as ARTs or EMTs, including utility tokens and cryptocurrencies that don’t seek value stability.

Early MiCAR License Approvals by EU Regulators (May 2025)

Some companies have been approved but are awaiting to be issued their MiCAR licenses. Others are currently applying. Several firms have received licenses.

In Germany, the Federal Financial Supervisory Authority (BaFin) has granted MiCAr licenses to Crypto Finance and Bitpanda.

Malta’s Financial Services Authority (MFSA) has issued licenses to Bitpanda, OkCoin Europe Ltd, and Zillion Bits Ltd.

In Austria, the Financial Market Authority (FMA) has also licensed Bitpanda, making it one of the few companies licensed across multiple EU jurisdictions.

The Dutch Authority for the Financial Markets (AFM) has approved Hidden Road Partners CIV NL BV, ZBD, and MoonPay.

VeChain, with headquarters in San Marino and operations across multiple regions, has received a MiCAr license under the oversight of the European Securities and Markets Authority (ESMA).

These early approvals show that some jurisdictions are moving quicker than others to implement the MiCAR framework, and in turn supporting regulated crypto services within the EU.

Key regulatory standards and interpretative guidance under MiCAR

Market abuse detection and prevention: general MiCAR standards

Under the MiCAR, the European Union has introduced stringent rules to prevent and detect market abuse in crypto-asset markets. These provisions prohibit insider dealing, unlawful disclosure of inside information, and market manipulation. To ensure consistent enforcement across the EU, the ESMA published on 29 April 2025 a final report containing guidelines for NCAs on supervisory practices.

The guidelines aim to harmonize supervisory approaches across member states, promote a common supervisory culture, and encourage a risk-based, proportionate response aligned with the scale and complexity of crypto-asset services. ESMA uses experience under the Market Abuse Regulation (MAR) while tailoring practices to the unique features of crypto-asset markets — including their technological architecture and the significant influence of social media. Cross-border cooperation among NCAs is emphasized to address crypto trading’s global nature, with engagement with third-country authorities encouraged.

MiCAR requires that entities professionally arranging or executing transactions in crypto-assets (PPAETs), including CASPs operating trading platforms, implement real-time surveillance systems capable of analyzing every order and transaction. These systems must detect unlawful manipulations such as order book spoofing or the dissemination of false or misleading information. ESMA’s guidelines act as a reminder that monitoring should be based on risk, yet also match the profile of a firm’s operations.

Apart from trading platforms, CASPs offering other crypto-asset services will come under MiCAR’s market abuse rules. They must have strong arrangements, systems, and procedures to both prevent and detect abuse. This includes regularly updating internal policies, ensuring the right type of staff training, and making sure operations align with MiCAR. MiCAR also gives guidelines on how NCAs should work together across borders, so that there can be consistent and unified enforcement across the EU.

Reverse solicitation and staying compliant

To protect EU-based clients and ensure that CASPs operate on a level regulatory footing, MiCAR sets out clear limitations on who may offer crypto-asset services within the Union. Under the MiCAR regulation, no person may provide crypto-asset services in the EU unless they are either:

  • authorized as a CASP; or
  • a regulated entity permitted to do so under Article 60 (such as a credit institution, investment firm, or electronic money institution)

The regulation introduces a narrowly framed exemption, commonly referred to as reverse solicitation, which allows a third-country firm to provide a crypto-asset service to an EU client. But they can only do this if the service is provided after the client requests it. This exemption applies solely to the specific service requested and does not cover subsequent services or broader business relationships.

In its Final Report of December 2024 (guidelines for solicitation, pdf), ESMA sets out detailed guidance interpreting this exemption strictly. Any form of direct or indirect marketing or solicitation, may mean the CASP can’t rely on the exemption. This includes passive marketing methods, such as promotional websites, advertising, or social media content that targets or is accessible to EU clients. In assessing compliance, NCAs will take a facts-based approach, examining all relevant circumstances to determine whether a service was genuinely initiated by the client.

ESMA underscores that CASPs must not misuse the exemption, and should carry out adequate due diligence on any introducers or third parties involved in client acquisition or promotion. This includes ensuring that no indirect solicitation occurs via affiliates, referrers, or unauthorized cross-border marketing strategies.

The reverse solicitation exemption is not a loophole and must not be relied upon as a substitute for proper MiCAR authorization. CASPs serving EU clients must be prepared to demonstrate that a request for service was unsolicited, and must keep appropriate documentation to that effect.

Investor protection

The ESMA has issued report guidelines for investor protection (pdf) under MiCAR, emphasizing the need to assess suitability when CASPs offer investment advice or portfolio management services. CASPs are required to get information from clients and prospective clients before they make recommendations. This information focuses on:

  • Clients’ knowledge and experience in investing
  • Investment objectives, including their appetite and tolerance for risk
  • Financial situation, including how much they’re able to bear losses
  • Understanding of the risks around investing in crypto-assets

CASPs managing client portfolios must provide statements at least quarterly. Alternatively, they can offer online access to portfolio information, as long as clients login and review their portfolios at least once every quarter.

For CASPs offering crypto-asset transfer services, the advice is to put in place detailed policies and procedures. There’s also plenty to do before executing any transfers. CASPs need to give their clients adequate information about the crypto-asset’s essential features, conditions, and execution details. This pre-contractual information should include:

  • CASP’s identity
  • Distributed Ledger Technology (DLT) network used
  • Associated costs
  • Instructions on initiating transfers

Post-transfer, CASPs are expected to furnish clients with specific information, such as identification references, the amount and type of crypto-assets transferred, and all related costs. In cases of transfer rejection, return, or suspension, CASPs should provide reasons, remediation steps, and any incurred costs. ASPs should also define criteria for transfer execution, including maximum execution times and the number of block confirmations required for transfers to be considered irreversible or sufficiently irreversible for each DLT network. Clear policies regarding liability, especially concerning unauthorized or incorrect transfers, are also emphasized.

ESMA highlights that it is essential for CASPs to define clear and reliable methods of communication with clients. This includes outlining any technical requirements necessary for sending and receiving messages, whether via websites, mobile applications, or other digital channels.

For handling complaints, MiCAR requires transparency, fairness, and freedom for procedures. Clients and token holders must be told how to submit complaints. CASPs and ART issuers must investigate and respond in a timely and impartial manner while keeping internal records to show how they’re responding.

Qualification of crypto-assets as financial instruments

The ESMA has issued guidelines to assist NCAs and market participants in determining whether a crypto-asset qualifies as a financial instrument under MiFID II. These guidelines emphasize a ‘substance over form’ approach, focusing on the actual features and rights conferred by the crypto-asset rather than its label or technological form.

It’s up to CASPs to assess whether their crypto-assets are financial instruments that would come under MiFID II. Because it’s up to NCAs to interpret and enforce guidelines, they will be given ‘structured conditions and criteria to determine whether a crypto-asset can be classified as a financial instrument.’ This will include assessing based on the crypto-assets actual features, rather than the label given by the CASP.

The guidelines also note potential differences on the approaches of each member state’s NCA. CASPs may also be asked to identify ‘the origin of large buy and sell crypto asset orders or transactions’, as a way to monitor for potential illegal or anomalous activity.

The guidelines also recommend to ‘carefully consider’ how settlement, whether cash or crypto-asset, may affect classification and fall under MiFID II regulations. If the crypto-asset is non-transferable to other holders and is ‘only accepted either by the issuer or offeror’, it won’t fall under the scope of MiCAR.

For a comprehensive understanding, view the full ESMA Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments.

Supervisory Standards and Technical Implementation under MiCAR

ESMA Final Report on Systems and Security Protocols under MiCAR

On 17 December 2024, the ESMA published its Final Report setting out guidelines for offerors and applicants seeking admission to trading of crypto-assets, excluding asset-referenced tokens and e-money tokens. The guidelines aim to ensure the security and resilience of ICT systems and access controls, in line with the Digital Operational Resilience Act (DORA) and the NIS2 Directive.

Key areas covered include:

  • Proportionality – Measures must be tailored to the size and complexity of the entity
  • Governance – Clear internal responsibilities and adequate staff training are required
  • Physical Security – Entities should prevent unauthorized access and maintain logs of authorized entries
  • IT Access Controls – Access must follow a ‘need-to-know and least privilege’ approach, with regular reviews and revocations
  • Cryptographic Key Management – While no standalone provisions are set, key handling is expected to align with DORA standards

Technical Standards for Crypto-Asset Service Providers

A series of Regulatory Technical Standards (RTS) have been developed by ESMA to ensure consistent and harmonized implementation of the regulation and adopted as legally binding instruments by the European Commission.

It is important to distinguish RTS from Implementing Technical Standards (ITS). While RTS specify the content of rules (the ‘what’), ITS focus on the procedural or operational aspects of implementing those rules (the ‘how’) — for example, formats, templates, and submission procedures. Like RTS, ITS are also drafted by ESMA and adopted by the Commission, and are legally binding.

In the context of MiCAR, RTS and ITS play a critical role in operationalizing the regulation. Compliance with these standards helps firms meet their regulatory obligations, both currently and in preparation for MiCAR’s full implementation.

A final package of MiCAR-specific policy documents was published in December 2024. These measures entered into force 20 days after their publication in the Official Journal on 31 March 2025. The package builds on more than 30 technical standards issued by ESMA — many developed in cooperation with the European Banking Authority (EBA) — and includes draft RTS, guidelines, and consultation materials reflecting stakeholder input and feedback.

CASP Regulatory Requirements under MiCAR

What are CASPs under MiCAR?

CASPS are defined in MiCAR as:

‘a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset

MiCAR defines ‘crypto-asset service’ as ‘any of the following services and activities relating to any crypto-asset’:

  1. Providing custody and administration of crypto-assets on behalf of clients
  2. Operation of a trading platform for crypto-assets
  3. Exchange of crypto-assets for funds
  4. Exchange of crypto-assets for other crypto-assets
  5. Execution of orders for crypto-assets on behalf of clients
  6. Placing of crypto-assets
  7. Reception and transmission of orders for crypto-assets on behalf of clients
  8. Providing advice on crypto-assets
  9. Providing portfolio management on crypto-assets
  10. Providing transfer services for crypto-assets on behalf of clients

Replacing existing Virtual Asset Service Provider (VASP) license

MiCAR will replace VASP licenses with CASP licenses. Existing VASP license holders will need to transition to a CASP license.  A transition period has been established, allowing VASP license holders until 1 July 2026 to obtain CASP authorization, or until their CASP application is granted, whichever comes first. During this transition, VASP holders can benefit from a simplified application procedure for CASP authorization.

Substance and Local Presence Requirements

Under the MiCAR, CASPs authorized by appointed NCAs must have a registered office in an EU Member State where they conduct at least part of their crypto-asset services. CASPs must also have their ‘place of effective management’ located within the EU, and at least one director must be an EU resident. Bear in mind that individual EU NCAs may impose other conditions alongside these.

For an example, look toward the Malta Financial Services Authority (MFSA),and its ‘The Markets in MiCA Rulebook – Rules Applicable to Entities within the Scope of the Markets in Crypto-Assets Act,’ which mandates that a CASP has to ensure it has sufficient substance in Malta. In practice, this means having a sufficient number of key function holders and personnel, with at least one Executive Director based in Malta. That number, local directors or key function holders,  depends on the size, scale, and complexity of the License Holder’s activities.

Suitability Requirements for CASPs and ART Issuers

Under MiCAR, and as detailed in the Joint EBA and ESMA Guidelines, CASPs and issuers of ARTs must adhere to stringent fitness and probity standards.

  1. Management Body Members

Members of the management body of CASPs and ART issuers are required to:

  1. Possess sufficiently good repute, integrity, and honesty
  2. Demonstrate appropriate knowledge, skills, and experience, both individually and collectively
  3. Commit adequate time to fulfill their responsibilities effectively
  1. Shareholders and Qualifying Holders

Individuals or entities holding, directly or indirectly, qualifying holdings in CASPs or ART issuers must:

  1. Be of sufficiently good repute and not have convictions related to money laundering, terrorist financing, or other serious offences
  2. Not exert influence that could compromise the sound and prudent management of the entity
  3. Demonstrate financial soundness and the absence of risks related to money laundering or terrorist financing

These assessments apply during the authorization process and on an ongoing basis, including in cases of proposed acquisitions.

Capitalization requirements

Capitalization requirements for stability are divided into three classes of CASP, based on different services:

  1. Class 1 CASP services: EUR50,000

This is the capital required for basic services, including executing orders, transferring and placing crypto-asset orders, and advising or managing crypto-asset portfolio

  • Class 2 CASP services: EUR125,000

This includes the capital required under Class 1, with additional services that include custody and administration of crypto-assets for clients, as well as the exchange of crypto-assets (funds and other crypto-assets)

  • Class 3 CASP services: EUR150,000

This includes the capital required under Class 2, with an additional service that includes the operation of a crypto-asset trading platform

White Paper Requirements and Exemptions

Under the Markets in Crypto-Assets Regulation, issuers of all crypto-assets — including general crypto-assets, ARTs, and EMTs — must prepare and publish a white paper. This document must include detailed information on the crypto-asset’s essential characteristics, the rights and obligations it confers, its underlying technology and governance, associated risks (market, liquidity, cybersecurity, etc.), trading and liquidity mechanisms, AML/CFT compliance, fees and charges, and environmental impact where applicable. While issuers of general crypto-assets are only required to notify the NCA before publication, issuers of ARTs and EMTs must seek prior approval and obtain authorization. There are applicable white paper exemptions, such as where the crypto-asset is offered free of charge or used exclusively within a limited network under the Limited Network Exemption.

Reporting obligations

ESMA highlights the risks associated with permissionless Distributed Ledger Technology (DLT), while acknowledging that it is up to individual CASPs to determine how best to manage potential threats to their business as usual (BAU) operations.

Under MiCAR, CASPs remain accountable even if they do not have control over a permissionless DLT or the wallet-holders using it. This lack of control, particularly the absence of Know Your Customer (KYC) processes, means that CASPs must take care to ensure compliance with the EU’s AML and CFT legislation. The regulatory landscape is evolving rapidly, as seen in the European Banking Authority (EBA) consultation on four new draft RTS, following the introduction of enhanced AML and CFT standards.

What’s more, CASPs are accountable in the context of MiCAR, despite not having control over a permissionless DLT, or any of the wallet-holders. This lack of KYC means CASPs must be careful that they stay compliant under the EU’s AML legislation. This is evolving fast, with an following on from the introduction of new AML and CFT standards.

Anti-Money Laundering Directives

The EBA has issued guidelines under the evolving EU AML framework that extend to CASPs, even if they are not yet classified as ‘‘obliged entities’’ under the current EU AML Directives (such as AMLD5 or AMLD6). These expectations, particularly relevant in light of MiCAR and the forthcoming EU AML Regulation, include customer due diligence (CDD) measures such as verifying customer and beneficial owner identities and screening for EU targeted financial sanctions. It’s worth noting that EU Sanctions Regulations are directly applicable, with all entities operating in the EU, including CASPs, must comply with them, regardless of their AMLD status.

While these EBA guidelines establish a baseline across the EU,Malta has gone a step further. Under Regulation 2(1) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), CASPs are explicitly listed as subject persons. That means they’re fully subject to AML/CFT obligations, including CDD, suspicious transaction reporting, and sanctions screening, and are directly supervised by the FIAU.

Market manipulation obligations for CASPs

The MiCAR introduces a dedicated market abuse regime applicable to Crypto-Asset Service Providers CASPs and crypto-asset issuers, to make sure they follow standards broadly aligned with those under the EU Market Abuse Regulation (MAR). Under MiCAR, CASPs are prohibited from activities such as insider dealing, unlawful disclosure of inside information, and market manipulation.

To comply with these obligations, CASPs are required to implement effective internal systems and controls. This includes putting in place trade surveillance tools and whistleblowing frameworks, designed to detect and prevent illicit conduct in the crypto markets. These measures are part of the EU’s overall effort to enhance market integrity in crypto-asset markets and align their regulatory framework more closely with traditional financial markets, and ultimately improving investor protection.

Environmental Disclosure Requirements

Under the MiCAR, CASPs are required to publish environmental information in a prominent location on their websites. In particular, MiCAR mandates that CASPs must make publicly available information concerning the principal adverse impacts on the climate and other environmental effects arising from the consensus mechanism used to issue each crypto-asset for which they provide services.

In addition, CASPs are bound by general conduct of business obligations to ensure that all information provided to clients, including environmental data, is fair, clear, and not misleading.

Such disclosures should cover, at a minimum:

  • Energy consumption related to the consensus mechanism
  • The use of renewable energy sources
  • Impact on natural resources
  • Waste management practices
  • Greenhouse gas emissions

These measures aim to promote sustainability transparency and allow users to make more informed choices about the crypto-assets they engage with.

Preparing Your Business for MiCAR in Malta

Transitional Period for CASPs under MiCAR: Malta’s 18-Month Window and Key Readiness Steps

CASPs that were lawfully providing services under national law before 30 December 2024 may continue operating during a transitional period that ends on 1 July 2026, or upon receipt of MiCAR authorization, whichever occurs sooner.

In Malta, the Malta Financial Services Authority (MFSA) has confirmed that it will offer the full 18-month transitional period, aligning with the maximum allowed under MiCAR. By contrast, some Member States such as Lithuania have opted for shorter transitional windows (as little as five months), reflecting different national supervisory approaches.

To benefit from the transitional regime in Malta, a CASP must:

  • Have been authorized or registered under the Virtual Financial Assets (VFA) regime before 30 December 2024
  • Continue to comply with applicable national law
  • Submit an application for MiCAR authorization by a deadline to be announced by the MFSA (expected in early 2025)

It’s important to note that while operations may continue during the transitional period, firms must begin aligning their systems, controls, and governance frameworks with MiCAR obligations from the outset. In other words, transitional relief doesn’t mean an exemption from preparatory work.

To operate beyond 1 July 2026, CASPs must obtain authorization from their relevant national competent authority (NCA), which in Malta’s case is the MFSA. The authorization process reflects a structure similar to that of MiFID II investment firms, including requirements around governance, compliance, internal controls, and ICT risk management.

After receiving a complete application, the NCA has:

  • 25 working days to assess completeness
  • 60 working days to make an authorization decision
  • The power to request further information, to which the applicant must respond within 20 working days

Applicants must also demonstrate the ability to safeguard client assets, implement ICT security policies, and maintain appropriate complaint-handling procedures. If a CASP provides custody or execution services, its operational resilience and transparency will be closely looked at by regulators and auditors.

Preparing for MiCAR isn’t just about legal compliance; it’s a strategic governance exercise. Crypto firms must begin now to:

  • Conduct legal classification of crypto-assets in line with MiCAR definitions
  • Prepare the environmental disclosures
  • Build internal systems capable of satisfying the operational, prudential, and reporting obligations
  • Appoint qualified persons to act as Compliance Officer, MLRO, and ICT Risk Manager, where applicable
  • Review any outsourcing arrangements, particularly where reliance is placed on group entities for critical services

Finally, CASPs must be aware that the EU’s approach to crypto regulation is dynamic. Compliance with MiCAR may soon need to be integrated with adjacent regulatory regimes, such as the Transfer of Funds Regulation (TFR) for AML obligations and DORA for digital operational resilience.

Proven CASP Expertise in Malta’s MiCAR Framework

For businesses that want support with a license for crypto business, there is support available. Advapay offers end-to-end assistance for gaining and maintaining a CASP license for operating in Malta. Companies choose Advapay for many reasons including:

  • Malta-specific regulatory expertise

Give your business instant access to localized knowledge and experience across financial services and fintech

  • Licensing guidance and support

Get answers for everything from setting up and incorporating, to corporate structure and business infrastructure, through to tax and compliance

  • Regulated and compliant

Gain expert help on crypto-asset solutions that meet your licensing requirements

For more information on growing your crypto business with crypto license in Malta, visit and contact us with any questions about CASPs, MiCAR and the licensing processes involved.

Advapay at stake:

How can Advapay can assist you in launching your fintech business?

Share this post