What is MiCA in the EU?

Quick answer

MiCA (Regulation (EU) 2023/1114) is the EU's regulatory framework for crypto-assets. It sets authorization, capital, disclosure, and market abuse rules for crypto-asset issuers and service providers across all 27 member states. Full application for crypto-asset service providers began December 30, 2024.

The full answer

MiCA (Regulation (EU) 2023/1114) is the EU's regulatory framework for crypto-assets. Published in the Official Journal on June 9, 2023, it covers both issuers and service providers, sets minimum capital and disclosure standards, and creates a single authorization regime valid across all 27 member states. Full application for crypto-asset service providers (CASPs) began December 30, 2024.

Why MiCA was needed

Before MiCA, the EU had no unified crypto framework. Each member state ran its own rules, or none. France had PSAN registration. Germany had BaFin crypto custody licensing. Most other states had nothing. A crypto exchange could register in Malta under the VFAA and, in theory, passport its services, but rules were inconsistent and enforcement was uneven.

The collapse of FTX in November 2022 accelerated political will. The European Parliament adopted MiCA in April 2023. It's no coincidence the regulation arrived when it did.

Who MiCA covers

Two groups.

Crypto-asset issuers must publish a white paper before offering tokens publicly. Issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs) face the strictest rules, including reserve requirements and direct EBA oversight for significant issuers.

Crypto-asset service providers (CASPs) include exchanges, custodians, portfolio managers, transfer service operators, brokers, and advisors. They must be authorized by a national competent authority (NCA) and meet ongoing capital, governance, and conduct requirements.

CASPs with fewer than 15 employees and annual turnover under €5 million qualify for a simplified authorization procedure. Fewer forms, same obligations.

Authorization timeline

Milestone | Date
ART and EMT issuer rules | June 30, 2024
Full CASP authorization required | December 30, 2024
National transitional period ends (latest) | July 1, 2026

CASPs already operating under national regimes (France's PSAN, Germany's BaFin licenses) had transitional relief to continue operating while applying for MiCA authorization. That window closes no later than July 1, 2026.

AML and Travel Rule obligations

CASPs are obligated entities under the EU AML framework. Full customer due diligence and enhanced due diligence obligations apply. CASPs must verify beneficial ownership, run sanctions screening, and file suspicious transaction reports with their national FIU.

The companion Transfer of Funds Regulation (EU) 2023/1113 extends the FATF Travel Rule to crypto: CASPs must collect and transmit originator and beneficiary data on every transfer, with no minimum threshold. That differs from the €1,000 floor under traditional wire rules and makes perpetual KYC infrastructure practically necessary for high-volume operators.

Supervision and penalties

ESMA has primary supervisory authority over CASPs and ART issuers. EBA oversees EMT issuers. For significant issuers, ESMA exercises direct supervision rather than delegating to NCAs. ESMA has published 14 binding technical standards under MiCA covering authorization, operational resilience, disclosure formats, and marketing communications.

Penalties for CASPs: up to 12.5% of annual global turnover or €2.5 million. For significant ART and EMT issuers: up to 5% of annual turnover or €5 million. For natural persons: up to €700,000. The penalty structure is comparable to GDPR, and EU regulators have shown they use it.

Why this matters

For compliance teams at traditional financial institutions, MiCA changes counterparty risk assessment directly. CASPs without valid MiCA authorization after the grace period are operating illegally in the EU. That's a relationship you need to flag and potentially exit.

Onboarding CASP clients now means checking MiCA authorization status, the supervising NCA, and the CASP's AML program maturity. The FATF grey list status of the CASP's authorization jurisdiction matters for your own risk exposure. Customer risk ratings need updating to capture whether counterparty CASPs are authorized and in which regime.

For institutions that are themselves CASPs, the Travel Rule is the most operationally demanding change. You need technical infrastructure to transmit originator and beneficiary data at the point of transfer, not just at reporting time. AI-driven transaction monitoring is no longer optional at scale. The combination of no-threshold Travel Rule compliance and real-time monitoring requirements creates volume that manual processes can't absorb.

MiCA also intersects with the EU AI Act. CASPs using automated decision-making in transaction monitoring or credit scoring need to assess whether those systems qualify as high-risk under the AI Act. The compliance calendar for EU crypto operators now has two major regulatory deadlines running in parallel.

The difference between AML and CFT obligations matters here too. MiCA's AML framework covers both, but the practical controls for countering terrorist financing in crypto, particularly around travel-rule data quality, are still being stress-tested by supervisors.
