
MiCA: What It Requires and Who It Applies To

Applies to: VASPs
Jurisdictions: EU

The Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114, is an EU law that requires crypto-asset service providers (CASPs) to obtain authorization from national competent authorities and maintain full AML/CFT programs. It covers exchanges, custodians, brokers, and token issuers operating in the EU, and took full effect on 30 December 2024.

What is MiCA?

MiCA (Regulation (EU) 2023/1114) is the EU's first comprehensive legal framework for crypto-assets, published in the Official Journal of the European Union on 9 June 2023. It replaced a patchwork of national crypto rules across member states with a single authorization regime and EU-wide passporting rights.

The regulation covers three categories of crypto-asset. Asset-referenced tokens (ARTs) track the value of multiple assets or currencies. E-money tokens (EMTs) track a single fiat currency. Everything else, including most cryptocurrencies and utility tokens, falls under the generic "other crypto-assets" classification. Issuers of ARTs and EMTs faced obligations from 30 June 2024. Full application for CASPs across all 27 EU member states began 30 December 2024.

Two agencies share supervisory authority. The European Banking Authority (EBA) leads on AML, prudential standards for stablecoin issuers, and technical standards. The European Securities and Markets Authority (ESMA) handles market conduct, investor protection, and trading rules for crypto-assets that resemble financial instruments. Day-to-day supervision sits with national competent authorities (NCAs) in each member state.

MiCA is a directly applicable regulation, not a directive. It didn't need transposition into national law; it applied automatically on its effective dates across the EU. That eliminated the jurisdictional arbitrage that previously let crypto firms select the lightest-touch member state without losing EU market access.

The driving logic was straightforward. Crypto market capitalization had repeatedly exceeded $1 trillion, yet the firms facilitating that trading operated without a coherent EU licensing framework. Financial crime risk was the primary prompt, alongside consumer protection failures made politically undeniable by several high-profile retail collapses.


Who does MiCA apply to?

MiCA applies to any legal or natural person that issues crypto-assets or provides crypto-asset services to persons in the EU, regardless of where the firm is incorporated.

Covered entity types:

  • Crypto-asset exchanges: Firms operating trading platforms where clients buy, sell, or exchange crypto-assets, including centralized order-book models and firms acting as counterparty to trades.
  • Custodians: Entities that hold crypto-assets or private keys on behalf of clients. This is one of the highest-risk CASP categories for AML purposes and carries the greatest liability exposure.
  • Crypto-asset brokers: Firms that execute orders for crypto-assets on behalf of clients without operating their own platform.
  • Portfolio managers: Firms managing discretionary crypto-asset portfolios under client mandate.
  • Transfer services: Firms that move crypto-assets from one address to another on behalf of clients.
  • Advice-only CASPs: Firms providing crypto-asset recommendations without executing or holding assets. These face the lowest capital floor but still require full AML compliance.
  • Issuers of ARTs and EMTs: Entities creating tokens that reference baskets of assets or track a fiat currency. Banks and e-money institutions may issue EMTs under their existing authorization provided they notify their NCA in advance.
  • Issuers of other crypto-assets: Including most cryptocurrencies by market cap. A whitepaper is required unless the offering stays below €1 million over 12 months, targets fewer than 150 persons per member state, or is directed exclusively at qualified investors.

Geographic scope: MiCA extends to firms without EU establishment if they actively solicit EU customers. The reverse solicitation exemption, which permits non-EU firms to serve EU clients who approach them first without authorization, is narrow. ESMA has confirmed that app-store listings, targeted digital advertising, and referral links directed at EU users are incompatible with relying on that exemption.

Exemptions: Central bank digital currencies, security tokens regulated under MiFID II, and genuinely unique NFTs are generally outside MiCA's scope. Fractionalized NFTs or NFTs issued in large identical series may fall within scope depending on their economic characteristics.


What does MiCA require?

Core obligations span authorization, financial crime controls, prudential rules, and market conduct. Here's what CASPs and token issuers actually have to do:

  1. Obtain a CASP license: Apply to the NCA in your home member state with a program of operations, governance arrangements, AMLCO appointment documentation, and an AML compliance program. Approval grants passporting rights across the full EU without further authorization.

  2. Run a risk-based AML/CFT program: CASPs are obliged entities under EU AML law. They must conduct Customer Due Diligence (CDD) on all customers, apply Enhanced Due Diligence (EDD) to high-risk relationships and PEPs, and file suspicious transaction reports with the relevant financial intelligence unit. The EU AMLR single rulebook, published in 2024, provides the detailed requirements that layer on top of MiCA's authorization regime.

  3. Comply with the Travel Rule: The EU TFR (Transfer of Funds Regulation, updated in 2023) requires CASPs to collect and transmit originator and beneficiary data for all crypto transfers. There's no de minimis threshold for crypto: a €5 transfer carries the same data requirements as a €5 million one.

  4. Publish a whitepaper: Issuers of ARTs, EMTs, and most other crypto-assets must publish a mandatory whitepaper with standardized fields covering the project, the team, technology risks, and investor rights. NCAs must be notified at least 20 working days before publication.

  5. Meet capital requirements: CASPs must hold own funds equal to the higher of a fixed minimum or one-quarter of fixed overheads. Fixed minimums range from €50,000 for advice-only services to €150,000 for custodians and exchanges. ART issuers face higher floors based on the size of the reserve.

  6. Segregate client assets: Client funds and crypto-assets must be kept separate from firm assets. Custodians are liable for loss of client crypto unless they prove it arose from an external event beyond their control.

  7. Comply with market abuse prohibitions: MiCA extended insider trading and market manipulation rules to crypto-assets for the first time in EU law, applying standards similar to those under MAR for equities.

  8. Retain records for five years: All CDD records, transaction data, and communications relevant to orders and trades must be retained and producible on regulator request within that window.


What evidence do regulators expect?

On examination day, NCAs will look for documentation across four areas: governance, customer risk, transaction monitoring, and Travel Rule controls.

Governance documentation:

  • Board-approved AML policy with a documented annual review cycle and board sign-off in the minutes
  • AMLCO appointment letter confirming seniority, independence, and resource adequacy
  • AML training records for all client-facing and compliance staff, dated within the past 12 months
  • Business risk assessment (BRA) reviewed at least annually, or following any material product launch, market entry, or structural change

Customer risk records:

  • Know Your Customer (KYC) and CDD procedures documented and consistently applied across the customer base
  • Evidence that EDD is triggered for high-risk customers, PEPs, and customers in high-risk jurisdictions, in line with FATF Rec 12
  • Beneficial ownership verification records for corporate customers, including the Ultimate Beneficial Owner (UBO) chain documented to natural person level
  • A written procedure for handling transfers to and from unhosted wallets, including the risk criteria applied and the escalation path for flagged addresses

Transaction monitoring:

  • System configuration logs showing the rules or models in use, with version history and change records
  • Alert disposition records with documented rationale for closure or escalation
  • Suspicious Transaction Report (STR) log with dates and FIU submission confirmations
  • Evidence of periodic rule review, including false positive rates and threshold adjustment decisions

Travel Rule compliance:

  • Operational records showing originator and beneficiary data is collected for every transfer, with no de minimis exceptions
  • Documented process for transfers involving unhosted wallets, including the risk assessment framework applied
  • Testing records demonstrating VASP-to-VASP Travel Rule message exchange works correctly with counterparties

Common failure modes

Most MiCA-related AML deficiencies fall into predictable patterns. Here's what authorization refusals and NCA supervisory reviews have flagged:

  • Generic AML policies: Firms submit template policies that don't reflect their actual crypto risk typologies. An exchange processing high volumes of DeFi-sourced funds needs controls specifically designed for on-chain provenance risk, not a policy written for a fiat brokerage with no blockchain exposure.
  • Unhosted wallet gaps: ESMA's supervisory guidance makes clear that specific due diligence is required when transacting with unhosted wallets. Many applicants have no documented procedure at all, or rely on blockchain analytics tools without any human escalation workflow for wallets that come back flagged.
  • Travel Rule data quality: CASPs transmit originator data fields with placeholders, truncated names, or incomplete addresses. Under the EU TFR, a transfer with incomplete data must be suspended or returned to the sending CASP, not processed and monitored retroactively.
  • Stale business risk assessments: NCAs have cited firms for BRAs written at authorization and never updated, despite product launches, new geographies, and market events that materially changed the risk profile. Annual review is the minimum; material events require immediate reassessment.
  • Governance without substance: Senior management involvement in AML oversight must be real, not nominal. Examiners look for board minutes that reference AML reporting, AMLCO escalation logs, and management information packs, not just a policy document signed once by a director with no evidence of ongoing review.
  • Reverse solicitation overreach: Several firms initially claimed exemptions while running EU-facing marketing campaigns. NCAs have moved against this, with some applicants facing authorization conditions or outright refusals as a result.

Germany's BaFin and France's AMF have been the most active early enforcers, using the authorization process itself as a supervisory tool by attaching remediation conditions before granting licenses.


Penalties for non-compliance

MiCA sets out a tiered penalty framework, calibrated by violation type and whether the subject is a legal or natural person.

For legal persons:

  • Operating without CASP authorization: up to €5 million or 3% of total annual turnover, whichever is higher
  • Breach of AML obligations, disclosure requirements, whitepaper rules, or prudential standards: up to €2.5 million or 2.5% of annual turnover
  • Market abuse violations (insider trading, market manipulation): up to €15 million or 15% of annual turnover

For natural persons:

  • Operating without authorization: up to €700,000
  • AML, prudential, or disclosure breaches: up to €500,000

Beyond fines, NCAs can issue public warnings, suspend or revoke authorization, and bar individuals from management roles. The firm and the responsible individuals can be sanctioned simultaneously, which matters significantly for senior management accountability frameworks in regulated jurisdictions.

The AMLA authority, coming into operational supervision from 2026, will assume direct responsibility for the largest CASPs. That centralizes enforcement for the highest-volume firms and removes any residual softness in NCA-level supervision.

Early enforcement has been unambiguous. BaFin required substantial AML remediation from multiple firms before granting German authorizations. France's AMF enforcement under the predecessor PSAN regime showed that inadequate KYC records and undocumented transaction monitoring processes are the two most consistently cited deficiencies. The FATF VA Guidance also creates reputational pressure at the jurisdictional level: countries with weak VASP supervision receive adverse mutual evaluation ratings, which gives NCAs a political incentive to enforce robustly.


Related regulations and frameworks

MiCA sits within a wider regulatory stack. Treating it in isolation will create compliance gaps.

FATF standards: The FATF VA Guidance (updated 2021) sets the global baseline for VASP AML regulation that MiCA implements at EU level. FATF Rec 15 requires member countries to regulate VASPs for AML/CFT, which MiCA delivers. FATF Rec 16 is the Travel Rule that the EU TFR operationalizes for crypto transfers.

EU AML Package: MiCA makes CASPs obliged entities, but the detailed AML rulebook is in the EU AMLR single rulebook. The 6AMLD predicate offenses list applies to any STR filed by a CASP. AMLA supervision for the largest CASPs adds a further layer of centralized enforcement from 2026.

EU TFR: The EU TFR is technically separate from MiCA but operationally inseparable. Every MiCA-licensed CASP is automatically in TFR scope, with no de minimis threshold for crypto transfers.

DORA: Most MiCA-licensed CASPs rely on third-party technology infrastructure. The DORA digital operational resilience requirements apply alongside MiCA for ICT risk management, incident reporting, and third-party provider oversight. Firms subject to both MiCA and DORA need compliance programs that address both regimes without creating gaps at the boundary.

EU AI Act: CASPs using algorithmic trading systems, transaction monitoring models, or automated fraud detection may fall under EU AI Act high-risk AI classification criteria. That adds model governance, documentation, and human oversight requirements on top of MiCA's financial crime controls.

Non-EU equivalents: The UK's FCA operates its own crypto registration regime under the UK MLR 2017 (UK-FCA). Singapore's SG PSA (SG-MAS) covers digital payment token services. Neither confers EU passporting rights; firms serving multiple jurisdictions need parallel compliance programs for each.


How FluxForce supports MiCA compliance

FluxForce's AI agents automate the transaction monitoring, Travel Rule data validation, and CDD workflows that MiCA requires CASPs to maintain. Nova Sentinel monitors crypto transfers in real time and flags unhosted wallet interactions for immediate analyst review. Aiden Flux runs continuous CDD and sanctions screening across CASP customer bases, with full audit trails and decision explanations for every alert. Both agents operate within configurable autonomy limits, with a kill switch for immediate human override, so compliance teams stay in control. Request a demo to see how FluxForce maps to your MiCA authorization requirements.

FluxForce AI agents automate evidence capture, monitor transactions against MiCA obligations in real time, and generate audit-ready reports with full decision trails.
