MiCA: What It Requires and Who It Applies To

What is MiCA?

MiCA (Markets in Crypto-Assets Regulation), formally Regulation (EU) 2023/1114 of the European Parliament and of the Council, is the EU's first comprehensive regulatory framework governing the issuance, trading, and custody of crypto-assets. It was adopted on 31 May 2023 and published in the Official Journal on 9 June 2023.

The regulation was a direct response to the absence of any harmonised EU-level crypto rulebook. Before MiCA, crypto-assets occupied a legal grey zone: some jurisdictions regulated exchange services as money service businesses, others did nothing. The collapse of FTX in November 2022, which wiped out billions in customer funds and exposed catastrophic AML failures, accelerated political consensus that the sector needed binding rules.

MiCA creates three distinct regulated asset classes. Asset-Referenced Tokens (ARTs) are stablecoins that reference a basket of assets such as currencies or commodities. E-Money Tokens (EMTs) are pegged to a single fiat currency. Everything else (utility tokens, governance tokens, most exchange tokens) falls into a general category with lighter disclosure requirements.

Oversight is split. ESMA coordinates national competent authority (NCA) supervision of CASPs across all 27 member states. The EBA takes direct supervisory responsibility for issuers of significant ARTs and EMTs, defined by thresholds including more than 10 million holders or issuance value exceeding €5 billion.

Stablecoin rules under Titles III and IV applied from 30 June 2024. Full MiCA application covering all crypto-asset services began 30 December 2024.

Who does MiCA apply to?

MiCA applies to any legal person offering crypto-asset services in the EU or issuing crypto-assets to EU-based clients, regardless of where the firm is headquartered.

Crypto-Asset Service Providers (CASPs):

• Spot crypto exchanges (trading Bitcoin, Ether, and all non-ART/EMT tokens)
• Custodian wallet providers holding private keys on behalf of clients
• Crypto-to-fiat and crypto-to-crypto conversion services
• Operators of multilateral trading platforms for crypto-assets
• Execution of orders on behalf of clients
• Portfolio management services for crypto-asset portfolios
• Advisory services for crypto-asset investments
• Transfer services (governed primarily by the EU Travel Rule Regulation 2023/1113)

Issuers:

• Companies issuing Asset-Referenced Tokens (stablecoins backed by baskets of currencies, commodities, or other crypto-assets)
• Credit institutions and e-money institutions issuing E-Money Tokens (only these entity types may issue EMTs)

Jurisdictional scope: Any firm targeting EU-based clients needs authorisation under MiCA. The regulation provides a single-market passport, so authorisation in one member state allows service across all 27 without separate national licences. This reverses the pre-MiCA patchwork where Malta, Germany, France, and others operated entirely different regimes.

Exemptions: Fully decentralised protocols with no identifiable issuer or intermediary are outside MiCA's scope. Most NFTs are exempt, provided they function as genuinely unique assets rather than fractional fungible holdings. Intragroup transactions are also excluded.

Grandfathering provisions allowed firms operating under national crypto regimes as of 30 December 2024 to continue under existing authorisations until 1 July 2026, at NCA discretion.

What does MiCA require?

Here are MiCA's core obligations, with the specific provisions compliance officers need to know:

1. Authorisation (Article 59): CASPs must obtain a licence from their home member state's NCA before offering any service. Applications require governance arrangements, AML/CFT policies, organisational charts, capital adequacy proof, and fit-and-proper assessments for senior management.

2. Minimum capital requirements (Article 67): CASPs must hold minimum own funds ranging from €50,000 (advisory and transfer services) to €150,000 (trading platform operators and custodians), or hold professional indemnity insurance covering equivalent risk.

3. AML/CFT program (Article 92): CASPs are obliged entities under EU AML law. They must perform Customer Due Diligence (CDD) on all clients, apply Enhanced Due Diligence (EDD) for high-risk counterparties, maintain a documented business-wide ML/TF risk assessment, and file suspicious transaction reports with the national FIU.

4. Travel Rule compliance: Under the EU Transfer of Funds Regulation (EU TFR) (Regulation 2023/1113, which runs in parallel with MiCA), CASPs must attach originator and beneficiary data to all crypto-asset transfers. There is no de minimis threshold; the rule applies from the first euro.

5. Crypto-asset whitepaper (Articles 5-21): Issuers must publish a detailed whitepaper before any public offer. The whitepaper must describe rights and risks attached to the asset, the underlying technology, governance structure, and conflict-of-interest disclosures. Misleading whitepapers create direct civil liability to investors.

6. Record retention: All transaction records and client files must be retained for a minimum of five years, consistent with EU AML obligations.

7. Market abuse prevention (Title VI): CASPs operating trading platforms must maintain market surveillance systems capable of detecting insider dealing and market manipulation, and must report suspicious patterns to NCAs.

8. Segregation of client assets (Article 70): Client crypto-assets must be held separately from firm assets in segregated accounts, with daily reconciliation.

9. Conflicts of interest management (Article 72): All material conflicts must be identified, managed, and disclosed in writing to clients before services are provided.

10. Complaint handling (Article 71): CASPs must operate an accessible, free-of-charge complaints procedure and respond within 15 business days of receipt.

What evidence do regulators expect?

ESMA's June 2024 guidelines on authorisation requirements under MiCA give the clearest picture of examiner expectations. On inspection day, NCAs will look for:

• Authorisation file, current and accurate: The active licence must reflect the services actually offered. Any material change since authorisation must have been notified to the NCA in advance.
• Written AML/CFT policies and procedures: Documented Know Your Customer (KYC) processes, CDD standards, and escalation paths. Generic templates that don't reflect the firm's actual customer base are a red flag.
• Business-wide ML/TF risk assessment: Updated at minimum annually and after any material change to the business model. The assessment must be signed off by senior management.
• EDD case files: For every high-risk client or transaction where enhanced measures were applied, examiners want the full file: what triggered EDD, what additional information was collected, and what the outcome was.
• Travel Rule system logs: Evidence that originator and beneficiary data was attached to outgoing transfers. For transfers involving unhosted wallets, a documented ownership verification process and risk-based decisions on whether to proceed.
• Suspicious transaction report records: Filing logs and, critically, documented decisions where suspicion was considered but reporting declined. The rationale for non-reporting must be recorded.
• Transaction monitoring calibration records: Threshold settings, tuning history, alert volumes, false positive rates, and review of rule effectiveness at defined intervals.
• Staff training completion records: Names, dates, content covered, and pass scores where tested. Regulators increasingly follow up training records with staff interviews.
• Market surveillance logs: Records of flagged trading patterns, escalation decisions, and NCA reports where made.
• Daily reconciliation reports: Client ledger balances versus actual custody holdings, reconciled daily per Article 70.

Common failure modes

We've seen crypto firms cited for a consistent set of failures, many of which predated MiCA but are now directly enforceable.

• Superficial UBO identification: Firms onboard a corporate client and stop at the registered director. Know Your Business (KYB) processes need to identify the Ultimate Beneficial Owner (UBO) at the 25% ownership threshold, including through complex trust and fund structures.
• No documented process for unhosted wallet transfers: Many CASPs had ad hoc approaches. Under EU TFR, the process for assessing self-hosted wallet risk must be written, applied consistently, and evidenced.
• Static transaction monitoring: Firms set alert thresholds in 2022 and left them unchanged. Regulators expect documented tuning reviews, particularly when business volumes or customer risk profiles shift materially.
• Whitepaper deficiencies for ART issuers: Projects issued tokens before publishing compliant whitepapers, or published whitepapers with incomplete risk disclosures. France's AMF has historically been the most active pre-MiCA enforcer in this area; it now acts within MiCA's framework.
• Training records that don't match staff knowledge: On inspection, front-line staff can't describe the firm's AML escalation path. Training completion records are necessary but not sufficient; regulators test comprehension.
• No dedicated AML officer: MiCA Article 92 requires a designated AML compliance officer with appropriate seniority and authority. Listing a junior analyst in the role is a common trigger for remediation requirements.
• Missing market surveillance function: Smaller CASPs assumed market manipulation rules only applied to equities. MiCA's Title VI applies the same insider dealing and manipulation prohibitions to crypto trading, with the same reporting obligations to NCAs.

Germany's BaFin and France's AMF have both issued public cease-and-desist orders against unregistered crypto firms under their respective national laws, and are among the most active NCAs under MiCA's unified framework.

Penalties for non-compliance

MiCA's penalty regime is tiered and calibrated by violation type and entity size. Enforcement authority sits with NCAs for most CASPs; the EBA has direct powers over significant ART and EMT issuers.

For CASPs (under Article 111):

• Market abuse violations (insider dealing, market manipulation): up to €15 million or 15% of total annual turnover, whichever is higher.
• Other material breaches (AML failures, whitepaper defects, client asset violations): up to €5 million or 3% of annual turnover, whichever is higher.
• Offering services without authorisation: up to €500,000 for legal persons, up to €700,000 for natural persons (or percentage-of-turnover equivalent where calculable).

For significant ART/EMT issuers (EBA-supervised): The EBA may impose periodic penalty payments of up to 3% of average daily turnover, calculated per day of the ongoing breach.

Non-monetary sanctions include public warnings, mandatory corrective measures, suspension of services, withdrawal of authorisation, and temporary or permanent bans on senior management from financial services roles.

MiCA itself does not create criminal offences, but Article 111 requires member states to ensure that criminal sanctions are available for market manipulation and insider dealing, with penalties including imprisonment under national law. Several member states have already enacted implementing legislation.

The 6AMLD adds criminal liability for AML breaches that run alongside MiCA. Regulators combining both instruments can pursue a CASP simultaneously for MiCA licensing failures and AML criminal liability, creating compounding enforcement risk.

Related regulations and frameworks

MiCA sits at the intersection of several other EU regulatory instruments, and compliance programs need to account for the interactions.

EU AML package: The EU AMLR 2024 directly designates CASPs as obliged entities for AML/CFT purposes and runs in parallel with MiCA Article 92. The EU AMLA, the new EU-level AML supervisory authority, will take on direct supervision of higher-risk CASPs from 2027, adding a supranational supervisory layer that currently only the EBA provides for significant token issuers.

EU Transfer of Funds Regulation: The EU TFR is MiCA's operational partner for Travel Rule implementation. It applies directly to CASPs authorised under MiCA with no de minimis threshold and no exemption for peer-to-peer transfers.

FATF Virtual Assets Guidance: The FATF guidance on virtual assets and VASPs (updated 2021, with red flag indicators published 2020) is the global standard that MiCA's AML framework reflects. FATF Recommendation 20 on suspicious transaction reporting applies to CASPs in the same way it applies to traditional financial institutions.

DORA: The Digital Operational Resilience Act applies to CASPs that qualify as financial entities under its scope. ICT risk management, incident reporting, and third-party risk requirements under DORA overlap with MiCA's operational resilience obligations.

EU AI Act: CASPs using AI for transaction monitoring, credit scoring, or fraud detection may be deploying high-risk AI systems under EU AI Act Article 6. Compliance teams should check whether AI tools used in CDD or sanctions screening trigger the Act's conformity assessment requirements.

GDPR: Personal data collected during KYC and Travel Rule compliance is subject to GDPR data minimisation and storage limitation principles. The EDPB issued guidance in 2023 recommending data protection impact assessments specifically for Travel Rule implementations.

How FluxForce supports MiCA compliance

FluxForce's AI agents automate the core compliance workflows MiCA demands. Aiden Flux handles real-time transaction monitoring and Travel Rule data attachment. Nova Sentinel runs continuous sanctions screening across EU and UN consolidated lists. The platform generates full decision trails for every alert, giving compliance teams the auditable evidence examiners expect on inspection day. All outputs include plain-language explanations, which addresses regulators' increasing scrutiny of black-box AI in financial compliance. Request a demo to see how FluxForce maps to your MiCA programme.