At a Glance

The EU provides a single passport under MiCA for Crypto-Asset Service Providers (CASPs) and token issuers with detailed, prescriptive rules. Stablecoins (Asset-Referenced Tokens (ARTs)/E-Money Tokens (EMTs)) were the first phase (mid-2024); CASP obligations (authorisation, conduct, prudential, governance) apply from 2024-12-30. Expect strict AML “travel rule” enforcement and DORA-grade operational resilience for in-scope entities.
Key Effective Dates:
  • ART/EMT rules: 2024-06-30
  • CASP authorization requirements: 2024-12-30
  • Travel Rule for crypto transfers: 2024-12-31
  • DORA ICT risk requirements: 2025-01-17
Region: European Union
Scope:
  • Entities: Financial institutions, custodians, CASPs, issuers (ART/EMT/other), trading venues
  • Activities: Issuance, custody, trading/venue operations, payments/stablecoins, staking, data/oracles
Key Regulations:
  • MiCA (Regulation (EU) 2023/1114)
  • EU Transfer of Funds Regulation “Travel Rule”
  • DORA (Digital Operational Resilience Act, EU 2022/2554)

Core Compliance Expectations

Registration / Licensing

Obtain CASP authorisation with your National Competent Authority (NCA); issuers of ART/EMT require authorisation/approval under MiCA (with EBA/ESMA RTS/ITS). Passport across EU once authorised.

KYC/AML

Apply EU “travel rule” for crypto transfers (originator/beneficiary data) and screen counterparties; implement sanction screening.

Disclosure / Reporting

White papers, ongoing disclosures; ART/EMT reporting (especially non-EUR-denominated) via European Banking Authority (EBA) templates.

Custody Rules

Safeguarding, segregation, liability and governance under MiCA; plus DORA ICT-risk controls if in scope.

Actionable Best Practices

Payments

Onboard only MiCA-authorised ART/EMT issuers. Verify authorisation and, for significant tokens, enhanced EBA oversight. Keep a counterparty evidence pack (authorisation number, reporting status, reserve/collateral methodology).
For stablecoin integration, maintain evidence of:
  • MiCA authorisation number and issuing NCA
  • Significant token classification status
  • Reserve methodology and attestation reports
  • EBA reporting compliance
Implement Travel-Rule orchestration. Enforce data capture and secure transmission for all crypto transfers with policy fallbacks (hold/return rules when VASP data is missing). Log mismatches to an AML case system.
FX/stability risk routines for non-EUR stablecoins. Incorporate EBA non-EU-currency ART/EMT reporting templates; monitor thresholds that could trigger “significant” classification.

Trading

CASP authorisation playbook. Prepare governance, prudential, Information and Communications Technology (ICT) architecture, conflicts, market-abuse surveillance and DORA alignment before filing. Expect NCAs to probe business model controls and ICT third-party risk.
NCA Authorization Requirements: Before submitting your CASP authorization application, ensure you have documented:
  • Governance structure and decision-making processes
  • Prudential requirements (capital, insurance)
  • ICT architecture and third-party dependencies
  • Conflicts of interest management
  • Market abuse surveillance capabilities
  • DORA compliance framework
Listing & marketing controls. Classify assets (MiCA crypto-asset vs. MiFID financial instrument); don’t imply MiCA coverage where it doesn’t apply (ESMA warned on misleading status). Maintain delisting triggers and marketing pre-clearance.
Reverse-solicitation guardrails. Implement geo-fencing and onboarding attestations; keep audit logs to substantiate any reverse-solicitation claims. (ESMA reverse-solicitation guidance.)

Funds & Assets

Product governance & disclosure. Use MiCA white-paper standards for public offers/admissions; align with ESMA knowledge/competence rules for client-facing staff. Build a disclosure pack (risks, fees, technology, reserves/attestations).
Custody & segregation for asset-backed products. If structuring notes/ETNs off-chain, ensure underlying crypto custody meets MiCA + DORA expectations (incident reporting, TLPT readiness).

Custody

Safeguarding by design. Segregate client assets on-chain and in books & records; publish asset-location attestations; define compensating-transaction procedures for error remediation (no history edits) with dual approval.
See Custody Patterns for technical implementation guidance on:
  • On-chain segregation models
  • Asset-location attestation generation
  • Compensating transaction workflows
  • Reconciliation automation
DORA compliance stack. Maintain ICT risk management, incident reporting, threat-led penetration testing (TLPT), and third-party risk registers for wallet infra, node providers, and custodial HSMs.
DORA Requirements (Effective 2025-01-17):
  • ICT risk management framework
  • Incident classification and reporting (72-hour window for major incidents)
  • Threat-led penetration testing (TLPT) every 3 years
  • Third-party ICT service provider risk management
  • Register of Information for all critical ICT dependencies
Key-management resilience. Dual-control ops, MPC/HSM with break-glass and key-compromise runbooks; map all critical providers into DORA Register of Information.

Identity & Compliance

KYC lifecycle. Risk-based Customer Due Diligence (CDD)/Enhanced Due Diligence (EDD); verify beneficial ownership; monitor source of funds; Travel-Rule integration at transfer initiation + screening on receipt.
See Identity & Compliance Patterns for:
  • KYC lifecycle automation
  • Travel Rule data capture and transmission
  • Sanctions screening integration
  • AML case management workflows
Competence & conduct. Train client-facing staff to ESMA knowledge/competence standards; keep training logs and assessment evidence for NCAs.
Marketing fairness. Prominent risk warnings; no “implied MiCA insurance”; maintain NCA-ready archives of all communications.

Data & Oracles

Oracle due diligence. Document selection, governance, fallbacks and dispute procedures; record data lineage for Net Asset Value (NAV)/pricing if feeding regulated disclosures.
See Data & Oracles Patterns for:
  • Oracle selection frameworks
  • Fallback mechanism design
  • Data lineage documentation
  • Dispute resolution procedures
Outsourcing oversight. If using oracle or index vendors, include DORA-compliant contractual clauses (SLAs, audit rights, incident notices, subcontracting).

Key Risks to Watch

High-Risk Areas for Enforcement:
  1. Misclassification - MiCA crypto-asset vs. MiFID financial instrument triggers the wrong regime and can invalidate your authorisation basis.
  2. Marketing/mis-selling - ESMA is actively scrutinizing CASPs overstating regulatory cover or implying deposit insurance equivalents.
  3. Operational resilience gaps - DORA audits will focus on: ICT third-party risk documentation, TLPT readiness, and completeness of Register of Information.

Enterprise Opportunities

  • EU-wide passport after one authorisation (scales distribution across 27 member states).
  • Stablecoin rails with authorised ART/EMT issuers (bank-grade governance; clearer onboarding for pay/settlement use cases).
  • Professionalised sales & support (ESMA competence rules) as a differentiator for institutional clients.

Implementation Checklist

When implementing MiCA compliance:
  • Determine CASP services in scope and relevant NCA
  • Map MiCA vs. MiFID classification for all listed assets
  • Establish Travel Rule data capture at transfer initiation points
  • Verify all stablecoin counterparties hold MiCA ART/EMT authorisation
  • Build DORA Register of Information for ICT dependencies
  • Implement asset segregation and attestation generation
  • Establish incident reporting workflows (72-hour DORA window)
  • Train client-facing staff to ESMA competence standards
  • Prepare white papers for token offerings
  • Document oracle governance and fallback procedures
