What are the new MiCA obligations for CASPs in the EU?
Under the EU Markets in Crypto-Assets Regulation, crypto-asset service providers, or CASPs, must be authorized to provide crypto-asset services in the EU unless they qualify under a specific exemption or existing regulated-entity pathway. Core obligations include authorization, prudential safeguards, fit-and-proper governance, fair and non-misleading client communications, risk disclosures, pricing transparency, complaints handling, conflicts of interest controls, outsourcing oversight, orderly wind-down planning, safekeeping of client assets, market abuse detection, and service-specific requirements for custody, trading platforms, order execution, transfer services, advice, and portfolio management.
For existing providers that relied on national transitional regimes, the EU-wide transition period ends on July 1, 2026. After that date, any entity providing crypto-asset services to EU clients without a MiCA license must cease offering those services.
Why MiCA matters now
MiCA was designed to replace fragmented national crypto regimes with a harmonized EU framework for crypto-assets, issuers, and crypto-asset service providers. For CASPs, the practical shift is significant: crypto compliance in the EU is no longer just a matter of registering locally or meeting narrowly defined anti-money laundering requirements. MiCA creates a broader operational, governance, disclosure, market integrity, and client protection framework.
The result is a much higher bar for firms that custody crypto-assets, operate trading platforms, exchange crypto-assets for funds or other crypto-assets, execute or transmit orders, place crypto-assets, provide crypto-asset advice, manage crypto-asset portfolios, or provide transfer services.
MiCA also changes how global firms should think about EU market access. A non-EU firm cannot rely on broad website disclaimers or boilerplate “reverse solicitation” language if the facts show active solicitation of EU clients. Reverse solicitation is intended to be narrow, fact-specific, and client-initiated.
Who is a CASP under MiCA?
A CASP is a legal person or undertaking whose occupation or business is the professional provision of one or more crypto-asset services to clients. Crypto-asset services include custody and administration, operation of a trading platform, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, advice, portfolio management, and transfer services.
This matters because MiCA obligations are not limited to exchanges. Wallet providers, custodians, brokers, trading venues, transfer service providers, and advisory models may all fall within scope depending on the services provided and how they are marketed or delivered.
Key MiCA dates for CASPs
MiCA was published in the Official Journal of the European Union on June 9, 2023, and entered into force later that month. The provisions relating to crypto-asset services entered into application on December 30, 2024.
Existing CASPs that provided services in accordance with applicable national law before December 30, 2024, may have been able to rely on national transitional arrangements. However, ESMA has clarified that the transitional period expires across the EU on July 1, 2026. After that date, unauthorized CASPs serving EU clients are in breach of EU law and must cease offering those services.

1. Authorization and EU passporting
The most important MiCA obligation is authorization. A firm may not provide crypto-asset services within the EU unless it is authorized as a CASP or is an eligible regulated financial entity permitted to provide the relevant services under MiCA.
Authorized CASPs must have a registered office in a Member State where they carry out at least part of their crypto-asset services, effective management in the EU, and at least one director resident in the EU. Once authorized, a CASP may provide services across the EU through passporting, subject to the required notification process.
For firms pursuing authorization, the application process is not a light-touch filing exercise. Applications must include detailed information on the firm’s business model, governance, management body, qualifying shareholders, internal controls, ICT systems, custody arrangements, outsourcing, complaints handling, conflicts of interest, prudential safeguards, and, where relevant, trading platform operating rules and market abuse detection systems.
2. Governance, fit-and-proper standards, and internal controls
MiCA requires CASPs to maintain sound governance arrangements. Members of the management body must be of sufficiently good repute and have the knowledge, skills, and experience necessary to perform their duties. Qualifying shareholders must also be of sufficiently good repute, particularly regarding money laundering, terrorist financing, and other conduct that could affect sound and prudent management.
CASPs must adopt effective policies and procedures to comply with MiCA. They must employ personnel with the knowledge, skills, and expertise required for their responsibilities, periodically review compliance arrangements, maintain business continuity plans, and use resilient and secure ICT systems consistent with the Digital Operational Resilience Act.
MiCA also requires CASPs to keep records of crypto-asset services, activities, orders, and transactions. These records must be sufficient to allow competent authorities to supervise compliance and take enforcement action. Records generally must be retained for five years, and up to seven years if requested by the competent authority.
3. Prudential safeguards
CASPs must maintain prudential safeguards equal to at least the higher of either the permanent minimum capital requirement applicable to their service class or one quarter of fixed overheads from the preceding year.
Those safeguards can take the form of own funds, an insurance policy, a comparable guarantee, or a combination. This creates a clear financial resilience requirement for firms operating in the EU crypto market.
4. Conduct obligations and client disclosures
CASPs must act honestly, fairly, and professionally in the best interests of clients and prospective clients. Client information, including marketing communications, must be fair, clear, and not misleading.
CASPs must warn clients about the risks associated with crypto-asset transactions. Depending on the service, they must also provide clients with access to the relevant crypto-asset white papers. Pricing policies, costs, and fees must be made publicly available in a prominent place on the CASP’s website.
CASPs must also publish information about the principal adverse climate and environmental impacts of the consensus mechanisms used for the crypto-assets they support.
5. Complaints handling
MiCA requires CASPs to establish and maintain effective and transparent procedures for the prompt, fair, and consistent handling of client complaints. Clients must be able to submit complaints free of charge. CASPs must make complaint templates available, keep records of complaints and measures taken in response, and communicate complaint outcomes within a reasonable period.
This is a meaningful operational requirement. Complaint governance needs to be documented, repeatable, measurable, and integrated into management reporting.
6. Conflicts of interest
CASPs must identify, prevent, manage, and disclose conflicts of interest. This includes conflicts between the CASP and its shareholders, management body, employees, linked persons, clients, and conflicts between clients.
Disclosures must be placed prominently on the CASP’s website and must include enough detail for clients and prospective clients to make informed decisions. CASPs must review their conflicts policy at least annually and address deficiencies.
7. Outsourcing and third-party risk
MiCA permits outsourcing, but it does not permit outsourcing accountability. CASPs remain fully responsible for their obligations even when operational functions are outsourced.
Outsourcing arrangements must not delegate the CASP’s responsibility, alter the CASP’s client obligations, undermine authorization conditions, or prevent competent authorities from supervising outsourced activities. CASPs must maintain the expertise and resources needed to oversee outsourced providers, have direct access to relevant outsourced-service information, ensure EU data protection standards are met, and maintain written outsourcing agreements with termination rights.
8. Orderly wind-down planning
For firms that will not achieve authorization before July 1, 2026, wind-down planning is not a compliance checkbox – it is the compliance task. ESMA expects unauthorized firms to have implemented wind-down plans by that date and expects authorized CASPs to have actively managed migration of existing EU clients before it arrives.
A credible wind-down plan must show that the firm can exit without causing material harm to clients – that assets can be returned, positions unwound, and obligations discharged in an orderly way. Firms that cannot demonstrate this face both regulatory and reputational exposure.
9. Safekeeping of client crypto-assets and funds
CASPs that hold client crypto-assets or means of access to crypto-assets must safeguard client ownership rights, especially in insolvency. They must prevent the use of client assets for their own account and, where applicable, maintain arrangements to safeguard client funds.
For custody and administration services, CASPs must have client agreements, custody policies, client position registers, security controls, and legal and operational segregation of client crypto-assets from the CASP’s own estate. CASPs may be liable to clients for loss of crypto-assets or means of access where the incident is attributable to the CASP.
10. Trading platform obligations
CASPs operating crypto-asset trading platforms face detailed operating requirements. They must maintain clear and transparent trading rules, set admission and exclusion criteria, establish fair and orderly trading procedures, maintain resilient systems, manage market stress, reject erroneous orders, prevent or detect market abuse, and prevent abuse for money laundering or terrorist financing purposes.
Trading platforms must also provide transparency around bid and ask prices, market depth, executed transaction price, volume, and time. Order book data must be retained for competent authority review.
ESMA has also clarified that an EU-authorized trading platform cannot pool its order book with non-EU trading platforms operated by entities that are not authorized as CASPs under MiCA.
11. Advice, portfolio management, and staff competence
CASPs providing advice or portfolio management must assess whether crypto-assets or crypto-asset services are suitable for clients or prospective clients. This assessment must consider the client’s knowledge and experience, investment objectives, risk tolerance, financial situation, and ability to bear losses.
CASPs must warn clients that crypto-assets may fluctuate in value, may result in full or partial loss, may be illiquid, and are not covered by investor compensation schemes or deposit guarantee schemes.
ESMA has also published guidelines for staff knowledge and competence. CASPs should ensure that staff providing information or advice on crypto-assets have appropriate qualifications, experience, ongoing training, and role clarity.
12. Transfer services and the EU Travel Rule
CASPs providing transfer services must enter into client agreements that specify duties, responsibilities, transfer modalities, security systems, fees, and applicable law.
Separately, the EU Transfer of Funds Regulation, often referred to as the Travel Rule, applies to certain crypto-asset transfers. The EBA’s Travel Rule Guidelines apply from December 30, 2024, and require policies and procedures for information accompanying transfers of funds and certain crypto-asset transfers. While this is a separate regulation from MiCA, it is operationally tied to the same EU crypto compliance environment and should be treated as a core CASP compliance workstream.
13. AML/CFT risk management
MiCA does not replace AML/CFT obligations. CASPs must still maintain effective procedures and arrangements for risk assessment and compliance with national laws implementing EU AML rules.
The EBA has extended its money laundering and terrorist financing risk-factor guidance to CASPs. This means CASPs should assess customer, product, transaction, geographic, delivery-channel, and blockchain-related risk factors and tailor controls accordingly.
For practical compliance, this requires more than sanctions list screening. CASPs need a complete view of customer risk, ownership, counterparties, wallets, transaction exposure, adverse media, politically exposed persons, sanctions, and network risk.
14. Market abuse surveillance
MiCA establishes market abuse rules for crypto-assets admitted to trading or for which admission to trading has been requested. Persons professionally arranging or executing crypto-asset transactions must maintain systems and procedures to prevent and detect market abuse and report suspicious orders or transactions without delay.
This increases pressure on CASPs to monitor trading activity, identify suspicious behavior, and connect market activity with broader risk signals. For trading venues and order execution models, market surveillance and financial crime controls should not operate in separate silos.
15. Regulated and unregulated services must be clearly distinguished
ESMA has warned that CASPs offering both MiCA-regulated and unregulated products or services may create investor protection risks if clients assume all products benefit from MiCA protections. CASPs should avoid creating confusion, should not use MiCA authorization in a way that implies blanket coverage, and should clearly distinguish regulated services from unregulated activity.
This has practical implications for websites, product pages, onboarding flows, apps, client communications, and sales enablement materials.
16. Non-MiCA-compliant stablecoin restrictions
MiCA includes specific rules for asset-referenced tokens and e-money tokens. ESMA has stated that CASPs operating trading platforms should stop making non-MiCA-compliant ARTs and EMTs available for trading and should restrict services involving such tokens where those services constitute an offer to the public in the EU.
CASPs should also clearly communicate to EU investors when restrictions apply and support an orderly transition to MiCA-compliant alternatives.
MiCA compliance checklist for CASPs in 2026

CASPs serving EU clients should focus on the following areas:
- Confirm whether each service is in scope of MiCA.
- Confirm authorization status, transitional status, or wind-down obligations before July 1, 2026.
- Map regulated, unregulated, and out-of-scope products and update customer-facing disclosures.
- Review governance, fit-and-proper documentation, shareholder records, and management body oversight.
- Validate prudential safeguards and insurance or guarantee arrangements.
- Update conflicts of interest policies and website disclosures.
- Review custody policies, client asset segregation, client fund safeguards, and insolvency protections.
- Strengthen complaints handling, complaint templates, recordkeeping, and response tracking.
- Review outsourcing agreements, termination rights, data protection standards, contingency plans, and exit strategies.
- Align ICT resilience, incident response, and business continuity controls with DORA expectations.
- Implement Travel Rule policies and procedures for relevant crypto-asset transfers.
- Refresh AML/CFT risk assessments for crypto-specific exposure, including wallet, counterparty, network, and geography risk.
- Implement market abuse surveillance for trading, order routing, and execution workflows.
- Train staff and document knowledge and competence standards for client information and advice.
- Maintain audit-ready records across services, orders, transactions, alerts, decisions, and customer communications.
How Sigma360 helps CASPs strengthen MiCA readiness

AML/CFT and customer risk
MiCA requires CASPs to assess customer, counterparty, wallet, transaction, geographic, and network risk – and to tailor controls accordingly. Sigma360 consolidates sanctions screening, PEP identification, adverse media monitoring, beneficial ownership resolution, and blockchain-linked entity risk into a single workflow. Instead of running parallel checks across disconnected tools, compliance teams get a unified customer risk profile that updates continuously and documents every decision with an auditable trail.
Market abuse surveillance
Persons professionally arranging or executing crypto-asset transactions must have systems in place to detect and report suspicious activity. Sigma360’s entity resolution and network analysis capabilities help teams connect trading behavior to the broader risk picture – linking wallet activity, counterparty exposure, and adverse signals in ways that point-in-time screening cannot. That means fewer false negatives and a defensible record of what was reviewed and why.
Outsourcing oversight and third-party risk
MiCA holds CASPs fully accountable for outsourced functions. Sigma360 supports ongoing third-party monitoring by tracking risk signals across vendors, partners, and service providers.
Audit-ready record-keeping
MiCA requires records to be retained and produced on demand by competent authorities. Sigma360’s explainable AI outputs and decision-log architecture mean that every alert, investigation, and risk determination is documented in a form regulators can review.
Onboarding and ongoing monitoring across the client lifecycle
Authorization alone doesn’t satisfy MiCA. CASPs must demonstrate continuous compliance across the client relationship. Sigma360 supports EDD at onboarding, periodic review triggers based on risk-tier changes, and escalation workflows that keep compliance teams ahead of exposure rather than reactive to it.
FAQ: MiCA obligations for CASPs
What is MiCA?
MiCA is the EU Markets in Crypto-Assets Regulation. It establishes a harmonized framework for crypto-assets, crypto-asset issuers, and crypto-asset service providers across the European Union.
What is a CASP under MiCA?
A CASP is a crypto-asset service provider that professionally provides one or more crypto-asset services to clients, such as custody, trading platform operation, exchange, order execution, transfer services, advice, or portfolio management.
When did MiCA apply to CASPs?
MiCA provisions relating to the provision of crypto-asset services entered into application on December 30, 2024.
What is the MiCA deadline for existing CASPs?
The EU-wide transitional period expires on July 1, 2026. After that date, unauthorized CASPs serving EU clients must cease offering crypto-asset services.
Can non-EU crypto firms rely on reverse solicitation?
Only in narrow circumstances. Reverse solicitation applies when the EU client acts at their own exclusive initiative. ESMA has made clear that disclaimers or contractual clauses cannot override the facts if a firm is actively soliciting EU clients.
Does MiCA require CASPs to segregate client assets?
Yes. CASPs holding client crypto-assets must safeguard client ownership rights and prevent use of client assets for their own account. Custody providers must also legally and operationally segregate client crypto-assets from the CASP’s estate.
Does MiCA include AML rules?
MiCA includes governance and risk-management obligations that interact with AML/CFT controls, but it does not replace EU AML/CFT obligations. CASPs must also comply with applicable AML/CFT laws, EBA risk-factor guidance, and the EU Travel Rule where relevant.
What should CASPs prioritize now?
CASPs should prioritize authorization or wind-down readiness, governance documentation, client asset safeguarding, Travel Rule readiness, AML/CFT risk controls, market abuse surveillance, customer disclosures, staff competence, and audit-ready recordkeeping.