A practical roadmap for crypto start-ups moving from national VASP registration to full MiCA authorisation
1. Background: two regulatory generations
In the years leading up to the Markets in Crypto-Assets Regulation (MiCA), and particularly after the adoption of the Fifth Anti-Money Laundering Directive (5AMLD), crypto-asset service providers in Europe operated under a fragmented set of national regulations. These regulations were influenced by the anti-money-laundering and counterterrorism financing (AML/CFT) requirements of 5AMLD, the Financial Action Task Force (FATF) standards regarding virtual assets and virtual asset service providers (VASPs), as well as additional domestic choices made by individual Member States. As a result, the conditions for registration or licensing, prudential expectations, and supervisory practices varied widely across different jurisdictions. This inconsistency created legal uncertainty and allowed for regulatory arbitrage in cross-border activities.
Regulation (EU) 2023/1114, known as MiCA, was created to address this fragmentation by establishing a unified EU framework for crypto-asset service providers (CASPs). For authorised CASPs, MiCA introduces a Union-wide passport, harmonised organisational and conduct requirements, and common rules to ensure market integrity and protect investors.
The shift from the VASP concept to the CASP framework is not just a change in terminology. It signals a broader regulatory shift from a primarily AML/CFT approach to a more comprehensive financial services framework. However, during the transitional period, certain national differences still need to be considered, particularly regarding the treatment of grandfathered entities.
2. The CASP authorisation framework under MiCA
Article 3(1)(16) of Regulation (EU) 2023/1114 defines ten categories of crypto-asset services, including the custody and administration of crypto-assets on behalf of clients, the operation of a trading platform for crypto-assets, the exchange of crypto-assets for funds or other crypto-assets, the execution of orders, and portfolio management. Title V of MiCA then lays down the authorisation and operating conditions applicable to crypto-asset service providers (CASPs). As a general rule, persons providing one or more crypto-asset services on a professional basis in the Union must be authorised as CASPs by the competent authority of their home Member State, subject to the specific arrangements provided by MiCA for certain already regulated financial entities.
The MiCA authorisation framework departs materially from the earlier landscape of national VASP registration regimes.
First, an applicant must have a registered office in a Member State where it carries out at least part of its crypto-asset services, which limits the use of purely formal or shell-entity authorisation structures.
Second, minimum own funds requirements apply on a three-tier basis under Article 67 and Annex IV: EUR 50,000 for Class 1 CASPs, EUR 125,000 for Class 2 CASPs, and EUR 150,000 for Class 3 CASPs. This marks a clear departure from the comparatively uneven and often less prudentially developed pre-MiCA national registration frameworks.
Third, MiCA imposes governance requirements, including scrutiny of the management body and of shareholders or members with qualifying holdings, as part of the authorisation assessment conducted by the competent authority.
Fourth, MiCA establishes a directly applicable Union-level framework governing the organisation and conduct of CASPs, including requirements relating to safeguarding clients’ crypto-assets and funds, conflicts of interest, complaints-handling, and other service-specific obligations.
Once authorised, a CASP may provide services throughout the Union, either under the freedom to provide services or through the right of establishment, subject to the notification procedure laid down in MiCA. This Union passport was generally absent from the earlier patchwork of national VASP registration regimes.
MiCA also introduces a defined regulatory timetable. The competent authority must acknowledge receipt of the application within five working days, assess whether the application is complete within twenty-five working days of receipt, and adopt a fully reasoned decision granting or refusing authorisation within forty working days from receipt of a complete application.
3. The transition: grandfathering and its limits
MiCA became fully applicable to CASPs on 30 December 2024. From that date, the MiCA authorisation framework became the governing regime for new market entrants. Article 143(3), however, provides for a transitional measure under which CASPs that were providing their services in accordance with applicable law before 30 December 2024 may continue to do so until 1 July 2026, or until they are granted or refused an authorisation pursuant to Article 63, whichever is sooner.
That grandfathering mechanism is not uniform across the Union. Article 143(3) expressly allows Member States not to apply the transitional regime at all, or to reduce its duration, where they consider that their national regulatory framework applicable before 30 December 2024 is less strict than MiCA. ESMA’s published register of national grandfathering periods under Article 143(3) records materially different transitional durations across Member States.
Several jurisdictions did not adopt the full 18-month period. In the Netherlands, for example, ESMA’s list records a transitional period of six months rather than the maximum duration permitted by Article 143(3). Firms that assumed a uniform grandfathering period across the EU, therefore, exposed themselves to material compliance risk.
Grandfathering also has important substantive limits. It does not confer a MiCA passport. ESMA has stated that grandfathered entities do not benefit from an EU passport unless and until they obtain MiCA authorisation; accordingly, cross-border activity during the transitional period depends on compliance with the legislation applicable in both the home and the host Member State.
Finally, reliance on Article 143(3) does not displace the national legal framework under which the relevant provider was previously operating. Rather, the transitional regime allows continued activity for a limited period under the applicable pre-MiCA framework, subject to the constraints of Article 143(3) and the choices made by the relevant Member State. National AML/CFT, registration, and supervisory requirements, therefore, remain relevant during the transition to the extent they continue to apply under national law.
4. Key compliance challenges for incumbent operators
The transition to MiCA has exposed several practical compliance challenges for operators and their legal advisers.
First, firms must reassess the scope of their activities against MiCA’s service taxonomy. Certain activities that were not expressly regulated, or were only indirectly captured, under pre-MiCA national VASP regimes may fall within one or more of the crypto-asset service categories defined by MiCA. Incumbent operators, therefore, need a fresh legal analysis of their business model, including service mapping, functional reclassification, and a review of whether any activity now falls within the authorisation perimeter.
Second, white paper obligations require careful attention where a firm issues crypto-assets, offers them to the public, or seeks their admission to trading. For crypto-assets other than asset-referenced tokens and e-money tokens, MiCA requires a crypto-asset white paper to be drawn up in accordance with Article 6, notified under Article 8, and published under Article 9, subject to the exemptions provided for by the Regulation. The white paper must satisfy detailed disclosure requirements, and Article 15 provides for civil liability if the white paper is incomplete, unfair, unclear, or misleading.
Third, third-country firms face significant risk in relying on reverse solicitation. Article 61 permits the provision of crypto-asset services only when the relevant service is initiated by the client at the client’s own exclusive initiative. ESMA’s Guidelines require this exception to be construed narrowly, emphasise that the assessment is factual rather than formal, and state that contractual disclaimers cannot override contrary facts. They also make clear that the reverse solicitation exemption must not be used to circumvent MiCA’s authorisation requirements. In practice, this creates substantial risk for business models that previously relied on an expansive understanding of passive marketing or unsolicited inbound demand from EU-based clients.
Fourth, incumbent groups must revisit their assumptions about structure. Where a group previously relied on a single VASP entity to service several EU markets, it must assess whether that model remains compatible with MiCA’s requirements concerning registered office, governance, and operational presence in the home Member State. That assessment should also take into account MiCA’s scope exclusions, including the exclusion for services provided exclusively within a qualifying corporate group.
5. Regulatory developments and the path to 2026
MiCA implementation is being shaped not only by the Level 1 Regulation itself, but also by an expanding body of Level 2 and Level 3 measures developed by ESMA and the EBA. These include technical standards, guidelines and related supervisory materials on topics such as authorisation, sustainability disclosures, white paper-related requirements, and the monitoring and detection of market abuse.
At the supervisory level, market participants should expect some variation in operational readiness and authorisation practice across Member States. ESMA has itself identified CASP authorisation procedures and transitional measures as areas requiring particular vigilance to promote convergence and reduce the risk of regulatory arbitrage.
Applicants should therefore expect competent authorities to examine not only the formal completeness of an application, but also the substantive credibility of the applicant’s governance arrangements, safeguarding framework, internal controls, and broader compliance architecture. Where pre-application dialogue is available under national practice, early engagement with the competent authority may be advisable.
Looking beyond the end of the MiCA transition, CASPs will also need to prepare for the interaction between MiCA and the EU’s new AML/CFT framework, including Regulation (EU) 2024/1624, Directive (EU) 2024/1640, Regulation (EU) 2024/1620 establishing AMLA, and the Transfer of Funds Regulation (EU) 2023/1113. That interaction will deepen compliance expectations in areas such as customer due diligence, information accompanying crypto-asset transfers, transparency on ownership and control, and supervisory coordination.
AMLA is expected to begin direct supervision of selected obliged entities in 2028, including selected financial-sector entities that may encompass certain CASPs where they fall within the applicable selection framework. MiCA authorisation should therefore be treated not as an endpoint, but as the starting point for a continuing Union-level compliance architecture.
