MiCA Compliance: Requirements and Checklist for Crypto Businesses

MiCA compliance is the act of meeting every obligation that Regulation (EU) 2023/1114 places on crypto firms serving the European Union. It binds crypto-asset service providers (CASPs), token issuers and offerors, and covers authorisation, own funds, governance, conduct, custody, market abuse and AML. The CASP regime applies from 30 December 2024.
This guide turns that regulation into an actionable checklist. Every item is tagged with the MiCA article that creates it, drawn from the ESMA Interactive Single Rulebook and the official EUR-Lex MiCA summary. Read it as a definitive reference, not a sales pitch: the article numbers, the capital figures and the dates are what make a CASP application defensible in front of a national competent authority.
By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14
What is MiCA compliance and who must comply?
MiCA compliance means satisfying the full set of duties in Regulation (EU) 2023/1114, the Markets in Crypto-Assets Regulation. It is not a one-off authorisation event but an ongoing state that spans prudential, governance, conduct, custody, market-abuse, AML and ICT obligations. The regulation is enforced by the national competent authority (NCA) of a firm's home Member State, with ESMA and EBA issuing the technical standards and guidelines that flesh it out.
MiCA in one paragraph
MiCA is a single EU regulation that brings crypto-asset markets inside a harmonised licensing and conduct framework. It applies directly across all 27 Member States plus the EEA. A firm that provides crypto-asset services to EU clients must be authorised as a CASP and comply continuously; a firm that offers or seeks admission to trading for a token must publish a compliant white paper. The CASP regime (Title V) has applied since 30 December 2024.
Which crypto businesses are covered (CASPs and issuers)
MiCA splits the regulated population into two broad groups, and the distinction matters because the obligations differ. The first group is crypto-asset service providers; the second is issuers and offerors of crypto-assets.
CASPs covered by the regime include:
- Exchanges (crypto-for-funds and crypto-for-crypto)
- Custodians providing safekeeping and administration
- Brokers receiving, transmitting and executing orders
- Operators of trading platforms
- Transfer-service providers
- Advisers and portfolio managers for crypto-assets
Issuers, offerors and persons seeking admission to trading sit in the second group and carry the white-paper duties under Articles 6 and 8. A single firm can be in both groups at once, which is why this checklist keeps the two stacks visibly separate.
Does MiCA apply to NFTs, DeFi and utility tokens?
MiCA includes general carve-outs, but scope is assessed case by case rather than by label. A token marketed as a non-fungible token, a utility token or a purely decentralised arrangement is not automatically out of scope. The competent authority looks at the substance: economic function, fungibility in practice, and whether a person provides services around it. Because the exact carve-out wording must be read against the live regulation, treat any blanket "NFTs are exempt" claim with caution and analyse your specific tokens and structure before relying on an exemption.

MiCA compliance at a glance: the 9 domains
A complete MiCA programme for a CASP touches nine domains. The table below maps each domain to the MiCA article that creates it and to the one-line requirement, so a compliance officer can scan the whole obligation set in one place before diving into the detail.
Compliance-domain to MiCA-article map
| Domain | MiCA article(s) | What it requires |
|---|---|---|
| Authorisation and market access | Arts. 59, 60, 62, 63, 65 | Be an authorised legal person, file the dossier, pass assessment, passport |
| Prudential / own funds | Art. 67 + Annex IV | Hold minimum own funds (EUR 50k/125k/150k) or one quarter of fixed overheads |
| Governance and fit-and-proper | Arts. 68, 74 | Robust governance, suitable management body, fit-and-proper holders, wind-down plan |
| Conduct and client protection | Arts. 66, 71, 72, 73 | Act honestly and fairly; complaints, conflicts and outsourcing controls |
| Custody and safekeeping | Arts. 70, 75 | Segregate client assets, no own-account use, custody agreement and register |
| Service-specific trading rules | Arts. 76, 81, 82 | Trading-platform rules, transfer agreement, suitability for advice |
| White paper (issuer-facing) | Arts. 6, 8 | Compliant white paper, fair, clear and not misleading; notify the CA |
| Market abuse | Title VI, Arts. 86 to 92 | Ban insider dealing and manipulation; detect abuse and file STORs |
| AML, travel rule and DORA | Reg 2023/1113, AMLD/AMLR, Reg 2022/2554 | Separate AML and ICT stacks that run alongside MiCA |
These nine domains are the backbone of the rest of this guide. Domains seven (white paper) and eight (market abuse) apply only when a firm issues tokens or runs activity in crypto-assets admitted to trading, while domain nine is a parallel legal regime rather than part of MiCA itself.
Step by step: how to become MiCA compliant
The practical path to compliance for a service provider follows five steps under Title V. The first three are the core authorisation route; the last two are a shortcut and an expansion mechanism.
- Establish an authorised legal person with an EU registered office, an EU-resident director and effective management in the EU (Art. 59).
- File the authorisation application as a complete dossier with the competent authority (Art. 62).
- Pass the competent-authority assessment of completeness and then merits, ending in a grant or refusal (Art. 63).
- Or notify instead of applying, if the firm is already a regulated financial entity (Art. 60).
- Then passport the single authorisation across the EU and EEA by notification (Art. 65).
Step 1: Establish an authorised legal person (Art. 59)
Crypto-asset services may only be provided by a legal person (or certain other undertakings) authorised as a CASP. Article 59 requires a registered office in a Member State, at least one director resident in the EU, and effective management located in the EU. A pure letterbox arrangement does not meet the substance test; the competent authority expects real decision-making and operational presence inside the bloc.
Step 2: File the authorisation application (Art. 62)
Article 62 sets out the application dossier. It is a substantial package: a programme of operations, governance arrangements, internal controls, AML procedures, proof of own funds, descriptions of IT and security systems, custody and segregation arrangements, and identification of the management body and qualifying shareholders. The full document list is broken out in the dossier section below.
Step 3: Pass the competent-authority assessment (Art. 63)
The competent authority first checks the application for completeness and then assesses it on the merits, before granting or refusing authorisation. Statutory time-limits apply to both the completeness check and the final decision. Many advisers quote a "3 to 6 months" timeline for the whole process; treat that as a practical estimate of real-world processing, not the legal limit, because the exact statutory day-counts in Article 63 must be read against the regulation text before being relied upon.
Shortcut: notification route for regulated financial entities (Art. 60)
Firms that are already supervised, including credit institutions, investment firms and e-money institutions, do not always need a fresh full authorisation. Article 60 lets certain financial entities provide specified crypto-asset services under a simplified notification to their competent authority before starting. This route recognises existing prudential and conduct supervision, but it still requires the notification and the relevant MiCA-specific information.
Then: passport across the EU (Art. 65)
Once authorised, a CASP does not re-apply in every country it wants to serve. Article 65 allows the single home authorisation to passport across all EU and EEA Member States: the home authority notifies the host authorities, and the firm gains pan-EU market access from one licence. For a firm planning multi-country operations, this is the core commercial advantage of MiCA. If you want to map this mechanism to a specific roll-out, see how to passport your licence across the EU.
Authorisation dossier: documents a CASP application needs (Art. 62)
The Article 62 dossier is where most applications either move quickly or stall. The competent authority will not start the substantive assessment until the package is complete, so the quality and consistency of the documents directly drive the timeline.
The core application documents
A complete Article 62 application typically includes:
- Programme of operations setting out the crypto-asset services to be provided
- Governance arrangements and a description of the management body
- Internal control mechanisms and risk-management procedures
- AML and CFT policies and procedures
- Proof of the required own funds
- Descriptions of IT systems, security arrangements and business continuity
- Custody and segregation arrangements for client assets
- Identification and good-repute evidence for management and qualifying shareholders
From our practice: where dossiers stall
In our work guiding CASP applications, the recurring friction point is rarely the headline capital figure. It is internal consistency: the programme of operations describes one set of services, the own-funds calculation assumes another, and the governance map names roles the application does not staff. Competent authorities read the dossier as a single document, so a mismatch between the services claimed and the Annex IV class applied is a common reason for a completeness query. The other frequent gap is custody and segregation language that asserts the outcome without describing the mechanism. We treat the dossier as a coherent operating model on paper, not a stack of separate forms, and we align the service list, the own-funds class and the governance chart before filing.
Minimum own funds under MiCA: Class 1, 2 and 3 (Art. 67 + Annex IV)
Own funds are one of the most misread parts of MiCA. Article 67 sets a two-part test: a CASP must hold own funds at all times equal to the higher of a fixed permanent minimum (set by service class in Annex IV) or one quarter of the preceding year's fixed overheads. The permanent minimums are EUR 50,000, EUR 125,000 and EUR 150,000.
The own-funds ladder by service class
The class a firm falls into depends on the services it provides, and the classes stack upward.
| Class | Services covered | Minimum own funds |
|---|---|---|
| Class 1 | Reception/transmission of orders, execution, placing, transfer services, advice, portfolio management | EUR 50,000 |
| Class 2 | Class 1 plus custody and administration, exchange crypto-for-funds, exchange crypto-for-crypto | EUR 125,000 |
| Class 3 | Class 2 plus operation of a trading platform | EUR 150,000 |
These figures come from Annex IV and Article 67 of MiCA. A firm that combines several activities is placed in the highest applicable class, so an exchange that also runs a trading platform sits in Class 3 at EUR 150,000.
The "higher of" test and the fixed-overheads element
The permanent minimum is a floor, not a ceiling. Article 67 requires own funds to be at least the higher of the Annex IV figure or one quarter of the previous year's fixed overheads. A larger firm with substantial running costs can therefore be required to hold materially more than EUR 50,000 to EUR 150,000. The fixed-overheads element is recalculated annually, which means the own-funds requirement is dynamic and grows with the business. Compliance teams should build the recalculation into their year-end process rather than treating capital as a one-time hurdle cleared at authorisation.
Capital vs qualifying insurance policy
MiCA allows own funds to be held as capital, as a qualifying insurance policy, or as a combination of the two under Article 67. The insurance route can ease the capital burden, but it is not an unconditional substitute: the policy must meet specific MiCA criteria. The precise conditions sit in the detailed sub-paragraphs of Article 67, so confirm the exact insurance requirements against the regulation text before assuming a policy can fully replace held capital.
Governance, fit-and-proper and wind-down (Arts. 68, 74)
Authorisation is not only about money and forms; MiCA also tests who runs the firm and whether it can fail safely. Two articles carry these duties.
Governance arrangements and the management body (Art. 68)
Article 68 requires a clear organisational structure with well-defined lines of responsibility, effective risk management, internal controls, business-continuity arrangements, and accounting and record-keeping. The management body must be of good repute and collectively hold adequate knowledge, skills, experience and time to perform its duties. Qualifying shareholders must be fit and proper, which in practice means no relevant AML or financial-crime convictions and a transparent ownership chain. These are continuing standards, not one-off checks at authorisation.
Orderly wind-down plan (Art. 74)
Article 74 requires every CASP to maintain a plan for an orderly wind-down. The plan must ensure continuity or recovery of critical activities and the return of client assets if the firm ceases to operate. For client-asset-heavy businesses such as custodians and exchanges, regulators scrutinise this plan closely, because it is the mechanism that protects clients when a firm fails.
Conduct of business and client protection (Arts. 66, 71, 72, 73)
MiCA imposes a conduct regime familiar from traditional financial services. Four articles set the core duties.
Act honestly, fairly and professionally (Art. 66)
Under Article 66 a CASP must act honestly, fairly and professionally in the best interests of its clients. Information and marketing communications must be fair, clear and not misleading; the firm must warn clients of the risks of crypto-assets, disclose pricing and fees, and provide information on the environmental impact of the crypto-assets it deals in. This is the article that governs how a CASP speaks to its market.
Complaints handling and conflicts of interest (Arts. 71, 72)
Article 71 requires effective and transparent complaints-handling procedures: complaints must be investigated promptly and free of charge, with records kept. Article 72 requires a policy to identify, prevent, manage and disclose conflicts of interest between the CASP, its staff, its shareholders and its clients. Both must operate on a live basis, not exist only on paper.
Outsourcing with retained responsibility (Art. 73)
A CASP may outsource functions under Article 73, but it cannot outsource accountability. The firm retains full responsibility, must ensure the quality and continuity of outsourced functions, and must preserve oversight and audit access. Management responsibility itself cannot be delegated. Outsourcing arrangements should be documented and monitored as part of the governance framework.
Safeguarding client assets: segregation and custody (Arts. 70, 75)
Client-asset protection is the most consequential part of MiCA for exchanges and custodians, and it is split across a general duty and a custody-specific rule.
Segregation and safekeeping (Art. 70)
Article 70 requires a CASP to segregate clients' crypto-assets and funds from its own and to refrain from using them on its own account. Client funds must be placed with a credit institution or central bank, and the firm must put arrangements in place to protect clients' ownership rights, especially in the event of the CASP's insolvency. This segregation duty applies to every CASP that holds client assets, not only to dedicated custodians.
Custody service-specific rules (Art. 75)
Custodians face additional duties under Article 75. They must enter a written agreement with mandatory terms, maintain a position register per client, operate a custody policy, and accept liability for the loss of client crypto-assets or means of access, including losses arising from ICT incidents, up to market value. This explicit liability standard is one of the strictest client-protection provisions in MiCA.

Service-specific rules: trading, transfers, advice (Arts. 76, 81, 82)
Beyond the rules that apply to all CASPs, MiCA layers in obligations that attach to particular services.
Operating a trading platform (Art. 76)
A firm that operates a trading platform for crypto-assets must comply with Article 76: it needs operating rules, admission-to-trading criteria, resilient systems, pre-trade and post-trade transparency, and arrangements for fair and orderly trading. Crucially, the operator may not engage in proprietary matched trading on its own platform, subject to limited exceptions. This separation of the venue from the operator's own dealing is central to market integrity under MiCA.
Transfer services and advice/portfolio management (Arts. 82, 81)
Article 82 requires a firm providing transfer services to put in place an agreement specifying the duties and responsibilities for transferring crypto-assets on behalf of clients. Article 81 governs advice and portfolio management: the firm must run a suitability assessment, ensure staff knowledge and competence, and provide periodic reporting to clients. These obligations sit on top of the general conduct rules in Article 66.
White-paper obligations for issuers (Arts. 6, 8)
The white-paper duties are issuer-facing, not CASP-facing, and they are a frequent source of confusion. A firm that offers crypto-assets to the public or seeks their admission to trading must satisfy these obligations even if it never provides a regulated service to clients.
White-paper content and the "fair, clear, not misleading" standard (Art. 6)
For offers or admissions of crypto-assets other than asset-referenced tokens and e-money tokens, Article 6 requires a white paper containing mandatory information: details of the offeror or issuer, the project, the offer to the public, the rights and obligations attached to the crypto-asset, the underlying technology, the risks, and the principal adverse environmental and climate impacts. The white paper must be fair, clear and not misleading, and it must carry a disclaimer that no competent authority has approved it. Because the exact sub-paragraph wording of Article 6 must be read against the live regulation, confirm the detailed content list from the regulation text before quoting it verbatim.
Notify the competent authority before publication (Art. 8)
Article 8 requires the issuer to notify the white paper to the competent authority before publication. For crypto-assets other than ART and EMT this is a notification, not a prior approval: the authority does not approve the white paper, but the notification and publication are mandatory. The distinction between notification and approval is important and frequently misstated. For the full issuer workflow, see the MiCA white-paper requirements guide.
Market-abuse rules every crypto firm must police (Title VI, Arts. 86 to 92)
Market abuse is the domain most often missing from older MiCA summaries, yet it carries direct surveillance and reporting duties for any firm dealing in crypto-assets admitted to trading.
Scope and inside information (Arts. 86, 87, 88)
Article 86 sets the scope: Title VI applies to acts concerning crypto-assets that are admitted to trading or for which a request for admission has been made. Article 87 defines inside information, and Article 88 requires issuers, offerors and persons seeking admission to disclose inside information that directly concerns them to the public as soon as possible. These transparency duties are the foundation of the market-integrity regime.
The three prohibitions (Arts. 89, 90, 91)
MiCA prohibits three behaviours. Article 89 bans insider dealing, including attempts, using inside information. Article 90 bans the unlawful disclosure of inside information. Article 91 bans market manipulation, which covers false or misleading signals, price-positioning, deceptive devices and the dissemination of false information. The prohibitions apply to everyone, not only to regulated firms.
Detection systems and STORs (Art. 92)
Article 92 requires persons professionally arranging or executing transactions, including CASPs operating platforms, to maintain systems to prevent and detect market abuse and to submit suspicious transaction and order reports (STORs). ESMA has delivered draft regulatory technical standards on STORs under Article 92(2) and guidelines on the prevention and detection of market abuse under Article 92(3), so surveillance design should track those standards as they finalise.
The other two legal stacks: AML, travel rule and DORA
MiCA does not stand alone. A compliant CASP must run two further legal regimes in parallel: anti-money-laundering law (including the travel rule) and the Digital Operational Resilience Act. Older guides blur these into MiCA; in reality they are distinct stacks with their own statutes and supervisors.
The crypto travel rule (Reg (EU) 2023/1113 + EBA/GL/2024/11)
Regulation (EU) 2023/1113, the recast Transfer of Funds Regulation, applies the travel rule to crypto-asset transfers. A CASP must collect, transmit and verify originator and beneficiary information on transfers, and the rule applies from 30 December 2024. The EBA Travel Rule Guidelines (EBA/GL/2024/11) specify how to detect and manage missing information, with a CASP transitional period running to 31 July 2025. For the operational detail, see the crypto travel rule page.
Full AML/CFT as an obliged entity (AMLD to AMLR)
Because the Transfer of Funds Regulation treats MiCA-authorised CASPs as obliged entities, the full AML/CFT regime applies: customer due diligence and KYC, ongoing monitoring, risk assessment, suspicious activity reporting and sanctions screening. The current framework is the AML Directive (Directive (EU) 2015/849, as amended), which is being replaced by the AML Regulation (Regulation (EU) 2024/1624) as part of the EU AML package. The AMLR is reported to apply from mid-2027, with AMLD duties applying in the interim; confirm the exact application date against EUR-Lex before relying on it. The broader programme is covered in our AML and KYC requirements guide.
DORA: ICT and operational resilience (Reg (EU) 2022/2554)
The third stack is the Digital Operational Resilience Act, Regulation (EU) 2022/2554. CASPs are financial entities under DORA and must run ICT risk management, incident reporting, digital operational-resilience testing and oversight of ICT third-party providers. DORA is reported to apply from 17 January 2025; confirm the exact date and the precise CASP scoping against the DORA text before stating it as fact. Note that MiCA Article 75 also imposes ICT-incident liability on custodians, so the two regimes reinforce each other on operational resilience.
Ongoing obligations after you are authorised
Authorisation is the start of compliance, not the end. MiCA obligations continue for the life of the firm, and supervisors expect evidence that they operate continuously.
Continuous prudential and governance duties
A CASP must maintain own funds above the Annex IV or fixed-overheads threshold at all times and recalculate the fixed-overheads element annually (Art. 67). Governance, risk, internal-control, business-continuity and record-keeping systems must stay current, and the firm must notify the competent authority of material changes, including changes to the management body and to qualifying holdings (Art. 68). The orderly wind-down plan must be kept up to date (Art. 74).
Continuous client-asset, conduct and surveillance duties
Segregation and safekeeping of client assets, with periodic reconciliation and per-client position registers, run continuously (Arts. 70, 75). Complaints-handling and conflicts-of-interest policies operate on a live basis (Arts. 71, 72). Where a firm runs platform activity, market-abuse surveillance and STOR submission are ongoing (Art. 92). Alongside MiCA, the AML/CFT programme, travel-rule data capture on every transfer, and DORA's ICT risk management, incident reporting and resilience testing all continue indefinitely.
MiCA compliance timeline: the dates that matter
A small number of dates anchor the MiCA transition for service providers. The table below lists the ones that drive planning.
| Date | What happens |
|---|---|
| 30 December 2024 | CASP regime (Title V) applies; travel rule (Reg 2023/1113) applies |
| 31 July 2025 | End of the CASP transitional period under the EBA Travel Rule Guidelines (EBA/GL/2024/11) |
| 1 July 2026 | Hard EU-wide end of the CASP grandfathering period (Art. 143) |
| 17 January 2025 | DORA application date (Reg 2022/2554), to be confirmed against the DORA text |
| Mid-2027 | AMLR application (Reg 2024/1624), to be confirmed against EUR-Lex |
Key MiCA and adjacent-regulation dates
The two MiCA dates to plan around are 30 December 2024, when Title V started to apply, and 1 July 2026, the hard cap on national grandfathering arrangements under Article 143. The 31 July 2025 milestone closes the EBA travel-rule transitional window. The DORA and AMLR dates belong to the parallel stacks and should be verified directly before they drive a deadline. For a fuller breakdown, see the MiCA transition deadlines guide.
MiCA and Switzerland: what Swiss crypto firms need to know
Switzerland is frequently grouped with the EU in crypto coverage, but the legal position is different and the difference is material.
Switzerland is not in the EU or EEA
Switzerland is not a member of the European Union or the European Economic Area, so MiCA does not apply to a Swiss firm by virtue of being established in Switzerland. A Swiss crypto business needs MiCA only when it wants to serve clients in the EU or EEA, in which case it must obtain authorisation as a CASP through an EU Member State and comply in full. Domestically, Switzerland runs its own regime under FINMA and the DLT framework, which is separate from MiCA. Being based in Zug does not grant MiCA standing on its own. Firms planning a Swiss footprint should treat the two regimes as parallel and map each to the markets they intend to serve; see our guide to a crypto licence in Switzerland for the domestic route, and our MiCA regulation guide for the EU side. MiCA contains no tax provisions; for the fiscal picture, see our crypto tax by country guide. If you intend to operate inside the EU, the companion guide on how to get a CASP licence walks through the authorisation route in detail.
Frequently asked questions
What is MiCA compliance and who must comply?
MiCA compliance means meeting all obligations of Regulation (EU) 2023/1114. It binds crypto-asset service providers (CASPs), token issuers and offerors or admission-seekers that serve EU clients. The duties span authorisation, prudential, governance, conduct, custody, market-abuse and AML requirements.
Which crypto businesses are covered by MiCA?
Exchanges, custodians, brokers, trading-platform operators, transfer, advice and portfolio-management services, and token issuers. Service providers carry the CASP obligations, while issuers and offerors carry the white-paper duties. A single firm can fall into both groups at the same time.
Does MiCA apply to NFTs, DeFi and pure utility tokens?
There are general carve-outs, but scope is assessed case by case rather than by label, so a firm must analyse its specific tokens and structure. The competent authority looks at economic substance, not naming, before any exemption can be relied upon.
What are the steps to become MiCA compliant?
Get authorised (Arts. 62 to 63), hold the required own funds (Art. 67), set up governance (Art. 68), meet conduct rules (Arts. 66, 71, 72), safeguard client assets (Arts. 70, 75), then handle AML and DORA and ongoing duties. Passporting under Article 65 follows authorisation.
What is the minimum capital required under MiCA?
EUR 50,000, 125,000 or 150,000 by service class under Annex IV, or one quarter of the prior year's fixed overheads if that is higher (Art. 67). The class depends on the services provided, and the higher-of test is recalculated annually.
How long does CASP authorisation take?
Article 63 sets statutory completeness and decision deadlines. Treat any "3 to 6 months" figure as a practical estimate of real-world processing, not the legal limit. The actual timeline depends heavily on how complete and consistent the Article 62 dossier is at filing.
What documents are needed for a CASP application?
The Article 62 dossier: programme of operations, governance, internal controls, AML procedures, own-funds proof, IT and security, custody and segregation arrangements, and identification of management and qualifying shareholders. The authority assesses the package as a single coherent document.
What are the governance and fit-and-proper requirements?
Robust governance, risk and control systems; a good-repute, suitably skilled management body; and fit-and-proper qualifying shareholders (Art. 68). The management body must collectively hold adequate knowledge, skills, experience and time, and these are continuing standards.
How must a CASP safeguard client crypto-assets and funds?
Segregate them from the firm's own assets, make no own-account use, place client funds at a credit institution, and protect ownership rights on insolvency (Arts. 70, 75). Custodians also accept liability for loss, including losses from ICT incidents, up to market value.
What is the MiCA white-paper requirement?
Mandatory content that is fair, clear and not misleading (Art. 6), plus notification to the competent authority before publication (Art. 8). It is an issuer-facing obligation, not a CASP one, and the notification is not an approval of the white paper.
What are MiCA's market-abuse rules?
Title VI (Arts. 86 to 92) bans insider dealing, unlawful disclosure and market manipulation, and requires systems to detect abuse and file suspicious transaction and order reports (STORs). The rules apply to crypto-assets admitted to trading or with a pending admission request.
How does MiCA relate to AML and the travel rule?
CASPs are obliged entities, so the travel rule (Reg (EU) 2023/1113 plus EBA/GL/2024/11) and the AMLD and AMLR regime apply alongside MiCA. AML is a separate legal stack with its own statutes and supervisors, not a sub-part of MiCA.
What is DORA and does it apply to CASPs?
Yes. Under Regulation (EU) 2022/2554, CASPs are financial entities subject to ICT risk management, incident reporting and digital operational-resilience testing. DORA runs in parallel to MiCA; confirm its exact application date against the DORA text before relying on it.
Can one MiCA licence be used across the EU?
Yes. A single authorisation passports across the EU and EEA by notification under Article 65, giving pan-EU market access from one licence. The home authority notifies the host authorities, and the firm does not re-apply in each country.
What happens if a crypto business fails to comply?
A competent authority can refuse or withdraw authorisation and impose administrative sanctions and fines under Title VII. The exact sanction and fine ceilings should be confirmed against the regulation before any specific penalty figure is quoted.