MiCA Compliance Guide: What Crypto Businesses Need in 2026
From application to ongoing compliance: what MiCA actually requires and how to navigate the authorization process.
The Markets in Crypto-Assets (MiCA) regulation establishes the EU's comprehensive framework for crypto-asset service providers. By July 1, 2026, any firm offering crypto services to EU customers must hold authorization from a national competent authority. This guide covers what that means in practice.
Who needs MiCA authorization
MiCA applies to "crypto-asset service providers" (CASPs) offering any of these services to EU customers:
- Operating a trading platform for crypto-assets
- Exchange of crypto-assets for funds or other crypto-assets
- Custody and administration of crypto-assets on behalf of clients
- Transfer of crypto-assets on behalf of clients
- Placing of crypto-assets (helping issuers distribute tokens)
- Reception and transmission of orders for crypto-assets
- Advice on crypto-assets
- Portfolio management of crypto-assets
The regulation applies regardless of where your company is based. A Singapore exchange serving French customers needs authorization just like a Paris-based platform.
What authorization requires
The MiCA regulation sets baseline requirements that all CASPs must meet. National competent authorities (NCAs) may add supplementary requirements.
Legal entity: The applicant must be a legal entity established in an EU member state. Branches of non-EU companies don't qualify; you need a subsidiary.
Capital requirements: Minimum own funds depending on services: EUR 50,000 for advice/order transmission, EUR 125,000 for custody/exchange/platform operations, EUR 150,000 for operating a trading platform. Higher of fixed amount or 1/4 of previous year's fixed overheads.
Governance: Directors must be of good repute with adequate knowledge and experience. At least two directors required in most jurisdictions. UBOs face fit-and-proper assessment.
Organization: Written policies for conflicts of interest, business continuity, outsourcing, risk management, and complaints handling. AML/CFT framework meeting EU standards.
Technical infrastructure: Systems must be resilient, secure, and capable of handling expected volumes. DORA requirements for operational resilience apply.
Prudential safeguards: Client asset segregation, appropriate insurance or guarantees for custody services, transparent pricing.
The application process
Choose your jurisdiction: You can apply in any EU member state. Authorization allows passporting to all 27 countries. Considerations: processing speed, regulatory approach, substance requirements, language, banking access. Lithuania, France, Germany, and Ireland are common choices.
Prepare documentation: Applications require extensive documentation including business plan, governance structure, policies and procedures, financial projections, technical architecture, AML framework, and personal documentation for directors and UBOs.
Establish substance: Most NCAs require genuine local presence: office space, local directors, and staff. "Brass plate" arrangements are increasingly scrutinized.
Submit and respond: NCAs have 40 business days to acknowledge complete applications and 90 business days to decide. In practice, rounds of questions extend timelines to 6-12 months.
Post-authorization: Notification required before commencing each authorized activity. Passporting notifications for operating in other member states.
Grandfathering and transition
Existing CASPs operating under national regimes had an 18-month transition period from MiCA's entry into force (June 2024) to obtain authorization. This period ends July 1, 2026.
Firms that were licensed or registered under national law before July 2024 can continue operating during the transition while their MiCA application is pending, provided they submitted by April 2026 (in most jurisdictions).
New entrants without pre-existing national authorization cannot operate in the EU until they receive MiCA authorization.
Ongoing compliance
Authorization is the beginning, not the end. MiCA requires:
Conduct of business rules: Act honestly, fairly, and professionally. Provide clear, accurate information. Assess client suitability for complex products. Handle complaints effectively.
Market abuse prevention: Prohibitions on insider dealing and market manipulation apply to crypto-assets. Surveillance systems required for trading platforms.
Disclosure: White papers required for crypto-asset offerings. Ongoing disclosure of material events.
AML/CFT: Full AML framework including CDD, transaction monitoring, suspicious activity reporting, Travel Rule compliance.
Reporting: Regular reports to NCAs on activities, volumes, complaints, incidents. Annual audited financial statements.
Capital maintenance: Own funds must stay above minimums. Notification required if approaching thresholds.
Common failure points
Applications fail or stall for predictable reasons:
Insufficient AML framework: Template policies aren't enough. Regulators want evidence your compliance team understands your specific business risks and has designed appropriate controls.
Weak governance: Directors without relevant experience, UBOs with problematic backgrounds, unclear reporting lines, or lack of independent oversight.
Technical gaps: Security measures that don't match the claimed risk assessment, inadequate capacity planning, missing DORA compliance elements.
Substance questions: Directors who don't actually direct, offices that are mail drops, key functions outsourced to the point where nothing meaningful happens locally.
Incomplete applications: Missing documents, inconsistent information between sections, failure to respond promptly to NCA questions.
Cost reality
Budget for year one:
- Minimum capital: EUR 125,000-150,000 (depending on services)
- Legal and consulting fees: EUR 30,000-80,000
- Application/registration fees: EUR 5,000-15,000 (varies by NCA)
- Local office: EUR 15,000-40,000/year
- Compliance staff: EUR 60,000-120,000/year (at least MLRO)
- Technology and security: EUR 20,000-100,000+
Total first-year costs: EUR 250,000-500,000+ depending on scope and jurisdiction. Ongoing costs: EUR 150,000-300,000+ annually.
These aren't arbitrary barriers. They reflect the cost of operating a regulated financial services business in the EU.
Next steps
If you're not already in the application process: start immediately. Applications submitted after March 2026 may not be processed by the July deadline in many jurisdictions.
If you're deciding whether to pursue EU authorization: assess whether your business model justifies the cost. Not every crypto business needs EU customers.
Monitor ESMA's MiCA guidance for technical standards and FAQ updates as implementation continues.
Related Jurisdictions
Related Articles
CBDC Pilots Reshape the Stablecoin Landscape: Who Bans, Who Coexists, Who Retreats
China banned yuan-linked stablecoins and made its CBDC interest-bearing. The US banned CBDCs and legalized stablecoins. The EU wants both to coexist under caps. Three approaches, three different futures for digital money.
Crypto Prime Brokerage Licensing 2026: What Institutional Intermediaries Need
No jurisdiction issues a dedicated crypto prime brokerage license. Firms piece together custody, execution, and financing permissions from existing frameworks. Here is what that actually looks like under MiCA, US rules, and the UK's incoming regime.
Kazakhstan AIFC Digital Asset License: What Crypto Firms Actually Need
Kazakhstan's AIFC has licensed 29 digital asset service providers including Binance and ByBit, with $6.8 billion in trading volume through September 2025. Here is what the license actually costs, how long it takes, and whether the tax exemption through 2066 is as good as it sounds.
Reverse Solicitation Under MiCA: When Crypto Firms Can Serve EU Clients Without a License
ESMA's guidelines on MiCA reverse solicitation make one thing clear: Article 61 is an exception so narrow it barely exists. Non-EU crypto firms treating it as a business model are building on sand.