MiCA Compliance Guide: What Crypto Businesses Need in 2026
From application to ongoing compliance: what MiCA actually requires and how to navigate the authorization process.
The Markets in Crypto-Assets (MiCA) regulation establishes the EU's comprehensive framework for crypto-asset service providers. By July 1, 2026, any firm offering crypto services to EU customers must hold authorization from a national competent authority. This guide covers what that means in practice.
Who needs MiCA authorization
MiCA applies to "crypto-asset service providers" (CASPs) offering any of these services to EU customers:
- Operating a trading platform for crypto-assets
- Exchange of crypto-assets for funds or other crypto-assets
- Custody and administration of crypto-assets on behalf of clients
- Transfer of crypto-assets on behalf of clients
- Placing of crypto-assets (helping issuers distribute tokens)
- Reception and transmission of orders for crypto-assets
- Advice on crypto-assets
- Portfolio management of crypto-assets
The regulation applies regardless of where your company is based. A Singapore exchange serving French customers needs authorization just like a Paris-based platform.
What authorization requires
The MiCA regulation sets baseline requirements that all CASPs must meet. National competent authorities (NCAs) may add supplementary requirements.
Legal entity: The applicant must be a legal entity established in an EU member state. Branches of non-EU companies don't qualify; you need a subsidiary.
Capital requirements: Minimum own funds depending on services: EUR 50,000 for advice/order transmission, EUR 125,000 for custody/exchange/platform operations, EUR 150,000 for operating a trading platform. Higher of fixed amount or 1/4 of previous year's fixed overheads.
Governance: Directors must be of good repute with adequate knowledge and experience. At least two directors required in most jurisdictions. UBOs face fit-and-proper assessment.
Organization: Written policies for conflicts of interest, business continuity, outsourcing, risk management, and complaints handling. AML/CFT framework meeting EU standards.
Technical infrastructure: Systems must be resilient, secure, and capable of handling expected volumes. DORA requirements for operational resilience apply.
Prudential safeguards: Client asset segregation, appropriate insurance or guarantees for custody services, transparent pricing.
The application process
Choose your jurisdiction: You can apply in any EU member state. Authorization allows passporting to all 27 countries. Considerations: processing speed, regulatory approach, substance requirements, language, banking access. Lithuania, France, Germany, and Ireland are common choices.
Prepare documentation: Applications require extensive documentation including business plan, governance structure, policies and procedures, financial projections, technical architecture, AML framework, and personal documentation for directors and UBOs.
Establish substance: Most NCAs require genuine local presence: office space, local directors, and staff. "Brass plate" arrangements are increasingly scrutinized.
Submit and respond: NCAs have 40 business days to acknowledge complete applications and 90 business days to decide. In practice, rounds of questions extend timelines to 6-12 months.
Post-authorization: Notification required before commencing each authorized activity. Passporting notifications for operating in other member states.
Grandfathering and transition
Existing CASPs operating under national regimes had an 18-month transition period from MiCA's entry into force (June 2024) to obtain authorization. This period ends July 1, 2026.
Firms that were licensed or registered under national law before July 2024 can continue operating during the transition while their MiCA application is pending, provided they submitted by April 2026 (in most jurisdictions).
New entrants without pre-existing national authorization cannot operate in the EU until they receive MiCA authorization.
Ongoing compliance
Authorization is the beginning, not the end. MiCA requires:
Conduct of business rules: Act honestly, fairly, and professionally. Provide clear, accurate information. Assess client suitability for complex products. Handle complaints effectively.
Market abuse prevention: Prohibitions on insider dealing and market manipulation apply to crypto-assets. Surveillance systems required for trading platforms.
Disclosure: White papers required for crypto-asset offerings. Ongoing disclosure of material events.
AML/CFT: Full AML framework including CDD, transaction monitoring, suspicious activity reporting, Travel Rule compliance.
Reporting: Regular reports to NCAs on activities, volumes, complaints, incidents. Annual audited financial statements.
Capital maintenance: Own funds must stay above minimums. Notification required if approaching thresholds.
Common failure points
Applications fail or stall for predictable reasons:
Insufficient AML framework: Template policies aren't enough. Regulators want evidence your compliance team understands your specific business risks and has designed appropriate controls.
Weak governance: Directors without relevant experience, UBOs with problematic backgrounds, unclear reporting lines, or lack of independent oversight.
Technical gaps: Security measures that don't match the claimed risk assessment, inadequate capacity planning, missing DORA compliance elements.
Substance questions: Directors who don't actually direct, offices that are mail drops, key functions outsourced to the point where nothing meaningful happens locally.
Incomplete applications: Missing documents, inconsistent information between sections, failure to respond promptly to NCA questions.
Cost reality
Budget for year one:
- Minimum capital: EUR 125,000-150,000 (depending on services)
- Legal and consulting fees: EUR 30,000-80,000
- Application/registration fees: EUR 5,000-15,000 (varies by NCA)
- Local office: EUR 15,000-40,000/year
- Compliance staff: EUR 60,000-120,000/year (at least MLRO)
- Technology and security: EUR 20,000-100,000+
Total first-year costs: EUR 250,000-500,000+ depending on scope and jurisdiction. Ongoing costs: EUR 150,000-300,000+ annually.
These aren't arbitrary barriers. They reflect the cost of operating a regulated financial services business in the EU.
Next steps
If you're not already in the application process: start immediately. Applications submitted after March 2026 may not be processed by the July deadline in many jurisdictions.
If you're deciding whether to pursue EU authorization: assess whether your business model justifies the cost. Not every crypto business needs EU customers.
Monitor ESMA's MiCA guidance for technical standards and FAQ updates as implementation continues.
Related Jurisdictions
Related Articles
Crypto Custody License Requirements for Institutional Providers in 2026
Crypto custody licensing is distinct from exchange licensing, with requirements around cold storage architecture, key management, insurance, and client asset segregation that catch unprepared applicants off guard.
Dubai VARA Crypto Licensing: Full Authorization vs MVP Pathway
Dubai's VARA offers two routes to market: the Minimum Viable Product license for limited launch, or full authorization for unrestricted operations. Here's how they differ.
MiCA Stablecoin Rules Reshape European Crypto Payments
MiCA's stablecoin framework distinguishes between e-money tokens and asset-referenced tokens with different authorization requirements. Here's what issuers need to know.
EU Crypto Travel Rule Takes Effect: Compliance Requirements for 2026
The EU's Transfer of Funds Regulation now applies to crypto transfers, requiring CASPs to collect and transmit originator and beneficiary information for all transactions.