MiCA Compliance: Requirements, Timelines & What CASPs Need to Do

MiCA is the EU's unified regulatory framework for crypto-asset services — requiring exchanges, custodians, and token issuers serving European markets to obtain authorisation, implement transaction monitoring, and meet ongoing operational resilience obligations.
The EU's Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) replaces the fragmented patchwork of national crypto regimes across 27 member states with a single authorisation framework. MiCA compliance is no longer optional — full CASP requirements have applied since 30 December 2024, subject in some Member States to transitional grandfathering for firms already operating lawfully before that date. This guide covers what the regulation requires, who it applies to, key deadlines, and what operational capabilities are needed to meet it.
Reviewed by the Web3Firewall compliance team · Last updated: 18 March 2026

What is MiCA compliance?

MiCA compliance means meeting the requirements of the EU Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114), which establishes a unified framework for crypto-asset services across all 27 EU member states. It applies to crypto-asset service providers (CASPs) — including exchanges, custodians, wallet providers, and certain token issuers — operating in or serving EU markets. Full CASP requirements have applied since 30 December 2024, subject in some Member States to transitional grandfathering for firms already operating lawfully before that date. MiCA compliance is shaped not only by the regulation itself but also by technical standards, guidelines, and supervisory expectations published by ESMA, EBA, and the European Commission on an ongoing basis.

What is MiCA?

MiCA is the EU's comprehensive legal framework for crypto-asset services and token issuance — the first of its kind at this scale globally. Published in the Official Journal on 9 June 2023 and entering into force on 29 June 2023, it replaces the fragmented patchwork of national crypto regimes that previously applied across EU member states.
MiCA establishes a single set of rules covering: who can provide crypto-asset services, what disclosures are required, how market abuse is defined and monitored, what operational controls are expected, and how incidents must be reported. A firm authorised as a CASP in one EU member state can passport that authorisation across the entire bloc — eliminating the need for separate national registrations.
MiCA is structured around three main categories: crypto-asset services (the CASP framework), asset-referenced tokens (ARTs, referencing multiple assets), and e-money tokens (EMTs, referencing a single fiat currency). Each carries distinct obligations, with the ART and EMT regimes being the most demanding. Crypto-assets already regulated as financial instruments under MiFID II fall outside MiCA's scope.

Who needs MiCA compliance?

Any legal entity providing crypto-asset services to clients in the EU on a professional basis requires MiCA authorisation. This includes centralised exchanges, custodians, transfer services, portfolio managers, and advisors. Non-EU platforms that actively market services to EU customers may also fall within scope regardless of where they are incorporated.
The regulation defines eight categories of regulated CASP services:

Custody and administration

Safekeeping or administering crypto-assets or the means of access to them on behalf of clients. Applies to custodians and wallet providers that hold or control cryptographic keys or equivalent means of access on behalf of clients.

Operation of a trading platform

Running a multilateral system that brings together buyers and sellers of crypto-assets. Applies to centralised crypto exchanges operating order books or matching engines.

Exchange for fiat currency

Exchanging crypto-assets for fiat currency (or vice versa) on own account. Applies to OTC desks, on-ramp/off-ramp services, and retail exchange platforms.

Exchange for other crypto-assets

Exchanging crypto-assets for other crypto-assets on own account. Applies to platforms facilitating crypto-to-crypto swaps or conversions.

Execution of orders

Concluding agreements to buy or sell crypto-assets on behalf of clients. Applies to brokers and trading service providers acting as intermediaries.

Portfolio management

Managing portfolios of crypto-assets on a discretionary basis under client mandates. Applies to crypto asset managers and algorithmic portfolio services.

Advice on crypto-assets

Providing personalised recommendations relating to crypto-assets or crypto-asset services. Applies to firms giving client-specific recommendations or investment-style guidance.

Transfer services

Providing services to transfer crypto-assets on behalf of clients from one address or account to another. Applies to payment processors, remittance platforms, and infrastructure providers handling transfers.

When did MiCA take effect? Key deadlines

MiCA entered into force on 29 June 2023. Its requirements came into effect in phases — stablecoin rules first, CASP rules second.

Date | Milestone
9 June 2023 | MiCA published in the EU Official Journal
29 June 2023 | MiCA enters into force
30 June 2024 | ART and EMT provisions apply — stablecoin issuers must be authorised or wind down
30 December 2024 | Full CASP provisions apply — new in-scope firms generally require MiCA authorisation, while some existing firms may continue temporarily under Member State grandfathering regimes
17 January 2025 | DORA applies — ICT resilience and incident reporting requirements take effect
Up to 18 months after Dec 2024 | Grandfathering — some member states allow existing firms to continue temporarily; exact window varies by jurisdiction, up to 1 July 2026 in some cases
Ongoing | ESMA, EBA, and European Commission publish RTS, ITS, guidelines, and supervisory expectations

The grandfathering period varies by jurisdiction. ESMA has published a statement on MiCA transitional measures and a list of national grandfathering periods under Article 143(3) — cross-border firms must assess each relevant member state separately. Firms that have not yet begun the authorisation process are already operating against a tightening timeline.

What does MiCA require from CASPs?

MiCA imposes obligations across six core areas: authorisation, disclosure, consumer protection, market integrity, operational resilience, and AML/CFT compliance. Every area requires ongoing operational capability — not just one-time documentation.
Authorisation
CASPs must be authorised by the national competent authority (NCA) of their EU home member state. The application requires demonstrating financial resources, governance arrangements, fit and proper management, and operational capability. Authorisation in one member state enables passporting across the full EU.
Transparency and disclosure
CASPs must provide clients with clear, accurate, and non-misleading information about crypto-assets and services — including fees, conflicts of interest, and custody arrangements. Token issuers must publish compliant white papers.
Consumer protection
CASPs must act in clients' best interests, handle complaints fairly, segregate client assets from firm assets, and maintain appropriate custody arrangements with documented conflict of interest policies.
Market integrity
MiCA explicitly extends market abuse prohibitions — insider dealing and market manipulation — to crypto-asset markets. CASPs operating trading platforms must implement systems to detect, prevent, and report suspected market abuse. This is a direct operational driver of continuous transaction monitoring.
Operational resilience
CASPs must maintain appropriate ICT systems, business continuity plans, and incident management processes. Significant operational or security incidents must be reported to the NCA. DORA, applying from 17 January 2025, adds ICT-specific requirements on top of MiCA — including incident classification, reporting timelines, and threat-led penetration testing.
AML/CFT compliance
MiCA does not replace existing AML/CFT obligations. CASPs remain subject to EU Anti-Money Laundering Directives and the Transfer of Funds Regulation (Regulation (EU) 2023/1113), which extends Travel Rule requirements to crypto-asset transfers. Transaction monitoring and suspicious activity reporting remain mandatory alongside and independently of MiCA.
MiCA compliance requirements for crypto exchanges
Centralised exchanges face the broadest set of MiCA obligations because they typically provide multiple regulated CASP services simultaneously — operating a trading platform, exchanging crypto-assets, and executing orders. Key requirements include: implementing real-time market abuse detection across all order flow, collecting TFR originator and beneficiary data for every transfer with no minimum threshold, applying risk-based controls for transfers involving self-hosted wallets, screening all counterparties against applicable sanctions lists, and reporting significant operational or security incidents to their NCA. Exchanges seeking MiCA authorisation must also demonstrate adequate financial resources, governance arrangements, and fit and proper management to their home member state NCA. A full breakdown of how these requirements apply to exchange operations is available in our crypto exchange compliance guide [link: /cexs].
MiCA compliance requirements for custodians
Custodians providing safekeeping or administration of crypto-assets or means of access on behalf of clients are regulated as CASPs under MiCA's custody and administration service category. Key obligations include: segregating client assets from firm assets at all times with documented custody arrangements, applying TFR controls and risk-based verification measures for transfers involving self-hosted wallets, monitoring custodied wallet portfolios continuously for changes in risk profile that trigger reporting obligations, implementing operational resilience controls and incident reporting procedures under both MiCA and DORA, and maintaining audit-ready records for all custody decisions and transaction activity. A full breakdown of how these requirements apply to custodian operations is available in our custodian compliance guide [link: /custodians].

What is the difference between MiCA and the Travel Rule?

MiCA is the broad EU framework for crypto-asset services. The Travel Rule refers specifically to the Transfer of Funds Regulation (Regulation (EU) 2023/1113) — an AML/CFT obligation that sits alongside MiCA and requires CASPs to collect and transmit originator and beneficiary information for all crypto-asset transfers. Both apply concurrently to most CASPs.
The TFR applies with no de minimis threshold — every transfer requires accompanying originator and beneficiary data. The EBA has issued final guidance under the TFR. ESMA has published guidelines on transfer services for crypto-assets under MiCA, providing further supervisory expectations for CASPs in scope.
Market abuse monitoring under MiCA
CASPs operating trading platforms must detect patterns consistent with wash trading, spoofing, layering, pump-and-dump schemes, and insider-informed trading. This requires continuous analysis of order flow and transaction behavior — not point-in-time checks.
Suspicious activity reporting
CASPs must report suspected market abuse to their NCA and maintain records supporting each report. Effective transaction monitoring is the operational mechanism that makes timely, accurate reporting achievable at scale.

TFR originator data collection

Every crypto-asset transfer must include verified originator and beneficiary information. CASPs need systems to collect, validate, and transmit this data at scale with no minimum threshold.

Self-hosted wallet controls

Transfers involving self-hosted (unhosted) wallets require risk-based controls and verification measures under the TFR and related AML/CFT rules. Wallet risk scoring provides the structured risk assessment signal needed to support this obligation efficiently.

Market abuse detection

Monitoring for wash trading, spoofing, layering, and pump-and-dump patterns. Required for CASPs operating trading platforms under MiCA's market integrity provisions.

Suspicious transaction reporting

Automated flagging of reportable transactions with audit trails supporting NCA reporting obligations and internal compliance records.

Sanctions screening

Real-time screening of counterparties against OFAC, EU, and UN consolidated sanctions lists. A prerequisite for TFR compliance and a standalone AML/CFT obligation. Note: sanctions obligations arise under AML/CFT frameworks, not directly from MiCA itself.

Incident detection and reporting

MiCA requires CASPs to detect and report significant operational and security incidents. Transaction monitoring infrastructure provides the visibility needed to identify incidents early and document them accurately.

Does MiCA apply to self-hosted wallets?

MiCA itself does not directly regulate self-hosted wallets (also called unhosted wallets). However, the Transfer of Funds Regulation (Regulation (EU) 2023/1113) — which applies alongside MiCA — requires CASPs to apply risk-based controls when processing transfers involving self-hosted wallets.
Specifically, for transfers to or from self-hosted wallets, CASPs must apply the TFR and related AML/CFT controls — including risk-based checks, collection and assessment of required transfer information, and verification measures where required under the EU framework and applicable supervisory guidance. The precise verification steps depend on the risk assessment and the transaction context.
Web3Firewall's wallet screening API [link: /product] integrates directly into deposit and withdrawal workflows to support this requirement — providing a structured, auditable risk assessment for any blockchain address, whether custodied or self-hosted.

Stablecoin and token issuer obligations under MiCA

MiCA's ART and EMT frameworks impose the most stringent requirements of any category — reflecting the systemic risk large-scale stablecoins pose to financial stability. ART and EMT provisions have applied since 30 June 2024.

Asset-referenced tokens (ARTs)

ARTs reference multiple assets — a basket of currencies, commodities, or crypto-assets — to maintain stable value. Issuers must obtain NCA authorisation, publish a detailed white paper, maintain adequate reserves, implement redemption rights for holders, and meet governance and capital requirements. ARTs where significance thresholds under MiCA are met face additional requirements including direct EBA oversight.

E-money tokens (EMTs)

EMTs reference a single fiat currency — functionally similar to electronic money. EMT issuers must be authorised as a credit institution or e-money institution under existing EU law, in addition to meeting MiCA's white paper and redemption requirements. EMTs where significance thresholds under MiCA are met face the same enhanced regime as significant ARTs.

Utility tokens and other crypto-assets

Crypto-assets that do not qualify as ARTs or EMTs — and are not financial instruments under MiFID II — fall into a general category sometimes described as other crypto-assets or utility tokens. Issuers must publish a white paper and comply with disclosure requirements, but do not require authorisation unless they are also providing regulated CASP services.

MiCA compliance checklist for CASPs

This checklist covers the core operational requirements most CASPs need to address. It is a practical reference, not legal advice — firms should assess their specific obligations with qualified legal counsel.
Authorisation
  • Identify your home member state NCA and submit a MiCA CASP authorisation application
  • Demonstrate adequate financial resources and governance arrangements
  • Complete fit and proper assessment for all qualifying management personnel
  • Confirm passporting arrangements for any member states beyond your home state
  • If operating under a transitional grandfathering period, confirm the exact window applicable in your jurisdiction and the conditions under which it applies
Disclosure and conduct
  • Implement client-facing disclosures covering fees, conflicts of interest, and custody arrangements
  • Publish compliant white papers for any crypto-assets you issue
  • Establish complaint handling procedures meeting MiCA standards
  • Segregate client assets from firm assets with documented custody arrangements
Market integrity
  • Implement transaction monitoring systems capable of detecting market abuse patterns (wash trading, spoofing, layering, pump-and-dump)
  • Establish procedures for reporting suspected market abuse to your NCA
  • Maintain records supporting each market abuse report and each AML/CFT suspicious activity filing, as applicable
Travel Rule and AML/CFT
  • Implement TFR originator and beneficiary data collection for all crypto-asset transfers (no minimum threshold)
  • Apply risk-based controls and verification measures for transfers involving self-hosted (unhosted) wallets, in line with the EU framework and applicable supervisory guidance
  • Maintain real-time sanctions screening against applicable sanctions lists as required under AML/CFT obligations
  • Establish suspicious activity reporting procedures aligned with your AML/CFT obligations
Operational resilience
  • Implement ICT systems, business continuity plans, and incident management processes meeting MiCA standards
  • Establish NCA incident reporting procedures for significant operational and security incidents
  • Assess DORA obligations (applying from 17 January 2025) — including incident classification, reporting timelines, and threat-led penetration testing requirements
Ongoing compliance
  • Monitor ESMA, EBA, and European Commission publications for new RTS, ITS, and supervisory guidance
  • Review grandfathering status periodically if operating under a transitional arrangement
  • Maintain audit-ready records for all monitoring decisions, alerts, and transaction verdicts

MiCA vs MiFID II: what is the difference?

MiCA and MiFID II are complementary frameworks that cover different categories of asset — they do not overlap for any single asset.
MiFID II covers financial instruments. Some crypto-assets already qualify as financial instruments under MiFID II — tokenised securities are the most common example. For those assets, MiFID II continues to apply and MiCA does not.
MiCA covers crypto-assets that do not qualify as financial instruments under MiFID II. If a crypto-asset does not qualify as a financial instrument under MiFID II, it will often fall within MiCA's scope, subject to MiCA's own exclusions and the asset's specific characteristics. This includes utility tokens, asset-referenced tokens, e-money tokens, and the services built around them.
The practical question for firms is asset classification: does this crypto-asset qualify as a financial instrument? If yes, MiFID II applies. If no, it will often fall within MiCA — subject to MiCA's exclusions. For multi-product firms operating across both tokenised securities and crypto-asset services, operating under both frameworks simultaneously is a common operational reality — though it is a practical consequence of the product mix rather than a universal legal requirement.

MiCA vs prior national crypto regulation

Feature | Prior national regimes | MiCA
Geographic scope | Single member state | All 27 EU member states
Passporting | Not available | Full EU passport on single authorisation
Travel Rule / TFR | Varied by jurisdiction | Uniform — no de minimis threshold
Market abuse rules | Rarely applied to crypto | Explicitly extended to crypto-asset markets
Stablecoin regulation | Minimal or absent | Detailed ART and EMT framework
Operational resilience | Inconsistent requirements | Mandatory — reinforced by DORA from 17 Jan 2025
Enforcement | National only | NCA enforcement with ESMA coordination
Consumer protection | Varied | Standardised across the EU
Technical standards | None | Ongoing ESMA, EBA, and Commission RTS/ITS

The single most significant practical change for firms already registered under a national regime is the passporting benefit — but it comes at the cost of meeting a more demanding compliance standard. Firms previously operating under lighter-touch national registration now face authorisation requirements, capital thresholds, and ongoing monitoring obligations that are substantially more demanding. The continuing publication of ESMA and EBA technical standards means MiCA compliance is also a moving target — not a one-time implementation exercise.

Use cases by team

MiCA compliance requirements land differently across the organisation. Here is how different teams are affected and what capabilities they need.

Compliance and legal teams

Lead the MiCA authorisation process, maintain ongoing regulatory reporting, and manage NCA relationships. Need transaction monitoring infrastructure that produces auditable records, supports suspicious activity reporting, and generates evidence needed for regulatory examinations and supervisory review.

Exchange operations (CEX)

Implement TFR originator data collection for all transfers, apply risk-based controls for self-hosted wallet transfers, monitor order flow for market abuse patterns, and integrate wallet risk scoring into deposit and withdrawal workflows. How Web3Firewall supports crypto exchange compliance [link: /cexs]

Custodians

Maintain segregated client asset records, apply TFR controls and risk-based checks for self-hosted wallet transfers, and monitor custodied wallet portfolios for changes in risk profile that trigger reporting obligations. How Web3Firewall supports custodian compliance [link: /custodians]

Stablecoin and token issuers

Meet ART and EMT authorisation requirements, publish compliant white papers, maintain reserve monitoring, and implement transaction monitoring for token transfers to meet TFR and market abuse obligations under MiCA. How Web3Firewall supports stablecoin issuers [link: /stablecoin-issuers]

Infrastructure providers

Support downstream CASP clients in meeting MiCA compliance obligations by integrating wallet risk scoring, transaction monitoring, and screening capabilities into the infrastructure layer — reducing the compliance build burden for clients. How Web3Firewall supports infrastructure providers [link: /infrastructureproviders]

MSSPs

Deliver managed MiCA compliance monitoring as a service. Use Web3Firewall's API to power TFR support, wallet screening, market abuse alerting, and regulatory reporting workflows for multiple CASP clients from a single integration. How Web3Firewall supports MSSPs [link: /mssps]

Why Web3Firewall for MiCA compliance

MiCA compliance is an operational challenge, not a documentation one. The regulation's transaction monitoring, market abuse detection, Travel Rule, and incident reporting requirements all demand live, continuous capability — not annual audits or static policy documents.
Every transaction processed through Web3Firewall receives a real-time verdict: allow, deny, or require approval. This means CASPs are not just generating records for auditors — they are actively enforcing compliance policies at the transaction level, in real time, before funds move.
Web3Firewall is a Web3 security and compliance platform — often described as a SIEM for blockchain. It runs on transactions routed through the platform in near real time, feeds into an automated verdict system, and integrates with compliance workflows designed to support — not replace — the controls organisations need to align with frameworks such as MiCA, NIST, and OWASP. No software product alone satisfies MiCA, DORA, or TFR obligations in full; Web3Firewall provides the operational infrastructure that supports compliance workflows within a broader programme.

Travel Rule and TFR support

Wallet screening and risk scoring for every transfer — including the risk-based controls and verification measures needed for self-hosted wallet transfers under Regulation (EU) 2023/1113. Provides a structured, auditable risk assessment signal designed to support EU Travel Rule compliance workflows efficiently at scale.

Real-time transaction monitoring

Continuous monitoring of transaction flows, wallet interactions, and on-chain behavior. Automated alerting when patterns consistent with market abuse, money laundering, or suspicious activity are detected — with complete audit trails supporting NCA reporting.

Wallet risk scoring for self-hosted wallets

The TFR requires risk-based controls for self-hosted wallet transfers. Web3Firewall's wallet risk scoring provides a structured, auditable risk assessment for any blockchain address — integrating directly into deposit and withdrawal workflows.

Programmable compliance policy engine

Define compliance policies aligned with your regulatory obligations in a no-code interface or via API. Policies can be jurisdiction-aware, asset-specific, or threshold-driven. The enforcement layer updates as ESMA and EBA technical standards evolve.

Incident detection and reporting support

MiCA requires CASPs to detect and report significant operational and security incidents. Web3Firewall's behavioral monitoring surfaces anomalous activity early — giving compliance teams the lead time needed to assess materiality, document the incident, and meet NCA reporting deadlines.

Audit-ready evidence trails

Every decision, alert, and transaction verdict is logged with execution details, risk signals, verdict, and supporting evidence. Compliance teams have a complete, auditable record for NCA examinations, suspicious activity reporting, and internal governance reviews.

Get MiCA-ready with Web3Firewall

Try the sandbox to see wallet screening and transaction monitoring in action, or book a 30-minute demo to discuss how Web3Firewall supports your MiCA compliance programme.

Frequently Asked Questions

What is Web3 incident response?

Web3 incident response is the set of processes and tools used to detect, investigate, and contain security incidents affecting blockchain infrastructure — including smart contract exploits, wallet compromises, bridge attacks, and unauthorised token movements. It differs from traditional IT incident response because blockchain transactions are irreversible and assets move at machine speed across decentralised networks.

How is Web3 incident response different from traditional IR?

In traditional IT, incident responders can contain a breach by isolating systems, revoking access, or rolling back changes. In Web3, confirmed transactions cannot be reversed. This makes pre-exploit detection and automated enforcement — identifying attacker reconnaissance and staging activity before funds move — far more valuable than post-incident forensics alone.

What does a Web3 security incident look like?

Crypto exchanges are required under AML and VASP regulations in most jurisdictions to monitor transactions and identify suspicious activity. Wallet risk scoring automates a large part of that process — flagging high-risk deposits and withdrawals for review without requiring manual analysis of every transaction.

What is the difference between wallet risk scoring and blockchain analytics?

Blockchain analytics is a broad category covering any analysis of on-chain data. Wallet risk scoring is a specific, structured output: an actionable risk signal attached to a wallet address. Scoring is designed to integrate into operational workflows — transaction monitoring, onboarding checks, compliance queues — rather than being used purely for investigation or research.

Can wallet risk scoring detect new or unknown threats?

Yes. Behavioural analysis can identify suspicious patterns even when a wallet has no prior labels or flags. By comparing a wallet's behaviour to known patterns of money laundering, scam activity, or protocol exploitation, risk engines can surface novel threats before they appear in external watchlists.

What regulations require wallet risk monitoring?

Key frameworks include FATF Recommendation 16 (the Travel Rule), the EU's MiCA regulation, FinCEN guidance for US-based VASPs, and the UK FCA's requirements for registered crypto asset firms. All require some form of transaction monitoring and suspicious activity reporting — for which wallet risk scoring provides the operational foundation.

How often are wallet risk scores updated?

In a well-designed system, scores update on a near-real-time basis as new transactions are confirmed on-chain. A wallet that clears an onboarding check can see its score change significantly after a single new transaction — which is why ongoing monitoring matters, not just point-in-time checks at onboarding.

What blockchains does wallet risk scoring cover?

Most enterprise-grade scoring systems cover Bitcoin, Ethereum, and their Layer 2 networks, plus leading altcoins and EVM-compatible chains. Coverage varies by provider. Web3Firewall supports multi-chain scoring across the most widely used blockchain networks from a single API integration.