MiCA Compliance: Requirements, Timelines & What CASPs Need to Do

MiCA is the EU's unified regulatory framework for crypto-asset services — requiring exchanges, custodians, and token issuers serving European markets to obtain authorisation, implement transaction monitoring, and meet ongoing operational resilience obligations.
The EU's Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) replaces the fragmented patchwork of national crypto regimes across 27 member states with a single authorisation framework. MiCA compliance is no longer optional — full CASP requirements have applied since 30 December 2024, subject in some Member States to transitional grandfathering for firms already operating lawfully before that date. This guide covers what the regulation requires, who it applies to, key deadlines, and what operational capabilities are needed to meet it.
Reviewed by the Web3Firewall compliance team · Last updated: 18 March 2026

What is MiCA compliance?

MiCA compliance means meeting the requirements of the EU Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114), which establishes a unified framework for crypto-asset services across all 27 EU member states. It applies to crypto-asset service providers (CASPs) — including exchanges, custodians, wallet providers, and certain token issuers — operating in or serving EU markets. Full CASP requirements have applied since 30 December 2024, subject in some Member States to transitional grandfathering for firms already operating lawfully before that date. MiCA compliance is shaped not only by the regulation itself but also by technical standards, guidelines, and supervisory expectations published by ESMA, EBA, and the European Commission on an ongoing basis.

What is MiCA?

MiCA is the EU's comprehensive legal framework for crypto-asset services and token issuance — the first of its kind at this scale globally. Published in the Official Journal on 9 June 2023 and entering into force on 29 June 2023, it replaces the fragmented patchwork of national crypto regimes that previously applied across EU member states.
MiCA establishes a single set of rules covering: who can provide crypto-asset services, what disclosures are required, how market abuse is defined and monitored, what operational controls are expected, and how incidents must be reported. A firm authorised as a CASP in one EU member state can passport that authorisation across the entire bloc — eliminating the need for separate national registrations.
MiCA is structured around three main categories: crypto-asset services (the CASP framework), asset-referenced tokens (ARTs, referencing multiple assets), and e-money tokens (EMTs, referencing a single fiat currency). Each carries distinct obligations, with the ART and EMT regimes being the most demanding. Crypto-assets already regulated as financial instruments under MiFID II fall outside MiCA's scope.

Who needs MiCA compliance?

Any legal entity providing crypto-asset services to clients in the EU on a professional basis requires MiCA authorisation. This includes centralised exchanges, custodians, transfer services, portfolio managers, and advisors. Non-EU platforms that actively market services to EU customers may also fall within scope regardless of where they are incorporated.
The regulation defines eight categories of regulated CASP services:

Custody and administration

Safekeeping or administering crypto-assets or the means of access to them on behalf of clients. Applies to custodians and wallet providers that hold or control cryptographic keys or equivalent means of access on behalf of clients.

Operation of a trading platform

Running a multilateral system that brings together buyers and sellers of crypto-assets. Applies to centralised crypto exchanges operating order books or matching engines.

Exchange for fiat currency

Exchanging crypto-assets for fiat currency (or vice versa) on own account. Applies to OTC desks, on-ramp/off-ramp services, and retail exchange platforms.

Exchange for other crypto-assets

Exchanging crypto-assets for other crypto-assets on own account. Applies to platforms facilitating crypto-to-crypto swaps or conversions.

Execution of orders

Concluding agreements to buy or sell crypto-assets on behalf of clients. Applies to brokers and trading service providers acting as intermediaries.

Portfolio management

Managing portfolios of crypto-assets on a discretionary basis under client mandates. Applies to crypto asset managers and algorithmic portfolio services.

Advice on crypto-assets

Providing personalised recommendations relating to crypto-assets or crypto-asset services. Applies to firms giving client-specific recommendations or investment-style guidance.

Transfer services

Providing services to transfer crypto-assets on behalf of clients from one address or account to another. Applies to payment processors, remittance platforms, and infrastructure providers handling transfers.

The Anatomy of a Blockchain Exploit

Most significant blockchain exploits follow a recognisable pattern. Understanding the phases helps security teams know where monitoring and enforcement can have the most impact.
Phase 1: Reconnaissance
The attacker identifies a target protocol and begins mapping its behavior. This typically involves sending low-value test transactions, querying contract state, and probing specific functions to understand how the system responds. This phase is often detectable — unusual query patterns and test transactions leave a trace on-chain.
Phase 2: Staging
The attacker prepares the infrastructure needed to execute and extract funds. New wallets are created, sometimes funded from exchanges or other sources. Relationships between wallets are established. Flash loan sources are identified. Cross-chain bridges are mapped for post-exploit asset movement.
Phase 3: Execution
The exploit is triggered. In flash loan attacks, this often happens in a single transaction. In multi-step exploits, a sequence of transactions executes in rapid succession. The window between execution and completion is typically seconds to minutes.
Phase 4: Extraction
Funds are moved rapidly — typically through DEX swaps, cross-chain bridges, and mixing services — to make tracing and recovery more difficult. Asset velocity during this phase is abnormally high.
The practical implication: monitoring focused only on Phase 4 is monitoring after the damage is done. Effective Web3 incident response requires visibility and enforcement capability in Phases 1 and 2 — before execution begins.

Real-world examples of Web3 security incidents

According to Chainalysis, approximately $3.7 billion was lost to crypto exploits in 2022 alone, with the majority of funds extracted within minutes of execution. Understanding how real attacks unfolded illustrates why pre-exploit detection and enforcement matter more than post-incident forensics.
Euler Finance (2023, $197M)
Attackers used a flash loan combined with a liquidation logic flaw to drain funds across multiple transactions in a single block sequence. The exploit executed faster than any manual response could have intervened. Key detection window: the staging phase, when test interactions with the vulnerable contract functions occurred prior to the main attack. An enforcement layer capable of blocking anomalous contract interactions during this phase would have changed the outcome.
Ronin Bridge (2022, ~$540M)
Attackers compromised five of nine Ronin validator private keys and executed fraudulent withdrawals of 173,600 ETH and 25.5M USDC — approximately $540M at the time of the attack. The theft went undetected for six days. Key detection window: behavioral anomaly monitoring would have flagged the abnormal validator signature pattern and the scale of outflows relative to historical baseline — activity that was statistically anomalous even though each individual transaction appeared structurally valid.
Mango Markets (2022, $114M)
An attacker used two wallets to manipulate the price of MNGO tokens on a low-liquidity market, inflating their collateral value and draining the protocol's treasury via an oversized borrow. Key detection signals: abnormal price movement in the MNGO-PERP market combined with concentrated trading behavior from a specific wallet cluster — both detectable before the drain completed. Oracle price deviation monitoring with automated enforcement would have flagged and blocked the manipulated borrow.
Wormhole Bridge (2022, $320M)
A signature verification flaw in the Wormhole bridge was exploited to mint 120,000 wETH without depositing collateral. Key detection window: the exploit involved unusual minting patterns and anomalous validator interactions that deviated significantly from normal bridge operation — signals that behavioral monitoring would surface as high-risk before confirmation.
These incidents share a common thread: in each case, detectable on-chain signals preceded or accompanied the attack. The gap between those signals and the point of no return was the intervention window. Detection surfaces that window — enforcement closes it.

Early detection signals in Web3 security

Beyond reconnaissance-specific patterns, a broader set of behavioral signals can indicate an incident is developing or has begun. According to Chainalysis, approximately $3.7 billion was lost to crypto exploits in 2022 alone, with the majority of funds extracted within minutes of execution — making automated, real-time detection paired with enforcement the only viable response mechanism.

Abnormal transaction velocity

A sudden spike in transaction frequency involving a specific contract or wallet cluster. May indicate automated exploit execution has begun.

Large unexpected outflows

Transfers significantly above the historical baseline for a given protocol or wallet, particularly when followed immediately by cross-chain bridge activity.

Oracle price deviation

Rapid price manipulation in an AMM pool or oracle source immediately before a large borrow or liquidation — a hallmark of oracle manipulation attacks like Mango Markets.

Reentrancy-consistent call patterns

Nested contract calls where the same function is invoked multiple times within a single transaction execution — a pattern associated with reentrancy exploits.

Multi-hop asset routing

Assets moved through three or more protocols in rapid succession — DEX, bridge, mixer — immediately after leaving a target protocol. A key extraction-phase indicator.

Governance attack setup

Rapid accumulation of governance tokens in a single wallet or cluster prior to a governance proposal submission. Associated with governance manipulation attacks.
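
Three of the signals above (abnormal transaction velocity, large outflows followed by bridge activity, and multi-hop routing) expressed as detection logic over a transfer log. This is an added example, not Web3Firewall's code; the record layout, address labels, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import deque
from statistics import median

# Constructed sample data, not real chain activity. Records: (unix_ts, src, dst, amount).
LABELS = {"0xDEX": "dex", "0xBRIDGE": "bridge", "0xMIXER": "mixer"}  # assumed address labels
HISTORY = [120, 95, 150, 110, 130, 100, 140]  # assumed past outflow sizes for 0xPOOL
TXS = [
    (1000, "0xUSER1", "0xPOOL", 1),
    (1400, "0xUSER2", "0xPOOL", 2),
    *[(2000 + 2 * i, "0xW1", "0xPOOL", 0) for i in range(12)],  # burst of 12 calls
    (2030, "0xPOOL", "0xW1", 90000),
    (2050, "0xW1", "0xDEX", 90000),
    (2090, "0xW1", "0xBRIDGE", 60000),
    (2130, "0xW1", "0xMIXER", 30000),
    (5000, "0xPOOL", "0xUSER1", 125),
]

def velocity_spikes(txs, contract, window=60, baseline=2.0, factor=5.0):
    """Timestamps where txs touching `contract` in the trailing window exceed factor x baseline."""
    recent, hits = deque(), []
    for ts, src, dst, _ in sorted(txs):
        if contract not in (src, dst):
            continue
        recent.append(ts)
        while recent[0] <= ts - window:  # drop entries older than the window
            recent.popleft()
        if len(recent) > factor * baseline:
            hits.append(ts)
    return hits

def large_outflows(txs, protocol, history, k=10.0, bridge_window=300):
    """Outflows above median + k*MAD of history, with a flag for a bridge hop soon after."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # avoid a zero-width baseline
    threshold = med + k * mad
    alerts = []
    for ts, src, dst, amt in txs:
        if src != protocol or amt <= threshold:
            continue
        bridged = any(s == dst and LABELS.get(d) == "bridge" and ts <= t <= ts + bridge_window
                      for t, s, d, _ in txs)
        alerts.append((ts, dst, amt, bridged))
    return alerts

def multi_hop_routes(txs, protocol, min_hops=3, max_gap=120):
    """Recipients of protocol outflows that then hit >= min_hops labelled services in quick succession."""
    routes, ordered = {}, sorted(txs)
    for ts, src, dst, _ in ordered:
        if src != protocol:
            continue
        last, hops = ts, []
        for t, s, d, _ in ordered:
            if s != dst or t < last or d not in LABELS:
                continue
            if t - last > max_gap:  # chain of rapid hops is broken
                break
            hops.append(LABELS[d])
            last = t
        if len(hops) >= min_hops:
            routes[dst] = hops
    return routes

if __name__ == "__main__":
    print(velocity_spikes(TXS, "0xPOOL"), large_outflows(TXS, "0xPOOL", HISTORY), multi_hop_routes(TXS, "0xPOOL"))
```

In the sample log the velocity alert fires at the eleventh call of the burst, before the outflow is sent, which is the ordering the phase model above relies on.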

Web3 vs traditional incident response

Capability | Traditional IR | Web3 IR
Transaction reversibility | Possible (rollback, restore) | Impossible once confirmed
Response time available | Minutes to hours | Seconds
Attack indicators | Known-bad IPs, malware signatures | Behavioral anomalies, new wallets
Attack identity | Persistent threat actors | Fresh wallets per attack
Containment options | System isolation, credential revoke | Contract pause, wallet blocking
Enforcement mechanism | Firewall rules, access revocation | Real-time transaction blocking, automated policy verdicts
Post-incident recovery | System restore, data recovery | Fund tracing, exchange coordination
Monitoring focus | Network, endpoint, identity | Real-time transaction blocking, automated policy verdicts

The core implication is that Web3 IR requires a fundamentally different toolset — one built for blockchain transaction data, capable of making and enforcing decisions at on-chain speed. Connecting Web3 incident findings to broader blockchain analytics, wallet risk scoring, and automated policy enforcement is what allows security and compliance teams to operate from a unified picture rather than siloed tools.

Use cases by team

Web3 incident response capabilities serve different functions across the organisation.

Security operations teams

Monitor blockchain infrastructure for anomalous activity in real time. Receive automated alerts when behavioral signals deviate from baseline. Investigate incidents with full transaction context — wallet graphs, contract call traces, asset flow maps. Enforce automated responses via configurable policies, not just manual review queues.

Exchange operations (CEX)

Detect when customer deposit or withdrawal addresses show signs of exploit activity. Automatically block or escalate incoming funds from wallets flagged during an active incident. Coordinate with compliance teams when suspicious activity involves customer accounts.

Custodians

Monitor custodied wallets for unusual outbound transaction patterns. Detect when a custodied address is being probed or interacted with by a wallet exhibiting reconnaissance behavior. Alert and enforce before funds move, not after.

Protocol and DeFi teams

Monitor your own smart contracts for unusual interaction patterns. Detect test transactions and contract probing before a full exploit attempt. Consume Web3Firewall risk signals directly in smart contracts to gate transactions or restrict access based on real-time scoring.

Infrastructure providers

Offer downstream incident detection and enforcement capabilities to clients operating on your infrastructure. Surface behavioral signals, transaction anomalies, and automated verdicts through API integration — without clients needing to build their own monitoring stack.

MSSPs

Deliver managed blockchain security monitoring as a service. Use Web3Firewall's API to power alerting, automated enforcement, investigation workflows, and client reporting across multiple digital asset clients from a single integration.

Regulatory context

Web3 incident response is not only a security best practice — it is increasingly a regulatory requirement for organisations operating digital asset infrastructure.
DORA (EU)
The Digital Operational Resilience Act requires financial entities — including crypto asset service providers under MiCA — to implement ICT incident management processes, classify and report major incidents, and conduct threat-led penetration testing. DORA applies from 17 January 2025.
EU MiCA
MiCA requires CASPs to implement operational resilience measures and report significant operational or security incidents to competent authorities. Incident detection and response capabilities are a core operational requirement for EU licence holders.
FCA (UK)
UK-registered crypto asset firms must meet operational resilience standards comparable to those applied to traditional financial institutions. The FCA has increased enforcement activity against platforms with inadequate incident detection and transaction monitoring controls under the UK MLRs.
FinCEN / BSA (US)
US-registered money services businesses must file Suspicious Activity Reports when they identify transactions potentially involving criminal activity. Effective incident response infrastructure is what makes timely SAR filing operationally feasible.
SEC (US)
The SEC's cybersecurity incident disclosure rules require public companies — including those operating digital asset businesses — to disclose material cybersecurity incidents within four business days of determining that a cybersecurity incident is material. Incident detection tooling directly affects how quickly that determination can be made.

Why Web3Firewall for incident response

Most blockchain security tools do one of two things: they monitor and alert, or they investigate after the fact. Web3Firewall does something more fundamental — it acts as the decision and enforcement layer for Web3 security operations.

Every transaction processed through Web3Firewall receives a real-time verdict: allow, deny, or require approval. This means teams are not just notified of threats — they can block malicious activity, enforce compliance policies, and automate incident response actions before funds move on-chain. Detection without enforcement is incomplete. Web3Firewall closes that gap.

For example, Web3Firewall detects patterns such as repeated low-value contract calls and flash loan probing — signals that historically precede major exploits like those seen in the Euler Finance and Mango Markets incidents — and can automatically enforce a block or escalate for approval before execution, not after.

Decision engine, not just monitoring

Every transaction receives a real-time verdict — allow, deny, or require approval. Web3Firewall enforces actions, not just alerts. Teams can define automated policy responses that execute at machine speed without human intervention.

Pre-broadcast simulation and enforcement

Evaluate and act on the risk profile of a transaction before it is broadcast to the network. Block high-risk transactions before they are confirmed on-chain and become irreversible — not after.

Programmable policy engine

Define compliance and security policies in a no-code interface or via API. Policies can be jurisdiction-aware, asset-specific, or protocol-specific. The enforcement layer adapts to your risk framework, not the other way around.

Wallet control and active defense

Freeze wallets, block specific transaction types, or trigger downstream actions via API. Web3Firewall operates as an active defense layer — not a passive observer — giving teams control over what executes on their infrastructure.

On-chain risk oracle for protocol integration

Smart contracts can consume Web3Firewall risk signals directly, enabling protocol-level enforcement. DeFi protocols can use risk verdicts to gate transactions, restrict liquidity access, or pause activity based on real-time scoring.

Pre-broadcast and post-broadcast coverage

Web3Firewall monitors both before and after transactions hit the network. Pre-broadcast simulation catches threats before confirmation. Post-broadcast monitoring tracks asset movement, extraction patterns, and ongoing attacker behavior continuously.
You can explore live wallet scoring in the Web3Firewall sandbox [https://ui.web3firewall.ai/] without a sales conversation, or read the API documentation [https://ui.web3firewall.ai/docs/] to understand integration requirements. For teams evaluating vendors, we're happy to run a proof-of-concept against your own transaction data.

See Web3 incident detection and enforcement in action

Try the sandbox with any wallet address or smart contract, or book a 30-minute demo to see how Web3Firewall fits into your security operations workflow.

Frequently Asked Questions

What is Web3 incident response?

Web3 incident response is the set of processes and tools used to detect, investigate, and contain security incidents affecting blockchain infrastructure — including smart contract exploits, wallet compromises, bridge attacks, and unauthorised token movements. It differs from traditional IT incident response because blockchain transactions are irreversible and assets move at machine speed across decentralised networks.

How is Web3 incident response different from traditional IR?

In traditional IT, incident responders can contain a breach by isolating systems, revoking access, or rolling back changes. In Web3, confirmed transactions cannot be reversed. This makes pre-exploit detection and automated enforcement — identifying attacker reconnaissance and staging activity before funds move — far more valuable than post-incident forensics alone.

What does a Web3 security incident look like?

Crypto exchanges are required under AML and VASP regulations in most jurisdictions to monitor transactions and identify suspicious activity. Wallet risk scoring automates a large part of that process — flagging high-risk deposits and withdrawals for review without requiring manual analysis of every transaction.

What is the difference between wallet risk scoring and blockchain analytics?

Blockchain analytics is a broad category covering any analysis of on-chain data. Wallet risk scoring is a specific, structured output: an actionable risk signal attached to a wallet address. Scoring is designed to integrate into operational workflows — transaction monitoring, onboarding checks, compliance queues — rather than being used purely for investigation or research.

Can wallet risk scoring detect new or unknown threats?

Yes. Behavioural analysis can identify suspicious patterns even when a wallet has no prior labels or flags. By comparing a wallet's behaviour to known patterns of money laundering, scam activity, or protocol exploitation, risk engines can surface novel threats before they appear in external watchlists.

What regulations require wallet risk monitoring?

Key frameworks include FATF Recommendation 16 (the Travel Rule), the EU's MiCA regulation, FinCEN guidance for US-based VASPs, and the UK FCA's requirements for registered crypto asset firms. All require some form of transaction monitoring and suspicious activity reporting — for which wallet risk scoring provides the operational foundation.

How often are wallet risk scores updated?

In a well-designed system, scores update on a near-real-time basis as new transactions are confirmed on-chain. A wallet that clears an onboarding check can see its score change significantly after a single new transaction — which is why ongoing monitoring matters, not just point-in-time checks at onboarding.

What blockchains does wallet risk scoring cover?

Most enterprise-grade scoring systems cover Bitcoin, Ethereum, and their Layer 2 networks, plus leading altcoins and EVM-compatible chains. Coverage varies by provider. Web3Firewall supports multi-chain scoring across the most widely used blockchain networks from a single API integration.