MiCA Legal Framework - How To Comply With the EU’s Crypto-asset Rules

The Markets in Crypto-assets Regulation (MiCA) is the European Union’s first comprehensive legal framework for crypto-assets across all member states, adopted as Regulation (EU) 2023/1114. It entered into force in June 2023 and will apply in two phases: stablecoin rules from 30 June 2024, and broader crypto-asset and service provider requirements from 30 December 2024.

MiCA aims to harmonise the regulation of crypto-assets across the EU, enhance consumer and investor protection, ensure financial stability, and support innovation by creating a single rulebook for the sector.

Who Must Comply? Scope and Coverage MiCA applies to:

• Issuers of crypto-assets (including stablecoins)

• Crypto-asset service providers (CASPs), such as exchanges, wallet providers and advisory services

• Any person making a public offer of crypto-assets or seeking admission to trading

Importantly, MiCA does not apply to crypto-assets that qualify as financial instruments under the Markets in Financial Instruments Directive 2014 (MiFID II). Where a token is classified as a financial instrument, including derivatives or structured products, it falls outside MiCA and remains subject to the existing EU financial services regime.

While the European Securities and Markets Authority (ESMA) is expected to issue guidance to assist in classification, determining whether a token qualifies as a financial instrument is often a complex, fact-specific exercise. It must be assessed on a case-by-case basis, with legal and regulatory expertise.

Other exclusions include:

• Deposits and e-money governed by existing frameworks

• Insurance and pension products

• Certain unique, nonfungible tokens (NFTs)

• Fully decentralised protocols with no identifiable issuer or intermediary

MiCA categorises crypto-assets into:

• Asset-referenced tokens (ARTs)

• E-Money tokens (EMTs)

• Other crypto-assets, such as utility or payment tokens Issuers must publish white papers and comply with disclosure, governance and prudential requirements, depending on the classification

Issuers must publish white papers and comply with disclosure, governance and prudential requirements, depending on the classification

Licensing Under MiCA – CASP Authorisation and Passporting

Firms providing crypto-asset services must obtain CASP authorisation from their national competent authority (NCA). Once authorised, they benefit from EU-wide passporting rights, allowing them to offer services across all member states.

The process includes:

• Preparing and submitting application materials

• Acknowledgement of receipt (within five working days)

• Completeness check (within 25 working days)

• Final decision (within circa 40 working days of complete file)

Most expect the end-to-end timeline to take three to four months

 Key Compliance Areas

1. Governance and Competence

 MiCA imposes clear expectations around governance structures and staff qualifications. ESMA’s draft guidelines propose standards such as: • Tertiary education with relevant experience

• Recognised professional training

• Ongoing development and supervision

 2. White Papers and Disclosures

Issuers must publish a white paper at least 20 working days before making an offer or applying for trading admission. The white paper must include:

• Issuer details

• Description of the asset and technology

• Use of proceeds

• Associated rights and risks

3. Stablecoin (ART/EMT) Requirements Stablecoin issuers must:

• Maintain reserve assets

• Ensure redeemability at par value

• Implement adequate risk management frameworks Large-scale issuance may trigger enhanced oversight due to systemic risk concerns.

 4. Anti-money Laundering and Countering the Financing of Terrorism (AML/CFT) Obligations

MiCA aligns with the EU’s AML regime, particularly via the “travel rule” requiring CASPs to share identifying information with counterparties during transfers. These measures mirror Financial Action Task Force (FATF) recommendations and are reinforced by the forthcoming AML regulation.

 5. Marketing and Consumer Protection

CASPs must ensure marketing communications are fair, clear and not misleading. ESMA has cautioned against implying regulatory approval where none exists 

MiCA Compliance and Legal Risk – Why Expert Advice Is Essential

MiCA introduces a harmonised framework, but implementation is far from straightforward. Below are just a few of the legal and compliance challenges that firms are already grappling with, each of which requires careful interpretation, tailored structuring and, in many cases, direct engagement with regulators., especially around consumer protection and guarantees.

 White Papers and Disclosures

Under MiCA, any person making a public offer of a crypto asset or seeking its admission to trading must prepare a white paper and notify the relevant competent authority at least 20 working days in advance.

The white paper must include, among other things:

• The identity of the issuer • A description of the crypto-asset and underlying technology

• The terms of the offer and use of proceeds

• Associated risks and legal rights for holders

 However, where a crypto-asset does not have an identifiable issuer – as with tokens created through mining, such as bitcoin – the obligation to produce a white paper does not apply to an issuer, as none exists.

That does not mean there is no white paper obligation at all.

 If a CASP takes steps that amount to a public offer of such a token, for example, by actively promoting or marketing the asset, or structuring a mechanism for primary sale, they can fall within scope of the white paper requirement themselves, even if they did not create the asset.

 There is regulatory uncertainty in this area. MiCA does not provide a bright-line rule, and ESMA has acknowledged the need for further guidance. National competent authorities may interpret the term “offer to the public” differently, some taking a more expansive view that includes certain CASP activities.

As such, CASPs should not assume that listing or facilitating access to a decentralised token is automatically exempt. Where a CASP plays an active or promotional role, a white paper may be required, and the obligation can attach to the CASP itself.

 Legal advice is strongly recommended where the nature of the token or the CASP’s activities fall into a grey area.

Even where a white paper is not formally required, CASPs remain subject to MiCA’s wider governance, disclosure and conduct obligations. They must ensure that information provided to clients is fair, clear and not misleading – and may be liable if retail clients are misinformed or inadequately protected.

 Reverse Solicitation – A Narrow Exemption 

MiCA permits third-country firms to provide crypto-asset services into the EU without CASP authorisation, but only where the service is provided at the exclusive initiative of the client, a concept known as reverse solicitation.

 However, the exemption is strictly limited. 

 Under Article 61(2) of MiCA, if an EU client approaches a third-country firm entirely on their own initiative – and no solicitation or marketing has occurred – the service may be provided without triggering MiCA authorisation. But this applies only to the initial contact. If the firm then markets new services or crypto-assets, or onboards additional clients through that contact, they fall within MiCA’s scope.

In practice, this exemption is narrow, and its misuse is a known regulatory concern. ESMA and several national authorities have already warned against firms using generic disclaimers or post hoc contractual language (e.g. “you approached us”) as a substitute for genuine client-initiated engagement.

Firms relying on reverse solicitation must be able to demonstrate that:

• The client approached them without any prior advertising or marketing

• No communication was targeted to EU clients prior to the engagement

• Any ongoing service remains limited to that initial mandate

• No cross-selling or promotional follow-up has occurred

Critically, MiCA gives national authorities the power to monitor and restrict the use of reverse solicitation in their jurisdiction, and to take enforcement action where they consider the exemption to have been abused

As such, reverse solicitation should not be treated as a commercial strategy or backdoor to the EU market. Firms operating from outside the EU must tread carefully – relying on this exemption without a well-documented legal basis can expose them to regulatory bans, reputational harm, and criminal liability in some jurisdictions.

Group Structures and Licensing Strategy – Balancing Efficiency and Regulatory Expectations

MiCA introduces a single EU-wide authorisation regime for CASPs, allowing firms to obtain a licence in one member state and “passport” services across the EU. On paper, this creates an efficient route to market, but in practice, licensing strategy and group structure present a series of challenges.

Many firms operating across multiple jurisdictions are seeking to centralise regulated activities in one EU hub, typically based on perceived regulator responsiveness, tax environment, or talent pool. However, this approach must be carefully reconciled with MiCA’s expectations around local substance, governance and outsourcing.

In particular:

• The authorised CASP must have a real presence in the member state of authorisation, including appropriate senior management, compliance function and decision-making capacity

• MiCA places limits on outsourcing critical functions, particularly where these are delegated to group entities outside the EU

• The authorised entity remains fully responsible for all outsourced activities, and must be able to demonstrate effective oversight

• Firms using a “lightweight shell” structure risk breaching MiCA requirements or facing scrutiny from both national regulators and ESMA

This creates complexity for firms with existing operations split across jurisdictions – for example, where one group entity holds client relationships, another manages technology infrastructure, and a third seeks the CASP licence.

There is also a strategic dimension: some firms are exploring dual licensing (e.g. one entity for custody, another for trading), or whether to seek multiple CASP authorisations to maintain operational flexibility. While this may be defensible in principle, it must be backed by strong governance, compliance resourcing and internal controls across the group.

MiCA requires more than just regulatory registration. It demands a licensing strategy aligned to the group’s actual operating model. Legal and compliance input is essential to avoid a mismatch between the business’s ambitions and what regulators are prepared to authorise.

 Engaging experienced MiCA experts can help with: 

• Token classification (especially borderline cases)

• White paper preparation and disclosures • Governance and AML system design

• CASP licensing and EU passporting strategy

• Cross-border structuring and regulatory alignment Strong guidance ensures compliance, minimises delays and improves stakeholder confidence.