MiCA one year on: what crypto-asset service providers have learned

The Promise and the Reality of MiCA Year One

MiCA entered partial application in June 2023 with provisions for asset-referenced tokens and e-money tokens, before full CASP-level application took effect from December 2024. One year into the broader implementation, the regulatory landscape looks markedly different from what many in the industry anticipated — in some respects more permissive, in others considerably more demanding.

The framework has done what its architects intended: it has created a single European market for crypto-asset services while establishing a floor of investor protection and institutional integrity. What it has not done is resolve the practical ambiguities that compliance teams face when translating high-level requirements into operational procedures.

What the Early Movers Learned

The white paper is a liability document, not a marketing document

MiCA requires detailed crypto-asset white papers for most token issuances. Many early filers treated these as marketing documents with regulatory formatting. NCAs have consistently pushed back, requiring substantive disclosure of risks, technical characteristics, and issuer obligations. The white paper is a legally binding disclosure document — it should be drafted with the same rigour applied to a securities prospectus.

Custody segregation requirements caught institutions by surprise

MiCA's requirements for client asset segregation in custody arrangements are more prescriptive than many operators anticipated. Specifically, the requirement to segregate client crypto-assets from proprietary holdings at the level of distributed ledger records — not merely at the accounting level — requires technical arrangements that were not in place at most institutions at the point of application.

AML integration demands are higher than expected

While MiCA does not itself constitute AML legislation, NCAs have consistently scrutinised AML controls as part of the authorisation process. The Travel Rule compliance posture, in particular, has received detailed attention. Institutions that had not fully operationalised Travel Rule compliance found this created significant delays.

The operational resilience requirements are substantive

Business continuity plans, disaster recovery procedures, and ICT security requirements under MiCA have been more extensively tested during application reviews than many applicants prepared for. Applicants who had not conducted formal business impact analyses or independent penetration testing faced extended review periods.

The Compliance Gaps That Remain Most Consequential

1. Conflicts of interest management at the governance level

MiCA requires board-level governance of conflicts of interest, including documented policies and a register of identified conflicts. In practice, this is rarely fully operationalised. The policies exist; the active management infrastructure frequently does not.

2. Complaint handling and client communication standards

The client communication and complaint handling requirements under MiCA are more prescriptive than those many CASPs previously operated under. Response timelines, escalation procedures, and record-keeping requirements all require specific infrastructure that was often absent from pre-MiCA operational setups.

3. Market manipulation surveillance for smaller operators

Larger exchange operators have sophisticated market surveillance capabilities. Mid-sized and smaller CASPs providing trading services often do not. MiCA requires detection and reporting of suspected market manipulation, which implies real-time monitoring capabilities that represent a meaningful operational investment for smaller platforms.

4. Stablecoin reserve management and reporting

For issuers of asset-referenced tokens and e-money tokens, reserve management and regular reporting requirements have proven operationally intensive. Independent audit requirements for reserve assets and quarterly reports to NCAs require ongoing institutional capacity that some issuers underestimated.

5. Cross-border passporting operationalisation

One of MiCA's principal benefits — the ability to passport a CASP authorisation across the EU — has not been as frictionless in practice as the single-passporting regime implies. Host state NCAs retain supervisory competence over certain aspects of local operations, and practical coordination between home and host state supervisors is still maturing.

Supervisory Priorities for 2025

• Investor disclosure quality — with particular focus on the accuracy and completeness of white paper risk disclosures.
• Client asset protection — supervisors will be testing whether segregation requirements are technically implemented, not merely documented.
• AML and Travel Rule compliance — ongoing enforcement will stress-test operational compliance in live environments.
• Market integrity — surveillance capabilities and suspicious transaction reporting procedures will be examined in detail.

Looking Forward: MiCA's Unresolved Questions

Several significant questions remain unresolved at the one-year mark. The treatment of DeFi protocols and whether certain non-custodial arrangements fall within MiCA's scope remains contested. The interaction between MiCA and the DLT Pilot Regime for tokenised securities is not fully clarified. And the third-country equivalence framework — relevant for non-EU platforms accessing EU clients — is still under development.

The lesson of MiCA year one: the regulation is substantive, the supervisors are serious, and the compliance infrastructure required to operate safely within it is more demanding than the industry initially priced in. Institutions that have internalised this are building genuine competitive advantage.