June 30, 2023

Doing Crypto Business in Europe: MiCAR, the EU’s New Uniform Crypto Code – Part 2

As noted in our previous Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code, the European Union (EU) Markets in Crypto-Assets Regulation (MiCAR) was published in the Official Journal of the European Union on 9 June 2023. MiCAR is a major step toward an EU-wide uniform code governing crypto-assets, such as BTC, ETH, and stablecoins.

Although MiCAR came into force on 29 June 2023, there is a period of time before its provisions come into effect:

  • The provisions governing certain stablecoins will apply from 30 June 2024.
  • The provisions governing the remaining crypto-assets will apply from 30 December 2024.

There is, therefore, one year and 18 months, respectively, to achieve compliance with MiCAR.

As we discuss below, MiCAR indicates that it will apply where any non-EU crypto-business, including those in the US and UK, provides a crypto-service identified in MCAR to someone in the EU.

How Are Crypto-Asset Businesses Currently Regulated in the EU?

Regulation of crypto-assets in the EU is currently fragmented, with each EU member state having its own regulatory regimes for the regulation of crypto-assets that are not financial instruments within the meaning of the Markets in Financial Instruments Directive (MiFID). The fifth EU Money Laundering Directive (MLD5) does, however, require EU Member States to impose anti-money laundering and counterterrorist financing requirements on businesses providing custodian wallet services or fiat-to-crypto exchange services. MLD5 also requires these types of firm to be registered with their home state national competent authority. MLD5 does not impose any requirements on crypto businesses that advise on or offer placing services. This has left scope for significant variation between the regimes of different member states. For example, Germany follows a strict approach to regulation, requiring some firms to be fully authorized, whereas countries such as Denmark and the Netherlands do not have any specific regulation beyond the requirements of MLD5. 

What Is MiCAR?

As noted in our previous alert, MiCAR is an EU regulation, and unlike an EU directive, it will bind EU businesses directly without the need for individual EU member states to implement laws to put it into effect. It will, therefore, address the current fragmented position in the EU, although individual EU member state authorities will be responsible for enforcing MiCAR in their respective territories.

MiCAR addresses the following:

  • the issuance and marketing/offering of crypto-assets, to which MiCAR applies, covered in our alert “Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code
  • the performance of activities/offering of services connected with crypto-assets, such as the custody and administration of crypto-assets on behalf of third parties, the operation of a trading platform for crypto-assets, and the exchange of crypto-assets for fiat currency or other crypto-assets, covered in this alert
  • the prevention of market abuse involving crypto-assets (to be covered in another alert)

MiCAR will be relevant not only to those involved in carrying on these activities but also to those who acquire businesses involved in carrying on these activities, as discussed further below. 

What Types of Crypto-Assets Does MiCAR Apply To?

As discussed further in our previous alert “Marketing Crypto-Assets in and Into Europe: MiCAR, the EU’s New Uniform Crypto Code,” MiCAR defines a “crypto-asset” as “a digital representation of a value or a right that is able to be transferred and stored electronically, using distributed ledger technology or similar technology”. However, the Commission is given power to introduce secondary legislation to “specify technical elements of the definitions [in MiCAR]… and to adjust those definitions to market developments and technical developments”, so the question of whether certain assets fall within the definition should be kept under review.

Despite the broad definition of “crypto-assets”, the obligations imposed by MiCAR do not apply to certain types of crypto-assets, including central bank digital currencies and “unique” non-fungible tokens (NFTs). 

What Types of Crypto-Asset Businesses Does MiCAR Apply To?

MiCAR extends the regulatory perimeter to capture businesses providing the following categories of crypto-asset services, thereby making that business a crypto-assert service provider (CASP),:

  • Custody and administration of crypto-assets on behalf of clients: This includes safekeeping or controlling crypto-assets or the means to access crypto-assets on behalf of clients. Note this would apply to custody and administration of private cryptographic keys.
  • Operation of a trading platform for crypto-assets: This is defined to include management of systems that bring together or facilitate the bringing together of multiple third parties purchasing and selling crypto-assets in a way that results in a contract. This would apply to platforms allowing both the exchange of crypto-assets for other crypto-assets as well as for fiat currency. 
  • Exchange of crypto-assets for funds or other crypto-assets: This is defined as concluding purchase or sale contracts concerning crypto-assets with clients against fiat currency or other crypto-assets using proprietary capital. 
  • Execution of orders for crypto-assets on behalf of clients: This captures the activity of concluding agreements to buy or to sell one or more crypto-assets or to subscribe for one or more crypto-assets on behalf of clients.
  • Placing of crypto-assets: This is defined as marketing crypto-assets to purchasers on behalf of or for the account of the offeror or a party related to the offeror.
  • Reception and transmission of orders for crypto-assets on behalf of clients: This involves the reception from a person of an order to purchase or sell one or more crypto-assets and the transmission of that order to a third party for execution.
  • Providing advice on crypto-assets: This includes offering, giving, or agreeing to give personalised recommendations to a client, either at the client’s request or on the initiative of the CASP, in respect of transactions relating to crypto-assets or the use of crypto-asset services.
  • Providing portfolio management on crypto-assets: This includes managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets.
  • Providing transfer services for crypto-assets on behalf of clients: This is defined to include providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another.

Will MiCAR Apply to Non-EU Crypto Businesses?

Whether MiCAR will apply to the activities of a CASP will depend on the place in which the services are provided, rather than the jurisdiction in which the CASP is established. 

The wording of MiCAR indicates that it will have extra-territorial effect requiring any third-country firms that provide services to EU-based customers to become authorised under MiCAR. 

MiCAR provides a reverse solicitation exception for clients established in the EU that seek out crypto-asset services provided by a third-country firm on their own initiative. In this case the crypto-asset services will not be deemed to be provided in the EU and so will be out of scope of MiCAR. However, the Recitals to MiCAR state that if the third-country firm solicits clients or otherwise promotes or advertises any crypto-asset services in the EU, then it will not be able to rely on this exception, regardless of any contractual disclaimers that may be in place. 

It is important to note that a condition of authorisation is that CASPs must have their “place of effective management” in the EU, and at least one director must be resident in the EU. The Recitals to the act adds that “place of effective management” is the location of the key management and commercial decisions that are necessary for the conduct of the business. Essentially this means that, subject to a narrow reverse solicitation exception discussed below, third-country firms will not be permitted to provide crypto-asset services within the EU. 

Once authorised, a CASP can rely on a passporting regime to provide crypto-asset services throughout the EU. To do this, the CASP should provide its home regulator with a list of the member states in which it intends to provide crypto-asset services and the date it intends to start providing these services. The home regulator must then, within 10 working days, communicate this to the regulator in each of the relevant member states, allowing the services to be provided 15 calendar days after the intention to provide the cross-border services is communicated to the home regulator. 

What Must a Business Do Before It Can Become a CASP?

Subject to the narrow reverse solicitation exception described above, under MiCAR, crypto-asset services may be provided in the EU only by: 

  • Firms that have been authorised as a CASP. 
  • Firms holding other authorisations that are deemed by MiCAR to be equivalent to certain specified crypto-asset services and that have provided specified information to the competent authority of their home member state at least 40 working days before providing the crypto-asset services for the first time. For example, an authorised central securities depository may provide the crypto-asset service of custody and administration of crypto-assets without obtaining further authorisation.

To obtain authorisation as a CASP, a firm must (i) have a registered office in the EU where it carries out at least part of its crypto-asset services; (ii) have its place of effective management in the EU; and (iii) have at least one director resident in the EU. 

Following receipt of a complete application for authorisation, a regulator will have 40 working days to grant or refuse authorisation and must provide a fully reasoned decision to the applicant within five working days of making a decision. Following authorisation, a CASP will be added to a public register maintained by the European Securities and Markets Authority (ESMA).

Are There Any Transitional Provisions for Firms That Are Registered or Authorised Under Existing Regimes?

Prior to MiCAR, there were no uniform rules governing the activities of CASPs across the EU. As a result of this, each member state regime contains important differences regarding the scope of crypto-assets and activities captured and the requirements placed on these activities.

MiCAR nevertheless provides that CASPS that provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026 or until they are granted or refused authorisation under MICAR, whichever is sooner.

What Ongoing Obligations Are Crypto-Asset Service Providers Subject to Under MiCAR?

Ongoing obligations placed on all CASPs

All CASPs are under a general obligation to act honestly, fairly, and professionally and to act in the best interests of their clients. This includes an obligation that communications must be fair, clear, and not misleading and that marketing communications must be identified as such. 

All CASPs are also subject to ongoing disclosure requirements. This includes obligations to publish policies on pricing, costs, and fees as well as any relevant principal adverse impacts on the climate. In addition to this, CASPs must comply with stringent prudential requirements, including minimal capital requirements (held in the form of own funds or qualifying insurance policies).

Various organizational and governance requirements must also be complied with by all CASPs, including requirements as to:

  • the suitability of members of the management body, direct or indirect shareholders, and employees
  • Business continuity and disaster recovery planning
  • Recordkeeping
  • Safeguarding of clients’ crypto-assets and funds
  • Complaint handling
  • Identification, prevention, management, and disclosure of conflicts of interest
  • Outsourcing
  • Plans for an orderly wind-down

There are also requirements around outsourcing of operational functions. CASPs are required to put in place a policy on outsourcing and must have a written agreement with any third parties involved in outsourcing. Regardless of whether activities have been delegated to third parties, CASPs will remain responsible for complying with all their obligations under MiCAR. 

Ongoing obligations relevant to specific crypto-asset services
Crypto-Asset Service
 Type of Obligation Obligation 
 Custody and administration of crypto-assets on behalf of clients Governance obligation
  • Must enter into an agreement with their clients specifying their duties and responsibilities as well as certain specified information.
  • Must establish a custody policy that ensures the safekeeping or control of crypto-assets.
  • Must facilitate the exercise of any rights attaching to the crypto-assets.
Information obligation
  • Must keep a register of positions opened in the name of each client containing certain specified information.
  • At least every three months, and on request, must provide clients with a statement of position of the crypto-assets held on behalf of those clients containing certain specified information.
Prudential requirements
  • Must segregate assets held on behalf of clients from the CASP’s own assets.
  • Note: MiCAR holds these CASPs liable to clients for the loss of crypto-assets or the means of access to crypto-assets resulting from any incident that is attributable to the CASP.
 Operation of a trading platform for crypto-assets Governance obligation  
  • Must lay down, maintain, and implement operating rules for the trading platform, including certain specified minimum requirements. CASPs must ensure that crypto-assets comply with the operating rules before admission to trading.
  • May not deal on own account on the trading platform they operate.
  • May engage in matched principal trading only where the client has consented to that process and must provide the regulator with information explaining their use of matched principal trading.
  • Must put in place systems and procedures to ensure that the trading platforms:
    • Are resilient
    • have capacity to deal with peak order and message volumes
    • are able to operate under severe market stress
    • are able to reject orders that exceed predetermined volume and price thresholds or are clearly erroneous
    • are subject to business continuity arrangements
    • are able to prevent or detect market abuse
    • are sufficiently robust to prevent abuse for purposes of money laundering or terrorist financing
  • Must ensure that fee structures are transparent, fair, and nondiscriminatory and do not create incentives to contribute to disorderly trading conditions or market abuse.
Information obligation  
  • Must inform the regulator when they identify market abuse or attempted market abuse on their trading systems.
  • Must make public the price, volume, and time of transactions executed as well as any bid and ask prices and the depth of trading interests at those prices. These must remain published for at least two years.
  • Must be capable of reporting to the regulator at all times and keep available for at least five years relevant data relating to all orders advertised through their systems.
Operational requirements
  • Must complete final settlement of transactions on the distributed ledger within 24 hours of the time the transactions are executed on the trading platform.
 Exchange of crypto-assets against funds or other crypto-assets Governance obligation
  • Must establish a nondiscriminatory commercial policy indicating the type of clients they interact with and the conditions to be met by these clients.
Information obligation
  • Must publish a firm price or method for determining the price of crypto-assets.
  • Must publish details of orders and transactions concluded, including transaction volumes and prices.
Operational requirements
  • Must execute clients’ orders at the prices displayed at the time when the order for exchange is final.
 Execution of orders for crypto-assets on behalf of clients Governance obligation
  • Must implement effective execution arrangements including an order execution policy. CASPs are required to monitor the effectiveness of this policy and notify clients of any changes to this policy.
Information obligation
  • Must provide appropriate and clear information to clients on this order execution policy and be able to demonstrate that they have executed orders in accordance with this execution policy.
Operational requirements
  • Must take all necessary steps to obtain the best possible result for their clients, taking into account certain specified factors. 
 Placing of crypto-assets Governance obligation
  • Required to have specific and adequate procedures to prevent, monitor, manage, and disclose conflicts of interests where (i) placing crypto-assets with their own clients; (ii) the proposed price of the crypto-assets has been over- or underestimated; or (iii) incentives are paid or granted by the offeror to the CASP.
Operational requirements
  • Must communicate and agree with the issuers the type of placement, proposed timing, process, price, and transaction fees and information about the targeted purchasers.
 Reception and transmission of orders for crypto-assets on behalf of clients. Governance obligation
  • Must establish and implement procedures and arrangements that provide for the prompt and proper transmission of client’s orders to another CASP.
Operational requirements
  • May not receive any benefits for routing clients’ orders to a particular CASP.
  • May not misuse, and must take all reasonable steps to prevent the misuse of, information relating to pending clients’ orders by their employees.
 Providing advice on crypto-assets Operational obligation


  • Must assess the compatibility of crypto-assets and crypto-asset services with the needs of clients, taking into account certain specified factors. CASPs must maintain policies and procedures to conduct this assessment. A report should be provided to the client summarizing the advice given and specifying how the advice meets the client’s demands and needs.
  • Must ensure that natural persons providing advice possess necessary knowledge and experience.
Information obligation
  • Prior to providing advice: inform prospective clients (i) whether the advice is provided on an independent basis; (ii) whether it is based off a broad or restricted analysis of different crypto-assets; (iii) of information on all costs and related charges.
  • Must warn clients of certain specified risks.
 Portfolio management of crypto-assets Operational obligation
  • Required to assess the compatibility of crypto-assets and crypto-asset services with the needs of clients, taking into account certain specified factors. CASPs must maintain policies and procedures to conduct this assessment. A report should be provided to the client summarizing the advice given and specifying how the advice meets the client’s demands and needs.
  • Must not accept and retain benefits provided by any third party in relation to the provision of the service.
Information obligation
  • Must warn clients of certain specified risks.
  • Must provide statements to clients of the portfolio management activities carried out on their behalf every three months.
 Providing transfer services for crypto-assets on behalf of clients. Contractual Obligations 
  •  Must conclude an agreement with their clients specifying their duties and responsibilities, including certain specified information.

How Does This Differ for “Significant” Crypto-Asset Service Providers?

A CASP is deemed to be “significant” where on average during one calendar year it has 15 million daily active users in the EU. If this is the case, the CASP must notify the member state regulator within two months of reaching the threshold. 

The regulatory framework for significant CASPs remains the same; however, the member state regulator is obliged to report annually to ESMA on key supervisory developments related to that CASP. The ESMA will have the power to issue opinions on how to promote supervisory coordination in relation to a significant CASP. In addition to this, where there is a threat to the orderly functioning and integrity of the financial markets or the stability of the EU financial system, the ESMA may exercise an intervention power to prohibit or restrict the provision of crypto-asset services by the CASP or take other appropriate measures. 

Are There Any Provisions Governing The Acquisition of CASP?

Yes. If a legal person wishes to acquire voting rights or capital in a CASP reaching or exceeding thresholds of 20%, 30%, or 50%, it will be required to notify the relevant member state regulator indicating the size of the intended holding and providing other information. MiCAR prescribes a process and the matters to be taken account of in making an assessment. These are similar to those found in other directives, such as:

  • the reputation of the proposed acquirer
  • the reputation, knowledge, skills, and experience of any person who will direct the business of the CASP as a result of the proposed acquisition
  • the financial soundness of the proposed acquirer
  • whether the crypto-asset service provider will be able to comply with the requirements of MiCAR
  • whether the acquisition could increase the risk of money laundering or terrorist financing

These provisions will be subject to secondary legislation to be developed by the European Securities and Markets Authority in cooperation with the European Banking Authority.

Will the Position on CASPS in the UK Be the Same as That Under MiCAR?

No. The UK government issued a consultation Future financial services regulatory regime for cryptoassets - GOV.UK ( on an expanded regime for CASPS, some of which are subject to a regime similar to that under MLD5 discussed in our Alert Buying A U.K. Crypto Business: The New Regulatory Hurdles. Under current proposals, the UK regime will be similar to that under MiCAR in that it identifies specific crypto-asset services, the carrying on of which will require any entity to be authorized by the Financial Conduct Authority as a CASP. The new regime is expected in early 2024. 

To discuss the contents of this alert, please contact the authors or your usual Goodwin contact.