The transitional window closed on 1 July 2026. Crypto-asset service providers that had been operating across the EU under national regimes have now either secured authorization under MiCA, or they have lost the legal basis to serve clients in the Union.
That deadline is the reason MiCA CASP authorization stopped being a planning exercise and became an operating requirement. Under Article 143(3), providers who were serving clients under applicable national law before 30 December 2024 could continue only until 1 July 2026, or until they were granted or refused authorization under Article 63, whichever was sooner.
This piece walks the actual mechanism. Not "MiCA matters for crypto." The specific triggers, the procedure, the thresholds, and the point where MiCA CASP requirements hand off to DORA. Every claim below traces to a numbered article of Regulation (EU) 2023/1114.
What is a CASP under MiCA, and which services trigger authorization?
MiCA defines a crypto-asset service provider in Article 3(15) as a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide those services in accordance with Article 59.
Two elements do the work there. "On a professional basis" is the activity test. And "allowed in accordance with Article 59" is the licensing gate. If you provide a crypto-asset service professionally in the Union, you need authorization.
Article 3(16) enumerates the ten services that constitute a "crypto-asset service." Providing any one of them triggers the regime:
→ providing custody and administration of crypto-assets on behalf of clients → operation of a trading platform for crypto-assets → exchange of crypto-assets for funds → exchange of crypto-assets for other crypto-assets → execution of orders for crypto-assets on behalf of clients → placing of crypto-assets → reception and transmission of orders for crypto-assets on behalf of clients → providing advice on crypto-assets → providing portfolio management on crypto-assets → providing transfer services for crypto-assets on behalf of clients
Each is separately defined in Article 3, points (17) to (26). Custody, for example, is defined in Article 3(17) as the safekeeping or controlling, on behalf of clients, of crypto-assets or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys.
This matters for scoping. Your authorization is not generic. Article 59(6) requires competent authorities to specify, in the authorization itself, exactly which crypto-asset services the CASP is authorized to provide. Adding a service later is not a courtesy notification. Article 59(8) requires a formal extension request, complementing and updating the Article 62 information, processed under Article 63.
Article 59(1) also sets out the two lawful routes to provide crypto-asset services in the Union. Either you are authorized as a CASP under Article 63, or you are one of the incumbent financial entities named in Article 60 — a credit institution, central securities depository, investment firm, market operator, electronic money institution, UCITS management company, or alternative investment fund manager — allowed to provide services through a notification route rather than full authorization.
Why does the transitional grandfathering window closing in mid-2026 force existing providers into full authorization now?
The MiCA transitional regime was never a permanent carve-out. It was a bridge, and the bridge had a fixed end.
Article 143(3) is explicit. CASPs that provided their services in accordance with applicable law before 30 December 2024 could continue to do so until 1 July 2026, or until they were granted or refused an authorization under Article 63, whichever was sooner. That is the grandfathering clause, and its terminal date has now passed.
Two features of Article 143(3) sharpened the pressure. First, the "whichever is sooner" language meant a refusal terminated the right immediately, regardless of the calendar. Second, the same paragraph let Member States decide not to apply the transitional regime at all, or to reduce its duration, where they considered their pre-existing national framework less strict than MiCA. Member States had to notify the Commission and ESMA by 30 June 2024 whether they exercised that option and how long their transition would run.
The practical consequence: the runway was not uniform across the Union. A provider passporting into multiple markets could face different transitional end-dates depending on each home Member State's election. That is why "we have until mid-2026" was never a safe planning assumption for a multi-jurisdiction operator.
Article 143(6) offered one accommodation. By way of derogation from Articles 62 and 63, Member States could apply a simplified authorization procedure for applications submitted between 30 December 2024 and 1 July 2026 by entities that were already authorized under national law on 30 December 2024. But even under that simplified route, competent authorities had to ensure compliance with Chapters 2 and 3 of Title V before granting authorization. Simplified procedure, same substantive bar.
How does the MiCA CASP authorization procedure work (Article 62/63), and what must the application contain?
Crypto-asset service provider authorization runs through two articles. Article 62 governs the application. Article 63 governs the assessment and the decision.
Article 62(1) directs the application to the competent authority of the home Member State. Article 62(2) then lists what the application must contain. Among the required items:
→ a programme of operations setting out the types of crypto-asset services the applicant intends to provide, and how they will be marketed (point d) → proof that the applicant meets the prudential safeguards in Article 67 (point e) → a description of governance arrangements (point f) → proof that management body members are of sufficiently good repute and possess appropriate knowledge, skills and experience (point g) → the identity of shareholders and members with qualifying holdings, and proof of their good repute (point h) → a description of internal control mechanisms, risk management, AML/CFT procedures, and business continuity plan (point i) → technical documentation of the ICT systems and security arrangements, with a non-technical description (point j) → a description of the procedure for segregating clients' crypto-assets and funds (point k) → a description of complaints-handling procedures (point l) → where custody is intended, a description of the custody and administration policy (point m)
Article 62(3) adds the fit-and-proper evidence: absence of criminal convictions and of penalties under commercial, insolvency, financial-services, AML or CTF law for management-body members and for qualifying holders alike.
Article 63 then sets the clock. Competent authorities acknowledge receipt within 5 working days (Article 63(1)). They assess completeness within 25 working days by checking the Article 62(2) items were submitted (Article 63(2)). Once the application is complete, they have 40 working days to assess compliance with the Title and adopt a fully reasoned decision granting or refusing authorization, notifying the applicant within 5 working days of that decision (Article 63(9)).
That 40-day assessment can be suspended. Under Article 63(12), the authority may request further information no later than the 20th working day of the assessment period, and the clock pauses for up to 20 working days pending the response. Article 63(5) also requires the authority, before deciding, to consult the competent authorities of another Member State where the applicant is a subsidiary of, or controlled alongside, certain other regulated entities.
Article 63(10) sets out the refusal grounds — a management body that threatens sound and prudent management, management members who fail the Article 68(1) criteria, qualifying holders who fail the good-repute test in Article 68(2), or an applicant that fails, or is likely to fail, any requirement of the Title.
What governance, fit-and-proper, and conflicts-of-interest duties does MiCA impose on CASPs?
Governance sits in Article 68. Article 68(1) requires members of the management body to be of sufficiently good repute and to possess appropriate knowledge, skills and experience, both individually and collectively. It bars anyone convicted of money laundering or terrorist financing offences, or other offences affecting good repute, and requires members to commit sufficient time to their duties.
Article 68(2) extends the good-repute test to shareholders and members with qualifying holdings — direct or indirect. Under Article 3(36), a qualifying holding is a direct or indirect holding of at least 10% of capital or voting rights, or one allowing significant influence over management. Article 68(3) empowers competent authorities to act where a qualifying holder's influence is prejudicial to sound management, up to suspending voting rights.
Article 68 also requires effective policies and procedures to ensure compliance (paragraph 4), appropriately skilled personnel (paragraph 5), periodic management-body review of those arrangements (paragraph 6), and record-keeping of all services, activities, orders and transactions, retained for five years and, on competent-authority request, up to seven (paragraph 9).
Conflicts of interest are governed separately by Article 72. CASPs must implement and maintain effective policies to identify, prevent, manage and disclose conflicts — between the provider and its shareholders, controlled persons, management body, employees or clients, and between two or more clients whose interests conflict (Article 72(1)). Article 72(2) requires the general nature and sources of those conflicts, and the mitigation steps, to be disclosed in a prominent place on the provider's website. Article 72(4) requires the conflicts policy to be reviewed at least annually.
What prudential safeguards and own-funds requirements must a CASP hold?
Article 67 sets the prudential floor. A CASP must, at all times, hold prudential safeguards equal to at least the higher of two amounts (Article 67(1)):
→ the permanent minimum capital requirement for the relevant class of services set out in Annex IV, which varies by the type of crypto-asset services provided → one quarter of the fixed overheads of the preceding year, reviewed annually
For providers not yet a year into operations, Article 67(2) substitutes the projected fixed overheads from the first twelve months, as submitted with the authorization application. Article 67(3) then defines precisely how fixed overheads are calculated, subtracting items such as discretionary bonuses and profit shares from total expenses.
Article 67(4) fixes the eligible forms. The safeguards may be held as own funds — Common Equity Tier 1 items under Articles 26 to 30 of Regulation (EU) No 575/2013, after the full deductions in Article 36 — or as an insurance policy or comparable guarantee, or a combination. Where insurance is used, Article 67(5) requires an initial term of at least one year, a cancellation notice period of at least 90 days, and provision by an authorized third-party insurer. Article 67(6) then prescribes the risks that policy must cover, including losses from business disruption or system failures, failure to prevent conflicts of interest, and — where applicable to the business model — gross negligence in safeguarding clients' crypto-assets and funds.
Note the interaction with Article 60. Financial entities using the notification route under Article 60 are, by Article 60(10), not subject to Article 67 — their existing prudential regime carries.
How must a CASP handle custody and safekeeping of clients' crypto-assets and funds?
MiCA splits CASP custody and safekeeping across two articles. Article 70 is the general safekeeping obligation for all CASPs. Article 75 is the specific regime for providers offering custody and administration as a service.
Article 70(1) requires any CASP holding clients' crypto-assets, or the means of access, to make adequate arrangements to safeguard clients' ownership rights, especially in insolvency, and to prevent use of clients' crypto-assets for the provider's own account. For clients' funds other than e-money tokens, Article 70(3) requires the provider to place those funds with a credit institution or a central bank by the end of the business day following receipt, in an account separately identifiable from the provider's own. Article 70(5) exempts CASPs that are themselves electronic money institutions, payment institutions or credit institutions from paragraphs 2 and 3.
Article 75 goes deeper for custodians. It requires:
→ a written agreement with each client specifying duties, the custody policy, security systems, fees and applicable law (Article 75(1)) → a register of positions opened in each client's name, updated for movements (Article 75(2)) → a custody policy that minimises the risk of loss of clients' crypto-assets due to fraud, cyber threats or negligence (Article 75(3)) → a statement of position provided at least once every three months and on request (Article 75(5)) → procedures to return clients' crypto-assets, or the means of access, as soon as possible (Article 75(6))
The segregation requirement in Article 75(7) is strict. Custodians must segregate clients' holdings from their own, hold clients' crypto-assets separately on the distributed ledger, and ensure those assets are legally segregated from the provider's estate so that the provider's creditors have no recourse to them in insolvency. Operational segregation is required as well.
Article 75(8) then imposes liability. A custodian is liable to clients for the loss of crypto-assets, or the means of access, resulting from an incident attributable to it, capped at the market value of the lost asset at the time of loss. Where a custodian sub-delegates to another provider of that service, Article 75(9) permits it only to CASPs authorized under Article 59, and the client must be informed.
What complaints-handling and client-disclosure obligations apply to CASPs?
Complaints handling is a standalone obligation under Article 71. CASPs must establish and maintain effective, transparent procedures for the prompt, fair and consistent handling of client complaints, and publish descriptions of them (Article 71(1)). Clients must be able to file complaints free of charge (Article 71(2)), the provider must supply a filing template and keep records of complaints and responses (Article 71(3)), and complaints must be investigated in a timely and fair manner with the outcome communicated within a reasonable period (Article 71(4)).
Disclosure duties sit primarily in Article 66, the honest-fair-professional obligation. CASPs must act in the best interests of clients (Article 66(1)), provide information that is fair, clear and not misleading, including in marketing communications identified as such (Article 66(2)), warn clients of the risks of crypto-asset transactions (Article 66(3)), and make their pricing, cost and fee policies publicly available in a prominent place on their website (Article 66(4)). Article 66(5) adds the disclosure of principal adverse environmental impacts of the consensus mechanism used.
How do MiCA's ICT and operational-resilience expectations tie into DORA for CASPs?
This is where MiCA CASP requirements stop being self-contained. MiCA does not build its own ICT-resilience regime. It points directly at DORA.
Article 68(7) requires CASPs to take all reasonable steps to ensure continuity and regularity in performing their services, using resilient and secure ICT systems "as required by Regulation (EU) 2022/2554" — DORA. The same paragraph requires a business continuity policy that includes ICT business continuity plans and ICT response and recovery plans set up pursuant to Articles 11 and 12 of DORA.
Article 68(8) goes further. It requires CASPs to have in place the mechanisms, systems and procedures required by DORA, and to have systems and procedures to safeguard the availability, authenticity, integrity and confidentiality of data pursuant to DORA. The MiCA DORA operational resilience link is written into the text of the governance obligation itself.
The practical reading is that a CASP cannot satisfy Article 68 without satisfying DORA's ICT risk management framework, incident-reporting, testing and third-party-risk requirements. For a crypto-asset service provider, MiCA authorization and DORA compliance are not two projects. They are one control set viewed from two regulations, and the same evidence — ICT risk framework, business continuity plans, incident procedures, third-party register — has to satisfy both.
That overlap is exactly the kind of duplication that source-grounded mapping resolves. When an obligation under MiCA Article 68 and an obligation under DORA Chapter II describe the same control, you answer once and satisfy both, rather than running two disconnected evidence collections. This is where an operational resilience view of your obligations, aligned to DORA and the broader financial-services stack, keeps the CASP file coherent instead of fragmented across frameworks.
Every obligation traced to a verbatim quote from the legal text. No AI hallucinations. A posture you can defend in front of a regulator, a board, or a plaintiff.
FAQ: MiCA CASP authorization timelines, passporting, and DORA overlap
How long does MiCA CASP authorization take? Once an application is complete, Article 63(9) gives the competent authority 40 working days to assess compliance and adopt a reasoned decision, with notification to the applicant within 5 working days of that decision. Before that, there is a 5-working-day acknowledgement (Article 63(1)) and a 25-working-day completeness check (Article 63(2)). The 40-day clock can be suspended for up to 20 working days if the authority requests further information no later than the 20th working day (Article 63(12)).
Can a CASP passport across the EU? Yes. Article 59(7) allows an authorized CASP to provide crypto-asset services throughout the Union, either through the right of establishment, including a branch, or through the freedom to provide services. A CASP providing services cross-border is not required to have a physical presence in the host Member State.
What happened to providers that missed the 1 July 2026 transitional deadline? Under Article 143(3), the right of pre-existing providers to continue under national law ended on 1 July 2026, or on the grant or refusal of authorization under Article 63, whichever was sooner. Member States could also shorten or disapply the transition. After that terminal date, continuing to provide crypto-asset services without MiCA authorization has no lawful basis.
Do banks and investment firms need full CASP authorization? No. Article 60 lets certain incumbent financial entities — credit institutions, investment firms, e-money institutions, CSDs, market operators, UCITS management companies and AIFMs — provide specified crypto-asset services through a notification submitted at least 40 working days in advance, rather than full Article 62/63 authorization. Article 60(10) exempts them from Articles 62, 63, 64, 67, 83 and 84.
How does DORA fit into MiCA CASP authorization? DORA is referenced inside MiCA's governance obligation. Article 68(7) and 68(8) require CASPs to use resilient and secure ICT systems, business continuity and ICT response-and-recovery plans, and data-integrity safeguards "as required by Regulation (EU) 2022/2554." A CASP's ICT resilience evidence therefore has to satisfy both regulations.
Map your MiCA CASP obligations against DORA in one profile — see your exposure at aegis-grc.com


