ESMA and MiCA: The End of the Transition Period and the Beginning of Full EU Crypto Enforcement
Credit: City AM
The EU's comprehensive crypto-asset framework is now fully operational, all grandfathering periods expire on 1 July 2026, and ESMA's complete regulatory technical standard package is in place.
Context:
The Markets in Crypto-Assets Regulation (MiCA) which entered into force in June 2023, has been progressively implemented across 2024 and 2025. As of 1 July 2026, the transitional provisions allowing crypto-asset service providers (CASPs) operating under legacy national VASP registrations to continue providing services pending MiCA authorisation will have fully expired across all EU member states. From that date, any CASP providing services to EU clients without MiCA authorisation is in breach of EU law and must cease operations.
ESMA has completed its full package of Level 2 and Level 3 measures, more than 30 technical standards and guidelines covering every aspect of MiCA implementation. The final piece was published on 28 January 2026: ESMA's Guidelines on Knowledge and Competence for CASP staff, which apply from 28 July 2026. The publication of these guidelines marked the completion of the EU's regulatory framework for crypto-asset service providers. Additional guidelines were published on 5 March 2026 covering systems and security protocols, market abuse supervision, and classification of cryptoassets.
The regulatory landscape for 2026 has therefore shifted from one of implementation and transition to one of authorisation, supervision, and enforcement. ESMA has warned that national competent authorities are expected to take enforcement action against unauthorised firms continuing to operate after 1 July 2026, and has flagged that last-minute authorisation applications submitted near the deadline should be subject to heightened regulatory scrutiny.
Rules and Guidelines:
The MiCA framework establishes requirements across three broad areas. For CASPs (crypto exchanges, custodians, brokers, advisers, and others): mandatory authorisation by a competent NCA, with passporting rights across EU member states once authorised; capital adequacy requirements calibrated to the type and scale of activities; governance and fit-and-proper requirements for senior managers; conduct-of-business rules including best execution, conflicts management, and client asset protection; mandatory disclosure of costs, risks, and conflicts; and compliance with operational resilience, cybersecurity, and AML obligations.
For issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs): additional requirements apply, supervised by the EBA for significant tokens and NCAs for smaller issuers. These include reserve management standards, redemption rights, and specific governance controls. For white paper requirements: any issuer making a public offer of crypto-assets in the EU must produce a MiCA-compliant white paper submitted to and available through ESMA's central register.
ESMA's MiCA register provides the authoritative public record of MiCA-authorised entities, submitted white papers, and firms subject to enforcement action. CASPs operating cross-border within the EU can passport their authorisation, but must notify host-state NCAs before beginning services. For third-country firms: they may serve EU professional clients on a reverse solicitation basis but cannot actively market to EU retail clients without authorisation.
Businesses Affected:
Any firm currently providing crypto-asset services to EU clients including exchanges, custodians, brokers, advisers, staking service providers, and portfolio managers, that has not yet obtained MiCA authorisation.
UK-based crypto firms with EU client bases, who must assess whether their activities fall within MiCA's territorial scope and, if so, whether to seek authorisation or to cease EU-targeted services.
Banks and investment firms with crypto-asset units or subsidiaries may benefit from grandfathered permissions under existing financial services authorisation, but must ensure MiCA conduct rules apply to crypto activities from 1 July 2026.
Stablecoin issuers, whose ART and EMT classifications determine whether EBA or NCA supervision applies and what reserve management and redemption obligations must be met.
Next Steps:
Confirm authorisation status by 1 July 2026. Any EU-facing CASP operating under transitional provisions must hold MiCA authorisation by this date or cease services. There is no further extension.
For UK crypto firms with EU clients: conduct a territorial scope analysis of your EU-facing activities. Reverse solicitation exemptions are narrow and should not be relied upon for anything beyond passive enquiry responses.
Implement ESMA's January 2026 knowledge and competence guidelines for client-facing staff from 28 July 2026. Staff providing information or advice on cryptoassets must meet the qualification and experience standards specified.
Monitor ESMA's MiCA register for authorised entities and enforce against competitors using the 'Unauthorised entity' mechanism if they continue operating without MiCA authorisation after 1 July.
For UK firms: understand the parallel UK regime (FCA authorisation gateway opens September 2026, regime live October 2027). The two frameworks are substantively different; mapping UK obligations against MiCA will identify gaps early.
Source | ESMA | MiCA Enforcement Regime
