MiCA Compliance Checklist: What Every Crypto Platform Must Do Before July 2026

Understanding MiCA's Scope

Who MiCA Covers

MiCA applies to any entity that provides crypto-asset services to EU residents, regardless of where the entity is headquartered. The regulation defines Crypto-Asset Service Providers (CASPs) broadly to include exchanges, custody providers, platforms that enable transfers, advisors, portfolio managers, and entities that place or execute orders on behalf of clients.

If a platform allows EU residents to buy, sell, trade, store, or transfer crypto assets, it falls within MiCA's scope. The "EU resident" test is based on where the customer is located, not where the platform is incorporated.

What MiCA Covers

MiCA establishes rules for three categories of crypto assets. Utility tokens have lighter requirements. Asset-Referenced Tokens (ARTs) — stablecoins backed by a basket of assets — face stringent reserve, governance, and disclosure obligations. E-Money Tokens (EMTs) — stablecoins pegged to a single fiat currency — are regulated under the existing e-money framework with additional MiCA-specific requirements.

The regulation also establishes a whitepaper requirement for token issuers, market abuse rules for crypto-asset trading, and a framework for cross-border passporting of CASP licenses across EU member states.

The Compliance Checklist

1. CASP Authorization

Every platform providing crypto-asset services to EU residents must obtain CASP authorization from the national competent authority in an EU member state. The authorization application includes a detailed business plan, description of governance arrangements, proof of good repute for management, evidence of professional competence, description of IT systems and security arrangements, a business continuity plan, and evidence of adequate financial resources.

The Netherlands, Germany, and Malta have emerged as the primary authorization jurisdictions, with the Netherlands processing the highest volume of applications. Authorization in one member state allows passporting to all 27 member states, though notification requirements apply.

Timeline action: If your application is not already submitted, begin immediately. Authorization processing takes 3-6 months in most jurisdictions.

2. Capital Requirements

CASPs must maintain minimum capital based on the services they provide. The requirements range from €50,000 for advisors and order placement services to €125,000 for exchanges and custody providers to €150,000 for platforms operating as trading facilities.

Capital must be maintained as permanent own funds — not contingent or borrowed capital. Quarterly capital adequacy reporting is required once authorized.

3. KYC and Customer Due Diligence

MiCA's KYC requirements align with the EU's existing AML framework (AMLD5/AMLD6) but add crypto-specific provisions. All CASPs must verify the identity of customers before providing services, apply risk-based customer due diligence, conduct enhanced due diligence for higher-risk customers, and maintain records of all verification activities for at least five years.

For identity verification specifically, CASPs must verify customer identity using reliable and independent sources. This means government-issued identity documents, biometric verification, and database cross-checks. Self-declaration or email verification alone are not sufficient.

The upcoming EU AML Regulation (AMLR), applicable from July 2027, will further tighten these requirements — including a €1,000 threshold for identity verification of hosted wallet transactions and specific provisions for unhosted wallet transfers.

4. AML/CFT Compliance

CASPs must implement a comprehensive AML/CFT compliance program including customer due diligence procedures, ongoing transaction monitoring, suspicious transaction reporting to relevant Financial Intelligence Units (FIUs), sanctions screening against EU and UN sanctions lists, PEP (Politically Exposed Person) screening, and staff training on AML/CFT obligations.

Transaction monitoring must be continuous and risk-based. Batch processing that reviews transactions daily or weekly is not sufficient for high-volume platforms — real-time monitoring is the expectation.

5. Travel Rule Compliance

The FATF Travel Rule (Recommendation 16) is implemented in the EU through the Transfer of Funds Regulation (recast). CASPs must collect and transmit originator and beneficiary information for all crypto-asset transfers above €1,000.

For transfers below €1,000 from hosted wallets, basic identity information must still be collected (though the verification threshold is higher). For transfers involving unhosted wallets, additional risk-based measures apply, including verifying that the unhosted wallet is controlled by the customer.

Travel Rule compliance requires technical integration with counterparty CASPs for data transmission. Several interoperability protocols exist, and platforms should ensure their chosen solution is compatible with the systems used by major European exchanges and custodians.

6. Stablecoin-Specific Requirements

Issuers of Asset-Referenced Tokens must obtain authorization from a competent authority, maintain reserve assets equal to the outstanding value of tokens at all times, publish a whitepaper describing the token and its reserve composition, submit to regular audits of reserve assets, and comply with marketing communication rules.

The stablecoin landscape has already been reshaped by MiCA. USDT was delisted by Coinbase EU in December 2024, Crypto.com in January 2025, and Binance EEA in March 2025. Tether continues restructuring its reserve and disclosure framework to meet MiCA requirements. Platforms that list stablecoins must verify that each stablecoin meets MiCA requirements — or delist it.

7. Whitepaper Requirements

Any entity issuing crypto assets to the public in the EU must publish a crypto-asset whitepaper. The whitepaper must include a description of the issuer, the crypto asset and its technology, the rights and obligations attached to the crypto asset, the risks, and the underlying technology. It must be notified to the relevant competent authority before publication.

Whitepapers for ARTs and EMTs require prior approval from the competent authority before the token can be offered.

8. Market Abuse Prevention

MiCA introduces market abuse rules specifically for crypto-asset trading, including prohibitions on insider trading using material non-public information about crypto assets, market manipulation including wash trading, spoofing, and layering, and failure to disclose inside information.

CASPs that operate trading platforms must implement surveillance systems to detect market manipulation and insider trading. These systems must be documented and available for regulatory inspection.

9. Governance and Operational Resilience

CASPs must establish governance arrangements including a clearly defined organizational structure with transparent reporting lines, effective risk management policies, internal control mechanisms, business continuity and disaster recovery plans, IT security policies meeting EBA and ESMA technical standards, and complaint handling procedures.

The Digital Operational Resilience Act (DORA), which also applies to CASPs, adds specific requirements for ICT risk management, incident reporting, digital operational resilience testing, and third-party ICT risk management.

10. Ongoing Reporting

Once authorized, CASPs face ongoing reporting obligations including regular financial statements, capital adequacy reports, transaction reports to competent authorities, complaint handling reports, and material change notifications (changes to governance, services, or operational arrangements).

ESMA is developing technical standards for reporting formats and frequencies, with final standards expected to be published throughout 2026.

The Penalty Structure

MiCA enforcement carries real consequences. Competent authorities can impose administrative fines of up to 12.5% of annual turnover for the most serious violations, or up to €5 million for natural persons. Additional penalties include withdrawal of CASP authorization, temporary or permanent bans on individuals from management positions, public censure, and periodic penalty payments for ongoing non-compliance.

Over €540 million in penalties have been issued since enforcement began. The penalty trajectory is clear: regulators are using the full range of enforcement tools available.

The July 1 Deadline

Platforms that have been operating under transitional provisions must obtain full CASP authorization or cease providing services to EU residents by July 1, 2026. The transitional period that allowed platforms to continue operating under national frameworks while applying for MiCA authorization expires on this date.

For platforms that are still in the authorization process, the priority is accelerating the application. For platforms that have not yet applied, the realistic options are applying immediately in a jurisdiction with shorter processing times, partnering with an already-authorized CASP to operate under their license, or planning an orderly exit from EU markets.