MiCA Regulation (EU) 2023/1114 — In force since December 2024
VASP→CASP Transition Deadline: 1 July 2026
Offices in Düsseldorf · Vilnius · Tallinn

Crypto Regulation Europe 2025/2026 — Complete Regulatory Overview

2025 is the first full year in which MiCA's CASP authorization regime is in force, alongside DORA's digital resilience requirements, the ongoing VASP-to-CASP transition, and the approaching July 2026 deadline. This guide provides a complete overview of European crypto regulation in 2025 and 2026: what changed, what's coming, and what crypto businesses must do now.

1. The 2024 Milestone: MiCA Fully in Force

December 30, 2024 was the most consequential date in European crypto regulatory history. On this date, the CASP authorization provisions of MiCA Regulation (EU) 2023/1114 became fully applicable across all 27 EU member states — ending three years of regulatory uncertainty for the European crypto industry.

From December 30, 2024: all businesses providing crypto-asset services to EU clients on a professional basis are legally required to either (a) hold a valid CASP authorization from an EU national competent authority, or (b) operate under the MiCA Art. 143 transitional provisions, which allow legacy VASPs with existing national registrations to continue until July 1, 2026.

This was a genuine regulatory watershed. For the first time in the EU, crypto businesses operate under a unified, directly applicable regulation with consistent rules, equivalent capital requirements, harmonized AML obligations, and a common passporting mechanism — across all member states simultaneously.

MiCA Is Not Just a License Requirement

MiCA creates ongoing behavioral obligations — not just an authorization requirement. CASPs must maintain adequate capital, implement AML/KYC programs, operate DORA-compliant ICT systems, publish white papers for token issuances, segregate client assets, handle client complaints, and report to NCAs. Our MiCA compliance service covers all ongoing obligations.

2. The 2025 Regulatory Calendar

January 17, 2025
DORA (Digital Operational Resilience Act) In Force
Regulation (EU) 2022/2554 — DORA — became applicable on January 17, 2025. DORA applies to all MiCA CASPs as "financial entities." It mandates: ICT risk management frameworks, ICT-related incident classification and NCA reporting (within 4 hours for major incidents), mandatory ICT systems resilience testing, third-party ICT provider risk management, and information sharing arrangements. DORA compliance documentation is now required in every NCA CASP application.

Q1–Q2 2025
EU NCAs Open CASP Application Windows
Most EU national competent authorities formally opened their CASP authorization application processes in the first half of 2025. The Bank of Lithuania, FSC Bulgaria, FSA Estonia, KNF Poland, MFSA Malta, CySEC Cyprus, and Central Bank of Ireland were among the first fully operational NCAs. A small number of NCAs in smaller member states finalized their internal procedures and application portals during Q2–Q3 2025.

Ongoing 2025
VASP→CASP Transition Period Active
Throughout 2025, VASPs registered under pre-MiCA national frameworks (AML registrations in Lithuania, Estonia, Poland, and others) may continue operating under the MiCA Art. 143 transitional provisions. However, these transitional rights expire on July 1, 2026 — and CASP applications take 4–8 months. Companies that began their CASP process in mid-2025 are on track; those starting in early 2026 face authorization gap risk.

2025 Ongoing
ESMA & EBA Publishing MiCA Technical Standards
ESMA and EBA are publishing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under MiCA throughout 2025–2026, covering: CASP authorization documentation requirements, ART and EMT reserve asset management, passporting notification formats, DORA intersection rules, and DeFi scope guidance. CASPs must monitor these standards as they are finalized and incorporated into NCA application requirements.

3. July 1, 2026 — The Hard Deadline

July 1, 2026 is the most critical date for the European crypto industry in 2026. Under MiCA Art. 143(3), the 18-month VASP transitional period expires on this date. From July 1, 2026:

  • All entities providing crypto-asset services to EU clients must hold a valid CASP authorization
  • Transitional operation under pre-MiCA national VASP registrations is no longer permitted
  • Non-compliant entities face NCA enforcement: cease-and-desist orders, fines, public warnings, and in some member states, criminal prosecution
  • EU clients are no longer legally able to use services from unauthorized providers — creating liability risk for both sides

Time Is Running Out — Act Now

As of March 2026, only 4 months remain before the July 1, 2026 deadline. A complete CASP application takes 4–8 months from project start. Companies that have not yet begun their CASP process face a significant risk of an authorization gap. Contact us immediately for an expedited CASP application assessment.

4. Country-by-Country NCA Status

As of March 2026, the status of major EU NCAs processing MiCA CASP applications:

Country | NCA | Application Status | Processing Time
🇱🇹 Lithuania | Bank of Lithuania | Active — High Volume | 3–5 months
🇧🇬 Bulgaria | FSC / KFN | Active — Fast Processing | 3–4 months
🇪🇪 Estonia | FSA (Finantsinspektsioon) | Active — Selective | 5–7 months
🇵🇱 Poland | KNF | Active | 3–5 months
🇩🇪 Germany | BaFin | Active — Rigorous Review | 6–12 months
🇲🇹 Malta | MFSA | Active | 4–6 months
🇨🇾 Cyprus | CySEC | Active | 4–6 months
🇮🇪 Ireland | Central Bank of Ireland | Active | 5–7 months
🇫🇷 France | AMF | Active — Slower Ramp | 6–9 months
🇳🇱 Netherlands | DNB / AFM | Active — High Standards | 6–10 months

5. MiCA vs DORA — Dual Compliance Requirements

CASPs in 2025 and 2026 face two concurrent EU regulatory frameworks that must both be satisfied simultaneously: MiCA and DORA. These are complementary but distinct regimes:

MiCA — Markets in Crypto-Assets
Authorization framework covering CASP business conduct, capital requirements, client asset protection, and market integrity.
  • CASP authorization requirement
  • Capital adequacy (€50K–€150K)
  • AML/KYC compliance
  • Client asset safeguarding
  • White paper requirements
  • EU passporting mechanism
  • NCA supervision and reporting

DORA — Digital Operational Resilience Act
ICT risk management and operational resilience framework applicable to all financial entities — including CASPs.
  • ICT risk management framework
  • ICT incident reporting (4-hour window)
  • Digital resilience testing
  • TLPT for larger CASPs
  • Third-party ICT risk management
  • Information sharing arrangements
  • Annual ICT risk assessments

DORA compliance documentation — specifically the ICT risk management framework, incident response procedures, and third-party provider register — is now required as part of every NCA CASP authorization application. NCAs increasingly view DORA compliance as a prerequisite to authorization, not just a post-authorization obligation.

6. What Changes for Businesses in 2025–2026

If you are already authorized as a CASP:

  • Maintain ongoing MiCA compliance: capital adequacy monitoring, AML program updates, annual NCA reporting
  • Implement DORA compliance: full ICT risk management framework if not already in place, annual penetration testing
  • File passporting notifications before entering any new EU member state market
  • Monitor ESMA/EBA technical standards as they are finalized — some require policy updates

If you are operating as a VASP under transitional provisions:

  • Begin your CASP authorization application immediately — July 1, 2026 is 4 months away as of March 2026
  • Verify whether your home member state has a shorter transitional period than the standard 18 months
  • Start DORA gap analysis — DORA compliance will be required for your CASP application
  • Review your AML program against MiCA's enhanced requirements

If you are a new entrant building a crypto business:

  • Select an EU jurisdiction and begin the CASP application process before launching any EU-facing services
  • Structure your business entity to satisfy substance requirements from the start
  • Budget for both MiCA capital requirements (€50K–€150K) and ongoing compliance costs
  • Consider a ready-made CASP company to accelerate market entry

7. Key Enforcement Actions Expected in 2026

Post-July 1, 2026, EU NCAs are expected to take coordinated enforcement action against unauthorized CASPs. ESMA has explicitly called for consistent enforcement across member states to prevent regulatory arbitrage — where businesses might try to operate without authorization by serving EU clients from outside the EU or through complex corporate structures.

Expected 2026 enforcement patterns include:

  • Cease-and-desist orders against exchanges and custodians serving EU clients without CASP authorization
  • Public warnings published on NCA websites identifying non-compliant crypto businesses — damaging reputationally even without financial sanctions
  • Asset freezes in cases of large-scale unauthorized CASP operation
  • Criminal referrals where member state law provides criminal penalties for unauthorized financial services provision
  • Banking access restrictions — EU banks increasingly refusing to serve unauthorized crypto businesses, creating operational disruption even before formal NCA action
  • Coordinated cross-border enforcement via ESMA's convergence tools — ensuring that firms attempting to exploit jurisdictional gaps face coordinated action across multiple NCAs

The regulatory risk of operating without authorization after July 1, 2026 is existential for EU-facing crypto businesses. This is not a compliance formality — it is a fundamental business license requirement.

8. Frequently Asked Questions

Is MiCA fully in force in 2025?
Yes. MiCA Regulation (EU) 2023/1114 is fully in force as of December 30, 2024. All CASP authorization requirements, ART and EMT rules, and white paper obligations are now applicable across all 27 EU member states. NCAs are accepting CASP applications and processing them under the full MiCA framework.

What is DORA and does it apply to crypto businesses?
DORA — Digital Operational Resilience Act (EU) 2022/2554 — became applicable on January 17, 2025. It applies to all MiCA CASPs as "financial entities." DORA requires CASPs to implement ICT risk management frameworks, establish incident reporting procedures, conduct resilience testing, and manage third-party ICT service provider risks. DORA compliance documentation is required in every CASP authorization application.

When is the final deadline for VASPs to become CASPs?
The final EU-wide deadline is July 1, 2026 — 18 months after MiCA's CASP provisions became fully applicable on December 30, 2024 (MiCA Art. 143). After this date, operating as a VASP without CASP authorization is illegal throughout the EU and subject to NCA enforcement. Some member states have shorter transitional periods.

Which EU NCAs are currently processing CASP applications?
As of March 2026, all major EU NCAs are processing MiCA CASP applications. The most active are: Bank of Lithuania (highest volume), FSC Bulgaria (fastest processing), FSA Estonia (most selective), KNF Poland, BaFin Germany (most rigorous), MFSA Malta, CySEC Cyprus, and Central Bank of Ireland. A small number of smaller EU NCAs are still finalizing procedures.

What does MiCA mean for stablecoin issuers in 2025?
Stablecoin issuers face two MiCA frameworks: E-Money Token (EMT) issuers must hold an e-money institution license and comply with MiCA Title IV; Asset-Referenced Token (ART) issuers must obtain prior NCA authorization under MiCA Title III and maintain significant reserve assets. Both EMT and ART issuers above significance thresholds (€5 billion AUM or 10 million transactions) face EBA direct supervision.

What enforcement actions are expected in 2026?
Post-July 1, 2026, NCAs are expected to issue cease-and-desist orders against unauthorized CASPs, publish public warnings, freeze assets in major cases, refer criminal cases where applicable, and coordinate cross-border enforcement via ESMA. EU banks are already restricting access for unauthorized crypto businesses. ESMA has called for consistent enforcement across all 27 member states to prevent regulatory arbitrage.

Thomas Müller
Senior Regulatory Advisor — MiCA & DORA · Düsseldorf

Thomas Müller is a senior regulatory advisor at Crypto License Europe specializing in MiCA implementation, DORA compliance for CASPs, and VASP-to-CASP transition strategy. He monitors ESMA and EBA regulatory technical standard developments, NCA application procedure updates across all major EU jurisdictions, and coordinated EU enforcement trends. Thomas advises crypto exchanges, custodians, stablecoin issuers, and DeFi-adjacent businesses on regulatory compliance strategy for 2025 and 2026.

Need Help with Your EU Crypto License?

The July 1, 2026 deadline is approaching. Our MiCA CASP specialists will assess your business, select the optimal jurisdiction, and manage your complete CASP authorization from start to finish. Free 30-minute consultation.