MiCA requires unified compliance, documented EU substance

MiCA requires crypto-asset service provider applicants to submit a compliance architecture that shows documented independence, collective expertise across three knowledge areas, concrete time commitments for managers and real physical substance inside the EU. Licenses under MiCA are issued to the operating organization rather than to named officers.

Article 68 of MiCA and ESMA guidance require members of the management body to have appropriate knowledge, skills and experience individually and collectively. National Competent Authorities expect the team, taken together, to cover traditional financial markets regulation and conduct; digital ledger technology and cybersecurity; and business strategy with governance and risk management.

ESMA’s draft regulatory technical standards require firms to disclose written estimates of each management member’s monthly and annual time commitment and to list all other executive and non-executive roles. Authorities will assess whether directors and officers can meaningfully perform their duties. Part-time or advisory arrangements with minimal hours are subject to scrutiny.

Internal control functions must be named, structured and independent. ESMA sets out three core areas that must report directly to the management body: the compliance function, the risk assessment function and the internal audit function. Anti-money-laundering and counter-terrorist financing functions and business continuity planning are also required elements of the organizational setup.

Regulators will examine reporting lines, documented scopes of responsibility and mechanisms for scheduled and emergency access to the management body. A compliance head reporting into a revenue-generating executive, or a risk team embedded within a trading desk, risks being found insufficiently independent.

Authorization packages must show a genuine place of effective management in the EU. Firms must provide a head office address and at least one director resident in the EU with real decision-making authority. Registered addresses supported by nominee directors or token physical presence do not meet substance expectations.

Business continuity and digital operational resilience are obligations for the management body under MiCA and the Digital Operational Resilience Act (DORA, Regulation EU 2022/2554). ESMA’s proposals require firms operating on permissionless blockchains to communicate proactively with clients during network-level disruptions, clarifying whether funds are at risk and how service resumption will be managed. Firms remain liable for losses arising from their own smart contracts even when incidents occur on public blockchains.

Data standards and reporting are part of the compliance remit. CASPs running trading platforms must use the Digital Token Identifier (DTI) to identify crypto-assets and the relevant distributed ledger technology, and they must adopt ISO 20022 for transactional messaging. Pre- and post-trade transparency data must be disclosed in machine-readable formats to allow cross-border surveillance and comparison across providers.

Regulatory guidance indicates that authorization applications should document an institution that already exists in operational form. Advisors point to a LegalBison study published in April 2026 showing that early-stage applicants often stall when compliance and management structures are retrofitted around an application rather than embedded in the organization.

Regulators in several jurisdictions outside the EU are adopting similar substance-focused requirements for virtual asset service provider licensing. Under MiCA, the presence of named officers alone will not satisfy National Competent Authorities. Applicants must demonstrate an integrated compliance architecture with documented independence, collective capability across the three core domains, verifiable time commitments and effective decision-making weight inside the EU.