MiCA Decoded is a 12-article weekly collection for Bitcoin.com Information, co-authored by LegalBison’s Co-Founding and Managing Administrators: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech firms on MiCA licensing, CASP and VASP functions, and regulatory structuring throughout Europe and past.
This week’s entry has been written by Krystian Lapka, Lawyer at LegalBison. Krystian focuses on cross-border company and business transactions, alongside strategic threat administration on the intersection of civil and customary regulation.
Most founders approaching their first CASP software perceive, at the very least abstractly, that MiCA requires an actual EU presence. What they underestimate is how the regulator defines “actual.”
The everyday early-stage setup appears coherent on paper: a registered workplace in a positive EU jurisdiction, a director named within the governance paperwork, ICT techniques both cloud-hosted or managed from the group’s world infrastructure, and paid-in capital sitting in a newly opened checking account.
From the within, this appears like an EU firm. From a Nationwide Competent Authority’s perspective, it could appear to be a letterbox with a director connected.
This text maps what MiCA’s substance necessities really demand throughout personnel, know-how, and monetary resilience, and explains why regulators deal with every class as a practical take a look at somewhat than a documentation train.
The priority driving all of it’s the similar: stopping letterbox firms, entities that exist on paper in a positive jurisdiction however lack any significant financial exercise, human capital, or operational capability inside it.
The Delusion: Presence Equals Substance
The regulatory logic right here is older than MiCA. Within the landmark Cadbury Schweppes ruling (Case C-196/04), the Court docket of Justice of the European Union established that the liberty of multinational can’t be used to create “wholly synthetic preparations” that lack real financial exercise. MiCA codifies that precept straight into crypto-asset regulation.
Article 59(2) of MiCA states that licensed CASPs will need to have their registered workplace in a Member State the place they perform at the very least a part of their crypto-asset providers, will need to have their place of efficient administration inside the Union, and will need to have at the very least one director resident within the Union. The availability is temporary. What sits behind it’s significantly extra demanding.
ESMA’s Supervisory Briefing on Authorization of CASPs, whereas non-binding, indicators clearly how NCAs are anticipated to interpret these necessities in observe.
The hole between the statutory textual content and the supervisory expectation is the place many functions encounter friction.
Personnel: Who Is Truly Operating This Entity
The minimal threshold underneath MiCA is one EU-resident director. Supervisory steering raises that bar.
ESMA’s briefing anticipates at the very least two senior executives collectively overseeing each day operations. The rationale is easy: a single government creates focus threat and removes the inner checks {that a} functioning governance construction requires. Two executives with outlined, overlapping duties is the anticipated baseline.
Residency just isn’t enough by itself. The steering signifies that the place a administration physique member just isn’t resident within the NCA’s jurisdiction, that individual ought to be able to attending in-person conferences on the authority’s request inside two enterprise days.
For jurisdictions the place bodily proximity to the supervisor issues operationally, it is a sensible constraint on how removed from the house jurisdiction a director can successfully be situated.
Time dedication is handled with related seriousness. ESMA’s place, as articulated in its Supervisory Briefing on Authorization of CASPs, is that government administration board members ought to typically dedicate 100% of their skilled time to the CASP position. Double-hatting, the place the identical particular person serves in government capability at a number of entities, is permitted solely in restricted circumstances. An government who splits their consideration between the CASP and one other group firm is prone to entice scrutiny throughout the fit-and-proper evaluation.
Reporting traces matter as a lot as particular person profiles. The administration physique should reveal that strategic and operational management sits inside the EU entity, not with a father or mother firm in a 3rd nation that makes the actual selections and points directions downward.
An EU subsidiary whose executives functionally function implementation brokers for a non-EU headquarters just isn’t, within the supervisory sense, an entity with real EU administration.
The AML dimension reinforces this. The person liable for submitting suspicious exercise stories (the MLRO) have to be bodily current, maintain real authority inside the entity, and be capable of work together straight with the native Monetary Intelligence Unit. This requirement displays a broader world development: the FATF and OECD’s Crypto-Asset Reporting Framework (CARF) operates on the identical logic, extending substance and transparency necessities past the EU.
MiCA’s personnel necessities and CARF aren’t unrelated developments; they replicate a converging worldwide customary for what a regulated crypto entity should appear to be from the within.
The collective suitability customary from Article 68(1) requires the administration physique to own applicable data, expertise and expertise each individually and collectively. As lined within the earlier installment of this collection, that customary spans conventional monetary markets regulation, DLT infrastructure and cybersecurity, and organizational governance. Every of these domains must be represented within the room.
A group drawn fully from crypto-native backgrounds with no regulated monetary providers expertise, or one with deep TradFi expertise and no capability to evaluate on-chain threat, carries structural gaps that the evaluation course of will floor.
Expertise: Management, Not Simply Internet hosting
DORA (Regulation (EU) 2022/2554) applies on to CASPs and units the framework for ICT resilience necessities. The query regulators ask about know-how just isn’t what infrastructure a agency makes use of. The query is who controls it.
Cloud infrastructure hosted by AWS, Azure, or related suppliers is suitable underneath present supervisory observe. The difficulty arises when the entity licensed within the EU lacks significant administrative management over the techniques it will depend on.
If encryption key administration sits with a father or mother firm’s world IT group, if entry rights to consumer knowledge are administered from exterior the EU, or if the catastrophe restoration plan will depend on approvals from a third-country headquarters, the EU entity can not reveal real operational independence.
ESMA’s place, as mirrored in its session supplies, is that the EU administration group should maintain precise management over the ICT infrastructure related to the CASP’s operations. The enterprise continuity coverage and catastrophe restoration plans required underneath Article 68(7) have to be owned and executable by the EU entity, not depending on a world operate that will or could not reply in a disaster.
The sensible take a look at is pointed: if the father or mother firm’s world IT group turned unavailable in a single day, might the EU entity proceed to function, entry consumer funds, and return property to shoppers? If the reply isn’t any, or not with out important escalation to non-EU personnel, the substance query has not been resolved.
GDPR compliance and knowledge governance necessities layer on prime of the DORA framework. Information processing preparations, controller-processor relationships, and knowledge residency issues all type a part of the technical structure that regulators will look at.
Monetary: Capital That Truly Works
Article 67 units the minimal prudential safeguards. The capital tiers are outlined by service class:
The minimal capital determine is the start line, not the ceiling. Prudential safeguards should equal the upper of both the everlasting minimal capital or one-quarter of the previous 12 months’s fastened overheads.
As a CASP grows and its fastened overheads enhance, this second limb turns into the binding constraint. When overheads exceed 4 occasions the preliminary paid-in capital, the agency should transition to the overheads-based framework. That inflection level arrives sooner than many operators anticipate, and regulators anticipate proactive monitoring somewhat than reactive adjustment.
A structural level price noting: capital have to be paid into an account held with a proper credit score establishment.
An EMI or fee service supplier account doesn’t fulfill this requirement. Establishing a banking relationship as a crypto enterprise takes time and isn’t assured. Starting that course of early, earlier than the appliance is formally filed, just isn’t non-obligatory. It’s a sequencing constraint that impacts all the authorization timeline.
The requirement that monetary statements used within the fastened overheads calculation be duly audited or validated by nationwide regulatory authorities provides an extra administrative dimension. Newly integrated entities projecting their first twelve months of overheads should embrace these projections of their authorization software, with the methodology clearly documented.
Outsourcing and the Substance Threshold
Article 73 permits CASPs to outsource operational capabilities to 3rd events. The constraint is that outsourcing can not hole out the licensed entity. Duty stays with the CASP; delegation doesn’t switch accountability.
ESMA’s Supervisory Briefing on Authorization of CASPs identifies the share of complete prices attributable to capabilities situated exterior the EU as a sensible indicator of whether or not outsourcing has gone too far. A CASP whose majority of operational expenditure flows to non-EU service suppliers, even well-run and respected ones, could face questions on whether or not the EU entity has enough inside capability to qualify as a real service supplier somewhat than a conduit.
The excellence the regulator attracts is between CASPs that outsource particular capabilities whereas retaining management and CASPs that outsource every little thing substantive whereas retaining solely the authorized type. The latter is a shell, no matter how the association is described within the software.
Jurisdictional Variation: Identical Regulation, Totally different Follow
MiCA is straight relevant throughout all EU member states. The substantive necessities are uniform. Supervisory observe just isn’t.
Cyprus, by means of CySEC, has explicitly required that almost all of a CASP’s board of administrators be bodily residents of Cyprus. For a board of two government and two non-executive administrators, which means a minimal of three Cyprus-resident administrators. This goes past what MiCA’s textual content requires and displays nationwide AML directives layered on prime of the harmonized EU framework.
Estonia presents a special dynamic. Underneath the earlier VASP registration regime administered by the Monetary Intelligence Unit, Estonia turned one among Europe’s most accessible licensing jurisdictions. The transition to MiCA shifted supervisory duty to the Estonian Monetary Supervision and Decision Authority, which brings a special institutional method to assessment and ongoing oversight.
Poland’s legislative state of affairs, lined in earlier installments of this collection, has produced a structural hole the place the home MiCA implementation regulation has not but been enacted, leaving the KNF with out formal designation because the competent authority and VASP holders with out a viable home CASP software pathway.
These variations aren’t loopholes or administrative quirks. They replicate the fact {that a} harmonized authorized framework nonetheless operates by means of nationwide supervisory cultures, staffing constraints, and institutional histories. Deciding on a jurisdiction for CASP authorization means choosing a regulator, with all the sensible implications that entails.
What ‘Real Institution’ Truly Requires
Taken collectively, the substance necessities underneath MiCA replicate a supervisory philosophy somewhat than a guidelines. The regulator desires to be glad that, if one thing goes incorrect, it has significant recourse.
Meaning government management is bodily reachable and legally accountable underneath EU regulation. It means ICT techniques controllable by the EU entity with out dependency on non-EU authorization chains. It means capital that’s genuinely out there and sized towards precise operational threat.
And it means governance the place the EU entity makes actual selections somewhat than implementing directions issued from elsewhere.
Companies that method this as a documentation train have a tendency to search out the method more durable than anticipated. Companies that construct the substance first and doc what they’ve constructed have a tendency to search out it extra easy. The applying doesn’t create the group. It describes one that ought to already largely exist.
Sources:
This text relies on a research carried out by LegalBison in Might 2026. The content material is for informational functions solely and doesn’t represent authorized recommendation.
