Before MiCA, running a crypto business across Europe was a nightmare. Each country had its own rules. A company licensed in Germany couldn’t automatically offer services in France. It had to apply again. And again. And again. That changed on December 30, 2024, when the second phase of the Markets in Crypto-Assets (MiCA) Regulation fully kicked in. Now, a single license in one EU country lets you serve all 27 member states. That’s not just convenience-it’s a complete rewrite of how crypto operates across borders.
How the EU passport system works
The heart of MiCA’s cross-border system is the EU passport. Think of it like a driver’s license that works across every country in Europe. If you’re a crypto exchange licensed in Estonia, you can open a sales team in Spain, offer wallets in Italy, and host servers in Poland-all without asking each country for permission. All you need to do is notify your home regulator and send them a simple form listing the countries you plan to operate in. They’ll handle the rest.
This isn’t magic. It’s built on decades of EU financial law, like the one that lets banks operate across borders. But for crypto, it’s brand new. Before MiCA, companies either avoided expansion or spent years and millions navigating 27 different rulebooks. Now, a startup in Portugal can compete with a giant based in Luxembourg. The playing field just leveled.
Who needs to comply? All CASPs
MiCA doesn’t just cover big exchanges. It covers anyone offering crypto services to EU users. That includes:
- Crypto exchanges (buying, selling, trading)
- Custodial wallet providers (holding your private keys)
- Token issuers (selling new coins or tokens)
- Stablecoin operators (like EUR-backed coins)
- Platforms that embed crypto into non-crypto services (like a fintech app offering crypto payments)
Even if you’re not a crypto company, if you offer crypto services, you’re a Crypto-Asset Service Provider (CASPs) a legal entity authorized under MiCA to offer crypto services within the EU. No exceptions. No loopholes. If you’re serving EU customers, you’re in scope.
What’s required to get licensed
Getting that EU passport isn’t easy. You need to prove you’re solid. The rules are strict:
- You must have enough own funds-at least €125,000, plus more depending on your business size
- You need insurance to cover theft, hacking, or operational failures
- You must keep client assets separate from your own-no mixing funds
- You need clear transparency rules: fees, risks, conflicts of interest-all in plain language
- You must have systems to detect market abuse: insider trading, fake trading, price manipulation
- You can’t outsource core functions without approval
And if you serve more than 15 million active users in the EU? You’re labeled a “significant” CASP. That means extra scrutiny from ESMA, the EU’s crypto watchdog. You’ll need stress tests, stricter governance, and direct reporting to Brussels. It’s not a penalty-it’s a signal that scale brings responsibility.
What about non-EU companies?
If you’re based outside the EU-say, in the U.S., Singapore, or Hong Kong-you can’t just keep serving EU customers like before. MiCA shuts the door on that.
You have two options:
- Set up a legal entity inside the EU and apply for full CASP authorization
- Do nothing-and stop marketing to EU users
The old trick of "reverse solicitation"-where EU users come to you on their own-is now nearly useless. ESMA’s guidelines say if you have a website in German, run ads in France, or have EU customer support, you’re promoting. That’s not reverse. That’s solicitation. And it’s banned.
Big names like Binance, Kraken, and Coinbase didn’t ignore this. They all created EU subsidiaries. Binance registered in Malta. Kraken set up in Germany. Coinbase launched a new legal entity in Luxembourg. Why? Because without it, they lose access to 450 million people.
Stablecoins face even tougher rules
Not all crypto-assets are treated the same. Stablecoins-especially those tied to the euro or dollar-are under the microscope. MiCA requires them to:
- Hold reserves in liquid, low-risk assets (cash, government bonds)
- Provide daily public reports on reserve backing
- Guarantee users can redeem tokens for euros at par value
- Have a liquidity buffer to handle mass withdrawals
That’s why many stablecoin projects have paused EU launches. The cost of compliance is high. The liability is real. And if you fail? You’re not just fined-you’re shut down.
What about AML and KYC?
MiCA doesn’t replace the EU’s Anti-Money Laundering Directive-it layers on top of it. So now, every CASP must:
- Verify every customer’s identity
- Monitor transactions for suspicious activity
- Report suspicious behavior to national financial intelligence units
- Keep records for five years
This isn’t optional. It’s baked into the license. Regulators can shut you down on the spot if you skip KYC checks. And they’re sharing data across borders. If you’re flagged in Belgium, France will know.
Who’s winning? Who’s losing?
Big players are adapting fast. They’ve got the teams, the lawyers, the capital. They’re building EU subsidiaries like new branches.
Smaller startups? They’re struggling. The €125,000 minimum capital isn’t huge for a bank-but for a two-person team building a DeFi app? It’s a mountain. Add legal fees, audits, insurance, and compliance staff, and you’re looking at half a million euros just to get started.
Some EU countries are trying to help. Ireland and Estonia offer faster licensing. Portugal has a sandbox for innovation. But the rules are still rigid. Innovation isn’t being killed-but it’s being filtered. Only those who can afford the cost survive.
The global ripple effect
MiCA isn’t just an EU rule. It’s becoming a global benchmark. Countries like Japan, Canada, and even the U.S. state regulators are watching closely. If you want to list your token on an EU exchange, you now need to comply with MiCA’s whitepaper rules. If you want to serve EU users, you need to be licensed. That means global crypto projects are redesigning their compliance from the ground up.
It’s not perfect. Some say it’s too strict. Others say it’s not strict enough. But one thing’s clear: the EU is no longer waiting. It’s leading. And if you’re in crypto and want to operate across borders, you have to play by its rules.
Can I still use non-EU crypto exchanges if I live in the EU?
Yes, but only if you initiated the service yourself. If you signed up for a U.S.-based exchange because they ran an ad in your country, that’s illegal under MiCA. The exchange is in violation. You can still use exchanges that don’t market to the EU-but you’ll likely see fewer options, slower support, and no EU legal protection if things go wrong.
Do I need a license if I’m just holding crypto in a non-custodial wallet?
No. MiCA only applies to service providers. If you hold your own private keys in a wallet like Ledger or MetaMask, and you’re not offering services to others, you’re not regulated. MiCA doesn’t target users-it targets businesses that handle crypto on behalf of others.
What happens if a CASP violates MiCA rules?
Penalties are severe. Fines can reach up to 5% of annual global turnover. Repeated violations lead to license revocation. The regulator can freeze assets, shut down operations, and ban executives from the industry. There’s no warning. If you break the rules, you lose your passport-and your access to the entire EU market.
Is MiCA the same as the EU’s DLT Pilot Regime?
No. The DLT Pilot Regime is a separate experiment for blockchain-based securities trading, limited to 2025-2028. MiCA is the permanent, full-scale regulation for all crypto-asset services. They overlap in some areas, but MiCA covers exchanges, wallets, and tokens-everything. DLT is just for one type of use case.
Are decentralized exchanges (DEXs) regulated under MiCA?
It depends. If a DEX has a company behind it that offers customer support, marketing, or centralized features (like a mobile app or fiat on-ramp), it’s treated as a CASP. Pure, non-custodial, permissionless DEXs with no legal entity aren’t regulated. But most real-world DEXs today have some centralized elements-and that’s enough to trigger MiCA.
What’s next?
MiCA is just the start. By 2027, ESMA will review whether it needs to expand to cover decentralized finance, NFTs, and AI-driven trading. For now, the message is clear: if you want to operate across EU borders, you need to be licensed, transparent, and accountable. No more hiding behind offshore entities. No more ignoring KYC. The EU has spoken-and its rules now define the global standard for crypto services.