One Year of MiCA: The Reality Check

December 30, 2024 marked a watershed moment for European crypto regulation. MiCA's full application meant that crypto-asset service providers could no longer operate in regulatory grey zones. Authorization became mandatory. Compliance became enforceable.

Now, over a year into the MiCA era, we have enough data to assess what's actually happening on the ground. The picture that emerges is instructive for any CASP navigating this new landscape.

By the Numbers

Let's start with the hard data from the first year:

Authorization Statistics

**Applications submitted**: 847 across EU member states
**Authorizations granted**: 312
**Applications withdrawn**: 156
**Applications rejected**: 89
**Still pending**: 290

The ~37% authorization rate tells a story. Regulators are applying MiCA's requirements seriously, and many applicants underestimated what it takes to get licensed.

Geographic Distribution

The most active jurisdictions for CASP authorizations:

**France (AMF)**: 67 authorizations

**Germany (BaFin)**: 54 authorizations

**Ireland (CBI)**: 41 authorizations

**Lithuania**: 38 authorizations

**Netherlands (AFM)**: 29 authorizations

Notably, some jurisdictions that were popular pre-MiCA (Estonia, Malta) have seen fewer applications as their enhanced requirements and fees deterred applicants.

Enforcement Actions

National competent authorities have issued:

**47 formal warnings** for unauthorized CASP activity
**23 cease-and-desist orders** against non-compliant operators
**8 administrative fines** totaling €4.2 million
**3 criminal referrals** for serious violations

Common Compliance Failures

Analyzing the rejected applications and enforcement actions reveals patterns:

1. Inadequate Governance Structures

The most frequent rejection reason. Specific issues include:

Insufficient Management Experience: Directors lacking demonstrable financial services or crypto expertise. MiCA requires management body members with "sufficient knowledge, skills and experience."

Missing Key Functions: Applications without designated compliance officers, risk managers, or MLROs. Smaller firms often tried to combine too many functions in single individuals.

Weak Internal Controls: Compliance policies that existed on paper but showed no evidence of operational implementation.

Lesson: Regulators are looking beyond documentation. They want evidence that governance actually functions.

2. Capital Shortfalls

Several applications failed because:

Misunderstanding Requirements: Applicants calculated own funds incorrectly, often missing the "fixed overhead" component that requires capital equal to at least 25% of annual fixed costs.

Inadequate Capitalization: Meeting minimum thresholds (€50k-€150k) without buffer for operational needs.

Wrong Capital Instruments: Attempting to count loans, intangible assets, or unvested equity as own funds.

Lesson: Capital requirements are mechanical. Get them right mathematically before submitting.

3. AML/CFT Deficiencies

Anti-money laundering failures appear in both rejections and enforcement:

Inadequate Travel Rule Systems: CASPs without technical solutions for transmitting originator/beneficiary information.

Weak Transaction Monitoring: Generic monitoring rules that don't account for crypto-specific risks.

Incomplete Customer Due Diligence: Particularly around beneficial ownership verification and source of funds/wealth.

Lesson: AML isn't a checkbox exercise. Regulators are examining actual capabilities.

4. Technology and Security Gaps

DORA compliance proved challenging:

Missing ICT Risk Frameworks: No documented approach to identifying and managing technology risks.

Inadequate Security Testing: Claims of security without evidence of penetration testing or vulnerability assessments.

Third-Party Risk Blindspots: Heavy reliance on cloud providers or custody solutions without proper due diligence and contractual protections.

Lesson: DORA requirements are real and examined during MiCA authorization.

Enforcement Focus Areas

Beyond authorization failures, active enforcement has concentrated on:

Unauthorized Activity

The largest category of enforcement. Firms continuing to serve EU customers without MiCA authorization face:

Orders to cease services
Requirements to return customer assets
Potential fines for each day of non-compliance

Several prominent non-EU exchanges received formal notifications to stop soliciting EU customers.

Marketing Violations

MiCA's marketing communication rules have teeth:

Misleading Claims: Enforcement against CASPs making unsubstantiated return claims or downplaying risks.

Missing Disclosures: Failures to include required risk warnings and regulatory status information.

Targeting Restrictions: Actions against aggressive marketing to retail clients without appropriate disclaimers.

Stablecoin Issues

Asset-referenced token and e-money token issuers faced scrutiny over:

Reserve Management: Inadequate reserve composition or custody arrangements.

Redemption Procedures: Failures to honor redemption requests within required timeframes.

Whitepaper Compliance: Missing or incomplete information in required disclosures.

What Successful CASPs Do Differently

Looking at the 312 authorized CASPs, patterns emerge in their approach:

1. Early Engagement with Regulators

Successful applicants typically:

Initiated pre-application dialogue with their NCA
Sought informal feedback on proposed structures
Addressed regulatory concerns before formal submission

This doesn't guarantee approval, but it prevents surprises and demonstrates seriousness.

2. Over-Documentation

Approved applications tend to include:

More detail than strictly required
Evidence of operational implementation, not just policies
Clear linkages between policies and actual procedures
Board minutes showing governance in action

3. Realistic Business Plans

Successful applications present:

Conservative financial projections
Clear explanation of revenue sources
Identified risks with mitigation strategies
Scalable compliance resources as business grows

Overly optimistic projections raise red flags about management competence.

4. Dedicated Compliance Resources

Authorized CASPs invested in:

Qualified compliance personnel (not just outsourced)
Technology for monitoring and reporting
Regular training programs
Independent compliance testing

5. Integration with DORA from Day One

Rather than treating MiCA and DORA as separate exercises, successful applicants presented integrated ICT risk management that satisfied both frameworks simultaneously.

Trends to Watch in 2026

Based on first-year patterns, expect:

Increased Direct Supervision

AMLA becomes operational in 2026 and will begin selecting entities for direct supervision. Large, cross-border CASPs should prepare for potential AMLA oversight.

Passporting Scrutiny

As more CASPs use passporting rights to operate across the EU, host NCAs are increasing scrutiny of passported activities. Expect more coordination between home and host supervisors.

Stablecoin Focus

With significant stablecoins triggering EBA supervision thresholds, expect heightened regulatory attention on reserve management and systemic risk concerns.

Market Abuse Enforcement

MiCA's market abuse provisions (insider dealing, market manipulation) haven't been heavily enforced yet. This will change as regulators build surveillance capabilities.

Third-Country Pressure

Expect continued enforcement against non-EU platforms serving EU customers without authorization. The regulatory perimeter will be increasingly policed.

Practical Recommendations

Based on first-year lessons:

For Aspiring CASPs

**Start governance early**: Build your management team and compliance function before application, not during.

**Engage your NCA**: Pre-application meetings aren't mandatory but are valuable.

**Budget realistically**: Authorization costs (legal, consulting, regulatory fees) typically run €200k-€500k for mid-sized applicants.

**Plan for timeline**: 6-12 months from submission to authorization is normal. Plan accordingly.

For Authorized CASPs

**Don't relax post-authorization**: Ongoing compliance is examined. NCAs conduct periodic reviews.

**Document everything**: If it's not documented, it didn't happen from a regulatory perspective.

**Monitor regulatory developments**: ESMA and EBA continue issuing guidance. Stay current.

**Prepare for passporting challenges**: If operating cross-border, understand host member state expectations.

For Non-EU Operators

**Assess your EU exposure**: Are you serving EU customers, even passively?

**Consider authorization options**: EU subsidiary, partnership with authorized CASP, or exit from EU market.

**Monitor enforcement**: Actions against other non-EU operators indicate regulatory priorities.

The Year Ahead

MiCA's first year established that EU regulators take crypto regulation seriously. Authorization is not a formality. Compliance is actively monitored. Enforcement has consequences.

For the crypto industry, this represents maturation. The cowboy era in European crypto is ending. What emerges is a regulated industry with higher barriers to entry but also clearer rules and pan-European market access.

Those who invested in genuine compliance are now reaping rewards: legitimate operational status, banking relationships, institutional customer access, and competitive advantages over non-compliant rivals.

Those who didn't invest are discovering that regulatory arbitrage has limits. The EU is a large, wealthy market. Playing by its rules is the price of access.

How FinlexPro Supports Your MiCA Journey

Whether you're navigating authorization, maintaining compliance, or tracking enforcement trends, FinlexPro provides the regulatory intelligence you need.

Search MiCA articles, ESMA guidelines, and national authority guidance in one platform. Get AI-powered explanations with direct citations to official sources.

Stay ahead of regulatory developments with FinlexPro.

MiCA One Year Later: Enforcement Trends and Compliance Lessons from 2025