MICA CASP authorisations: ESMA recommendations in peer review report

Background

The EU’s Markets in Crypto-assets Regulation (Regulation (EU) 2023/1114) (“MiCA”) establishes a unified regulatory framework for crypto-asset services across the EU (see also our MiCA Level 2 and 3 measures tracker here).

Since January 2025, crypto-asset service providers (“CASP”) in the EU must apply for an authorisation with their national competent authority (“NCA”), subject to a “grandfathering period” of 18 months (i.e. up until 30 June 2026) which allows existing CASPs that have been providing service in compliance with applicable law before 30 December 2024 (e.g. local Member State-level regimes) to continue to provide their services until they obtain MiCA authorisation. NCAs have the option of implementing a shorter grandfathering period, which means the transition period for existing CASPs vary between Member States.

In April 2025, the Board of Supervisors of ESMA decided to launch a peer review on the authorisation and early supervision of a CASP (which remained unnamed throughout the report) by the NCA of Malta, i.e. the Malta Financial Services Authority (“MFSA”).

ESMa published an executive summary of its peer review report on 10 July 2025. Although the peer review focuses on one NCA, it also aims to inform the supervisory practices of all NCAs, in order to encourage supervisory convergence and to prevent regulatory arbitrage.

Peer review: Malta

The peer review was carried out based on ESMA’s Peer Review Methodology by an ad hoc Peer Review Committee (“PRC”).

The PRC found that the MFSA did not fully meet expectations in certain areas—for example, the overall authorisation process should have been more thorough, and there were material issues which remained unresolved or pending remediation at the time of the authorisation.

That said, the PRC also highlighted the good practices of the MFSA, in terms of:

• its resources and expertise, noting that the MFSA has been proactive in recruiting supervisors with expertise in crypto services by (i) engaging with local universities, (ii) providing training and (iii) cooperating with other relevant authorities; and
• its proactive outreach to the industry to encourage early preparation for MiCA, and to communicate its expectations to industry in a timely manner.

ESMA recommendations to all NCAs

The PRC recommends to all NCAs to pay particular attention to certain aspects when processing authorisations, including:

• Business growth, i.e. NCAs should assess business plans in a forward-looking manner, taking into consideration expected growth and associated risks.
• Conflicts of interest, including conflicts arising from multiple CASP services and related disclosure requirements.
• Governance and intragroup arrangements, and in particular using ESMA’s cross-cutting principles on third-party risks supervision as a baseline to assess intragroup arrangements.
• ICT architecture including intragroup reliance and use of sub-providers. NCAs should review ICT systems (including business continuity) in light of the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). NCAs should give particular attention to functions and services that are most critical to the CASP business (e.g. custody). (Read more about DORA on our Operational Resilience Hub.)

In terms of ICT security, entities should be able to appropriately and effectively react in case of a hack. Additionally, the authorisation process should confirm that an entity has adequate measures in place to efficiently and effectively block malicious transactions if needed.

• Web3 and decentralised products, including the promotion of unregulated services. NCAs should assess the exposure to DeFi risks. Further, NCAs should evaluate the promotion of any unregulated services, such as whether such promotions may create confusion among customers that such services are possibly regulated.
• User interfaces and customer journeys, including ensuring that risk warnings are clearly presented to users and that the overall customer experience is compliant with MiCA.

More broadly, the PRC encourages NCAs to:

• regularly share information and experiences through the dedicated ESMA Group, the Digital Finance Standing Committee (“DFSC”), to help foster a convergent approach; and
• consider how investors across the EU Member States are able to apply their rights under MiCA, and how this impacts an NCA’s resources and the need to cooperate with other EU supervisors.

It is worth noting that while CASPs must apply for an authorisation with an NCA, an authorisation under MiCA would allow a CASP to passport its services across the EU. NCA’s, therefore, play a significant gatekeeping role for the single market, with the authorisation process being the NCA’s key opportunity to assess CASP entities and to ensure investors in any jurisdiction across the EU will be given an adequate level of protection, regardless of where the CASP originates from.

What does this mean for firms?

Firms seeking to obtain a CASP authorisation under MiCA should be aware that ESMA is actively undertaking efforts to foster supervisory convergence and the consistent application of MiCA requirements across EU member states. Accordingly, CASPs will be expected to meet the high standards set out under MiCA, regardless of which NCA its application is submitted to.

Firms should also bear in mind the specific areas that ESMA has highlighted to NCAs when assessing CASP authorisation applications, and ensure that they are able to meet the required standards when submitting their application.

Authored by Christina Wu.