EU MiCA Implementation Guide for VASPs: Step-by-Step Compliance Checklist

## What Is MiCA and Why Must VASPs Act Now? The EU Markets in Crypto-Assets Regulation (MiCA) is the world's first comprehensive crypto regulatory framework, requiring all Crypto Asset Service Providers (CASPs) operating in the European Union to obtain authorization from a national competent authority. MiCA entered full force on December 30, 2024, with stablecoin provisions covering Asset-Referenced Tokens (ART) and E-Money Tokens (EMT) effective from June 30, 2024. Any VASP that services EU customers must either hold a CASP license or cease operations in the bloc. Non-compliance carries administrative fines up to 5% of annual global turnover and potential criminal referrals. ## What Changed on December 30, 2024? December 30, 2024 marked the end of the grandfathering window for existing crypto businesses operating in EU member states under prior national regimes. VASPs already registered under pre-MiCA national frameworks were permitted to continue operating under a transitional arrangement until that date, provided they had submitted a CASP authorization application. ESMA published its final technical standards under MiCA in late 2024, establishing precise requirements for authorization dossiers, conflict-of-interest management, and client asset safeguarding. The practical implication for VASPs in 2026 is stark: either hold a valid CASP authorization, be formally in the authorization pipeline with an NCA, or exit EU markets entirely. ## What Is the Difference Between a VASP and a CASP? MiCA introduces the term Crypto Asset Service Provider (CASP) as the EU's legal classification replacing the FATF's VASP terminology in the European regulatory context. A CASP under MiCA is any legal entity that professionally provides one or more crypto-asset services defined in Article 3(1)(16) of the Regulation, including operation of a trading platform, exchange of crypto-assets, execution of orders, placing of crypto-assets, portfolio management, advice, and transfer services. Every CASP must be a legal person established in an EU member state and must hold authorization from the NCA of that member state. ## What Are the MiCA Authorization Requirements Step by Step? Obtaining CASP authorization requires submitting a comprehensive dossier to the relevant NCA including: a detailed business plan, governance framework with fit-and-proper assessments, prudential requirements demonstrating minimum own funds, client asset safeguarding policy, ICT security policies aligned with DORA, AML/CFT policies, and a conflict-of-interest policy. The NCA has 25 business days to declare the application complete and then 40 business days to reach a decision. Total elapsed time is typically 6 to 12 months. | Authorization Element | Minimum Requirement | Estimated Cost | |---|---|---| | Own funds (trading platform) | EUR 150,000 | Already held as capital | | Own funds (exchange/transfer only) | EUR 50,000 | Already held as capital | | Fixed overhead requirement | 25% of prior year overheads | Ongoing | | Governance & fit-and-proper | All SMFs assessed | EUR 15,000–50,000 (legal) | | AML/CFT policies | Full AMLR-aligned framework | EUR 20,000–80,000 | | ICT/DORA security assessment | Full assessment mandatory | EUR 30,000–100,000 | | Legal counsel and filing | NCA-specific dossier | EUR 50,000–200,000 | | **Total estimated authorization cost** | | **EUR 115,000–430,000** | ## How Do ART and EMT Token Rules Work? MiCA establishes two distinct token categories effective June 30, 2024. Asset-Referenced Tokens (ARTs) maintain stable value by referencing multiple currencies, commodities, or crypto-assets. E-Money Tokens (EMTs) maintain stable value by referencing a single official currency. EMT issuers must additionally hold an electronic money institution (EMI) license. Both categories are subject to strict reserve asset requirements, and significant ARTs and EMTs (exceeding 10 million holders or EUR 5 billion in reserve value) are supervised directly by the European Banking Authority (EBA). ## What Does the EU AML Package (AMLR) Require for CASPs? The EU AML Regulation (AMLR), adopted in 2024, imposes directly applicable AML/CFT obligations on CASPs. CASPs must conduct customer due diligence for all customers, with enhanced due diligence for transactions over EUR 15,000, screen against EU consolidated sanctions lists and PEP databases, appoint a dedicated AML compliance officer, maintain transaction records for five years, and file STRs with the relevant FIU. The new EU Anti-Money Laundering Authority (AMLA) will assume direct supervisory responsibility for the largest cross-border CASPs from 2026 onward. ## How Does the Travel Rule Apply Under the Transfer of Funds Regulation (TFR)? The revised EU Transfer of Funds Regulation (TFR) extends Travel Rule obligations to all crypto-asset transfers regardless of value threshold — stricter than FATF's recommended EUR 1,000 threshold. Every transfer between two CASPs must be accompanied by originator and beneficiary information. For transfers to or from unhosted wallets, CASPs must collect the same information and apply enhanced due diligence for transfers exceeding EUR 1,000. | TFR Requirement | Threshold | Data Required | Action if Missing | |---|---|---|---| | CASP-to-CASP transfer | EUR 0 (all amounts) | Full originator + beneficiary | Block or reject transfer | | Transfer to unhosted wallet | EUR 0 (collect); EDD at EUR 1,000 | Wallet owner identity | Enhanced due diligence | | Transfer from unhosted wallet | EUR 0 (collect); EDD at EUR 1,000 | Wallet owner identity | Enhanced due diligence | | High-risk third country transfers | All amounts | Enhanced information set | Country-specific controls | | Record retention | All transfers | Full data set | 5 years minimum | ## What Is the MiCA Passporting Mechanism? Once a CASP has obtained authorization in one member state, it may provide the same services in any other EU member state under that single license. The process requires the CASP to notify its home NCA, which forwards the notification to the host state NCA within 10 business days. The CASP may commence cross-border services 15 business days after submitting the notification. This passport covers all 27 EU member states plus three EEA countries. ## What Is the Practical Step-by-Step MiCA Compliance Checklist? **Phase 1 — Scoping and Gap Analysis (Months 1–2):** Map all EU customer-facing activities against MiCA service definitions; determine applicable token categories; identify the most favorable authorization jurisdiction; conduct a formal gap analysis. **Phase 2 — Authorization Preparation (Months 2–6):** Engage local legal counsel; prepare governance documentation; draft AML/CFT policies aligned with AMLR; prepare ICT security framework per DORA requirements; capitalize the entity. **Phase 3 — Application Filing (Month 6–7):** Submit the completed authorization dossier; engage with NCA queries during review. **Phase 4 — Operational Implementation (Months 7–12):** Deploy Travel Rule solution with IVMS101 support; implement transaction monitoring; configure AML screening; establish STR filing workflows; conduct staff AML training. **Phase 5 — Ongoing Compliance (Post-Authorization):** Submit annual compliance reports; maintain DORA-compliant ICT risk assessment cycle; monitor ESMA and EBA guideline updates. ## What Are the Penalties for MiCA Non-Compliance? For the most serious breaches, NCAs may impose fines up to EUR 5,000,000 for natural persons or up to 5% of annual worldwide turnover for legal entities. For ongoing regulatory breaches, fines of up to EUR 700,000 for natural persons or 2% of annual worldwide turnover apply. NCAs may also issue public warnings, impose temporary bans on service provision, and refer criminal conduct to prosecutorial authorities. ## How Can Defy Help VASPs Navigate MiCA Compliance? Defy provides the compliance infrastructure that CASPs need to meet MiCA, TFR Travel Rule, and AMLR obligations from a single integrated platform. Defy's Live AML solution delivers real-time blockchain transaction monitoring, automated sanctions screening, and risk scoring calibrated to MiCA's risk-based approach requirements. The Defy Travel Rule module supports IVMS101 data standards, integrates with ESMA's CASP authorization register for counterparty verification, and handles both CASP-to-CASP and unhosted wallet transfer workflows. Whether you are preparing your initial MiCA authorization dossier or operationalizing Travel Rule compliance across multiple EU jurisdictions, Defy's platform can accelerate your MiCA readiness. [Contact Defy](https://getdefy.co/contact) for a MiCA compliance assessment.