
Digital asset compliance — MiCA transitional window closing

Crypto-asset service providers operating under national regimes have 60 days left to secure MiCA authorisations before the transitional period ends on 30 December 2025.


Executive briefing: The MiCA transitional window closes on 30 December 2025. Crypto-asset service providers (CASPs) operating under national regimes must obtain MiCA authorisation, implement asset-whitepaper governance, and harden market-abuse controls before that date. This roadmap aligns supervisory expectations with engineering and compliance execution, with navigation to the pillar hub, the MiCA authorisation playbook, and recent briefs on MiCA adoption and Reg SP incident response.

Transitional timeline

| Date | Milestone | Required outcome |
| | ART/EMT regime starts | Stablecoin issuers comply with Title III/IV on issuance, reserve, and governance. |
| | CASP rules in force | Market-abuse prohibitions, whitepaper disclosure duties, and custody safeguards apply. |
| | Transitional end | National licences expire; MiCA authorisation and conduct controls must be in production. |

Authorisation workstream

  1. Gap analysis. Map current national permissions to MiCA services (custody, exchange, execution, portfolio management, advice, transfer, placement, trading platform operation).
  2. Programme governance. Appoint accountable executives for capital, safeguarding, conflicts, and operational resilience; set Board cadence through cutover.
  3. Documentation pack. Prepare programme of operations, ICT and outsourcing policy, wind-down plan, business continuity testing evidence, and complaints procedures.
  4. Capital and prudential. Validate initial capital floor by service type; evidence segregation of client assets and daily reconciliation.
  5. Whitepaper diligence. For issuers and offerors, implement template and legal sign-off workflows for Article 6–21 whitepapers, including risk disclosures and technology description.
  6. Regulator engagement. Pre-meet with the national competent authority (NCA), submit complete file, track clock stops, and prepare responses within statutory timelines.

Visual — MiCA control stack

Layers linking investor protection, market integrity, and operational resilience.
        [Investor protection]
          ▸ Whitepapers ▸ Suitability ▸ Disclosures
        [Market integrity]
          ▸ Inside info handling ▸ Market manipulation monitoring ▸ Surveillance alerts
        [Operational resilience]
          ▸ Safeguarding ▸ BCP/DR ▸ ICT & outsourcing
        [Technology controls]
          ▸ Key management ▸ Access control ▸ Change management
            

Market-abuse and conduct controls

| Risk | Control | Monitoring | Owner |
| Insider dealing | Restricted lists, access segmentation, and insider declarations for employees and contractors. | Trade surveillance with pattern detection; quarterly access reviews. | Compliance & Security |
| Market manipulation | Wash trade, spoofing, layering detection rules tuned per venue liquidity profile. | Alert backtesting, false-positive tuning, escalation runbooks. | Surveillance |
| Unfair customer terms | Transparent fee schedules, best-execution policy, and conflicts inventory. | QA of marketing materials; complaints trend analysis. | Legal & Product |
| Custody loss | Segregated on-chain addresses and omnibus-to-ledger reconciliation with daily attestations. | Key ceremony logs, SOC 2 evidence, cold/hot wallet thresholds. | Operations |

Technology and security baseline

  • Key management. HSM-backed signing, dual control for transfers, and no single-operator access; rotation and destruction policy aligned to ISO/IEC 27001.
  • Change management. Version-controlled infrastructure-as-code, segregation of duties, pre-deployment testing, and rollback playbooks.
  • Resilience. Recovery time and point objectives set per service; regular failover tests; third-party outsourcing monitored against DORA-style ICT risk standards.
  • Data and privacy. GDPR-aligned consent and retention; access logs immutable and reviewed; privacy by design for analytics.

Operational runbook (60-day countdown)

  1. Week 1–2: Finalise authorisation file; run completeness check; lock responsible owners.
  2. Week 3–4: Deploy updated surveillance scenarios and rehearse escalation with Legal and Communications.
  3. Week 5–6: Execute BCP/DR tests, evidence RTO/RPO, and refresh outsourcing due diligence.
  4. Week 7–8: Publish MiCA-aligned customer disclosures, fee cards, and complaints channels; backtest best-execution.
  5. Week 9–10: Submit any whitepaper updates; run penetration test and remediate critical findings.
  6. Week 11–12: Final Board attestation, evidence room packaging, and regulator Q&A readiness.

Metrics and evidence

| Metric | Target | Evidence source |
| Authorisation dossier completeness | 100% checklist satisfaction | NCA submission tracker and responses. |
| Surveillance alert timeliness | < 1 hour triage for critical alerts | Case management timestamps. |
| Client asset reconciliation | Daily, zero unreconciled items | Operations logs and CFO sign-off. |
| Change failure rate | < 5% | Deployment pipeline metrics; incident database. |
| Incident communications | < 24 hours to customer notice when applicable | Communications runbook records. |

Key stakeholder actions

  • Board. Approve policy suite (safeguarding, conflicts, ICT risk), sign-off on capital sufficiency, and oversee remediation tracking.
  • Legal. Own whitepaper templates, marketing review, and contractual updates for custody segregation and disclosure acknowledgements.
  • Compliance. Run SM&CR/fit-and-proper checks, monitor conduct KPIs, and liaise with the NCA on information requests.
  • Technology. Maintain service inventories, access controls, logging, and disaster recovery drills aligned to MiCA operational requirements.
  • Operations. Execute reconciliation, incident response, customer support training, and complaints tracking.

Customer communication kit

  • MiCA-aligned service descriptions, risks, and fees in clear language; pre-trade disclosures for retail users.
  • Incident and vulnerability intake channels with response SLAs.
  • Whitepaper availability for relevant tokens, plus notification cadence for updates.
  • Explainer FAQs on custody model, key-loss scenarios, and dispute resolution.

Common pitfalls to avoid

  • Partial licence scope. Filing for one service (e.g., custody) while offering unlicensed services (e.g., advice) triggers supervisory action.
  • Insufficient operational evidence. NCAs expect BCP/DR tests, outsourcing oversight, and ICT logs—not just policies.
  • Weak market-abuse tuning. Using equity-style thresholds without crypto liquidity calibration increases false negatives.
  • Opaque fees. Hidden spread or routing incentives conflict with best-execution obligations.
  • Delayed customer communications. Late incident notices erode trust and invite enforcement.

Issuer and product governance

  • ART/EMT reserve governance. Daily reserve reconciliation, independent valuation of reserve assets, and disclosure of custody arrangements.
  • Algorithmic features. Document stabilisation mechanisms, failure triggers, and contingency liquidity plans.
  • Technology audits. Annual independent security review of smart contracts, custody platforms, and API gateways.
  • Change management. Pre-deployment risk assessment for protocol upgrades; customer notice and rollback options.

Customer experience and disclosures

| Topic | Expectation | Channel |
| Risk factors | Clear articulation of volatility, liquidity, and technology risks. | Whitepaper, app UI, email updates. |
| Fees and execution | Itemised fees, routing logic, and best-execution statement. | Website fee page; pre-trade popups. |
| Complaints | Standard SLA and escalation path with tracking IDs. | Support portal and in-app ticketing. |
| Outages/incidents | Status page with timestamps, scope, and next steps. | Status site, RSS, and customer emails. |

Data and recordkeeping

  • Maintain full order lifecycle data for five years, with immutability guarantees and privacy controls.
  • Log key management events (generation, use, rotation) with dual-control sign-off.
  • Store surveillance models, thresholds, and tuning decisions with effective dates.
  • Retain customer communications related to disclosures, incidents, and complaints.

Third-country and group considerations

  • Assess intra-group outsourcing to non-EU entities against MiCA and DORA ICT-risk expectations; maintain substitution plans.
  • Ensure marketing into the EU aligns with MiCA territorial scope; avoid reverse-solicitation reliance.
  • Document passporting strategy post-authorisation and local consumer-protection overlays.

Assurance and testing cadence

  1. Quarterly surveillance model backtesting with independent review.
  2. Biannual disaster recovery tests covering custody, trading, and customer support systems.
  3. Annual penetration test and smart-contract audit; remediate critical findings before production deployment.
  4. Post-incident reviews within 10 business days; track actions to closure.

Supervisory engagement

  • Maintain a regulator Q&A log with assigned owners and response deadlines.
  • Offer demo sessions showing surveillance dashboards, custody reconciliations, and incident runbooks.
  • Provide early notice of material changes (new services, significant outsourcing, technology migrations).

KPIs for ongoing supervision

| Metric | Target | Review |
| Authorisation response time | ≤ 10 business days per NCA query | Weekly |
| Surveillance false-positive rate | < 20% after tuning | Monthly |
| Custody incident rate | 0 material incidents; near-miss tracking | Monthly |
| Customer complaint resolution | < 15 business days | Weekly |

Training and culture

Deliver role-based training for front-office, operations, and engineering on MiCA conduct, safeguarding, and incident escalation. Reinforce a culture of immediate escalation and accurate disclosures to avoid greenwashing or mis-selling.

Document Board attestations on risk appetite for custody, market abuse, and technology resilience, and align them with MiCA conduct controls.
