Compliance Regulation MiCA

MiCA Compliance for Crypto Exchanges: The Complete 2026 Guide

Codono Team

| February 21, 2026 | 23 min read

MiCA Compliance Is Now Mandatory for Every Crypto Exchange Serving EU Users

If you operate a crypto exchange that serves European users — or you are planning to launch one — MiCA compliance is no longer optional. The Markets in Crypto-Assets Regulation (MiCA) is fully enforced across all 27 EU member states, transition periods have expired, and regulators are actively blocking non-compliant operators.

In this guide, you will learn:

What MiCA requires from crypto-asset service providers (CASPs)
How to get CASP authorization — capital requirements, governance, and application process
Stablecoin listing rules under the EMT and ART framework
Technical and operational requirements for your exchange platform
How MiCA compares to regulatory frameworks in the US, Dubai, Singapore, and Hong Kong
A step-by-step checklist to take your exchange from zero to fully licensed
Realistic cost and timeline estimates for the entire process

Whether you are building a new exchange with crypto exchange software or adapting an existing platform, this guide gives you the operational knowledge to navigate MiCA without wasting time or budget.

What Is MiCA and Why Does It Matter?
Who Needs CASP Authorization Under MiCA?
CASP Capital and Organizational Requirements
MiCA Stablecoin Rules: ARTs and EMTs
Technical and Operational Compliance Requirements
MiCA vs. Other Crypto Regulatory Frameworks
MiCA Enforcement Timeline: What’s Live and What’s Coming
Step-by-Step CASP Authorization Checklist
How Codono Helps With MiCA Compliance
Frequently Asked Questions
Conclusion and Next Steps

What Is MiCA and Why Does It Matter for Crypto Exchanges?

MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the European Union’s single regulatory framework for crypto-assets and crypto-asset service providers. It replaces the previous patchwork of 27 different national regulations with one harmonized rulebook. This section explains what MiCA covers and why it fundamentally changes how exchanges operate in Europe.

MiCA was adopted in June 2023. Stablecoin provisions took effect in June 2024, and the full CASP authorization requirements became enforceable by late 2024 into 2025. The regulation does three fundamental things:

1. It creates a single rulebook for crypto across the entire EU. Before MiCA, each member state had its own approach — France had DASP registration, Germany had BaFin licensing, Malta had its VFA framework, and some countries had nothing at all. MiCA replaces all of that. Get authorized as a CASP in any EU member state, and you can passport that authorization across all 27 member states. One application. One fee. Access to the entire 450-million-person European market.

2. It defines clear categories of crypto-assets. MiCA classifies crypto-assets into three buckets:

Asset-Referenced Tokens (ARTs): Tokens maintaining stable value by referencing multiple currencies, commodities, or other crypto-assets. Think multi-collateral stablecoins.
E-Money Tokens (EMTs): Tokens maintaining stable value by referencing a single official currency. Think USDC (referenced to USD) or EURC (referenced to EUR).
Other crypto-assets: Everything else — Bitcoin, Ethereum, utility tokens, meme coins, all of it.

Each category has different rules for issuers and different implications for exchanges that list them.

3. It defines what crypto-asset service providers can do and how they must do it. MiCA identifies ten categories of crypto-asset services, from custody and exchange to advisory and portfolio management. Each comes with specific requirements around capital, governance, disclosure, and conduct.

Here is the key insight most guides miss: MiCA is actually well-designed regulation. Compared to the patchwork that came before it — where you needed separate registrations in France, Germany, the Netherlands, and every other EU country you wanted to serve — MiCA is a massive simplification. One license. Twenty-seven countries. That is a deal most exchange operators should be eager to take.

Who Needs CASP Authorization Under MiCA?

Any entity providing crypto-asset services to EU residents needs CASP authorization — regardless of where the company is incorporated. This section clarifies who falls under MiCA’s scope and who qualifies for exemptions.

Crypto Exchanges That Definitely Need CASP Authorization

You need authorization if you:

Operate a crypto exchange (spot trading, order matching, OTC desk) serving EU users
Provide custody or administration of crypto-assets for EU clients
Execute orders for crypto-assets on behalf of EU clients
Provide crypto-asset transfer services in the EU
Offer advice on or manage portfolios of crypto-assets for EU clients
Place crypto-assets on behalf of issuers in the EU

Third-Country Exchanges Targeting EU Users

You still need to comply if you:

Operate outside the EU but actively market to EU users (MiCA applies based on where the customer is, not where you are incorporated)
Run a DeFi protocol with a centralized front-end or identifiable team that serves EU users
Issue tokens available on exchanges serving EU markets

The third-country problem is critical. MiCA Article 61 makes this explicit: third-country firms cannot provide crypto-asset services to EU clients without authorization. The “we are not based in the EU so EU rules don’t apply” argument is legally dead. Several offshore exchanges learned this in 2025 when ESMA coordinated with national regulators to block access from EU IP addresses, issue formal cease-and-desist orders, and impose fines.

Who Is Exempt From MiCA?

Entities dealing only with crypto-assets that qualify as financial instruments under MiFID II (those fall under existing securities regulation)
The European Central Bank, national central banks, or EU institutions acting in public capacity
Fully decentralized protocols with no identifiable service provider (the “true DeFi” exemption — but the definition of “fully decentralized” is narrow and contested)

CASP Capital and Organizational Requirements for Crypto Exchanges

Getting authorized as a Crypto-Asset Service Provider is the gateway to operating legally in the EU. This section covers the capital requirements, governance structure, and organizational policies you need to have in place before applying.

Minimum Capital Requirements for CASP Authorization

MiCA sets minimum capital requirements based on the services you provide. This is permanent capitalization, not an application fee:

CASP Service Category	Minimum Capital Requirement
Providing advice on crypto-assets	50,000 EUR
Executing orders / Placing crypto-assets	50,000 EUR
Receiving and transmitting orders	50,000 EUR
Operating a crypto-asset trading platform	150,000 EUR
Exchanging crypto-assets for funds or other crypto-assets	125,000 EUR
Custody and administration of crypto-assets	125,000 EUR
Transfer services for crypto-assets	125,000 EUR
Portfolio management of crypto-assets	125,000 EUR

Important nuance: If you provide multiple services (which most exchanges do — trading platform + custody + execution), you are subject to the highest applicable requirement, not the sum. A typical exchange needs 150,000 EUR in capital. There is also an alternative calculation: 25% of fixed overhead expenditures from the previous year. You need the higher of the two figures.

Governance and Organizational Requirements

This is where most CASP applications get delayed or rejected. Your exchange needs:

Management body requirements: Directors and senior management must meet “fit and proper” criteria — clean criminal records, demonstrable knowledge and experience in financial services or technology, and sufficient understanding of the crypto-asset services being offered.

Documented governance policies for:

Internal controls and risk management
Business continuity and disaster recovery
Outsourcing arrangements (including tech providers)
Record-keeping and data retention (minimum 5 years)
Complaint handling procedures
Conflicts of interest identification and management
Personal transaction monitoring for staff

Dedicated compliance function: Either a full-time compliance officer or an outsourced arrangement with a qualified provider, responsible for monitoring MiCA adherence and acting as the primary contact with your national competent authority.

Client asset segregation: Client funds and crypto-assets must be segregated from the CASP’s own assets at all times. This requires technical enforcement in your wallet infrastructure and accounting systems — not just a policy document. This is where having proper security features built into your exchange platform becomes essential. The FTX-inspired provisions here have real teeth, and regulators take them seriously.

Information Disclosure Requirements

Before providing services, you must prominently communicate to users: your identity and regulatory status, complaint handling procedures, conflicts of interest policies, crypto-asset descriptions with risk warnings, full pricing structure, custody arrangements, and liability policies. Your admin dashboard should give you the tools to manage and display this information across your platform.

MiCA Stablecoin Rules for Exchanges: ARTs and EMTs

The stablecoin provisions are arguably the most impactful part of MiCA for exchange operators. These rules went into effect in June 2024 and have already reshaped which stablecoins exchanges can list in the EU. This section explains what you can and cannot list.

E-Money Token (EMT) Rules

An EMT references a single official currency and purports to maintain stable value — USDT referenced to USD, EURC referenced to EUR.

Who can issue EMTs: Only credit institutions (banks) or authorized electronic money institutions. This means stablecoin issuers without EU e-money authorization cannot issue EMTs for the EU market. Tether (USDT) faced significant compliance challenges here.

EMT reserve requirements:

100% of token value backed by reserves at all times
At least 30% of reserves held in deposits at EU credit institutions (60% for “significant” EMTs)
Reserves invested in safe, low-risk assets
Token holders have right of redemption at par value at any time
Issuers must publish regular reserve composition reports

What this means for your exchange: Verify that any stablecoin you list is issued by a MiCA-compliant entity. Listing a non-compliant stablecoin exposes you to regulatory action. Major compliant options as of 2026 include USDC and EURC (Circle, authorized through an EU-licensed entity) and several EU-native stablecoin projects.

Asset-Referenced Token (ART) Rules

ARTs reference multiple assets — a basket of currencies, commodities, or crypto-assets. Key requirements include explicit authorization from the national competent authority, an approved white paper, diversified reserve requirements, and enhanced EBA supervision for “significant” ARTs (daily volume above 5 million transactions or value exceeding 1 billion EUR).

Token Listing Decision Framework for EU-Compliant Exchanges

Token Type	Can You List It?	Requirements
Bitcoin, Ethereum, utility tokens	Yes	Standard due diligence, white paper disclosure
EUR-backed stablecoin (EMT)	Yes, if issuer is MiCA-authorized	Verify issuer’s authorization
USD-backed stablecoin (EMT)	Yes, if issuer is MiCA-authorized	Verify issuer’s authorization
Multi-asset stablecoin (ART)	Yes, if issuer has ART authorization	Verify ART authorization, check significance thresholds
Unauthorized stablecoin	No	Do not list
Security tokens (MiFID II instruments)	Not under MiCA	Requires MiFID II authorization (separate framework)
NFTs (truly unique, non-fungible)	Exempt from MiCA	Limited applicability, monitor guidance
Fractionalized NFTs or large collections	Potentially in scope	Seek legal guidance — may be treated as fungible crypto-assets

Technical and Operational Compliance Requirements for Crypto Exchanges

MiCA goes beyond governance and capital — it imposes specific technical requirements that affect your exchange’s architecture and daily operations. This section covers cybersecurity, record-keeping, and market abuse prevention obligations.

ICT Security and Operational Resilience Under MiCA and DORA

Your exchange must implement ICT security policies aligned with the EU’s Digital Operational Resilience Act (DORA), which applies to all EU financial entities including CASPs:

Cybersecurity framework: Documented policies covering network security, access controls, encryption, vulnerability management, and penetration testing (at least annually, ideally quarterly for internet-facing systems)
Incident management: Procedures for detecting, managing, and reporting significant ICT incidents to your national competent authority without undue delay
Business continuity: Documented BCP and disaster recovery plans that are tested regularly — regulators want evidence of testing, not just documentation
Third-party risk management: Formal agreements with critical service providers covering security requirements, audit rights, and exit strategies

Strong built-in security features are a regulatory requirement, not just good practice. Your exchange platform needs to support these controls natively. For a comprehensive look at exchange security architecture, see our security architecture deep dive.

Record-Keeping Requirements (Minimum 5 Years)

MiCA requires records of all services, activities, and transactions for at least five years, sufficient for the competent authority to reconstruct every transaction. Specifically: all orders (timestamps, quantities, prices, counterparties), client onboarding data (KYC/CDD documentation), client communications, complaints and actions taken, suspicious activity reports, and internal audit reports.

Market Abuse Prevention and Surveillance

MiCA introduces market abuse rules modeled on the Market Abuse Regulation (MAR). Exchange operators must:

Implement systems to detect and report suspicious orders (insider trading, market manipulation, front-running, wash trading, spoofing, layering)
Maintain insider lists for staff with access to material non-public information
Prohibit conflicting staff personal trading
Report detected market abuse to the competent authority

ESMA has issued guidelines on market surveillance systems, and national regulators include surveillance capabilities in CASP authorization assessments. If your exchange lacks market monitoring tools, you will need to add them.

MiCA vs. Other Crypto Regulatory Frameworks: A Global Comparison

Choosing where to base your exchange requires understanding how MiCA compares to competing regulatory frameworks. This comparison helps you evaluate the trade-offs between market access, cost, and compliance burden.

Requirement	EU (MiCA)	US (Federal + State)	Dubai (VARA)	Singapore (MAS)	Hong Kong (SFC)
Single license covers	All 27 EU member states	Federal only — state MTLs required separately	Dubai only (not other Emirates)	Singapore only	Hong Kong only
Minimum capital	50,000 - 150,000 EUR	Varies by state ($0 - $5M+)	150,000 - 600,000+ AED	SGD 250,000	HKD 5,000,000
Application cost (total)	30,000 - 100,000 EUR	$100,000 - $500,000+	$15,000 - $50,000	$50,000 - $100,000	$80,000 - $200,000
Timeline	3-6 months	6-24 months (varies by state)	2-4 months	6-12 months	6-12 months
Ongoing monthly cost	5,000 - 15,000 EUR	$10,000 - $30,000	$3,000 - $8,000	$8,000 - $20,000	$15,000 - $30,000
Travel Rule threshold	0 EUR (all transfers)	$3,000	3,500 AED	1,500 SGD	0 HKD (all transfers)
Market access	450M people (27 countries)	330M people (50 states)	~3.5M people (Dubai only)	~6M people	~7.5M people
Enforcement posture	Aggressive, accelerating	Fragmented, aggressive on securities	Moderate, increasing	Strict, thorough	Selective, serious

The MiCA advantage: Unmatched market access per license. No other jurisdiction gives you 450 million potential users from a single authorization. The US might have a larger total market, but reaching it requires navigating a multi-year, million-dollar patchwork of federal and state licenses.

Where MiCA is tougher: The zero-threshold Travel Rule is the strictest globally. Stablecoin restrictions have real teeth. Ongoing compliance obligations are more demanding than lighter-touch regimes.

For a detailed breakdown of licensing costs across jurisdictions, our crypto exchange license guide covers each one in depth. Also see our institutional exchange requirements guide for enterprise-level considerations.

MiCA Enforcement Timeline: What’s Live and What’s Coming

Understanding what is already enforced versus what is still evolving helps you prioritize your compliance efforts. This section provides a precise status update as of early 2026.

Already in Full Effect

Stablecoin provisions (Title III and IV): Effective since June 30, 2024. EMT and ART issuers must be authorized. Non-compliant stablecoins cannot be issued or marketed in the EU.
CASP authorization requirements (Title V): Effective since December 30, 2024. No new CASPs can operate without authorization.
Transition provisions: Most major member states (France, Germany, Netherlands) had transitions end by mid-2025. A handful of smaller member states still have transitional CASPs through mid-2026 — but the window is closing.
Transfer of Funds Regulation (TFR): Zero-threshold Travel Rule for all VASP-to-VASP transfers is fully enforced.

Still Being Finalized or Refined

ESMA Level 2 regulatory technical standards (RTS): Detailed implementation standards being issued throughout 2025-2026. Most finalized, some still in consultation.
Market abuse surveillance standards: Principles are clear, but specific technical requirements for exchange detection systems are being refined.
DeFi and NFT guidance: Boundaries around “fully decentralized” exemption and NFT fungibility are still being tested by ESMA and national authorities.
Third-country equivalence assessments: No equivalence decisions made yet — a 2026-2027 development to watch.

Coming in the Next 12-18 Months

Enhanced sustainability disclosures for crypto-assets (ESMA developing standards)
Increased supervisory convergence across member states (less room for regulatory shopping)
Potential MiCA II discussions — European Commission review expected by 2027, with early policy discussions around DeFi, lending, and staking already beginning

For exchanges offering a staking platform, note that crypto staking services are being addressed through ESMA guidance. The regulatory treatment is settling but may still shift. Our staking and earn features guide covers the product and compliance considerations in detail.

Step-by-Step CASP Authorization Checklist for Crypto Exchanges

This practical checklist takes you from zero to authorized. Follow these steps in order to navigate the CASP application process efficiently.

Step 1: Choose Your EU Member State

Apply to the national competent authority (NCA) of the member state where you establish your legal entity. Consider:

Processing speed: Lithuania and Czech Republic have been notably efficient. France and Germany are thorough but slower.
Regulatory culture: Some NCAs engage in pre-application dialogue. Others are more formal.
Language: Some NCAs accept English applications. Others require the local language.
Substance requirements: You need operational presence. The definition of “substance” varies.

Recommendation for most operators: Lithuania, Ireland, or the Netherlands — balancing processing efficiency, English-language capability, established crypto ecosystems, and reasonable costs.

Step 2: Establish Your Legal Entity

Incorporate in your chosen member state with a registered office, at least one local director, legal counsel in the jurisdiction, and a banking relationship with an EU bank.

Step 3: Prepare Your Capital

Ensure you meet the minimum capital requirements for your service mix. The capital must be in place when you submit your application.

Step 4: Build Your Compliance Framework

This is the most time-consuming part. You need documented policies for:

AML/CFT procedures (customer due diligence, ongoing monitoring, suspicious activity reporting)
KYC procedures with tiered verification levels
Client asset segregation policy and technical implementation
Business continuity and disaster recovery plan
ICT security policy (covering DORA requirements)
Complaints handling procedure
Conflicts of interest policy
Outsourcing policy
Record-keeping policy (5-year minimum retention)
Market abuse detection and reporting procedures
Personal transactions policy for staff
Data protection policy (GDPR compliance)

Step 5: Set Up Your Technology Stack

Your exchange platform must support MiCA’s technical requirements. If building from scratch, this is a 12-18 month project. If using a white-label exchange solution, verify it covers:

KYC/AML integration with tiered verification, PEP screening, sanctions checking
Transaction monitoring and suspicious activity flagging
Travel Rule compliance (zero threshold for EU)
Client asset segregation at the wallet level
Comprehensive audit logging
Market surveillance tools
Incident reporting capabilities

For a full technology stack overview, see our crypto exchange technology stack guide.

Step 6: Appoint Key Personnel

At minimum: a compliance officer (can be outsourced initially), an MLRO (Money Laundering Reporting Officer), and management body members meeting “fit and proper” criteria.

Step 7: Submit Your Application and Engage With the Regulator

Submit to your chosen NCA, then prepare for multiple rounds of queries and clarification requests. This is normal. Respond thoroughly and promptly — delayed responses are the number one reason applications take longer than expected.

Step 8: Go Live and Maintain Ongoing Compliance

Authorization is the beginning. Ongoing obligations include regular NCA reporting (quarterly or annual), maintaining capital adequacy, updating policies when regulations change, cooperating with supervisory examinations, filing SARs within mandated timeframes, and keeping white papers and client disclosures current.

How Codono Exchange Software Supports MiCA Compliance

Codono is exchange software, not a law firm or compliance consultancy. We cannot get you your CASP authorization — that requires legal counsel and a proper application process. What we do is make the technology side of compliance dramatically easier.

Built-in KYC/AML: Our KYC/AML system integrates with Sumsub out of the box — tiered identity verification, document checks, liveness detection, PEP screening, and sanctions list checking across 220+ countries. This covers MiCA’s customer due diligence requirements from day one.

Transaction monitoring: Automated monitoring for suspicious patterns — structuring, rapid movement, dormancy spikes, geographic risk indicators. Alerts route to your compliance dashboard for review and escalation.

Travel Rule support: Data collection and transmission for originator and beneficiary information on every crypto transfer, meeting the EU’s zero-threshold requirement.

Client asset segregation: Segregated client wallets with independent reconciliation, meeting MiCA’s client asset protection requirements at the technical level.

Audit logging: Every action logged with timestamps and stored for your jurisdiction’s retention period. When the regulator asks to reconstruct a transaction, you pull it up in seconds.

Admin dashboard: The admin dashboard provides centralized compliance status, pending verifications, flagged transactions, and regulatory reporting data.

Multi-jurisdiction support: Different compliance rules per jurisdiction — serve EU and non-EU markets from one platform without running separate instances.

What Codono does not replace: Legal counsel, a qualified compliance officer, the CASP application process, and regulatory judgment calls. What we replace is months of custom development for compliance tooling that has nothing to do with your competitive advantage.

Check our pricing or start a conversation to evaluate whether our platform fits your compliance needs. For a broader perspective on building your exchange, see our how to start a crypto exchange guide.

Frequently Asked Questions About MiCA Compliance

Can I operate in the EU without CASP authorization if my crypto exchange is based outside the EU?

No. MiCA Article 61 explicitly prohibits third-country firms from providing crypto-asset services to EU clients without authorization. If you actively solicit EU customers — through targeted marketing, local-language websites, or accepting EU payment methods — you are in scope regardless of where your company is incorporated. Regulators have already blocked and fined offshore exchanges that tried to serve EU users without authorization during 2025.

How long does the CASP authorization process take for a crypto exchange?

Plan for 3-6 months from application submission to authorization, assuming your application is complete. The clock starts when the NCA confirms completeness, not when you first submit. Smaller member states (Lithuania, Czech Republic, Malta) tend to process faster than larger ones (France, Germany). The biggest variable is how quickly you respond to follow-up questions.

What happens if my national crypto license transition period has expired?

If your transition period has expired and you have not obtained CASP authorization, you are operating illegally. Contact your NCA immediately — in some cases, expedited processing is available if you can demonstrate you were applying before the deadline.

Which stablecoins can I list on my EU-compliant crypto exchange?

Only stablecoins issued by MiCA-authorized entities. For EMTs, the issuer must be an authorized credit institution or e-money institution in the EU. For ARTs, specific ART authorization is required. Major compliant options as of 2026 include USDC and EURC (Circle) and several EU-native stablecoin projects. Listing unauthorized stablecoins exposes your exchange to regulatory action.

How much does MiCA compliance cost in total for a crypto exchange?

Budget approximately 50,000-120,000 EUR for initial authorization (legal fees, application preparation, compliance framework), plus the 150,000 EUR minimum capital requirement. Ongoing compliance costs run 5,000-15,000 EUR per month. Using exchange software with built-in compliance features reduces the technology component significantly compared to custom infrastructure. See our cost to build a crypto exchange guide for detailed budgeting.

Does MiCA apply to DeFi protocols and NFTs?

MiCA excludes “fully decentralized” services and truly non-fungible tokens. However, the boundaries are narrower than many expect. A DeFi protocol with an identifiable team, centralized front-end, governance token holders who influence parameters, or admin keys is unlikely to qualify. Large NFT collections with functionally interchangeable tokens may be treated as fungible crypto-assets. ESMA is developing further guidance.

What is the relationship between MiCA and DORA for crypto exchanges?

DORA applies to EU financial entities, and CASPs authorized under MiCA are explicitly included. DORA imposes ICT risk management, incident reporting, resilience testing, and third-party risk management requirements. In practice, MiCA and DORA overlap significantly on cybersecurity and operational resilience. Build your compliance framework to satisfy both simultaneously.

Conclusion: Start Your MiCA Compliance Journey Today

MiCA is the most significant crypto regulation ever enacted, and it is fully live. For crypto exchange operators, this creates both an obligation and an opportunity.

The obligation: If you serve EU customers, you must be authorized. Capital requirements, governance standards, and compliance obligations are real and enforced. There is no “wait and see” left.

The opportunity: A single CASP authorization opens the door to 450 million potential users across 27 countries. Exchanges that are already MiCA-compliant are winning market share from competitors who could not or would not adapt. In a post-FTX world, “we are fully regulated under MiCA” is a competitive advantage no amount of marketing can replicate.

The path to compliance is well-defined: choose your member state, prepare your capital, build your compliance framework, get your technology right, and engage with the regulator honestly. With the right exchange platform and qualified legal counsel, you can go from zero to authorized in six months.

Next Steps

Evaluate your technology stack — Does your exchange platform support MiCA’s technical requirements? Request a demo to see how Codono handles compliance out of the box.
Engage legal counsel in your target EU member state — Start the pre-application dialogue with the NCA.
Review our related guides:
- Crypto Exchange License Guide — Multi-jurisdiction licensing breakdown
- KYC Compliance Guide — Deep dive into identity verification
- Security Architecture — Technical security framework
- How to Start a Crypto Exchange — End-to-end launch guide
Contact our team — We have helped hundreds of operators navigate the compliance landscape and can tell you honestly whether our platform fits your needs.

The exchange operators who prepared early are already reaping the rewards. The ones starting now can still catch up. The ones who keep waiting are running out of time.

This is operational guidance, not legal advice. Regulation is nuanced and your specific situation may have wrinkles this guide cannot anticipate. Work with qualified legal counsel in your target member state. What we provide is the practical technology context that most lawyers don’t — learned from helping hundreds of exchange operators navigate compliance with our crypto exchange software.

Compliance Regulation MiCA EU Guide 2026