MiCA Regulation: EU Crypto Asset Framework for Payment Companies

The EU crypto market reached an estimated 31 million users by 2024, operating under fragmented national regulations that created compliance uncertainty and consumer protection gaps. Payment companies handling stablecoins faced different rules in each EU country, limiting cross-border operations and creating regulatory arbitrage.

MiCA (Markets in Crypto-Assets) regulation establishes the EU's first comprehensive framework for crypto assets, fully applicable since December 30, 2024. It replaces the patchwork of national regulations with harmonized rules across 27 member states, enabling authorized providers to operate pan-European through passporting rights.

This guide explains what MiCA regulates, who needs authorization, compliance requirements for payment companies, and how the framework affects stablecoin operations. Understanding these requirements helps payment companies determine licensing needs and leverage passporting rights for EU-wide operations.

What is MiCA regulation?

MiCA (Regulation EU 2023/1114) is the European Union's comprehensive regulatory framework for crypto assets that became fully applicable on December 30, 2024. It covers issuance, trading, and services for crypto assets not regulated by existing financial services legislation like MiFID II.

The regulation was proposed in 2020, underwent revisions through 2021-2022, and received final approval from EU Parliament in April 2023. Implementation occurred in two phases: stablecoin provisions (asset-referenced tokens and e-money tokens) took effect June 30, 2024, followed by full application covering all crypto asset service providers on December 30, 2024.

MiCA's primary goals are consumer protection, market integrity, financial stability, and establishing harmonized rules across EU member states. According to ESMA, the regulation empowers them to publish a central register of authorized crypto asset service providers and non-compliant entities. This creates transparency and enables cross-border supervision that was impossible under fragmented national regimes.

What crypto assets does MiCA regulate?

MiCA categorizes crypto assets into three distinct classes, each with different regulatory requirements based on their characteristics and risks.

Asset-referenced tokens (ARTs)

ARTs stabilize value using multiple official currencies, commodities, or other assets. They require authorization before public offering in the EU, must maintain reserve backing matching issued tokens, and enable redemption based on current market value of reserve assets.

Issuers must be EU-based entities, publish detailed whitepapers approved by national competent authorities, and undergo regular audits of reserves. ARTs can become "significant" based on criteria like holder base size or transaction volume, triggering enhanced supervision by the European Banking Authority. The provisions for ARTs have been applicable since June 30, 2024.

E-money tokens (EMTs)

EMTs are pegged to a single fiat currency and must maintain 1:1 redemption at par value. They face the strictest regulatory requirements under MiCA because they function as digital cash. Major stablecoins like USDC and USDT fall into this category when operating in the EU.

Credit institutions authorized under existing banking regulations can issue EMTs after notifying their supervisory authority and publishing a whitepaper, giving them a streamlined path compared to new market entrants. EMTs must maintain full liquid asset backing, submit regular transparency reports, and meet capital requirements. Like ARTs, EMTs can be designated as "significant," triggering EBA oversight. EMT provisions have been applicable since June 30, 2024.

Other crypto assets (utility tokens)

Utility tokens and other crypto assets not classified as financial instruments under MiFID II require white papers and transparency disclosures but face lighter requirements than stablecoins. These include governance tokens, access tokens, and other cryptographic assets providing utility rather than investment value.

Issuers must publish white papers containing clear descriptions of token functionality, associated risks, and underlying technology. Marketing must be clear, fair, and not misleading. NFTs are generally excluded from MiCA scope except when their features or uses would reclassify them as crypto assets under the regulation.

Who needs MiCA authorization?

Crypto Asset Service Providers (CASPs) offering services to EU clients must obtain MiCA authorization by December 30, 2024, regardless of where they're located globally. Authorization from one EU member state enables passporting rights across all 27 member states.

MiCA regulates eleven distinct crypto asset services:

• Custody and administration of crypto assets on behalf of clients
• Operating trading platforms for crypto assets
• Exchange of crypto assets for fiat currency
• Exchange of crypto assets for other crypto assets
• Execution of orders for crypto assets on behalf of clients
• Placing of crypto assets
• Reception and transmission of orders for crypto assets on behalf of clients
• Providing advice on crypto assets
• Portfolio management on crypto assets
• Providing transfer services for crypto assets on behalf of clients

To avoid regulatory overlap, MiCA authorization requirements don't apply to services provided by certain authorized European financial institutions like credit institutions, investment firms, and e-money institutions already supervised under existing frameworks.

Requirements for non-EU payment companies

Non-EU companies must establish a legal presence in the EU to serve EU clients. According to Norton Rose Fulbright's MiCA guide, there is no third-country equivalence regime under MiCA.

Required elements include: registered office in an EU member state, conducting at least part of crypto asset services from the EU office, effective place of management in the EU, and at least one director who is an EU resident. This differs from some financial services regulations that allow third-country firms to operate through equivalence determinations.

Transitional measures and grandfathering

Entities providing crypto services under national law before December 30, 2024 can continue operating until July 1, 2026 or until granted/refused MiCA authorization, whichever comes first. This Article 143(3) grandfathering provision allows existing operators time to transition.

Member states can also implement simplified authorization procedures (Article 143(6)) for entities already authorized under national law on December 30, 2024. However, entities operating under transitional measures cannot use MiCA passporting rights until they receive full MiCA authorization. As ESMA noted in December 2024, this creates different transitional periods across member states during the 18-month transition window.

MiCA compliance requirements for payment companies

CASPs must meet capital requirements, implement AML/CFT controls, maintain operational resilience, and comply with market abuse prevention rules. These obligations apply to all CASPs regardless of which specific services they provide.

Capital and operational requirements

CASPs must maintain minimum capital based on service type and volume. Custody providers, exchange operators, and portfolio managers face higher capital requirements than advisory or order transmission services. The European Banking Authority has published draft regulatory technical standards detailing own funds requirements, liquidity management policies, and stress testing obligations.

"Significant" CASPs (15 million or more active users annually in the EU) face enhanced requirements and reporting obligations. While supervised at national level, significant CASPs must report to ESMA on key supervisory developments. According to an ECB board member, the 15 million threshold would likely exclude major global exchanges, creating potential regulatory gaps.

AML/CFT and Transfer of Funds Regulation

CASPs must comply with the EU's Fifth Anti-Money Laundering Directive (5AMLD) and Transfer of Funds Regulation (TFR). The TFR introduces "travel rule" requirements: CASPs must collect and exchange information about senders and recipients for every crypto asset transfer, similar to traditional wire transfers.

These requirements include: KYC verification for all customers, transaction monitoring for suspicious activity, maintenance of comprehensive transaction records, and suspicious activity reporting to national financial intelligence units. The TFR provisions became enforceable on December 30, 2024, alongside full MiCA application. Payment companies must implement systems capable of exchanging personal data with counterparty CASPs to ensure transparency and prevent money laundering.

Market abuse and consumer protection

MiCA introduces market abuse provisions prohibiting insider trading, market manipulation, and unlawful disclosure for crypto assets. These rules mirror those in traditional securities markets under the Market Abuse Regulation (MAR), adapted for crypto asset characteristics.

CASPs must implement policies and procedures to detect and prevent market abuse, maintain order book records in prescribed formats, and report suspicious transactions to national competent authorities. Marketing communications must be clearly identifiable, fair, clear, and not misleading. Consumer-facing materials must disclose risks associated with crypto asset volatility, potential loss of capital, and absence of deposit insurance.

Passporting rights and cross-border operations

MiCA-authorized CASPs can passport services across all 27 EU member states without obtaining separate authorizations in each country. This single authorization for pan-European operations is one of MiCA's most significant benefits for payment companies.

Passporting works through notification to the home authority, which then coordinates with host member state authorities. This process mirrors passporting under traditional financial services regulations like PSD2 and MiFID II. However, entities operating under transitional national measures cannot use passporting rights until they obtain full MiCA authorization.

The harmonized framework eliminates the previous need to navigate 27 different national crypto regimes, each with distinct requirements and supervisory approaches. For payment companies processing cross-border transactions, this dramatically reduces compliance costs and time-to-market for EU expansion.

Impact on payment companies using stablecoins

Payment companies using USDC, USDT, or other stablecoins for cross-border payments must ensure their stablecoin partners are MiCA-compliant. Non-compliant stablecoins cannot be offered or admitted to trading in the EU after June 30, 2024, when stablecoin provisions took effect.

According to ESMA's January 2025 public statement, CASPs providing services involving non-MiCA compliant ARTs and EMTs face restrictions. Major stablecoin issuers like Circle (USDC) and Tether (USDT) are pursuing MiCA compliance to maintain EU market access.

Société Générale became the first major bank to list a MiCA-compliant stablecoin in December 2023, launching EUR CoinVertible on Bitstamp, a Luxembourg-based exchange. This demonstrated how traditional financial institutions can leverage MiCA's framework to enter stablecoin markets.

Payment platforms must verify that partner stablecoins are authorized under MiCA before using them for EU operations. This includes checking the ESMA register of authorized issuers and ensuring ongoing compliance. Non-compliance risks service interruptions, regulatory penalties, and loss of EU market access.

How payment companies should prepare for MiCA

Payment companies serving EU clients should determine license category, assemble required documentation, align business processes with AML/KYC regulations, and apply for authorization before transitional periods expire in July 2026.

Preparation framework:

1. Determine license category: Identify which CASP services you provide. Most payment platforms need authorization for custody, exchange services (crypto-to-fiat), and transfer services at minimum.
2. Conduct gap analysis: Compare current operations against MiCA requirements for capital adequacy, governance structures, IT systems, and compliance programs. Document gaps and create remediation plans.
3. Assemble documentation: Prepare proof of capital adequacy, organizational structure and governance procedures, risk management policies, AML/CFT compliance programs, IT security and business continuity plans, and staff qualifications.
4. Apply for authorization: Submit applications to your chosen member state's national competent authority. Applications have been accepted since July 1, 2024. Authorization processes typically take 4-6 months depending on application completeness and authority workload.
5. Implement ongoing compliance: Establish transaction monitoring systems, regulatory reporting procedures, whitepaper maintenance processes, market abuse detection controls, and incident response protocols.

Given the complexity and 4-6 month timeline for authorization, payment companies should begin preparation immediately if planning to continue EU operations beyond July 2026 when transitional periods expire.

MiCA compliance for payment infrastructure providers

Due maintains MiCA compliance through VASP registration in Spain (transitioning to full MiCA authorization), enabling payment companies to access stablecoin infrastructure and traditional rails across 80+ countries while meeting EU regulatory requirements.

Due's compliance approach includes:

• VASP registration in Spain: Currently registered as VASP in Spain, transitioning to full MiCA CASP authorization to enable passporting across EU member states
• Non-custodial architecture: Maintains regulatory compliance while enabling instant stablecoin settlement, keeping customer funds in regulated accounts
• Built-in KYC/AML: Transaction monitoring, screening, and compliance tools integrated into platform
• Multi-rail access: Stablecoin networks (USDC, USDT) plus traditional rails (SWIFT, SEPA) through single API
• 80+ country coverage: MiCA compliance for EU operations alongside global payment corridors in Latin America, Africa, and Asia

Payment platforms using Due's infrastructure benefit from MiCA-compliant stablecoin access without building in-house compliance programs. Due handles authorization, ongoing reporting, regulatory requirements, and coordination with national competent authorities while providing unified API access to both crypto and traditional payment rails.

For payment companies processing $5M+ monthly through EU corridors, partnering with MiCA-compliant infrastructure providers reduces time-to-market and compliance costs versus obtaining direct CASP authorization. The Due platform offers consultation on MiCA compliance requirements for specific payment use cases.