EU MiCA CASP Compliance Finale 2026: The Complete Developer Toolkit for Crypto Asset Service Providers
Post #5 in the sota.io EU MiCA CASP Developer Compliance Series
If you are building a Crypto Asset Service Provider (CASP) for the EU market, 30 December 2025 was the end of the MiCA grandfathering window — and from that date, all new CASPs must operate under a full MiCA authorization. Existing providers operating under transitional provisions in member states that enacted them face their own national deadlines. The authorization machine is running.
This is the finale of our five-part series on MiCA CASP compliance for developers. The previous four posts covered the foundational framework (Part 1), IT and AML/KYC architecture (Part 2), client asset safeguarding (Part 3), and market integrity controls (Part 4). This guide consolidates all of it into one actionable developer toolkit: what to build, in what order, and how to organize the evidence your NCA will ask for.
The MiCA CASP Landscape: What Requires Authorization
MiCA Title V covers nine distinct CASP service types under Art.3(1)(16):
| Service Type | Title V Article | Example |
|---|---|---|
| Custody and administration | Art.75 | Cold storage provider, hot wallet service |
| Operating a trading platform | Art.76 | Crypto exchange, DEX aggregator |
| Exchange of crypto-assets for fiat | Art.77 | On/off ramp, OTC desk |
| Exchange of crypto-assets for other crypto | Art.77 | Swap service, bridging protocol |
| Executing orders on behalf of clients | Art.78 | Brokerage, routing engine |
| Placing crypto-assets | Art.79 | ICO facilitation, token distribution |
| Reception and transmission of orders | Art.80 | Order routing, API aggregator |
| Portfolio management | Art.81 | Automated rebalancing, managed crypto accounts |
| Providing transfer services | Art.82 | Payment layer, wallet-to-wallet transfers |
Developer implication: Each service type carries its own technical obligations layered on top of the common authorization requirements in Art.62-68. If your platform covers multiple service types — for example, an exchange that also offers custody and order execution — you must satisfy all applicable technical requirements simultaneously.
Authorization Prerequisites: The Technical Evidence Bundle
Before your NCA reviews your authorization application under Art.62, you must prepare a technical evidence bundle. NCAs across EU member states have converged on similar requirements even where MiCA leaves room for national discretion:
1. Program of Operations (Art.62(2)(b))
A written description of every CASP service you intend to provide, with:
- Architecture diagrams showing how each service works
- Data flow diagrams from client onboarding to order execution to settlement
- Descriptions of all third-party technology providers and their roles
- Contingency procedures if a third-party provider fails
2. Governance and Internal Controls (Art.62(2)(c))
Documentation of your internal control framework:
- Management body composition and CVs with proof of fitness and propriety (Art.68)
- Risk management function organizational chart
- AML/CFT compliance officer designation (see Part 2 of this series)
- Internal audit function (or third-party equivalent)
- Board-approved risk appetite statement
3. Prudential Requirements (Art.67)
Minimum capital requirements before you can apply:
| CASP Type | Minimum Own Funds |
|---|---|
| Custody only | €125,000 |
| Operating a trading platform | €150,000 |
| Exchange of crypto for fiat or other crypto | €125,000 |
| Portfolio management / order execution / placing | €50,000 |
These are ongoing minimum own funds requirements, not one-time fees. Your finance team must demonstrate compliance at all times.
4. ICT Risk Management Framework (DORA — from Part 2)
Documented adherence to DORA ICT standards (CASP operational resilience is governed by DORA, not MiCA):
- ICT risk register with residual risk scores
- Business continuity and disaster recovery plan with tested recovery time objectives (RTOs)
- 24-hour major ICT incident reporting procedure to your NCA
- Annual ICT audit plan
5. Asset Safeguarding Architecture (Art.70 — from Part 3)
Technical documentation proving:
- Client crypto-assets segregated from CASP own funds (on-chain proof available)
- Fiat client funds in segregated bank accounts with written bank letters
- Custody policy describing hot/warm/cold wallet allocation ratios
- Proof-of-reserves mechanism (at least quarterly audited)
- Professional indemnity insurance certificate with minimum coverage thresholds
6. Market Integrity Controls (Title VI, Arts.86-92 — from Part 4)
For CASPs operating trading platforms or executing orders:
- Best execution policy document (Art.78)
- Order handling procedures proving sequential fair treatment (Art.78)
- Market manipulation surveillance system documentation (Art.92 — prevention and detection of market abuse)
- STOR (Suspicious Transaction or Order Report) pipeline to your NCA (Art.92)
- Algorithmic trading controls if your platform permits automated strategies, with market-abuse monitoring per Art.92
The 60-Item MiCA CASP Developer Compliance Checklist
Use this as your engineering team's authorization readiness tracker. Each item maps to the MiCA articles your NCA will verify.
A. Authorization and Governance (Art.62-68)
- A1. Legal entity incorporated in an EU member state (Art.62(1))
- A2. Registered office in same member state as head office (Art.62(2)(a))
- A3. Program of operations prepared and reviewed by legal counsel
- A4. Governance arrangements documented — management body, risk function, compliance function
- A5. Management body members assessed for fitness and propriety — CVs + criminal records
- A6. Qualifying shareholders (>10% stake) declared with source-of-funds evidence
- A7. Capital adequacy calculation prepared and audited
- A8. Own funds level maintained above minimum at all times with monthly verification
B. ICT Risk and Security (DORA)
- B1. ICT risk register covering all systems in scope
- B2. Penetration test completed within 12 months — results documented
- B3. Vulnerability management process with SLA for critical findings (72h patch)
- B4. 24h major ICT incident notification procedure drafted and tested
- B5. Business continuity plan with tested RPO/RTO for core trading systems
- B6. Disaster recovery runbook accessible offline
- B7. Multi-factor authentication enforced for all staff access to production systems
- B8. Privileged access management (PAM) system deployed — least-privilege enforced
- B9. All infrastructure in EU or certified equivalent jurisdictions
- B10. DORA overlap analysis completed if you serve financial institutions
C. AML/KYC and Travel Rule (AMLD6/AMLR + Transfer of Funds Regulation (EU) 2023/1113)
- C1. AML/CFT compliance officer appointed with NCA notification
- C2. Customer due diligence (CDD) procedures documented — KYC tiers defined
- C3. Enhanced due diligence (EDD) triggers documented for high-risk clients
- C4. Sanctions screening integrated — at account opening and ongoing
- C5. PEP (Politically Exposed Person) screening active at onboarding
- C6. Travel Rule compliance: originator and beneficiary data transmitted for transfers ≥€1,000
- C7. IVMS 101 standard implemented in transfer messaging layer
- C8. Transaction monitoring system active — rules for structuring, layering, smurfing
- C9. Blockchain analytics vendor integrated — coverage for BTC, ETH, major chains
- C10. STR (Suspicious Transaction Report) pipeline to FIU operational
- C11. Annual AML risk assessment documented
D. Client Asset Safeguarding (Art.70 — from Part 3)
- D1. Client crypto-assets held in wallets architecturally separate from CASP treasury
- D2. Client fiat funds in segregated bank account — bank letter on file
- D3. Custody policy approved by management board: hot/warm/cold allocation ratios
- D4. Cold storage holds ≥95% of client assets unless trading platform (justifiable lower ratio)
- D5. Multi-signature or MPC scheme on all production wallets holding ≥€50k
- D6. Hardware security module (HSM) for key generation and signing
- D7. Proof-of-reserves mechanism running — at minimum quarterly, external audit annual
- D8. Professional indemnity insurance in force — coverage verified against client asset value
- D9. Insurance policy reviewed for crypto-specific exclusions
- D10. Reconciliation between client ledger and on-chain positions running daily
E. Market Integrity (Title VI, Arts.86-92 — from Part 4)
- E1. Proprietary trading architecturally separated from client order flow (Art.76)
- E2. Best execution policy document approved and published (Art.78)
- E3. Execution quality reporting pipeline running — price, slippage, latency per trade
- E4. Best execution report published at minimum annually (Art.78(5))
- E5. Order handling procedure documented — FIFO or justified alternative (Art.78)
- E6. Order timestamp granularity: microseconds on order receipt and execution
- E7. Market manipulation surveillance active — layering, spoofing, wash trading detection
- E8. STOR pipeline to NCA operational — test submission completed
- E9. Insider dealing controls documented — staff trading restrictions policy
- E10. Algorithmic trading controls if platform permits automated orders, integrated with market-abuse monitoring (Art.92)
- E11. Kill-switch mechanism documented and tested for all algorithmic strategies
- E12. Complaints handling procedure accessible to clients (Art.71)
F. White Paper and Marketing (Arts.46-58)
- F1. Crypto-asset white paper prepared for any asset you issue or admit to trading (Art.46)
- F2. White paper filed with NCA and published on ESMA CASP register
- F3. Marketing communications reviewed against Art.56 fair, clear, not misleading standard
- F4. Past performance disclaimers included in all promotional materials
Technology Stack Reference for MiCA-Compliant CASPs
Drawing from the first four posts, here is the reference architecture:
Identity and AML Layer
Client Onboarding
└── KYC Provider (Onfido, Sum&Substance, Veriff — EU-hosted preferred)
└── Sanctions + PEP Screening (Refinitiv, Dow Jones Risk, Comply Advantage)
└── Blockchain Analytics (Elliptic, TRM Labs, Chainalysis — data residency check)
└── Travel Rule (Notabene, Sygna, OpenVASP — IVMS 101 compliant)
Custody Layer
Asset Custody
└── HSM (Thales Luna, AWS CloudHSM — FIPS 140-2 Level 3+)
└── MPC Wallet Infrastructure (Fireblocks, Copper ClearLoop, Qredo — EU data center)
└── Cold Storage (air-gapped signing, 2-of-3 multisig minimum)
└── Proof-of-Reserves (Merkle tree + ZK-proof, quarterly external audit)
Trading Infrastructure
Order Management
└── Order Book Engine (low-latency, microsecond timestamps, immutable audit log)
└── Market Surveillance (NICE Actimize, b-next, in-house rule engine)
└── Best Execution Monitor (execution quality tracker per Art.78)
└── STOR Pipeline (FIU reporting API integration)
ICT Risk Layer
Security Infrastructure
└── SIEM (Wazuh, Elastic SIEM — EU-hosted)
└── PAM (CyberArk, HashiCorp Vault — fine-grained access control)
└── Vulnerability Scanner (OpenVAS, Tenable — EU-operated preferred)
└── Incident Management (PagerDuty EU region, or OpsGenie EU)
Compliance Evidence Layer
Regulatory Evidence
└── GRC Platform (ServiceNow GRC DE, OneTrust, LogicGate EU)
└── Document Management (SharePoint EU tenant, or Confluence Data Center)
└── Audit Trail (append-only log store — S3-compatible EU, minimum 5-year retention)
└── NCA Reporting Portal (member-state specific — BaFin, AFM, AMF, etc.)
NCA Authorization Timelines by Member State
MiCA authorization is handled at the national level. Key NCAs and their processing timelines:
| Country | NCA | Estimated Review Time | Notes |
|---|---|---|---|
| Germany | BaFin | 6-9 months | Crypto custody already regulated under KWG; experienced reviewers |
| Netherlands | DNB / AFM | 6-12 months | DNB handles prudential, AFM handles conduct |
| France | AMF / ACPR | 6-9 months | PSAN pre-registration can accelerate |
| Luxembourg | CSSF | 4-8 months | Fastest EU financial regulator historically |
| Ireland | Central Bank | 9-15 months | Slower; backlog from VASP applications |
| Estonia | Finantsinspektsioon | 6-9 months | Historically crypto-forward; now stricter under MiCA |
| Malta | MFSA | 6-12 months | VFA experience; now applying MiCA standards |
| Lithuania | Bank of Lithuania | 4-8 months | EU Sandbox program available for fintechs |
Practical tip: Luxembourg (CSSF) and Lithuania (Bank of Lithuania) have historically been the fastest EU financial regulators and both have strong familiarity with crypto asset businesses. If you have no existing NCA relationship and can justify incorporation in either jurisdiction, they are worth serious consideration for a June 2026 target.
Common MiCA CASP Authorization Failures
Based on the pattern of NCA feedback across the EU since MiCA came into force, these are the most common reasons applications are rejected or returned:
1. Insufficient ICT documentation (40% of rejections)
NCAs expect DORA-level ICT documentation even for small CASPs. The most common gap: no tested business continuity plan. NCAs want evidence that your RTO (recovery time objective) has been exercised — a written plan without a drill is insufficient.
Fix: Conduct a tabletop exercise and document the outcome. A three-hour tabletop on a Saturday with the engineering and operations team produces the evidence NCAs expect.
2. Weak AML/KYC procedures (35% of rejections)
Many applications describe a KYC provider integration but fail to document the risk-based approach: what triggers enhanced due diligence, how PEP screening is monitored on an ongoing basis, and how transaction monitoring rules are calibrated.
Fix: The three-tier KYC model (simplified/standard/enhanced) with clear triggers and documented tuning methodology satisfies most NCAs.
3. Asset safeguarding without on-chain evidence (25% of rejections)
Claiming client assets are segregated without being able to show on-chain proof is a common gap. NCAs increasingly expect cryptographic evidence of segregation, not just policy documents.
Fix: Implement labeled wallet sets with documented on-chain addresses at the NCA-submission stage. A quarterly proof-of-reserves certificate from a recognized auditor (ISAE 3402 or equivalent) converts this from a gap to a strength.
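As an added illustration (not code from the post or from any vendor in the stack reference), here is the Merkle-tree half of the proof-of-reserves mechanism that items D7 and D10 describe: client balances become leaves, any client can verify their own inclusion against the published root without seeing other balances, and the summed liabilities are reconciled against the on-chain reserve. Client balances, the reserve figure and the leaf encoding are constructed assumptions; the ZK layer the stack reference mentions is out of scope here.

```python
import hashlib
from typing import List, Tuple

def leaf_hash(client_id: str, asset: str, balance: int) -> bytes:
    # 0x00 prefix domain-separates leaves from internal nodes so a client
    # cannot be shown an internal node as if it were a balance record.
    return hashlib.sha256(b"\x00" + f"{client_id}|{asset}|{balance}".encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    # levels[0] holds the leaves, levels[-1] the single root; an odd level
    # duplicates its last node so every node has a sibling.
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels: List[List[bytes]], index: int) -> List[Tuple[bytes, str]]:
    # Sibling hash at each level, tagged "L"/"R" for the side it sits on.
    proof = []
    for level in levels[:-1]:
        padded = level + ([level[-1]] if len(level) % 2 else [])
        sib = index ^ 1
        proof.append((padded[sib], "L" if sib < index else "R"))
        index //= 2
    return proof

def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    # What a client runs against the published root; needs no other balances.
    h = leaf
    for sib, side in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root

# Constructed client liabilities (client id, asset, balance in satoshi) and a
# constructed on-chain reserve total for the labelled custody wallets.
CLIENTS = [("c-001", "BTC", 150_000_000), ("c-002", "BTC", 25_000_000),
           ("c-003", "BTC", 4_000_000), ("c-004", "BTC", 70_000_000),
           ("c-005", "BTC", 1_000_000)]
ONCHAIN_RESERVE_SATS = 260_000_000

def liabilities_root() -> bytes:
    return build_tree([leaf_hash(*c) for c in CLIENTS])[-1][0]

def client_can_verify(i: int) -> bool:
    levels = build_tree([leaf_hash(*c) for c in CLIENTS])
    return verify_inclusion(levels[0][i], inclusion_proof(levels, i), levels[-1][0])

def reserves_cover_liabilities() -> bool:
    # The D10 reconciliation step: on-chain reserve must be >= summed liabilities.
    return ONCHAIN_RESERVE_SATS >= sum(b for _, _, b in CLIENTS)
```

The published artefact for the auditor is the root plus the reserve addresses; each client receives only their leaf and sibling path.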
4. Market integrity for exchange operators (20% of rejections)
CASPs operating trading platforms often underestimate the surveillance burden. A basic rule engine that flags high-value outliers is not sufficient — NCAs want evidence that layering, spoofing, and wash trading patterns are actively monitored.
Fix: Map your surveillance rules to the recognized manipulation patterns in ESMA's MiCA technical standards (RTS under Art.92 on prevention and detection of market abuse). Show the NCA a sample alert and your investigation workflow.
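To show what "actively monitored" means in code rather than in a policy document, here is an added example (not from the post, and not any named surveillance product) of two of the pattern rules item E7 lists, run over constructed order and trade records with the microsecond timestamps item E6 calls for. The beneficial-owner map, the 500 ms order-lifetime window and the size threshold are illustrative assumptions that a real deployment would calibrate and document.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Order:
    order_id: str
    account: str
    side: str          # "buy" or "sell"
    qty: float
    placed_us: int     # microsecond timestamps, as item E6 requires
    cancelled_us: Optional[int] = None
    filled_qty: float = 0.0

@dataclass
class Trade:
    trade_id: str
    buy_account: str
    sell_account: str
    qty: float
    ts_us: int

# Constructed KYC-derived beneficial-owner map: acc-A and acc-B share one owner.
OWNER: Dict[str, str] = {"acc-A": "bo-7", "acc-B": "bo-7", "acc-C": "bo-9", "acc-D": "bo-3"}

def wash_trades(trades: List[Trade]) -> List[str]:
    """Wash trade: buyer and seller resolve to the same beneficial owner."""
    return [t.trade_id for t in trades
            if OWNER.get(t.buy_account, t.buy_account) == OWNER.get(t.sell_account, t.sell_account)]

def spoofing_candidates(orders: List[Order], trades: List[Trade],
                        max_life_us: int = 500_000, min_qty: float = 10.0) -> List[str]:
    """Spoofing pattern: a large order cancelled unfilled within max_life_us
    while the same account received a fill on the opposite side meanwhile."""
    flagged = []
    for o in orders:
        if o.cancelled_us is None or o.filled_qty > 0 or o.qty < min_qty:
            continue
        if o.cancelled_us - o.placed_us > max_life_us:
            continue
        for t in trades:
            counterparty = t.sell_account if o.side == "buy" else t.buy_account
            if counterparty == o.account and o.placed_us <= t.ts_us <= o.cancelled_us:
                flagged.append(o.order_id)
                break
    return flagged

# Constructed sample records.
ORDERS = [
    Order("o1", "acc-D", "buy", 50.0, 1_000_000, cancelled_us=1_300_000),   # pulled after 300 ms
    Order("o2", "acc-D", "sell", 2.0, 1_050_000, filled_qty=2.0),
    Order("o3", "acc-C", "buy", 50.0, 2_000_000, cancelled_us=5_000_000),   # rested 3 s, not flagged
]
TRADES = [
    Trade("t1", "acc-C", "acc-D", 2.0, 1_100_000),  # acc-D sold while its large bid was live
    Trade("t2", "acc-A", "acc-B", 5.0, 1_200_000),  # same beneficial owner on both sides
    Trade("t3", "acc-C", "acc-A", 1.0, 3_000_000),
]

def run_surveillance() -> Dict[str, List[str]]:
    return {"wash": wash_trades(TRADES), "spoofing": spoofing_candidates(ORDERS, TRADES)}
```

Each flagged id is the kind of sample alert the NCA will ask to see, together with the investigation record that follows it.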
The MiCA CASP Compliance Timeline: What to Build and When
Working backwards from a target authorization date of Q3 2026:
| Milestone | Target Date | Owner |
|---|---|---|
| Legal entity incorporated, registered address confirmed | T minus 18 months | Legal |
| Capital adequacy verified, own funds in place | T minus 15 months | Finance |
| ICT risk framework documented + first penetration test | T minus 12 months | Engineering |
| KYC/AML procedures drafted + provider integrated | T minus 12 months | Compliance + Engineering |
| Travel Rule (IVMS 101) integrated | T minus 10 months | Engineering |
| Asset safeguarding architecture completed + documented | T minus 10 months | Engineering |
| Custody policy approved by board | T minus 9 months | Legal + Engineering |
| Market surveillance system live (if exchange) | T minus 9 months | Engineering |
| Best execution policy drafted and tested | T minus 9 months | Compliance |
| Pre-application meeting with target NCA | T minus 8 months | Legal |
| Proof-of-reserves first run | T minus 8 months | Engineering |
| Authorization application submitted | T minus 6 months | Legal |
| NCA review period | T minus 6 to 0 months | NCA |
| Authorization granted, MiCA-compliant operations begin | T | All |
EU vs. Non-EU Infrastructure: The Jurisdiction Trap
One issue that comes up repeatedly in MiCA authorization: the question of where your infrastructure actually runs. MiCA does not contain an explicit EU-hosting requirement for all systems, but the ICT risk framework under DORA and the data protection obligations under GDPR interact to create a de facto EU preference.
The practical problem:
If your blockchain analytics vendor, KYC provider, or trading infrastructure provider processes client personal data in the United States, you need a valid GDPR transfer mechanism. Since the Schrems II ruling invalidated the old Privacy Shield framework, the options are:
- Data Processing Agreement referencing Standard Contractual Clauses (SCCs) with a valid Transfer Impact Assessment (TIA)
- Binding Corporate Rules (BCRs) — only practical for large groups
- EU-hosted processing — the simplest solution
For NCAs examining your application, a 15-page TIA for each US-hosted SaaS vendor raises questions. EU-hosted alternatives for the same categories:
| Category | US-Dominant Vendor | EU Alternative |
|---|---|---|
| KYC / Identity Verification | Onfido (UK/US operations) | Sum&Substance (EU-native), Incode EU |
| AML / Transaction Monitoring | Chainalysis (US) | Elliptic (UK + EU hosting), TRM Labs EU |
| Custody Infrastructure | Fireblocks (US primary) | Copper (CH + EU), Qredo (CH) |
| Cloud Infrastructure | AWS (US) | Hetzner (DE), OVHcloud (FR), Scaleway (FR) |
| Observability / SIEM | Datadog (US) | Grafana Cloud EU, Elastic Cloud EU |
Design principle: Where you have a choice between a US-headquartered vendor and an equivalent EU vendor with the same capabilities, the EU vendor eliminates a category of regulatory friction at authorization time and on an ongoing basis.
MiCA CASP Series: What We Covered
This five-part series has walked through the complete MiCA CASP compliance obligation stack for engineering teams:
| Post | Focus | Key Articles |
|---|---|---|
| Part 1 (Post #1378) | Authorization framework, service types, governance | Arts.62-68 |
| Part 2 (Post #1380) | ICT risk management, AML/KYC, Travel Rule | DORA + AMLD6/AMLR + Reg (EU) 2023/1113 |
| Part 3 (Post #1381) | Client asset safeguarding, proof-of-reserves | Art.70 |
| Part 4 (Post #1382) | Market integrity, best execution, surveillance | Art.78 + Title VI (Arts.86-92) |
| Part 5 (This post) | Complete checklist, timeline, tech stack | All |
Key Takeaways
1. Authorization is engineering work, not just legal work. The majority of NCA rejections relate to technical evidence gaps: untested BCPs, undocumented AML procedures, inadequate surveillance systems. Your engineering team is a co-owner of the authorization outcome.
2. The June 2026 deadline is not the end of the compliance journey. Authorization grants the right to operate. Ongoing MiCA obligations — annual best execution reports, periodic proof-of-reserves, NCA supervisory reviews — are permanent features of operating as a licensed CASP.
3. EU-hosted infrastructure is not mandatory but makes everything easier. A stack built on Hetzner/Scaleway/OVHcloud with EU-based AML vendors and EU-certified custody providers dramatically simplifies your GDPR transfer documentation and strengthens your application's credibility.
4. Pre-application NCA engagement is high-ROI. Most EU NCAs will hold a pre-application meeting if you request one. Using that meeting to validate your architecture decisions before investing months of development time is one of the highest-value activities a CASP can perform before submitting.
5. The 60-item checklist above is a starting point, not a ceiling. National NCAs layer additional requirements on top of MiCA's harmonized baseline. Your legal counsel in your target jurisdiction should review the checklist against any NCA guidance notes or Q&A publications before you finalize your application.
Part of the sota.io EU MiCA CASP Developer Compliance Series (5/5 complete). Related reading: EU DORA Compliance for FinTech Developers, EU AI Act for Financial Services, EU AML 6th Directive Implementation Guide.