EU MiCA CASP Compliance for SaaS Developers: Authorization, Technical Requirements and Operating Rules 2026

Post #1369 in the sota.io EU Cyber Compliance Series

The EU Markets in Crypto-Assets Regulation (MiCA, Regulation EU 2023/1114) has been fully in force since December 30, 2024. For SaaS developers building any product that touches crypto-asset services — wallets, exchanges, order execution, portfolio management — this is no longer a future concern. The authorization framework is live, the grace period ends June 30, 2026, and the penalties for non-compliance reach up to 5% of annual worldwide turnover.

This is post #1/5 in the EU-MICA-CASP-DEVELOPER-2026 series. We cover the authorization pathway, capital requirements, technical obligations, and what your engineering team needs to build before the deadline.

What MiCA Covers: The Eight CASP Services

MiCA Article 3(1)(16) defines a Crypto-Asset Service Provider (CASP) as any legal person providing one or more of these services:

Practical scope test: If your SaaS product holds user crypto-assets, executes trades on their behalf, or provides a trading interface connected to an orderbook — you are a CASP and authorization is mandatory.

The Authorization Pathway (Art.59-68)

MiCA's CASP authorization is handled by the National Competent Authority (NCA) of the EU member state where the applicant is legally established. Key steps:

Step 1: Choose Your Home Member State

Establish your legal entity in one EU member state. Once authorized there, you receive an EU passport to provide services across all 27 member states without additional licenses (Art.65). Popular jurisdictions:

• Netherlands (AFM) — strong FinTech ecosystem, Dutch-language NCA
• Lithuania (Bank of Lithuania) — fast processing (40 working days vs. 40 working days), English-language submissions accepted
• Ireland (CBI) — English, common law, EU-aligned enforcement
• Germany (BaFin) — strictest but highest credibility, grandfathering via existing BaFin VASP licenses

Step 2: Meet Capital Requirements (Art.67)

MiCA sets three capital tiers for CASPs based on the services offered:

Multi-service CASPs must meet the highest applicable threshold. Capital must be permanently available, not borrowed, and verifiable via audited accounts.

Alternative: Permanent minimum capital may be replaced by professional indemnity insurance (PII) covering a minimum of €1,125,000 per claim and €1,687,500 in aggregate — useful for smaller SaaS operators.

Step 3: Governance and Ownership (Art.62-63)

Your application to the NCA must include:

• Proof of legal establishment in the EU member state (articles of association, registration certificate)
• Program of operations (business plan, target services, countries of operation)
• Identity of all persons holding ≥10% shareholding with evidence of good repute and competence
• Management body composition: minimum 2 directors, at least one with professional crypto/FinTech experience
• Internal controls framework (AML, IT risk, operational risk)
• Safeguarding arrangements for client assets (see below)

Step 4: Assessment Timeline

NCAs have 40 working days (≈8 weeks) from receipt of a complete application to grant or refuse authorization. The NCA may request additional information once, resetting the clock. Realistically budget 3-6 months for preparation + assessment.

The June 30, 2026 Grace Period Deadline

CASPs that were already providing services in an EU member state before December 30, 2024, under national law, may continue operating under a transitional period of up to 18 months — ending June 30, 2026 (Art.143(3)).

What this means for SaaS builders:

Before June 30, 2026:
  ✓ Can continue operating existing services
  ✓ Must submit authorization application
  ✗ Cannot launch new CASP services without authorization

After June 30, 2026:
  ✗ Operating without authorization = violation
  ✗ Fines up to 5% annual global turnover
  ✗ Criminal liability for management in some member states

If you are building a new CASP service (launched after December 30, 2024), the grace period does not apply. You need authorization before going live.

Technical Requirements for SaaS Developers (Art.68, 70)

Beyond the legal authorization process, MiCA imposes specific IT and operational obligations that your engineering team must implement:

1. IT Systems and Security Controls (Art.68(6))

CASPs must maintain IT systems that are:

• Resilient: tested for availability, integrity, and confidentiality
• Continuously monitored: intrusion detection, anomaly alerts
• Regularly audited: annual penetration testing minimum
• Backed up: tested recovery procedures, recovery time objectives defined

MiCA does not specify exact controls but the EBA and ESMA guidelines (expected Q3 2025, now published) cross-reference DORA (Digital Operational Resilience Act) for larger CASPs. For smaller CASPs, NIS2 Article 21 controls are the practical baseline.

Recommended technical stack:

monitoring:
  - SIEM: Wazuh or Elastic SIEM (EU-native preferred)
  - Alerting: PagerDuty or equivalent on-call rotation
  - Log retention: minimum 5 years (MiCA Art.68 record-keeping)

network_security:
  - WAF: Cloudflare or EU-sovereign alternative
  - DDoS protection: upstream CDN + rate limiting
  - Key management: HSM or AWS KMS (dedicated)

access_control:
  - MFA: mandatory for all privileged access
  - PAM: CyberArk or HashiCorp Vault for secrets
  - RBAC: granular permissions per service tier

2. Safeguarding Client Crypto-Assets (Art.70)

This is the most technically demanding requirement for custodial wallet operators:

• Segregation: Client assets must be held separately from the CASP's own assets — in wallet architecture, this means per-user isolated key storage, not pooled treasury addresses
• Cold storage: ESMA guidelines recommend ≥90% of client assets in cold storage (offline, air-gapped)
• Reconciliation: Daily balance reconciliation between on-chain state and internal ledger
• Prohibition of rehypothecation: You cannot use client assets for trading, lending, or collateral purposes

Implementation pattern:

# Simplified illustration of segregated custody architecture
class UserWallet:
    def __init__(self, user_id: str):
        self.user_id = user_id
        # Each user gets a unique derived key path
        self.derivation_path = f"m/44'/0'/{user_id_to_index(user_id)}'"
        self.hot_wallet_address = derive_hot_wallet(self.derivation_path)
        self.cold_wallet_address = derive_cold_wallet(self.derivation_path)
    
    def enforce_cold_storage_ratio(self):
        hot_balance = get_balance(self.hot_wallet_address)
        cold_balance = get_balance(self.cold_wallet_address)
        total = hot_balance + cold_balance
        # MiCA guidance: ≥90% in cold storage
        if total > 0 and (hot_balance / total) > 0.10:
            trigger_rebalance_to_cold(self)

3. Business Continuity and Disaster Recovery (Art.68(6)(d))

CASPs must document and test:

• Recovery Time Objective (RTO): Maximum acceptable downtime — ESMA guidance suggests ≤4 hours for trading platforms
• Recovery Point Objective (RPO): Maximum acceptable data loss — ≤1 hour for transaction ledgers
• Incident response plan: Defined escalation paths, NCA notification procedure
• Succession plan: What happens to client assets if the CASP ceases operations

4. Transaction Monitoring and KYC/AML (AMLD6/AMLR + Transfer of Funds Regulation)

CASP AML obligations do not come from MiCA itself — they derive from the EU AML framework (the Anti-Money Laundering Directive/Regulation, AMLD6/AMLR) and the Travel Rule under Regulation (EU) 2023/1113 on transfers of funds, extended to crypto-assets:

Travel Rule implementation (mandatory for transactions ≥€1,000):

Sender CASP → Beneficiary CASP
Required data:
  - Sender name, account number (wallet address), address/DOB
  - Beneficiary name, account number (wallet address)
Transmission: before or simultaneously with asset transfer
Protocol: IVMS101 standard message format

KYC integration checklist for developers:

• Identity verification: integrate with eIDAS 2.0-compliant ID provider (or GDPR-compliant third-party KYC)
• PEP/Sanctions screening: real-time screening against EU consolidated sanctions list
• Transaction monitoring: rule-based + ML anomaly detection (flag structuring, round-trip transactions)
• Enhanced Due Diligence triggers: transactions >€15,000, politically exposed persons, high-risk jurisdictions

Compliance Architecture: What to Build Before Go-Live

If you are building a CASP product targeting EU users, here is the minimum viable compliance architecture:

┌─────────────────────────────────────────────────────────┐
│                    CASP SaaS Platform                    │
├─────────────────────────────────────────────────────────┤
│  Identity Layer (KYC/AML)                               │
│  ├── eKYC provider (Onfido, Veriff, or EU-sovereign)    │
│  ├── PEP/Sanctions: ComplyAdvantage or Dow Jones        │
│  └── Travel Rule: Notabene, Sygna, or TRP               │
├─────────────────────────────────────────────────────────┤
│  Custody Layer                                           │
│  ├── Hot wallet: limited balance, MPC or multi-sig      │
│  ├── Cold storage: HSM-backed, offline signing          │
│  └── Reconciliation: daily on-chain ↔ internal ledger   │
├─────────────────────────────────────────────────────────┤
│  Monitoring Layer                                        │
│  ├── Transaction monitoring (Chainalysis/TRM or custom) │
│  ├── SIEM: security events + incident response          │
│  └── Audit logs: 5-year retention, tamper-evident       │
├─────────────────────────────────────────────────────────┤
│  Reporting Layer                                         │
│  ├── SAR filing to FIU (Suspicious Activity Reports)    │
│  ├── NCA periodic reporting (quarterly/annual)          │
│  └── ESMA CASP register reporting                       │
└─────────────────────────────────────────────────────────┘

Penalties and Enforcement

MiCA establishes a two-tier penalty regime:

For CASPs (legal entities):

• Operating without authorization: up to €500,000 or 5% of annual worldwide turnover (higher)
• Market manipulation: up to €1,000,000 or 15% of annual worldwide turnover
• Insider trading: up to €1,000,000 or 15% of annual worldwide turnover

For management (natural persons):

• Operating without authorization: up to €700,000 personal fine
• Serious violations: up to €5,000,000 or 15% of annual income

NCAs also have power to:

• Suspend or withdraw authorization
• Prohibit individuals from holding management positions
• Issue public censures (reputational damage)
• Order disgorgement of profits

5-Step Pre-Authorization Checklist

Before submitting to your NCA, verify:

• Legal entity established in target EU member state with compliant articles of association
• Capital threshold met (€50K–€150K depending on services, permanently available)
• Management board complete: 2+ directors, at least one with verifiable crypto/FinTech experience, KYC'd, no disqualifying history
• AML/KYC program documented: policies, procedures, responsible officer named (MLRO)
• IT security assessment completed: pen test report, DORA/NIS2-baseline controls evidence, BCP/DRP documentation

What's Next in This Series

This is post #1/5 in the EU-MICA-CASP-DEVELOPER-2026 series:

• #2/5: MiCA Stablecoin Obligations (ART and EMT issuers) — reserve requirements, redemption rights, issuance limits
• #3/5: MiCA Market Abuse Framework — insider trading, market manipulation, and wash trading detection systems
• #4/5: MiCA Travel Rule Implementation — IVMS101, TRP protocol integration, beneficiary wallet screening
• #5/5: MiCA Full Compliance Stack — combined authorization + operations checklist for EU-native crypto SaaS

If you're building a crypto-asset service for EU users, June 30, 2026 is your hard deadline. Authorization applications take 3-6 months. If you haven't started, start now.

sota.io is a European developer platform with sovereign EU infrastructure. All guides in this series are based on the published MiCA regulation text, EBA/ESMA guidelines, and NCA guidance. This is not legal advice — consult a licensed FinTech regulatory counsel for your specific product.