Are you in scope for MiCA in 2026?: A Practical Guide for CASP Founders

Why MiCA Matters for Crypto Businesses in 2026

The Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114 (MiCA), is the first directly applicable, harmonized regulatory framework governing crypto-asset activity across the European Union.

As a regulation, not a directive, MiCA applies uniformly across all EU Member States without national transposition, fundamentally reshaping how crypto businesses must operate in and into the EU market.

From 2026 onward, MiCA is no longer a future compliance topic. It becomes an operational baseline. Any crypto business that falls within its scope without proper authorization will be operating unlawfully, regardless of whether it previously relied on regulatory arbitrage, fragmented national regimes, or informal interpretations of VASP rules.

One of the most common mistakes founders make is assuming that MiCA only matters if you issue a token. That is not how MiCA is designed.

‍

MiCA establishes three distinct, but interrelated, regulatory regimes:

1. A regime for issuers of asset-referenced tokens and e-money tokens (ARTs and EMTs), often referred to as stablecoins.
   
   
2. A regime for issuers of crypto-assets other than ARTs or EMTs.
   
   
3. A regime for entities providing services in respect of crypto-assets, defined as Crypto-Asset Service Providers, or CASPs.

This article focuses only on the third regime: CASPs.

‍

From a regulatory design perspective, this separation is deliberate. MiCA treats issuance risk and service provision risk as legally distinct. Many founders misunderstand this and assume that avoiding token issuance automatically removes them from the MiCA scope. That assumption is incorrect.

‍

MiCA is not just about tokens. It is about businesses. If your company provides crypto services to users in the EU, MiCA likely applies to you even if you never issued a token and even if you call yourself a tech platform.

‍

The Three Rulebooks You Need to Know

MiCA is structured around the idea that different crypto market activities create different regulatory risks and therefore require different legal treatments. MiCA is easier to understand if you stop thinking about it as one law and start thinking about it as three rulebooks.

Rulebook 1: Stablecoin Issuers
This is about financial stability, reserves, redemption rights, and systemic risk. If you issue something meant to stay stable, regulators care a lot.

Rulebook 2: Other Token Issuers
This is about disclosure, whitepapers, and fair marketing. The goal here is investor and consumer protection.

Rulebook 3: Crypto-Asset Service Providers (CASPs)
This is about how crypto services are run day to day. Governance, compliance, custody, order execution, conflicts of interest, and user protection.

Legally, these regimes are independent. A company may fall under one, two, or all three regimes depending on its activities. A CASP does not need to issue a token to be regulated. Likewise, a token issuer does not automatically become a CASP unless it also provides regulated services.

For example:

• An exchange with its own token may be both a CASP and a token issuer.
  
  
• A wallet provider with no token may still be a CASP.
  
  
• A token issuer with no platform may not be a CASP at all.
  
  

This article is about Rulebook 3, which lives primarily in Title V of MiCA and establishes authorization, organizational, prudential, and conduct of business requirements for CASPs.

Who This Article Is For

This article is written for founders and operators who are building or scaling crypto businesses where service delivery, not token issuance, is the core activity.

This includes, in particular:

• Crypto exchanges, whether centralized or hybrid.
  
  
• Custodial or non-custodial wallet providers.
  
  
• Trading platforms, brokerage models, and order-routing services.
  
  
• Fiat on-ramp and off-ramp providers integrated with crypto flows.
  
  
• Web3 products where crypto services are embedded into a broader platform.
  
  

It is equally relevant for founders who believe they are unregulated today because they operate under legacy VASP regimes, rely on disclaimers, or classify themselves as software providers.

MiCA adopts an activity-based and effect-based approach. What matters is not how you describe your business, but what your business actually does and who it serves. National regulators and ESMA have been explicit that labels, marketing language, and internal narratives do not override substance.

If users can buy, sell, store, exchange, or move crypto using your product, this article is for you. Even if you think you are “just infrastructure”.

‍

What Is a CASP Under MiCA

MiCA defines a Crypto-Asset Service Provider, or CASP, very broadly.

Under Article 3 of Regulation (EU) 2023/1114, a CASP is any legal person or undertaking whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis.

That definition is intentionally wide. MiCA does not start by asking what your company calls itself. It starts by asking what your business actually does.

This is where many founders misread the law.

MiCA does not regulate technologies. It regulates activities.
This is why MiCA follows an activity-based approach, not a label-based one.

From a regulatory perspective, the risk does not come from whether you say you are a wallet, a protocol, a SaaS tool, or an infrastructure provider. The risk comes from the fact that users rely on you to access, move, exchange, or manage crypto-assets.

That is why MiCA consistently uses the phrase “services in respect of crypto-assets”. This wording is doing a lot of work.

If your product enables users to interact with crypto-assets in a way that is operational, commercial, and user-facing, regulators will likely consider that a service in respect of crypto-assets.

It also does not matter whether:

• You touch fiat or only crypto.
  
  
• You are custodial or non-custodial.
  
  
• You operate fully on-chain or through smart contracts.
  
  
• You are incorporated inside or outside the EU.
  
  

If the service is offered to EU users or has effects in the EU, MiCA can apply.

‍

The Services That Trigger Regulation

MiCA does not regulate CASPs in the abstract. It regulates specific activities. If you provide one or more of these activities as a business, you are likely in scope.

Custody and Administration of Crypto-Assets

This covers services where you safeguard crypto-assets or cryptographic keys on behalf of users.

Classic examples include:

• Custodial wallets.
  
  
• Platforms holding user assets before settlement.
  
  
• Any setup where users depend on you for access to their crypto.
  
  

MiCA treats custody as a high-risk activity and imposes strict organizational and safeguarding requirements.

In simple terms:
If users would lose access to their crypto if your system goes down, you are probably providing custody.

‍

Operation of a Trading Platform for Crypto-Assets

This applies when you operate a system that brings together multiple buying and selling interests in crypto-assets and enables trades.

This includes:

• Centralized exchanges.
  
  
• Hybrid exchange models.
  
  
• Platforms that match orders or liquidity in an organized way.
  
  

Whether the matching happens on-chain or off-chain is not decisive. What matters is that you operate the system.

In simple terms:
If your platform looks, feels, or behaves like an exchange to users, regulators will likely treat it like one.

‍

Exchange of Crypto-Assets for Funds or Other Crypto-Assets

This covers services where users can:

• Buy or sell crypto for fiat.
  
  
• Swap one crypto-asset for another.
  
  

This includes integrated on-ramps, off-ramps, and swap features embedded into apps.

Even if you rely on third-party liquidity providers, you may still be in scope if the exchange is part of your service offering.

In simple terms:
If users can convert value inside your product, MiCA is interested.

‍

Execution, Reception, and Transmission of Orders

These are classic financial market concepts, adapted to crypto.

They cover situations where you:

• Execute trades on behalf of users.
  
  
• Receive and transmit orders to other platforms.
  
  
• Act as an intermediary between users and liquidity.
  
  

You do not need to be the final execution venue to fall under this category.

In simple terms:
If your product sits between the user and the trade, that is a regulated role.

‍

Placement and Advisory Services

MiCA also captures services related to the placement of crypto-assets and advice on crypto-assets.

This can include:

• Actively promoting or placing crypto-assets for issuers.
  
  
• Providing personalized recommendations on crypto-assets.
  
  

This is particularly relevant for platforms combining trading with content, signals, or structured offerings.

In simple terms:
If users trust your guidance or recommendations when dealing with crypto, regulators expect responsibility.

‍

Why Disclaimers Do Not Save You

A recurring theme in MiCA is that substance prevails over form.

Calling your product:

• “Non-custodial”
  
  
• “Decentralized”
  
  
• “Just a frontend”
  
  
• “Pure infrastructure”
  
  

does not automatically remove it from scope.

Regulators will look at:

• What users can do.
  
  
• How the service is delivered.
  
  
• Who controls key elements of the system.
  
  
• Where value and decision-making sit.
  
  

MiCA is explicit on this point, both in its definitions and its recitals.

‍

Are You In Scope: Practical Founder Test

This section is designed to help you answer one question with maximum clarity:

Are we likely a CASP under MiCA?

‍

MiCA is activity-based. So your scope analysis should also be activity-based. 

Step 1. Where is your company incorporated?

If you are incorporated in the EU:
Assume MiCA is relevant if you provide any crypto-asset services. The main question becomes which CASP services you provide and what authorization pathway you need.

If you are incorporated outside the EU:
Do not assume you are out of scope. MiCA can still bite if you serve EU clients or actively target the EU market.

EU entity equals high probability of MiCA relevance. Non-EU entity does not automatically mean “safe”.

Step 2. Where are your users located?

Ask two questions:

1. Do you have users in the EU today?
   
   
2. Do you market to, support, or onboard EU users intentionally?
   
   

MiCA risk increases sharply when you have EU users and your product is accessible in a way that looks like an active offering into the EU.If EU users can sign up and use your crypto features in practice, you need to treat MiCA as a live issue, not a theoretical one.

Step 3. What services do you actually provide?

This is the core of the analysis. Map your product features to MiCA CASP activities.

Quick prompts:

• Do users store crypto in your product?
  
  
• Do users buy, sell, swap, or convert crypto in your product?
  
  
• Do you route orders, execute trades, or connect users to liquidity?
  
  
• Do you operate a platform that matches buyers and sellers?
  
  
• Do you provide advice, signals, model portfolios, or recommendations tied to crypto-assets?
  
  

If the answer is “yes” to any of those, you are likely providing services “in respect of crypto-assets”.

Do not start with your brand story. Start with your feature list.

Step 4. Do you touch user funds or private keys?

This is not the only trigger for MiCA scope, but it is a major risk indicator.

Higher-risk signals:

• You custody user crypto.
  
  
• You hold or control private keys.
  
  
• You control a smart contract that can move user assets.
  
  
• Users rely on your system to access their crypto.
  
  

Lower-risk signals (but still not an automatic out):

• Users sign transactions themselves.
  
  
• You never hold keys.
  
  
• You only provide non-custodial transaction construction.
  
  

Important: non-custodial design can reduce obligations in some regulatory contexts, but it does not automatically remove you from CASP scope if you are still providing regulated services such as exchange, execution, order transmission, or operating a trading platform.

Step 5. Do you monetize crypto-related activity?

Regulators look at whether you provide the service “on a professional basis”. Monetization is a strong indicator.

Examples:

• Trading fees, swap fees, spreads.
  
  
• Subscription access to trading features.
  
  
• Fees on deposits, withdrawals, custody, or routing.
  
  
• Revenue shares from liquidity providers or on-ramps.
  
  
• Affiliate commissions for conversions.
  
  
• Monetized “signals” or advisory features tied to crypto-assets.
  
  

Even if fees are indirect, if your business model depends on crypto activity, treat it as professional service provision.

‍

Common Misconceptions That Put Founders in Trouble

Misconception 1: “We are non-custodial, so MiCA does not apply.”

Reality: MiCA is not custody-only. Execution, exchange, routing, and platform operation can be in scope even without holding keys.

Misconception 2: “We are just a tech provider.”

Reality: If users can buy, sell, swap, store, or move crypto through your product, you are providing a service, not just software.

Misconception 3: “We are not in the EU, so EU rules do not apply.”

Reality: If you serve or target EU users, you can still fall into scope. Incorporation location is not the only factor.

Misconception 4: “We use third-party providers, so we are not the regulated party.”

Reality: Outsourcing does not eliminate responsibility. If the crypto service is part of your product offering, you may still be a CASP, even if vendors perform parts of the flow.

Misconception 5: “Disclaimers solve it.”

Reality: Regulators look at substance. If your product functions as a CASP, disclaimers will not change that.

‍

Key Dates and the 2026 Reality Check

Transitional Periods, Grandfathering, and the End of Regulatory Flexibility

MiCA introduces a harmonized authorization regime for Crypto-Asset Service Providers, but it does not switch on overnight. The Regulation provides for transitional arrangements intended to allow existing market participants to move from fragmented national VASP regimes to the unified MiCA framework.

Under Article 143(3) of MiCA, CASPs that were lawfully providing services under national law before 30 December 2024 may continue operating during a transitional period. That period lasts only until the earlier of:

• the CASP being granted or refused MiCA authorization under Article 63, or
  
  
• 1 July 2026, which is the absolute EU-wide longstop.
  
  

Importantly, Member States were free to shorten or eliminate this regime altogether. As a result, transitional periods vary significantly:

• Some countries opted for the full period until 1 July 2026, including France, Malta, Luxembourg, Italy, Cyprus, and others.
  
  
• Others chose shorter windows, often ending 31 December 2025, such as Germany, Ireland, and Austria.
  
  
• Several allowed only 6 months, including the Netherlands, Finland, Poland, Latvia, and Hungary, where grandfathering largely ended in mid-2025.
  
  
• Lithuania extended its regime, but it expired on 1 January 2026.
  
  

The Practical Consequence

By early 2026, grandfathering has already expired in a growing number of Member States. In those jurisdictions, the rule is simple:

No MiCA authorization means no legal operation.

Once a country’s transitional window closes, there is no fallback position. Delaying MiCA preparation beyond this point is not a compliance choice. It is a material business risk, particularly for teams planning to enter or scale in the EU market.

The Strategic Risk of Waiting

From a legal and operational perspective, postponing MiCA preparation is not a neutral choice. It is a strategic risk.

Authorization under MiCA is not a filing exercise. It requires:

• A stable corporate structure.
  
  
• Defined governance and control functions.
  
  
• Operational policies and procedures.
  
  
• Risk management and compliance frameworks.
  
  
• Alignment between product design and regulatory scope.
  
  

These elements cannot be assembled meaningfully at the last minute.

Founders who wait until late 2026 often discover that:

• Their product architecture assumes activities that require authorization they cannot easily obtain.
  
  
• Their corporate structure is misaligned with MiCA substance requirements.
  
  
• Their business model depends on services that trigger higher regulatory thresholds.
  
  

By contrast, teams that plan early retain optionality. They can redesign flows, isolate regulated functions, adjust geographic exposure, or sequence authorization strategically.

In regulatory terms, MiCA rewards foresight and penalizes delay.

What Happens If You Are In Scope

If your business falls within CASP scope under MiCA, the implications are material. They extend far beyond obtaining a license.

Licensing and Authorization Obligations

A CASP in scope must obtain authorization from a competent authority in an EU Member State before providing crypto-asset services.

This authorization is activity-specific. The services you provide determine:

• The scope of your license.
  
  
• The prudential and organizational requirements that apply.
  
  
• The supervisory intensity you should expect.
  
  

Operating without authorization after the transitional period is not a compliance gap. It is a regulatory breach with enforcement consequences.

Ongoing Compliance, Governance, and Reporting

Authorization is not the end of the process. It is the beginning of continuous supervision.

CASPs must implement and maintain:

• Robust internal governance arrangements.
  
  
• Clear allocation of responsibilities and control functions.
  
  
• Risk management and internal control mechanisms.
  
  
• Safeguarding measures for client assets where applicable.
  
  
• Incident reporting and regulatory disclosures.
  
  
• Ongoing supervisory engagement with regulators.
  
  

These obligations directly affect headcount, internal processes, and cost structures.

Impact on Product Design, Tokenomics, and Growth Strategy

MiCA compliance is not just a legal overlay. It shapes the product itself.

Key areas of impact include:

• Whether certain features can be offered to EU users at all.
  
  
• How custody, execution, and settlement flows are designed.
  
  
• How tokens are integrated into the service, if at all.
  
  
• Whether revenue models remain viable under regulatory constraints.
  
  
• How fast and where the business can scale.
  
  

Founders who treat MiCA as an afterthought often discover that core product assumptions are no longer sustainable.

Why Early Structuring Decisions Matter

MiCA compliance is easier when it is designed into the business from the outset.

Early decisions around:

• Corporate structure and jurisdiction.
  
  
• Separation of regulated and non-regulated activities.
  
  
• Product architecture and control points.
  
  
• User segmentation and market access.
  
  
• Token design and utility assumptions.
  
  

have a disproportionate impact on regulatory outcomes later.

From a legal perspective, MiCA does not eliminate innovation. It channels it. The companies that succeed under MiCA will be those that align legal structure, product design, and growth strategy early, rather than trying to retrofit compliance under pressure.

Planning to Enter the EU Market? Read This Carefully.

For teams planning an EU expansion, MiCA is not just a compliance requirement. It is the entry ticket.

Many non-EU crypto companies approach Europe with the wrong assumption: that MiCA is something to deal with after traction, after users, or after revenue. In reality, MiCA shapes how and whether you can enter the EU market at all.

If you are:

• A non-EU crypto platform looking to onboard EU users.
  
  
• A Web3 product planning its first EU launch.
  
  
• A scale-up choosing Europe as its next growth market.
  
  
• A team deciding where to locate its regulated entity.
  
  

Then MiCA is a strategic market-entry decision, not a back-office task.

How Legal Nodes Helps EU-Bound Teams

At Legal Nodes, we help teams:

• Assess whether MiCA applies to their product before launch.
  
  
• Choose the right EU jurisdiction for authorization.
  
  
• Design product and operational flows that are licensable from day one.
  
  
• Sequence EU entry in a way that preserves speed and flexibility.
  
  
• Avoid over-regulation while staying fully compliant.
  
  

Most importantly, we help founders answer one question early:

“Can we enter the EU market under MiCA without breaking our product or business model?”

‍

What Comes Next in the Series

Your MiCA Decision-Making Toolkit

This article is Part 1 of a structured MiCA series designed for founders who need answers.

Each part tackles one regulatory regime and answers one core question.

Part 2

Are You Issuing a Token Under MiCA?
The Non-Stablecoin Issuer Regime Explained

This article will focus on projects that issue crypto-assets other than stablecoins and will cover:

• When token issuance triggers MiCA obligations.
  
  
• What counts as a public offer or admission to trading.
  
  
• Whitepaper requirements and exemptions.
  
  
• Marketing rules and common pitfalls.
  
  
• How token design choices affect regulatory exposure.
  
  

If you plan to issue a token, already have one, or are considering one as part of your growth strategy, this article is essential.

Part 3

Stablecoins Under MiCA
ART and EMT Issuers Explained

This article will break down the most heavily regulated part of MiCA, including:

• The difference between ARTs and EMTs.
  
  
• When a token becomes a regulated stablecoin.
  
  
• Reserve, redemption, and governance requirements.
  
  
• Why many “utility stablecoins” still fall into scope.
  
  
• Strategic structuring options and red flags.
  
  

If your business touches anything that looks stable, pegged, or value-referenced, this is required reading.

Why This Series Exists

MiCA is complex, but the decisions founders need to make are not theoretical. They are strategic, time-sensitive, and structural.

This series is built as a decision-making toolkit:

• Each article focuses on one regime.
  
  
• Each section leads to a concrete conclusion.
  
  
• Each part helps you decide what applies to you and what does not.
  
  

Whether you are planning authorization, restructuring, or simply validating your assumptions, this series is meant to help you move forward with confidence.

If you build in crypto and touch the EU market, understanding MiCA is no longer optional. Understanding which part of MiCA applies to you is where smart founders get ahead.

‍