MiCA VASP Transition Period Ended: What EU Firms Must Do Now
The grace period is over. As of 1 July 2026, every virtual asset service provider operating in the European Union must hold a formal crypto-asset service provider (CASP) authorization under the Markets in Crypto-Assets Regulation (MiCA). The Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg confirmed the deadline's closure on 2 July 2026, and the consequences for non-authorized providers are immediate, concrete, and escalating. For accounting firms, auditors, and CFOs serving clients in the digital asset space, this is not a regulatory footnote: it reshapes client eligibility, audit scope, and ongoing compliance obligations.
What Changed on 1 July 2026
MiCA's CASP authorization framework has been live since the regulation's full application date, but member states were permitted to run national transitional arrangements allowing legacy VASPs to continue operating while they pursued authorization. That window closed uniformly across the EU on 1 July 2026. From that date, no provider, regardless of the member state or the asset class it handles, may offer crypto-asset services in the EU without a valid CASP license.
Services Covered by the Requirement
The obligation is broad. It captures custody and administration of crypto-assets on behalf of clients, operation of trading platforms, exchange services between crypto-assets and fiat or between crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, portfolio management, and advice. Any firm whose clients are involved in these activities, whether as operators or as users, now needs to verify the authorization status of every counterparty and service provider in that chain.
Third-Country Providers Are Also Caught
The CSSF's notice is explicit on one point that practitioners sometimes overlook: providers incorporated outside the EU are not exempt simply because they are domiciled elsewhere. If a third-country VASP actively markets or solicits EU-based customers, it requires a CASP authorization in the EU. The only carve-out is genuine reverse solicitation, where the customer independently approached the provider without any prior solicitation. The CSSF warns, however, that unauthorized providers may be increasingly tempted to rely on this exemption in an expansive and inaccurate way. Regulatory scrutiny of reverse solicitation claims is expected to intensify.
Restrictions on Non-Authorized Providers
Providers that have not secured CASP authorization by the deadline are now operating in a restricted wind-down mode. The CSSF sets out exactly what they can and cannot do.
What Non-Authorized Providers Cannot Do
A provider without the necessary authorization may no longer onboard new EU customers, open new accounts or wallets for existing customers, advertise or distribute its products to anyone in the EU, or solicit business through any channel, including online advertising, email campaigns, social media, pop-ups, or telephone outreach.
The Only Permitted Actions
Two actions remain open. First, the provider may facilitate the transfer of a customer's crypto-assets to another platform operated by a duly authorized CASP. Second, it may allow customers to withdraw their assets in an orderly manner. Nothing else. This is not a soft landing: it is a structured exit obligation.
Operational and Audit Implications for Firms
Accounting firms and auditors with clients holding digital assets through external platforms face a clear and urgent due-diligence task. If a client's custody or trading provider is not on the ESMA CASP register, that provider is now operating outside the law. The knock-on effects are significant.
Client Portfolio Reviews
Any digital asset holdings custodied with a non-authorized provider are now subject to operational risk: the provider may be forced to close accounts at short notice, potentially creating forced disposals, valuation uncertainty, and tax events that were neither planned nor anticipated. For firms using crypto bookkeeping software or digital asset accounting software to track client positions, a systematic check of counterparty authorization status should be built into the next review cycle, not deferred.
Going Concern and Disclosure Considerations
For auditors, a client entity that continues to use a non-authorized provider, or that itself was operating as a VASP without securing CASP authorization, raises immediate questions. Continued operations in breach of MiCA are unlawful. That is relevant to going concern assessments, to representations management makes in financial statements, and to whether any contingent liabilities related to regulatory action need to be disclosed or provided for. The background on how MiCA CASP authorization became mandatory across the EU provides further context on the timeline and the legal basis.
Third-Country Counterparty Risk
Where clients transact with offshore platforms, the reverse solicitation exemption should be scrutinized carefully. Documenting that a client independently initiated contact with a third-country provider, without any prior advertising or outreach, is a high evidential bar. If that documentation does not exist, the counterparty may be in breach of MiCA, and the client's continued use of the platform carries regulatory and reputational risk. Firms advising on AML/KYC frameworks should factor this in: the CSSF is already flagging the risk that unauthorized providers will misuse the reverse solicitation label to continue EU-facing business improperly.
How to Verify CASP Authorization
The CSSF directs consumers and market participants to the ESMA register of authorized CASPs. For practitioners, this is the primary verification tool. A provider's official name, its home member state, and its authorized services are all searchable there. Checking a provider's legal notice or general terms and conditions may surface the authorization reference number, but the ESMA register is the authoritative source. ESMA's clarification on related MiCA scoping questions, including the white paper exemption for certain non-ART/EMT offerings, is also relevant when assessing which entities and which products fall within the full authorization requirement.
What Firms Should Do Right Now
The CSSF notice, while addressed partly to retail consumers, has direct professional implications. Practitioners should treat the following as immediate action items.
Immediate Steps
Cross-reference every digital asset platform used by clients against the ESMA CASP register. Where a provider is absent or authorization is unclear, document the finding and advise the client in writing. For clients operating as VASPs themselves who have not yet secured CASP status, the position is now urgent: continued service provision is unlawful, and the path to remediation requires engagement with the competent national authority without delay. Review any contracts or service agreements with third-country providers and assess whether the reverse solicitation exemption is genuinely sustainable given the CSSF's stated concerns. Update crypto accounting processes to flag unauthorized-provider risk as a standing check. Firms using digital asset accounting software should consider adding counterparty authorization status as a tracked field, ensuring that position data is linked to a verified, licensed provider.
The MiCA transition period closing is not a distant policy development: it is an enforcement-ready legal state that took effect two days ago. Clients who are slow to respond face account closures, forced asset transfers, and potential regulatory exposure. Firms that identify and address this now are in a position to add real value.
Source: CSSF Luxembourg
FAQ
As of 1 July 2026, operating without CASP authorization is unlawful under MiCA regardless of any prior national VASP registration. The provider must immediately cease onboarding new EU customers, stop all advertising and distribution activity, and enter an orderly wind-down: facilitating asset transfers to authorized CASPs or allowing customer withdrawals are the only permitted activities until authorization is granted or operations cease.
Only in narrow, well-documented circumstances where the EU customer approached the provider entirely on their own initiative, with no prior solicitation, advertising, or outreach of any kind from the provider. The CSSF has explicitly flagged that unauthorized providers may misuse this exemption and that regulatory scrutiny of such claims will increase. Practitioners should treat unsupported reliance on reverse solicitation as a material risk indicator.
The ESMA register of authorized crypto-asset service providers is the authoritative source. A provider's legal notice or general terms and conditions may also reference its authorization number and home competent authority, but the ESMA register should be the primary verification tool for compliance due diligence.
Auditors should consider whether continued use of a non-authorized provider affects going concern, whether contingent liabilities from potential regulatory action require disclosure, and whether management representations about regulatory compliance remain accurate. The risk of sudden account closure by a non-authorized provider also creates valuation and continuity risks that are material to financial statement preparation.
MiCA covers a wide range of services including custody, trading platform operation, exchange services, order execution, placing, portfolio management, and advice. Certain limited exemptions apply, such as for crypto-assets that qualify as financial instruments under MiFID II or for e-money tokens regulated under existing e-money directives. ESMA has published Q&A guidance on specific scoping questions, including the white paper exemption for non-ART/EMT offerings.
