ESMA Orders Unlicensed CASPs to Wind Down as MiCA Transition Closes
The European Securities and Markets Authority has issued a clear directive to crypto-asset service providers that have not secured authorisation under the Markets in Crypto-Assets Regulation: cease offering services and wind down operations in an orderly manner, while taking all necessary steps to protect client assets. With the MiCA transitional period now closed, operating without a licence is no longer a grey area anywhere in the EU.
What ESMA Has Said and Why It Matters Now
ESMA's statement, republished by the Malta Financial Services Authority on 24 June 2026, makes the regulatory position unambiguous. Any crypto-asset service provider that has not obtained, or is not actively in the process of obtaining, a MiCA authorisation from a competent national authority must stop taking on new clients and begin an orderly exit from the market.
The two-part obligation for unlicensed operators
The authority's call carries two distinct obligations. First, affected firms must halt new business. Second, and critically for the clients of those firms, they must safeguard existing client funds and positions throughout the wind-down process. ESMA is not simply pulling a plug; it is requiring a managed, client-protective exit.
For accounting firms, auditors, and CFOs advising or auditing entities that may fall into this category, the statement raises immediate questions about going-concern assessments, client asset segregation, and the accuracy of any representations made in financial statements about a firm's right to operate.
Background: The MiCA Transitional Arrangement
MiCA introduced a transitional regime that allowed firms already operating legally under national frameworks to continue providing services for a defined period while they pursued formal CASP authorisation. That window has now closed. National competent authorities across the EU, including the MFSA in Malta, have been aligning their supervisory activities accordingly.
How the transition affected different member states
Member states were permitted to set the length of their own transitional periods within the bounds set by MiCA, which created variation across the bloc. Some jurisdictions, such as Spain, made clear well before the deadline that no extensions would be granted. Others moved at different paces, but the pan-EU picture is now consistent: the transitional runway has ended, and ESMA is coordinating the supervisory response at the European level.
Firms that advise clients on Malta's VFA to CASP transition will recognise this pattern. The MFSA had already been communicating similar expectations to its own regulated population. ESMA's statement reinforces that message at scale.
Implications for Accounting Firms and Auditors
Three areas demand immediate attention from professional advisers.
Going-concern and licence status disclosures
An entity operating as a CASP without authorisation is, from the date the transitional period ended, operating unlawfully under EU law. That fact is material to any audit or accounting engagement. Auditors must consider whether continued operation constitutes a going-concern risk and whether any financial statements prepared for the period accurately reflect the entity's regulatory standing.
Client asset segregation and safeguarding obligations
ESMA's explicit reference to client protection during wind-down is a reminder that crypto-asset holdings held on behalf of clients carry custodial obligations. If a firm is winding down, those assets must be returned or transferred in a controlled way. Accountants and auditors reviewing such entities should verify that safeguarding arrangements are documented, that assets are properly ring-fenced, and that any transfers are recorded at the correct values.
Counterparty risk for licensed firms
Licensed CASPs and institutional participants that have existing relationships with now-unlicensed operators face counterparty risk. Compliance teams and CFOs at licensed firms should be reviewing their exposure. Spain's firm stance on MiCA deadlines illustrates how national authorities are backing ESMA's position with active enforcement, which means counterparty relationships with non-compliant entities carry real legal and reputational risk.
What Firms Should Do Right Now
The practical steps fall into two categories: client-facing review and internal governance.
Steps for advisers and auditors
Start by mapping every client in your portfolio that operates, or has operated, as a crypto-asset service provider in the EU. Confirm their authorisation status directly with the relevant national competent authority's public register. Where authorisation is absent or lapsed, assess the going-concern position and document your findings. If a client is in active wind-down, engage early on asset segregation, liability recognition, and the sequencing of client fund returns.
On the internal governance side, firms with crypto-asset exposures on their own balance sheets should check that any service providers they rely on for custody or trading hold valid MiCA authorisations. The risk of a counterparty entering an ESMA-mandated wind-down is not theoretical; it is a present operational consideration.
FAQ
It means the firm must stop onboarding new clients immediately and begin a structured exit process. Throughout that process, it remains obligated to protect existing client assets, return or transfer holdings in an orderly way, and cooperate with its national competent authority.
ESMA is restating and publicly reinforcing obligations that already exist under MiCA. The statement itself is not a new piece of legislation, but it signals that national supervisors are expected to act against non-compliant operators and that ESMA is coordinating that supervisory response at the EU level.
The absence of a required licence is a material fact. Auditors should assess whether it triggers a going-concern qualification, disclose it as a significant matter in the audit report where appropriate, and consider whether any representations in the financial statements about the firm's right to operate are accurate.
Each EU member state has a designated national competent authority, such as the MFSA in Malta, the BaFin in Germany, or the AMF in France. ESMA also maintains a register of authorised CASPs at the pan-EU level, which is the most practical starting point for a cross-border check.
It should review the contractual terms immediately, assess the counterparty risk of a regulatory wind-down, consider whether it needs to migrate assets or positions to a licensed alternative, and document its risk assessment. National supervisors may view continued engagement with an unlicensed entity as a compliance failure on the licensed firm's part.
