MiCA Enforcement Gaps: What Firms Face After the Transition Deadline
The MiCA grace period ended on 1 July 2026. Crypto-asset service providers operating without a valid CASP authorization are now technically in breach of EU law, and national competent authorities have the legal mandate to act. The problem is that mandate is not matched by uniform enforcement capacity across the 27 member states, and that gap creates a compliance risk that accounting firms, auditors, and CFOs advising digital-asset businesses cannot afford to ignore.
What the Transition Closure Actually Means
MiCA, the Markets in Crypto-Assets Regulation, became fully applicable across the EU at the end of 2024, but member states were permitted to allow existing crypto firms to keep operating under national licensing regimes for a transitional period of up to 18 months. That runway expired on 1 July 2026.
The authorization requirement is now hard
From that date, any entity providing crypto-asset services, whether exchange, custody, brokerage, or advisory, must hold a CASP authorization granted under MiCA by its home-member-state NCA. Operating without one is no longer a grey area. It is a regulatory breach, and national competent authorities are empowered to issue orders to cease activity, impose fines, or refer cases for criminal prosecution depending on the member state's implementing rules.
For context on how the authorization landscape developed in the run-up to this deadline, our earlier analysis of the MiCA transitional period expiry and mandatory CASP authorization set out the key obligations firms needed to have in place before July 1.
Grandfathering is over
A small number of firms that submitted complete authorization applications before their NCA's cutoff date may still be operating under an extended review period, depending on their jurisdiction's specific rules. That is distinct from operating without any application at all. Firms in the latter category have no legal basis to continue services directed at EU clients.
Where the Enforcement Challenge Lies
The regulation is uniform across the single market. Enforcement is not. Each of the 27 member states has designated its own NCA, and those authorities vary considerably in their staffing levels, supervisory technology, and prior experience regulating crypto-asset businesses.
Capacity gaps at national level
Some NCAs entered the MiCA era with established crypto supervisory teams built during years of operating national virtual asset service provider registers. Others are adapting general financial services supervisory frameworks to a sector they have less familiarity with. The practical result is that enforcement timelines, the depth of on-site reviews, and the speed of response to complaints from market participants will not be consistent across the bloc in the near term.
This is not a loophole. Firms that treat uneven enforcement as an invitation to delay compliance are misjudging the direction of travel. ESMA has a coordination role and can escalate where NCAs are seen to be failing to act. Cross-border referrals between NCAs are also a feature of the MiCA architecture.
The passporting dimension
MiCA's single-market passport means a CASP authorized in one member state can passport services into others through a notification process. This creates a supervisory dynamic where the home NCA is primarily responsible for prudential oversight, but host NCAs retain conduct-of-business powers. Where a firm is passporting into a jurisdiction whose NCA has stronger enforcement capacity than the home supervisor, that host authority's scrutiny can in practice be the more immediate compliance pressure.
Practical Risks for Advisers and Finance Teams
For accounting firms, auditors, and in-house finance functions serving digital-asset businesses, the post-transition enforcement landscape raises several issues that require immediate attention.
Authorization status in audit and due diligence
Any engagement involving a crypto-asset service provider, whether an audit, a transaction advisory, or an ongoing accounting mandate, now requires a verified check of that entity's authorization status. ESMA maintains a public register of authorized CASPs. An entity that cannot point to an entry in that register, or to a pending application with documented NCA acknowledgment, should be treated as operating outside the regulatory perimeter.
This matters for auditors assessing going-concern risk. A firm operating without MiCA authorization faces potential enforcement action that could result in a cessation order. That is a material uncertainty that must be evaluated and, where appropriate, disclosed.
AML and record-keeping obligations run in parallel
MiCA authorization does not exhaust a CASP's compliance obligations. Authorized firms remain subject to the EU's anti-money laundering framework, including the Transfer of Funds Regulation requirements that now apply to crypto-asset transfers. Accounting and audit teams should be checking not only that a client holds a valid CASP authorization but that its transaction monitoring, customer due diligence, and record-keeping practices meet the standards that MiCA and the AML framework jointly require.
For a broader picture of how illicit finance risk intersects with the crypto compliance landscape, our coverage of Huione Group's illicit marketplace and stablecoin AML risk illustrates the scale of exposure that poor compliance frameworks can create.
Record quality for mica compliance crypto engagements
Firms advising on MiCA compliance, whether on authorization applications, ongoing regulatory reporting, or internal governance frameworks, need their own records in order. Engagement letters should clearly define the scope of regulatory advice versus accounting or tax services. Where crypto accounting software or digital asset accounting software is used to support client reporting, the outputs need to be defensible against the transaction classification standards that MiCA and associated technical standards impose.
ESMA's Coordination Role and What to Watch
ESMA published technical standards and guidelines throughout the MiCA implementation period, and its Q&A process has been the primary vehicle for resolving interpretive questions that the regulation's text left open. Our earlier piece on the ESMA clarification on MiCA white paper exemptions is one example of how that guidance process works in practice.
Ongoing guidance and supervisory convergence
ESMA is expected to use its supervisory convergence tools, including peer reviews and thematic examinations, to narrow the enforcement gap between member states over time. Firms should treat this as a narrowing window, not a permanent accommodation. NCAs that are currently building capacity will not remain at their current level of supervisory intensity indefinitely.
Monitoring ESMA's published opinions, Q&As, and supervisory briefings is part of the ongoing compliance obligation for any firm in the digital asset space, not a one-time exercise at authorization.
Immediate Steps for Compliance and Advisory Teams
The following actions are relevant now, in the immediate post-transition period.
Verify authorization status for every crypto client
Check the ESMA CASP register for each digital-asset business in your client portfolio. Where a client is absent from the register without a documented pending application, escalate internally before continuing the engagement. This is not a formality; it is a material risk assessment step.
Review engagement scope and liability boundaries
Engagements that were scoped under national licensing regimes may need to be revisited now that MiCA is the operative framework. The obligations, reporting timelines, and governance requirements have changed, and engagement terms should reflect that.
Assess crypto bookkeeping software and reporting outputs
The transaction classification and reporting requirements under MiCA's regulatory reporting obligations, combined with the Transfer of Funds Regulation, demand that records be organized at a level of granularity that general-purpose bookkeeping tools may not support without configuration. Digital asset accounting software used in client engagements should be assessed against these specific requirements, not generic accounting standards alone.
Stay current on NCA enforcement communications
Your clients' home-member-state NCAs and host NCAs in key markets should be on your regulatory monitoring list. Enforcement notices, cease-and-desist orders, and supervisory letters directed at CASPs in any member state are relevant indicators of how the enforcement environment is developing across the bloc.
Source: Cointelegraph Regulation
FAQ
It depends on the member state. Some NCAs provided for an extended operational period for firms with complete applications submitted before a specified cutoff. Firms should obtain written confirmation from their NCA of their status and document it, as operating on an assumed extension without that confirmation carries enforcement risk.
The home NCA is the primary prudential supervisor, but host NCAs retain conduct-of-business powers in their jurisdictions. A host NCA with stronger enforcement capacity can act on client complaints or its own market intelligence independently of the home supervisor. Firms passporting widely should not assume that a permissive home supervisor insulates them from host-country action.
The auditor must assess whether this creates a material uncertainty relevant to going concern. A firm operating without authorization faces potential enforcement action including cessation orders. If the uncertainty is material, it requires disclosure in the audit report. The engagement team should also consider whether continuing the engagement is appropriate given the regulatory exposure and consult their firm's risk management process.
No. Authorization under MiCA and compliance with EU anti-money laundering obligations are separate requirements. An authorized CASP must still meet customer due diligence, transaction monitoring, record-keeping, and suspicious transaction reporting obligations under the applicable AML framework, including Transfer of Funds Regulation requirements for crypto transfers.
ESMA maintains a public register of authorized crypto-asset service providers. This is the primary reference point. Firms should also cross-check with the relevant home NCA's own published list, as the ESMA register depends on timely NCA notifications and there may be a short lag in some cases.
