MiCA Transitional Period Expires July 1 2026: CASP Authorization Is Now Mandatory
The 18-month transitional window built into the Markets in Crypto-Assets Regulation closes on 1 July 2026. Any cryptoasset service provider (CASP) that has been operating under a pre-MiCA national registration loses its legal basis to serve EU clients from that date. For accounting firms, auditors, and CFOs advising or transacting with crypto businesses, the practical question is immediate: which counterparties on your books are actually authorized, and which ones just ran out of runway?
What the Transitional Provision Did and Why It Now Matters
MiCA's authorization requirement under Article 59 has been live since December 2024. The transitional provision in Article 143 allowed firms that were legally operating under national frameworks before that date to keep going while they pursued full authorization. That window is now shut.
Key dates that already passed
The deadline is not uniform across the bloc. Several member states adopted shorter transitional windows that have already expired. The Netherlands, Finland, Latvia, Hungary, and Slovenia applied a six-month window, which closed on 30 June 2025. Sweden applied nine months, closing on 30 September 2025. France, Malta, Luxembourg, Ireland, Cyprus, and Germany used the full 18 months, with the outer limit falling on 1 July 2026.
Firms that were caught by an earlier national cut-off and kept operating were already in breach. The 1 July date is not a fresh start; it is the final member state's window closing.
The State of the ESMA CASP Register
ESMA maintains a public register of authorized CASPs. At the time the source material was compiled, 213 entries held authorization across 23 jurisdictions, though the register is updated weekly and the count has been rising. Authorization built slowly through 2025 and then accelerated sharply, with 41 firms authorized in December 2025 alone as organizations raced filing deadlines clustering around year-end.
Where authorization is concentrated
The five largest jurisdictions account for roughly 127 of those 213 entries, close to 60 percent of the total. Germany leads by volume, but a significant portion of its entries are established banks and brokerages taking narrow crypto permissions rather than dedicated crypto firms. The sector's center of gravity sits in Malta, the Netherlands, Cyprus, France, and Ireland. Most authorized firms have notified an intent to passport into other member states, which is MiCA's core commercial promise: a single authorization that opens the whole bloc.
Any figure from the register should be dated to the day it was pulled, since ESMA notes that newly reported authorizations do not appear immediately.
Three Routes Still Open for Firms Not Yet Authorized
Past the deadline, the options narrow considerably.
Options and their limits
First, a firm can submit a complete Article 63 application and wait. Processing time is real, and application quality, not product type or the number of years operating under a national regime, drives the outcome. Second, if a parent or affiliate entity already holds a CASP authorization, MiCA's passport can extend that authorization to a related business, but only if the authorized entity has genuine operational substance and its monitoring actually covers the transaction flows it would absorb. Shared branding is not sufficient. Third, and critically, reverse solicitation under Article 61 is not a viable workaround at scale. The provision allows an unauthorized firm to serve an EU client only when that client approached the firm entirely without any prompting. Any advertising, app store listing, affiliate arrangement, or search activity targeting EU users breaks the reverse-solicitation exemption. Regulators across several member states have signaled they will scrutinize this claim closely.
Ongoing Obligations for Authorized CASPs
Authorization is the starting gate, not the finish line. MiCA's ongoing obligations are, in large part, monitoring obligations. ESMA's order for unauthorised CASPs to wind down makes clear that the supervisory apparatus is now active, not waiting.
Authorized CASPs must screen wallets and transactions against on-chain risk, apply AML and KYC procedures aligned with the EU's transfer-of-funds rules, maintain adequate capital, safeguard client assets, and manage conflicts of interest on an ongoing basis. The compliance posture built for authorization has to become the posture for daily operations. For accounting firms reviewing client structures in Malta, Luxembourg, or Ireland, this is also a financial statement question, since authorization costs, ongoing compliance infrastructure, and capital adequacy all affect how a regulated CASP is assessed. For background on Malta's VFA-to-CASP transition under the MFSA's MiCA guidance, the practical steps differ from those in jurisdictions that had no prior crypto-specific regime.
What Accounting Firms and CFOs Should Do Now
Check every crypto counterparty against the ESMA register and record when you did it. The register is the definitive public list of who can legally operate. ESMA explicitly tells consumers and counterparties to verify authorization before dealing with a provider. Firms that can't be found on the register after 1 July 2026 are either unauthorized or their authorization hasn't been posted yet; the appropriate response to the former is not the same as to the latter, and the difference matters for due diligence files. Review any client that relied on national registration and has not confirmed a successful MiCA authorization. Assess whether their business model can survive the interim period and update any going-concern judgments accordingly.
What exactly closes on 1 July 2026 under MiCA?
The transitional window that allowed firms operating under pre-MiCA national registrations to continue serving EU clients. After this date, Article 59 of MiCA applies in full: a valid CASP authorization is the only legal basis for providing cryptoasset services in the EU. Firms without one must stop or face regulatory action.
Do all EU member states share the same 1 July 2026 deadline?
No. Member states chose transitional periods of 6, 9, or 18 months. The Netherlands, Finland, Latvia, Hungary, and Slovenia closed at six months (30 June 2025). Sweden closed at nine months (30 September 2025). France, Malta, Luxembourg, Ireland, and others applied the full 18 months, with 1 July 2026 as the outer limit.
Where can I verify whether a CASP is authorized?
ESMA publishes and updates the CASP register weekly at esma.europa.eu. Any search result or figure should be dated to the day it was checked, as new authorizations reported by national competent authorities do not appear in the register immediately.
Is reverse solicitation a reliable way to serve EU clients without a MiCA license?
No. Article 61 permits an unauthorized firm to serve an EU client only when that client approached the firm entirely on their own initiative. Any advertising, app listing, affiliate program, or search targeting aimed at EU users breaks the exemption. Regulators have signaled active scrutiny of this claim.
What are an authorized CASP's ongoing obligations after receiving its license?
Authorization triggers continuous obligations including on-chain wallet and transaction screening, AML and KYC procedures aligned with EU transfer-of-funds rules, prudential capital requirements, client asset safeguarding, and conflict-of-interest management. The compliance infrastructure built for authorization must operate on a daily basis going forward.
Source: Elliptic
FAQ
The transitional window that allowed firms operating under pre-MiCA national registrations to continue serving EU clients. After this date, Article 59 of MiCA applies in full: a valid CASP authorization is the only legal basis for providing cryptoasset services in the EU. Firms without one must stop or face regulatory action.
No. Member states chose transitional periods of 6, 9, or 18 months. The Netherlands, Finland, Latvia, Hungary, and Slovenia closed at six months (30 June 2025). Sweden closed at nine months (30 September 2025). France, Malta, Luxembourg, Ireland, and others applied the full 18 months, with 1 July 2026 as the outer limit.
ESMA publishes and updates the CASP register weekly at esma.europa.eu. Any search result or figure should be dated to the day it was checked, as new authorizations reported by national competent authorities do not appear in the register immediately.
No. Article 61 permits an unauthorized firm to serve an EU client only when that client approached the firm entirely on their own initiative. Any advertising, app listing, affiliate program, or search targeting aimed at EU users breaks the exemption. Regulators have signaled active scrutiny of this claim.
Authorization triggers continuous obligations including on-chain wallet and transaction screening, AML and KYC procedures aligned with EU transfer-of-funds rules, prudential capital requirements, client asset safeguarding, and conflict-of-interest management. The compliance infrastructure built for authorization must operate on a daily basis going forward.
