Spain Rules Out MiCA Extension: What Firms Must Do Now
Spain's financial markets regulator has confirmed it will not grant additional time to crypto-asset service providers that have not yet met their obligations under the Markets in Crypto-Assets Regulation (MiCA). For accounting firms advising crypto-active clients, auditors reviewing licensing status, and CFOs managing regulated entities in Spain or the broader EU, the message is unambiguous: the deadline is firm, and non-compliance carries real consequences.
What the Regulator Has Said
Spain's Comisión Nacional del Mercado de Valores (CNMV) has made its position clear: firms that are not operating under a valid MiCA authorisation will not receive a transitional extension. MiCA came into full effect for crypto-asset service providers across the EU, and Spain, like most member states, allowed a national transitional period for firms that were already registered under the prior domestic AML-registration regime. That window is closing, and the CNMV has signalled it will not stretch it further.
The regulator's stance aligns with the broader European Securities and Markets Authority (ESMA) push for consistent, timely enforcement across all member states. Spain is not an outlier here; it is applying the regulation as written.
Why This Matters for Accounting and Audit Teams
MiCA authorisation is not simply a licensing formality. For firms you advise or audit, it has direct implications for how their financial statements are prepared, how client assets are classified and segregated, and what disclosures are required. A firm operating without a valid CASP (crypto-asset service provider) authorisation after the transitional deadline is not just exposed to regulatory sanction; it may be trading in a way that affects the going-concern assessment you are required to make.
Auditors should be asking clients the following questions now, not at year-end:
- Has the entity submitted a full MiCA authorisation application to the CNMV or the relevant national competent authority?
- If operating under a transitional arrangement, when does that arrangement expire?
- Has the entity received written confirmation of its authorisation status?
- Are the entity's internal controls, custody arrangements, and capital requirements already aligned with MiCA's Title V requirements?
Failure to obtain authorisation on time does not pause a firm's obligations; it simply means the firm is operating unlawfully. That is a material fact for any audit or accounts preparation engagement.
The Transitional Period Mechanics
MiCA allowed member states to grant existing, nationally-registered crypto firms a transitional period of up to 18 months to obtain full authorisation. Spain implemented this option. However, that period is not indefinite, and the CNMV's latest communication makes clear it will not be extended at the national level, regardless of where a firm is in its application process.
Firms that submitted applications before the transitional deadline can, in principle, continue to operate while their application is under review, provided they meet the conditions set by the CNMV. Firms that have not submitted a complete application are in a materially different and more exposed position. The distinction matters enormously for any ongoing advisory or audit relationship.
For EU-wide context, ESMA has published guidance on supervisory convergence expectations under MiCA, and national competent authorities are expected to align their enforcement approach accordingly. Spain's position is consistent with that framework.
Practical Steps for Advisers and CFOs
If you are advising a crypto firm operating in Spain, or if your organisation provides services to Spanish retail or institutional clients, the immediate priorities are:
- Confirm authorisation status in writing. Do not rely on informal assurances. Obtain documentary evidence of the entity's standing with the CNMV.
- Map the gap between current operations and MiCA Title V requirements. This covers governance, capital, custody, conflicts of interest, and complaints handling.
- Review client agreements. MiCA imposes specific disclosure and contractual obligations. Agreements that predate the regulation may need updating before they can be relied upon.
- Coordinate with legal counsel on passporting. A MiCA authorisation granted by the CNMV gives the firm an EU-wide passport. If a client is also active in other member states, the scope of that passport needs to be confirmed.
- Update your going-concern and risk assessments. For audit engagements, the regulatory status of a crypto firm is now a first-order risk factor, not a footnote.
Firms building compliance infrastructure at a deeper level may also want to consider how broader blockchain-level controls interact with their MiCA obligations. Work in the area of infrastructure-level blockchain compliance controls is increasingly relevant for CASPs that need to demonstrate robust risk management to regulators. For a broader framework on meeting EU reporting requirements, our crypto compliance and reporting resource covers the key obligations in one place.
Frequently Asked Questions
Has the CNMV confirmed there will be absolutely no extension, even for firms mid-application?
The CNMV's position, as reported, is that it will not grant an extension for firms that are not MiCA-compliant. Firms that submitted a complete application before the transitional deadline may be permitted to continue operating while the CNMV processes their application, but this is not the same as an extension of the deadline itself. Firms that missed the application window are in a significantly more exposed position.
What happens to a firm that continues to operate in Spain without MiCA authorisation after the deadline?
Operating as a CASP without the required MiCA authorisation constitutes a breach of EU law. The CNMV has supervisory and enforcement powers that include the ability to issue public warnings, impose fines, and require a firm to cease regulated activities. The precise sanctions framework is set out in MiCA itself and in Spain's implementing legislation.
Does this affect firms based elsewhere in the EU that serve Spanish clients?
MiCA operates on an EU-wide passporting basis. A firm authorised in another member state can, subject to passport notification procedures, provide services into Spain. However, a firm that is not authorised anywhere in the EU cannot rely on passporting and would be providing services unlawfully if it does so to Spanish clients.
What are the key MiCA requirements a firm needs to meet to obtain CASP authorisation?
MiCA's Title V sets out the requirements, which include: a registered office in an EU member state, fit-and-proper management, adequate initial capital (the exact threshold depends on the class of service), organisational and governance requirements, custody and asset-segregation rules, conflict-of-interest policies, and client disclosure obligations. The CNMV will assess applications against these criteria.
How should auditors treat a client that has not yet obtained MiCA authorisation?
The absence of required regulatory authorisation is a material fact that affects the going-concern assessment and may also affect the legality of the entity's revenue streams. Auditors should obtain written confirmation of the client's regulatory status, assess whether continued operation without authorisation represents a material uncertainty, and consider whether this requires disclosure or qualification in the audit report. Legal advice specific to the client's situation is essential.
Source: Cointelegraph Regulation
FAQ
The CNMV's position, as reported, is that it will not grant an extension for firms that are not MiCA-compliant. Firms that submitted a complete application before the transitional deadline may be permitted to continue operating while the CNMV processes their application, but this is not the same as an extension of the deadline itself. Firms that missed the application window are in a significantly more exposed position.
Operating as a CASP without the required MiCA authorisation constitutes a breach of EU law. The CNMV has supervisory and enforcement powers that include the ability to issue public warnings, impose fines, and require a firm to cease regulated activities. The precise sanctions framework is set out in MiCA itself and in Spain's implementing legislation.
MiCA operates on an EU-wide passporting basis. A firm authorised in another member state can, subject to passport notification procedures, provide services into Spain. However, a firm that is not authorised anywhere in the EU cannot rely on passporting and would be providing services unlawfully if it does so to Spanish clients.
MiCA's Title V sets out the requirements, which include: a registered office in an EU member state, fit-and-proper management, adequate initial capital (the exact threshold depends on the class of service), organisational and governance requirements, custody and asset-segregation rules, conflict-of-interest policies, and client disclosure obligations. The CNMV will assess applications against these criteria.
The absence of required regulatory authorisation is a material fact that affects the going-concern assessment and may also affect the legality of the entity's revenue streams. Auditors should obtain written confirmation of the client's regulatory status, assess whether continued operation without authorisation represents a material uncertainty, and consider whether this requires disclosure or qualification in the audit report. Legal advice specific to the client's situation is essential.