MiCA Implementation Checklist: A Hands-On Guide for EU Crypto Firms

MiCA's core obligations have been live since June 2024 (stablecoins) and December 2024 (CASPs). The implementation gaps are still real for many firms. Some are still operating under the transitional regime, some are finalizing dossiers, and a meaningful share haven't run a proper gap analysis yet. This is the operational checklist: what to do, what evidence to keep, and where teams typically stall.

The tone here is not "MiCA explained." For that, see our MiCA Regulation overview. This is the hands-on version: who does what, by when, and what proof a competent authority will ask for.

The compliance map at a glance

Treat this table as the spine of your project plan. Everything below is detail.

1. Scope first: are you a CASP, an EMT/ART issuer, or both?

Before drafting a single policy, classify your activities. MiCA splits into two regimes:

• Title III (ARTs) and Title IV (EMTs): token issuance.
• Title V (CASPs): services provided on or around crypto-assets.

A single firm can fall under both. A stablecoin issuer that also runs a redemption portal is an EMT issuer and a CASP. Map every product line to one of the ten CASP services (custody, exchange, execution, placement, reception/transmission of orders, advice, portfolio management, transfer services, operation of a trading platform, exchange of crypto for fiat or other crypto). If a service touches EU users, it is in scope.

Checklist:

• Inventory every product line and revenue stream.
• Map each to a MiCA service category (or to "out of scope" with reasoning).
• Document who the contracting entity is for each user flow.
• Flag any DeFi-adjacent flows for legal review. The line between "tool" and "service" is where most disputes happen.

2. Authorization: choosing your home Member State

MiCA passports across the EU, so your home Member State decides which national competent authority (NCA) reviews your dossier. The choice matters because review timelines, supervisory style, and informal expectations differ.

Checklist:

• Compare NCA timelines (BaFin, AMF, CSSF, MFSA, AFM, CNMV are the most common).
• Match your business profile to NCA expertise (e.g., AMF on tokenized funds, BaFin on credit-institution structures).
• Confirm substance requirements: senior management based in the country, real office, local compliance officer.
• Budget 6 to 12 months from pre-application meeting to authorization.

Do not pick a jurisdiction purely on perceived leniency. NCAs share intelligence, and a thin substance setup invites passporting friction later.

3. White paper requirements (and exemptions)

Issuers of crypto-assets other than EMTs and ARTs must publish a white paper before any public offer or admission to trading in the EU. NCAs are notified, not asked for approval, but the white paper itself must meet detailed content rules under Article 6.

What goes in:

• Project, team, and underlying technology description.
• Rights and obligations attached to the asset.
• Risk factors and a plain-language summary.
• Marketing communications consistency clause.

Common exemptions:

• Offers to fewer than 150 persons per Member State.
• Offers solely to qualified investors.
• Offers below EUR 1 million over 12 months.
• Free distributions where no consideration is received.

Checklist:

• Draft the white paper against the Article 6 schedule.
• Run a legal review on liability statements (issuers are liable for misleading information).
• File with the NCA at least 20 working days before publication.
• Keep version history. Every material change requires a new notification.

4. EMT and ART specific obligations

If you issue an e-money token or an asset-referenced token, the rulebook is significantly thicker.

EMT issuers must:

• Hold an EMI or credit institution license.
• Redeem at par value, on demand, in fiat.
• Hold reserves in segregated, low-risk assets.
• Refuse interest payments on tokens.

ART issuers must:

• Obtain ART authorization from the NCA.
• Maintain a reserve of assets fully covering liabilities.
• Publish reserve composition reports.
• Operate a redemption mechanism that works "at all times."

Marketing rules apply to both: communications must be fair, clear, not misleading, and consistent with the white paper. Influencer campaigns and yield-style messaging are the highest-risk areas.

Checklist:

• Reserve policy: asset eligibility, custody, segregation, stress testing.
• Redemption policy: SLAs, queue management, fee disclosures (capped under MiCA).
• Reporting cadence: quarterly reserve reports, daily internal monitoring.
• Marketing review: a compliance gate on every public-facing asset.

Significant EMTs and ARTs (large user base or transaction volume) face additional EBA supervision and tighter thresholds. Build for the significance trigger before you hit it.

5. Governance and fit-and-proper checks

NCAs scrutinize people as much as policies. The management body must be collectively suitable, and individuals in key functions must pass fit-and-proper assessments.

Checklist:

• CV, criminal record extract, and reputation declaration for each director.
• Time commitment statements for non-executive directors.
• Conflicts of interest register, refreshed at least annually.
• Board-approved governance manual covering committees, reporting lines, and escalation.
• Independent compliance and risk functions, with direct board access.

A "fractional CCO" arrangement is acceptable in some jurisdictions for smaller firms. It is rarely accepted at all in others. Confirm with your NCA early.

6. Capital requirements: Class 1, 2, 3

CASPs must hold initial capital based on the services they provide.

On top of initial capital, CASPs must hold own funds equal to the higher of the initial capital or one-quarter of fixed overheads of the previous year.

Checklist:

• Calculate fixed overheads under the Article 67 methodology.
• Re-run the calculation annually and after any material change.
• Document the ICAAP (Internal Capital Adequacy Assessment Process), even in lightweight form.
• Maintain a regulatory capital buffer. Running at the floor invites supervisory action.

7. Conduct of business rules

MiCA imports MiFID-style conduct rules into crypto. The big four:

• Honest, fair, professional conduct in the best interest of clients.
• Clear, fair, not misleading marketing communications.
• Conflicts of interest policy with disclosure and mitigation.
• Complaint handling with documented procedures and free access for clients.

Checklist:

• Pre-trade and post-trade disclosure templates.
• Marketing review SOP: every campaign logged with the approver.
• Conflicts register with quarterly board review.
• Complaints log with a 15-business-day acknowledgement and resolution targets.
• Annual training for client-facing and marketing staff.

8. Custody and prudential requirements

CASPs holding client crypto-assets carry the heaviest operational burden.

Checklist:

• Segregate client assets from firm assets at the wallet and accounting level.
• Maintain a position-keeping system that can rebuild balances per client at any timestamp.
• Document key management: HSMs, multi-sig, recovery procedures, signer rotation.
• Insurance or own-funds coverage for losses caused by ICT failures or fraud (Article 75).
• ICT and operational resilience under DORA, which interlocks with MiCA from January 2025.

This is where Wag3s Ledger and Folio carry weight: per-wallet, per-client, per-chain reconciliation that produces the records an NCA actually wants to see during an inspection.

9. The Travel Rule in MiCA

The Transfer of Funds Regulation (TFR), which travels alongside MiCA, requires CASPs to collect and transmit originator and beneficiary information for crypto-asset transfers, with no de minimis threshold.

Checklist:

• Travel Rule provider integration (Sumsub, Notabene, Veriscope, or equivalent).
• Counterparty due diligence: VASP screening, sanctions checks.
• Self-hosted wallet handling: ownership verification for transfers above EUR 1,000 in some jurisdictions.
• Record retention: 5 years minimum.
• Suspicious transaction reporting integrated with your existing AML pipeline. See our AML & KYC for Crypto Businesses guide for the underlying framework.

10. Timeline: 12-month transitional period and the 2026 deadlines

If you were lawfully providing crypto services in an EU Member State before 30 December 2024, you can keep operating under the transitional regime, but only until 1 July 2026, and earlier in some Member States that opted to shorten it.

Key dates:

• 30 June 2024: Title III (ARTs) and Title IV (EMTs) applied.
• 30 December 2024: full MiCA applied; CASP authorization regime opened.
• 1 July 2026: outer limit of the transitional regime for existing CASPs.

If your dossier is not filed by Q1 2026, the timeline is tight. Authorization reviews routinely take 4 to 6 months once complete, and most dossiers go through at least one round of NCA questions.

11. Common implementation pitfalls

The same issues come up in nearly every MiCA project:

• Late white paper drafting. Teams underestimate Article 6. Start two months before you want to publish.
• Substance gap. A registered office with no real operations does not survive NCA on-site visits.
• Outsourcing without oversight. Critical functions can be outsourced, but the firm remains responsible. Service-level monitoring must be auditable.
• Marketing drift. Product teams ship campaigns faster than compliance can review them. Build a hard gate.
• DORA blind spot. ICT risk management is not optional; it is a parallel regulatory track that NCAs read together with MiCA.
• Reserve composition surprises. EMT/ART issuers occasionally hold ineligible assets. Codify the eligibility list and check it quarterly.

12. FAQ

Do I need a CASP license if I only offer services to qualified counterparties? Yes. MiCA does not have a "professional clients only" carve-out for CASP authorization. Conduct rules can be lighter for eligible counterparties, but the license is still required.

Can a non-EU firm passport into the EU under MiCA? No. Reverse solicitation is the only narrow path, and ESMA has signaled a strict reading. To serve EU users, set up an EU entity and get authorized.

What if my token doesn't fit cleanly into EMT, ART, or "other"? Get a legal opinion early and, where possible, an informal NCA view. Misclassification is a primary enforcement risk.

How does MiCA interact with DORA? DORA covers ICT risk and operational resilience for financial entities, including CASPs. MiCA refers to DORA for ICT requirements. Plan both projects in parallel.

Is MiCA going to change? Yes. The Commission must review MiCA's scope (DeFi, NFTs, lending) by 2025, and ESMA continues to publish technical standards. The framework will keep moving for the next 24 to 36 months.

Where Wag3s fits

Wag3s Trust is the MiCA-readiness layer of the Finance OS: white paper traceability, reserve reporting, conduct-of-business logs, and the records auditors and NCAs request. Combined with Ledger for transaction history and Folio for wallet-level reconciliation, the audit trail is built once and reused across every regulator request.

Further reading

• Product: Wag3s Trust
• MiCA Regulation: What It Means for Crypto Businesses in Europe
• AML & KYC for Crypto Businesses
• MiCA Regulation (EU) 2023/1114, full text on EUR-Lex.
• ESMA technical standards on CASPs, published in tranches through 2024 and 2025.

This article is for informational purposes only and does not constitute legal or compliance advice. National implementation differs across Member States. Consult qualified EU counsel and engage your national competent authority early.