Folio 05 Insights Article

Regulatory updatesVASP/CASP Crypto Assets

We missed the MiCA CASP deadline: what now

If you relied on a national VASP registration during a MiCA transitional period, that route no longer supports continued EU crypto-asset services. All national transitional periods had ended by 1 July 2026. The available responses are a fresh CASP application, acquisition of an authorised CASP subject to diligence and the applicable ownership assessment, or restructuring the product so that an authorised provider genuinely supplies the regulated services or the EU activity ends. A pending application is not current authority to provide services. Each route depends on the actual services, entities, contracts, client base, assets and control model.

Modern glass-fronted institutional building with an EU flag visible outside

Timelines

How the transitional window closed

MiCA has applied to crypto-asset service providers since 30 December 2024. Article 143 allowed Member States to apply transitional measures to firms that had provided services under national law before that date. ESMA confirmed that all such periods had ended by 1 July 2026. As of July 2026, the live question is therefore not how much transition time remains, but whether the entity providing each service is authorised under Article 63 or is an eligible financial entity permitted under Article 60.

The ESMA MiCA register and the relevant competent authority record are the public starting points for that check. A legacy registration, a pending application or a group-level regulatory statement should not be presented as current authority for a specific entity and service.

The stakes

What operating without authorisation now means

Article 59 permits crypto-asset services in the EU only where the provider is an authorised CASP or an eligible financial entity acting within the applicable MiCA route. A firm cannot replace that gate with a pending application, historic VASP status, an API agreement or another group company's authorisation. Continued activity can create regulatory, contractual, banking, safeguarding and customer remediation exposure, but the consequences must be assessed for the actual facts and competent authority.

Reverse solicitation is not a general continuity route. MiCA treats it as a narrow client-initiative situation, and ESMA guidance addresses its strict application. It should not be used as the assumed basis for maintaining an EU client book. Any continuity decision needs transaction-specific legal review and current authority evidence.

Immediate controls

Stabilise before you choose a route

  1. Map the exposure

    Map every EU customer, service, entity, contract, asset position and distribution channel. Reconcile the entity providing each service with the live ESMA register and relevant competent authority record.

  2. Escalate new onboarding and continued service

    Put new onboarding and continued regulated activity through immediate legal and compliance review. A pending application or historic VASP registration is not the Article 59 authority gate.

  3. Review provider communications

    Assess contractual notification duties and communications with banks and payment providers under legal and compliance advice. Keep the remediation facts accurate and distinguish decisions already taken from proposed next steps.

  4. Plan an orderly client outcome

    Do not make blanket termination, continuation or migration decisions without legal review. Preserve records and map contracts, assets, open instructions, notices and support obligations before implementing a client plan.

  5. Choose a route and date the milestones

    The three options below carry different dependencies and failure modes. Record the chosen route, decision owners, evidence gaps, conditions and review dates.

Route one

Option 1: a fresh CASP application

A fresh application is the route for a business that intends to provide regulated crypto-asset services through its own EU entity. The file must fit the requested services and evidence governance, prudential resources, ownership, management, safeguarding, complaints, outsourcing, ICT resilience, AML controls and operational readiness. MiCA contains procedural assessment periods, but they are not a universal end-to-end delivery estimate. Completeness work, information requests, file quality, supervisory review and applicant readiness determine the real plan.

The applicant must establish a defensible home-state and substance position rather than select a filing venue from an unofficial speed ranking. It must also plan for the operating gap: filing an application does not itself permit the applicant to provide the regulated services. A separate provider-led or wind-down arrangement may be considered only after the responsibilities and customer consequences are mapped.

Route two

Option 2: acquiring an authorised CASP

An acquisition can be examined where a real target has the required services, operating model and regulatory record. It is not an automatic continuity solution. A proposed acquisition of a qualifying holding is subject to the MiCA Articles 83-84 framework, and the transaction also requires corporate, regulatory, financial, technology, client-asset and compliance diligence.

A register entry does not show that an entity is for sale, suitable for the buyer or ready for the proposed change. Scope, liabilities, customer assets, outsourcing, financial crime controls, ICT dependencies, ownership assessment and remediation can each change the decision. We cover the process in detail in our guide to acquiring an authorised CASP.

Route three

Option 3: restructuring around your EU clients

Not every firm should claw its way back to EU authorisation. If EU-facing revenue is a modest share of the book, the honest answer may be to stop providing crypto-asset services in the EU: keep serving your non-EU markets from the existing entity, and wind down or migrate the EU client base in an orderly, documented way.

Orderly matters. Customer notices, asset return or migration, open orders, complaints, records, data retention and provider obligations should be mapped and carried out under a legally reviewed plan. A later CASP application may remain a separate strategic option, but it does not cure activity conducted without a valid current basis.

A provider-led model can sit inside this route where an EU-authorised CASP genuinely supplies the regulated services under its own agreement and within its verified scope. The product company may coordinate the customer experience and technical integration, but it does not inherit the CASP's authorisation. The contracting, order, custody, payment, AML and data roles must be mapped before this is treated as a viable operating model.

Side by side

The three routes at a glance

Route Regulatory mechanics Primary dependencies Fits best when
Route Fresh CASP application Regulatory mechanics Article 63 completeness review and assessment of a complete file; a qualifying information request can suspend the assessment within the limits set by that Article Primary dependencies Completeness, information requests, governance evidence, operating readiness and the NCA review process Fits best when EU revenue justifies the wait and you want the scope built around your own business
Route Acquire an authorised CASP Regulatory mechanics Qualifying-holding notification assessed by the NCA before completion (MiCA Articles 83-84 framework) Primary dependencies Target availability, diligence, deal negotiation, ownership assessment and post-closing remediation Fits best when A matching target exists and its scope, condition and ownership process withstand diligence
Route Restructure or use a provider-led model Regulatory mechanics Orderly wind-down or migration, or regulated services supplied directly by an authorised EU CASP after perimeter review Primary dependencies Client contracts, provider scope and approval, data and asset migration, integration and offboarding obligations Fits best when The product can keep regulated services with a selected provider, or EU activity no longer justifies an own authorisation
1 July 2026
the last national transitional period ended
Article 59
regulated crypto-asset services require an authorised or otherwise permitted provider
Article 65
cross-border provision depends on notification and the authorised service scope
3 routes
apply, acquire, or restructure around a valid provider-led or exit model

Choosing a route

How to decide from the facts already available

The route decision turns on facts the business can assemble: EU customers and services, contract and entity structure, current authority evidence, assets and money in flight, banking dependencies, provider options and any real acquisition target. SKY7 structures those facts into a route recommendation, evidence gaps and decision gates. See how a SKY7 mandate runs for the engagement model.

FAQ

Frequently asked questions

Straight answers to what founders and buyers ask. If yours isn't here, ask us directly

01 Can we keep serving existing EU clients while we apply?

Not on the strength of a pending application. As of July 2026, providing crypto-asset services in the EU requires a valid Article 59 basis, and a filed application does not create one. Reverse solicitation is a narrow exception under ESMA guidance for clients acting on their own exclusive initiative - it is not a way to run a book. Check the relevant authority's current statements and obtain transaction-specific advice before making any continuity decision.

02 Is buying an authorised CASP faster than applying?

Sometimes, but not automatically. The change of qualifying holding must be notified to and assessed by the national competent authority before completion under the MiCA Articles 83-84 framework. Target availability, diligence, transaction terms, regulatory assessment and remediation all affect the outcome. Compare the evidence and dependencies for a real target with those for a fresh application rather than relying on a generic speed claim.

03 Does one CASP authorisation cover all EU Member States automatically?

No authorisation proves automatic availability for every service and market. Article 65 provides a cross-border notification process, and the provider can offer only the services covered by its authorisation. Confirm the live register record, notification and target-market availability before relying on the route.

Tell us what you need

Map the viable route back to compliant EU operations

Bring your service scope, EU customer footprint, current authority evidence and operating model. SKY7 can structure a recommendation across fresh filing, acquisition, provider-led restructuring or orderly exit, together with the dependencies and evidence gaps to resolve.

Editorial note

Editorial disclaimer

Reviewed by Elena Korniets. Last reviewed: 13 July 2026. This article is general information only, not legal, regulatory, tax, investment or financial advice. Regulatory details in this article are time-sensitive; verify against the regulator's current publications before relying on them.