31.01.2025

MiCA Regulation: Steps towards digital compliance

The EU's MiCA regulation creates a single regulatory framework for crypto assets. Rules for asset-backed and e-money tokens have been in force since 30 June 2024, and the Regulation will be fully applicable from 30 December 2024. Existing national regulations, such as the Crypto Asset Transfer Regulation or the Banking Act, will be supplemented by the more comprehensive requirements of the MiCA Regulation. It is of great importance for companies in the digital sector, especially in the field of blockchain technologies.

Arrange a no-obligation initial consultation

Aims of the MiCA Regulation

The objective of the MiCA Regulation is to establish uniform requirements for the public offering and admission to trading on a trading platform of asset-referenced tokens (ARTs) and e-money tokens and crypto-assets other than asset-referenced tokens and e-money tokens, as well as requirements for providers of crypto-asset services.

The aim is to strengthen investor protection in an industry that has been lightly regulated to date, and to ensure market functioning and financial stability through clear requirements. As with the AI Regulation, the EU intends to strengthen the attractiveness of the EU as a business location for crypto, blockchain and AI technologies.

Scope of application

The regulation applies to natural and legal persons and certain other entities involved in the issuance, public offer and admission to trading of crypto-assets in the Union or providing services related to crypto-assets. Non-fungible tokens (NFTs) are explicitly excluded from the scope. Furthermore, the regulation does not apply to various insurance and pension products.

The scope of application with its focus on financially relevant crypto-assets shows that the EU wants to close a gap in financial market regulation with the MiCA Regulation by covering and regulating cases in which crypto-assets play a role comparable to that of securities in traditional financial transactions, for example.
The obligations and requirements that a company must observe and comply with depend on the type of crypto asset in question and whether crypto asset services are provided.

According to the regulation, a crypto-asset is a digital representation of value or a right that can be electronically transferred and stored using distributed ledger technology or similar technologies. The regulation further divides the term into three different types of token:

  • Asset-backed token: a crypto-asset, other than an e-money token, whose value is to be maintained by reference to another asset or right, or a combination thereof, including one or more official currencies.
  • E-money token: a crypto asset whose stability of value is maintained by reference to the value of an official currency
  • Utility Token: a crypto-asset whose sole purpose is to provide access to a good or service provided by the issuer.

The regulation therefore primarily covers so-called "stablecoins", i.e. cryptocurrencies whose value stability is linked to an official currency. Other crypto assets, including those without an identifiable issuer such as bitcoin, remain unregulated.

Investment tokens (so-called security tokens) also remain unregulated by the MiCA. Such tokens embody monetary rights vis-à-vis issuers. The rights consist, for example, in the participation of the investor in the reference value of the issuer's company. They are officially recognised securities in token form, following the rules already in place for securities. Security tokens also include tokens that make physical objects (e.g. works of art or real estate) tradable on the blockchain (so-called fractionalised NFTs).

Such security tokens are considered financial instruments pursuant to Section 1 (11) no. 10 of the German Banking Act (KWG), which are expressly excluded from the scope of the Regulation pursuant to Article 2 (4) (a) of the MiCA Regulation.

Requirements and obligations

The Regulation lays down specific legal consequences for market participants for each category of cryptocurrency and for the provision of cryptocurrency services. It also sets out measures to prevent market abuse.

Requirements for cryptoassets other than asset-backed tokens and e-money tokens

In Articles 4 to 15, the MiCA Regulation first sets out requirements for other crypto-assets that are not classified as asset-backed tokens or e-money tokens. In contrast to the other requirements of the regulation, these are therefore not aimed at a specific type of token. Rather, the title acts as a catch-all regulation, setting out requirements that apply to a wide range of tokens and crypto-assets.

In particular, it covers so-called utility tokens. However, it is important to make a distinction here. Utility tokens that grant access to a good or service that already exists or is already provided are excluded from the scope. The MiCA regulation therefore only covers utility tokens for a future good or service, i.e. one that does not yet exist or is not yet provided.

A concrete example:

A company issues utility tokens to grant access to a decentralised storage solution. If the decentralised application (dApp) is already fully developed and available and the token only serves as an access key, this token is not covered by the MiCA Regulation.

On the other hand, if the company sells tokens to fund the development of the dApp and the tokens are only intended to provide access to this software once it is complete, then these are utility tokens that fall under the scope of the MiCA Regulation. In this case, the token is being used as a means of financing future services and therefore the regulation applies.

The public offering and admission to trading of cryptoassets, with the exception of asset-backed tokens or e-money tokens, is subject to a so-called prohibition with permission (Art. 4 and 5 MiCA). This means that it is generally prohibited to offer such cryptoassets to the public or to apply for admission to trading unless certain conditions are met.

The requirements for a public offer and for an application for admission to trading are essentially identical. In principle:

  • it must be a legal entity,
  • a white paper on cryptoassets is prepared, submitted to the Authority and published on the website,
  • the marketing communications are prepared, submitted to the Authority and published on the website; and
  • comply with the provider requirements.

The first essential requirement for the public offering and admission to trading of cryptoassets other than ARTs and e-money tokens is the preparation of a cryptoasset white paper (Art. 7 MiCA). The content of this white paper is specified by the regulation in Art. 6 and a template is provided in Annex I of the Regulation. The purpose of such a white paper is to provide investors and competent authorities with sufficient information about the crypto asset.

It is therefore essential that the white paper contains, inter alia, information on

  • the provider or issuer
  • the crypto asset project
  • the crypto asset
  • the underlying technology
  • the risks

are included. The information must be accurate, clear and not misleading. In addition, the white paper must draw attention to the risks associated with crypto assets, such as the fact that crypto assets may lose some or all of their value.

The MiCA also regulates how and in what manner such crypto assets may be marketed. In order to adequately protect investors and ensure a fair market, marketing information must be clearly recognisable as such and must be honest and not misleading. In addition, marketing communications must be consistent with the information in the white paper.

Both the white paper and the marketing communications must be submitted to the competent authority (Art. 8 MiCA). Providers must also make this information freely available on their website (Art. 9 MiCA Regulation). The whitepaper must also be kept up to date at all times and must be amended if information in the whitepaper proves to be materially incorrect or inaccurate.

A common problem with cryptocurrencies is so-called "rugpulls", where investments are collected for a cryptocurrency, but the cryptocurrency is never issued. Instead, the provider disappears with the collected funds and investors are regularly left with their losses. The European legislator has also recognised this problem and has introduced provisions in Art. 10 para. 3 of the MiCA Regulation to prevent such practices. Providers are obliged to monitor the funds collected and to keep them safe, for example by depositing them with a credit institution.

Requirements for asset referenced tokens

The public offer and the application for admission to trading of asset-backed tokens are also subject to an admission requirement. Some of the requirements for both crypto-assets are essentially the same. For example, the issuer of an ART is also subject to the obligation to prepare, submit and publish the crypto asset white paper and the obligation to make fair and non-misleading marketing communications (Art. 19, 28, 29).

However, the requirements for ARTs are much stricter than those for other crypto assets such as asset-referenced tokens or e-money tokens.
For example, Art. 16 already restricts the group of persons who may apply for authorisation. While for other crypto-assets it is sufficient for a legal entity to apply for admission, for the admission of ARTs it is necessary to have a person who is the issuer of the crypto-asset and either

  • a legal person or other company with a branch in the EU, authorised by the competent authority or the home Member State in accordance with Art. 21, or
  • a credit institution. Credit institutions are also subject to extended requirements pursuant to Art. 17 MiCA.

An application for authorisation must be made to the competent authority of the home Member State.

The application for authorisation must be accompanied by a wide range of information. For example, information on the issuer, the business plan and the business model must be provided, the identity of the members of the management body must be disclosed and the security and risk management measures taken must be described in accordance with Art. 34 MiCA.

The aforementioned Art. 34 MiCA plays an important role. It establishes a corporate governance regime. It sets out personal requirements for the governing bodies and shareholders, as well as technical and organisational requirements. For example, clear organisational structures with precisely defined, transparent and coherent areas of responsibility must be established. This includes ensuring that board members have the necessary knowledge and skills to perform their duties. Above all, however, the members of the management body must be sufficiently reliable; in particular, criminal convictions may be an argument against reliability.

An effective risk management system is required, both technically and organisationally. The risk management system must include safeguards for the security of IT systems, a business continuity strategy, rapid recovery of data and functions, and internal control and evaluation measures.

To protect investors, issuers must also have a sufficient asset reserve to cover the risks associated with the assets to which the asset-backed tokens relate. This asset reserve must be separate from the issuer's assets and must also be insolvency-proof so that the issuer's creditors cannot access it in the event of insolvency.

Special case: Significant asset-backed tokens

The requirements for ARTs increase if they are so-called significant asset-referenced tokens. These include ARTs with significant market significance. According to Art. 43 para. 1 MiCA regulation, significance can be determined, among other things, either on the basis of

  • the number of token holders (as of 10 million holders)
  • the value of the issued tokens (more than EUR 5 billion), or
  • the classification of the issuer as a gatekeeper under the Digital Services Act,
  • the issuance of another ART or e-money token by the issuer.

Issuers may also voluntarily classify themselves as a significant ART.

The more stringent obligations for these significant ARTs relate primarily to the maintenance of liquidity. Issuers of significant ARTs must assess and monitor their liquidity needs in order to ensure that redemption requests from holders of asset-backed tokens can be met. To this end, they must establish, maintain and implement liquidity management policies and procedures and conduct regular liquidity stress tests.

In addition, a recovery plan must be drawn up which sets out the measures to be taken by the issuer to restore compliance with the requirements applicable to the asset reserve in the event that the issuer fails to comply with these requirements. The recovery plan must also cover the maintenance of the issuer's services related to the asset-backed token, the rapid recovery of business operations and the fulfilment of the issuer's obligations in the event of events that pose a significant risk of disruption to business operations.

Requirements for e-money tokens

The requirements for issuers of e-money tokens are essentially identical to those for issuers of ARTs. However, the circle of persons who wish to offer e-money tokens to the public or apply for admission to trading is again considerably restricted in Art. 48. While a legal entity with an establishment in the Union could still apply for admission to trading of an ART, only persons who are credit institutions or e-money institutions may offer e-money tokens or apply for admission to trading.

As with the cryptoassets mentioned above, issuers of e-money tokens must also prepare and publish a cryptoasset white paper and only publish fair, clear and non-misleading marketing communications (Art. 51, 53 MiCA Regulation).

Special case: Significant e-money tokens

E-money tokens can also be classified as significant e-money tokens due to their special role and importance in the market. However, in contrast to ARTs, it is not sufficient that only one of the criteria listed in Art. 43 (1) of the MiCA Regulation. Instead, at least three criteria must be met cumulatively. Issuers - like the issuers of ARTs - may also voluntarily classify their tokens as significant e-money tokens.

By classifying their tokens as significant e-money tokens, issuers will have to comply with the same obligations as for significant ARTs.

Requirements for crypto-asset service providers

In addition to issuers and providers of crypto-assets, the MiCA also covers providers of crypto-asset services (Art. 59 to 85). The following services and activities in connection with crypto assets are covered as crypto asset services

  • Custody and administration of crypto assets for clients,
  • Operating a trading platform for crypto-assets,
  • Exchanging crypto assets for cash or other crypto assets,
  • Executing orders for crypto assets for clients,
  • Placing crypto assets,
  • Accepting and transmitting orders for crypto assets for clients,
  • Providing advice on crypto assets,
  • Crypto asset portfolio management,
  • Providing crypto asset transfer services to clients.

The provision of such services is subject to authorisation and may only be provided by

  • a legal person or other entity authorised as a provider of cryptoasset services pursuant to Art. 63 MiCA, or
  • a credit institution, central securities depository, investment firm, market participant, electronic money institution, UCITS management company or alternative investment fund manager authorised to provide crypto-asset services pursuant to Art. 63 MiCA,

are provided. Providers must be established in a Member State in which they conduct at least part of their crypto-asset business and have their place of effective management in the Union, and at least one of the managers must be established in the Union (Art. 59 MiCA).

Like issuers of crypto-assets, providers of crypto-asset services must act honestly, fairly and professionally and in the best interests of their clients and potential clients and provide them with information that is clear, fair and not misleading. They also have a duty to keep crypto-assets and client funds safe.

Like issuers of ARTs, service providers are subject to corporate governance rules that are essentially the same. For example, the members of the board of directors must be trustworthy, have the necessary knowledge and have a risk management system in place.

In addition to these general obligations that must be fulfilled by all crypto asset service providers, the MiCA sets out specific requirements for different categories of services in Articles 75 to 82.

Prevention and prohibition of market abuse

In addition to the respective obligations and requirements for providers or issuers of crypto-assets and providers of crypto-asset services, Articles 86 to 92 of the MiCA Regulation contain provisions on the prevention and prohibition of market abuse. The provisions apply to all activities in connection with crypto assets that are admitted to trading or for which admission has been applied for.

The MiCA provides for the following measures to prevent market abuse

  • Disclosure of inside information (Art. 88 MiCA): Issuers, offerors and persons asking for admission to trading must disclose inside information that directly concerns them to the public without delay and in a manner that enables the public to have rapid access and to make a complete, accurate and timely assessment. The disclosure of inside information to the public must not be linked to the marketing of their activities.
  • Prohibition of unlawful disclosure of inside information (Art. 90 MiCA): In order to protect the companies concerned, anyone in possession of inside information is prohibited from unlawfully disclosing this inside information to third parties. Unless such disclosure is made in the normal course of employment, profession or duties.
  • Prohibition of insider trading (Art. 89 MiCA): The MiCA provides for a comprehensive prohibition of insider dealing. No person may engage or attempt to engage in insider dealing or use inside information about cryptoassets to acquire or dispose of such cryptoassets, directly or indirectly, for his own account or for the account of a third party. In addition, no one may recommend or induce third parties to engage in insider dealing.
  • Prohibition of market manipulation (Art. 91 MiCA): The regulation prohibits any form of market manipulation. Market manipulation within the meaning of the regulation includes, among others, actions that give false or misleading signals regarding the supply or price of cryptoassets or the demand for them, as well as causing an abnormal or artificial price level of cryptoassets. The MiCA Regulation gives as a regulatory example of market manipulation the securing of a dominant position in relation to the supply of or demand for a crypto-asset, which has the effect or is likely to have the effect of directly or indirectly fixing the buying or selling price or other unfair trading conditions.
  • Prevention and Detection of Market Abuse (Art. 92 MiCA): In order to prevent market abuse, the regulation requires that the companies concerned have effective arrangements, systems and procedures in place to prevent and detect market abuse. Firms are subject to a reporting obligation. They must immediately report any reasonable suspicion that there are circumstances indicating that market abuse has been committed, is being committed or is likely to be committed.

Liability and sanctions

Liability

Irrespective of the specific type of crypto-asset or the provision of crypto-asset services, compliance with the requirements is the responsibility of the management body of the provider or issuer. In principle, there is liability for the information contained in the crypto-asset white paper if it is incomplete, dishonest, incomprehensible or misleading and investors have suffered losses as a result (Art. 15, 26 and 52 MiCA). Liability cannot be contractually excluded.

Sanctions

Article 111 of the MiCA provides for sanctions in the form of fines for violations of the requirements and obligations of the regulation. The sanction framework is also differentiated - as are the respective requirements with regard to crypto assets.

For example, the level of fines depends on whether obligations relating to other crypto-assets, asset-backed tokens or e-money tokens have been breached.

This results in the following penalty regime:

  • Violations of the requirements for cryptoassets other than ARTs and e-money tokens (Art. 4 to 14 MiCA): A fine of EUR 5 million or 3% of the legal entity's total annual turnover.
  • Violations of the requirements for ART issuers: EUR 5 million or 12.5% of the total annual turnover of the legal entity.
  • Breaches of the requirements for issuers of electronic money tokens: EUR 5 million or 12.5% of the total annual turnover of the legal person.
  • Breaches of the requirements applicable to crypto-asset service providers: EUR 5 million or 5% of the total annual turnover of the legal person.
  • Breaches of measures to prevent market abuse: EUR 2.5 million or 2% of the total annual turnover for the unlawful disclosure of inside information and EUR 15 million or 15% of
  • the total annual turnover for the other measures.

It should be noted that the above fines are minimum fines and cannot be lowered.

Challenges and recommendations

Companies should first assess whether and to what extent they fall within the scope of the MiCA Regulation. It should also be noted that companies are not only subject to the obligations of the MiCA Regulation. In addition to the MiCA requirements, there are other regulatory requirements. Depending on the type of cryptoasset offered and the business activity, additional obligations may arise from the DORA Regulation. The German Banking Act (KWG) may also apply to the companies concerned. It is therefore necessary to have an overview of all regulatory requirements and to understand the relationship and interaction between the laws.

It is also important that the Crypto Asset Whitepaper is prepared with due diligence and that its content is regularly evaluated and amended if necessary. This is because the whitepaper is the starting point for potential liability. The regulation also requires close internal cooperation with marketing departments. It must always be ensured that marketing communications are consistent with the information in the crypto-asset whitepaper.

Compliance with data protection regulations on the one hand and cyber and IT security requirements on the other are challenging. For newly established companies in particular, meeting the obligation to maintain adequate asset reserves and the obligation to properly safeguard investors' funds may be more difficult.

Conclusion

Although the MiCA regulation imposes significant obligations on the companies concerned, the implementation and compliance of which entails organisational and financial costs, the regulation of crypto assets is to be welcomed. Not only does it protect investors from dishonest or even fraudulent intentions. It also strengthens and emphasises the importance that crypto assets now have. The convergence with existing financial market regulations shows that the EU attaches similar importance to cryptocurrencies as it does to traditional financial transactions.

We can provide you with comprehensive support in implementing and complying with regulatory requirements. In particular, we can assist your firm with the preparation of crypto asset whitepapers and related marketing communications.

More news

13.02.2025

Microsoft Copilot for M365 and privacy: How to use it securely in your organisation

10.02.2025

AI Act: New obligations from 2 February 2025

07.02.2025

Software Escrow: Secure storage of source code