MiCA Final Deadline: 60 Days for Crypto Firms to Get Authorized or Lose EU Access
ESMA confirmed April 17 that the MiCA transitional period ends July 1, 2026. After that date, any unauthorized CASP serving EU clients is in breach of EU law.
On April 17, 2026, the European Securities and Markets Authority issued a statement that left no room for ambiguity. The MiCA transitional period ends across the entire European Union on July 1, 2026. After that date, any entity providing crypto-asset services to EU clients without a MiCA license is in breach of EU law and must cease offering those services. ESMA's statement is published in full at esma.europa.eu and has been picked up by every major regulatory publication tracking the file.
For the unauthorized providers still operating under transitional national regimes, that is roughly 60 days from the publication of this article. There are no extensions on the table. There is no informal arrangement available. The window for strategic decisions is closing.
This is the regulatory milestone the industry has been preparing for since June 2023, when MiCA entered into force. It is also the milestone many crypto firms underestimated.
What ESMA's April statement actually requires
The statement (ESMA75-113276571-1679, published April 17, 2026) sets out three categories of supervisory expectation that every CASP and competent authority should be working against right now.
First, unauthorized CASPs must have credible, operational, immediately executable wind-down plans in place by July 1, 2026. ESMA explicitly rejects letter-of-the-law compliance: a wind-down plan that exists on paper but cannot be operationalized does not meet the standard. National competent authorities are expected to verify the existence and adequacy of those plans, not just to accept their submission.
Second, authorized CASPs are required to actively manage the migration of existing clients before the deadline. ESMA expects authorized firms to onboard existing EU clients into their licensed entity with full AML and CFT compliance. The supervisory tolerance for migrations that arrive incomplete or non-compliant is described as "now over."
Third, third-country (non-EU) firms cannot serve EU clients except under the narrow reverse-solicitation exception. ESMA explicitly addresses outsourcing and delegation arrangements designed to route EU customer traffic through non-EU entities. Those arrangements are out of bounds under MiCA Article 33 and equivalent provisions, and ESMA has signaled it will scrutinize group structures for circumvention attempts.
The penalties for non-compliance are not modest. Article 111 of MiCA permits fines of up to €5 million or 5% of annual turnover, cease-and-desist orders, and effective bans on EU operations. National competent authorities have been instructed to be prepared to take action against unauthorized service provision after July 1.
Why so many firms still aren't authorized
A few patterns explain the long tail of unauthorized firms heading into the deadline.
The first is timing. The technical standards (RTS) and implementing standards (ITS) supplementing MiCA were not all finalized until early 2025. Many firms held their applications waiting for the final templates, then ran into authority backlogs. The Netherlands and Malta led the early issuance, with Germany following shortly after. As of late 2025, public reporting indicated more than 40 CASP licenses had been issued — concentrated in a handful of jurisdictions. The longer tail of applications is queued behind these.
The second is scope. MiCA's authorization regime requires evidence of governance, capital, IT security, custody safeguards, conflict-of-interest management, and operational continuity that many smaller crypto firms simply did not have on hand. Building that evidence into an authorization-ready submission is months of work, not weeks.
The third is the third-country question. Non-EU firms that have historically served EU clients through marketing reach or partnership arrangements are now confronting the choice: establish an EU subsidiary, exit the EU market, or rely on the reverse-solicitation exception (which ESMA has narrowly construed). Each of these is a strategic decision with material business consequences, not a compliance task.
What the 60-day push looks like operationally
For firms still inside the authorization process, the next 60 days are mostly about three workstreams.
Workstream one is the application file. The CASP application requires evidence of governance, fit-and-proper assessments for management, capital and reserve calculations, IT security architecture, AML and CFT program design, and customer asset segregation arrangements. Files arriving incomplete face delays that may push past the July 1 deadline.
Workstream two is the operational compliance program. The DORA digital operational resilience regulation overlays MiCA from January 17, 2025. Applicants need to demonstrate ICT risk management, incident reporting procedures, and third-party risk management compliant with DORA. The FATF Travel Rule (transferring originator and beneficiary data on crypto transfers) overlays as well, with EU-specific implementation under TFR (Regulation 2023/1113).
Workstream three is the client migration. For firms that obtain authorization, the existing customer base needs to be re-onboarded into the licensed entity with full KYC and AML compliance. ESMA expects this to be completed before the deadline, not after. Authorized CASPs that drag client migrations across the deadline are in non-compliant territory even if the firm itself holds a license.
The dual-licensing question for stablecoin issuers
Stablecoin issuers (specifically issuers of asset-referenced tokens or e-money tokens under MiCA) face a layered question that's worth flagging separately. The MiCA authorization for an EMT issuer overlaps with PSD2 e-money licensing in many member states. Issuers heading toward the July 1 deadline are confronting whether their existing PSD2 license is sufficient, whether MiCA EMT authorization is required in addition, or whether dual licensing is the only route. The answer varies by jurisdiction and by token design.
For the specific case of dollar-pegged stablecoins issued into EU markets, the dual-licensing question becomes a material commercial decision. EBA guidance has tightened on prudential requirements for significant ART/EMT issuers, and the supervisory bar for cross-jurisdictional stablecoin operations is meaningfully higher than for single-jurisdiction issuers.
What deepidv brings to the deadline
For CASPs racing the deadline, the verification, AML, and Travel Rule infrastructure deepidv runs is examination-ready by default. A single platform handles KYC, KYB with UBO resolution, sanctions and PEP screening (Arbiter agent fleet), Travel Rule message generation and consumption, and ongoing transaction monitoring. Each verification produces a cryptographic receipt that survives regulatory examination, which is exactly what the AMLA's outcome-effectiveness supervision approach (effective in 2027) will require. Luna, the AI compliance co-pilot, drafts the procedural compliance documentation that the application file demands. The combination compresses the runway from "months to assemble" to "weeks to demonstrate."
MiCA Authorization Deadline FAQ
- What happens to firms that miss the July 1, 2026 deadline?
- Per ESMA's April 17 statement, any entity providing crypto-asset services to EU clients without MiCA authorization after July 1, 2026, is in breach of EU law and must cease offering services. National competent authorities are expected to take enforcement action, with penalties under MiCA Article 111 of up to €5 million or 5% of annual turnover.
- Can the deadline be extended?
- ESMA's statement is explicit that the deadline is uniform across the EU and is not subject to extension. Member state-level transitional measures cannot extend beyond July 1, 2026, regardless of national implementation timing.
- How long does CASP authorization take from application to decision?
- MiCA requires the competent authority to render a decision within 90 working days of a complete application (with possible extensions). In practice, the time from initial submission to authorization has ranged from 4 to 9 months depending on the jurisdiction and the firm's preparedness.
- What about firms that submitted applications and are awaiting decisions?
- Firms with applications under review benefit from the transitional regime until the authority renders a decision (or refuses authorization). However, firms must be operating under a valid national pre-MiCA regime to qualify for the transitional protection. Firms that never operated under national VASP rules cannot rely on the transition.
- Can a non-EU CASP serve EU clients via a partnership with an authorized firm?
- ESMA has signaled it will scrutinize outsourcing and delegation arrangements that effectively route EU customer activity through non-EU entities. Pure white-labeling arrangements are unlikely to satisfy the scrutiny. Genuine commercial partnerships where the authorized CASP is the contracting party with EU clients are workable; pass-through arrangements are not.
- What is the relationship between MiCA and the EU's AMLA?
- AMLA, the EU's anti-money laundering authority, is selecting its first 40 supervised entities and will begin direct supervision in 2027–2028. CASPs are within scope. The AMLA RTS deadline of July 10, 2026 covers ongoing monitoring and outcome-effectiveness obligations that overlay on top of MiCA's authorization-stage requirements. Compliance programs designed for MiCA authorization should also map cleanly to AMLA expectations.
- How does the FATF Travel Rule fit in?
- The FATF Travel Rule, as implemented in the EU under TFR (Regulation 2023/1113), requires CASPs to transmit and verify originator and beneficiary information on crypto transfers above specified thresholds. CASPs operating under MiCA must implement Travel Rule compliance independently, but the operational overlap (data collection, screening, record-keeping) is significant.
Relevant Articles
FDIC Extends GENIUS Act Comment Period to May 18
What stablecoin issuers should file before the deadline.
May 12, 2026
Meta Just Made AI Bone-Structure Analysis the Default Age Verification
Inferred-age detection is now production infrastructure at platform scale.
May 11, 2026
The UK Digital ID Consultation Closed Amid Industry Pushback
The architecture lesson is for everyone else designing digital ID.
May 13, 2026
The SEC Just Sent 'Regulation Crypto' to the White House
What it means for KYC at digital asset firms.
Apr 8, 2026
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
Learn More