Friday, June 26, 2026
MiCA Grandfathering Explained: The Rules, the Deadlines and the Enforcement
Global News.png){kind=logo}
On July 1, 2026, the last transitional protection available under the Markets in Crypto-Assets Regulation expired. Every crypto-asset service provider still operating in the EU without full CASP authorization is now in breach of EU law.
That protection was called grandfathering. Most firms understood the deadline. Far fewer understood how grandfathering actually worked, and that gap cost many of them their window to comply.
This post explains exactly what grandfathering required, why it was not automatic, which jurisdictions closed their windows early, where the EU market stands now, and what compliance teams need to do next.
Article 143(3) of Regulation (EU) 2023/1114 created a transitional arrangement for firms that were already providing crypto-asset services lawfully before December 30, 2024. Those firms were permitted to keep operating under their existing national registration or licensing regime while they worked through the MiCA CASP authorization process.
The outer time limit was 18 months from December 30, 2024. That put the final EU-wide deadline at July 1, 2026.
The purpose was practical. MiCA created an entirely new authorization framework with capital requirements, governance standards, AML obligations, and Travel Rule integration that did not exist in most EU national regimes. Requiring every existing firm to be MiCA-authorized from day one was not workable. Grandfathering gave firms time to prepare their applications and build the compliance infrastructure the new framework requires.
This is the detail that tripped up hundreds of firms across Europe, and it is worth being precise about it.
Grandfathering did not attach to every registered VASP by default. It required two conditions to be met at the same time.
First, the firm needed to be providing crypto-asset services lawfully in its EU member state before December 30, 2024. Second, it needed to submit a formal CASP authorization application to its national competent authority before that member state's own application deadline.
Both had to be true. A VASP registered before December 30, 2024, that did not file an application before its jurisdiction's cutoff has no grandfathering protection, regardless of what the EU-wide July 1 date says.
This matters because most EU member states set application deadlines that fell well before July 1, 2026. By the end of 2025, the window had already closed in the majority of jurisdictions.
A Crypto-Asset Service Provider (CASP) is a legal entity authorized by a national competent authority in an EU member state to provide one or more of the ten categories of crypto-asset services defined in Article 3(1)(16) of Regulation (EU) 2023/1114.
Before MiCA, the equivalent category was the VASP (Virtual Asset Service Provider), a designation used primarily in the context of FATF anti-money laundering standards. VASP status was an AML registration. It did not confer the right to provide financial services across borders and carried no harmonized supervisory standard.
A CASP authorization is materially different. It is a financial services license, not a registration. It requires a regulator to assess the firm's governance structure, capital adequacy, management suitability, AML program, IT security, and operational resilience before granting the right to operate. Once granted in one EU member state, it passports across all 30 EEA countries.
The ten service categories that require CASP authorization are:
A firm must be authorized for each category it provides. Authorization for custody does not automatically cover trading platform operation. Compliance teams reviewing counterparty CASPs should check the ESMA register not just for authorization status but for which specific service categories are covered.
For a full country-by-country breakdown of how to obtain a CASP authorization, see Scorechain's CASP license country guides.
The EU-wide July 1 date was the ceiling, not the common deadline. Every member state set its own application cutoff, and some set them very early.
Source: ESMA published list of MiCA grandfathering periods
Any firm registered in Germany, the Netherlands, Austria, Ireland, Lithuania, or Slovakia that did not submit a formal CASP application before its member state's cutoff cannot claim grandfathering protection. The July 1, 2026 date is irrelevant for them.
For country-specific CASP license requirements across all EU jurisdictions, see Scorechain's CASP license country guides.
The conversion from a pre-MiCA VASP registration to a full MiCA CASP authorization was not a simple renewal process. For most firms, it required rebuilding compliance infrastructure from the ground up.
Pre-MiCA national regimes in most EU member states were primarily AML frameworks. They required firms to register, implement KYC procedures, and report suspicious transactions. They did not require capital buffers, fit-and-proper management assessments, published white papers, segregation of client assets, or operational resilience programs. MiCA requires all of these.
The conversion process for an existing VASP typically involved:
Governance restructuring. MiCA requires a management body with documented fit-and-proper assessments of each member. Many pre-MiCA VASPs operated with informal governance structures that did not meet the standard. New roles had to be created or incumbent directors assessed and documented.
Capital adequacy. MiCA sets minimum own funds requirements based on service category, ranging from approximately 50,000 to 150,000 euros depending on which services the CASP provides. Many pre-MiCA VASPs did not hold dedicated regulatory capital of this kind.
AML program rebuild. While pre-MiCA VASPs had AML obligations, MiCA aligns CASP AML requirements with the full EU Anti-Money Laundering Directive framework. This includes documented risk appetite statements, enhanced due diligence procedures for high-risk customers, transaction monitoring systems, and STR filing procedures linked to national financial intelligence units.
Travel Rule infrastructure. Regulation (EU) 2023/1113 requires verified originator and beneficiary data on every crypto transfer with no minimum threshold. Most VASPs were not operationally ready for this. Implementing Travel Rule compliance required selecting a protocol, integrating counterparty discovery, and building workflows for handling incomplete or missing data.
Crypto-asset white papers. Where a CASP issues or offers crypto-assets to the public, a MiCA-compliant white paper must be published. For many existing platforms offering token-related services, this was an entirely new obligation.
The firms that converted successfully were, in almost every case, the ones that started building this infrastructure in 2023 and 2024, well before the December 2024 MiCA effective date. Firms that waited until 2025 ran into the reality that authorization processes take months, regulators were receiving high volumes of applications, and last-minute submissions faced heightened scrutiny.
ESMA confirmed in April 2026 that July 1 was final. No extensions. In the weeks before the deadline, ESMA was direct about what non-authorized firms had to do.
Stop onboarding new EU clients. Stop marketing to EU users. Help existing clients sell, transfer, or close their positions. Maintain custody only long enough to facilitate an orderly exit. Notify clients of any timelines for automatic position closure.
ESMA also warned that applications submitted in the final weeks before the deadline would face heightened scrutiny. A pending application filed at the last minute does not preserve the right to keep operating while it is reviewed.
The numbers tell a clear story about what happened to the pre-MiCA EU crypto market.
Approximately 200 to 210 crypto-asset service providers hold full CASP authorization as of mid-2026, according to the ESMA Interim MiCA Register. That is out of more than 1,200 entities that held pre-MiCA national registrations across the EU, a conversion rate of roughly 17%.
Across the EU as a whole, an estimated 3,000 crypto firms were registered in some capacity before MiCA. Most of them will stop serving EU customers, exit the market voluntarily, or face enforcement action.
The volume picture is different. The authorized firms account for an estimated 95% of EU crypto transaction volume. Market share was already concentrated in a small number of large platforms before MiCA. The firms that invested in compliance infrastructure were the ones that converted.
For context on how stablecoin authorization played out in parallel, including the USDT situation and which issuers have EMT authorization, see Scorechain's EU stablecoin regulation guide.
One of MiCA's most significant practical consequences is the EU passport. A CASP authorized by any single national competent authority in an EU member state can provide its licensed services across all 27 EU member states plus Iceland, Liechtenstein, and Norway, without requiring separate authorization in each country.
This replaces the pre-MiCA model, where a firm licensed in one member state had no automatic right to operate in another. A BaFin crypto custody authorization did not authorize operation in France. A Maltese VFA license was not recognized in Germany. Each jurisdiction required its own registration, its own compliance program, and its own regulator relationship.
Under MiCA passporting, a CASP authorized in Malta by the MFSA can serve customers in Germany, France, Italy, Spain, and all other EEA countries from that single authorization. The only procedural step required is a passporting notification to the host member state's regulator.
This has driven significant jurisdiction selection strategy. Firms have chosen their home member state based on regulatory speed, supervision style, language of proceedings, and perceived willingness of the NCA to engage constructively with crypto businesses.
The practical effect for compliance teams is also important. When you verify a counterparty CASP against the ESMA Interim MiCA Register, the home member state shown in the Title V file is the authorizing regulator. That NCA remains the primary supervisor regardless of which other EU countries the CASP is passporting into. If you have a supervisory concern or regulatory question about a passported CASP operating in your country, the relevant contact point is the home NCA.
The consequences of operating without authorization after July 1 are set out in Article 111 of MiCA.
At the administrative level: fines up to 5 million euros or 10% of annual turnover, whichever is greater. Suspension or prohibition of services by the national competent authority. Public listing on the ESMA non-compliant entity register, which is visible to every institutional counterparty and due diligence team in the market.
At the criminal level, France has gone further. The AMF has warned that operating without authorization in France can result in prosecution carrying up to two years in prison and a 30,000 euro fine for the responsible individuals.
For firms that are counterparties to unauthorized CASPs, the listing on ESMA's non-compliant register is now a live due diligence risk. Any transaction monitoring program worth running should be checking that register on a routine basis.
Getting authorization was the start, not the finish. MiCA compliance for authorized CASPs is a continuous program, and the post-authorization obligations are material.
Transaction monitoring has to cover every blockchain the platform supports, not just Bitcoin and Ethereum. A CASP offering TRON-based USDT transfers but running monitoring only on major chains has a coverage gap that regulators will find. Scorechain's transaction monitoring tools cover 23 blockchains.
Wallet screening needs to be continuous. Checking wallets at onboarding and leaving it there is not sufficient. Sanctions exposures and risk profiles change. A wallet that was clean six months ago may not be clean today. Scorechain's wallet screening solution runs ongoing checks against EU, UN, OFAC, and UK consolidated sanctions lists.
Travel Rule compliance under Regulation (EU) 2023/1113 applies to every crypto transfer with no minimum threshold. Every CASP-to-CASP transfer needs verified originator and beneficiary data flowing through the systems before or at execution. Self-hosted wallet transfers above 1,000 euros require ownership verification. If your Travel Rule infrastructure is not handling this operationally, it is the most urgent gap to close. See Scorechain's Travel Rule compliance guide for the full operational picture.
Know Your Customer obligations under MiCA are embedded from the EU Anti-Money Laundering Directive framework and apply to all authorized CASPs. Crypto KYC under MiCA is not a simplified process and regulators have been clear that standards applied in the crypto sector must match those applied in traditional financial services.
At onboarding, CASPs must collect and verify:
Beyond initial onboarding, MiCA requires ongoing KYC. Customer risk profiles must be reviewed periodically, triggered by transaction patterns, changes in customer behavior, or the passage of time. Enhanced due diligence is required for politically exposed persons, customers from high-risk jurisdictions, and transactions above applicable thresholds.
PEP screening and adverse media screening are not optional add-ons. They are required elements of the MiCA-aligned AML program. A compliance team that screens at onboarding but not on a continuous basis has a gap that supervisors will identify.
The most common KYC failure mode in MiCA supervisory reviews has been documentation. Firms can have the right procedures on paper but fail to demonstrate that those procedures were actually applied consistently and recorded adequately for each customer. MiCA-compliant KYC requires both the process and the audit trail.
Scorechain's wallet screening solution runs continuous KYC-adjacent checks on wallet risk, sanctions exposure, and counterparty classification, supplementing the customer-level KYC process with transaction-level intelligence.
AML compliance for MiCA-authorized CASPs operates across three layers that must work together: customer due diligence, transaction monitoring, and suspicious transaction reporting.
Customer due diligence is the KYC layer described above. It establishes who the customer is, what their risk profile is, and whether enhanced scrutiny is required.
Transaction monitoring is the operational layer that identifies financial crime risk in real time. It must cover all crypto-asset transfers the CASP processes, across all supported blockchains. Monitoring systems must be configured to detect layering, structuring, sanctions exposure, darknet market exposure, mixer usage, and other high-risk indicators. MiCA-compliant transaction monitoring is not achievable with a system that covers only Bitcoin and Ethereum when the CASP also processes TRON, BNB Chain, or other networks.
Suspicious transaction reporting (STR) is the reporting layer. When monitoring systems or compliance officers identify a transaction or customer that meets the threshold for suspicious activity, a report must be filed with the national Financial Intelligence Unit. Each EU member state operates its own FIU. The filing obligation exists regardless of whether a transaction is completed or refused.
These three layers must be documented, tested, and auditable. Regulators conducting MiCA supervisory reviews expect to see not just that systems are in place but that they are used, that alerts are investigated, that investigations are recorded, and that reporting decisions are documented with reasoning.
Starting in 2026, the EU's Anti-Money Laundering Authority (AMLA) will directly supervise the largest cross-border CASPs. Firms meeting the size thresholds for AMLA oversight will face a more intensive supervisory relationship than they experienced under national AML regimes.
Wallet screening is a core ongoing obligation for MiCA-authorized CASPs, not a one-time onboarding step.
The requirement flows from MiCA's AML program obligations. A CASP that screens wallets at customer onboarding but does not screen transaction counterparty wallets, does not re-screen existing customers periodically, and does not screen incoming transfers before crediting accounts has a material compliance gap.
Sanctions exposure is dynamic. An address that was clean at onboarding may become exposed to a sanctioned entity through subsequent transactions. A wallet that was unconnected to any high-risk entity six months ago may now have direct or indirect exposure to a darknet market or a newly designated individual. Screening once and never again leaves the CASP blind to changes that happened after the initial check.
For CASPs operating at volume, manual wallet screening is not a viable compliance model. The process requires automated blockchain analytics tools that run continuous checks, flag changes in wallet risk profiles, and generate audit trails showing when each check was run and what result it produced.
EU sanctions lists are updated regularly. The EU consolidated sanctions list is a live document. So are the OFAC SDN list, the UN consolidated list, and the UK sanctions list. A CASP's screening program must cover all applicable lists and must update when those lists change.
Scorechain's wallet screening runs continuous checks across 23 blockchains against EU, UN, OFAC, and UK consolidated sanctions lists, with real-time alerting when wallet risk profiles change.
The Travel Rule under MiCA is implemented by Regulation (EU) 2023/1113, the Transfer of Funds Regulation, which runs in parallel with the CASP authorization framework. It is one of the most operationally demanding compliance requirements in the MiCA package.
The core requirement: every crypto-asset transfer must be accompanied by verified information about both the originator and the beneficiary. There is no minimum threshold. A transfer of 10 euros triggers the same data collection and transmission obligation as a transfer of 10 million euros.
For CASP-to-CASP transfers, both the originating and receiving CASP must exchange Travel Rule data. The data must travel with the transaction, either before execution or at the moment of execution. Sending Travel Rule data after the fact does not meet the requirement.
The required data fields for the originator are: full name, crypto-asset account number (wallet address), and at minimum one of the following: physical address, national identity number, customer identification number, or date and place of birth. For the beneficiary: full name and crypto-asset account number.
Transfers to self-hosted wallets add another layer. For transfers above 1,000 euros to a wallet not hosted by a regulated CASP, the originating CASP must verify that the wallet is controlled by the customer. The verification method is not prescribed by the regulation but must be documented and risk-based.
The most common Travel Rule failure is counterparty discovery. When a CASP cannot identify the receiving VASP or the receiving entity does not support Travel Rule data exchange, the originating CASP cannot simply process the transfer as normal. It must apply risk-based controls, which may include declining the transfer or applying enhanced due diligence.
For a full operational guide to Travel Rule compliance, see Scorechain's Travel Rule compliance guide.
The source to use is the ESMA Interim MiCA Register, published as downloadable CSV files updated weekly.
The Title V file lists every authorized CASP by entity name, issuing regulator, authorized service categories, and authorization date. The non-compliant entity file lists firms that have been formally flagged by a national regulator.
If you are a compliance team onboarding a new counterparty, reviewing your existing CASP relationships, or conducting due diligence on a crypto firm for banking purposes, this register is the check that needs to be in your standard process. A firm not on the Title V list is not MiCA-authorized. A firm on the non-compliant list carries active regulatory risk.
MiCA grandfathering is the transitional provision in Article 143(3) of Regulation (EU) 2023/1114. It allowed crypto-asset service providers that were operating lawfully before December 30, 2024 to continue under their existing national regimes while applying for full CASP authorization. The maximum period was 18 months, ending July 1, 2026. It was not automatic. It required both a pre-MiCA lawful operation and a formal CASP application filed before the member state's own deadline.
The EU-wide MiCA grandfathering period ended on July 1, 2026 across all 30 EEA countries. ESMA confirmed in April 2026 there would be no extensions. For Germany, the Netherlands, Austria, Ireland, Lithuania, and Slovakia, the application deadlines that actually triggered grandfathering protection had already closed by December 2025.
No. Each member state set its own application deadline. The Netherlands and Poland closed their windows in June 2025. Germany, Austria, Ireland, Lithuania, and Slovakia set December 2025 cutoffs. France, Malta, Luxembourg, Estonia, and Cyprus allowed the full 18 months to July 1, 2026. July 1 was the outer ceiling, not the common deadline. The country-by-country breakdown is in the table above, sourced from the ESMA MiCA page.
A VASP that did not file a formal CASP application before its member state's deadline cannot claim grandfathering protection. After July 1, 2026, it must stop serving EU clients, stop marketing to EU users, and run down its existing positions in an orderly way. Operating without authorization is a breach of EU law and subject to fines under MiCA Article 111, which go up to 5 million euros or 10% of annual turnover.
Yes. The authorization process is still open. The difference is that a firm cannot legally provide crypto-asset services to EU clients while an application is pending, unless a specific member state's rules provide some form of provisional coverage during review, which varies by jurisdiction and is not available everywhere. For most firms that missed the deadline, the practical path is either to cease EU operations and apply for a fresh authorization, or to partner with an existing authorized CASP. See the CASP license country guides for jurisdiction-specific requirements.
Approximately 200 to 210 crypto-asset service providers hold full CASP authorization as of mid-2026, according to the ESMA Interim MiCA Register. This is out of more than 1,200 entities that held pre-MiCA national registrations, a conversion rate of around 17%. These authorized firms account for roughly 95% of EU crypto transaction volume.
Under MiCA Article 111, administrative penalties include fines up to 5 million euros or 10% of annual turnover, suspension of services, and listing on the ESMA public non-compliant entity register. In France, the AMF has stated that continued unauthorized operation can result in criminal prosecution carrying up to two years in prison and a 30,000 euro fine for responsible individuals.
The ESMA Interim MiCA Register is the European Securities and Markets Authority's official public database of all authorized CASPs, authorized stablecoin issuers, notified crypto-asset white papers, and non-compliant entities. It is published as downloadable CSV files at weekly intervals on the ESMA MiCA page. The Title V file is the one to check for CASP authorization status.
Grandfathering only applied to firms that were providing crypto-asset services lawfully in an EU member state under that state's national regime before December 30, 2024. Non-EU firms that were not registered under a national EU regime before that date cannot benefit from grandfathering. They need full CASP authorization from a national competent authority before serving EU clients. There is no equivalence arrangement that substitutes non-EU authorization for MiCA CASP authorization.
For authorized CASPs, the immediate priorities are confirming authorization covers all service categories the firm provides, verifying that transaction monitoring covers all supported blockchains, ensuring wallet screening is continuous rather than periodic, and auditing Travel Rule readiness against the requirements of Regulation (EU) 2023/1113. For counterparties transacting with crypto firms, checking the ESMA Interim MiCA Register should be part of standard due diligence.
July 1, 2026 is the date by which authorization must be held, not the date by which firms needed to act. The application deadlines that actually determined grandfathering eligibility were set by individual member states, and most of them fell between June and December 2025. A firm that did not file in its jurisdiction before that jurisdiction's own cutoff has no grandfathering protection, regardless of the July 1 outer limit. This distinction is covered in detail in the country-by-country table above.
A VASP (Virtual Asset Service Provider) is a designation used in FATF anti-money laundering standards. In most EU member states before MiCA, VASPs were registered for AML purposes only. A CASP (Crypto-Asset Service Provider) is a fully licensed financial services entity under MiCA Title V. The CASP authorization requires governance, capital, AML, Travel Rule, and operational resilience standards that go significantly beyond the VASP registration framework. Once authorized, a CASP holds a passport valid across all 30 EEA countries.
MiCA passporting is the mechanism under Regulation (EU) 2023/1114 that allows a CASP authorized by any single EU national competent authority to provide its licensed services across all 27 EU member states and the three EEA countries (Iceland, Liechtenstein, Norway) without requiring separate authorization in each country. The CASP notifies the host member state's regulator of its intention to passport, but no additional authorization application is required. The home NCA remains the primary supervisor.
After July 1, 2026, exchanges without MiCA authorization are prohibited from serving EU clients. They must stop onboarding new EU users and must wind down existing positions in an orderly way. If you are an EU user still holding funds on an unauthorized exchange, the exchange is legally required to help you transfer or withdraw your assets. You can verify any exchange's authorization status on the ESMA Interim MiCA Register Title V file. If the exchange is not on that list, it should not be serving EU clients.
An authorized CASP that has its authorization withdrawn by a national regulator must implement an orderly wind-down. Under MiCA client asset protection rules, customer crypto-assets must be segregated from the CASP's own holdings. This segregation means that customer assets should not be affected by the firm's own financial difficulties. However, if a CASP ceases operations, you should withdraw or transfer your assets as soon as notified. Do not wait for automatic closure. Move your assets the moment a CASP announces wind-down proceedings.
Under Article 63 of MiCA, a national competent authority has 25 working days to assess whether an application is complete, and then 40 working days from confirmation of completeness to make a decision. The 40-day period can be extended by 20 working days for follow-up queries. In practice, authorization timelines vary significantly by jurisdiction and application quality. Applications submitted to BaFin in Germany tend to take longer due to the volume of applications and the thoroughness of the review. Applications to Malta's MFSA or Lithuania's Bank of Lithuania have in some cases been processed closer to the statutory minimum.
MiCA applies to businesses providing custodial wallet services, where a third party holds private keys on behalf of customers. It does not apply to non-custodial wallets where the user holds their own private keys. A user who stores crypto in a hardware wallet or software wallet they control has no MiCA compliance obligations of their own. The Travel Rule does apply to the exchange side of a transfer to or from a self-hosted wallet. The CASP must assess ownership of the self-hosted wallet for transfers above 1,000 euros. The wallet holder themselves is outside MiCA's scope.
A crypto-asset white paper is the mandatory disclosure document required under MiCA for any entity making a public offer of crypto-assets or seeking their admission to trading. It is roughly equivalent to a prospectus in traditional securities law. The white paper must describe the crypto-asset, the issuer, the project, the rights and obligations attached to the asset, the risks involved, and how proceeds will be used. For e-money tokens and asset-referenced tokens, the white paper must be approved by the national competent authority before publication. For other crypto-assets, notification to the regulator is required but prior approval is not. White papers must be publicly accessible and kept up to date.
MiCA replaces a fragmented patchwork of national regimes with a single standard. For firms that invested in compliance infrastructure, it creates a level playing field and removes the cost of managing multiple national registrations. For users, it provides the same investor protections they would expect from a regulated financial services provider. The argument against MiCA is that its requirements are demanding enough to push smaller firms out of the EU market and that some provisions, particularly around stablecoins, have restricted product availability. The delisting of USDT from major regulated EU exchanges is the most cited practical consequence. Whether that is a net positive depends on whether you prioritize market access or investor protection.
MiCA gives EU crypto investors access to a regulated market with clear consumer protections. Authorized CASPs must segregate client assets, maintain complaint-handling procedures, provide clear disclosure on fees and risks, and operate under ongoing supervisory oversight. If an authorized CASP commits market abuse, investors have a regulatory body to report to. The trade-off is reduced product variety, particularly around non-authorized stablecoins and assets from issuers that have not gone through the MiCA white paper process. Investors who were using platforms that did not obtain MiCA authorization face a disrupted experience as those platforms wind down EU operations.
Scorechain is a European blockchain analytics and crypto compliance company covering 23 blockchains across 45 countries. We work with banks, VASPs, crypto exchanges, fintechs, custodians, regulators, and law enforcement.
For MiCA-authorized CASPs managing their ongoing compliance obligations, the Scorechain platform covers transaction monitoring, wallet screening, Travel Rule support, KYT, sanctions screening, blockchain investigations, and entity intelligence across all supported blockchains.
For compliance teams at banks or financial institutions managing counterparty exposure to the post-grandfathering crypto market, Scorechain provides the screening and intelligence infrastructure to verify authorization status, assess wallet risk, and meet your own regulatory obligations when dealing with crypto-related transactions.
Need a fast one-time wallet check? Scorechain AI generates instant wallet intelligence reports with no enterprise contract required.
