MICA CASP authorisations: ESMA recommendations in peer review report

Background

The EU’s Markets in Crypto-assets Regulation (Regulation (EU) 2023/1114) (“MiCA”) establishes a unified regulatory framework for crypto-asset services across the EU (see also our MiCA Level 2 and 3 measures tracker here).

Since January 2025, crypto-asset service providers (“CASP”) in the EU must apply for an authorisation with their national competent authority (“NCA”), subject to a “grandfathering period” of 18 months (i.e. up until 30 June 2026) which allows existing CASPs that have been providing service in compliance with applicable law before 30 December 2024 (e.g. local Member State-level regimes) to continue to provide their services until they obtain MiCA authorisation. NCAs have the option of implementing a shorter grandfathering period, which means the transition period for existing CASPs vary between Member States.

In April 2025, the Board of Supervisors of ESMA decided to launch a peer review on the authorisation and early supervision of a CASP (which remained unnamed throughout the report) by the Malta Financial Services Authority (“MFSA”).

On 10 July 2025, ESMA published an executive summary of the peer review report. Although the peer review focuses on one NCA, it also aims to inform the supervisory practices of all NCAs, in order to encourage supervisory convergence and to prevent regulatory arbitrage.

[Separately, on 11 July 2025, ESMA further published guidance for CASPs offering unregulated products and services – see our separate article on this development here [INSERT LINK]]

Peer review: Malta

The peer review was carried out based on ESMA’s Peer Review Methodology by an ad hoc Peer Review Committee (“PRC”). Among other things, the peer review covered whether MFSA adequately assessed that the CASP entity met the requirements for authorisation, the supervisory review and use of adequate powers by MFSA (e.g. including as to whether the CASP continued to meet the conditions for its authorisation following certain events), and the overall adequacy of the supervisory set-up and resources of the MFSA.

The PRC found that the MFSA did not fully meet expectations in certain areas—for example, the overall authorisation process should have been more thorough, and there were material issues which remained unresolved or pending remediation at the time of the authorisation.

The PRC also highlighted the good practices of the MFSA, in terms of:

• its resources and expertise, noting that the MFSA has been proactive in recruiting supervisors with expertise in crypto services by (i) engaging with local universities, (ii) providing training and (iii) cooperating with other relevant authorities; and
• its proactive outreach to the industry to encourage early preparation for MiCA, and to communicate its expectations to industry in a timely manner.

ESMA recommendations to all NCAs

The PRC recommends to all NCAs to pay particular attention to certain aspects when processing authorisations, including:

• Business growth, i.e. NCAs should assess business plans in a forward-looking manner, taking into consideration expected growth and associated risks.
• Conflicts of interest, including conflicts arising from multiple CASP services and related disclosure requirements.
• Governance and intragroup arrangements, and in particular using ESMA’s cross-cutting principles on third-party risks supervision as a baseline to assess intragroup arrangements.
• ICT architecture including intragroup reliance and use of sub-providers. NCAs should review ICT systems (including business continuity) in light of the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554). NCAs should give particular attention to functions and services that are most critical to the CASP business (e.g. custody). (Read more about DORA on our Operational Resilience Hub.)

In terms of ICT security, entities should be able to appropriately and effectively react in case of a hack. Additionally, the authorisation process should confirm that an entity has adequate measures in place to efficiently and effectively block malicious transactions if needed.

• Web3 and decentralised products, including the promotion of unregulated services. NCAs should assess the exposure to DeFi risks. Further, NCAs should evaluate the promotion of any unregulated services, such as whether such promotions may create confusion among customers that such services are possibly regulated.
• User interfaces and customer journeys, including ensuring that risk warnings are clearly presented to users and that the overall customer experience is compliant with MiCA.

More broadly, the PRC encourages NCAs to:

• regularly share information and experiences through the dedicated ESMA Group, the Digital Finance Standing Committee (“DFSC”), to help foster a convergent approach; and
• consider how investors across the EU Member States are able to apply their rights under MiCA, and how this impacts an NCA’s resources and the need to cooperate with other EU supervisors.

It is worth noting that while CASPs must apply for an authorisation with an NCA, an authorisation under MiCA would allow a CASP to passport its services across the EU. NCA’s, therefore, play a significant gatekeeping role for the single market, with the authorisation process being the NCA’s key opportunity to assess CASP entities and to ensure investors in any jurisdiction across the EU will be given an adequate level of protection, regardless of where the CASP originates from.

Next Steps

Stay tuned as we continue to monitor the implementation of MiCA, as entities across the EU seek to obtain their CASP authorisations under MiCA.

For more information, please contact a member of the team, or visit the Hogan Lovells Digital Assets and Blockchain Hub. Whether it's to find out the latest regulatory developments, or learn about new applications of the technology, we have you covered.

This article is for guidance only and is a non-exhaustive summary only of certain aspects of the points discussed and should not be relied on as legal advice in relation to a particular transaction or situation.

Authored by Christina Wu.