MiCA, one year in — what the new EU crypto rulebook actually changed
The Markets in Crypto-Assets Regulation — MiCA to anyone who has had to read it — has been fully in force across the European Union since the end of 2024, and as of January 2026 it is no longer a theoretical regime. It is a live rulebook with named supervisors, granted authorisations, public registers, enforcement actions, and a steadily lengthening list of firms that either fit inside it or have quietly left the EU market. The headline ambition was always simple: replace the patchwork of national crypto regimes with one harmonised framework that lets a firm authorised in one Member State serve customers across all twenty-seven. The reality, one year in, is messier and more interesting than that.
Before MiCA, a crypto-asset service provider in Europe operated under whichever national regime its home Member State had improvised — Germany's BaFin licence under the Banking Act, France's PSAN regime under the AMF, Italy's OAM register, the Netherlands' DNB registration, Malta's VFA Act, Estonia's now-tightened virtual currency service provider licence, and so on. Each regime had its own scope, its own capital requirements, its own AML expectations, and its own definition of what a "crypto-asset" even was. A firm wanting to serve the whole bloc had to either run a patchwork of national permissions or rely on reverse solicitation, which regulators have spent the last two years making clear they no longer accept as a passporting strategy.
MiCA replaces that patchwork with a single Crypto-Asset Service Provider authorisation, granted by a national competent authority but valid across the entire EU through the standard passporting mechanism that already exists for investment firms and payment institutions. It defines crypto-assets in three buckets — asset-referenced tokens, e-money tokens, and "other" crypto-assets including most utility tokens and unbacked cryptocurrencies — and applies a graduated set of rules to each. It introduces a white paper requirement for public offers and admissions to trading, market abuse rules modelled on MAR, custody and segregation obligations for client assets, conflict-of-interest rules for exchanges, and a complaints-handling regime that looks a lot like MiFID's. None of this is revolutionary on its own; the revolution is that it is the same in Dublin, Madrid, Warsaw and Helsinki.
As of January 2026, the league table of who is ahead is clearer than it was twelve months ago. Germany moved first and moved fast: BaFin had a structured transition pathway in place before MiCA became applicable, and by early 2026 it has granted a meaningful share of the EU's full CASP authorisations, mostly to firms that already held a Kryptowerte-Dienstleister licence under the Banking Act. France's AMF, building on the pre-existing PSAN register, has authorised a comparable cohort and is the regulator of choice for several of the larger pan-European exchanges. The Netherlands and Ireland have been measured but credible, granting fewer but higher-quality authorisations. Luxembourg and Malta — the latter once the default European base for crypto firms — have both tightened materially, and Malta in particular has seen a visible migration of firms to other Member States as the MFSA's expectations under MiCA proved stricter than the old VFA regime.
At the other end of the spectrum, several Member States have used the maximum transitional window — up to eighteen months from MiCA's application date — to let their existing VASPs continue to operate under national regimes while applications work through the queue. That is legal, but it creates a two-tier market in practice: a firm authorised under MiCA in Germany can passport into Spain or Portugal today, while a Spanish or Portuguese firm still on a legacy registration cannot offer its services into Germany on the same basis. The European Securities and Markets Authority has been explicit that the transitional period is not a soft landing, and the firms that have treated it as one are now visibly behind on their applications.
The stablecoin chapter — Titles III and IV, covering e-money tokens and asset-referenced tokens — has had the most immediate market impact. EMT issuers must be authorised either as a credit institution or as an electronic money institution, hold reserves one-for-one in segregated high-quality liquid assets, give holders a permanent right of redemption at par, and refrain from paying interest. ART issuers face a heavier regime including own funds requirements, governance rules, and tighter caps on usage if a token is judged "significant" by the EBA. The practical consequence is that several globally well-known dollar stablecoins are no longer offered to EU retail users by EU-authorised platforms, while euro-denominated EMTs from issuers like Circle's EURC, Société Générale–Forge's EURCV and a growing cohort of bank-issued tokens have moved from pilot to production. For the first time, a regulated euro stablecoin is something a European business can actually choose.
MiCA's promise is not that crypto becomes safe. It is that, for the first time, a European supervisor can tell you exactly who is responsible when it isn't.
For businesses, the advantages are concrete. A single authorisation removes the legal-fee tax of operating across multiple national regimes and lets product teams ship the same checkout, custody or treasury feature across the whole EU on day one. Stablecoin settlement, instant payouts in euro-denominated EMTs, and crypto-to-fiat on-ramps inside regulated apps are all materially easier to integrate because the counterparties are now supervised entities with named regulators, not offshore exchanges with a PO box. Banks and traditional PSPs that previously refused to touch crypto-adjacent flows are quietly opening accounts to MiCA-authorised CASPs, which unlocks the boring but essential plumbing of fiat in and out. Insurers are starting to underwrite custody risk on terms that did not exist eighteen months ago. Procurement and compliance reviews that used to take a quarter now take a few weeks because there is a standard set of disclosures to read.
For customers, the gains are equally tangible even when they are invisible. Client assets must be segregated from the firm's own assets, which addresses the single most painful lesson of the 2022–2023 exchange failures. Marketing communications must be fair, clear and not misleading, with the same enforcement teeth that apply to investment firms. White papers for public offers must include risk disclosures in a standardised format. Complaints must be handled inside defined timelines with escalation rights to the national regulator. And the existence of a public EU-wide register means a retail user can, for the first time, check in one place whether the platform asking for their money is actually allowed to do so.
The challenges are real and worth naming. Compliance costs have risen sharply, and they have risen most for the smaller firms that the old national regimes implicitly subsidised. Several mid-sized exchanges and custodians have already merged, sold, or withdrawn from the EU rather than absorb the cost, which means consumer choice in some Member States has narrowed even as quality has improved. Some innovative use cases — fully decentralised lending protocols, certain staking-as-a-service models, NFT-adjacent financial products — sit awkwardly inside MiCA's categories and are being interpreted differently by different supervisors, which is exactly the kind of fragmentation the regulation was meant to prevent. Transitional regimes that vary by Member State have created an uneven playing field that will only fully resolve when the last national authorisation expires in mid-2026. And the stablecoin caps for "significant" non-euro EMTs have, in practice, pushed some dollar-denominated liquidity offshore, which is good for European monetary sovereignty and inconvenient for European businesses that price in dollars.
For customers, the friction is most visible at onboarding. KYC requirements are stricter and more uniform, which is a feature for the system and an irritation for individual users. Travel rule compliance under the recast Transfer of Funds Regulation means that crypto transfers between regulated entities now carry payer and payee information by default, which closes a long-standing AML gap but also surprises users sending to or from self-hosted wallets, where additional verification steps now apply above defined thresholds. Some products that were freely available a year ago are no longer offered to EU residents, and the reasons are rarely explained in a way a non-specialist can parse.
The direction of travel is nevertheless clear. By the end of 2026, the transitional regimes will have expired, the public register of EU-authorised CASPs will be the single source of truth, and the question of whether a crypto service is "allowed" in Europe will have a binary answer for the first time. The locally licensed VASP era is ending, not because national regulators failed, but because a single market needs a single rulebook to be a single market. One year in, MiCA is doing what it was designed to do — slowly, expensively, and unevenly, but doing it.