What tools does a MiCAR CASP need for compliance?

A MiCAR CASP needs tools across six workstreams: (1) EU regulatory intelligence for monitoring ESMA/EBA guidance and NCA updates; (2) KYC/identity verification (e.g. Sumsub, Jumio) and blockchain analytics for AML/CFT (e.g. Chainalysis, Elliptic); (3) a Travel Rule platform for TFR compliance (e.g. Notabene, 21 Analytics); (4) governance and record-keeping tools including ESMA JSON schema export capability; (5) capital monitoring for the Article 67 own funds requirement; and (6) a marketing communications review workflow for Articles 66–68 compliance.

When does the MiCAR CASP transitional period expire?

The MiCAR CASP transitional period expires on 1 July 2026 in most EU member states. CASPs that were already operating under national law before 30 December 2024 could continue operating until that date. After 1 July 2026, all CASPs must hold a full MiCAR authorisation under Article 63.

What is the Travel Rule requirement under MiCAR?

The Travel Rule for crypto-asset transfers is set out in Regulation (EU) 2023/1113 (the Transfer of Funds Regulation). It requires CASPs to collect and transmit originator and beneficiary information for every crypto transfer where at least one CASP in the chain is established in the EU. There is no minimum value threshold — the Travel Rule applies to all transfers regardless of amount.

Does MiCAR require DORA compliance?

Yes. MiCAR expressly requires CASPs to comply with DORA (Regulation (EU) 2022/2554). The Level 2 authorisation RTS requires CASPs to include in their application a description of ICT arrangements demonstrating DORA compliance. In practice this means a DORA-aligned ICT risk management framework, an ICT third-party register under Article 28, and incident classification and reporting processes.

The MiCAR Compliance Stack: Tools and Processes Every EU CASP Needs in 2026

Getting a CASP licence under MiCAR is one milestone. Running a compliant operation every day afterwards is another. The July 2026 transitional period deadline is driving a wave of authorisation applications, but the firms that will sustain compliance — and avoid supervisory action after their licence is granted — are the ones that have built a functioning compliance infrastructure, not just a successful application file.

This guide maps the six compliance workstreams that every authorised CASP must maintain under MiCAR (Regulation (EU) 2023/1114), the Transfer of Funds Regulation (Regulation (EU) 2023/1113), and the AMLD framework, and identifies the categories of tools and processes required to operate each one. It is intended for compliance officers and CTOs at crypto firms approaching the July 2026 deadline who need to translate regulatory obligations into a technology and operating model.

The Six Workstreams of MiCAR Ongoing Compliance

MiCAR compliance is not a one-time exercise. Once authorised under Article 63, a CASP is subject to a continuous set of obligations spanning governance, capital, AML/CFT, client asset protection, conduct of business, and marketing. Each workstream requires dedicated processes, controls, and in most cases purpose-built technology.

The six workstreams are:

#	Workstream	Primary Regulatory Basis	Supervisory Focus in 2026
1	Regulatory intelligence	MiCAR Art. 1, ESMA/EBA guidance, NCA directives	High — ESMA publishing Level 2 measures on a rolling basis
2	AML/CFT and sanctions screening	AMLD6 (national), AMLR (EU), Art. 5(4) L2 RTS	High — NCAs citing AML gaps in CASP audits
3	Travel Rule (TFR)	Regulation (EU) 2023/1113 Art. 1	Very high — TFR in full application since December 2024
4	Governance, record-keeping, and reporting	MiCAR Arts. 68, 72, 75–84; ESMA order book schema	Medium — ESMA standardised JSON schema active
5	Capital and prudential monitoring	MiCAR Art. 67	Medium — quarterly capital reporting to NCAs
6	Marketing communications compliance	MiCAR Arts. 66–68	Medium-high — increasingly targeted in NCA reviews

Workstream 1: Regulatory Intelligence

Why It Is the Most Underrated Workstream

MiCAR is a dynamic regulatory framework. The Level 1 text (Regulation (EU) 2023/1114) entered full application on 30 December 2024 for CASPs, but the Level 2 measures — the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by EBA and ESMA — continue to be published on a rolling basis. As of Q2 2026, the following Level 2 measures relevant to CASPs have been published or are in final consultation:

Commission Delegated Regulation 32025R1125 — authorisation requirements for ART issuers (cross-applicable to CASPs in cooperation arrangements)
Commission Delegated Regulation 32025R1126 — authorisation requirements for ART issuers, cross-applicable CASP AML/CFT description requirements
ESMA standardised JSON schema for order book and trade records — published November 2025, NCAs expected to start requesting data within 6 months
ESMA guidelines on reverse solicitation — applicable to non-EU firms seeking to serve EU clients
ESMA guidelines on crypto-asset whitepaper requirements — including the notification and amendment procedures under Articles 8–12
EBA guidelines on CASP governance and remuneration — consultations ongoing in 2026

Beyond Level 2 measures, NCA guidance matters. The AFM, BaFin, CSSF, CySEC, and AMF have each issued national interpretive guidance on MiCAR application procedures, timelines, and specific requirements. This guidance is not always published in English, and it changes as NCAs develop supervisory experience.

What the Compliance Infrastructure Requires

Continuous regulatory monitoring: A CASP cannot rely on a law firm update or a quarterly briefing to stay current. The pace of Level 2 publications and NCA guidance makes weekly — and for high-impact CASPs, daily — monitoring necessary.

Structured analysis capability: When new ESMA guidelines are published, the compliance function needs to produce a gap analysis within days: what does this require, what do we currently do, what must change, and by when? This analysis requires access to the primary regulatory text alongside the new guidance — not a news summary.

Regulatory Q&A: MiCAR introduces novel classifications, definitions, and obligations (the distinction between Article 59 notifiers and Article 63 authorisation applicants, the interaction between DORA and MiCAR ICT requirements, the definition of a "significant" CASP). Compliance officers working through these questions daily need a tool that provides article-level-precise answers grounded in the actual regulation, not a general LLM.

Platform-grade solutions: The EU financial regulation AI analysis that formerly cost €50,000 per engagement is now available through purpose-built platforms that index the full MiCAR text, all Level 2 measures, and NCA guidance. A dedicated EU regulatory intelligence platform can cut analysis time from days to hours.

Ask any MiCAR question with article-level precision

Try free

Workstream 2: AML/CFT and Sanctions Screening

The Regulatory Basis

CASPs are "obliged entities" under the EU AML framework. The existing AMLD-based national frameworks apply pending the entry into application of the new AMLR (Regulation (EU) 2024/1624), which becomes directly applicable from 10 July 2027. The TFR (Regulation (EU) 2023/1113) is already in force.

In practical terms, a CASP must maintain:

Customer Due Diligence (CDD): Know Your Customer (KYC) procedures, including identity verification, beneficial ownership identification, politically exposed person (PEP) screening, and adverse media checks — at onboarding and on an ongoing basis
Enhanced Due Diligence (EDD): For higher-risk customers — non-EU nationals, high-value wallets, jurisdictions on the FATF grey/black list, and customers in certain professional categories
Transaction monitoring: Screening transactions in real time and retrospectively for suspicious patterns, unusual volume changes, and connections to sanctioned addresses
Sanctions screening: Wallet address and customer screening against EU, UN, OFAC, and OFSI sanctions lists — a zero-tolerance obligation for EU-established CASPs given the volume of crypto-related sanctions designations since 2022
Suspicious Transaction Reports (STRs): Filing with the national Financial Intelligence Unit when monitoring flags a transaction that cannot be explained

The L2 Regulation 32025R1126 expressly requires CASPs to include in their authorisation file "a detailed description of internal control mechanisms and procedures in compliance with the obligations under Directive (EU) 2015/849 or Regulation (EU) 2023/1113, including a forward-looking assessment of the continuous compliance with such obligations for the time horizon of the business plan." This forward-looking requirement means the compliance infrastructure must be operational from day one of authorisation, not retrofitted later.

Tool Categories Required

Identity verification (KYC): Purpose-built identity verification platforms that handle document verification, liveness detection, PEP/sanctions screening, and jurisdictional risk scoring at onboarding. The leading vendors in this category include Sumsub, Jumio, Onfido (now Entrust), and Veriff. For EU-established CASPs, GDPR compliance and EU data residency matter — verify where biometric data is processed and stored.

Blockchain analytics / transaction monitoring: Blockchain analytics tools trace the provenance of funds across the blockchain, identify wallets associated with sanctions designees or illicit activity, and provide risk scoring at the transaction level. Chainalysis, Elliptic, and TRM Labs are the category leaders. The choice between them typically depends on coverage of specific chains (Bitcoin, Ethereum, Solana, Tron) and the depth of darknet market and ransomware cluster data.

Sanctions list management: Real-time integration with EU Consolidated Sanctions List, UN Security Council lists, OFAC (SDN), and OFSI. Some blockchain analytics tools include sanctions screening; others require a separate sanctions list feed (WorldCheck, Refinitiv, ComplyAdvantage).

Case management / SAR filing: An internal workflow for escalating flagged transactions, documenting investigation steps, and filing STRs with the national FIU. This can be a standalone system or integrated into a broader GRC platform.

Workstream 3: Travel Rule Compliance

Why Travel Rule Is the Hardest Technical Problem

The Transfer of Funds Regulation (TFR), Regulation (EU) 2023/1113, requires CASPs to collect and transmit identifying information on both the originator and the beneficiary of any crypto transfer — regardless of value. The key requirements:

Originator information: Name, blockchain address, account number (where applicable), and unique identifier
Beneficiary information: Name and blockchain address
Scope: Applies where at least one CASP in the transfer is established in the EU — this means EU-established CASPs must comply even when transacting with unhosted wallets or non-EU CASPs

The technical challenge is that crypto transactions are peer-to-peer by nature. There is no correspondent banking infrastructure that automatically routes information alongside the transaction. CASPs must use a separate data transmission layer to carry Travel Rule information, and that layer must interoperate with the recipient CASP's system.

The Protocol Fragmentation Problem

Unlike traditional financial messaging (where SWIFT is the de facto standard), the Travel Rule for crypto has no single mandated protocol. Three protocols compete:

Protocol	Backing	Network Size (2026)	EU NCA recognition
IVMS101 + TRISA	FATF-aligned, open standard	Growing	Standards-aligned
VerifyVASP	Korean origin, Asian-dominant	Medium	Standards-aligned
OpenVASP	Ethereum Foundation origin	Smaller	Standards-aligned

In practice, most EU CASPs use a Travel Rule solution vendor that handles protocol interoperability rather than implementing a protocol directly. The leading vendors include Notabene, Sygna Bridge, 21 Analytics, and Elliptic Lens (which combines blockchain analytics with Travel Rule). When selecting a vendor, the key criteria are: (a) counterparty network coverage (how many CASPs does the network already include?), (b) unhosted wallet handling (how does the tool handle transfers to self-custody wallets, which do not have a CASP counterpart to exchange data with?), and (c) GDPR compliance for personal data transmitted in Travel Rule messages.

Unhosted Wallet Risk

The TFR requires CASPs to collect beneficiary information for transfers to unhosted wallets (self-custody wallets that are not held by another CASP). This is operationally complex: there is no counterparty CASP to send the data to, and verification of the wallet's beneficial owner is not straightforward. The practical approach adopted by most EU CASPs in 2026 is:

Apply a risk-based threshold for enhanced due diligence on unhosted wallet transfers
Collect a self-certification from the customer that the wallet is their own
Use blockchain analytics to assess the risk profile of the destination wallet

NCAs have different views on the unhosted wallet threshold — always check your home member state's NCA guidance.

Workstream 4: Governance, Record-Keeping, and Reporting

Governance Requirements Under MiCAR Articles 68–69

MiCAR Article 68 sets out governance requirements specific to CASPs. These mirror the framework applicable to ART issuers under Article 34 but are calibrated for service providers rather than token issuers:

Robust organisational structure with clear and consistent lines of responsibility
Effective processes to identify, manage, monitor and report risks
Adequate internal control mechanisms including sound administrative and accounting procedures
Management body fitness: all members must be of sufficiently good repute, possess appropriate knowledge and skills, and must not have been convicted of AML/CFT or other relevant offences
Qualifying shareholders are subject to the same fitness and propriety standard

Article 68 also requires a compliance function with direct access to the management body, a risk management function, and an internal audit function (or, for smaller CASPs, documented justification for why these cannot be separately established).

Record-Keeping: ESMA Order Book Schema

Under MiCAR Article 72, CASPs operating trading platforms and CASPs executing orders must maintain records of all orders and transactions. ESMA published a standardised, machine-readable JSON schema for order and trade records in November 2025. NCAs are expected to begin requesting data in this format within six months of publication — meaning from May/June 2026.

The ESMA JSON schema requires consistent metadata for every order including:

Instrument identifier (crypto-asset type)
Order type (limit, market, stop)
Timestamps (order entry, modification, execution)
Counterparty and client identifiers
Price and quantity at each stage
Transaction outcome (executed, cancelled, expired)

CASPs that are not already generating order records in a structured, queryable format will need to build or procure the extraction and transformation layer to produce ESMA-compliant JSON exports.

DORA and ICT Risk Management

MiCAR expressly requires CASPs to comply with DORA (Regulation (EU) 2022/2554). The L2 Regulation 32025R1125 requires CASPs to include in their authorisation application "a description of the arrangements and assigned ICT and human resources to ensure compliance with DORA." In practice this means:

An ICT risk management framework aligned to DORA Articles 5–15
An ICT incident classification and reporting process (see the DORA incident classification guide)
A register of ICT third-party providers (Article 28 of DORA — see the ICT third-party register guide)
TLPT readiness for CASPs identified by their NCA as systemically significant

For CASPs that have just obtained their authorisation, integrating DORA compliance on top of MiCAR compliance is a material operational burden. The risk management, incident classification, and third-party register components should be designed as a unified framework rather than separate silos.

Analyse your DORA + MiCAR gap in minutes

Start free analysis

Workstream 5: Capital and Prudential Monitoring

Minimum Own Funds Under Article 67

MiCAR Article 67 establishes minimum own funds requirements based on the services provided. The three capital tiers are:

Class	Services	Minimum Own Funds
1	Custody and administration, transfer services, advice, portfolio management	€125,000
2	Reception and transmission of orders, execution of orders, placing	€150,000
3	Operating a trading platform, exchange for funds, exchange for other crypto-assets	€150,000

Where a CASP provides services across multiple classes, the highest applicable threshold applies. CASPs must at all times hold own funds at least equal to the higher of: (a) the minimum threshold; and (b) one quarter of the preceding year's fixed overheads.

The overheads test means that fast-growing CASPs may find their capital requirement increasing each year even without changes in service scope. A CASP that spent €1M in fixed overheads in Year 1 must hold at least €250,000 in own funds in Year 2, regardless of which capital class applies.

Quarterly Monitoring and Reporting

NCAs expect CASPs to monitor own funds on at least a quarterly basis and to notify the NCA if own funds fall below the required threshold. The notification obligation is immediate — there is no grace period for notifying a breach.

The practical infrastructure needed:

A defined formula for calculating "fixed overheads" consistent with the applicable NCA's interpretation
A quarterly own funds calculation report
An alert process that flags a breach before it becomes a reportable event (i.e., monitoring the buffer above the threshold, not just the breach itself)
Board-level capital adequacy reporting

Workstream 6: Marketing Communications Compliance

The Regulatory Framework Under Articles 66–68

MiCAR Articles 66–68 establish conduct-of-business rules for CASPs that include specific requirements for marketing communications. These requirements are supervised by NCAs and are increasingly the focus of post-authorisation compliance reviews.

For a detailed treatment of the marketing communications requirements, see our dedicated guide: MiCAR Marketing Communications: Articles 66–68 Compliance Guide.

The headline obligations are:

Fair, clear, and non-misleading: All marketing communications about crypto-assets must meet this standard — borrowed from MiFID II but now expressly applicable to CASPs
Consistent with the whitepaper: Where a whitepaper exists, the marketing communication must be consistent with the information in it. No cherry-picking of positive information
Risk warnings: Marketing communications must include a prominent warning that (a) crypto-assets are not covered by deposit guarantee schemes and (b) the value of crypto-assets can go down as well as up
Identification as marketing: All marketing communications must be clearly identified as such — no advertorial or editorial camouflage
Article 68 fee disclosure: Information on fees, charges, and costs must be fair, clear, and not misleading

The Compliance Challenge

The marketing communications obligation applies to every channel: website, social media, email, push notification, and paid advertising. A CASP running active marketing — as most CASPs seeking to grow their customer base in 2026 are — must have a pre-publication compliance review process for all consumer-facing content.

This is more demanding than it sounds. Social media content is produced in volume and at speed. Risk warnings must be proportionate to the prominence of the marketing message. NCAs have taken action against CASPs in 2025–2026 for social media content that was deemed misleading or that omitted required risk warnings.

The compliance infrastructure required:

A pre-publication review process with documented sign-off — not just an approval workflow but a checklist against Articles 66–68 requirements
A content library of approved risk warning language (in each language the CASP operates in)
An archiving process for all published marketing content (NCAs can request historical marketing materials during supervisory reviews)
Periodic compliance audits of live marketing campaigns — particularly important for performance marketing where creatives change frequently

Putting It Together: The MiCAR Compliance Technology Stack

The six workstreams above map to a set of tool categories that a fully-operational CASP must either procure, build, or document as out-of-scope (with NCA-level justification):

Workstream	Tool Category	What to Look For
Regulatory intelligence	EU regulatory analysis platform	Article-level precision, MiCAR + Level 2 coverage, NCA guidance indexing
AML/CFT — KYC	Identity verification	EU data residency, GDPR compliance, PEP/sanctions integration
AML/CFT — transactions	Blockchain analytics	Multi-chain coverage, darknet/ransomware clusters, real-time alerts
Travel Rule	TFR compliance platform	IVMS101/TRISA support, unhosted wallet handling, counterparty network coverage
Governance	GRC/risk management	MiCAR-specific control framework, management body oversight workflows
Record-keeping	Order management / reporting	ESMA JSON schema export, timestamped audit trail
DORA alignment	ICT risk management	Third-party register (Art. 28), incident classification, TLPT readiness
Capital monitoring	Financial controls	Fixed overheads calculation, NCA notification triggers
Marketing	Content review workflow	Pre-publication checklist, multilingual risk warning library, archive

The Regulatory Intelligence Layer

Of these tool categories, regulatory intelligence is the one most commonly underfunded at the point of CASP authorisation. Firms invest heavily in KYC and transaction monitoring — because these failures generate immediate enforcement risk — but underinvest in the capability to track ongoing regulatory development.

The cost of that gap compounds quickly. ESMA and EBA published over 40 consultation papers, final reports, and supervisory guidance documents relevant to MiCAR in 2025 alone. NCAs in Germany (BaFin), the Netherlands (AFM), Luxembourg (CSSF), and France (AMF) have each issued implementation-specific guidance that diverges in detail from the Level 1 text. A compliance function operating without systematic coverage of this output will be managing regulatory risk reactively — always catching up, never ahead of it.

Purpose-built EU regulatory intelligence platforms offer article-level Q&A across MiCAR, the TFR, DORA, AMLD, and the 40+ regulations that constitute the EU financial regulatory framework. For a solo compliance officer at an early-stage CASP — or a small compliance team at a scaling exchange — this capability closes a gap that was previously only available through law firm retainers or Big 4 advisory relationships.

The July 2026 Deadline: What the Timeline Means for Compliance Infrastructure

CASPs operating under transitional arrangements under Article 143 MiCAR have until 1 July 2026 to obtain full CASP authorisation, or until the earlier of their application being granted or refused. Firms submitting applications now face a realistic 4–6 month processing timeline (25 working days for completeness assessment + 40 working days for substantive review under Article 63).

For firms that have not yet submitted, the window is closing. But the authorisation application itself is not the only concern. NCAs are increasingly conducting post-authorisation supervisory reviews within the first 12 months of a CASP's licence. These reviews examine whether the compliance infrastructure described in the application file is actually operational — not just documented.

The practical implication: the compliance stack described in this guide should be operational before authorisation is granted, not treated as a post-licensing build project. NCAs reviewing CASPs in H2 2026 and 2027 will look for evidence that AML monitoring is live, Travel Rule is functioning, governance frameworks are operational, and marketing materials are being reviewed before publication.

Key Regulations and Sources

All obligations referenced in this guide derive from primary EU law. The key instruments are:

Regulation (EU) 2023/1114 (MiCAR) — particularly Title V (Articles 59–85) on CASP authorisation and ongoing obligations
Regulation (EU) 2023/1113 (TFR) — Travel Rule for crypto-asset transfers
Directive (EU) 2015/849 (AMLD4) as amended, and the new AMLR (Regulation (EU) 2024/1624) applicable from July 2027
Regulation (EU) 2022/2554 (DORA) — ICT risk management, incident reporting, and TLPT
Commission Delegated Regulation 32025R1126 — CASP AML/CFT description requirements for authorisation applications
ESMA standardised JSON schema for order and trade records (published November 2025)

For jurisdiction-specific implementation guidance, see the MiCAR CASP NCA Tracker covering AFM, BaFin, CSSF, CySEC, and AMF.

For the full authorisation checklist, see MiCAR CASP Authorisation: Complete Compliance Checklist for 2026.

This guide reflects EU law and ESMA/EBA guidance as of April 2026. For jurisdiction-specific implementation requirements, consult your home member state NCA.