Background
The newly adopted European Union (EU) Regulation on Markets in Crypto-Assets (MiCA Regulation) aims to provide a unified framework to regulate crypto-asset markets. Crypto-assets are defined in the MiCA Regulation very broadly as ”a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology.”
Through our commitment to security and privacy, we can help you safely navigate this new regulatory environment. Least Authority provides comprehensive security consulting services, which can offer insight into potential security risks that may hinder important milestones in your development processes, thereby helping you remain regulation compliant.
The objective of the MiCA Regulation is threefold: to ensure legal coverage for all crypto-assets, support competition and innovation in the Web3 ecosystem, and increase transparency and accountability of participants in crypto-asset markets. By creating a single market for crypto-assets, the MiCA Regulation therefore ensures legal certainty, consumer protection, and financial stability.
Comparable with other EU laws such as the GDPR or the AI Act, the MiCA Regulation has an extraterritorial reach. It applies to persons and undertakings issuing or offering crypto-assets to the public, or providing services related to crypto-assets in the EU. Accordingly, non-EU located businesses must comply with MiCA if they serve EU customers.
The MiCA Regulation entered into force on June 29, 2023. It became applicable for issuers of Asset-Referenced Tokens (ARTs) (Title II of MiCA Regulation) and E-Money Tokens (EMTs) (Title IV of MiCA Regulation) on June 30, 2024. Its remaining parts, including the provisions regarding the authorization and operation conditions for Crypto-Assets Service Providers (CASPs) (Title V of the MiCA Regulation), will become applicable on December 30, 2024 – with certain exceptions. To ensure a smooth transition, EU Member states have the option to implement a transitional phase by allowing entities that are already providing crypto-asset services under applicable law in their jurisdictions to continue doing so until July 1, 2026.
MiCA’s Provisions for CASPs
The MiCA Regulation comprises a set of provisions that CASPs must comply with. In particular, they are required to be authorized as crypto-asset service providers with the competent authority of their home member state.
As part of the application for the authorization, CASPs are required to submit certain technical documentation of their system, and if available, a description of a cybersecurity audit conducted by a third-party cyber security auditor (see Art. 9 of the RTS Authorization of CASPs that is currently adopted but not yet published).
CASPs are therefore required to adhere to specific security requirements to ensure sufficient security measures have been administered to effectively protect their systems and data against cyberattacks, security breaches, and other forms of security incidents. One possible way to achieve this goal would be to establish a security risk management program that could periodically iterate on the potential risks identified along with the measures set in place to mitigate them. Another pivotal step that would be highly recommended is to regularly perform security audits to assess whether your systems continue to comply with the comprehensive security requirements set forth by the MiCA Regulation.
During this investigative process, our expert team can also suggest recommendations that would improve the quality of the systems being reviewed and assist with remediation or mitigation strategies.
Prepare for MiCA Compliance Today
The shift toward MiCA compliance affects hundreds, if not thousands, of CASPs operating within the EU, with a considerable focus on those who operate cross-border. Undertaking strategic planning to prepare for the new regulatory requirements helps ensure a timely and orderly transition and to reduce the risk of disruptive business models. Organizations should carefully ensure compliance with MiCA provisions to avoid potential penalties such as fines, public statements, cease-and-desist orders, or other regulatory actions (Art. 111 MiCA Regulation). With the transitional period for adopting these standards approaching, it’s essential to start integrating robust risk management and security measures.
Our team stands ready to support your path to compliance. Reach out today at consulting@leastauthority.com to get started.