MiCA Readiness: What CASPs Must Do Before 2026

# MiCA Readiness: What CASPs Must Do Before 2026 IGInfocredit Group March 12, 2026 9 min read The Markets in Crypto-Assets Regulation is now fully in force across the EU. Here's a practitioner's view of the 6 control domains every Crypto-Asset Service Provider must evidence — and where most CASPs are still falling short. With the **Markets in Crypto-Assets Regulation (MiCA)** now fully applicable across all 27 EU Member States since 30 December 2024, supervisory engagement has shifted from _"are you preparing?"_ to _"show us your evidence."_ National competent authorities — from BaFin in Germany to AMF in France and the CySEC in Cyprus — are running their first round of authorisation reviews, and early findings reveal a consistent pattern: most CASPs underestimated the operational depth required. Key fact CASPs operating under transitional regimes have until **1 July 2026** in most Member States to obtain full MiCA authorisation. After that date, unauthorised activity becomes a supervisory and criminal matter. ## The Six Domains of MiCA Readiness ESMA's Level 2 and Level 3 measures, combined with the EBA's joint guidelines on internal governance, organise CASP obligations into six interlocking domains. Treating them as separate workstreams is the single most common reason readiness programmes stall. ### Authorisation & Governance Programme of operations, fit-and-proper assessments, three lines of defence, conflict-of-interest registers, outsourcing inventory. ### AML/CFT & Travel Rule Customer due diligence, ongoing monitoring, sanctions screening, and compliant Travel Rule messaging for transfers ≥ €1,000 (€0 for VASP-to-VASP). ### Custody & Safeguarding Segregation of client assets, daily reconciliations, key-management ceremonies, insurance or own-funds coverage for operational losses. ### Market Integrity Order-book surveillance, MAR-style abuse detection, suspicious-transaction-and-order reporting (STORs) to the home regulator. ### Disclosures & White Papers Crypto-asset white papers notified to the NCA, marketing-communications register, complaints handling within 15 working days. ### DORA & ICT Resilience Incident classification, threat-led penetration testing, third-party ICT register, exit strategies for critical providers. ## Where We See CASPs Falling Short From our work with regulated firms across Cyprus, Germany, Malta and the Netherlands, three gaps recur in nearly every readiness review: - **Travel Rule data quality.** Many CASPs implemented IVMS 101 messaging but cannot evidence reconciliation between message payloads and the underlying on-chain transfer — a basic supervisory expectation under EBA's revised guidelines. - **Outsourcing registers.** The list of "critical or important functions" that must be documented under Article 73 MiCA and Article 28 DORA is broader than most firms initially scope. Cloud, KYC providers and even node infrastructure typically qualify. - **Marketing communications.** Article 7 requires every promotional message — including organic social posts and influencer content — to be fair, clear and not misleading, with an internal approval log. Few firms have a workable workflow. ## What to Do This Quarter A pragmatic 90-day plan: (1) baseline against the 42-control [MiCA Readiness Checklist](https://compliancesuite.ai/resources/mica-checklist), (2) close Travel Rule reconciliation gaps with your counterparties, (3) finalise the DORA ICT register, (4) rehearse a supervisory information request end-to-end. Firms that can produce evidence within 48 hours of an NCA request consistently rate higher in early supervisory scorecards. ## Turn compliance into your competitive advantage. See how ComplianceSuite.ai's four pillars can transform your KYC, AML, fraud, and transaction-monitoring workflows. [Book a demo](https://compliancesuite.ai/contact) [More insights](https://compliancesuite.ai/insights) ## We value your privacy We use essential cookies to make ComplianceSuite work. With your consent, we'll also use analytics and marketing cookies to improve the site and measure campaign performance. You can change your choice at any time. Read our [Privacy Policy](https://compliancesuite.ai/privacy) and [Cookie Notice](https://compliancesuite.ai/cookies). CustomiseReject non-essentialAccept all