The EU’s Markets in Crypto Assets Regulation will soon apply to crypto-asset service providers. Irish virtual asset service providers can benefit from a transitional period but must secure CASP authorisation to continue operating beyond December 2025. Our Financial Regulation team examines recent regulatory developments, the evolving standards set by ESMA, and guidance for crypto firms navigating compliance. Read on for key insights.
The Markets in Crypto Assets Regulation (MiCAR) will apply to crypto asset service providers (CASPs) from 30 December 2024.
Registered virtual asset service providers (VASPs) operating in compliance with Irish law before this date may benefit from a 12-month transitional ‘grandfathering’ period. To continue offering crypto-asset services beyond 30 December 2025, these providers must obtain authorisation as a crypto-asset service provider (CASP) under MiCAR.
The Central Bank of Ireland has stated that any VASP not intending to apply for a CASP authorisation should establish clear wind-down plans and make arrangements to cease providing services by the end of the transitional period provided under MiCAR. Relevant VASPs must formulate an exit strategy that will mitigate risk, protect stakeholders and fulfil their legal and regulatory obligations.
Overview
The European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) have been developing the Level 2 and 3 texts to provide greater granularity on MiCAR provisions.
As part of this process, ESMA consulted with the public on the draft regulatory technical standards (RTS), which were published in three packages.
ESMA published its first final report on draft RTS under MiCAR in March 2024 and submitted it to the European Commission (EC) for adoption. These draft RTS included:
- RTS specifying the information to be included in an application for authorisation as a CASP, i.e. the ‘RTS on Authorisation’, and
- RTS specifying the information to be included in a notification by certain financial entities of their intention to provide crypto-asset services, i.e. the ‘RTS on Notification’
These RTS set out the information that entities who wish to provide crypto-asset services must provide to their relevant competent authority. Categories of information to be provided include, for example:
- A programme of operations setting out the type of crypto-asset services that the entity wishes to provide, including where and how those services are to be marketed
- A description of the entity’s internal control mechanisms, including those concerning anti-money laundering and counter-terrorist financing obligations, and
- A description of the entity’s information and communication technology (ICT) systems and security arrangements
European Commission rejection of draft RTS
The EC informed ESMA in September that it intended to adopt the RTS with amendments. On foot of this, the EC invited ESMA to submit new draft RTS reflecting the amendments the EC proposed.
The EC suggested that the information required to evaluate the “good repute” of members of a CASP’s management body should be an exhaustive list, in compliance with the principle of data minimisation.
In addition, the EC was of the view that ESMA had exceeded its mandate in requiring applicant CASPs to submit the results of a cybersecurity audit conducted by a third-party auditor. The EC expressed concern that this requirement was not aligned with the mandate under MiCAR, nor was it foreseen by the Digital Operational Resilience Act (DORA).
ESMA responded via a formal opinion on 11 October 2024, in which it recommended that the EC expand MiCAR’s mandate in the context of these requirements by:
- Amending Article 62(3)(a) of MiCAR to remove the limitations relating to the scope of the assessment of good repute of members of a CASP’s management body. This amendment would allow for the assessment of the absence of penalties in areas other than commercial law, insolvency law, financial services law, anti-money laundering and counter-terrorist financing, fraud, or professional liability.
- Amending Articles 60(7) and 62(2) of MiCAR to include a cybersecurity audit in the list of information to be submitted as part of a notification by a notifying entity. Alternatively, this amendment would allow competent authorities the power to request such cybersecurity audits where justified.
The EC does not appear to have accepted ESMA’s recommendations. The EC adopted the two draft RTS in October 2024, having incorporated the amendments it considered relevant. These included:
- Article 4 of the final RTS on Notification now requires notifying entities to provide, “if available”, a “description” of a cybersecurity audit
- Article 7 of the final RTS on Authorisation limits the information required to be provided by applicants to competent authorities regarding proposed members of the management body, to reflect the existing exhaustive list included in Article 62(3)(a) and (c) of MiCAR
Next steps
The European Parliament and Council may object to RTS adopted by the EC within a period of three months. If neither objects, the RTS will be published in the Official Journal and enter into force 20 days later.
Given that the MiCAR regime becomes applicable to CASPs from 30 December 2024, this should be closely monitored over the coming months. The purpose of the RTS is to provide more granular guidance to crypto operators concerning their compliance with the MiCA framework.
If RTS require further redrafting and their adoption is delayed, the deadlines for MiCAR’s implementation may be affected. This could potentially lead to the transitional period being extended.
Comment
The CBI will publish its CASP application form in due course. It remains to be seen whether the timelines for the authorisation process will be affected by the regulatory developments at EU level.
We have extensive experience advising crypto operators and are assisting firms who are interested in applying for authorisation under MiCAR.
We are also well placed to assist VASPs who do not intend to apply for authorisation as a CASP with arrangements to wind down their operations and transfer their book of business, as necessary.
Please reach out to a member of our Financial Regulation team should you require advice and support in this area.
People also ask
What is MiCAR?
MiCAR is a comprehensive regulatory framework for European crypto assets.
What is the status of MiCAR?
MiCAR will become effective in 2024 in two parts. The first phase in June 2024 dealt with stablecoin issuers and the second phase in December 2024 will deal with crypto asset service providers.
The content of this article is provided for information purposes only and does not constitute legal or other advice.