Research Report No. 06 · Regulation & Market

MiCA-licensed crypto providers — 244 approved, 1,738 rejected

Legal framework, market consolidation, supplier list, business models and supervision — plus checklists for suppliers and investors.

244
MiCA-approved providers (ESMA, 1 July 2026)
1.738
Suppliers without an EU license were eliminated
€50k–150k
Equity capital per class (Annex IV)
since July 1, 2026
binding · EU passporting
Circular ring of glowing orange stars around a blue EU-style shield on a dark, blurred background

Report 2026

Executive Summary

  • MiCA has been in operation since July 1, 2026 The central authorization and supervisory basis for crypto service providers in the EU internal market replaces the national patchwork.
  • Market consolidation: 244 companies were approved, 1,738 providers without an EU license had to withdraw (ESMA data, FT).
  • Full market regulation law (9 titles): CASP authorization (Title V), market abuse (VI), stablecoins (III/IV), ESMA register (Articles 109/110).
  • EU passporting From a single home state approval — the choice of „home state“ becomes a supervisory strategy.
  • Capital classes: €50k (Class 1), €125k (Class 2, +Custody/Exchange), €150k (Class 3, Trading Platform).
  • Compliance is a condition of operation., No project: Governance, custody segregation, AML/CFT, DORA and wind-down must be permanently verifiable.

01 Legal framework and timetable

MiCA is divided into nine titles — from definitions (Title I) through stablecoins (III/IV) and CASP approval (Title V) to market abuse (VI) and supervision/registry (VII). Business models are therefore not uniformly regulated: a spot broker primarily falls under Title V, an EMT issuer under Title IV.

1June 2023MiCA joinsin force2June 2024Stablecoin rules(ART/EMT)3Dec 2024CASP rulesapply4July 2026transition periodends
The MiCA timetable at a glance. Article 143 allowed CASPs already operating to continue until the MiCA decision, but no later than 1 July 2026 — with nationally shortened deadlines.

Nationally, MiCA is directly applicable as an EU regulation, but requires accompanying legislation: in Germany, the Crypto Markets Supervision Act (KMAG) with centralized BaFin supervision. Member states used the transition period differently—Germany and Ireland for 12 months, France and Italy for 18, and the Netherlands for only 6. This divergence significantly impacted application procedures, market exits, and passport strategies.

02 Market overview and cleanup

The official source for completeness is the ESMA central register under Article 109 MiCA (supplemented by the register of non-compliant providers under Article 110). According to FT/ESMA data, as of July 1, 2026, a total of 244 companies were authorized — while 1,738 providers without an EU license had to cease operations or wind down in an orderly manner.

12%LICENSEDMiCA approved (244)12 %Without EU license (1,738)88 %
Market consolidation on July 1, 2026. Only about one in eight previously active providers holds an active MiCA certification.
Germany4France4Netherlands4Malta3Austria2Ireland2Luxembourg2Italy1
MiCA providers per country of residence (condensed selection). Certain „Home States“ — Malta, Luxembourg, Ireland, France, Germany, the Netherlands, Austria — gained disproportionate importance in 2025/26.

Those approved include not only „crypto start-ups“, but also brokers and exchanges, pure custodians, banks (Commerzbank, Trade Republic), exchange infrastructure and stablecoin issuers — a sign of progressive institutionalization.

03 Consolidated list of providers

The following selection is reliably identifiable, but not completely. Anyone requiring completeness should check the ESMA register (Art. 109) and the national registers directly. All entries are CASP authorizations.

Providercountry of residencePermitCore services
OKX Europe LimitedMalta27.01.2025Custody, Trading, Exchange, Execution, Placing, RTO, Portfolio Mgmt, Transfer
Foris DAX MT Ltd (Crypto.com)Malta27.01.2025Custody, Exchange, Execution, RTO, Transfer
BP23 CA LimitedMalta27.01.2025Custody, Exchange, Execution, RTO, Transfer
Coinbase Luxembourg SA.Luxembourg20.06.2025Custody, Exchange, Execution, RTO, Transfer, Placing
Payward Europe Solutions (Kraken)Ireland25.06.2025Custody, Exchange, Execution, Placing, RTO, Portfolio Mgmt, Transfer
Payward Global Solutions (Kraken)Ireland25.06.2025Operating a trading platform
Bitpanda GmbHAustria09.04.2025Custody, Exchange, Execution, Placing, RTO, Transfer
Bybit EU GmbHAustria28.05.2025Custody, Exchange, Execution, Placing, Transfer
CheckSig Srl.Italy07.05.2026Custody, Exchange, Execution, Transfer
Trade Republic Bank GmbHGermany28.04.2025Custody, Execution, RTO, Transfer
Commerzbank AGGermany07.04.2025Custody, Transfer
BitGo Europe GmbHGermany09.05.2025Custody, Exchange, Execution, RTO, Transfer
Tangany GmbHGermany08.08.2025Custody, Transfer
Bitvavo BV.Netherlands26.06.2025Custody, Trading, Transfer
BTC Direct Europe BV.Netherlands18.06.2025Exchange, Transfer
Change Securities BV.Netherlands20.04.2026Custody, Exchange, Execution
Hidden Road Partners CIV NLNetherlands30.12.2024Exchange, Execution
PAYMIUM SASFrance22.06.2026Custody, trading, exchange, execution, transfer
MERIA SASFrance22.06.2026Custody, Exchange, Execution, Advice, Portfolio Mgmt, Transfer
Banque Delubac et CieFrance23.10.2025Custody, Exchange, Execution, Advice, Portfolio Mgmt, Transfer
Société Générale – ForgeFrance23.10.2025Custody, Transfer
STOKR SA.Luxembourg22.06.2026Custody, Transfer

Relevant EMT issuers

Issuercountry of residenceDateremark
Circle Internet Financial Europe SASFrance01.07.2024EMI licensed by the ACPR; issued in compliance with USDC & EURC MiCA.
Société Générale – ForgeFrance01.07.2024EMI-based EMT case (ACPR)
Banking Circle SA.Luxembourg29.10.2019Credit institution-based; EURI
Bitcoin symbol at the center with glowing star icons arranged around it in a dark, futuristic background.

From patchwork to single market standard. MiCA combines authorization, ongoing supervision and registration in a harmonized framework — the license becomes a reliable verification criterion.

04 Business models and compliance

MiCA differentiates CASPs functionally: authorization (Articles 59–65), ongoing obligations (66–74), specific activities (75–82). The equity capital requirement is set out in Annex IV.

Class 3 · Trading platform150Class 2 · +Custody/Exchange125Class 1 · Consulting/RTO/Exec50
Equity capital minimums per CASP class (in thousands of euros, Annex IV). Class 1: Advisory, portfolio management, RTO, execution, placement, transfers · Class 2: additionally custody/exchange · Class 3: Operation of a trading platform.
Business modelMiCA categoriesKey dutiesCompliance priorities
Central Exchange without CustodyArticles 76–78, 80Licensing, market integrity, cost/risk transparency, governance, conflict managementBest execution, market surveillance, trading rules, token listing governance
Central Exchange with CustodyArticles 75–78Additionally, strict safekeeping obligations, segregation, and control over customer assets.Key management, segregation, insolvency resistance, reconciliation, outsourcing
Reiner Custodian / WalletArticle 75Custody & Administration, Release/Transferability, Control SystemsCold/warm storage, recovery, access rights, audit trails, third-party custodian due diligence
Broker / Fiat On-/Off-RampArticles 77, 78, 80, partly 82Order execution, customer information, cash flows, complaints, conflicts of interestPayment transactions, treasury, slippage control, AML/KYC, travel rule
Advice / Portfolio ManagementArticle 81Suitability, conflicts of interest, documentation, governanceProduct governance, customer classification, suitability, research control
EMT issuerTitle IV, Articles 48–58EMI/credit institution status, white paper, reversion at par, interest rate ban, recovery/redemptionReserve/safeguarding structure, daily liquidity, redemption, whitepaper governance
ART issuerTitle III, Articles 16–47Authorization, white paper approval, governance, reserve assets, redemption, reportingAsset reserve management, custodian selection, valuation/crisis plans, EBA materiality tests

Across all models, similar core obligations apply: acting honestly in the customer's interest, prudence, governance, safeguarding customer assets, complaint and conflict management, outsourcing control, and a credible wind-down plan. AML/CFT It is not fully "built in," but inextricably linked—MiCA approval replaces neither AML obligations nor the transfer-of-funds rules. A second common thread is technical resilience (DORA, IKS, BCM, Incident-Handling): Custody and exchange models fail less often due to licensing issues than due to the long-term operation of this architecture.

05 Supervision and sanctions

MiCA harmonizes basic obligations but allows flexibility in procedures and the severity of sanctions. For legal entities, MiCA requires fines of at least €5 million or 3 times their turnover for certain infringements; for market abuse, at least €15 million or 15 times their turnover. Member States may go further and provide for criminal sanctions.

jurisdictionauthoritiesdeadlineprocedural styleSanctions / Enforcement
GermanyBaFin (+ Bundesbank in certain areas)12 monthscentralized, formalized; MiCAR fact sheets; completeness check with deadline for subsequent requestsKMAG: Penal and fine regulations; imprisonment up to 5 years
FranceAMF (CASP) · ACPR (EMI/Bank)18 monthsdual model; focus on application documentation and status demarcationAMF/ACPR sanctions architecture + MiCA minimum standards
ItalyConsob · Banca d'Italia18 monthsdual model; Consob is examining the issue with a statement from the Bank of Italy.Legislative Decree 129/2024 regulates supervision and intervention powers.
NetherlandsAFM (+ DNB in some matters)6 monthsearly, abbreviated; register- and enforcement-orientedInvolvement in white-collar crime investigations; active enforcement against unlicensed individuals.

The differences are less substantive than institutional: Germany is more focused on banking supervision and procedural formality, France and Italy have a stronger dual system, and the Netherlands kept the transition particularly short. For providers, the choice of home state is therefore also a factor influencing their supervisory strategy.

06 Risks and challenges

  • Safekeeping & Key Security: Legally sound segregation, reconciliation, segregation and controlled third-party chains — not just IT security.
  • Multiple regulation: MiCA is just one layer — it also includes AML/CFT, TFR, DORA, consumer protection, and in some cases MiFID/MiFIR, as well as EMI/banking law. The effort increases systemically, especially with hybrid models.
  • Evidence of inspections: The supervisory authority reviews documented processes — access controls, key ceremonies, board minutes, recovery/redemption plans, training records.
  • Cross-border residual problem: Despite passporting, supervisory style, substance expectations and sanction regimes diverge — room for regulatory arbitrage.

07 Recommendations and checklists

The most significant strategic error is treating MiCA as a one-off regulatory project. The bottleneck lies in the current regulatory framework. Heuristic: First the operating model, then the license.

Compliance checklist for providers

  • Map license scope: Which MiCA services in which legal entity, with which passporting goal.
  • Capital/class choice: Class 1/2/3 according to Annex IV; for EMT/ART additional reserve and redemption mechanism.
  • Document governance: Responsibilities, fit and proper, conflict and complaint management, control functions.
  • Custody controls demonstrable: Segregation, reconciliation, key management, recovery, emergency access, third-party custodians.
  • Mastering outsourcing: Critical providers, exit rights, DORA/BCM references.
  • Integrate AML/CFT: KYC/CDD, Screening, Monitoring, STR Process, Training, Record Retention, Travel Rule.
  • Token governance: Listing criteria, whitepaper review, stablecoin compliance, market abuse monitoring.
  • Wind-down plan: Customer communication, asset return, position liquidation, data storage, outsourcing termination.

Due Diligence Checklist for Investors

  • Check register: Is there an active MiCA authorization listed in the ESMA or national register?
  • Check legal entity: the brand ≠ the licensed EU company (Kraken/Circle use multiple units).
  • Check license scope: Custodialy only — or also platform, execution, consulting, portfolio management?
  • Customer protection mechanism: Segregation, redemption rights, appeal process, insurance, proof-of-reserves, wind-down.
  • Stablecoin exposure: MiCA-compliant EMTs/ARTs or third-country tokens with restricted legal status?
  • Evaluate supervisory authority: Home state, regulatory authorities, and the sanctions environment shape the actual quality of oversight.

08 Case studies

  • Bitpanda GmbH (AT): Broad broker/custody model; FMA approval according to Art. 63 MiCA (10.04.2025) with a full service package. Shows: MiCA primarily examines governance and control maturity in multi-service models.
  • Kraken (IE): Functional division within a group: Payward Europe Solutions holds the broad CASP license, Payward Global Solutions the platform operation — modular license architecture plus MiFID/E-Money components.
  • CheckSig (IT): Italy's first authorized CASP (Consob, May 7, 2026). Trading + Custody + Institutional Services, emphasizes Proof-of-Reserves and Segregation — Italy only listed nine actors by the end of June 2026 (selective).
  • Circle (FR): The most significant EMT case is the ACPR's EMI license (July 1, 2024), compliant with USDC and EURC MiCA. EMTs are characterized by their legal status, redemption at par, and reserve and safeguarding structure.
  • Bitvavo (NL): Early forced market shakeout: CASP approval on June 26, 2025 with only a 6-month NL transition period — license or market exit came particularly early here.

09 Classification by Financial Forensics

Expert commentary

MiCA licensing is a core due diligence criterion. The distinction between MiCA-licensed / nationally registered only / unregulated determines the legal and recovery position in the event of a claim.

For licensed CASPs, segregation, grievance procedures and supervision apply. Asset protection and information requests are more realistic than with unregulated offshore providers.

Brand ≠ licensed entity. Kraken and Circle use multiple EU companies — for delivery, freeze and forfeiture, the exact legal entity is what matters.

Off-ramp with regulated CASP is the most tangible point of reference. for cooperation with authorities, travel rule data and asset protection.

Source base
EU / ESMA (Primary)MiCA full text (EUR-Lex Regulation 2023/1114) · ESMA Interactive Single Rulebook · ESMA Register Art. 109/110 · ESMA list of national transitional periods (Art. 143).
National supervisionBaFin / KMAG · AMF & ACPR (FR) · Consob & Banca d'Italia (IT) · AFM & DNB (NL) · CSSF (LU) · Central Bank of Ireland · FMA Austria.
Provider & SecondaryCompany announcements (Circle, Kraken, CheckSig, Bitpanda) · Financial Times (ESMA figures) · EU Crypto Register (Register mirroring, only with primary source reference).

Selection not exhaustive; the current ESMA register (Art. 109) and national registers are authoritative. Secondary register references only with plausibility checks against primary sources. Status: 1 July 2026.

Professional headshot of a mature man in a dark blazer and white patterned shirt, looking at the camera.

David Lüdtke

Managing Director · OSINT Analyst & Crypto Forensic Expert · Financial Forensics GmbH

Court-admissible crypto transaction analysis, OSINT-based asset investigation, and expert reports for defense attorneys, insolvency administrators, and companies. Certified Crystal Expert (CECF, CEEI, CEUI). Financial Forensics Supports law firms, companies, investigative bodies and insolvency administrators — focus areas: Blockchain forensics, wallet analysis, court-admissible documentation, OSINT.

Contact: postfach@finanz-forensik.de +49 6057 772 994 86 

Vendor audit or crypto recovery?

We examine MiCA status and legal entity, classify off-ramps from a regulatory perspective, and provide the forensic basis for disclosure, freeze, and asset protection.