MICA to RegRally: The Crypto Guide, August 2025

ECOVIS brings you a curated selection of significant developments from the European crypto regulatory landscape. It provides viewers with a look at what’s ahead and high-profile insights into the ever-changing crypto industry.

Bank of Lithuania Warns Investors on MiCA Compliance Deadline

The Bank of Lithuania has urged crypto-asset investors to verify whether their exchange or wallet providers plan to obtain authorisation under the MiCA Regulation before the 31 December 2025 compliance deadline. After this date, only MiCA-licensed entities in Lithuania or other EU Member States may legally offer crypto-asset services in Lithuania, with unlicensed operators required to cease operations. Investors should confirm their provider’s licensing status and, if necessary, transfer assets to a licensed service or self-hosted wallet. The regulator warns that it will not protect investors dealing with unlicensed entities and advises consulting the official list of licensed CASPs to ensure compliance and safeguard assets.

Our recommendation:

• Identify crypto clients or counterparties that are not yet MiCA-licensed.
• Assess their transition plans and obtain written confirmation of licensing intent or withdrawal timeline.
• Align Internal Policies with MiCA Investor Protection Requirements.

Bank of Lithuania Orders Unlicensed Crypto Providers to Wind Down Before MiCA Deadline

On 1 August 2025, the Bank of Lithuania reiterated that cryptocurrency service providers not seeking MiCA authorisation must implement a timely and structured wind-down of operations. Registered operators planning to cease activities should immediately begin client outreach and asset offboarding, clearly communicating service termination dates and procedures for withdrawing or converting crypto-assets. After 31 December 2025, providing crypto-asset services without the required licence will be deemed illegal, carrying potential criminal liability, enforcement measures, and website blocking.

The regulator stressed that operators must prioritise the complete return of customer assets – in either fiat or crypto – and maintain open, multi-channel communication throughout the process. It also pledged to publish the names of unauthorised providers and refer suspected criminal breaches to law enforcement. Of more than 370 registered entities, only 120 show active operations, and just 30 have formally initiated the MiCA licensing process.

Our recommendation:

• Enhance transaction screening to identify and mitigate exposure to unregulated or wind-down-stage crypto service providers.
• Integrate alerts and internal escalation pathways for counterparties flagged as operating outside the regulatory perimeter after the transition period ends.

Bank of Lithuania Sets Licensing Rules for EMT-Related Crypto Services

On 11 June 2025, the Bank of Lithuania clarified that CASPs intending to offer services involving electronic money tokens (EMTs) must also obtain a payment institution licence under a simplified licensing regime. This requirement, effective no later than 1 March 2026, applies to both custodial and transactional operations involving EMTs, which are legally classified as payment services when executed on behalf of customers. EMT-related transfers or wallets that allow movement of tokens to or from third parties fall under payment regulation and trigger additional licensing and capital requirements. Applicants must submit a dedicated licence application, a business programme, and a business plan that includes a separate section on EMT-related operations. In addition, they must provide three-year capital and financial projections, distinguishing EMT transaction volumes from other crypto services.

Our recommendation:

• Identify crypto counterparties intending to operate with EMTs and assess whether they are progressing toward the required payment institution licence.
• Screen crypto service providers for EMT-related services that may trigger licensing obligations under the EU payment services regulation.
• Prepare internal guidance on EMT classification and licensing thresholds to support compliance and client due diligence.

ESMA Flags Malta’s Partial Compliance on CASP Licensing – Calls for Stricter MiCA Authorisation Standards

On 10 July 2025, the European Securities and Markets Authority (ESMA) published a fast-track peer review of the Malta Financial Services Authority’s (MFSA) authorisation and early supervision processes for CASPs under the MiCA Regulation. While the MFSA was recognised for strong expertise and supervisory capacity, ESMA found the authorisation process only partially compliant, citing cases where licences were issued despite unresolved issues in business planning, governance, conflicts of interest, ICT infrastructure, and AML/CFT controls. ESMA stressed the need for all EU licensing authorities to adopt more rigorous, forward-looking assessments and enhance coordination via the Digital Finance Standing Committee to ensure consistent cross-border supervision, given that MiCA passports allow licensed firms to operate EU-wide. Authorisation was highlighted as a critical investor protection step requiring substantive scrutiny before firms scale operations.

Our recommendations:

• Assess governance, conflict-of-interest arrangements, business plan sustainability, ICT resilience, and AML frameworks of CASPs before onboarding or continuing relationships.
• Apply enhanced scrutiny to CASPs operating via MiCA passport regimes, recognising the regulatory risk of inconsistent supervisory standards across Member States
• Require counterparties to disclose material supervisory or enforcement history and inform you promptly of any regulatory interactions after the licence.
• Build internal guidance to flag CASPs from jurisdictions under peer review or identified as fast-tracking licensing without sufficient checks.

ESMA Warns CASPs on Misleading “Halo Effect” in MiCA-Regulated Services

The European Securities and Markets Authority issued a public statement on 11 July 2025, cautioning that CASPs authorised under the MiCA regulation must not allow their licensed status to obscure that certain services they offer fall outside its regulatory perimeter. ESMA emphasised the risk of a so-called “halo effect,” whereby clients mistakenly assume that unregulated offerings, such as certain DeFi products, advisory or trading services not covered by MiCA, benefit from the same investor protection measures afforded to MiCA-authorised services. These protections include asset safeguarding, complaint handling, conflict of interest management, and ongoing oversight.

The regulator warned that it is misleading and may be unlawful for CASPs to present unregulated services alongside MiCA-regulated ones without making the distinction clear and prominent. ESMA expects that all points of client engagement, including marketing materials, onboarding processes, digital interfaces, client portals, and terms of use, must clearly and unambiguously differentiate between regulated and unregulated services.

Our recommendations:

• Update internal compliance checklists and disclosure policies to reflect ESMA’s expectations, and monitor advertising copy for language implying protections extend beyond the regulated sphere.
• Monitor and assess potential conflicts of interest where group entities offer unregulated products via the same technical or branding infrastructure as regulated services.

ESMA Publishes Final Guidelines on Staff Competence for MiCA Crypto-Asset Services

The European Securities and Markets Authority has introduced Final Guidelines establishing minimum standards for knowledge and competence among staff providing crypto-asset services under the MiCA framework. The requirements apply to individuals delivering either information or advice on crypto-assets.

Staff providing general information must have completed at least 80 hours of training or possess one year of supervised experience. Those advising clients are subject to stricter requirements, including 160 hours of training or equivalent qualifications, such as a relevant university degree.

Ongoing professional development is also required: at least 10 hours annually for information providers and 20 hours for advisers. Staff with at least one year of relevant experience may be deemed competent if the CASP can document their qualifications. Individuals who have not yet met the complete requirements may interact with clients under supervision for a transitional period of up to four years.

Our recommendations:

• Audit staff roles to distinguish those who merely provide information from those who offer advice, applying relevant competence criteria accordingly.
• Verify that all personnel meet ESMA’s prescribed thresholds, i.e., 80 hours or one year of supervised experience for information providers, and 160 hours or equivalent for advisers.
• Implement and maintain annual continuing professional development programmes, tailored to crypto-specific risks such as volatility, cybersecurity, smart contract vulnerabilities, and DLT transfer failures.
• Maintain formal documentation of competence assessments and supervision arrangements.

ESMA Clarifies Crypto Custody and Staking Rules under MiCA

In its July 2025 Q&A update, the European Securities and Markets Authority clarified key rules under the MiCA framework regarding crypto custody and staking.

If a CASP pre-funds client transactions using client-owned crypto, this activity qualifies as sub-custody and requires full compliance with Articles 70 and 75 of MiCA. Only CASPs authorised under Article 59 may hold assets for such purposes.

Additionally, CASPs are prohibited from staking clients’ crypto-assets for their benefit even with client consent. Staking-as-a-service is allowed only when all benefits accrue directly to the client.

Our recommendations:

• Review all pre-funding practices and ensure compliance with MiCA’s sub-custody framework.
• Ensure all staking-related costs, including third-party validator fees, are disclosed transparently.