The wide-ranging rules of the new EU crypto regulation

On April 20, 2023, the European Parliament adopted the long-awaited Markets in Crypto-assets Regulation (MiCA), legislation that will provide the basis for the creation of a harmonised and comprehensive European regulatory framework for crypto assets. 

Alongside MiCA, the legislators approved the recast Transfer of Funds Regulation, which implements into European law a controversial ‘travel rule’ developed by the Financial Action Task Force (FATF). 

Both pieces of legislation are yet to formally become law, which is expected to take place in June 2023 and will trigger the 18-month run-up period to their application. 

The relatively short implementation timeframe and complexity of a broader regulatory framework means that the crypto assets industry will face intense months ahead. 

Single European regulatory regime for crypto assets

MiCA sets out a harmonised EU-level framework governing the structure of and conduct in European crypto asset markets, addressing issues ranging from the issuance and placing on the market of crypto assets and stablecoins, requirements for crypto asset service providers, through to consumer protection and anti-market abuse measures for markets in crypto assets. 

Consequently, MiCA makes the issuance and offering of crypto assets to the public in the EU, as well as seeking admission for such crypto assets to trading, subject to a prescribed set of requirements. 

These include an obligation to publish a white paper containing a detailed description of the planned crypto asset offering or admission to trading, rules concerning marketing communications, as well as conduct and liability rules for issuers. 

A separate and more stringent set of provisions governs the issuance of asset-referenced tokens and e-money tokens (jointly referred to as ‘stablecoins’) and MiCA will require this type of activity to be authorised. 

Stablecoin issuers will have to comply with rules relating to conduct, marketing, governance, organisation and prudential requirements – including an obligation to have a reserve of assets, and rules regarding management and custody.

Prospectively relevant for the future distribution of stablecoins in the EU, MiCA includes restrictions on the use of such crypto assets as a means of exchange, applying limits concerning the number and value of transactions. 

The provision of services in crypto assets will become a regulated activity and subject to authorisation, either under MiCA or sectoral European financial services legislation. The scope of services covered by MiCA broadly mirrors MiFID-types of services and activities in financial instruments.

This includes, among other things, custody services, operating trading platforms for crypto assets, executing orders for crypto assets on behalf of clients, portfolio management and advice on crypto assets. 

MiCA-authorised providers of services in crypto assets will be subject to a range of requirements, including prescriptive organisational and disclosure rules, requirements concerning safekeeping of client funds and outsourcing, conduct rules and prudential requirements. They will benefit from a ‘passport’ right, allowing them to provide their services cross-border to other EU countries. 

MiCA does not provide a regime for third-country crypto asset service providers based outside the EU, so such entities would either have to seek authorisation or rely on a very narrow reverse solicitation exemption. 

MiCA also seeks to target manipulative behaviour in crypto asset markets by setting out a market abuse framework for crypto assets and including rules regarding inside information and the relevant prohibitions. 

Similar to the regime applicable to securities markets, any person professionally arranging or executing transactions in crypto assets will be required to have effective systems, procedures and arrangements to monitor and detect market abuse, as well as to report suspicious orders and transactions to competent authorities. 

Transparency of crypto asset transfers

Adopted together with MiCA and complementary to its provisions, the Transfer of Funds Regulation introduces an obligation for crypto asset service providers to collect and make accessible data concerning the originators and beneficiaries of the transfers of crypto assets they undertake, regardless of the amount of crypto assets being transferred. 

The legislation prescribes details regarding the type of information that the crypto asset service provider of the originator will have to obtain and verify prior to executing the transfer of crypto assets and requires crypto asset service providers to have in place effective procedures to detect missing information. 

Broader EU regulatory framework 

Importantly, while MiCA brings crypto assets and related activities within the regulatory regime, it also triggers the application of other pieces of European legislation to MiCA-authorised crypto asset market participants. 

This notably includes the recently adopted Digital Operational Resilience Act (Dora), legislation that alongside MiCA was part of a broader Digital Finance Package when originally published by the European Commission in 2020. 

Dora, which will become applicable in January 2025, introduces a harmonised framework on digital operational resilience for all types of European financial institutions, including MiCA-authorised crypto asset service providers and issuers of asset referenced tokens. 

It sets out a very prescriptive set of requirements concerning the management of information and communication technology (ICT) risks, including internal governance and control frameworks, incident management processes and testing, as well as management of ICT third-party risks. 

Ensuring compliance with Dora is expected to be a complex task, both for bigger and more sophisticated financial institutions whose documentation, systems and processes will have to be reviewed and possibly updated, but likely even more so for smaller firms with less advanced ICT management and outsourcing structures. 

European crypto asset market participants will also have to be aware of other rules that are currently under development and that will be relevant to their businesses, such as the revision of the European anti-money laundering and counter-terrorism financing framework, amendments to the Directive for Administration Cooperation concerning mandatory reporting of transactions in crypto assets of EU clients for tax purposes, as well as proposed amendments to the Capital Requirements Directive concerning the prudential treatment of banks’ exposures to crypto assets.

Finally, it is important to note that work on the new MiCA regime is not yet complete, as the European Commission, together with the European supervisory authorities, will have to develop, ahead of MiCA’s entry into application in early 2025, a set of secondary (‘Level 2’) legislation providing technical and operational details for some of its key provisions. 

That said, as with every piece of European financial services legislation, MiCA is expected to be subject to reviews and updates, in particular as it does not cover every type of activity related to crypto assets. Market participants should therefore continue to keep a close eye on all developments in the area.

Anna Carrier is a legal consultant in the Brussels office of international law firm Norton Rose Fulbright.