On 31 January 2025, ESMA published a supervisory briefing to guide NCAs in authorising crypto-asset service providers (CASPs) under MiCA. The document adopts a risk-based approach, classifying all CASPs as high-risk entities and establishing guidelines for governance, externalisation, suitability and business plans. NCAs must ensure ongoing compliance and proper supervision of CASPs. In Portugal, the definition of the NCAs and the implementation of the MiCA transitional measures are still pending.
Background
The European Securities and Markets Authority (ESMA) published on 31 January 2025, a supervisory briefing to guide National Competent Authorities (NCAs) in implementing a consistent and harmonised approach to authorising crypto-asset service providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCA). To provide clarity to market participants and the broader public, ESMA published this shortened version.
This briefing outlines a risk-based approach, detailing key risk factors that NCAs should assess when authorising CASPs and includes connections with other regulatory areas, such as the provisions of anti-money laundering and combating the financing of terrorism (AML/CFT) and Digital Operational Resilience Act (DORA Regulation), that should be interpreted with specific technical standards, and guidelines to ensure completeness.
Our Legal Alert summarises the key elements of the briefing, which covers topics such as risk-based assessment, governance, outsourcing and ongoing compliance.
Key Insights and Potential Implications
I. Risk-Based Approach
ESMA considers all CASPs inherently high-risk compared to traditional financial entities, rejecting any low-risk categorisation. Their exposure to money laundering and financing of terrorism (ML/FT) risks is heightened by their business structure, cross-border operations, and the use of technologies enabling instant and often anonymous transactions.
In assessing MiCA authorisation requests, NCAs must evaluate key risk factors, including: (i) CASP’s size; (ii) Complexity of Group Structure; (iii) Cross Border Activity; (iv) Role in the Ecosystem; (v) Combination of Crypto-Asset Services; (vi) Combined Business Models; (vii) Outsourcing of Key Functions; (viii) Level and type of Outsourcing; and (ix) Supervisory History.
II. Substance and Governance
Substance and governance are crucial for CASPs in order to maintain effective oversight in the European Union (EU). They must implement local decision-making, with autonomous reporting and adequate in-country personnel, while NCAs must prevent key functions from being outsourced outside the EU.
By enforcing these governance and oversight measures, CASPs can ensure regulatory compliance, operational resilience, and effective risk management within the EU.
III. Outsourcing
Outsourcing functions should not dilute CASPs’ responsibilities or NCAs’ oversight. CASPs cannot become “letter-box” entities, and Information anc Communication Technology (ICT) outsourcing requires strict scrutiny under DORA. Non-EU outsourcing must be carefully assessed, with NCAs ensuring access to critical data. CASPs must maintain control, limit AML outsourcing, and prevent delegation of key functions. Supervisory access must be guaranteed, and custody outsourcing is restricted to authorised entities.
IV. Fit & Proper Assessment
The fit and proper principles aim to ensure that CASPs maintain a reliable executive management board and focuses on evaluating the technical capabilities of board members.
Larger or more complex CASPs require higher skill levels, with both individual and collective suitability taken into account. NCAs shall investigate past supervisory violations, assess risk levels, and engage with relevant authorities to determine whether board members have addressed past issues. Regular consultations with AML/CFT authorities help ensure continuous compliance, reinforcing board integrity, regulatory adherence, and effective governance.
V. Business Plan
CASPs should also provide a solid business plan based on realistic assumptions, considering the current activities as a starting point.
VI. Notifications
In relation to notification procedures, NCAs must ensure their official websites or national registers list entities authorised to provide crypto-asset services, including those operating under MiCA notification as well as information if an entity has been required to suspend services.
Additionally, it provides a timeline for incomplete notifications in relation to the notification procedure for certain financial entities, as established under article 60 of MiCA:
|
Stage |
Timeline |
Description |
|
Initial Notification Submission |
T-40 Days |
Entities must notify NCAs at least 40 days before starting to provide crypto-asset services. |
|
Initial Completeness Assessment |
Within 20 days upon receiving the notification. |
NCAs assess the submitted application for completeness. |
|
Additional Information Period (if needed) |
Up to 20 days |
If the initial submission is incomplete, an additional period of up to 20 days is granted for the entity to provide missing information (during this period, the original 40-day deadline is suspended). |
|
Final Assessment |
20 days after the additional period expires |
NCAs check again for completeness of the notification. |
|
Incomplete Notification Outcome |
After final assessment |
If the application remains incomplete: (i) NCAs must inform the entity that the notification is incomplete, and the entity is not authorised to start providing services. (ii) The entity must withdraw the notification and resubmit a complete application, restarting the timeline. |
Implications and Next Steps
NCAs are expected to apply the principles outlined in the supervisory briefing both during the authorisation process and in their ongoing supervision of authorised CASPs, in order to ensure continued compliance.
It should be noted that in Portugal the identification of the NCAs as well as the implementation of transitional measures under MiCA is still pending.
Beyond this Legal Alert, we also note that the Morais Leitão team is continuously monitoring all the communications and updates related to the MiCA Regulation.
