Introduction & Welcome

Delphine Forma

Hi everyone, and welcome to today’s webinar: “MiCA After One Year – What’s Working, What’s Breaking, and What Comes Next.” To discuss this topic, I’m joined by Ana Carlos de Oliveira, Chief Compliance Officer at Venga; Nathan Catania, Partner at XReg Consulting; and Tommaso Astazi, Policy Director at Blockchain for Europe.

We are now a little more than one year – almost 14 months – into MiCA. A handful of CASPs are authorised, many are still operating under transitional arrangements, and supervisors are already asking hard questions about firms that won’t make it. At the same time, there are still a lot of unresolved issues: clear gaps in supervisory convergence across member states. And the European Commission is already signalling potential changes, even as firms and supervisors are still trying to digest the framework.

This session covers how MiCA is operating in practice, CASP supervisory convergence and divergence and what that means, and what’s next on the EU agenda. Ana, do you want to give a brief introduction?

Ana Carolina Carlos de Oliveira

Yes. I am Chief Compliance Officer at Venga. We are based in Spain, in Barcelona, and we applied for the MiCA licence at the beginning of 2025. We are now in the fourth round of questions from the Spanish regulator – in fact, we replied to the latest round just yesterday. So this is a very live moment for the company and the compliance team. It’s great to be here with you all to discuss this. We are sometimes a bit alone on this road.

Nathan Catania

Hi, Nathan here, Partner at XReg Consulting. I’m based in Gibraltar, not too far from Spain and Barcelona. I used to be part of the regulatory team at the Gibraltar Financial Services Commission, authorising and supervising crypto companies back in 2018 when the DLT framework went live there. I left around six years ago to establish XReg Consulting. We’re a boutique consulting firm that advises on crypto-asset regulation and policy. We do a lot of work with public-sector clients – regulatory authorities around the world – building bespoke frameworks. But we also have a big focus on private-sector clients, largely around getting regulated across different jurisdictions. As you can imagine, MiCA in Europe has been a major area of focus for us over the past year.

Tommaso Astazi

Hi everyone, a pleasure to be here. My name is Tommaso Astazi. I am the Policy Director at Blockchain for Europe. For those who don’t know, Blockchain for Europe is a Brussels-based trade association representing the blockchain industry with European policymakers. It was founded in 2018, right at the start of the European Union’s considerations around blockchain technology and how to regulate the industry. Blockchain for Europe was founded to provide a platform for Web3, blockchain, and crypto companies to be represented at the European level and to influence the understanding of European policymakers when it comes to crypto assets and the best way to regulate them.

So I’m obviously very happy to be talking about MiCA, which is essentially what we do on a daily basis.

What’s Working and What Needs Improvement

Delphine Forma

Tommaso, as a policy expert, we are now more than one year in. I’d like your view: what is clearly working as intended, what is clearly breaking down in practice, and what does that tell us about what Brussels is likely to change next?

Tommaso Astazi

That’s the question everyone has on their mind right now. Together with our members, including Solidus Labs, we carried out an exercise analysing MiCA to assess what’s working well, what needs improvement, and what’s not in the MiCA framework but might be considered for inclusion in the next iteration – the so-called MiCA 2.0.

In terms of what’s working: overall, companies are getting licences and, thanks to those licences, are able to passport their services across the EU. That was one of the primary objectives of MiCA, and I think we can take it as a positive.

In terms of areas for improvement, there are several. Stablecoins are a big one – particularly the reserve requirements, which are considered quite bank-centric in how issuers need to hold reserves in commercial banks. There are also questions around the application of the payment-services framework to transfers of e-money tokens. Our members have also raised issues with sustainability requirements and white-paper requirements: while positive in their objectives of ensuring disclosure for investors, they can be complicated to comply with and could be made easier.

Proportionality is another issue. The rules apply more or less the same way regardless of a firm’s size, which is something the EU should reconsider – not just for MiCA, but as part of a broader simplification effort.

On what’s missing: we all know DeFi was not included in MiCA, and NFTs are another area where we expect potential future moves. The prohibition on granting interest on stablecoins is also notable, especially as other jurisdictions like the UK are exploring different approaches.

As for what to expect from Brussels: first, a public consultation from the European Commission on the whole MiCA framework, expected sometime in April – possibly after Easter. That will be significant, as it will invite input from everyone on MiCA 2.0, which is most likely coming around 2027. Second, there’s a European Parliament report on digital assets coming out soon. And third, the Market Integration and Supervision Package, which includes proposals on centralised supervision of CASPs and updates to the DLT Pilot Regime.

Ana Carolina Carlos de Oliveira

When Tommaso was listing those areas, I was checking the boxes. Those are exactly the difficulties I face. Prudential safeguards calculations, reporting requirements, stablecoins – it’s reassuring to know we’re all pointing in the same direction.

The Shift from AML-Only Frameworks to Full Regulation

Nathan Catania

I think it’s important to set the scene, because it explains some of the struggles we’re having with MiCA. When I started working in crypto regulation eight years ago at the Gibraltar Financial Services Commission, we were one of the first jurisdictions with a crypto regime. The FATF then clarified that crypto needed to be regulated, which triggered a huge drive for other jurisdictions to follow suit – but it was very much AML-focused. There were a few bespoke regimes – the US, Malta – but largely crypto was an AML-only framework.

MiCA completely rewrote the rulebook. It doesn’t even mention AML broadly. It sets standards you’d expect in highly regulated industries: prudential requirements, conduct standards, and a few things unique to MiCA, like environmental disclosures. Many firms initially expected the MiCA licensing process to be a similarly easy ride to an AML registration. They quickly realised it’s a very different level of authorisation. The application alone spans hundreds, sometimes thousands of pages. There are capital requirements and a big focus on local presence.

If I had to name the single biggest struggle, it’s this shift from AML-only to a full regulatory framework aligned to investment companies under MiFID or even banks. On MiCA-specific issues, regulators are still working to understand blockchain technology at a deep level. They still try to adapt traditional methods to things like custody – which works very differently on-chain – and the Travel Rule. It’s been a painful process, but a lot of it reflects the industry’s maturation.

The Licensing Process in Practice

Delphine Forma

Ana, you’ve been living and breathing MiCA for the past 14 months. What does the licensing process actually look like in practice?

Ana Carolina Carlos de Oliveira

For us, the licensing process has been a continuous process of building up alongside the regulator. The Spanish supervisor in January 2025 and the same supervisor in January 2026 – it’s a completely different conversation. The whole year has been a massive shift in accountability and culture. If you want to stay in the market, you need to start with compliance; product development needs to check with compliance first, against MiCA requirements.

We’ve developed a new relationship with the regulator. They understand our business better now, and we understand better what they want from us. I can develop ten controls in-house, but if those aren’t the ones the regulator wants to see to confirm MiCA compliance, I won’t pass the test.

Custody is a great example of the integration required between technology, banking regulation, MiCA, and supervisors. You need to explain a very different technology so the supervisor understands your custody system. We’ve aligned three pillars – supervisors, compliance, and product – so everything works smoothly. It’s a very collaborative process involving external consultants, internal product management, compliance, and the supervisor explaining what they want to see.

We’ve also seen shifts in how ESMA guidelines are interpreted, which has concrete impacts on the licensing process. Sometimes the supervisor reclassifies an activity under a different MiCA article, and you adapt.

Follow-Up Questions and Divergence Across NCAs

Delphine Forma

Nathan, from your experience working with many firms, what generally triggers follow-up questions from regulators?

Nathan Catania

It varies significantly depending on the business and the regulatory authority. One of the main challenges is presence – whether you have sufficient presence to run the business from Europe, particularly when you’re part of a larger group. Smaller jurisdictions tend to handle this better because they’re used to businesses outsourcing to the wider group. Larger jurisdictions put a lot more pressure on establishing a significant local presence.

We’re also seeing pushback on CASP requirements and a big area of focus is DORA and the IT risk-management framework. Many firms aren’t used to operating under such a heavily regulated IT framework, and the uplift required for DORA compliance is significant.

Tommaso Astazi

There’s always a difference between the legal text and implementation reality. Level 1 texts like MiCA get interpreted at national level in slightly different ways. When firms report back to us about these challenges, we try to intervene and understand where the divergence comes from.

ESMA’s guidelines are not legally binding – they’re meant to guide interpretation at the national level, but national competent authorities still retain leeway. Some NCAs are more accessible and provide genuine dialogue. In other cases, companies submit their application and don’t hear back for months.

We all saw the recent LinkedIn post from the founder of a Danish startup called PixelPay. They applied to the Danish FSA, provided all documentation, chased the regulator for clarity, and eventually decided to shut down because they couldn’t operate without knowing what was going to happen. That’s unfortunately happening too often across the EU.

Hungary is another example – they implemented national rules that went beyond MiCA, and the European Commission has opened an infringement procedure. So there’s a lot of fragmentation, which in turn causes regulatory arbitrage and different interpretations.

The Most Differently Interpreted Requirements

Ana Carolina Carlos de Oliveira

Operationally, the divergence doesn’t change a lot for us because we always planned to pursue our licence in Spain. But the licensing process across the EU is a difficult topic. We’ve completely transformed the company from what it was in 2023 to what it is in 2026, based 90% on MiCA. If you get the licence, you keep operating. If you don’t, you close. That’s a drastic consequence sitting on the shoulders of the compliance team.

Meanwhile, competitors who obtained their licence elsewhere through passporting can access customers across the EU. There’s no black and white in law, and different supervisors interpret things differently, which means different timelines and outcomes. Many companies are choosing jurisdictions specifically based on the licensing experience with the supervisor.

Nathan Catania

Presence is one that’s very broadly interpreted. The other key area is custody – and even the question of which MiCA activity category you need. Some regulators are flexible about activity classifications, while others will challenge whether you need one category or another.

There are also local requirements that supplement MiCA. In the Netherlands, for example, custody generally needs to be undertaken through a separate trust structure, which can fundamentally change your approach. Segregation of customer funds is another area where I’ve seen NCAs challenge how exchanges operate – questioning whether funds are commingled when there’s really no other practical way to run an exchange.

Centralised Supervision

Delphine Forma

Tommaso, the EU Commission has proposed to have ESMA as a centralised body for authorisation and supervision. What is your take on the timing?

Tommaso Astazi

This isn’t a new debate. The wider financial sector has been discussing how to achieve a single capital market for 10 to 15 years. The Commission’s proposal is a package of different proposals tied together. There are elements like the DLT Pilot Regime review where everyone broadly agrees we need to move fast, and more controversial elements like centralised supervision for the whole financial sector.

Among our members, there are companies in favour and companies opposed. On timing, we don’t believe this was the right moment to change the framework. We need to let the current framework become fully operational – finalise grandfathering periods, clarify implementation – before potentially moving everything to ESMA. But we understand why it’s being done this way.

My call to action is for everyone to monitor this space closely, because it will impact how your company deals with its regulator, whether national or eventually European.

Ana Carolina Carlos de Oliveira

For a mid-sized company, I see centralised supervision as positive. The tiered supervision model would bring the biggest companies – those licensed in jurisdictions with more streamlined processes – to the same level of supervision. The Anti-Money Laundering Authority (AMLA) has already identified CASPs as high-risk in its working programme.

If the goal of MiCA is protecting financial stability and customers, it makes sense to avoid situations where large companies operate under weaker supervisory authorities. Centralised supervision could also help harmonise reporting requirements, which would make life easier for all of us in compliance.

The E-Money Token and Payment Services Problem

Nathan Catania

I always give the same caveat: I’m not a lawyer, though I sometimes feel like half of one. I like to take a practical approach.

When the announcement came last June, I thought there were routes companies could take to stay outside of payments. But we’re seeing an overly broad interpretation of what payment services are. Very broadly, if you accept stablecoin deposits and custody stablecoins on behalf of clients, you likely also need a payment licence.

For new licensees applying from scratch, adding a payment permission is painful but manageable, especially where the same regulator handles both MiCA and payments. But that’s not always the case. For companies already operating under transitional provisions, being told they also need a PSD licence – potentially from a different authority that doesn’t understand crypto – and that they must obtain it quickly or stop activities, is extremely challenging.

Tommaso Astazi

Nathan explained it perfectly. To clarify: for entities still in the grandfathering period (ending July 2026 in some member states), the EBA indicated they should have applied for a licence by 2 March, but they’ll be allowed extra flexibility until the grandfathering period ends. Nobody wanted this double-licensing outcome. Even the EBA’s own no-action letter stated they didn’t believe it was the right situation.

There are two separate discussions. First, how PSD2 applies today – the no-action period ended on 2 March, so as of 3 March, PSD2 must be applied. Second, the legislative negotiations for PSD3 and PSR in trilogue, where we’re hoping to see an amendment that would allow licensed CASPs to continue providing payment services with e-money tokens until their payment licence is granted or refused, or for up to two years.

Until then, the situation is clear: if you’re a CASP providing transfer services of e-money tokens that are not for settlement or trading purposes, that is considered a payment service, and you need a PSD2 licence.

Ana Carolina Carlos de Oliveira

The EBA’s no-action letter mentions a “streamlined licensing process” twice, taking into account documents already submitted for the MiCA licence. But in Spain, we have one supervisor for MiCA and a different one for payments. We have no information about any streamlined process, which means we need to prepare a full licence application as if it were our first.

The likely outcomes are either firms stop offering the service, or we end up with massive market concentration – two or three large companies that hold both MiCA and PSD licences, and smaller firms must partner with them to offer stablecoin services. In Spain, a PSD licence could take around two years to obtain.

Delphine Forma

In the regulator’s defence, I don’t think they anticipated when writing MiCA that e-money tokens would qualify as funds with all the consequences we’re seeing today.

Three Things CASPs Must Prepare in 2026

Nathan Catania

First, prepare for supervision. We’re moving from application mode to supervision mode. It’s very easy to get consultants or law firms to prepare a compliant application, but as a business you need to put it into practice. As an ex-regulator, I expect enforcement action against firms that committed to doing things in their business plans but aren’t actually doing them.

Second, think carefully about new products. Crypto moves fast beyond traditional CASP activities – tokenisation, prediction markets, DeFi integration. Many of these products probably aren’t even covered by MiCA and sit in other areas of regulation. Plan ahead, because in Europe it can take six months to a year to get the authorisation you need.

Third, get ready for more politics.

Tommaso Astazi

Nathan is right on everything. My call to action is for companies to get involved. Join Blockchain for Europe or other associations working at the European level. You need to be aware of what’s coming and how your business might have to change. More importantly, you need to influence those decisions. We need developers, technical experts, and compliance professionals talking with policymakers so they understand what they’re regulating.

Ana Carolina Carlos de Oliveira

My three things are very practical. First, apply for the PSD licence – do not delay. While the European Commission and EBA may change their positions, you need to start now.

Second, prepare for reporting. Once you get your licence, there are extensive reporting obligations. Here in Spain, that means recording balances, transaction volumes, and being ready for internal, external, financial, DORA, and cybersecurity audits. Everything must be well-documented and audit-proof. Supervisors aren’t going to look at your policies – they’re going to look at how you behave.

Third, prepare due diligence over your service providers. This isn’t MiCA-specific, but it’s critical to ensure you’re working with solid partners who can navigate turbulent waters alongside you.

A final remark: we are slowly changing the reputation of the crypto market. MiCA gives us the protection and transparency to bring more people on board who’ve never invested in crypto before. The goal for compliance this year is to build trust, build transparency, report, commit, comply, and apply for licences.

Closing Remarks

Delphine Forma

Thank you so much for all your insights. I really enjoyed the conversation. I’m already looking forward to the next webinar – I think we’ll focus on DeFi and reporting, because reporting is a really underestimated topic. Thank you all.

‍