MiCA Compliance Checklist 2025: What Crypto Companies Need to Know

What Is MiCA and Why It Matters in 2025

The Markets in Crypto-Assets Regulation (MiCA, EU 2023/1114) represents the most significant regulatory shift in the crypto industry since the emergence of Bitcoin. Fully applicable since December 30, 2024, MiCA establishes a unified legal framework governing crypto asset issuance and service provision across all 27 European Union member states.

Before MiCA, European crypto companies operated under a patchwork of national regulations — or in many cases, regulatory grey areas. MiCA changes this fundamentally. Any company wishing to issue crypto assets to EU investors or provide crypto asset services to EU customers must now comply with a single, harmonized rulebook or face enforcement action by national regulators.

The stakes are substantial. The EU crypto market represents tens of millions of potential customers. Non-compliance risks include administrative fines of up to €5 million (or 3% of annual turnover), suspension of operations, and reputational damage in one of the world's most lucrative regulated markets.

This checklist covers the 15 key compliance requirements every crypto company must address, the special rules for stablecoin issuers, the CASP authorization process, and the pathway for Turkish companies to leverage their existing compliance infrastructure for EU market entry.

MiCA Timeline: Key Dates

Understanding MiCA's implementation timeline is critical for compliance planning:

• June 29, 2023: MiCA published in the Official Journal of the EU
• June 30, 2024: Titles III and IV apply — rules for asset-referenced tokens (ART) and e-money tokens (EMT) take effect
• December 30, 2024: MiCA fully applicable — all CASP requirements now in force
• 2024–2026: National Competent Authorities (NCAs) accepting CASP authorization applications; transition periods for existing operators vary by EU member state (typically 12–18 months)
• End of 2025: Most transition periods expire — unauthorized CASPs must cease EU operations

The EU Council formally adopted MiCA following extensive consultation with industry stakeholders, consumer protection groups, and financial regulators. The regulation builds on earlier frameworks including the 5th Anti-Money Laundering Directive (AMLD5) and FATF Virtual Asset guidance, creating a comprehensive and internationally aligned regulatory regime.

The 15-Item MiCA Compliance Checklist

The following checklist covers the core compliance obligations for Crypto Asset Service Providers (CASPs) under MiCA. Each item should be treated as a workstream requiring dedicated resources and expert oversight.

1. Legal Entity and Jurisdiction

Establish or designate an EU legal entity as the regulated entity for MiCA purposes. The entity must have a registered office in an EU member state and genuine business activity (substance) in that jurisdiction. Popular choices include Estonia (digital-forward regulation), Lithuania (fast processing), Germany (largest EU market), and the Netherlands. Action: Incorporate EU subsidiary; confirm substance requirements with local counsel.

2. Minimum Capital Requirements

MiCA establishes tiered capital requirements based on service categories:

• Class 1 (custody, transfer, order reception): Minimum €50,000 own funds
• Class 2 (exchange against fiat/crypto, portfolio management): Minimum €125,000 own funds
• Class 3 (underwriting, placement, advice + all other services): Minimum €150,000 own funds

Capital must be maintained at all times and reported to the National Competent Authority (NCA). Action: Determine service scope, calculate capital tier, arrange capitalization structure.

3. Crypto Asset Whitepaper

Any company offering crypto assets to the public in the EU must publish a MiCA-compliant white paper. The white paper must include: issuer identification, description of the crypto asset project, rights and obligations of holders, underlying technology description, risk factors, and specific regulatory disclosures. White papers must be filed with the relevant NCA before publication. Action: Engage legal counsel to draft MiCA-compliant white paper; submit to NCA prior to public offering.

4. Governance and Fit & Proper

MiCA requires CASPs to have robust governance arrangements. Senior management and board members must meet fit and proper criteria: good repute (clean criminal record), sufficient knowledge and experience in crypto and financial services, and commitment of adequate time. Compliance Officer, MLRO (Money Laundering Reporting Officer), and Risk Manager roles must be filled by qualified persons. Action: Conduct fit-and-proper assessments; prepare management CVs, criminal record certificates, and experience documentation.

5. AML/CFT Program

CASPs are obligated parties under the EU's AML framework (AMLD5/6) and must maintain comprehensive AML/CFT programs including: Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) procedures, transaction monitoring systems, suspicious activity reporting (SAR) to national FIUs, PEP and sanctions screening, Travel Rule compliance (FATF R.16), and staff AML training programs. Action: Deploy automated AML transaction monitoring; integrate sanctions screening; establish SAR reporting procedures.

6. Custody and Safeguarding Client Assets

CASPs providing custody services must maintain clear segregation between client and company assets. Client crypto assets must be held in segregated wallets, never co-mingled with company funds. MiCA requires CASPs to maintain liability coverage (through own funds or insurance) equivalent to the market value of crypto assets under custody. Hot and cold wallet segregation policies must be documented and tested. Action: Implement segregated custody architecture; document wallet management policies; arrange liability coverage.

7. Conflicts of Interest Policy

CASPs must identify, prevent, manage, and disclose conflicts of interest that may affect clients. This includes conflicts arising from proprietary trading alongside client order execution, advisory relationships, and affiliated entity transactions. A written conflicts of interest policy must be maintained, reviewed annually, and disclosed to clients. Action: Draft comprehensive conflicts of interest policy; implement information barriers where necessary.

8. Complaints Handling

MiCA requires CASPs to maintain free, effective, and transparent complaints handling procedures. Clients must be able to submit complaints without charge. CASPs must acknowledge complaints within defined timeframes and provide substantive responses. Complaints records must be maintained for regulatory inspection. Action: Implement complaints management system; train customer support staff; publish complaints procedure on website.

9. Business Continuity Plan (BCP)

CASPs must maintain documented and tested business continuity plans ensuring continuity of regulated activities in case of disruption. The BCP must cover IT system failures, key personnel absence, cyberattacks, and market disruption scenarios. Annual BCP testing with documented results is required. Action: Draft BCP covering all critical processes; conduct tabletop and technical testing; document results.

10. Cybersecurity and IT Security

MiCA requires CASPs to implement appropriate IT security measures proportionate to the risks. Requirements include: penetration testing (minimum annually), vulnerability management program, access control policies, encryption standards, incident response procedures, and reporting of major ICT incidents to the NCA within 4 hours of classification. Action: Commission annual penetration test; implement vulnerability management; draft incident response and ICT incident reporting procedures.

11. Market Abuse Prevention

MiCA prohibits insider dealing, unlawful disclosure of inside information, and market manipulation in crypto asset markets. CASPs must implement market surveillance systems to detect and report suspicious transactions. Policies on insider trading, information barriers, and personal account dealing must be maintained. Action: Deploy market abuse detection tooling; train staff on market abuse policies; establish suspicious transaction reporting procedures.

12. Client Communication and Marketing

All marketing communications by CASPs must be fair, clear, and not misleading. Risk warnings are mandatory in all marketing materials relating to crypto assets. The specific format and content of risk warnings is prescribed by European Securities and Markets Authority (ESMA) guidance. Cross-border marketing to EU clients by non-EU firms without MiCA authorization is prohibited. Action: Review all marketing materials; add prescribed risk warnings; train marketing staff on MiCA communication rules.

13. Prudential Reporting

CASPs must submit regular prudential reports to their home NCA covering: own funds levels and composition, assets under custody by category, transaction volumes, complaints statistics, and ICT incident reports. Reporting frequencies vary by item (monthly, quarterly, annual). Action: Build regulatory reporting infrastructure; assign compliance ownership for each report type.

14. Record-Keeping

MiCA requires CASPs to maintain records of all services, activities, orders, and transactions for a minimum of five years. Records must be stored in a format that allows the NCA to reconstruct the CASP's activities. For AML purposes, identity verification records must be retained for five years from the end of the customer relationship. Action: Implement compliant record-keeping architecture; confirm storage formats and access controls.

15. Regulatory Notifications and Ongoing Compliance

CASPs must notify their home NCA of any material changes to their business model, management, capital, or ownership within specified timeframes (typically 30 days). Passporting notifications are required before commencing operations in other EU member states. Annual compliance reviews and board-level risk assessments are considered best practice under MiCA. Action: Establish change management procedures; maintain regulatory calendar; conduct annual MiCA compliance gap analysis.

Stablecoin Issuers: EMT vs ART Requirements

MiCA creates two separate regulatory tracks for stablecoins:

E-Money Tokens (EMT)

EMTs are crypto assets that maintain stable value by referencing a single official fiat currency (e.g., a euro stablecoin). EMT issuers must be either an authorized credit institution (bank) or an e-money institution (EMI) under the EU's Electronic Money Directive (EMD2). Key requirements for EMT issuers include:

• E-money institution license or bank license as prerequisite
• 1:1 reserve backing — EMT holders have direct claims on the issuer
• Reserve assets must be held in segregated accounts at credit institutions
• Redemption at par value on request by any holder
• Prohibition on paying interest to EMT holders
• Significant EMTs (over €5B average outstanding value or 10M transactions/day) face additional requirements and ECB oversight

Asset-Referenced Tokens (ART)

ARTs are crypto assets referencing other assets — multiple currencies, commodities, or crypto assets (e.g., a basket-backed stablecoin). ART issuers face the most demanding MiCA requirements:

• Dedicated ART authorization from home NCA (not simply an existing financial license)
• Minimum own funds: €350,000 or 2% of average reserve assets (whichever is higher)
• Reserve asset composition rules and segregation requirements
• Independent audit of reserve assets at least annually
• Liquidity management policy for the reserve portfolio
• Significant ARTs (same thresholds as EMTs) face direct ECB oversight

CASP Authorization Process Under MiCA

Obtaining MiCA CASP authorization is a structured regulatory process. The typical timeline and steps are:

1. Jurisdiction selection (1-2 months): Choose EU member state based on regulatory environment, NCA processing times, and business considerations
2. Legal entity establishment (1-2 months): Incorporate EU subsidiary; appoint directors; open bank accounts
3. Compliance infrastructure build (3-4 months): Implement AML systems, custody architecture, IT security controls, governance policies
4. Application preparation (2-3 months): Draft comprehensive application dossier (business plan, financial projections, compliance policies, management CVs, IT security assessment)
5. NCA submission and review (3-6 months): Submit application; respond to NCA queries; possible interview of management
6. Authorization granted: Receive MiCA CASP authorization; activate passporting to other EU states as required

End-to-end timeline from initial planning to authorization: typically 9 to 14 months for a well-prepared applicant. Poorly prepared applications face significant delays.

Turkey-EU Bridge: How Turkish Companies Enter the EU Market

Turkish crypto companies are uniquely positioned to enter the EU market under MiCA. Turkey's SPK CASP registration framework, introduced under Law No. 7518 in 2024, shares significant structural overlap with MiCA's requirements in areas including AML/CFT, governance, capital adequacy, and customer protection.

Companies that have invested in robust compliance infrastructure for Turkish SPK registration have a strong head start on MiCA compliance. The key elements that translate directly include:

• AML program: Turkish MASAK-compliant AML programs closely mirror EU AML requirements
• KYC infrastructure: Identity verification systems built for Turkish compliance readily meet MiCA's CDD requirements
• Governance documentation: Management fit-and-proper procedures are structurally similar
• Technology infrastructure: Compliant exchange and custody systems can be adapted for EU operation

The recommended market entry strategy for Turkish companies:

1. Ensure Turkish SPK CASP registration is in place and compliance infrastructure is mature
2. Establish EU subsidiary in a MiCA-friendly jurisdiction (Estonia is popular for its digital-first approach and efficient NCA)
3. Conduct MiCA gap analysis identifying delta between Turkish and EU requirements
4. Build out EU-specific compliance elements (white papers if issuing tokens, EU record-keeping formats, ESMA reporting)
5. Submit MiCA CASP authorization application
6. Upon authorization, activate EU passporting to reach all 27 member states

io40's Turkey-EU dual licensing service handles this entire process, leveraging our Turkish regulatory expertise and our Tallinn office to deliver integrated compliance across both jurisdictions. See our MiCA compliance service page and VASP license service for details.

io40 MiCA Consulting Services

io40 provides end-to-end MiCA compliance and licensing services tailored to the needs of crypto companies at every stage of EU market entry:

• MiCA Readiness Assessment: Gap analysis comparing your current compliance infrastructure against MiCA requirements, with prioritized remediation roadmap
• EU Subsidiary Setup: Legal incorporation, director appointment, banking relationships, and substance establishment in your chosen EU jurisdiction
• Compliance Infrastructure: AML system deployment, custody architecture design, IT security assessment, governance policy drafting
• Authorization Application: End-to-end preparation and submission of CASP authorization application; management of NCA dialogue
• Passporting: Notifications and procedures for extending authorized activities across EU member states
• Ongoing Compliance: Regulatory reporting, annual compliance reviews, management of regulatory change

Our Tallinn office provides direct access to the Estonian Financial Supervision Authority (Finantsinspektsioon), one of Europe's most digitally progressive financial regulators. Combined with our Istanbul headquarters' SPK expertise, io40 is uniquely positioned to deliver dual Turkish-EU compliance programs.

FAQ: MiCA Compliance 2025

Q: What is the MiCA regulation?
MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the EU's comprehensive regulatory framework for crypto assets that became fully applicable on December 30, 2024. It covers crypto asset issuance, stablecoin issuers (EMT and ART), and crypto asset service providers (CASPs) with unified rules across all EU member states.

Q: Who needs MiCA compliance?
Any company that issues crypto assets to EU investors or provides crypto asset services (exchange, custody, transfer, brokerage, portfolio management, advice) to EU customers needs MiCA compliance. This includes companies based outside the EU that actively market to EU residents.

Q: What are the MiCA capital requirements?
MiCA capital requirements are tiered: Class 1 (custody, transfer) requires €50,000; Class 2 (exchange, portfolio management) requires €125,000; Class 3 (all services) requires €150,000. Stablecoin issuers face separate, higher requirements (€350,000 or 2% of reserves for ART issuers).

Q: Can Turkish companies enter the EU crypto market under MiCA?
Yes. Turkish companies can establish an EU subsidiary and obtain MiCA CASP authorization. Turkish regulatory experience with SPK CASP registration provides a strong compliance foundation. io40 provides end-to-end guidance for this dual-jurisdiction strategy.

Q: How long does MiCA authorization take?
MiCA CASP authorization typically takes 9 to 14 months end-to-end, including pre-application preparation (3-6 months) and the formal authorization process (3-6 months after submission). io40 targets the shorter end of this range for well-prepared applicants.