What is the difference between hot and cold wallet?

A hot wallet is connected to the internet for frequent transactions; a cold wallet stores assets completely offline in air-gapped hardware or vault-stored HSMs, protecting them from remote attackers.

How does MPC wallet eliminate single points of failure?

MPC wallets distribute key shares across multiple geographically separate nodes. A threshold of nodes must collaborate to sign any transaction, so no single compromised node can authorize transfers or reconstruct the key.

What certifications does io40 custody solution support?

io40 custody architectures support FIPS 140-2 Level 3 (HSM hardware), SOC 2 Type II, ISO 27001, GDPR/KVKK, and DORA-aligned operational resilience controls for MiCA compliance.

Can we integrate with existing exchange infrastructure?

Yes. io40 designs custody integrations connecting with existing exchange engines, OMS platforms, and settlement systems through standardized APIs with policy engine configuration and reconciliation.

What is the recovery process if hardware fails?

For HSM cold storage, recovery uses encrypted key backups in geographically separate facilities under multi-custodian control. For MPC architectures, a new node joins via cryptographic key refresh with no key reconstruction required.

How long does custody infrastructure setup take?

A basic MPC hot wallet integration takes 4-8 weeks. Full institutional custody infrastructure including HSM, key ceremony, cold storage vault, and SOC 2 readiness typically requires 3-6 months.

← Back to Services

MiCA Regulation Compliance — EU Crypto Asset Framework

End-to-end MiCA compliance consulting for crypto-asset service providers, stablecoin issuers, and token issuers targeting EU markets.

What is MiCA? The EU Crypto-Asset Regulatory Framework

The Markets in Crypto-Assets Regulation (MiCA) is the European Union’s landmark comprehensive regulatory framework governing crypto-assets, their issuers, and the service providers that trade, custody, and manage them. Adopted in 2023 and phased into full effect through 2024, MiCA represents the world’s most comprehensive jurisdiction-level crypto regulation, establishing a unified legal framework across all 27 EU member states. Before MiCA, crypto regulation in Europe was fragmented across national regimes — Germany had its own VASP framework, France its PSAN regime, Malta its VFA Act. MiCA replaces this patchwork with a single passport: a CASP authorization in one EU member state allows the holder to provide services across the entire EU without additional national licensing.

MiCA’s regulatory scope covers three categories of crypto-assets: Asset-Referenced Tokens (ARTs), which are stablecoins backed by baskets of assets or currencies; Electronic Money Tokens (EMTs), which are stablecoins backed by a single fiat currency; and a broad “other crypto-assets” category covering utility tokens, governance tokens, and most other non-security crypto-assets. Security tokens that qualify as financial instruments under MiFID II remain outside MiCA’s scope and are governed by existing securities regulation.

The timeline for MiCA implementation: rules for ARTs and EMTs took effect in June 2024; rules for CASPs (Crypto-Asset Service Providers) and utility tokens took effect in December 2024. This means that as of the beginning of 2025, all entities providing crypto-asset services to EU residents — whether headquartered inside or outside the EU — are subject to MiCA’s requirements.

Who Needs MiCA Compliance?

MiCA applies to a broad range of entities operating in or targeting European crypto markets.

Crypto-Asset Service Providers (CASPs)

Any entity providing crypto-asset services to EU residents must obtain CASP authorization under MiCA. Covered services include: operation of a trading platform for crypto-assets; exchange of crypto-assets for funds or other crypto-assets; execution of orders on behalf of clients; placing of crypto-assets; reception and transmission of orders; providing advice on crypto-assets; portfolio management of crypto-assets; and custody and administration of crypto-assets on behalf of clients. Each service category has specific capital requirements, governance requirements, and operational standards. io40 helps companies identify which service categories they fall under, determine the appropriate authorization pathway, and build the compliance infrastructure required to qualify for and maintain CASP authorization.

Stablecoin Issuers (EMT & ART)

Issuers of Electronic Money Tokens (EMTs) — stablecoins pegged to a single fiat currency — must be authorized either as a credit institution or as an electronic money institution (EMI) under existing EU financial law, in addition to complying with MiCA’s specific EMT requirements. Issuers of Asset-Referenced Tokens (ARTs) — stablecoins backed by baskets of assets — must obtain a specific ART issuer authorization from a competent national authority. Both EMT and ART issuers face requirements including minimum own funds (capital), reserve asset management rules, robust governance arrangements, a MiCA-compliant whitepaper, and ongoing reporting to regulators. Significant EMT and ART issuers (with more than 10 million token holders or 5 billion EUR in circulation) face enhanced supervision directly by the European Banking Authority (EBA).

Utility Token & Other Crypto-Asset Issuers

Issuers of utility tokens and other crypto-assets (that are neither ARTs, EMTs, nor financial instruments) must publish a MiCA-compliant crypto-asset whitepaper before any public offering or admission to trading on an EU platform. The whitepaper must be notified to the competent national authority of the member state where the issuer is established and must contain detailed disclosures covering the issuer, the project, the technology, the rights and obligations attached to the token, the associated risks, and the token economics. Issuers are liable for any loss suffered by investors due to a whitepaper that does not meet MiCA requirements, including misleading or omitted information. io40 assists issuers in drafting MiCA-compliant whitepapers, conducting legal review, and managing the notification process with competent authorities.

Key MiCA Requirements

Capital, governance, AML, whitepaper, and operational obligations for regulated entities.

Capital Requirements & Own Funds

MiCA establishes minimum capital requirements that vary by service category. CASPs providing only advice or order reception/transmission must maintain a minimum of €50,000 in own funds. CASPs operating trading platforms, providing custody, or executing orders face higher requirements of €125,000 to €150,000. These minimums must be maintained at all times and CASPs must have contingency plans for the orderly wind-down of operations if they fall below required thresholds. ART issuers must maintain own funds of at least 2% of the average amount of reserve assets, subject to a floor of €350,000. EMT issuers must maintain own funds equal to the higher of €350,000 or 2% of average outstanding EMTs. Reserve assets backing ARTs and EMTs must be legally segregated from the issuer’s own assets, held in custody, and managed according to strict investment rules designed to ensure liquidity and capital preservation. io40 advises on capital structuring, reserve asset management frameworks, and regulatory capital monitoring systems.

Governance, AML & Market Integrity

MiCA imposes comprehensive governance requirements on CASPs and issuers: management body members must demonstrate fitness and propriety (good repute and sufficient knowledge, skills, and experience), shareholders with qualifying holdings must be assessed for suitability, and entities must have robust internal controls, risk management frameworks, and remuneration policies. Anti-money laundering (AML) compliance is addressed through MiCA’s interaction with the EU’s Transfer of Funds Regulation (TFR, also known as the “travel rule”), which requires CASPs to collect and transmit originator and beneficiary information with crypto-asset transfers, and with the 6th Anti-Money Laundering Directive (6AMLD). CASPs must implement transaction monitoring systems, KYC/CDD programs, suspicious activity reporting, and record-keeping obligations aligned with FATF standards. Market integrity provisions prohibit insider trading, market manipulation, and unlawful disclosure of inside information in the crypto-asset market — mirroring equivalent provisions in the EU’s Market Abuse Regulation (MAR) for traditional securities. io40 designs and implements AML programs, governance frameworks, and market integrity compliance policies tailored to MiCA requirements.

MiCA vs National Regulations: Turkey VASP Comparison

Understanding how MiCA relates to Turkey’s domestic VASP regulatory framework.

Turkey VASP Framework

Turkey introduced its Virtual Asset Service Provider (VASP) regulatory framework through amendments to the Financial Crimes Investigation Board (MASAK) regulations, effective from 2021. Turkish VASPs must register with MASAK, implement comprehensive AML/CFT programs, conduct KYC on customers, monitor transactions, report suspicious activities, and comply with data retention requirements. The Capital Markets Board of Turkey (SPK) subsequently extended its jurisdiction to crypto-asset platforms, requiring crypto exchanges operating in Turkey to obtain SPK authorization to continue operating. Turkish regulation is primarily focused on AML compliance and consumer protection for domestic markets. It does not establish an EU-style passporting framework, meaning Turkish companies must obtain separate authorizations for each jurisdiction they wish to operate in. For Turkish crypto companies seeking to expand into European markets, MiCA represents both a compliance challenge and a significant commercial opportunity: a single MiCA CASP authorization in one EU member state unlocks access to the entire EU single market of 450 million consumers.

Dual Compliance Strategy

Turkish crypto companies targeting both domestic and EU markets face the need to maintain compliance with both Turkish VASP regulations and MiCA simultaneously. While the two frameworks share common ground in AML/KYC requirements — both drawing from FATF recommendations — MiCA imposes significantly more extensive requirements in areas including capital adequacy, governance, whitepaper disclosure, custody infrastructure, and market integrity. io40 designs dual-framework compliance programs that efficiently address both Turkish and EU regulatory requirements, identifying shared controls that can satisfy both regimes and isolating the incremental requirements specific to each. This approach minimizes the total compliance burden and allows companies to maintain a single integrated compliance function rather than operating separate domestic and international compliance programs. Key areas of overlap include customer due diligence, transaction monitoring, record-keeping, and management body fitness assessments. Areas requiring EU-specific investment include MiCA whitepaper preparation, EU capital structure, DORA-aligned operational resilience, and EU travel rule compliance systems.

Our MiCA Consulting Services

From gap analysis to CASP authorization and ongoing compliance maintenance.

MiCA Gap Analysis

io40’s MiCA gap analysis is a structured assessment of your current business model, operations, technology infrastructure, and compliance program against all applicable MiCA requirements. The gap analysis identifies which MiCA provisions apply to your specific activities, documents current controls and their alignment with MiCA obligations, and produces a prioritized remediation roadmap with estimated effort, timelines, and cost ranges. The output is a board-ready report that can also be shared with prospective investors or partners as evidence of regulatory preparedness. A MiCA gap analysis typically takes 2-4 weeks and serves as the foundation for all subsequent compliance implementation work.

CASP Authorization Support

Obtaining CASP authorization under MiCA requires preparing and submitting a comprehensive application package to a competent national authority (e.g., BaFin in Germany, AFM in the Netherlands, AMF in France). The application must include: a description of the applicant’s program of operations; a business plan; proof of initial capital requirements; a description of governance arrangements; a description of internal control mechanisms, risk management procedures, and AML/CFT procedures; a description of ICT systems and security protocols; descriptions of policies for safeguarding client assets; and fitness and propriety assessments for management body members. io40 prepares the full application package, working alongside local legal counsel to ensure jurisdiction-specific requirements are met, and manages the regulatory dialogue during the authorization review process.

Ongoing MiCA Compliance

MiCA compliance is not a one-time project but a continuous operational obligation. CASPs must maintain all authorization conditions on an ongoing basis, update their policies and procedures as regulations evolve, comply with new ESMA and EBA technical standards as they are published, submit regular regulatory reports, notify their competent authority of material changes to their business, and maintain evidence of ongoing compliance for supervisory inspection. io40 provides a MiCA compliance retainer service that includes: regulatory monitoring and updates when relevant ESMA/EBA publications are issued; quarterly compliance reviews; annual policy and procedure refresh; regulatory reporting preparation; and responsive compliance advice on new business initiatives or product launches.

Frequently Asked Questions

What is MiCA regulation? ▼

MiCA (Markets in Crypto-Assets Regulation) is the EU’s comprehensive regulatory framework for crypto-asset service providers and issuers. It covers CASPs, stablecoin issuers (ARTs and EMTs), and utility token issuers, establishing uniform rules across all 27 EU member states. CASPs must be authorized under MiCA to provide services to EU residents; authorized entities receive a single EU passport valid across the entire single market.

Who needs MiCA compliance? ▼

Any entity providing crypto-asset services (exchange, custody, portfolio management, trading platform, advisory) to EU residents, regardless of where the company is incorporated. Stablecoin issuers (EMT/ART) and token issuers conducting public offerings in the EU are also subject to MiCA. Turkish companies targeting EU customers need MiCA compliance even if they operate from outside the EU.

What is a CASP under MiCA? ▼

A CASP (Crypto-Asset Service Provider) is any entity providing one or more of the following services: operation of a trading platform, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, providing advice, portfolio management, or custody and administration of crypto-assets on behalf of clients. Each service category has specific authorization requirements under MiCA.

Does MiCA affect companies outside the EU? ▼

Yes. MiCA applies to any company providing crypto-asset services to EU residents, regardless of where the company is based or incorporated. Third-country entities providing services to EU customers on a reverse solicitation basis face strict limitations; in practice, companies actively marketing to EU customers must seek MiCA authorization. For Turkish crypto companies, establishing an EU subsidiary to obtain MiCA authorization is typically the clearest path to accessing EU markets compliantly.

What is the MiCA whitepaper requirement? ▼

Token and stablecoin issuers must publish a detailed MiCA-compliant whitepaper before any public offering or admission to trading. The whitepaper must cover: the issuer and its projects; the token’s features, rights, and obligations; the underlying technology; the risks associated with the issuer, token, and project; and the token economics including issuance, distribution, and redemption terms. The whitepaper must be notified to (and for ARTs, approved by) the relevant competent authority and issuers are liable for losses caused by non-compliant or misleading whitepapers.

How long does MiCA compliance take? ▼

A MiCA gap analysis takes 2-4 weeks. Full CASP authorization preparation — including policy development, AML program design, governance framework, whitepaper (if applicable), regulatory capital structuring, and the formal application submission — typically takes 3-9 months depending on the jurisdiction and the complexity of the business. Regulatory review periods by competent authorities add additional time on top of preparation.

Which EU member state is best for CASP authorization? ▼

Germany (BaFin), Luxembourg, Lithuania, and Malta are popular CASP licensing jurisdictions due to established crypto regulatory frameworks, efficient review processes, and experienced competent authorities. Germany offers the advantage of the largest EU market and strong institutional credibility; Lithuania offers a streamlined process and competitive operational costs; Malta has deep historical experience with crypto licensing. io40 advises on jurisdiction selection based on your specific business model, target markets, and operational preferences.

Can io40 represent us in regulatory submissions? ▼

io40 provides full documentation preparation, regulatory gap analysis, application package assembly, and coordination support for CASP authorization submissions. We work alongside local legal counsel in the chosen EU jurisdiction who provides formal legal representation to the competent authority. io40’s role is to prepare the technical compliance documentation, design the required frameworks and policies, and manage the project timeline to ensure a complete, high-quality application is submitted on schedule.

Ready to Start Your MiCA Compliance Journey?

Whether you are building a new CASP, issuing a token, or launching a stablecoin in the EU, io40 provides the expertise to navigate MiCA efficiently. Contact us for a free initial consultation.

Contact