When the European Council adopted MiCA in 2022, the crypto industry’s reaction was split between those who welcomed regulatory clarity and those who predicted that comprehensive regulation would drive innovation out of Europe. Three years later, the regulation is fully applicable, the transitional periods are closing, and we have enough real-world data to assess which camp was right.
The answer, as it often is with regulation, is both — and neither.
MiCA has done something that no previous regulatory framework achieved: it has created a single, comprehensive set of rules for crypto-asset service providers across 27 EU member states, with a single licensing mechanism (the CASP authorisation) that enables passporting across the entire bloc. Over 90 firms have been authorised as CASPs under MiCA. The number of registered VASPs in the EU has risen by 47%. Non-compliant exchanges have seen a 40% decline in EU-based users. Crypto-related scam reports have dropped by an estimated 58%.
These are real achievements. For the first time, a European crypto user can verify whether the exchange they are using is licensed, can rely on mandatory asset segregation and complaint-handling procedures, and can access transparent risk disclosures. The regulatory baseline that existed before MiCA — a patchwork of national registrations, most of which required little more than a form submission and a criminal background check — has been replaced by something meaningfully more robust.
But implementation has revealed friction, gaps, and unintended consequences that the regulation’s designers did not fully anticipate — and that the crypto industry, regulators, and users are now navigating in real time.
What MiCA actually changes
The most visible impact has been on stablecoins. MiCA’s stablecoin provisions — which became applicable in June 2024, six months before the full CASP regime — require that e-money tokens (EMTs) be issued by authorised credit institutions or electronic money institutions, maintain 100% reserve backing in liquid assets, provide redemption at par value, and submit to prudential supervision.
These requirements effectively excluded algorithmic stablecoins from the EU market. They also created compliance challenges for Tether’s USDT, which — as of early 2025 — had not obtained the required e-money authorisation in any EU jurisdiction. Multiple exchanges, including Coinbase Europe, delisted USDT for EU customers, redirecting trading volume toward MiCA-compliant alternatives. Circle’s EURC, which obtained electronic money institution authorisation in France, captured approximately 41% of the euro stablecoin market capitalisation — up from 17% a year earlier — filling the vacuum left by non-compliant competitors.
This is MiCA working as intended: a regulatory framework that sets a standard, forces non-compliant products out of the market, and rewards early compliance with market share. Whether the resulting market concentration — a small number of authorised issuers dominating euro-denominated stablecoins — is a feature or a bug depends on your perspective.
The second major change is the CASP licensing regime itself. Under MiCA, any entity providing crypto-asset services in the EU must obtain authorisation from a national competent authority. The authorisation requirements include governance standards, capital requirements, operational resilience measures, conflict-of-interest policies, and — critically — AML/KYC compliance obligations that are integrated into the licensing process rather than treated as a separate regulatory layer.
The passporting mechanism is the most consequential practical innovation. A CASP authorised in one EU member state can provide services across all 27 — without obtaining separate licences in each country. This eliminates the jurisdiction-shopping incentive that characterised the pre-MiCA landscape, where exchanges would register in the most permissive jurisdiction (often Estonia or Lithuania) and serve customers across Europe under a minimal-oversight regime.
The third change is the white paper requirement. Issuers of crypto-assets that are not EMTs or ARTs must publish a white paper that meets specified disclosure standards — including risk factors, the rights attached to the token, the underlying technology, and the issuer’s financial position. This is the crypto equivalent of a prospectus requirement, and while it does not impose the full rigor of securities registration, it creates a disclosure baseline that did not previously exist.
Where friction has emerged
The dual licensing problem is the most widely cited implementation challenge. MiCA requires CASP authorisation for crypto-asset services. But some crypto-asset services — particularly those involving EMTs — also trigger licensing requirements under the Payment Services Directive (PSD2). The overlap means that some firms need two licences, two compliance frameworks, and two supervisory relationships for what is functionally a single activity.
Industry participants have warned that this overlap increases compliance costs, creates regulatory uncertainty (which regulator takes precedence when obligations conflict?), and may undermine the competitiveness of EU-based euro stablecoins relative to their unregulated equivalents. The European Commission has acknowledged the issue and faces pressure to harmonise the two frameworks.
The DeFi exemption is the most significant gap. MiCA explicitly excludes “fully decentralised” crypto-asset services from its scope. If a protocol operates entirely through smart contracts, with no identifiable legal entity acting as a counterparty, MiCA does not apply. This exclusion was a pragmatic concession — regulating autonomous code is a conceptual challenge that MiCA’s designers chose to defer rather than resolve.
The problem is that “fully decentralised” is a spectrum, not a binary. Many protocols that describe themselves as decentralised have identifiable development teams, governance token holders who control upgrade paths, front-end interfaces hosted by specific companies, and treasury reserves managed by identifiable entities. The line between a regulated CASP and an unregulated DeFi protocol is unclear, and the lack of clear criteria creates both a compliance gap and a regulatory arbitrage opportunity.
Some protocols will genuinely qualify for the exclusion. Others will structure themselves to appear decentralised while retaining functional centralisation — what I have heard compliance lawyers describe as “decentralisation theatre.” MiCA’s successor legislation, expected to address DeFi more directly, will need to navigate this distinction. The companion legislation announced in late 2025 — which reportedly covers lending, borrowing, and staking with a “substance-over-form” approach to decentralisation — suggests the Commission is aware of the problem.
The Travel Rule implementation is another area of emerging friction. MiCA incorporates the EU’s Transfer of Funds Regulation (TFR), which requires CASPs to exchange personal data about senders and recipients for every crypto transfer — the crypto equivalent of the SWIFT messaging requirements for bank wire transfers. The TFR took effect alongside MiCA’s full application in December 2024.
The practical challenge is interoperability. For a CASP in France to exchange Travel Rule data with a CASP in Germany, both must use compatible messaging protocols. The industry has developed multiple competing solutions (TRISA, Notabene, Sygna, and others), and interoperability between them is incomplete. The result is that some cross-CASP transfers are delayed or rejected because the sending and receiving CASPs cannot exchange the required data.
What MiCA does not address
NFTs remain largely outside MiCA’s scope, except where they function as financial instruments or are issued in large, fungible series. The regulatory treatment of NFTs varies by member state, creating continued fragmentation in a market that MiCA was designed to harmonise.
Cross-border enforcement is structurally limited. MiCA creates an EU-internal framework, but the crypto market is global. A non-EU exchange serving EU customers without authorisation is violating MiCA, but enforcing that violation against a company with no EU presence, no EU assets, and no willingness to cooperate requires international cooperation that may or may not materialise. The cases where enforcement is most needed — unlicensed exchanges serving EU retail users from offshore jurisdictions — are precisely the cases where MiCA’s enforcement mechanisms are weakest.
And MiCA does not address the fundamental tension between regulatory compliance and privacy that I explored in my article on the mixer problem. The TFR’s data-sharing requirements, combined with MiCA’s AML obligations, create a crypto environment within the EU that is significantly more surveilled than the pre-regulation baseline. Whether that surveillance is proportionate — given the documented scale of crypto-enabled crime — or excessive — given the legitimate privacy interests of lawful users — is a question that MiCA answers implicitly (surveillance is necessary) rather than explicitly (here is where the line is).
An honest assessment
MiCA is the most comprehensive crypto regulatory framework in the world. It has achieved things that sceptics said were impossible: a unified licensing regime across 27 countries, mandatory reserve requirements for stablecoins, passporting for authorised providers, and a disclosure framework for token issuers. The fact that over 90 firms have been authorised — and that non-compliant exchanges have lost 40% of their EU user base — demonstrates that the framework is operational, not merely aspirational.
It is also imperfect, incomplete, and in some areas actively counterproductive. The dual licensing burden is real. The DeFi exclusion is a gap that will be exploited. The Travel Rule implementation is technically immature. And the framework’s silence on cross-border enforcement means that the worst actors — the ones MiCA is most needed to address — are the ones least likely to be affected by it.
But imperfect regulation that establishes a baseline is better than no regulation and a race to the bottom. MiCA’s value is not that it solves every problem. It is that it creates a framework within which problems can be identified, discussed, and addressed through amendment rather than ignored until the next FTX or Celsius or Terra forces a crisis response.
The rest of the world is watching. The United States, which has spent years debating crypto regulation without producing a comprehensive framework, is now in the position of responding to MiCA rather than setting the standard. Whether that produces better or worse outcomes remains to be seen. But the EU has demonstrated that comprehensive crypto regulation is possible, that the industry does not flee when it is imposed, and that the resulting market — while smaller and more constrained — is also more trustworthy.
For anyone in the financial crime field, the most important development is the integration of AML obligations into the CASP licensing process. Under MiCA, you cannot operate a crypto exchange in the EU without building an AML programme that meets regulatory standards. That is a structural improvement over the pre-MiCA world, where AML requirements existed in theory but were enforced unevenly — if at all — across member states. Whether it will be enough to prevent the next KuCoin or Bitzlato from operating in Europe is the test that lies ahead.