Since 1 July, the question asked by millions of European cryptocurrency users is no longer "What is MiCA?" , but something much more practical: Does my exchange really perform, or just seem so? The transitional regime that allowed for old national registries to operate has ended definitively in all 27 member states, and the number of platforms that have achieved full authorisation as a CASP (Crypto Asset Service Provider) remains surprisingly low: only a dozen and a half exchanges have the license allowing them to operate a real trading platform with custody of funds, compared to hundreds that previously operated under disparate national records.
This leaves many people with reasonable doubt: when an exchange says "we are regulated by MiCA," what exactly does that mean? What does a company have to prove to earn that seal? This article breaks down, step by step, the real requirements, leaving aside marketing, that an exchange needs to meet in order to operate legally in the European Union.
1. Have the correct CASP license (and not any license)
The first thing to understand is that "MiCA license" is not a single label. The regulation groups crypto-asset services into three prudential classes, each requiring a different minimum capital:
- Class 1: advice, order receipt and transmission. Minimum capital: €50,000. Does not include exchange and custody.
- Class 2: adds exchange of crypto for fiat money or other cryptoassets, order execution and placement. Minimum capital: €125,000.
- Class 3: adds custody and management of crypto assets on behalf of clients. Minimum capital: €150,000.
Here’s the nuance that confuses users the most: an exchange that allows its users to keep balance after trading is already in custody, even if it doesn’t call it that on their website. In practice, almost any centralized trading platform with the usual model of depositing, trading, and withdrawing at will requires a Class 3 license from day one, regardless of whether it charges specific fees to hold funds.
This explains why the number of exchanges actually authorized to operate a custodial trading platform is so small: out of over 200 CASP registered in the EU, only a minority has the Class 3 license that really covers the business model used by most retail traders. The rest are advisers, uncustodianed brokers or niche intermediaries.
2. Real equity, not working capital
The minimum capital is not a symbolic number that is declared in writing and forgotten. MiCA requires that continuing equity be permanently held as the higher of two digits: the minimum of its class, or one-quarter of the previous year’s fixed overhead expenses. In other words, the larger and more expensive the platform to trade, the more capital has to be immobilized, even if it exceeds the initial threshold by far.
In addition, that capital must be separate from customer money and the business’s operating treasury. It’s not worth mixing it with the funds that the company uses to pay payroll or marketing. This is precisely the kind of mix of funds that caused FTX to fall in 2022, something MiCA tries to make structurally impossible in Europe by requiring asset segregation at all times.
3. Segregation and safekeeping of client funds
This is probably the most symbolic requirement following the collapse of several exchanges in recent years. An authorized CASP must meet the following:
- Keep crypto assets and customer money separate from the company’s own assets, at all times without exception.
- Have a documented safekeeping policy: use of cold storage and hot wallets, multiple signature or MPC procedures, key generation ceremonies, and a disaster recovery plan.
- Be able to return funds to clients in the event of insolvency without those assets forming part of the company’s bankruptcy estate.
In other words: if an exchange goes bankrupt and is properly authorized under MiCA, your funds should not disappear in the process, as they should be legally isolated from the company’s assets. That’s the bottom difference between a licensed exchange and one that isn’t.
4. Governance and responsible individuals
MiCA does not settle for nice corporate paperwork. Articles governing governance require the board to have "good standing" and "appropriate knowledge, skills, and experience" for the complexity of the business it leads. In practice, this means:
- At least an executive director with effective residency in the European Economic Area who actually works from there, as traveling to meetings occasionally is not enough.
- A compliance officer dedicated to this function, without sharing it with another position or between different entities within the group. The cost of this figure is between 80,000 and 120,000 euros per year, and it must be contracted from the moment the application is submitted.
- Fit and proper cards for all senior positions, which are reviewed by the authorities on an individual basis.
5. KYC, AML and the Travel Rule
No exchange can operate under MiCA without a serious money laundering (AML) prevention and customer knowledge(KYC) program. This includes the following:
- Identity verification mandatory from the first euro traded with no small-amount exemption thresholds.
- Compliance with the Travel Rule under Regulation (EU) 2023/1113, which requires transfers of crypto assets to be accompanied by information about the payer and payee, as is the case for traditional bank transfers.
- Once authorized, the CASP automatically becomes a obligated entity under European anti-money laundering rules, with ongoing monitoring of suspicious transactions.
6. Technological resilience under DORA
Here another European regulation that overlaps with MiCA comes into play: DORA (Digital Operational Resilience Regulation). A licensed exchange must demonstrate the following:
- A documented record of all critical technology outsourcing including cloud hosting providers (AWS, Google Cloud), KYC providers, data on chain providers and custody services such as Fireblocks.
- Formal due diligence on each of these suppliers, with audit rights included in the contracts.
- A written exit plan for each critical dependency: if the exchange can’t explain how it would migrate from AWS to another provider if necessary, don’t pass the risk concentration assessment required by DORA.
- Incident management, access control and auditable logs as operational evidence, not just as policy on paper.
7. Transparency, market conduct and user protection
Beyond solvency and technology, MiCA imposes rules of behavior that seek to protect the retail user directly:
- Clear risk information before a client trades, including a non-technical summary of the risks of the crypto asset in question.
- Prohibition of market abuse practices: insider dealing, manipulating the order book, front running client orders themselves.
- Order flow payment ban that harms the customer’s optimal execution.
- A formalized and accessible complaints procedure with defined response times.
- For platforms that offer stablecoins, proof of reserves mechanisms are especially relevant following the challenges faced by several stablecoins in recent years.
8. The European passport: one licence, 27 markets
One of the things that users are often surprised by is that you don’t have to apply for a license in every country. A CASP authorized by any competent national authority, such as the CNMV in Spain, the BaFin in Germany, the AMF in France, the MFSA in Malta, or the FMA in Austria, automatically obtains the right to "passport" to provide services in all 27 Member States through simple notification, without having to initiate a separate authorisation process in each market.
This explains why major international exchanges have chosen very specific entry points: Malta has become the favorite home of large platforms like OKX or Crypto.com, Luxembourg has attracted global brands looking for fast passport, such as Coinbase or Bitstamp, Austria concentrates the European entities of Bybit and KuCoin, and the Netherlands combines payment fintechs with native exchanges like Bitvavo.
9. What MiCA doesn’t require (and why it matters)
To understand the framework well, it is also important to know what is left out:
- Decentralized exchanges (DEX), such as Uniswap or Curve, do not need a CASP license because they don’t hold third-party funds, since the user always retains control of their private keys.
- There is no equivalence regime for third countries. A company headquartered outside the EU cannot simply "recognize" its foreign license: it has to establish a physical subsidiary in a member state, with an actual resident director and a full CASP authorization from scratch.
- MiCA also does not regulate the tokenized financial instruments that already fall under MiFID II, to avoid regulatory overlaps.
10. Who really got the license (July 2026)
All of the above is theory. In practice, this is the list of exchanges that currently have confirmed MiCA authorization, with the date they obtained it and the country that acted as the competent authority. It’s a good exercise to see how many of the exchanges you’re likely to use appear here, and how many aren’t:
| # | Exchange | License | Headquarters |
|---|---|---|---|
| 01 | jun 2024 | Luxembourg | |
| 02 | jul 2024 | Luxembourg | |
| 03 | sep 2024 | Ireland | |
| 04 | dec 2024 | Netherlands | |
| 05 | dec 2024 | Malta | |
| 06 | dec 2024 | Malta | |
| 07 | dec 2024 | Finland | |
| 08 | jan 2025 | Netherlands | |
| 09 | jan 2025 | Netherlands | |
| 10 | jan 2025 | Austria | |
| 11 | jan 2025 | Malta | |
| 12 | jan 2025 | Sweden | |
| 13 | feb 2025 | Ireland | |
| 14 | mar 2025 | Germany | |
| 15 | apr 2025 | Malta | |
| 16 | may 2025 | Austria | |
| 17 | jun 2025 | Austria | |
| 18 | jun 2025 | Malta | |
| 19 | jul 2025 | Spain | |
| 20 | jul 2025 | Netherlands | |
| 21 | oct 2025 | Netherlands | |
| 22 | jun 2026 | Switzerland | |
| 23 | jun 2026 | Austria |
A pattern is obvious: Malta, Luxembourg, Austria, and the Netherlands concentrate most of the authorizations thanks to national authorities that have been especially agile in handling MiCA files. It should also be noted that several of these global brands operate in Europe through a European entity separate from their parent company (Bybit EU, KuCoin EU, Gate.io EU, Bitget EU), reinforcing the idea that the European passport is built from within the EU, and not by recognition of foreign licenses.
11. What if an exchange operates without meeting these requirements
The short answer is that nothing good, neither for the company nor for the user. Operating without a permit after July 1, 2026 is a direct violation of EU law, not an exploitable gap. Penalties can range from 5 to 15 million euros, or up to 12.5% of the company’s global turnover, depending on country and severity. Several national authorities, including the Spanish CNMV and the French AMF, have already publicly warned specific platforms about the obligation to comply before the deadline.
For the user, the practical risk is different but equally real: if the exchange you use never came to have the segregation of funds, the audited custody or the continuity plans that MiCA requires, your crypto assets could get stuck or lost in the event of operational problems or insolvency, exactly the scenario that regulation aims to avoid.
