What the ESMA Statement Is — and What Legal Force It Carries
On 23 June 2026 — eight days before the EU-wide MiCA transitional period expired — ESMA published a public statement (ESMA75-113276571-1710) setting out its expectations for crypto-asset service providers that had not secured authorisation under Regulation (EU) 2023/1114. The statement followed an earlier ESMA communication from April 2026 and was coordinated across national competent authorities (NCAs). It is addressed simultaneously to unauthorised CASPs, to authorised CASPs that might receive migrating clients, and to retail investors.
A public statement sits in ESMA's supervisory convergence toolkit alongside Q&As and opinions. It is not a directly binding legal act and does not itself create new legal obligations. The hard legal prohibition on operating without authorisation flows from Article 59 of MiCA — a pre-existing norm that the statement does not create but articulates expectations around. ESMA uses the language of expectation deliberately: it expects unauthorised firms to take immediate steps, and it expects NCAs to act consistently on that basis. That framing matters. Firms that treat the statement as merely advisory misread the supervisory dynamic: NCAs across the EU are expected to use it as a coordinated signal, meaning enforcement action in any Member State after 1 July 2026 is not a question of if but of sequencing and priority.
The practical consequence is this: the statement creates heightened enforcement risk from the date of publication onward, because it puts every NCA on notice that ESMA considers continued unauthorised provision incompatible with an orderly wind-down. That is different from saying the statement is itself self-executing law. Firms that ignored both the April and June 2026 statements have now exhausted any supervisory goodwill and face the full force of MiCA's sanctions framework applied through their national regulator — with no transitional cover remaining.
The Hard Legal Line: Article 59 MiCA and the End of the Grandfathering Window
Article 59 of MiCA is the norm at stake. It requires any legal or natural person providing crypto-asset services in the EU to be authorised by the competent authority of its home Member State. This is the provision that unauthorised operation violates. Article 62 and Article 63 are procedural: they govern the content of an authorisation application and the assessment process respectively — they are not the source of the prohibition itself. The authorisation application content RTS is further specified in Commission Delegated Regulation (EU) 2025/305. That distinction matters for how enforcement decisions will be framed and how firms should characterise any remediation steps taken.
Article 143(3) of MiCA provided the only lawful basis to operate without fresh authorisation during the transitional window. It allowed firms already providing crypto-asset services under national law before 30 December 2024 to continue until 1 July 2026, or until a decision on their authorisation application was granted or refused — whichever came first. From 1 July 2026, that derogation is exhausted EU-wide. There is no residual national discretion to extend it. As footnote 2 of ESMA's statement makes explicit, the prohibition applies irrespective of whether a given Member State has fully aligned its national law to MiCA: gaps in national implementation do not create a lawful operating space for unauthorised CASPs.
Member States were entitled to shorten the transitional window, and several did. Germany, Ireland, the Netherlands, and Poland applied windows of six to twelve months, meaning firms in those jurisdictions lost transitional cover well before 1 July 2026. Other Member States — including France — ran the full 18-month period. Firms operating cross-border should note that the shortest applicable national window governs their exposure in each jurisdiction, not the EU-wide outer limit. Any firm that has not confirmed the applicable cut-off in every Member State where it has actively provided services should treat that gap as an immediate compliance priority.
Client Communication Requirements: What You Must Tell Clients and When
ESMA's 23 June 2026 statement makes clear that client communication is not a courtesy — it is a compliance obligation. Unauthorised CASPs must notify clients clearly, promptly and repeatedly about three things: the wind-down plan itself, the deadline by which residual positions will be closed automatically if clients have not acted, and — critically — whether clients benefit from any MiCA-mandated protections. For clients of unauthorised CASPs, the honest answer to that last point is no. MiCA's client-asset safeguarding rules, complaint-handling requirements and best-execution obligations apply only to authorised CASPs. Clients must be told this explicitly; omitting it is not a neutral choice.
The two exit pathways that must be communicated are transfer to a MiCA-authorised CASP or withdrawal to a self-hosted wallet. Both require advance written notice with a firm deadline. Where a client is transferred to an authorised receiving CASP, that receiving firm must conduct its own full onboarding procedure — including customer due diligence and Regulation (EU) 2023/1113 Travel Rule checks — before accepting the transfer. This burden falls entirely on the receiving CASP, but the outgoing firm must factor this timeline into how much notice it gives clients. Transfers cannot be treated as instantaneous handoffs.
On the practical drafting side, a single email is not sufficient. Communications should go out across multiple channels — email, in-app notification, push alert — at multiple touchpoints as the deadline approaches. For EU retail clients, communications must be in the client's language. Every message must state the cut-off date unambiguously. Firms that have already made common deadline errors by underestimating the notice period required should treat ESMA's statement as the floor, not the ceiling. Document every communication and every client response; regulators will ask for this record if enforcement follows.
AML/CFT Obligations Do Not Pause During Wind-Down
There is no AML/CFT holiday during wind-down. The full compliance stack remains active from the moment a CASP decides to cease EU services until the last client record is closed and stored. That means continuous customer due diligence, ongoing transaction monitoring, real-time screening against EU restrictive measures and sanctions lists, filing of suspicious transaction reports where thresholds are met, and retention of records in line with applicable national transpositions of Directive (EU) 2015/849 as amended. None of these obligations are suspended by the fact that a firm is no longer onboarding new clients or has submitted a wind-down plan to its NCA.
Wind-down activity is, by its nature, high-risk from an AML/CFT perspective. Mass client withdrawals, large-value bulk transfers to third-party wallets or receiving CASPs, and accelerated asset movements are precisely the transaction profiles that trigger enhanced due diligence thresholds and heightened monitoring requirements. Firms that treat a winding-down period as a reduced-scrutiny environment are making an error that will be visible in their transaction data. Where client assets are being transferred to an authorised CASP, Regulation (EU) 2023/1113 — the Transfer of Funds Regulation as extended to crypto-assets — requires that originator and beneficiary information travel with the transfer. The outgoing firm must supply this data accurately and completely; the receiving CASP must verify it.
ESMA's statement explicitly requires that wind-down arrangements be implemented in compliance with all relevant EU and national conduct-of-business laws and AML/CFT obligations. Firms should also be aware that DORA obligations on ICT risk management do not disappear during wind-down either — operational resilience requirements remain in force for as long as the firm is processing transactions. The practical takeaway: staff your compliance function through the full wind-down period, do not redeploy or reduce it the moment a closure decision is made. Regulators have been explicit that cutting compliance resource ahead of formal closure is itself a conduct risk.
Frequently asked questions
Which MiCA article requires CASPs to be authorised — and which articles govern how to apply?
Article 59 of MiCA requires that any entity providing crypto-asset services in the EU must hold an authorisation from its home Member State's competent authority. This is the norm that unauthorised operation violates. Articles 62 and 63 are separate provisions governing the content and procedure of an authorisation application — they do not create the underlying obligation. Operating without authorisation from 1 July 2026 is a breach of Article 59.
Does the ESMA 23 June 2026 public statement itself create binding legal obligations?
No — a public statement is a supervisory convergence instrument, not a directly binding legislative act. The legally binding prohibition on providing crypto-asset services without authorisation flows from Article 59 of MiCA itself, which has applied since 30 December 2024 (with transitional relief under Art. 143(3) running until 1 July 2026). However, the statement creates strong supervisory expectations that NCAs are expected to act upon. Firms that ignore it face heightened enforcement risk, as ESMA and NCAs have confirmed they will coordinate action against non-compliant operators.
Can an unauthorised CASP continue to hold client crypto-assets after 1 July 2026?
Only to the limited extent strictly necessary to complete an orderly exit. ESMA's statement makes clear that custody of clients' crypto-assets may continue solely for the period required to transfer those assets to a MiCA-authorised CASP or to the client's self-hosted wallet. Any continuation of custody beyond what is strictly necessary for exit would be inconsistent with orderly wind-down and could attract NCA enforcement action.
What administrative penalties can NCAs impose on CASPs operating without authorisation after 1 July 2026?
Under Articles 111–115 of MiCA, NCAs can impose a graduated administrative penalty structure. For legal persons, fines can reach at least €5,000,000 or a percentage of annual turnover in a 3%–12.5% range — with some secondary sources indicating an upper ceiling of €15 million or 10% of annual turnover (whichever is greater) for certain breaches. For natural persons, the minimum threshold is €700,000. NCAs are also empowered to suspend or prohibit activities and to publish enforcement decisions under Article 114 MiCA. This is not an exhaustive list — national law may provide for additional measures.
Does the prohibition on serving EU clients apply to non-EU CASPs operating from outside the EU?
Yes. ESMA's statement explicitly reminds CASPs established outside the EU that they cannot provide MiCA-regulated services to EU clients or solicit EU clients after the transitional period ends. This applies equally in a business-to-business context — a non-EU firm cannot use a B2B relationship with an EU entity as a route to reach EU clients. Additionally, MiCA prohibits authorised CASPs from outsourcing or delegating certain services, notably custody, to entities that are not themselves authorised as CASPs.
What AML/CFT obligations apply during a CASP wind-down?
All of them. There is no regulatory holiday for AML/CFT during wind-down. CASPs must maintain effective controls throughout the process, including customer due diligence, transaction monitoring, screening against sanctions and restrictive measures lists, suspicious transaction/activity reporting, record-keeping, and compliance with the Travel Rule (Transfer of Funds Regulation) for crypto-asset transfers. Mass withdrawals and large-value asset transfers — typical of wind-down activity — heighten ML/TF risk and may trigger enhanced due diligence thresholds.