Comply-or-Explain, Not Hard Law: What the Guidelines Actually Bind You To
ESMA's Guidelines on knowledge and competence under MiCA (ESMA35-24871704-2922, published 28 January 2026, applying from 28 July 2026) are not hard EU law. ESMA's own Final Report (ESMA35-1872330276-2380, 11 July 2025) states explicitly that any reference to "requirements" within the guidelines should be read as "guidance." Their legal basis is Article 16 of the ESMA Regulation, which creates a comply-or-explain mechanism — not a directly applicable legislative obligation. The practical consequence is significant: the guidelines do not amend or override Regulation (EU) 2023/1114, and a breach of the guidelines is not, in itself, a breach of MiCA.
Their binding force is mediated through national competent authorities. Under the comply-or-explain framework, each NCA must notify ESMA within two months of the official translation publication whether it complies, intends to comply, or does not intend to comply with the guidelines. Where an NCA has declared compliance or intent to comply, the guidelines become the operative supervisory standard in that jurisdiction — non-conforming CASPs face real regulatory exposure. That two-month notification deadline is an obligation owed by NCAs to ESMA, not to CASPs. Its expiry does not create any form of compliance safe harbour. A CASP in a jurisdiction where the NCA intends to comply must build toward full conformity by 28 July 2026 regardless of whether the NCA has yet filed its formal notification with ESMA.
As a matter of due diligence, CASPs should check their NCA's public register or published supervisory statements to confirm the declared position — this is a sensible additional step, not a condition under which supervisory expectations shift in the CASP's favour. In the absence of a published non-compliance declaration, the prudent assumption is that the NCA will apply the guidelines. For CASPs still mapping their authorisation requirements, see our complete CASP licence requirements guide and the MiCA compliance deadlines overview for 2026.
Who Is In Scope: The Article 81(7) Trigger and ESMA's Extended Reach
Article 81(7) MiCA by its literal text applies to staff at CASPs that provide crypto-asset advice. That is a narrow starting point. ESMA, acting under the mandate in Article 81(15)(a) MiCA, extended the scope to cover staff providing information about crypto-assets as well. This is not regulatory overreach. In the consultation process preceding the final guidelines (ESMA35-24871704-2922, published 28 January 2026, applicable from 28 July 2026), ESMA took the deliberate policy position that any employee dealing directly with clients — whether giving a formal recommendation or answering a product question — poses equivalent investor-protection risk. The CNMV summary of the guidelines confirms this reading: the extension reflects ESMA's view that a weaker standard for information-only staff would create a systematic gap at the client-facing layer. CASPs cannot treat the extension as discretionary.
The scope trigger therefore covers two distinct categories of in-scope worker. First, staff who provide advice on crypto-assets — that is, personalised recommendations to clients in the sense used in Article 4(1)(16) MiCA. Second, staff who provide information about crypto-assets to clients or prospective clients, even where that information does not amount to a personalised recommendation. Both categories are subject to the knowledge and competence requirements under the guidelines, though the applicable entry routes and continuing professional development thresholds differ between tiers. Article 68(5) MiCA operates as a parallel hook: it requires CASPs to ensure that all relevant natural persons within the firm who provide services to clients possess the necessary knowledge and competence. Read together, Articles 68(5) and 81(7) create interlocking obligations that reach across the client-facing workforce, not merely licensed advisers. See the complete CASP licence requirements guide for how these fit within the broader authorisation framework.
The automated and semi-automated services rule closes a structural loophole. Where a CASP delivers information or advice through an algorithm, chatbot, or similar tool, the guidelines apply to the staff members responsible for determining the content of those communications — typically product managers, engineers, or content specialists who set the parameters, decision logic, or scripted outputs. The mere fact that a human is not present in the client interaction at the moment of delivery does not remove the obligation. A CASP that routes all retail-facing communications through an automated interface but leaves the underlying design team outside its competence framework will be non-compliant. This interpretation requires CASPs to map their workforce beyond the front-office sales and advisory functions and include technical roles that materially shape what clients receive. For the full staff-classification methodology, see the MiCA Article 81 staff knowledge and competence guide.
Drawing the Boundary: What Makes a Touchpoint 'Advice' Rather Than 'Information'
The boundary between information and advice under Article 81 of Regulation (EU) 2023/1114 is not a matter of job title or commercial framing — it is a matter of what the communication actually does. Information-tier staff provide factual content about crypto-assets, services, costs, risks, and processes without tailoring that content to a specific client's individual circumstances. This covers a broad operational footprint: onboarding teams, customer support agents, sales and account managers discussing product features, KYC reviewers, complaints handlers, trading-desk support staff, and personnel who review or approve marketing copy for factual accuracy. What these roles share is that their output is generic — the same answer could be given to any client in the same factual situation, regardless of that client's objectives, financial position, or risk tolerance.
Advice-tier staff are those who provide a personalised recommendation on a specific transaction linked to a client's individual circumstances, objectives, and risk tolerance. The operative test is straightforward: is the communication tailored to this client's particular situation? If the staff member is assessing what the client should do — buy, sell, hold, allocate — in light of information about that specific client, the interaction is advice, regardless of whether it occurs inside a formal portfolio management mandate or through an informal support channel. The advice tier is not confined to roles with "advisor" or "portfolio manager" in their title. It attaches to the function, not the label.
ESMA is explicit that blurred operational lines will not withstand supervisory scrutiny. A customer support agent who begins answering questions of the form "should I buy X given my situation?" is functioning as an advice-giver from the moment of that interaction — their onboarding paperwork as an information-tier employee is irrelevant. CASPs must therefore design role boundaries and escalation protocols that make the line structurally enforceable, not merely declared in a job description. This means scripted escalation triggers, documented call-monitoring criteria, and clear internal guidance on which question types require handoff to a qualified advice-tier employee. For a broader overview of the workforce competence framework these tiers sit within, see our guide on MiCA Article 81 staff knowledge and competence.
Grey-Zone Roles: How to Classify Staff Who Do Both
The information/advice boundary creates its sharpest compliance problems not at the extremes but in the middle: account managers who walk clients through trade options, trading support staff who flag "what other clients typically do in this situation," or human operators who can override an automated portfolio tool's output. The governing principle under ESMA's guidelines is unambiguous — classify a role by the highest-risk activity it performs, not by the proportion of time spent on each activity. A staff member who provides a personal recommendation even occasionally must satisfy advice-tier qualification and experience requirements in full. Partial or statistical arguments — "she only advises 10% of the time" — do not reduce the applicable standard.
To apply this in practice, CASPs should conduct a structured role-mapping exercise across every function that touches crypto-asset information or advice delivery. For each role: (1) list every client-facing activity the role performs; (2) apply the personal recommendation test — does the activity amount to a suggestion presented as suitable for that specific client, based on their circumstances? (3) document the reasoning and the conclusion; (4) flag any role where the answer could plausibly be "both," and default to advice-tier unless the CASP can demonstrate with documented evidence that the personal recommendation threshold is never crossed. The same logic applies to AI copilots or automated tools with human override capability: if the human's intervention can constitute a personal recommendation, that human's role is advice-tier. CASPs must be able to produce the classification rationale for each role on request from their NCA — a spreadsheet of job titles with no supporting analysis is insufficient.
Grey-zone classifications are not a one-time determination. ESMA's guidelines require the management body to review the knowledge and competence framework at least annually, and that review must encompass the role-classification logic itself — not just training records or CPD hours. Product launches, service expansions, or changes to client interaction workflows can silently push an information-tier role across the line. Building the role-mapping exercise into the annual management body review cycle, rather than treating it as a standalone onboarding task, is the practical mechanism for keeping classifications current. For the broader governance obligations attached to that annual review, see Guideline 4: training records, CPD, and governance, and for the underlying licence-level context see the complete CASP licence requirements guide.
Entry-Route Comparison: Information Tier vs Advice Tier at a Glance
ESMA's Guidelines under Article 81(7) MiCA (ref. ESMA35-24871704-2922) set out two distinct competence tiers, each with its own entry routes. The information tier is governed by Guideline 2. ESMA does not impose a fixed minimum — the obligation is to establish a standard proportionate to the complexity of the crypto-asset services provided. The illustrative examples given are: at least 80 hours of professional training plus at least 6 months of supervised experience, or alternatively at least 1 year of supervised experience without a formal training threshold. These figures are explicitly framed by ESMA as examples, not hard floors. Market commentary treats 80 hours and 6 months as a practical yardstick, but NCAs have not mandated these thresholds as formal benchmarks, and each CASP must calibrate its own proportionate standard and document that calibration.
The advice tier, governed by Guideline 3, offers four illustrative entry routes — all of which require supervised experience overseen by a supervisor who holds both appropriate qualification and appropriate experience; these two criteria are cumulative, not alternative, and appointing a supervisor who satisfies only one of them creates a compliance gap. The routes are:
- Route A: a tertiary-level degree of at least 3 years in a relevant field, plus at least 1 year of supervised experience.
- Route B: a secondary education qualification plus at least 3 years of recognised vocational or professional training, plus at least 1 year of supervised experience.
- Route C: at least 160 hours of vocational training, plus at least 1 year of supervised experience.
- Route D: at least 2 years of relevant experience under
MiFID IIorIDD, plus at least 6 months of supervised crypto-asset-specific experience.
Across all routes, supervised practice is subject to a 4-year cap. On an ongoing basis, information-tier staff must complete at least 10 hours of CPD per year; advice-tier staff must complete at least 20 hours — that 20-hour figure is not additive, and per footnote 12 of the Guidelines it already covers the 10-hour information-tier floor. A staff member with advice-tier CPD in place does not need a separate information-tier CPD programme on top of it. CASPs should document clearly which route each staff member qualifies under and retain evidence sufficient to demonstrate proportionality to their NCA during supervision.
Transitional Competence Recognition: Who Qualifies and What the CASP Must Still Do
ESMA's guidelines include a transitional presumption designed to avoid forcing established crypto firms to immediately re-qualify experienced staff. A CASP may treat a staff member as competent — without requiring them to first satisfy a formal entry-route qualification — where that individual was actively providing crypto-asset information or advice on a full-time equivalent basis for at least one year prior to 28 July 2026. The same presumption extends to staff who delivered equivalent services at a VASP operating under a pre-MiCA national licensing framework. However, the NCA retains discretion to differentiate the required duration of experience based on the individual's existing qualification level and the specific services they were providing — meaning a less-qualified staff member may need to demonstrate a longer track record to benefit from the presumption.
Transitional recognition is not automatic, and CASPs who treat it as self-executing face direct inspection risk. Even where the presumption clearly applies, the firm is still obligated to conduct and document a competence assessment for each individual before 28 July 2026. That assessment must be captured in the firm's knowledge and competence records and must be available for NCA review. A compliance file that simply lists tenure without a structured evaluation of whether the individual's knowledge and skills meet the relevant tier standard — information or advice — will not satisfy supervisory expectations. The documented assessment is the mechanism through which the presumption is invoked; without it, the presumption provides no procedural protection.
Part-time staff require particular attention. Only those who cumulatively worked a full-time equivalent in the relevant client-facing role during the qualifying period benefit from the transitional presumption; individuals whose involvement was partial or incidental do not qualify and must satisfy a standard entry route. CASPs should audit each staff member's actual activity — not job title — against the information/advice tier boundary described in the Article 81 staff competence guide before assigning presumption status. Firms still building their compliance framework should also review MiCA's 2026 compliance deadlines to confirm the 28 July cut-off applies in their NCA's jurisdiction.
Governance Obligations: Management Body Review, Record-Keeping, and NCA Demonstrability
Under Guideline 4, the management body of every CASP must assess — at least annually — whether the firm complies with Article 68(5) and Article 81(7) MiCA, and whether its internal policies and procedures for staff knowledge and competence remain adequate. That assessment is not a formality: where deficiencies are identified, the management body is required to adopt concrete remedial measures. This is a governance obligation that sits above the compliance or HR function — sign-off must be traceable to the appropriate body, not delegated away entirely. CASPs building their annual review cycle should treat this alongside other management body obligations under Article 68 rather than as a standalone HR process. See the broader governance framework discussed in our MiCA Article 81 staff competence guide.
The burden of proof rests entirely with the CASP. On request from the NCA, the firm must be able to demonstrate compliance — not merely assert it. Assessments may be conducted internally or by an external body; both routes are acceptable under the guidelines, but the output must be documented regardless of who conducts it. The minimum record set for each staff member in scope should include: full name and role, tier assignment (information or advice), qualification route relied upon with supporting evidence, date and outcome of the competence assessment, CPD log broken down by year, and — where the supervised-practice route is being used — the identity and qualifications of the supervisor, together with confirmation that the supervisor holds both an appropriate qualification and appropriate experience (these are cumulative requirements, not alternatives). For CPD specifically, attendance records alone do not satisfy the requirement: the guidelines require verification that knowledge was actually acquired, meaning assessment or testing outcomes must be captured and retained. Further detail on CPD record architecture is covered in our Guideline 4 training records and CPD governance article.
One operationally significant point that CASPs frequently overlook: where information or advice is delivered through automated or semi-automated tools — chatbots, robo-advisory interfaces, algorithmic information engines — the guidelines extend staff obligations to the engineers, content owners, and product managers who build and maintain those tools, not only to front-office staff who interact directly with clients. If your firm relies on such delivery mechanisms, the governance record must reflect which individuals are classified as in-scope for that channel and on what basis. Failing to map these roles before the 28 July 2026 application date creates a demonstrability gap that is difficult to close retrospectively. Review your firm's MiCA compliance deadlines to ensure the governance review cycle is sequenced correctly ahead of that date.
Before 28 July 2026: Six Steps to a Defensible Classification Framework
Compliance teams have until 28 July 2026 to build a classification framework that will withstand supervisory scrutiny. The six steps below are sequenced deliberately: each one creates the documented evidence base that the next step depends on. Skipping or abbreviating any step leaves a gap that an NCA inspection can exploit.
- Step 1 — Confirm your NCA's compliance status. NCAs are required to notify ESMA within two months of official translation publication whether they comply or intend to comply with ESMA's guidelines (ESMA35-24871704-2922). Check your NCA's public register or published supervisory statements for that confirmation. This is a useful due-diligence step — but the absence of a published NCA statement does not relieve your CASP of compliance obligations. Where your NCA has indicated intent to comply, build toward the 28 July deadline regardless of whether formal confirmation has been published.
- Step 2 — Complete a role inventory. Map every role that touches client-facing delivery of information or advice about crypto-assets or crypto-asset services, including automated and hybrid channels. The inventory must cover front-line staff, relationship managers, chatbot oversight roles, and any third-party staff acting on your behalf. Each role is a classification decision waiting to be made.
- Step 3 — Apply the personal recommendation test to each role. For every role in the inventory, assess whether the output could constitute a personal recommendation tailored to a specific client's circumstances. Document the reasoning — not just the outcome. A bare classification label without reasoning is not defensible if the NCA later disagrees with your line-drawing.
- Step 4 — Map advice-tier roles to qualification routes. For each individual in an advice-tier role, identify which of Routes A through D they satisfy: Route A (tertiary degree of at least three years plus at least one year of supervised experience); Route B (secondary education qualification plus at least three years of recognised vocational or professional training plus at least one year of supervised experience); Route C (at least 160 hours of structured training plus at least one year of supervised experience); or Route D (at least two years of relevant MiFID II or IDD experience plus at least six months of supervised crypto experience). Record any gap between an individual's current qualifications and the applicable route requirements, and assign a remediation timeline. Note that supervisors must hold both appropriate qualification and appropriate experience — these are cumulative, not alternative, criteria.
- Step 5 — Conduct and document competence assessments for transitional staff. Existing staff who were providing these services before the guidelines apply may benefit from a transitional presumption of competence — but that recognition is not automatic. Your CASP must conduct and document a formal competence assessment for each such individual before the deadline. Treat this as mandatory. An undocumented transitional claim is no claim at all under supervisory review. See our full Article 81 staff competence guide for assessment design detail.
- Step 6 — Establish ongoing governance infrastructure. Set up CPD tracking against the 10-hour floor for information-tier staff and 20-hour floor for advice-tier staff (the 20 hours satisfy the 10-hour information-tier requirement; they are not additive). Schedule at least annual management body review of the classification and competence framework. Maintain supervisor qualification records in a form that can be produced on request. For Guideline 4 implementation — training logs, CPD evidence, and record-keeping formats — see our training records and CPD governance guide. For the broader authorisation context in which these obligations sit, see our CASP licence requirements guide.
The framework only holds if it is living documentation. A classification made in April 2026 that is never revisited will drift out of alignment as roles evolve. Build a trigger mechanism — role change, service expansion, new product launch — that forces reclassification review before the change goes live, not after.
Frequently asked questions
Are ESMA's Article 81(7) knowledge and competence guidelines legally binding on CASPs?
Not in the same way as a directly applicable EU Regulation. ESMA's guidelines operate on a 'comply-or-explain' basis under Article 16 of the ESMA Regulation. Their practical binding force is mediated: national competent authorities (NCAs) must notify ESMA within two months of the official translation publication whether they comply or intend to comply. In jurisdictions where the NCA has declared compliance, supervisory expectations are effectively mandatory in practice. Importantly, the absence of a formal NCA notification does not create a safe harbour for CASPs — firms in jurisdictions where the NCA intends to comply must build toward compliance by 28 July 2026.
Which staff roles fall into the information tier versus the advice tier?
The information tier covers staff who provide factual information about crypto-assets, services, costs, or risks without making personalised recommendations — including onboarding teams, customer support, account managers, KYC reviewers, and trading support. The advice tier covers any staff member who makes a personal recommendation tailored to an individual client's circumstances, objectives, and risk tolerance. The test is the nature of the communication, not the job title: a support agent who advises a client on whether to buy a specific asset is operating as an advice-giver regardless of how the role is labelled.
What are the qualification routes for advice-tier staff under Guideline 3?
ESMA's guidelines set out four illustrative routes — not a closed legal list — for demonstrating advice-tier competence: Route A: a relevant tertiary degree of at least 3 years plus at least 1 year supervised experience; Route B: a secondary education qualification plus at least 3 years of recognised vocational or professional training, plus at least 1 year supervised experience; Route C: at least 160 hours of vocational training plus at least 1 year supervised experience; Route D: at least 2 years of MiFID II or IDD relevant experience plus at least 6 months of supervised crypto experience. In all routes, the supervisor must hold both appropriate qualification and appropriate experience — both criteria are cumulative.
Can a staff member who has been working at the CASP for over a year automatically be treated as competent?
No — transitional recognition is not automatic. CASPs may presume competence for staff who were providing information or advice on a full-time equivalent basis for at least 1 year before 28 July 2026, but the CASP is still required to conduct and document an assessment of each individual's competence. The presumption is a threshold condition, not a substitute for assessment. Part-time staff who did not cumulatively work a full-time equivalent year in the relevant role do not benefit from the presumption.
Do the guidelines apply to automated crypto-asset advisory tools and chatbots?
Yes. Where information or advice is delivered in an automated or semi-automated manner, ESMA's guidelines apply to the staff members responsible for determining the content of those communications — including the engineers, product managers, or content owners who set the parameters, algorithms, or response templates. The client-facing delivery channel does not affect the obligation; what matters is whether a natural person is responsible for the content that reaches the client.
How often must the management body review the firm's knowledge and competence framework?
At least annually. The management body must assess compliance with Articles 68(5) and 81(7) of MiCA, review the adequacy of the firm's policies and procedures for staff knowledge and competence, and adopt remedial measures for any deficiencies identified. This annual review must itself be documented as part of the firm's governance record, and the CASP must be able to demonstrate compliance to the NCA on request.