Guideline 2: Entry Requirements for Information Staff
Guideline 2 defines the substantive knowledge that staff providing information about crypto-assets or crypto-asset services must be able to demonstrate before engaging with clients independently. The required content covers seven distinct domains: the key characteristics, risks, and features of each crypto-asset service the firm actually offers; the functioning of distributed ledger technology and blockchain architecture; all costs and charges the client will bear; the applicable regulatory framework under Regulation (EU) 2023/1114 (MiCA), including investor-protection obligations; the operational mechanics of crypto markets — specifically 24/7 continuous trading, liquidity fragmentation across venues, and token-listing dynamics; basic valuation mechanisms relevant to the asset types in scope; and cybersecurity risks, including the threat of cyberattacks, theft of assets, improper private-key storage, and the permanent loss of funds from transfers to unsupported networks. Staff do not need encyclopaedic expertise, but they must hold working knowledge across all of these areas for every service line they support.
The guidelines' annex provides an illustrative example of how that knowledge standard can be met: at least 80 hours of professional training combined with a minimum of six months of supervised experience, or an equivalent combination. The word illustrative is load-bearing here. ESMA explicitly frames this as an example, not a binding legal minimum. The obligation that actually sits with the CASP is to determine, based on the complexity of its services and the risk profile of its products, what level of training and experience is adequate. A firm offering only order reception and transmission for liquid, high-cap tokens may reach the threshold with less; a firm offering transfer services for exotic or illiquid assets will need more. This judgment must be documented — supervisors cannot simply defer to a generic training programme and assume compliance.
Regardless of the qualification route chosen, no staff member may interact with clients independently before passing an internal assessment. The assessment must be designed to test the specific knowledge domains above, not generic financial-services competence. CASPs should record the outcome of each assessment, the date it was passed, and the basis on which the firm concluded the individual's knowledge was adequate for the services they will support. For firms building onboarding frameworks now, see also the complete CASP licence requirements guide and the broader MiCA compliance deadlines tracker to understand how Guideline 2 sits within the wider July 2026 obligations.
Guideline 3: Five Qualification Routes for Advice Staff
Guideline 3 applies to staff who provide advice on crypto-assets — a materially higher bar than Guideline 2. Advice staff must satisfy every Guideline 2 knowledge requirement and then demonstrate additional competence covering suitability assessment methodology, portfolio construction principles, diversification theory, and the practical ability to match specific crypto-assets to a client's individual financial circumstances, risk tolerance, and investment objectives. In practice, this means advice staff need a working command of concepts that information staff can reasonably leave to product documentation. The distinction between the two tiers is not cosmetic; putting an under-qualified person in an advice role is a supervisory breach, not merely a training gap.
The guidelines' annex sets out five illustrative routes through which the required qualification and experience can be demonstrated. All five are cumulative minimum examples — they are not an exhaustive closed list of legal pathways, and ESMA frames them as guidance rather than hard floors. Route 1: a relevant tertiary degree (economics, finance, law, or a closely related field) combined with a minimum period of supervised experience in crypto-asset advisory. Route 2: a three-year secondary or vocational qualification in a related field, plus supervised experience. Route 3: vocational or professional training of at least 160 hours, plus a minimum of one year of supervised advisory experience. Route 4: standalone supervised experience of sufficient length and substance, where the quality and breadth of that experience itself demonstrates competence without a formal qualification. Route 5 — confirmed in the CNMV International Bulletin review and independently in the Tevetoglu Legal analysis of ESMA's final guidelines — covers individuals with at least two years of professional experience providing advice within the scope of MiFID II or the Insurance Distribution Directive (IDD), supplemented by a minimum of six months of crypto-specific supervised experience.
For CASPs recruiting from traditional financial services, Route 5 is the most operationally accessible pathway and should be the documented default in HR onboarding policy. A qualified IFA, wealth manager, or insurance adviser with two years of relevant experience needs only a structured six-month crypto supervisory programme — not a full re-qualification. This materially reduces the cost of staffing an advice function from a TradFi talent pool. That said, the six months must be genuinely supervised and crypto-specific; a generic MiFID II refresher course does not satisfy it. Whichever route applies, the CASP must document the assessment basis, record when it was passed, and enforce the rule that no advice staff member handles client interactions independently before that assessment is completed. For context on how advice obligations interact with the MiFID II boundary, see MiCA vs MiFID II: which applies to your token, and for common implementation errors, the seven biggest MiCA compliance mistakes.
Frequently asked questions
Do ESMA's knowledge and competence guidelines apply to all CASPs, or only those providing advice?
Although Article 81(7) of MiCA literally refers only to CASPs providing crypto-asset advice, ESMA explicitly extended the scope of the guidelines to cover staff providing information at all CASPs — citing investor-protection grounds. In practice, any authorised CASP with client-facing staff who explain products, describe risks, or answer client questions about crypto-assets must comply with Guideline 2 (information staff). Only CASPs with zero client-facing interaction can argue the guidelines are irrelevant to them.
What is the fifth qualification route for advice staff, and who does it benefit?
The five illustrative qualification routes for advice staff under Guideline 3 include — alongside degree-based and training-hour paths — a dedicated route for candidates with prior MiFID II or Insurance Distribution Directive (IDD) advisory experience: at least two years of professional experience providing advice within the scope of MiFID II or IDD, combined with a minimum of six months of crypto-specific supervised experience. This route is specifically designed for TradFi hires or staff transitioning from investment firms or insurance distribution backgrounds, and is typically the fastest pathway for CASPs recruiting from established financial services.
Are the 10 and 15 CPD-hour figures hard legal minimums that satisfy supervisory expectations?
No. The guidelines state that CASPs must themselves determine an adequate minimum number of CPD hours, with ESMA providing 10 hours per year (information staff) and 15 hours per year (advice staff) as illustrative floor examples. CASPs offering complex products, high-volatility instruments, or multiple service lines should treat these figures as a starting point, not a ceiling. NCAs reviewing CPD frameworks will assess adequacy relative to the firm's specific service mix and product risk profile.
Does the grandfather clause exempt existing staff from CPD and annual review obligations?
No. The transitional provision — which applies separately to both information staff and advice staff — allows CASPs to recognise existing staff as competent if they have provided information or advice on a full-time-equivalent basis for at least one year before 28 July 2026. But this only addresses the initial entry-qualification requirement. From 28 July 2026, all grandfathered staff must immediately enter the CPD regime and are subject to the management body's annual competence review. The grandfather clause covers the 'entry gate'; it does not provide an ongoing exemption.
Do the guidelines apply to staff delivering advice or information through automated or AI-driven tools?
Yes. ESMA explicitly addresses this scenario: where advice or information is delivered in automated or semi-automated form, the guidelines apply to the staff responsible for the content of that information or advice. A CASP cannot bypass knowledge-and-competence requirements by routing client interaction through a chatbot or algorithm if human staff designed, maintain or oversee the content of those outputs.
When did the guidelines begin applying, and which CASPs are captured on day one?
The guidelines began applying on 28 July 2026 — six months after ESMA published official translations in all EU languages on 28 January 2026. They apply to CASPs that are fully authorised by that date, including those authorised through both the full licensing procedure under Article 62 and the notification procedure. CASPs that have filed an application but are not yet authorised are not captured on day one, but should treat the framework as a pre-authorisation readiness requirement given that supervisory assessments will scrutinise competence frameworks.