MiCA July 1, 2026: What Happens to Unlicensed CASPs After the Deadline

On 1 July 2026, Article 143(3) MiCA's grandfathering period expires across all 27 EU Member States. Any crypto-asset service provider still operating without an Article 63 authorisation is in breach of EU law. This article explains the exact enforcement toolkit NCAs now hold, how Article 111 penalties actually work, what a pending application does and does not protect, and the last-resort options still available to founders who are not yet licensed.

On 1 July 2026, Article 143(3) MiCA (Regulation (EU) 2023/1114) grandfathering expired. The transitional window that allowed firms operating under pre-MiCA national registrations — AML-only VASP registrations, French DASP status, German crypto-custody permissions under the old KWG — to continue offering crypto-asset services without a MiCA authorisation has closed. There is no mechanism in MiCA for a further extension. Any entity still relying on a pre-MiCA national status after that date is operating without legal basis under EU law. Article 59 MiCA is now unambiguous: providing crypto-asset services in the EU requires authorisation under Article 63 MiCA, full stop.

ESMA made the position explicit in its statement ESMA75-113276571-1679, published 17 April 2026: after 1 July 2026, any entity providing crypto-asset services to EU clients without a MiCA licence is in breach of EU law and must cease. That statement was not a warning about a future risk — it was a description of what the regulation already required. The obligation applies uniformly across all 27 Member States. No NCA has the power to grant informal continuations, and no national legislation can create a carve-out that overrides the Article 59 prohibition once grandfathering has lapsed.

The scale of exposure is significant. Of the 1,200-plus entities that held pre-MiCA VASP or equivalent registrations across the EU, roughly 83% had not converted to a MiCA authorisation by the deadline. That is not a compliance gap at the margins — it is the dominant position of the market. Many of those firms will have understood the deadline was approaching. What changes on 1 July 2026 is that awareness of the risk is no longer a mitigating factor: the prohibition applies regardless of whether a firm is actively seeking a licence, winding down, or simply slow to act. NCAs can now enforce without any preliminary grace-period argument available to the subject firm. The question from this point is not whether exposure exists — it does — but what NCAs will do about it and in what order.

The Tier System That Already Caught Many Firms: Shorter Windows by Member State

1 July 2026 is the EU-wide outer limit, not a shared starting gun. Article 143(3) MiCA permitted Member States to set shorter transitional windows, and a significant number did. The result is that firms in several jurisdictions had already lost their grandfathering cover months — in some cases over a year — before the EU deadline. According to the ESMA-confirmed list of national grandfathering periods, three distinct tiers emerged:

  • 6-month window (ended approximately June 2025): Netherlands, Latvia, Hungary, Poland, Slovenia, Finland. The Dutch AFM's decision to apply the shortest permissible window was among the most consequential, given the Netherlands' historically large VASP population.
  • 12-month window (ended 31 December 2025): Germany, Ireland, Lithuania, Austria, Slovakia. Germany implemented its shortened period through § 50(2) No. 3 KMAG (Kryptomarkteverordnungs-Begleitgesetz), the domestic MiCA-accompanying legislation.
  • Full 18-month window (to 1 July 2026): France, Spain, Malta, Luxembourg, Cyprus, Romania.

The practical consequences are serious and already crystallised. A CASP that held a Dutch AML registration and was still offering services to EU clients in June 2026 had been in breach of EU law for approximately twelve months before the EU-wide deadline arrived. A firm targeting German clients without BaFin MiCA authorisation lost its transitional cover at the end of 2025. Two points on Germany deserve particular attention. First, the KMAG transitional regime was specifically structured for entities that already held regulated permissions in Germany — credit institutions, investment firms, and licensed exchanges with permitted crypto-asset activities. Purely AML-registered VASPs, which held no regulated status beyond an anti-money-laundering notification, occupied a narrower and weaker position under the German framework; their argument for continued operation under the transitional period was materially more constrained. Second, Germany represents the largest crypto-asset market by volume in continental Europe, meaning BaFin's December 2025 cut-off affected a disproportionate share of institutional and retail-facing activity. Any compliance analysis that treats July 2026 as the single operative deadline without mapping the firm's home-state and target-market windows has already missed the point — and may have already missed the deadline.

Frequently asked questions

Does having a pending MiCA authorisation application allow me to keep operating after 1 July 2026?

No. Under Article 143(3) MiCA, the right to operate under grandfathering expired on 1 July 2026 — or upon a refusal decision under Article 63, whichever came first. ESMA confirmed in its April 2026 statement (ESMA75-113276571-1679) that a pending application is not a standalone basis to continue serving EU clients after the deadline. There is no MiCA mechanism for an NCA to grant informal continuation. Firms should assume EU client-facing services must cease until and unless authorisation is actually granted.

What are the maximum financial penalties for operating as an unlicensed CASP under Article 111 MiCA?

Article 111 MiCA sets the maximum administrative penalties that Member States must be empowered to impose — the legal concept is a 'minimum maximum' (a floor on the ceiling NCAs must have available). For legal persons, the ceiling is €5,000,000 or a percentage of annual turnover, whichever is greater — where the turnover percentage depends on the infringement category (3% for general crypto-asset breaches; 5% for CASP-specific breaches; up to 12.5% for ART/EMT-related breaches). For natural persons, the ceiling is €700,000. Member States may implement higher penalties than these MiCA maxima under Article 111(6). The level of any individual fine is at NCA discretion within the applicable range. Publication of enforcement decisions is separately required under Article 114.

Germany and the Netherlands had shorter grandfathering windows — are firms there already in breach?

Yes, if they were relying on pre-MiCA national registrations without obtaining Article 63 MiCA authorisation. Germany's KMAG (§ 50(2) No. 3) shortened the grandfathering period to 31 December 2025, meaning eligible entities lost grandfathering cover at year-end 2025. The Netherlands chose a 6-month window under Article 143(3), which expired around June 2025. A firm serving German or Dutch clients without a MiCA authorisation after those dates was already in breach of Article 59 — the EU-wide July 2026 deadline is the outer limit, not a second chance.

What does a credible MiCA wind-down plan actually require?

ESMA's April 2026 statement (ESMA75-113276571-1679) requires unauthorised CASPs to have implemented — not merely documented — wind-down plans that are credible, operational, and immediately executable by 1 July 2026. Key elements include: prior written notice to clients of service cessation; arrangements allowing clients to withdraw crypto-assets to self-hosted wallets or migrate to a licensed CASP; and no new EU-client onboarding. NCAs are expected to verify adequacy, not just accept submission. A plan that exists only on paper does not meet the ESMA standard.

Can a non-EU crypto firm continue serving EU clients under the MiCA reverse-solicitation exception after July 2026?

Only in very narrow circumstances. Article 61 MiCA (read with Article 61(3) and ESMA's guidelines of 26 February 2025) provides a carve-out where an EU client approaches a third-country firm entirely on the client's own exclusive initiative. However, ESMA's guidelines interpret 'solicitation' broadly and technology-neutrally — websites, apps, advertisements, social media, retargeting, affiliate campaigns, and SEO all constitute solicitation regardless of jurisdictional disclaimers. In practice, virtually any active EU-market presence will preclude reliance on this exception. Firms claiming reverse solicitation should obtain specific legal advice before continuing any EU-facing activities.

What are my remaining options if I am a founder still waiting for MiCA authorisation?

The realistic options — each requiring legal advice — are: (1) Cease EU client-facing services immediately and continue the authorisation application; if granted, services can resume. (2) Partner with an already-authorised CASP to white-label services under their licence during the application period, structured carefully to avoid circumvention concerns. (3) Transfer EU client assets and relationships to a licensed CASP in an orderly wind-down. None of these options removes the requirement to have ceased EU services by 1 July 2026 if unauthorised. There is no informal tolerance mechanism under MiCA.
