What MiCA Title VI Covers — and Who It Applies To
Title VI of MiCA (Articles 86–92, Regulation (EU) 2023/1114) establishes the EU's market abuse framework for crypto-assets — and its scope is deliberately broad. The prohibitions apply to any person dealing in crypto-assets that are admitted to trading on an EU-authorised trading platform, or for which an admission request has been submitted. Critically, the regime is actor-neutral and behaviour-based: it captures natural persons, legal entities, validators, developers, and node operators alike. If your activity touches an in-scope crypto-asset, the conduct rules apply regardless of whether you hold a CASP licence or operate outside the traditional financial sector entirely.
The boundary with Regulation (EU) No 596/2014 (MAR) matters here. MAR governs financial instruments; crypto-assets that fall outside that definition — the majority of tokens in practice — were previously in a regulatory gap. Title VI closes that gap. There is also a DLT-specific extension that MAR never contemplated: the prohibitions in Articles 89–91 explicitly cover not only orders and executed transactions but also cancellations and consensus-mechanism events on distributed ledger technology. This means front-running via MEV or manipulative validator behaviour is within scope, though the precise legal classification of specific MEV strategies remains subject to ongoing regulatory interpretation. For a detailed comparison of where MiCA ends and MAR begins, see MiCA vs MiFID II: which applies to your token.
The most operationally significant concept in Title VI is the PPAET — persons professionally arranging or executing transactions. Under Article 92, PPAETs are the primary duty-bearers for market surveillance systems and suspicious transaction and order reporting (STOR). CASPs providing execution, reception and transmission, or exchange services clearly qualify. Custodians are not automatically PPAETs: a CASP providing pure custody and administration — holding assets without arranging or executing transactions — does not trigger Article 92 STOR duties on that basis alone. Where a custodian also facilitates or executes transactions on behalf of clients, that activity brings it within the PPAET perimeter, and the full surveillance obligation applies to those operations.
The Three Market Abuse Prohibitions: Articles 89, 90 and 91
Title VI of MiCA establishes three distinct market abuse prohibitions that apply across crypto-asset markets from 30 December 2024. They mirror the structure of Regulation (EU) 596/2014 (MAR) but are calibrated to crypto-asset market dynamics — including the 24/7 trading cycle, pseudonymous participants, and the absence of a central exchange for many assets. Each prohibition operates independently: a single act can breach more than one simultaneously.
Article 89 — insider dealing prohibits any person who possesses inside information (as defined by Article 87 MiCA) from using that information to acquire or dispose of crypto-assets to which it relates, whether directly or indirectly. The prohibition extends to cancelling or amending outstanding orders placed before the information was obtained — a critical detail for algorithmic desks that manage resting limit orders. Recommending or inducing another person to trade on inside information is equally prohibited; crucially, the "ought to know" standard applies here: a recommender is caught even without actual knowledge of the inside information's character, provided a reasonable person in that position would have known. Article 89(4) preserves a good-faith discharge proviso — certain conduct carried out in the course of legitimate market-making or in execution of a prior obligation does not automatically constitute insider dealing, but the burden of demonstrating good faith sits with the firm.
Article 90 — unlawful disclosure of inside information prohibits sharing inside information outside the normal course of employment, profession, or duties. This captures both deliberate leaks and careless disclosure — an analyst discussing non-public token metrics in a private Telegram group is squarely within scope. Article 91 — market manipulation reproduces the MAR Article 12 catalogue of manipulative behaviours (fictitious devices, false or misleading signals, price positioning, benchmark manipulation) and adds a crypto-specific scenario directly relevant to CASPs and influencers: taking a position in a crypto-asset, then using traditional or electronic media — including social platforms — to express a view on it without disclosing that position, and subsequently profiting from the resulting price movement. This statutory illustration of the "pump-and-dump via social media" conduct means compliance teams must treat content publication as a regulated act, not merely a communications matter.
| Prohibition | Covered conduct (MiCA) | Key difference vs MAR |
|---|---|---|
| Art. 89 — Insider dealing | Trading, cancelling/amending orders, or recommending trades on the basis of inside information (Art. 87 definition); "ought to know" standard for recommenders; Art. 89(4) good-faith discharge | Applies to crypto-assets regardless of whether traded on a regulated venue; no equivalent of MAR's "financial instrument" venue nexus requirement |
| Art. 90 — Unlawful disclosure | Sharing inside information outside normal professional duties, including informal channels (messaging apps, social media) | Scope extends to persons who are not issuers or regulated firms — any person with inside information is caught; no MAR-style safe harbour for accepted market practices in crypto context |
| Art. 91 — Market manipulation | Full MAR Art. 12 catalogue plus: using media/social platforms to advocate a position in a crypto-asset without disclosing a held position and profiting from the price effect | Explicit statutory pump-and-dump via social media illustration — absent from MAR text; MEV-style strategies potentially in scope, though legal classification of specific MEV practices remains subject to ongoing regulatory interpretation |
Inside Information Under MiCA: Article 87 and What It Means in Practice
Article 87 of MiCA defines inside information through a four-part cumulative test. Information qualifies as inside information only if it is: (1) precise — meaning it refers to circumstances that exist or may reasonably be expected to exist, or to an event that has occurred or may reasonably be expected to occur, and is specific enough to allow a conclusion on the likely price effect; (2) non-public — not yet generally available; (3) directly or indirectly relating to one or more crypto-assets, their issuers, or CASPs offering related services; and (4) likely, if made public, to have a significant effect on the price of those crypto-assets. All four elements must be satisfied simultaneously. If any leg fails, the prohibition on insider dealing under Article 88 MiCA is not engaged — though market manipulation under Article 91 may still apply independently.
The structure of Article 87 MiCA is deliberately modelled on Article 7 MAR (Regulation (EU) 596/2014), and compliance teams can draw on the substantial body of MAR supervisory guidance and ESMA Q&As to interpret each limb. One especially important carryover is the intermediate steps rule: where an issuer is negotiating a significant protocol upgrade, a major centralised-exchange listing, or a partnership that would materially affect token utility, each discrete material step in that process may itself constitute inside information before any final agreement is reached or announced. Legal teams should treat these milestones as triggering points for information-barrier controls, not just the public announcement.
Article 87 defines the concept of inside information — it does not independently impose insider-list obligations on CASPs. This is a meaningful distinction from the MAR regime, where Article 18 MAR explicitly requires issuers and persons acting on their behalf to draw up, maintain, and update lists of persons with access to inside information. MiCA contains no equivalent stated requirement for CASPs. Maintaining an insider list is best practice and may well be expected by individual NCAs as evidence of robust internal controls — but compliance teams should not present it as a direct MiCA obligation when it is not one. If your NCA has issued specific guidance on this point, that guidance governs; absent it, document your rationale and treat list-keeping as a voluntary control measure aligned with the spirit of Title VI MiCA.
Article 92 and the Delegated Regulation 2025/885: Core PPAET Surveillance Duties
Article 92 MiCA imposes two distinct, non-negotiable duties on persons professionally arranging or executing transactions (PPAETs): maintain effective surveillance systems, and report suspicions without delay. The surveillance obligation under Article 92(1) requires PPAETs to establish effective arrangements, systems, and procedures to prevent and detect market abuse across all crypto-assets within MiCA's scope. The reporting obligation requires that, upon forming a reasonable suspicion that an order or transaction may constitute market abuse, the PPAET submits a Suspicious Transaction and Order Report (STOR) to its home NCA — the competent authority of the jurisdiction where the PPAET is registered or has its registered head office. For branches operating cross-border, the relevant NCA is generally that of the member state where the branch is located, though cross-border PPAET jurisdiction rules should be verified against the precise text of Article 92(1) and applicable NCA guidance before relying on them in any specific structure. Custody-only providers should note that Article 92 applies to the extent they are also professionally arranging or executing transactions — pure custody without transaction execution does not automatically trigger PPAET status.
Delegated Regulation (EU) 2025/885, published in the Official Journal on 20 August 2025 and in force from 9 September 2025, translates these Article 92 duties into concrete operational requirements. It is modelled closely on the MAR RTS framework, providing practical continuity for firms already operating under MAR. Four requirements stand out. First, monitoring scope is comprehensive: firms must surveil all orders and transactions — placed, modified, cancelled, or rejected — whether executed on or off a trading platform, on-chain or off-chain, and must also monitor relevant aspects of DLT functioning including the consensus mechanism itself (which brings MEV-adjacent behaviours into the surveillance perimeter, though the legal characterisation of specific MEV practices remains subject to ongoing regulatory interpretation). Second, all arrangements must be documented in writing, including any changes or updates to systems and procedures. Third, an annual internal audit and review cycle is required. Fourth, proportionality applies explicitly: systems must be appropriate and proportionate to the scale, size, and nature of the PPAET's activity — a small advisory-only CASP faces materially different expectations than a large trading platform operator.
| Surveillance scope element | Required monitoring action | Proportionality note |
|---|---|---|
| Orders (placed, modified, cancelled, rejected) | Systematic capture and pattern analysis across all venues and instruments in scope | Automated alert thresholds should reflect firm's typical order flow volume |
| Executed transactions (on- and off-platform) | Post-trade surveillance for wash trading, layering, and price distortion patterns | Smaller CASPs may rely on manual review supplemented by basic rule-based alerts |
| On-chain / DLT activity | Monitor consensus-layer events and on-chain transaction patterns where PPAET has visibility | Scope limited to activity the PPAET can reasonably access; document monitoring boundaries |
| Surveillance documentation | Written records of all arrangements, systems, procedures, and any updates | Must be maintained and available for NCA inspection on request |
| Internal audit cycle | Annual review of surveillance effectiveness and calibration of alert parameters | Review findings must be documented; material gaps remediated within defined timeframes |
Filing a STOR: Process, Timing and the Mandatory Template
Under Article 92(1) MiCA, the obligation to file a Suspicious Transaction and Order Report (STOR) falls on the PPAET — the person professionally arranging or executing transactions. This means the CASP itself carries the filing obligation, not its end-client, and not a separate platform in the arrangement unless that platform independently qualifies as a PPAET. The trigger is forming a reasonable suspicion that an order or transaction relates to insider dealing, market manipulation, or attempted market abuse. Once that suspicion is formed, the report must be filed without delay — there is no safe harbour for holding the STOR pending completion of an internal investigation. Internal review processes must run in parallel, not sequentially.
Delegated Regulation (EU) 2025/885, which entered into force on 9 September 2025, specifies the mandatory STOR template that all PPAETs must use. Key fields include: identification of the PPAET filing the report; a factual description of the suspicious order or transaction; identification of the persons involved; the specific factual basis for the suspicion (not just a conclusion, but the underlying indicators); whether the relevant position remains open at the time of filing; and the market data supporting the suspicion. Filing an incomplete or narrative-light STOR — one that simply flags suspicion without evidencing it — is unlikely to satisfy NCA expectations as supervisory convergence increases under the ESMA guidelines.
Two procedural protections are built into the framework. First, Article 92 MiCA provides a liability shield: PPAETs and their employees acting in good faith are not liable for breach of confidentiality obligations when filing a STOR — including under contract, data protection law, or professional secrecy rules. Second, a tipping-off prohibition applies — the subject of the STOR must not be alerted that a report has been or may be filed. Note that ESMA75-453128700-1039 governs supervisory practices on the NCA side — how competent authorities handle, assess, and respond to STORs — and complements, rather than replaces, the PPAET-facing obligations set out in Article 92 and Delegated Regulation 2025/885. CASPs should be familiar with both layers: one governs what you file, the other governs how your regulator will evaluate it. For the broader CASP authorisation context, see our CASP licence requirements guide.
ESMA Supervisory Guidelines (July 2025): What NCAs Expect from Your Programme
ESMA published its Guidelines on supervisory practices to prevent and detect market abuse under MiCA — reference ESMA75-453128700-1039 — on 9 July 2025, exercising its mandate under Article 92(3) MiCA. These are not optional guidance: NCAs across all Member States are required to apply them within three months of publication, meaning supervisory expectations are now converging on a common EU-wide baseline. The guidelines span multiple supervisory principles and specific practices — covering proportionality of NCA oversight relative to PPAET size and risk profile, consistency of supervisory culture across Member States, integration of existing market integrity experience from MAR supervision, open stakeholder dialogue, market integrity initiatives, and mechanisms for ongoing NCA monitoring and oversight.
From a CASP compliance perspective, the most consequential aspect of the guidelines is what they signal about NCA inspection behaviour. Your home NCA is now working from a shared playbook. Expect examinations to focus on three things: whether your surveillance programme is documented in sufficient detail to demonstrate it is calibrated to your specific product set and transaction volumes; whether you conduct and record annual reviews of your surveillance arrangements (including after any material change to your crypto-asset offerings); and whether your STORs are substantive — i.e., whether they contain sufficient factual narrative to allow the NCA to assess the suspicion independently, rather than simply flagging a pattern without explanation.
The proportionality principle built into the guidelines means a small CASP with limited trading volumes will not face the same surveillance infrastructure expectations as a large exchange operating a trading platform. However, proportionality is not an exemption — it scales the requirement, it does not remove it. Every PPAET, regardless of size, must have systems and procedures capable of detecting the prohibited conduct in Articles 89–91 MiCA, and must be able to demonstrate those systems to its NCA on request. CASPs that have invested in DORA-compliant operational frameworks — see our DORA compliance guide for CASPs — will find that the documentation disciplines required there translate directly into what NCAs will assess under these market abuse supervisory guidelines.
On-Chain Surveillance: The DLT-Specific Dimension CASPs Cannot Ignore
Traditional market surveillance under MAR was built for order books, trade reports, and exchange timestamps. MiCA's Title VI extends those obligations into a fundamentally different environment. Delegated Regulation (EU) 2025/885 explicitly requires CASPs to monitor aspects of the functioning of the distributed ledger technology, including the consensus mechanism — a requirement with no direct parallel in MAR. This means surveillance systems cannot stop at the matching engine; they must reach into the DLT layer itself. For most CASPs, that requires integrating on-chain data feeds alongside traditional trade-surveillance tooling.
Three concrete dimensions define this DLT-specific obligation in practice. First, proof-of-stake networks require monitoring of validator sets and block-proposal patterns: unusual concentration of block proposals, timing anomalies, or validator behaviour correlated with large price moves on the CASP's platform can indicate front-running or information asymmetry. Second, where a CASP's trading platform interacts with on-chain liquidity — including decentralised exchange (DEX) routing or liquidity pools — that adjacent on-chain activity must be tracked as part of the surveillance perimeter, not treated as outside scope. Third, MEV (maximal extractable value) strategies — including sandwich attacks and transaction-order manipulation — fall within the market manipulation prohibition in Article 91 MiCA as an active area of regulatory attention. An important qualification applies here: the legal characterisation of specific MEV practices as market manipulation under MiCA remains subject to regulatory interpretation and ongoing development. Compliance teams should monitor ESMA guidance on this topic rather than treat any particular MEV pattern as settled law.
Building a credible on-chain surveillance capability means defining a concrete set of monitoring signals and reviewing them systematically. The following checklist reflects the categories most relevant to MiCA obligations:
- Validator anomalies: unusual block-proposal concentration, timing deviations, or validator activity correlated with platform price moves
- Large wallet movements pre-announcement: significant on-chain transfers to or from known wallets shortly before material price changes or token disclosures
- Wash-trading patterns: circular transaction flows between linked addresses inflating reported volume on the CASP's platform
- Cross-platform order spoofing: large orders placed and cancelled on the CASP's book in coordination with on-chain activity designed to move price
- DEX-adjacent front-running: mempool-observable transactions consistently executing ahead of large orders routed through or near the CASP's liquidity
- Wallet clustering signals: address-graph analysis suggesting coordinated control of accounts that individually appear unrelated
None of these signals is self-executing evidence of abuse — each requires context, thresholds calibrated to the specific asset and market, and documented escalation logic. What Regulation (EU) 2025/885 demands is that CASPs have systematic, documented procedures for capturing and reviewing these signals, not merely the technical capacity to pull blockchain data on request. NCAs examining a CASP's surveillance programme will expect to see detection scenarios mapped to specific on-chain event types, not a generic assertion that the platform "monitors the blockchain."
Enforcement: Article 111 Sanctions and NCA Powers
Article 111 MiCA sets the enforcement ceiling for market abuse violations significantly higher than many compliance teams assume. For legal persons, the maximum administrative fine is at least €15,000,000 or 15% of total annual turnover — whichever is higher. For natural persons, the ceiling is at least €5,000,000. These are the floors that NCAs must be empowered to impose; domestic law can go further. Where a market abuse breach generates identifiable profit or avoided loss, the competent authority may additionally impose a sanction of up to three times the amount of the gain or avoided loss — regardless of whether the standard ceiling has already been applied. Compliance teams should review the specific provision of Article 111 MiCA relevant to their infringement category, as the percentage-of-turnover component varies depending on the nature of the breach and the provision violated.
| Sanction type | Market abuse ceiling | Who can be sanctioned |
|---|---|---|
| Administrative fine | €15,000,000 or 15% of total annual turnover (higher applies) | Legal persons (CASPs, issuers) |
| Administrative fine | €5,000,000 | Natural persons (officers, managers) |
| Profit-based surcharge | Up to 3× profit gained or losses avoided | Legal and natural persons |
| Public decision publication | No monetary ceiling — reputational | Legal and natural persons (Article 114 MiCA) |
| Suspension or revocation of authorisation | Operational — full activity cessation possible | Authorised CASPs |
| Temporary management ban | Duration at NCA discretion | Natural persons in management roles |
Beyond financial penalties, NCAs retain a toolkit that includes issuing public warnings, requiring immediate cessation of conduct, and — in the most serious cases — suspending or revoking CASP authorisation under Article 64 MiCA. Publication of enforcement decisions under Article 114 carries its own consequences: named decisions are searchable and permanent, with direct effects on client trust and institutional relationships. With Delegated Regulation (EU) 2025/885 now in force as of September 2026 and ESMA's surveillance guidelines applied by NCAs from October 2025, the full regulatory framework is operational. Supervisors across the EU now hold both the technical standards and the formal legal tools to act — enforcement activity is expected to increase materially, and CASPs that have not yet formalised their surveillance and STOR programmes face the greatest exposure. See the CASP licence requirements guide for how enforcement risk connects to your ongoing authorisation obligations.
Frequently asked questions
Which CASPs are subject to the STOR reporting obligation under Article 92 MiCA?
The STOR obligation applies to 'persons professionally arranging or executing transactions' in crypto-assets (PPAETs), not automatically to all CASPs. This includes CASPs operating trading platforms, executing orders on behalf of clients, and receiving and transmitting orders. Pure custody providers are only within scope to the extent they are also professionally arranging or executing transactions — providing safekeeping alone does not automatically trigger Article 92 duties.
What does Commission Delegated Regulation (EU) 2025/885 actually require?
Delegated Regulation 2025/885, in force from 9 September 2025, requires PPAETs to have written, documented surveillance systems that monitor all orders and transactions (placed, modified, cancelled, or rejected — whether on or off a trading platform) as well as DLT-layer events including consensus mechanism activity. Systems must be reviewed at least annually, be proportionate to the firm's scale and nature, and use the mandatory STOR template for any suspicious activity report filed with the home NCA.
When must a STOR be filed and is there any liability protection for reporting?
A STOR must be filed 'without delay' once a reasonable suspicion of market abuse arises — there is no express waiting period while an internal investigation is concluded. Article 92 MiCA includes a good-faith liability shield: PPAETs and their employees are not liable for breach of confidentiality restrictions when a STOR is filed in good faith. A tipping-off prohibition applies — the person suspected must not be informed of the report.
Does MiCA require CASPs to maintain insider lists, as under MAR?
No. MiCA does not replicate MAR's explicit insider-list requirement for CASPs. Article 87 MiCA defines 'inside information' but does not independently impose an obligation on CASPs to maintain and update insider lists. Maintaining such a list is prudent best practice and some NCAs may informally expect it, but it is not a stated MiCA obligation in the same way as under MAR. Firms should monitor their home NCA's supervisory expectations on this point.
What are the maximum penalties for market abuse violations under Article 111 MiCA?
For legal persons, Article 111 MiCA provides for a maximum administrative fine of at least €15,000,000 or 15% of total annual turnover — whichever is higher. For natural persons, the maximum is at least €5,000,000. For market abuse breaches specifically, sanctions can also be set at up to three times the profit gained or losses avoided. NCAs may additionally publish decisions, revoke licences, and impose management bans.
What is the status of MEV (maximal extractable value) under MiCA's market abuse rules?
MEV strategies — such as sandwich attacks and front-running on-chain — are within the regulatory scope of scrutiny under Article 91 MiCA's market manipulation prohibition. ESMA guidelines draw attention to this area, and the consensus mechanism monitoring requirement in Delegated Regulation 2025/885 is directly relevant. However, the precise legal characterisation of specific MEV practices as market manipulation under MiCA remains subject to ongoing regulatory interpretation. Compliance teams should treat MEV monitoring as a live obligation and track ESMA guidance as it develops.