Cross-border crypto services in EU under MiCA: What you need to know in 2026

Since December 30, 2024, the MiCA regulation has completely changed how crypto companies operate across the European Union. No more patchwork rules. No more applying for licenses in every country. If you’re a crypto service provider and you want to serve customers from Germany to Portugal, you now get one license - and it works everywhere. That’s the power of MiCA’s EU passport system. But here’s the catch: it’s not easy to get, and if you’re outside the EU, the rules are even stricter.

How the EU crypto passport actually works

Before MiCA, a crypto exchange based in Estonia had to jump through separate hoops to serve customers in France, Spain, or Italy. Each country had its own rules, fees, and paperwork. That made scaling impossible for smaller firms. MiCA fixed that. Now, any crypto-asset service provider (CASPs) that gets licensed in one EU country - say, Ireland or the Netherlands - can automatically offer services across all 27 member states. No extra applications. No extra audits. Just a single authorization, backed by EU-wide rules.

To use this passport, the provider must notify their home regulator about their plans to expand. That’s it. The regulator then shares the info with other EU countries. From there, the service can legally operate - whether it’s trading Bitcoin, managing stablecoins, or holding wallets for clients. The key? You must be fully licensed under MiCA. No loopholes. No shortcuts.

What you need to qualify as a CASP

Getting licensed isn’t just filling out a form. MiCA demands real financial and operational muscle. Here’s what every CASP must have:

• Own funds: You need to keep capital on hand - at least €125,000, but often much more depending on your business size and risk profile.
• Insurance: Coverage for theft, hacking, or operational failure. Not optional.
• Client asset protection: Your customers’ crypto must be kept separate from your company’s funds. No commingling. Ever.
• Transparency: You must publish detailed white papers for any token you issue. That includes how the asset works, who backs it, and how it’s maintained.
• Market abuse controls: You need systems to detect insider trading, price manipulation, or wash trading. If you’re running a crypto exchange, this is non-negotiable.

What makes a CASP "significant"?

MiCA doesn’t treat all providers the same. If your company serves 15 million or more active users in the EU each year, you’re labeled a "significant" CASP. That triggers extra scrutiny. You’ll report directly to the European Securities and Markets Authority (ESMA), not just your national regulator. ESMA can demand stress tests, review your management pay, and even block new services if they think you’re a systemic risk.

This isn’t theoretical. By early 2025, at least three major global exchanges had already been flagged as significant under MiCA. One of them, based in the U.S., had to shut down its EU-facing operations until it set up an EU subsidiary. That’s how serious this is.

What about non-EU companies?

If you’re based outside the EU - say, in the U.S., Singapore, or Switzerland - you can’t just keep serving EU customers like before. MiCA shuts the door on that.

You now have two choices:

1. Set up an EU subsidiary: Register a legal entity inside the EU, get licensed as a CASP, and operate from there. This is what Coinbase, Kraken, and Binance did. They all opened new EU headquarters in 2024.
2. Wait for reverse solicitation: This is the loophole some tried to use. It means an EU customer contacts you on their own - no ads, no websites targeting them, no marketing. But ESMA’s guidelines in late 2024 made this nearly useless. If your website is in English and accepts EUR, or if you have a .eu domain, regulators will assume you’re actively targeting EU users. Reverse solicitation is basically dead for any serious business.

The result? Dozens of non-EU crypto firms lost access to the EU market. Others scrambled to relocate. The EU didn’t just regulate - it forced a geographic reset.

Stablecoins face even tougher rules

If you’re issuing a stablecoin - a crypto pegged to the euro or dollar - MiCA hits you harder. You need:

• Reserve transparency: Every euro backing your token must be clearly documented and held in regulated banks.
• Redemption rights: Users must be able to exchange your token for the underlying asset (like EUR) at any time, without delay.
• Liquidity buffers: You must keep enough cash or liquid assets to cover sudden mass redemptions.

Terra’s collapse in 2022 taught regulators a lesson. MiCA’s stablecoin rules are designed to make that impossible again. That’s why projects like USDT and USDC had to restructure their EU operations - and why new stablecoins are now rare in Europe.

Who’s affected the most?

The biggest changes hit three types of businesses:

• Crypto exchanges: Must now prove they can prevent market abuse and protect user funds.
• Custodial wallet providers: If you hold private keys for users (like a bank holding cash), you’re treated like a bank. No exceptions.
• Embedded finance platforms: Even companies that aren’t crypto-first - like a fintech app that lets users buy Bitcoin as a side feature - must get licensed if they offer crypto services to EU users.

The EU didn’t just regulate crypto. It redefined what counts as a financial service.

What about taxes and AML?

MiCA doesn’t replace anti-money laundering (AML) rules - it layers on top of them. All CASPs must follow the EU’s 6th AML Directive. That means:

• Know your customer (KYC) checks for every user
• Reporting suspicious transactions to national financial intelligence units
• Sharing data across EU regulators if fraud is suspected

This isn’t new for banks - but for crypto firms, it’s a massive shift. Many small providers couldn’t afford the compliance tech. Others shut down rather than adapt.

Is MiCA working?

So far, yes - but it’s messy. Fifteen EU countries chose to shorten their 18-month transition periods. That means some firms had to comply by January 2025, while others had until mid-2026. This created confusion. Some regulators are still building teams. Others are already shutting down non-compliant firms.

But the big picture is clear: the EU has built the world’s first unified crypto rulebook. And it’s working. Since MiCA went live, over 300 CASPs have been authorized across the bloc. The number is growing every month. The EU isn’t trying to kill crypto. It’s trying to make it safe, predictable, and scalable.

What’s next?

ESMA is still working on technical standards for stress testing, remuneration policies, and token issuance. More rules are coming. But the core framework is set. The EU is now the global benchmark. Countries like the UK, Japan, and even the U.S. are watching closely. MiCA isn’t just a regulation - it’s a blueprint.

For businesses, the message is simple: if you want to serve EU customers, you need to be in the EU. No exceptions. No workarounds. And if you’re already here? You’ve got a clear path - if you’re ready to play by the rules.