The MiCA Regulation is a European regulation (Regulation (EU) 2023/1114) whose aim is to harmonize the crypto and digital asset market. Published on May 31, 2023, its implementation is being phased in gradually to give the players concerned time to get up to speed. The text also aims to fill a legal void concerning this fast-growing sector, as well as to protect investors by providing a clear and transparent framework for the practices of the various players involved.
What is the timetable for implementing the MiCA regulation?
The rules applicable to crypto-assets have been rolled out gradually. The initial text published on May 31, 2023 saw its provisions concerning token issuers come into force on June 30, 2024. In turn, the provisions governing Crypto Asset Service Providers (CASPs) came into force on December 30, 2024. At the beginning of the year, the AMF reminded us that the transitional period will end on July 1, 2026, by which date all operators must have obtained PSCA approval (also known as a MiCA license) to continue operating legally in France.
MiCA: the main points of the regulation
Compliance with MiCA regulations is based on 4 fundamental pillars.
The first pillar imposes transparency of the offer via the mandatory publication of a white paper. This document engages the legal responsibility of the issuer and must detail the technical characteristics of the crypto-assets on offer, as well as the risks involved and the environmental impact.
The second pillar is dedicated to prudential and governance requirements for players. A distinction is made between two types of player: PSCAs (crypto asset service providers), which are pure crypto players (exchange platforms, crypto brokers) and which, until now, could be satisfied with a simple PSAN registration with no obligation to obtain approval; and traditional financial players who can provide crypto asset services after notification to the competent authority (in this case the AMF for France). PSANs must now obtain compulsory approval, prove their financial soundness via permanent capital reserves capable of absorbing any market fluctuations, and justify the good repute and competence of their managers.
The third pillar strives to protect investors. To this end, the MiCA regulation imposes asset segregation, strict communication and advertising rules aimed at eliminating any misleading presentation of products or services, and calls for safeguards to be put in place to oblige platforms to act honestly, fairly and professionally. Providers must emphasize their duty to advise on complex products, carry out a suitability test based on the investor's profile, guarantee a free and rapid complaints and claims management procedure, and offer a right of withdrawal on certain offers.
Finally, the fourth pillar aims to protect the integrity of the ecosystem by transposing traditional finance rules on blockchain-related market abuse. Indeed, insider trading and price manipulation in crypto-assets have long tarnished the sector's image, and players now have an obligation to monitor transactions to detect suspicious behavior and report it without delay to the relevant authorities.
Crypto Asset Service Provider (CASP) status
With the MiCA regulation, the European Union is breaking new ground by introducing a harmonized European licensing regime for crypto-asset service providers, known by the acronym PSCA (or CASP in English, for Crypto-Asset Service Provider). This status replaces pre-existing national regimes, such as the PSAN status in France, instituted by the 2019 PACTE law. Whereas the PSAN regime was based on compulsory registration with the AMF with optional enhanced approval, the MiCA regulation imposes compulsory approval on all providers, obliging them to guarantee their transparency, compliance, governance and internal control systems.
To obtain PSCA approval, the applicant entity must be a legal entity established in the European Union, and submit an application to the competent authority in its home Member State. The competent authority in France is the AMF. It examines these applications in coordination with the ACPR. The application must demonstrate that the service provider meets a set of requirements covering governance, capital, organizational arrangements, management of conflicts of interest, protection of customer assets and information systems security as explained below.
One of the major advantages of this regime is the mechanism for cross-border provision of crypto-asset services (Article 65 of MiCA). A CASP authorized in one Member State can provide its services throughout the European Union - under the freedom to provide services or through the establishment of a branch - after making a declaration to the competent authority, without additional authorization in each country. This facilitates cross-border deployment, while guaranteeing consistent supervision.
The cybersecurity dimension of the MiCA regulation
Cybersecurity is a key component of the MiCA regulation, reflecting the European legislator's awareness of the risks inherent in the digital nature of crypto-assets. In a sector where security incidents, platform hacks and massive losses of funds have punctuated recent history, the regulation imposes significant requirements in terms of IT security and operational resilience on both token issuers and service providers.
Indeed, MiCA not only regulates good business practices and the financial flows of the entities concerned; it also locks down the technological infrastructure by placing, de facto, all its players under the aegis of the DORA (Digital Operational Resilience Act) regulation. As indicated in Articles 34 (for token issuers) and 68 (for PSCAs), the management of ICT systems must comply with European Parliament Regulation (EU) 2022/2554 (which we present in this article). While conventional financial institutions were already prepared for this by their very nature, token issuers and PSCAs are discovering a new regime of cybersecurity requirements. All these players must now prove their ability to withstand, react to and recover from cyberattacks. This includes rigorous IT risk management including cloud and supply chain, systematic notification of major incidents to the authorities and regular resilience testing (including penetration testing but also advanced tests such as TLPT for the entities concerned).