A new era of cryptocurrency regulation in the EU:

The European regulation MiCA (Markets in Crypto-Assets) brings major changes for all companies operating in the cryptocurrency sector from 2025. It is the first comprehensive regulatory framework for crypto-assets in Europe. MiCA aims to increase market credibility, protect investors and ensure financial stability, but it also imposes new obligations and strict compliance requirements on crypto firms. The hitherto relatively loose legal environment is thus gaining firm rules, similar to the traditional financial sector. Failure to comply with the new requirements can lead to heavy fines, loss of licence and damage to a firm's reputation.

Author of the article: ARROWS advokátní kancelář (Mgr. Jáchym Petřík, office@arws.cz, +420 245 007 740)

ARROWS specializes in financial law and fintech and has practical experience in implementing regulatory requirements, so it can help you navigate and implement these new regulations. In this article, we therefore provide an overview of the main obligations under MiCA, highlight the risks of non-compliance and provide advice on how to prepare for the changes.

MiCA implementation timeline (2023-2024). The MiCA regulation was formally approved in May 2023 and its requirements are being rolled out in two phases:

• stablecoin rules apply from 30 June 2024
• from 30 December 2024, all other provisions, in particular the regulation of crypto service providers

In practice, this means that from the beginning of 2025, the crypto industry will be subject to uniform rules across the EU, and national regulators (in the Czech Republic, the Czech National Bank) will take over the supervision of compliance.

Who is subject to MiCA?

All entities that issue cryptoassets or provide services related to cryptoassets in the EU - i.e. crypto exchanges, exchangers, custodians, trading platforms, crypto advisors, as well as issuers of new cryptocurrencies or tokens.

The exceptions are assets already regulated by other regulations (e.g. security tokens covered by securities laws) and unique NFTs, unless they are actually serially traded tokens. However, the vast majority of common cryptocurrencies (Bitcoin, Ethereum, etc.) and related services will now fall under MiCA.

Below, we look at the main new obligations that MiCA brings and the consequences of failing to comply with them.

Main duties under MiCA

If you are in the crypto business, you will face a number of new regulatory obligations from 2025. MiCA introduces requirements similar to those we are familiar with from the regulation of traditional financial markets (e.g. MiFID, MAR, PSD). Here is an overview of the key areas you need to prepare for:

Crypto Service Provider Licensing (CASP)

As of 1 January 2025, only an entity with a CASP (Crypto-Asset Service Provider) licence may operate a cryptocurrency exchange, exchange, brokerage, custody and other services related to cryptoassets in the EU.

This is a major change - while many crypto firms have been operating on a sole proprietorship basis, they will now be required to obtain a licence from the regulator (in the Czech Republic, the Czech National Bank). The CASP licence will be uniform across the EU (the European passport principle), so with one licence it will be possible to legally offer services in all member states.

However, the conditions for obtaining a licence will be strict: the applicant must have sufficient capital, trustworthy and qualified management, processes in place to protect client assets, measures against cyber-attacks, etc.

Companies that today operate only on the basis of trade licenses (typically small exchange offices) will have to transition to a fully regulated regime - this will require significant investments in compliance and possibly even changes in the structure of the business.

Failure to meet the conditions is expected to drive smaller players out of the market and consolidate the industry. Existing firms have the option of taking advantage of a transition period (until mid-2026) - if they fall within this period, they can continue to operate temporarily, but must apply for a licence in time or they will be forced to cease operations.

Whitepaper when issuing tokens

The MiCA introduces an obligation for anyone publicly offering a cryptoasset (other than stablecoins) or applying to list it on an exchange to publish an information document - a "crypto-asset whitepaper".

This document should contain clear information about the project, the rights associated with the token, the technology, the risks, etc. - similar to the prospectus of a security in an IPO. The whitepaper will only need to be notified to the regulator, it does not need prior approval, but the issuer is responsible for its accuracy and completeness.

There are some exceptions to this obligation - e.g. if the token offer is to less than 150 persons in each country or the total volume does not exceed €1 million in 12 months, whitepaper does not have to be made.

Caution: even in such cases, however, there are obligations to investors (e.g., to provide basic information and to follow fair communication rules). The whitepaper is an essential tool to protect investors from fraudulent or unsustainable projects, and its absence or deficiencies may lead to a ban on token offerings.

Stricter regime for stablecoins (ART and EMT)

A special chapter are the so-called stablecoins, i.e. tokens linked to the value of another asset. MiCA divides them into asset-linked tokens (ARTs) - for example, stablecoins backed by a basket of fiat currencies or commodities - and electronic money tokens (EMTs) - stablecoins linked 1:1 to a single fiat payment (functionally similar to electronic money).

These instruments are subject to an extremely strict regime because their potential instability would threaten the wider financial system.

A stablecoin issuer will need to obtain prior authorisation, meet capital requirements and be subject to ongoing oversight by regulators. For example, EMT issuers will need to be a bank or an e-money institution (i.e. licensed under e-money regulation), while ART issuers will need to obtain specific authorisation under MiCA.

Stablecoins will have to be fully backed by reserve assets, the issuer will ensure the right of holders to sell the tokens at any time (redemption) and will publish regular stability reports. For so-called significant stablecoins (meeting large volumes - see criteria such as over 2 million users or over €1 billion in circulation), the European Supervisory Authority (EBA) will take over supervision and special supervision fees will be payable.

No non-compliant stablecoin may be offered in the EU from mid-2024 - which is why, for example, some foreign issuers are withdrawing their stablecoins from the European market until they obtain the necessary permissions.

Customer protection and market integrity

Crypto service providers (CASPs) must act honestly, fairly and in the best interests of their clients. For example, the MiCA imposes an obligation to segregate client crypto-assets from their own (i.e. custody services must not commingle client funds with their own) and to establish rules for resolving customer complaints.

Firms will have to transparently disclose fees and highlight the risks associated with their products so that customers have a clear idea of what they are getting into.

In terms of market integrity, MiCA introduces a regime similar to that known from the traditional capital market: a prohibition on market manipulation and insider trading in cryptocurrencies.

Thus, practices such as artificially influencing the price of tokens, spreading fake news to move the price, insider trading, etc. will be prohibited - violations will be judged similarly strictly as in the case of stock trading.

AML/CFT and risk management

Crypto firms subject to MiCA will have to comply with anti-money laundering and counter-terrorist financing (AML/CFT) requirements to the same full extent as banks. This means the obligation to perform KYC, monitor transactions, report suspicious transactions to the Financial Intelligence Authority, etc. In addition, MiCA also emphasizes cybersecurity and operational resilience - firms must put in place system and data protection measures, disaster recovery plans, etc..

Custody providers, for example, will need to have secure wallets and backup mechanisms in case of technical problems. This requirement goes hand in hand with another new DORA regulation on digital operational resilience, which also applies to the fintech sector.

Overall, MiCA forces crypto firms to implement a robust risk management system - from financial to operational to legal risks.

Consequences of non-compliance with MiCA obligations

The introduction of MiCA will significantly raise the regulatory bar for the crypto business. Companies that do not comply with the new rules will not be able to continue legally - operating crypto services without a license will now be illegal and severely punished. Supervisory authorities (in the Czech Republic, the CNB) will gain broad powers to enforce order in the market thanks to MiCA.

What are the specific penalties for breach of the Regulation?

High financial penalties

Regulators will be able to impose fines of up to €20 million or 5% of a firm's total annual turnover (whichever is higher). These are amounts comparable to the most stringent penalties under the GDPR and signal the EU's intention to require strict compliance.

For example, the continued operation of an unregulated exchange in 2025 could lead to a fine of hundreds of millions of crowns. However, even minor violations can be punished severely - MiCA also provides for penalties for individuals (managers) of up to EUR 700,000.

A minimum fine of EUR 500,000 is even being considered for the illegal operation of a crypto exchange in the Czech Republic. For a smaller startup, a fine of tens of thousands of EUR could pose an existential threat, not to mention millions.

In addition, penalties can be cumulative - a firm that violates multiple obligations (e.g., not having a license and failing to comply with AML) can receive multiple penalties simultaneously.

Loss of licence and prohibition of activity

In addition to fines, the regulator threatens to suspend or revoke a firm's licence if it grossly or repeatedly breaches its obligations. It will not be possible to operate crypto services without a valid licence at all after 2025 - such activity will be deemed unauthorised and may be stopped immediately. The revocation of the license would effectively put an end to the crypto startup's business in the industry, as it is impossible to legally serve clients without a license. The license is therefore a matter of survival for the crypto firm.

Regulators can also issue a ban on a person - managers who are responsible for a breach can be banned from the industry (e.g. banned from serving as a CASP board member for up to several years). Even the threat of career loss is sure to make company executives cautious.

Criminal liability

As such, while violations of MiCA fall under administrative law (fines, regulator's measures), some related acts may constitute criminal offences.

Money laundering through crypto or organising a fraudulent ICO can lead to prosecution of those responsible. Managers who would deliberately ignore the warning signs and allow the proceeds of crime to flow through their platform could be charged with laundering the proceeds of crime.

Similarly, if a failure to perform duties (e.g., neglect of security or segregation of funds) leads to harm to clients - data leakage, loss of funds - there is a risk of lawsuits from aggrieved customers. Thus, management's personal freedom and assets may be at stake.

Reputational risk and loss of clients

Fintech and the crypto sector are built on customer trust. If it comes to light that a company has disregarded regulatory rules, underestimated security or client rights, it can cause irreparable reputational damage. For example, a leak of client data due to lax security, or the discovery of market manipulation, will lead to an exodus of users to competitors.

Especially for young crypto companies, such a loss of trust could be devastating - regaining trust is extremely difficult.

Reputational loss can be likened to a domino effect: it can scare away investors, business partners and talented employees. Therefore, compliance with MiCA is not only a legal obligation, but also a matter of business strategy and the long-term prosperity of the company.

In short, it does not pay to ignore MiCA. Penalties can reach devastating proportions and regulators are adding new enforcement tools. Financial penalties, license revocation, criminal prosecution and loss of reputation are all real threats.

On the other hand, companies that adapt in time will gain a competitive advantage and the opportunity to grow legally throughout the European market. So how to prepare for the new regulation and where can problems arise?

Contact our experts:

Where problems can arise and how to solve them (practical examples)

Putting MiCA into practice will bring a number of challenges. Below are specific scenarios where crypto firms are at risk of stumbling and how to overcome these pitfalls. For each problem, we offer recommended solutions - including the option of enlisting the expertise of ARROWS attorneys who have experience with similar situations.

Example 1 - Unlicensed cryptocurrency after 2025:

Imagine a smaller crypto exchange that ignored the obligation to apply for a CASP license and continued to trade cryptocurrencies underground after 1/1/2025.

Risk: The regulator (the CNB) will take a look at it very quickly. This could be followed by an immediate ban and a fine of millions of euros, not to mention reputational damage if it were publicly announced that the company was breaking the law. For its clients, this means freezing accounts and forced trading halts.

Solution: There is only one way to avoid such a situation - apply for a CASP licence on time. The company should prepare all the application documents and submit it to the CNB no later than 2024. The licensing process includes documenting capital, business plan, setting up internal controls, etc.

The use of legal experts (e.g. the ARROWS team) can greatly facilitate communication with the regulator and ensure that the application is complete and correctly filed. Existing exchanges that already have temporary registration (such as VASP) should take advantage of the streamlined regime and not wait until the last minute.

The key is not to delay - obtaining a licence is a challenging process and the sooner you start the better.

Illustration: crypto trading platform. Failure to comply with MiCA's licensing obligations (e.g., operating an exchange without a CASP license) will lead to regulatory intervention and the threat of heavy penalties.

Disclaimer: Unauthorized business in a crypt after the MiCA has taken effect will not be tolerated. Once MiCA is in effect, you must either be licensed or cease operations.

Our advice: Conduct an internal audit of your business - which of your services fall under the CASP definition? If almost any, take steps to license immediately. ARROWS can help guide you through the process smoothly - from analyzing the regulatory impact on your model to writing the application and representing you before the CNB.

Example 2 - Issuing tokens without a whitepaper:

The startup plans to issue its own cryptocurrency (token) and sell it to the public to fund the project, but will not prepare a whitepaper according to MiCA. Either he underestimates the obligation or believes it does not apply to him.

Risk: If it offers tokens to investors in the EU without an approved disclosure document, it commits an unauthorised offer of an investment instrument. The regulator may prohibit the distribution of the token, impose a fine and order compensation to investors. In addition, the company will lose credibility - investors may feel deceived and abandon the project.

Solution: A legal analysis should be performed before the token offering begins to determine whether it is a cryptoasset covered by MiCA and whether a whitepaper obligation arises. If so, prepare a whitepaper with all the MiCA requirements (project description, team, rights, tokenomics, risks...). Then notify the document to the relevant authority (in the Czech Republic, the CNB) before the sale.

Don't underestimate the quality - the whitepaper is the calling card of the project and a legal guarantee for investors. It is worth having it reviewed by experts to ensure it meets all requirements and that nothing essential is missing. If you want to avoid paperwork, consider whether you meet any of the exceptions (e.g. limited investors up to 150 people, etc.) - but apply these in consultation with a lawyer as the conditions are strict.

ARROWS attorneys have helped prepare whitepapers for clients and can provide you with a template and valuable practice advice.

Example 3 - Insufficient protection of customer assets:

The crypto exchange offers customers custody of cryptocurrencies but is unclear on the client money department. Client cryptocurrencies are held on a couple of shared wallets along with the firm's own funds. For example, it has not established a formal complaint handling process.

Risk: This practice is unacceptable according to MiCA, and in the event of an audit, the firm would not comply with its obligation to maintain separate custody of assets. In addition, if there were a hack and cryptocurrency leak, clients would likely lose everything, which would mean not only regulatory sanction but also legal liability for damages.

Solution: Modify internal processes to fully comply with MiCA's customer protection requirements. This includes: having clearly designated wallets (accounts) for client assets, separate from company operating funds; regularly reporting on the status of assets held; establishing guidelines for handling client complaints and claims; and transparently disclosing all fees and risks.

The firm should also develop an incident plan - what it will do if a crypt is stolen or service is down - to minimize the impact on clients. Many of these measures require detailed knowledge of the regulations, so we recommend conducting a compliance audit with the help of experienced professionals.

For example, ARROWS offers analysis of the impact of regulation on your business, identification of gaps and assistance with setting up the necessary guidelines. As a result, you'll not only meet the letter of the law, but also increase customer confidence that their funds are safe with you.

Example 4 - Stablecoin without sufficient cover:

The firm wants to issue its own euro-linked stablecoin, but it does not meet the capital requirements and has no clear reserve mechanism. Nevertheless, it will start offering the stablecoin on the market.

Risk: Under MiCA, such an issuer is in violation of the law - to issue an e-money token (stablecoin to fiat), it must be licensed as an electronic money institution and hold 100% coverage in reserves. Otherwise, the regulator will order it to cease operations. If a stablecoin suddenly loses its peg to the euro (called a depeg), it puts the token holder at risk and causes panic - the firm faces both sanctions from supervisors and lawsuits from investors.

Solution: Don't get into stablecoins without thorough preparation. You need to get the appropriate permissions - either to become a licensed electronic money institution (for fiat-pegged tokens) or to qualify for an asset-linked token. This entails having sufficient capital, ensuring separate and secure reserves, and setting rules for value maintenance and withdrawals. For more significant stablecoins, EBA supervision and mandatory fees must be taken into account.

For a company that does not have the capacity to do so, we recommend not to start your own stablecoin or to work with a partner that has a license. Alternatively, they may consider issuing a classic token (utility token) instead of a stablecoin. Again - legal advice beforehand is essential.

ARROWS experts can assess your stablecoin business plan and suggest how to bring it into compliance with MiCA, or what changes to make to make the project compliant with regulatory requirements (e.g. modify the model, get an investor for capital).

*Example summary: Each crypto-firm is unique, but the situations described above show typical problem areas: licensing, information obligations, internal processes and special regimes (stablecoins).

The key to successfully managing MiCA is proactivity - identifying weaknesses now and strengthening them early. If you're not sure where to start, get expert advice.

As the old saying goes, "Fortune favors the prepared." In the context of MiCA, we would add: the prepared will survive and grow, the unprepared may disappear from the market.

Team Arrows advokátní kanceláře

How ARROWS can help you

Navigating such extensive regulatory changes and implementing them correctly in practice can be challenging for crypto farms. ARROWS law firm offers comprehensive support and partnership in this area. Our team of lawyers specializes in financial law and fintech and closely follows the latest developments in European legislation, including MiCA. With extensive experience in implementing regulatory requirements with financial institutions, we know where to focus and where companies face the greatest risks.

How can we help you?

Analysis of the impact of MiCA on your business:

We will conduct a detailed audit of your services and processes in light of the new regulation. We will identify which specific MiCA obligations apply to your company and whether you are meeting all the requirements. We will highlight any compliance gaps and suggest what needs to be adjusted. You'll get a clear roadmap of what you need to do to comply with MiCA.

Turnkey implementation: we will help you create or modify all necessary internal guidelines, procedures and contractual documentation to meet the new requirements. For example, we can prepare new terms and conditions and client information materials (as per MiCA), guidelines for segregation and protection of client assets, market abuse prevention rules, updates to internal AML regulations, etc.

We will set everything up in accordance with Czech law and European standards so that you are covered as much as possible.

Training and workshops:

We provide hands-on training for your employees and management on their new responsibilities. We will teach your team how to recognize risk situations (e.g. cyber incidents, suspicious transactions) and how to react correctly according to legal requirements. This will minimize the risk of human error that could lead to a breach and a penalty.

Support in the licensing process:

If you need to obtain a new license (typically a CASP license for crypto services), we will guide you through the entire process with the CNB. We will prepare the application, all the necessary attachments and communicate with the regulator to make the process go smoothly. Likewise, we can assist with notification obligations - for example, prepare and file a whitepaper notification under MiCA. We also have experience with other licenses (payment institutions, e-money), so we know what the CNB expects.

Ongoing consulting and compliance monitoring:

Regulatory compliance is not a one-off event. We offer long-term cooperation in the form of external oversight of your compliance. We will monitor further changes in the law on your behalf, alert you to new obligations in a timely manner and consult you on specific situations (e.g. the introduction of a new technology or product).

We can help you identify a potential problem before it escalates into a sanction procedure. We become a partner you can rely on for legal and regulatory issues while you focus on growing your business.

Incident and dispute resolution:

If something unpleasant happens - such as a cyber incident, an inspection by a regulator or even the initiation of an administrative proceeding - we will represent your interests. We'll help with mandatory communications (reporting the incident, explaining the surveillance findings, preparing corrective actions) and advocate for your company so that the impact is minimized. Having an experienced legal team by your side can make a significant difference in the outcome of any litigation or proceeding.

Conclusion

The MiCA regulation will shake up the world of cryptocurrencies, but it will also move it closer to the mainstream. For crypto firms, it presents a challenge - they must invest time and resources to comply with the new rules. However, the risks of inaction are too great, as we described above. On the contrary, those who prepare early can reap a competitive advantage from the regulation: they will gain client trust, a head start over latecomers and open up the whole European market with a single set of rules.

Don't leave anything to chance. Start preparing for MiCA now - map the impact on your business, consult on contentious issues, adjust processes and apply for the licenses you need.

ARROWS is ready to give you a helping hand on this path to responsible growth. Get in touch with our team - together we will ensure your business is fully MiCA compliant in 2025 and ready to take advantage of all the opportunities that the new era of cryptocurrency regulation will bring.

Contact us today and let us help you successfully prepare for MiCA!

Don't want to deal with this problem yourself? More than 2,000 clients trust us, and we have been named Law Firm of the Year 2024. Take a look HERE at our references.