MiCA’s Transition Ends on 1 July 2026. Is Your Crypto Business Authorised to Continue?

On 1 July 2026, the final EU-wide transitional period under the Markets in Crypto Assets Regulation will expire.

The significance of this date should not be understated. Crypto-asset service providers (“CASPs”) that have continued operating under national registration or arrangements that allowed them to keep operating under old rules for a limited time (often called “grandfathering”) will no longer be permitted to conduct business as usual unless they have obtained the required authorisation under MiCA.

It is important, however, to describe the development accurately. MiCA enforcement does not begin on 1 July 2026. The Regulation has already been applying in stages: its provisions concerning asset-referenced tokens and e-money tokens have applied since June 2024, while the broader regime governing crypto-asset service providers, market conduct and other crypto-assets has applied since December 2024.

What ends on 1 July is the maximum transitional period under Article 143(3) of MiCA.

This represents the point at which the European crypto market moves decisively away from national transitional registrations and towards a fully operational, authorisation-based MiCA regime.

What does the 1 July deadline mean?

Article 143(3) permitted Member States to allow crypto-asset service providers that were lawfully operating before 30 December 2024 to continue temporarily under their existing national regimes.

That temporary permission could continue until:

• 1 July 2026,
• the date on which the provider obtained MiCA authorisation, or
• the date on which its application was refused,

whichever occurred first.

Some jurisdictions shortened or did not apply the full transitional period. In those countries, the deadline has already passed. The date of 1 July 2026 is therefore the final EU-wide backstop rather than the date on which MiCA first becomes enforceable.

MiCA has also been incorporated into the EEA Agreement, extending its relevance to the wider European Economic Area framework, including Iceland, Liechtenstein and Norway.*

A pending application is not an authorisation

Conversely, once authorised under MiCA, a CASP may benefit from passporting rights, enabling it to provide its authorised crypto-asset services throughout the EEA, subject to the applicable notification procedures. For many firms, obtaining MiCA authorisation is therefore not merely a regulatory obligation but a gateway to accessing the wider European market through a single authorisation.

One of the most important consequences of the deadline is that submitting a MiCA application is not, by itself, sufficient to preserve the right to operate.

A provider whose application remains pending on 1 July 2026 cannot assume that it may continue providing crypto-asset services until the regulator reaches a decision.

Unless the provider has actually obtained authorisation, or is otherwise entitled to provide the relevant services through one of MiCA’s specific notification routes, it must cease ordinary regulated activity and implement an orderly wind-down.

This distinction is critical. National registration, historical CASP status, an application reference number or an ongoing process with a competent authority does not amount to MiCA authorisation.

ESMA calls for immediate wind-down measures

In its public statement of 23 June 2026, ESMA adopted a clear and firm position regarding providers that will remain unauthorised when the transitional period ends.

ESMA expects unauthorised CASPs to take immediate steps to shut down their EU activities while safeguarding clients and mitigating risks to market integrity.

In practical terms, an unauthorised provider must:

• stop onboarding new EU clients,
• refrain from opening new accounts or client relationships,
• cease marketing, promotion and solicitation,
• limit its activities to those strictly necessary to sell or transfer assets, reallocate holdings or close positions,
• continue custody only for the period strictly necessary to complete an orderly exit, and
• communicate clearly and repeatedly with clients regarding applicable deadlines and the treatment of their assets.

Where residual positions may be closed automatically, clients should be given clear advance notice of the relevant deadline and the consequences of failing to act.

Shut down is not a continuation of ordinary business under another name. A provider cannot use an extended exit process as a means of maintaining commercial operations indefinitely. ESMA’s 23 June statement requires unauthorised CASPs to stop onboarding, marketing, and offering, restrict services to orderly exit activities, maintain AML/CFT controls and complete custody arrangements only as strictly necessary for wind-down. It also highlights third-country firms, B2B activity, reverse solicitation and unauthorised custody delegation.

AML, sanctions and Travel Rule obligations continue during wind-down

The expiry of the transitional period does not suspend regulatory obligations. An unauthorised CASP implementing a wind-down must continue to maintain effective controls concerning:

• customer due diligence
• transaction monitoring
• sanctions and restrictive-measures screening
• suspicious transaction and activity reporting
• record keeping, and
• the traceability requirements applicable to transfers of funds and crypto-assets.

Where clients are transferred to an authorised provider, the receiving CASP must conduct its own onboarding, due diligence and AML/CFT checks. A client cannot simply be migrated between group companies or platforms without the necessary regulatory and compliance procedures relevant client notifications and/or prior client consent.

This will be particularly relevant to groups proposing the large-scale migration of European customers from a non-EU platform to an EEA-authorised entity.

The Cyprus position

Cyprus adopted the full transitional period, allowing qualifying CASPs operating under the national regime to continue temporarily until 1 July 2026.

CySEC required providers wishing to pursue MiCA authorisation through Cyprus to submit their applications by 27 February 2026. Click here for the relevant Press Release.

CySEC has made clear that providers which did not apply by that deadline were required to prepare and submit a wind-down plan. It has also expressly stated that any continuation of crypto-asset services after 1 July 2026 is conditional upon obtaining the relevant MiCA authorisation.

Accordingly, a Cyprus national CASP registration will not, by itself, permit a provider to continue after the deadline. Nor does a pending CySEC application create an automatic extension of the transitional period.

Providers, counterparties and clients should verify the current regulatory status of the relevant entity through both the CySEC registers and ESMA’s central MiCA register. The registers are being updated regularly and the position may change as applications are approved, refused, withdrawn or otherwise concluded.

Third-country firms and the limits of reverse solicitation

The deadline is particularly important for crypto businesses established outside the EU and EEA.

ESMA has reiterated that a third-country firm cannot provide MiCA-regulated services to EU clients or solicit EU clients without the appropriate European authorisation.

This restriction applies not only to retail activity but also in a business-to-business context.

The reverse-solicitation exemption remains exceptionally narrow. It is intended to apply only where a client approaches the third-country provider entirely on the client’s own exclusive initiative.

It should not be treated as a general cross-border business model.  Reliance on reverse solicitation becomes difficult where the provider, its group or a person acting on its behalf has engaged in:

• targeted advertising
• affiliate or introducing-broker activity
• direct approaches to potential clients
• promotional events
• local-language campaigns
• relationship-management contact
• website or application targeting
• influencer activity, or
• other conduct intended to attract European customers.

Contractual wording stating that a service was provided on a reverse-solicitation basis will not cure underlying conduct that amounts to solicitation.

Group structures and outsourcing arrangements require review

International crypto groups should also review which legal entity actually provides each service.

MiCA authorisation attaches to a specific legal entity. It does not automatically extend to every company using the same brand, website, technology or group infrastructure.

ESMA has specifically warned against arrangements through which an authorised EEA entity appears to face the client while regulated functions are, in substance, performed by an unauthorised third-country group company.

Custody arrangements require particular attention. ESMA has emphasised that CASPs cannot use outsourcing or delegation structures that result in custody or other regulated services being provided to EU clients through unauthorised entities.

Groups should therefore review:

• the identity of the contractual service provider
• the entity holding client assets and private keys
• order-routing and execution arrangements
• operational access to wallets
• intra-group delegation
• technology and platform arrangements
• client disclosures
• complaints handling
• safeguarding responsibilities and
• business-continuity and insolvency arrangements.

A licence held by one group company does not create a regulatory umbrella for the entire group.

Authorisation must cover the actual service

It is not enough to confirm that a provider appears somewhere on a MiCA register.  MiCA authorisations are service-specific. Due diligence should verify whether the entity is authorised or notified to provide the particular service concerned, such as custody and administration of crypto-assets, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, reception and transmission of orders, placement of crypto-assets, portfolio management, advice on crypto-assets or transfer services.

The relevant approved domains, trade names, host-state notifications and passporting position should also be reviewed.

Additionally, not every activity offered by a crypto platform necessarily falls within MiCA. Depending on the product and structure, other frameworks may apply, including MiFID II, PSD2, the electronic-money regime, the Transfer of Funds Regulation, DORA and national lending or consumer-protection rules.

What should businesses do now?

CASPs that have not obtained authorisation should immediately determine whether they are legally permitted to continue providing each service after 1 July.

Where authorisation will not be in place, the provider should implement a documented and operational wind-down plan addressing client communications, asset transfers, custody, open positions, complaints, AML/CFT controls, data retention, outsourcing and regulatory notifications.

Banks, electronic-money institutions, payment institutions, investment firms, funds and corporate clients using crypto providers should conduct their own counterparty review.

They should not rely solely on brand recognition or assurances that an application is pending. They should verify:

1. the precise legal entity providing the service,
2. its current authorisation or notification status,
3. the services covered by that status,
4. the jurisdictions into which it may provide services,
5. where and by whom client assets are held,
6. the involvement of non-EEA group companies, and
7. the contractual consequences if authorisation is absent or withdrawn.

Clients of an unauthorised provider may need to transfer their assets to an authorised CASP, move them to an appropriate self-hosted wallet or close their positions.

The beginning of active MiCA supervision

The end of the transitional period should be understood as more than an administrative deadline.

From 1 July 2026, national competent authorities are expected to take action against the unauthorised provision of crypto-asset services. ESMA and national regulators have indicated that they will coordinate their response, particularly in relation to significant cross-border providers.

The regulatory focus is likely to extend beyond clearly unlicensed businesses. It may also include:

• misleading claims concerning authorisation
• misuse of reverse solicitation
• unauthorised third-country involvement
• deficient client-migration arrangements
• non-compliant custody structures
• inadequate AML controls
• improper outsourcing
• services exceeding the scope of an authorisation and
• marketing through an entity other than the authorised CASP.

The question for crypto businesses is therefore no longer whether MiCA will apply. The question is whether the business model, legal entity, client relationship and operational structure are genuinely compliant with MiCA when the transitional permission disappears.

How AGPLAW can assist

AGPLAW advises crypto-asset businesses, financial institutions, fintech groups and investors on the application of MiCA and the wider EU financial-services framework.

Our Financial Services Regulatory team can assist with:

• MiCA regulatory-perimeter assessments
• CySEC authorisation and notification procedures
• remediation of pending or incomplete applications
• cross-border structuring and passporting
• reverse-solicitation assessments and advisory
• third-country and intra-group service arrangements
• custody and outsourcing reviews
• wind-down and client-migration plans
• AML/CFT and Transfer of Funds Regulation compliance
• DORA governance and ICT arrangements
• the interaction between MiCA, PSD2, and MiFID II
• regulatory due diligence on CASPs and counterparties, and
• engagement with CySEC and other competent authorities.

With the transitional deadline now imminent, CASPs and businesses exposed to crypto-asset providers should review their position without delay.

*Article 143 permits qualifying pre-existing providers to continue until 1 July 2026 or authorisation/refusal, while MiCA was incorporated into the EEA Agreement and is now in force there.

The information provided by AGPLAW | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, no representation or warranty is given. In no event will the author or any related parties be liable for any loss arising from reliance on this article.