
MiCA's Passport Problem: Europe's Crypto Single Market Is Fracturing Before It Begins
MiCA promised one license for 27 countries. Reality: Italy imposes up to 4-year prison terms for unlicensed crypto activity while Malta fast-tracks approvals. Poland requires local directors for substantial business. The EU's unified crypto framework faces implementation friction - though passporting works, national enforcement varies significantly.
TL;DR
- MiCA's passport mechanism enables one license for 27 EU markets, but national enforcement divergence creates implementation friction - Italy's criminal penalties (up to 4 years) for unlicensed activity vs Malta's streamlined approvals illustrate the variance
- Criminal liability: Italy enacted Legislative Decree 129/2024 with 6 months to 4 years imprisonment for unauthorized CASP services. Poland and Germany require local directors for substantial business. These requirements apply to firms with significant local presence, not all passported entities
- Transition period: Article 143 allows nationally-authorized firms to continue operating domestically until July 2026. Note: grandfathered VASPs cannot passport during transition - only MiCA-authorized firms gain full passport rights
- Passporting works for market access. However, firms targeting substantial business in specific markets may face local substance requirements: resident directors (Poland, Germany for significant operations), local compliance oversight, and varying AML standards
Reader Navigation Guide
Jump to sections relevant to your role
| Reader Role | Relevant Sections |
|---|---|
| Legal & Compliance | Criminal Liability Fragmentation - Italy's 4-year terms, Poland's local requirements; The Passport Promise - Article 59 mechanism vs reality; Local Substance Requirements - Director residency, physical presence rules |
| Corporate Treasury & Finance | Compliance Cost Reality - EUR 200-700K annual for pan-EU operation; Strategic Pathways - Hub-and-spoke vs local entity approaches; Transition Period Arbitrage - Grandfathering provisions until July 2026 |
| Banking & Risk Management | Criminal Liability Exposure - Cross-border prosecution risks; AML Enforcement Divergence - National FIU discretion; Stablecoin Issuer Requirements - Reserve and custody standards |
| Policy & Regulatory Analysis | Single Market Theory - MiCA's design vs implementation; Enforcement Matrix - 27 approaches to one regulation; Three Scenarios Forward - Fortress Europe, ESMA pushback, UK alternative |
| Fintech & Infrastructure | Licensing Strategy - Jurisdiction selection, hub-and-spoke models; Non-EU Operators - VARA, MAS, SFC license holders and the "gold-plated cage"; Build vs License - Cost analysis for market entry |
MiCA was supposed to end the chaos. One regulation, 27 countries, a single passport that lets crypto firms operate across the EU without re-licensing in each jurisdiction. The theory was elegant: obtain authorization in Malta, serve customers in Germany. Get licensed in Ireland, expand to France. The single market for crypto services, finally realized.
That was the promise. Here's what actually happened.
The Passport Promise
Article 59 of MiCA establishes the passport mechanism. A Crypto-Asset Service Provider (CASP) authorized in one member state can provide services throughout the EU by notifying the host state's regulator. No new license required. No duplicate capital requirements. Just paperwork and market access.
This mirrors how banking and investment services work under MiFID II. A German bank can serve French customers. A Dutch investment firm can operate in Spain. The framework has functioned for decades. MiCA promised to extend it to crypto.
"One license, 27 markets, 450 million potential customers. MiCA's passport was designed to create Europe's crypto single market. It's creating 27 different enforcement regimes instead."
The passport works on paper. In practice, national competent authorities retain discretion over:
- Local enforcement intensity
- AML supervision standards
- Consumer protection interpretation
- Criminal sanctions for violations
ESMA and EBA issue binding technical standards. They cannot override national criminal law. They cannot mandate identical enforcement approaches. They cannot prevent Italy from imposing prison terms while Malta offers streamlined approvals.
What are Italy's criminal penalties for unlicensed crypto operations?
Italy's Legislative Decree 129/2024 (enacted September 2024) imposes 6 months to 4 years imprisonment for providing crypto-asset services without authorization, plus fines and potential asset confiscation. MiCA-authorized firms operating under valid passport should not face criminal exposure.
Criminal Liability: Italy's Implementation
Italy enacted Legislative Decree 129/2024 on September 14, 2024, implementing MiCA with criminal penalties for operating crypto services without proper authorization:
- 6 months to 4 years imprisonment for providing unauthorized CASP services
- Fines and potential asset confiscation
Italy went beyond MiCA's minimum requirements, which mandate "effective, proportionate and dissuasive" administrative sanctions but do not require criminal penalties. This represents a policy choice treating unlicensed crypto services similarly to unlicensed financial services.
What This Means for Passporting
Important clarification: Firms with full MiCA authorization operating under valid passport rights should not face criminal exposure in Italy for properly authorized services. The criminal penalties apply to firms operating without authorization.
However, questions remain about edge cases: services that may fall outside the scope of a firm's MiCA authorization, or disputes about whether specific activities require additional authorization. Cross-border enforcement creates jurisdictional questions that may require ESMA coordination to resolve.
The passport grants market access for authorized services. Firms should ensure their activities fall clearly within their authorization scope.
Which EU countries require local directors for MiCA passporting?
Poland requires at least one EEA/Polish resident management board member for substantial local business. Germany requires German-resident directors for significant German operations. Note: MiCA explicitly prohibits host states from requiring physical presence for passported CASPs - these requirements apply to firms with substantial local presence, not all passported entities.
Local Substance Requirements: Where They Apply
Important context: MiCA's draft regulation explicitly states that CASPs "cannot be required to have a physical presence" in host Member States for passporting. However, some member states interpret requirements for firms conducting substantial local business:
Poland
The Polish Financial Supervision Authority (KNF) requires:
- At least one management board member resident in Poland
- Local AML compliance officer presence
- Physical operational presence for firms serving Polish customers substantially
These requirements apply even to passported firms targeting the Polish market.
Germany
BaFin interprets management suitability requirements to require:
- German-resident directors for firms conducting significant German business
- Enhanced local governance for crypto custody providers
- Substance demonstration beyond mere passport notification
France
AMF requires:
- "Effective direction" from France for firms targeting French customers substantially
- Enhanced PSAN (Digital Asset Service Provider) registration with local operational presence
- French-resident responsible persons for consumer-facing services
Spain
CNMV imposes:
- Advertising restrictions requiring local compliance oversight
- Spanish-resident responsible persons for consumer-facing services
- Enhanced local substance for marketing activity
How much does pan-European MiCA compliance cost?
Annual compliance costs for pan-European CASP operation are estimated at EUR 200,000-700,000. Licensing fees range from EUR 4,500 (Poland, Czech Republic) to EUR 100,000 (Netherlands maximum). The EUR 150,000 figure often cited represents minimum capital requirements for Class 3 CASPs, not licensing fees.
Realistic Cost Estimates
Based on industry data, annual compliance costs for pan-European CASP operation are estimated at EUR 200,000-700,000, not the EUR 2-5 million sometimes claimed. Key cost components:
| Requirement | Notes | Est. Annual Cost |
|---|---|---|
| Local Directors | 1-2 for substantial local presence | EUR 80-240K |
| Physical Office | Home jurisdiction only (MiCA prohibits host state requirement) | EUR 6-30K |
| Compliance Officers | Home jurisdiction team | EUR 30-120K |
| Bank Accounts | Operational accounts | EUR 2-5K |
| Legal Advisory | Home jurisdiction focus | EUR 20-100K |
| Total Annual Compliance | - | EUR 200-700K |
Licensing fees (one-time): EUR 4,500-100,000 depending on jurisdiction. The EUR 150,000 figure often cited represents minimum capital requirements for Class 3 CASPs, not licensing fees.
How does MiCA Article 143 grandfathering work?
Article 143 allows firms authorized under national regimes before December 30, 2024 to continue operating domestically until July 1, 2026. Critical: grandfathered VASPs cannot passport during transition - only firms with full MiCA authorization can exercise passport rights across the EU.
Transition Period Chaos
MiCA Article 143 creates an 18-month transition window running until July 1, 2026. Firms authorized under national regimes before December 30, 2024, may continue operating until their MiCA application is granted or refused.
This sounds reasonable. In practice, it creates a two-speed market.
The Estonia Problem
Estonia registered over 500 virtual asset service providers before tightening standards in 2022. Many remain authorized. Under Article 143, they can continue operating domestically until July 2026 - but they cannot passport across the EU. Only MiCA-authorized firms gain full passport rights.
This creates a two-tier market. Firms seeking pan-EU access must obtain full MiCA authorization, regardless of their pre-existing national licenses. A firm established in Estonia in 2021 can serve Estonian customers during transition, but must obtain MiCA authorization to expand elsewhere.
The Ireland Vacuum
Central Bank of Ireland had not issued any CASP authorizations by December 2024. Zero. Ireland's crypto market receives passported services from permissive jurisdictions while domestic firms navigate an approval bottleneck.
Regulator's Dilemma
Host state regulators face an impossible choice:
- Challenge passport notifications from permissively-licensed jurisdictions - creating trade friction and undermining MiCA's single market objective
- Accept competitive disadvantage for locally-authorized firms - undermining domestic compliance investment and creating regulatory arbitrage incentives
Neither option serves the regulation's stated purpose.
The Online Gaming Parallel
This pattern is not new. The EU's online gaming sector followed an identical trajectory in the 2000s-2010s. Despite theoretical service freedom under Article 56 TFEU, member states invoked "public order" and addiction prevention to erect national barriers. Poland's 2017 Gambling Act introduced ISP-level domain blocking - the same mechanism now being applied to crypto. Malta gaming licenses became operationally useless for serving Polish users.
| Feature | Online Gaming (2000s-2010s) | MiCA Crypto (2025) |
|---|---|---|
| The Theory | EU Service Freedom (Art. 56 TFEU) enables cross-border access | MiCA Passporting (Art. 59) enables cross-border access |
| The Justification | "Public Order" and addiction prevention justify national barriers | "Investor Protection" (Art. 102) and financial stability justify national barriers |
| The Tool | Domain blocking at ISP level | Domain blocking (Poland) plus criminal prosecution (Italy) |
| The Outcome | 27 separate national markets; "grey market" operators | Tiered market: "Premium" (compliant everywhere) vs. "Geofenced" (avoiding strict states) |
The pattern is unmistakable. Just as online gaming evolved from theoretical passporting to practical national barriers, MiCA is following the same trajectory - faster.
AML Enforcement Divergence
MiCA establishes minimum AML requirements. National Financial Intelligence Units retain full authority over:
- Transaction monitoring thresholds
- Suspicious activity reporting standards
- Customer due diligence intensity
- Enforcement priorities and resources
A passported CASP faces different AML expectations in each jurisdiction served. The German FIU's interpretation differs from France's Tracfin, which differs from Italy's UIF. Compliance systems must accommodate 27 variations - or risk enforcement action in any jurisdiction that finds the firm's approach inadequate.
Stablecoin Issuer Complications
For stablecoin issuers, fragmentation compounds. Asset-referenced tokens and e-money tokens face:
- EBA direct supervision for "significant" tokens
- National competent authority oversight for others
- Reserve custody requirements varying by member state interpretation
- Banking relationship challenges that differ across the EU
Circle's USDC - authorized in France - can theoretically passport across the EU. In practice, local banking relationships, custody arrangements, and redemption infrastructure require market-by-market negotiation.
Strategic Pathways Through Fragmentation
Given the landscape, three approaches emerge:
Hub-and-Spoke Licensing
Obtain primary authorization in a business-friendly jurisdiction (Malta, Ireland, Lithuania). Passport to high-value markets selectively. Avoid direct consumer services in criminal-penalty jurisdictions. Accept that some markets remain effectively closed.
Advantages: Lower compliance costs, regulatory certainty in home jurisdiction, flexibility to expand incrementally.
Disadvantages: Limited market access, potential host-state challenges to passport scope, concentration risk in home jurisdiction.
Local Entity Proliferation
Establish subsidiaries in major markets (Germany, France, Italy, Spain). Obtain separate authorization in each jurisdiction. Accept regulatory duplication cost for enforcement certainty.
Advantages: Full market access, clear local accountability, reduced cross-border enforcement risk.
Disadvantages: EUR 1-2 million annual compliance cost across multiple entities, duplicative capital requirements, operational complexity.
B2B Wholesale Focus
Avoid retail consumer exposure entirely. Provide infrastructure services to locally-authorized entities. Eliminate passport friction by never directly serving end consumers.
Advantages: Reduced regulatory surface area, simpler compliance, clearer liability boundaries.
Disadvantages: Limited addressable market, dependence on local partners, margin compression in competitive segments.
The Enforcement Matrix
MiCA created one regulation. National implementation created this:
| Jurisdiction | Criminal Penalties | Local Presence | Transition Status |
|---|---|---|---|
| Italy | 6 months - 4 years | Required | Strict enforcement |
| Poland | Administrative + criminal | Required | Active supervision |
| Germany | Administrative primary | Substantial | Rigorous review |
| France | Administrative primary | Required | Active licensing |
| Malta | Administrative | Flexible | Streamlined |
| Estonia | Administrative | Minimal | 500+ VASPs |
| Ireland | Administrative | Moderate | Zero authorized |
Can a VARA or MAS license be used to operate in the EU?
No. MiCA contains no equivalence regime for third-country licenses. A VARA (Dubai), MAS (Singapore), or SFC (Hong Kong) license provides zero legal access to Europe. Firms must incorporate a fully capitalized EU subsidiary and apply for fresh MiCA authorization. Worse, holding a sophisticated foreign license may increase liability through the 'competent professional' doctrine.
What This Means for Non-EU Licensed Operators
For firms holding VARA (Dubai), MAS (Singapore), or SFC (Hong Kong) licenses, the fragmentation creates what might be called a "gold-plated cage." Unlike previous financial regulations such as MiFID II, MiCA contains no equivalence regime for third countries. A VARA license, however rigorous, provides zero legal access to Europe. To operate in the EU, a Dubai-licensed exchange cannot extend its existing authorization - it must incorporate a fully capitalized EU subsidiary and apply for a fresh MiCA license.
Worse, holding a sophisticated foreign license may increase liability rather than reduce it. Italian prosecutors applying the "competent professional" doctrine view VARA or MAS licensees not as ignorant startups but as sophisticated institutions that knowingly bypassed local rules. The six-month to four-year prison sentence for unauthorized activity applies regardless of what license you hold in Dubai.
Does reverse solicitation still work for serving EU clients?
No. ESMA's 2025 guidelines have systematically closed the reverse solicitation loophole. Any digital footprint - a website in an EU language, API calls from EU IP addresses, or referral codes used by EU residents - constitutes illegal solicitation. Active IP geofencing of EU users is now a compliance requirement for non-EU operators.
Reverse Solicitation: The Loophole That Closed
The reverse solicitation loophole - historically used by foreign firms to serve EU clients who approached them first - has been systematically closed. ESMA's 2025 guidelines declare that any digital footprint, including a website in an EU language, an API call from an EU IP address, or a referral code used by EU residents, constitutes illegal solicitation. A VARA-licensed firm can no longer maintain a global website open to all visitors. Active IP geofencing of EU users has become a compliance requirement.
Three Scenarios Forward
Scenario One: Fortress Europe Hardens
Italy and Poland's approaches spread. More member states layer criminal penalties onto MiCA's administrative framework. Domain blocking becomes standard. The EU crypto market splits into "premium" operators licensed everywhere and "geofenced" operators avoiding strict jurisdictions. Liquidity fragments. EU versions of global platforms offer fewer assets than their international counterparts. European users increasingly use VPNs to access global platforms - which those platforms must now actively police.
Scenario Two: ESMA Pushes Back
The European Securities and Markets Authority finds mechanisms to constrain national divergence. ECJ cases challenge criminal penalties as disproportionate barriers to single market freedoms. Member states are forced to recognize each other's authorizations without additional friction. This scenario requires political will that is not currently visible.
Scenario Three: The UK Emerges as Alternative
London's principles-based approach under FSMA attracts firms exhausted by 27-state fragmentation. The UK becomes the dominant Western crypto hub by default, not because its regulation is lighter, but because it is singular. EU competitiveness concerns eventually force Brussels to address implementation divergence - but not before significant market share migrates.
What Happens Next
ESMA is aware of the fragmentation. The authority can issue guidance, coordinate enforcement approaches, and escalate concerns to the European Commission. It cannot force Italy to repeal criminal penalties. It cannot require Poland to drop local director requirements.
The Commission could propose amendments. Any change requires European Parliament and Council approval - a multi-year process that won't address immediate transition-period challenges.
Market participants face a choice: wait for harmonization that may never come, or build compliance infrastructure for 27 different realities.
The Winners
- Legal and compliance advisory firms billing EUR 500-1,000 per hour for jurisdiction-specific guidance
- Malta and Ireland attracting licensing applications from firms seeking business-friendly home jurisdictions
- B2B infrastructure providers avoiding retail exposure and passport friction entirely
The Losers
- The theoretical single market for crypto services, where a German consumer can more easily access US-based Coinbase than a Lithuanian-authorized competitor facing German substance requirements
- Mid-sized CASPs lacking resources for 27-jurisdiction compliance but too large to focus on single markets
- Consumers facing reduced competition as compliance costs eliminate smaller market participants
The Bottom Line
MiCA created a framework for the crypto single market. National implementation is dismantling it before the framework reaches full maturity. The passport exists on paper. In practice, operating across the EU requires navigating criminal liability exposure, local substance requirements, grandfathering inconsistencies, and AML enforcement discretion that varies by member state.
The regulation promised clarity. It delivered complexity with a harmonized vocabulary.
Firms entering European crypto markets should budget accordingly - not for one license, but for 27 different compliance frameworks wearing the same regulatory label.
Up Next: How stablecoin issuers are navigating MiCA's reserve requirements - and why Circle's USDC authorization in France creates more questions than it answers.
MCMS Brief • Classification: Public • Sector: Digital Assets • Region: Europe
SOURCE FILES
Source Files expand the factual layer beneath each MCMS Brief — the verified data, primary reports, and legal records that make the story real.
MiCA Passporting Mechanism vs National Reality
The Markets in Crypto-Assets Regulation (MiCA) entered into force June 29, 2023, with stablecoin provisions effective June 30, 2024, and full CASP requirements from December 30, 2024. Article 59 establishes the 'passport' mechanism: a CASP authorized in one member state may provide services throughout the EU through notification to the host state regulator. The theoretical framework mirrors banking and investment services passporting under MiFID II - obtain one license, serve 450 million consumers. Reality diverges significantly. National competent authorities (NCAs) retain discretion over local enforcement, AML supervision, consumer protection standards, and criminal sanctions. ESMA and EBA issue binding technical standards but cannot override national criminal law or mandate identical enforcement approaches. The fragmentation manifests immediately in transition provisions. Article 143 allows firms authorized under national regimes before December 30, 2024, to continue operating until July 1, 2026, or until MiCA authorization is granted or refused. But 'authorized under national regimes' means different things across jurisdictions - Estonia's permissive VASP registration vs Germany's rigorous BaFin licensing create fundamentally different starting points for transition.
Italy's Criminal Liability Framework
Italy's Legislative Decree 129/2024 (Decreto Legislativo 129/2024), enacted September 14, 2024, implements MiCA with criminal penalties. The decree establishes imprisonment of 6 months to 4 years for providing crypto-asset services without proper authorization. Additional penalties include fines and potential asset confiscation. The law goes beyond MiCA's minimum requirements, which mandate 'effective, proportionate and dissuasive' administrative sanctions but do not require criminal penalties. Italy's interpretation treats unlicensed crypto activity similarly to unlicensed financial services. Implications for passporting: MiCA-authorized firms operating under valid passport should not face criminal exposure. However, firms operating without proper authorization or outside their authorization scope remain subject to Italian criminal law.
Local Presence and Director Requirements
MiCA's draft regulation explicitly states that CASPs 'cannot be required to have a physical presence' in host Member States for passporting. However, some member states interpret requirements for firms with substantial local operations. Poland: The KNF requires at least one EEA/Polish resident management board member for CASPs serving Polish customers substantially. Germany: BaFin interprets management suitability requirements to require German-resident directors for firms conducting significant German business. France: AMF requires 'effective direction' for firms targeting French customers substantially - though this may conflict with MiCA's prohibition on physical presence requirements. Cost reality: Licensing fees range from EUR 4,500 (Poland, Czech Republic) to EUR 100,000 (Netherlands maximum). Most jurisdictions charge EUR 10,000-25,000. The EUR 150,000 figure represents minimum capital requirements for Class 3 CASPs, not licensing fees. Annual compliance costs for pan-European operation are estimated at EUR 200,000-700,000, not EUR 2-5 million.
Transition Period Arrangements
MiCA Article 143 establishes transitional arrangements allowing firms authorized under national law before December 30, 2024, to continue operating domestically until July 1, 2026 (or earlier if MiCA authorization is granted or refused).
Critical distinction: Grandfathered VASPs may continue serving their home market, but they cannot passport to other EU member states during the transition period. Only firms with full MiCA authorization can exercise passport rights.
Jurisdictions with permissive pre-MiCA regimes (Estonia, Lithuania) authorized hundreds of VASPs under relatively light requirements. Estonia registered 500+ VASPs before tightening standards in 2022. Many licenses were subsequently revoked. Those remaining may continue domestic operations but must obtain MiCA authorization to passport.
Jurisdictions with stricter regimes (Ireland) had not issued any CASP authorizations by December 2024. These markets receive services from MiCA-authorized firms passporting in.
The transition period creates a pathway for existing operators to upgrade to MiCA authorization rather than an arbitrage opportunity.
KEY SOURCE INDEX
- European Parliament and Council — Legislative authority establishing MiCA framework with Article 59 passporting mechanism and Article 143 transitional provisions for existing national authorizations
- Italian Government — National authority implementing MiCA with Legislative Decree 129/2024 (September 2024) establishing 6 months to 4 years imprisonment for unlicensed crypto-asset service provision
- European Securities and Markets Authority — EU-level supervisor issuing binding technical standards for CASP authorization, conduct requirements, and cross-border notification procedures
- European Banking Authority — EU authority overseeing stablecoin issuer requirements and significant asset-referenced token supervision under MiCA
- Polish Financial Supervision Authority — National regulator imposing local director and resident compliance officer requirements for CASPs serving Polish market
- German Federal Financial Supervisory Authority — National regulator requiring German-resident directors and enhanced governance for crypto custody providers
- Malta Financial Services Authority — National regulator operating streamlined VFA licensing with established framework predating MiCA, positioned as EU crypto hub