Here’s What Regulators Actually Want to See

MiCA Decoded is a 12-article weekly series for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies on MiCA licensing, CASP and VASP applications, and regulatory structuring across Europe and beyond.

This week’s entry has been written by Krystian Lapka, Lawyer at LegalBison. Krystian specializes in cross-border corporate and commercial transactions, alongside strategic risk management at the intersection of civil and common law.

Most founders approaching their first CASP application understand, at least abstractly, that MiCA requires a real EU presence. What they underestimate is how the regulator defines “real.”

The typical early-stage setup looks coherent on paper: a registered office in a favorable EU jurisdiction, a director named in the governance documents, ICT systems either cloud-hosted or managed from the group’s global infrastructure, and paid-in capital sitting in a newly opened bank account.

From the inside, this feels like an EU company. From a National Competent Authority’s perspective, it may look like a letterbox with a director attached.

This article maps what MiCA’s substance requirements actually demand across personnel, technology, and financial resilience, and explains why regulators treat each category as a functional test rather than a documentation exercise.

The concern driving all of it is the same: preventing letterbox companies, entities that exist on paper in a favorable jurisdiction but lack any meaningful economic activity, human capital, or operational capacity within it.

The Myth: Presence Equals Substance

The regulatory logic here is older than MiCA. In the landmark Cadbury Schweppes ruling (Case C-196/04), the Court of Justice of the European Union established that the freedom of establishment cannot be used to create “wholly artificial arrangements” that lack genuine economic activity. MiCA codifies that principle directly into crypto-asset regulation.

Article 59(2) of MiCA states that authorized CASPs must have their registered office in a Member State where they carry out at least part of their crypto-asset services, must have their place of effective management within the Union, and must have at least one director resident in the Union. The provision is brief. What sits behind it is considerably more demanding.

ESMA’s Supervisory Briefing on Authorization of CASPs, while non-binding, signals clearly how NCAs are expected to interpret these requirements in practice.

The gap between the statutory text and the supervisory expectation is where many applications encounter friction.

Personnel: Who Is Actually Running This Entity

The minimum threshold under MiCA is one EU-resident director. Supervisory guidance raises that bar.

ESMA’s briefing anticipates at least two senior executives jointly overseeing daily operations. The rationale is straightforward: a single executive creates concentration risk and removes the internal checks that a functioning governance structure requires. Two executives with defined, overlapping responsibilities is the expected baseline.

Residency is not sufficient on its own. The guidance indicates that where a management body member is not resident in the NCA’s jurisdiction, that person should be capable of attending in-person meetings at the authority’s request within two business days.

For jurisdictions where physical proximity to the supervisor matters operationally, this is a practical constraint on how far from the home jurisdiction a director can effectively be located.

Time commitment is treated with similar seriousness. ESMA’s position, as articulated in its Supervisory Briefing on Authorization of CASPs, is that executive management board members should generally dedicate 100% of their professional time to the CASP role. Double-hatting, where the same individual serves in executive capacity at multiple entities, is permitted only in restricted circumstances. An executive who splits their attention between the CASP and another group company is likely to attract scrutiny during the fit-and-proper assessment.

Reporting lines matter as much as individual profiles. The management body must demonstrate that strategic and operational control sits within the EU entity, not with a parent company in a third country that makes the real decisions and issues instructions downward.

An EU subsidiary whose executives functionally serve as implementation agents for a non-EU headquarters is not, in the supervisory sense, an entity with genuine EU management.

The AML dimension reinforces this. The individual responsible for filing suspicious activity reports (the MLRO) must be physically present, hold genuine authority within the entity, and be able to interact directly with the local Financial Intelligence Unit. This requirement reflects a broader global trend: the FATF and OECD’s Crypto-Asset Reporting Framework (CARF) operates on the same logic, extending substance and transparency requirements beyond the EU.

MiCA’s personnel requirements and CARF are not unrelated developments; they reflect a converging international standard for what a regulated crypto entity must look like from the inside.

The collective suitability standard from Article 68(1) requires the management body to possess appropriate knowledge, skills and experience both individually and collectively. As covered in the previous installment of this series, that standard spans traditional financial markets regulation, DLT infrastructure and cybersecurity, and organizational governance. Each of those domains needs to be represented in the room.

A team drawn entirely from crypto-native backgrounds with no regulated financial services experience, or one with deep TradFi experience and no capacity to assess on-chain risk, carries structural gaps that the assessment process will surface.

Technology: Control, Not Just Hosting

DORA (Regulation (EU) 2022/2554) applies directly to CASPs and sets the framework for ICT resilience requirements. The question regulators ask about technology is not what infrastructure a firm uses. The question is who controls it.

Cloud infrastructure hosted by AWS, Azure, or similar providers is acceptable under current supervisory practice. The issue arises when the entity authorized in the EU lacks meaningful administrative control over the systems it depends on.

If encryption key management sits with a parent company’s global IT team, if access rights to client data are administered from outside the EU, or if the disaster recovery plan depends on approvals from a third-country headquarters, the EU entity cannot demonstrate genuine operational independence.

ESMA’s position, as reflected in its consultation materials, is that the EU management team must hold actual control over the ICT infrastructure relevant to the CASP’s operations. The business continuity policy and disaster recovery plans required under Article 68(7) must be owned and executable by the EU entity, not dependent on a global function that may or may not respond in a crisis.

The practical test is pointed: if the parent company’s global IT team became unavailable overnight, could the EU entity continue to operate, access client funds, and return assets to clients? If the answer is no, or not without significant escalation to non-EU personnel, the substance question has not been resolved.

GDPR compliance and data governance requirements layer on top of the DORA framework. Data processing arrangements, controller-processor relationships, and data residency considerations all form part of the technical architecture that regulators will examine.

Financial: Capital That Actually Works

Article 67 sets the minimum prudential safeguards. The capital tiers are defined by service class:

The minimum capital figure is the starting point, not the ceiling. Prudential safeguards must equal the higher of either the permanent minimum capital or one-quarter of the preceding year’s fixed overheads.

As a CASP grows and its fixed overheads increase, this second limb becomes the binding constraint. When overheads exceed four times the initial paid-in capital, the firm must transition to the overheads-based framework. That inflection point arrives faster than many operators anticipate, and regulators expect proactive monitoring rather than reactive adjustment.

A structural point worth noting: capital must be paid into an account held with a formal credit institution.

An EMI or payment service provider account does not satisfy this requirement. Establishing a banking relationship as a crypto business takes time and is not guaranteed. Beginning that process early, before the application is formally filed, is not optional. It is a sequencing constraint that affects the entire authorization timeline.

The requirement that financial statements used in the fixed overheads calculation be duly audited or validated by national regulatory authorities adds a further administrative dimension. Newly incorporated entities projecting their first twelve months of overheads must include those projections in their authorization application, with the methodology clearly documented.

Outsourcing and the Substance Threshold

Article 73 permits CASPs to outsource operational functions to third parties. The constraint is that outsourcing cannot hollow out the authorized entity. Responsibility remains with the CASP; delegation does not transfer accountability.

ESMA’s Supervisory Briefing on Authorization of CASPs identifies the percentage of total costs attributable to functions located outside the EU as a practical indicator of whether outsourcing has gone too far. A CASP whose majority of operational expenditure flows to non-EU service providers, even well-run and reputable ones, may face questions about whether the EU entity has sufficient internal capacity to qualify as a genuine service provider rather than a conduit.

The distinction the regulator draws is between CASPs that outsource specific functions while retaining control and CASPs that outsource everything substantive while retaining only the legal form. The latter is a shell, regardless of how the arrangement is described in the application.

Jurisdictional Variation: Same Law, Different Practice

MiCA is directly applicable across all EU member states. The substantive requirements are uniform. Supervisory practice is not.

Cyprus, through CySEC, has explicitly required that the majority of a CASP’s board of directors be physical residents of Cyprus. For a board of two executive and two non-executive directors, that means a minimum of three Cyprus-resident directors. This goes beyond what MiCA’s text requires and reflects national AML directives layered on top of the harmonized EU framework.

Estonia presents a different dynamic. Under the previous VASP registration regime administered by the Financial Intelligence Unit, Estonia became one of Europe’s most accessible licensing jurisdictions. The transition to MiCA shifted supervisory responsibility to the Estonian Financial Supervision and Resolution Authority, which brings a different institutional approach to review and ongoing oversight.

Poland’s legislative situation, covered in earlier installments of this series, has produced a structural gap where the domestic MiCA implementation law has not yet been enacted, leaving the KNF without formal designation as the competent authority and VASP holders without a viable domestic CASP application pathway.

These variations are not loopholes or administrative quirks. They reflect the reality that a harmonized legal framework still operates through national supervisory cultures, staffing constraints, and institutional histories. Selecting a jurisdiction for CASP authorization means selecting a regulator, with all the practical implications that entails.

What ‘Genuine Establishment’ Actually Requires