MICA AND CRYPTO REGULATION: potential change already and problematic ‘passporting’ issues on route?

Key Takeaways

• In a joint paper of 15 September 2025, French, Austrian, and Italian regulators make various proposals to strengthen MiCA.
• In order to avoid "regulatory shopping", a direct supervision of significant CASPs by ESMA is proposed, but criteria for identifying “significant CASPs” remain undefined.
• Stricter rules are suggested for global platforms and third-country activities, including mandatory use of MiCA-compliant or equivalent platforms for EU intermediaries.
• Delegation of core functions to third-country entities should be tightly controlled, with requirements for equivalent regulation and cooperation agreements.
• Mandatory, independent cybersecurity audits for CASPs are proposed before authorization and at regular intervals, along with a harmonized EU certification scheme for auditors.
• A centralized, ESMA-managed system for token offerings is proposed to streamline procedures and reduce administrative burdens.

On 15 September 2025, the French (the AMF), Austrian (the FMA), and Italian (CONSOB) financial markets authorities (the Authorities) jointly published a position paper (the Paper) outlining proposals to strengthen the EU’s regulatory framework for crypto-assets under the Markets in Crypto-Assets Regulation (MiCA). The Paper identifies key areas where MiCA provisions fall short in ensuring effective supervision, competitiveness of European players and investor protection.

Centralized Supervision of Major Crypto-Asset Service Providers

The Authorities advocate for a direct supervision of significant crypto-asset service providers (CASPs) by the European Securities and Markets Authority (ESMA). Currently, under the MiCA regime applicable to CASPs, national competent authorities (NCAs) report to ESMA, but this approach has led to fragmented oversight and regulatory arbitrage in addition to substantial costs for national competent authorities and players.

Drawing on the supervisory models for stablecoin issuers of significant importance supervised by the European Banking Authority (EBA) and the Single Supervisory Mechanism, the Authorities propose a transfer of supervisory powers of significant CASPs to ESMA (including powers of licensing, supervision and direct sanction over the players) in order to enable uniform application of MiCA regime, reduce supervisory costs, and enhance investor protection across the EU.

However, the concept of ‘significant CASPs’ is unclear, and the criteria that would be taken into account to classify CASPs in this category are not specified.

On the same day, the president of the French AMF told Reuters that France would not rule out the possibility of challenging the "passporting" in France of a license granted to a CASP by a different member state, arguing that CASPs "are doing their regulatory shopping all over Europe, trying to find a weak link that will give them a licence with fewer requirements than the others".

Stricter Rules for Global Platforms and Third-Country Activities

The Paper highlights risks posed by global crypto-asset platforms operating outside the EU but serving EU clients, often through complex intra-group arrangements. According to the Authorities, such structures can obscure regulatory responsibilities and limit investor protections by undermining the effectiveness of MiCA requirements.

Going beyond the ESMA opinion of 31 July 2024, the Authorities propose that all EU intermediaries executing crypto-asset orders on behalf of EU clients should do so on platforms compliant with MiCA or equivalent regulations. Such equivalence would be assessed by the European Commission and would take into account international standards (which are not specific by the Authorities).

Additionally, any delegation by a CASP of core functions to third-country entities should be subject to strict criteria, including the existence of equivalent regulatory frameworks and cooperation agreements with relevant supervisory authorities to prevent circumvention of MiCA. Alternatively, a third-country intragroup service provider should be allowed to subject itself to full extra-territorial supervision of the CASP's home NCA or of ESMA.

Enhanced Cybersecurity Requirements

Given the digital nature of crypto-asset markets, the Authorities emphasize the need for robust cybersecurity oversight. They recommend mandatory, independent cybersecurity audits for all CASPs prior to authorization, with periodic renewals to take account of changes in practices and of any new risks that may emerge. These audits should notably assess asset protection, data leaks, resilience to cyber-attacks, and incident management capabilities. A harmonized EU-wide certification scheme for cybersecurity auditors is also proposed to ensure consistency of standards and investor confidence.

A One-Stop Shop for Token Offerings

The current process for pan-European token offerings requires issuers or offerors to notify the NCA of their home member state that will in turn notify the NCA of the host member states, leading to administrative complexity and potential inconsistencies. The Authorities advocate for a centralized, ESMA-managed system for the filing and management of token offerings (excluding stablecoins) in order to streamline procedures, ensure uniform scrutiny of offering documents, and reduce administrative burdens for issuers or offerors and NCAs.

Conclusion

The proposed reforms seek to address the limitations observed in the initial implementation of MiCA, including supervisory fragmentation, regulatory arbitrage, and insufficient investor protection. The Authorities argue that by promoting centralized supervision, tightenedrules for global platforms, enhanced cyber-security oversight, and streamlined token offering procedures, they would foster a more robust, competitive, and secure EU crypto-asset market. Crypto-asset firms should closely monitor these developments and assess the potential impact on their compliance obligations and business models. It will also be interesting to see how other EU NCAs react to the Paper.

We question whether this paper demonstrates an integrated or transparent approach to crypto-asset regulation, or whether it highlights the current disparity between many NCAs. Furthermore, the timing of its publication in relation to MiCA must be questioned.