MiCA and Operational Resilience

Our latest update covers operational resilience requirements in the EU's Markets in Crypto-Assets regulations (MiCA). While parts of MiCA relating specifically to issuers of electronic money tokens (EMTs) and asset-referenced tokens (ARTs) became applicable on 30 June 2024, crypto asset service providers (CASPs) have just under six months to implement measures to comply with the remaining provisions in MiCA, which will apply from 30 December 2024.

MiCA Recap

MiCA hopes to achieve a balance. It creates a harmonised European regulatory and supervisory regime that seeks to promote innovation, while protecting investors and financial stability. More specifically, MiCA intends to:

• Bolster market integrity and reduce fraud risk by establishing requirements for CASPs and crypto asset issuers.
• Prevent insider trading and market manipulation by requiring certain IT security systems and procedures in the blockchain technology that underly crypto assets.
• Mitigate money laundering, sanctions evasion and terrorist financing risks.
• Ensure that customers and holders of crypto assets are properly informed about the characteristics, risks, and functions of the assets that they are purchasing.

As an EU-level regulation, MiCA has come into direct effect across the 27 member states of the EU. However, these member states can implement slightly different technical standards. National authorities have been given the power to decide matters such as:

• The nature of their supervision fee structure;
• The length of their grandfathering periods; and
• Which national institutions will be designated as MiCA supervisors.

Companies in non-EU member states will still be affected by the implementation of MiCA if they have business ties to EU jurisdictions. Firms offering their services or products to the EU will need to ensure that their business activities comply with MiCA and existing EU financial services legislation.

Although MiCA particularly focuses on stablecoins, it defines a crypto asset generally as "a digital representation of a value or of a right that can be transferred and stored electronically using distributed ledger technology, or similar technology". This broad definition encompasses EMTs, ARTs, utility tokens and other types of crypto asset, although MiCA's scope does not cover non-fungible tokens, crypto assets caught by existing EU financial services legislation, or crypto assets that do not meet the characteristics specified by the definition of crypto asset (for instance if they are not able to be transferred).

New requirements on ART / EMT issuers and CASPs established by MiCA include:

• Issuers of any crypto assets must publish a whitepaper ahead of the issuance.
• Marketing communications must be clear, fair and not misleading.
• EMT issuers must be authorised credit or e-money institutions and will be subject to the 2009 Electronic Money Directive.
• ART issuers and CASPs must obtain authorisation from their competent authority (subject to certain exceptions).
• Other obligations relate to prudential safeguards, governance arrangements, complaints handling and conflicts of interest.

Operational Resilience Requirements

From 30 December 2024, CASPs must comply with the operational resilience requirements set out in article 73 of MiCA. These include the following obligations:

• Take all reasonable steps to avoid additional operational risk.
• Have a policy on outsourcing, including contingency plans and exit strategies.
• Have written contracts in place with outsourced service providers setting out the rights and obligations of each party and giving CASPs the right to terminate.
• Ensure:
  • outsourcing does not result in delegation of responsibility;
  • outsourcing does not alter the relationship of CASPs with their clients or the obligations of CASPs towards their clients;
  • outsourcing does not alter the conditions of the CASP's authorisation;
  • cooperation of third parties involved in the outsourcing with supervisory authorities;
  • CASPs retain the expertise and resources needed to evaluate the quality of services they provide, supervise outsourced services effectively and manage outsourcing risks on ongoing basis;
  • CASPs have direct access to relevant information on the outsourced services; and
  • third parties involved in the outsourcing meet EU data protection standards.

MiCA will also bring CASPs and issuers of ARTs and EMTs within scope of the EU Digital Operational Resilience Act (DORA). DORA includes many new operational resilience requirements and some requirements that overlap with the MiCA requirements set out above. DORA will apply from 17 January 2025.

For further crypto asset related updates, please check out Crypto View. For further information about DORA, please click here.