MiCA Compliance Checklist 2026: CASP Authorisation, Travel Rule and Proof of Reserves

MiCA, the EU Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114), is now the baseline for any crypto-asset business that wants to operate in the European Union. This checklist maps every major MiCA obligation to the controls and software you need in place, whether you run a crypto-asset service provider (CASP) or issue tokens. It is a practical engineering checklist, not legal advice: your token classification and authorisation must be confirmed by qualified counsel.

Use it to scope a gap assessment, brief your engineering team or sanity-check a vendor. Each section below is a standalone checklist you can lift straight into your own readiness review. If you want the controls built into one auditable system, see our MiCA compliance software development.

Who needs to comply with MiCA, and by when

MiCA applies to two broad groups: crypto-asset service providers (CASPs) such as exchanges, custodians, brokers and wallet providers, and issuers of tokens. The rules arrived in stages, and the Travel Rule and operational-resilience obligations sit in separate regulations that apply in parallel.

A single MiCA authorisation can be passported across all 27 EU member states, so the controls you build for one national competent authority must hold up under every regulator in scope. Existing CASPs that operated under national law before 30 December 2024 may rely on a transitional period that runs until 1 July 2026 in most member states, though some states have shortened it. Dates are per ESMA.

CASP authorisation checklist

To be authorised as a CASP you must evidence an organisation a regulator can supervise. MiCA defines ten crypto-asset services, and you are authorised only for the specific services you provide. Each control below should produce examiner-ready evidence automatically rather than through manual collation.

• A programme of operations covering each crypto-asset service you provide
• Sound governance, fit-and-proper management and a clear organisational structure
• Minimum own funds per MiCA Annex IV: 50,000 euro, 125,000 euro or 150,000 euro depending on the services provided
• Safeguarding of clients’ crypto-assets and funds, segregated from your own assets
• Business continuity and ICT resilience aligned with DORA
• A complaints-handling procedure and a conflicts-of-interest policy and register
• An outsourcing policy and register for any critical or important functions
• Record keeping and an immutable audit trail for every client action

The ten services map cleanly to software modules, from custody and trading-platform operation to order execution and transfer services. See the full mapping on our MiCA compliance page.

KYC, AML and Travel Rule checklist

Anti-money-laundering controls sit underneath MiCA and are tightening under the EU AML single rulebook (AMLR) and the new authority AMLA. The crypto Travel Rule itself comes from the Transfer of Funds Regulation (Regulation (EU) 2023/1113), not from MiCA, and applies to crypto transfers from 30 December 2024.

• KYC and KYB onboarding with identity verification and customer risk scoring
• Sanctions and PEP screening at onboarding and on an ongoing basis
• AML transaction monitoring with explainable risk scoring and analyst alert triage
• Wallet and address screening (KYT) through Chainalysis, TRM Labs or Elliptic
• Travel Rule data exchange using IVMS101 over Notabene, 21 Analytics or VerifyVASP
• Counterparty VASP due diligence and risk-based handling of unhosted wallet transfers
• Suspicious transaction reporting to your national competent authority

The Travel Rule and GDPR pull in opposite directions: one forces you to exchange originator and beneficiary data, the other forces you to minimise it. Build IVMS101 payloads over encrypted VASP-to-VASP channels with strict retention limits and a lawful-basis register. Our crypto exchange development and RegTech teams wire these providers in.

Custody and proof-of-reserves checklist

If you hold client crypto-assets, MiCA requires you to safeguard and segregate them. Proof of reserves is an engineering obligation, not a marketing badge.

• Segregation of client crypto-assets and funds from your operational holdings
• A custody policy and clear liability terms for the loss of client crypto-assets
• Real-time reconciliation of on-chain balances against the internal ledger
• Signed wallet-ownership proofs and an append-only ledger
• Periodic Merkle-tree attestation for external assurance
• Integration with institutional custody such as Fireblocks or Copper where relevant

Market abuse and regulatory reporting checklist

MiCA Title VI extends the EU market-abuse regime to crypto-assets admitted to trading. A CASP operating a trading platform must prevent, detect and report abuse.

• Order-book and trade surveillance against statistical baselines
• Detection of wash trading, spoofing, layering and momentum ignition
• Detection of insider dealing around listings, delistings and token events
• Suspicious transaction and order report (STOR) generation for the national competent authority
• Regulatory reporting pipelines and an immutable audit trail feeding every report

Credible surveillance matters because most reported volume on unregulated venues is fabricated: an NBER study found more than 70% of reported crypto trading volume is wash trading.

Token issuer checklist: ART, EMT and the white paper

Token issuers face a different control set. The first job is classification, which sits with your legal counsel: an asset-referenced token (ART) references a basket of assets or rights, an e-money token (EMT) references a single official currency, and other crypto-assets are neither. Significant ARTs and EMTs fall under direct supervision by the European Banking Authority.

• Crypto-asset white paper drafting, version control and notification to the competent authority
• Reserve management and reserve-of-assets attestation for ART and EMT
• Redemption at par and clear redemption rights for holders
• Marketing-communications compliance aligned with the white paper
• Ongoing disclosure and reporting, with enhanced obligations for significant tokens

DORA and operational resilience checklist

DORA (Regulation (EU) 2022/2554) applies to financial entities including CASPs from 17 January 2025. It runs alongside MiCA and cannot be treated as an afterthought.

• ICT-risk management framework and governance
• Incident classification and reporting workflows for major ICT incidents
• A register of information for ICT third-party providers
• Digital operational resilience testing and evidence

How to build MiCA compliance into your software

The pattern that survives a regulatory review is simple: every control writes to one immutable audit trail, so authorisation evidence and regulatory reports are a query rather than a manual scramble. Build the gap assessment first, map your in-scope services and token types against MiCA, the Transfer of Funds Regulation and DORA, then build the controls in priority order. Wire named providers (Sumsub, Onfido, ComplyAdvantage, Chainalysis, TRM Labs, Notabene) behind clean abstractions so coverage is a configuration choice, not a rebuild.

If you want this delivered as one auditable system, Pharos Production builds MiCA compliance software for CASPs and token issuers, aligned with ISO 27001 and SOC 2. Run our MiCA readiness scorecard to see where your gaps are, or request a gap assessment for a fixed-scope estimate in 48 hours. For what it all costs, see our MiCA compliance cost breakdown. We are not a law firm: token classification and CASP authorisation must be confirmed by qualified counsel before launch.