The grandfathering window that allowed crypto businesses to keep operating across the European Union while they pursued authorisation is closing. On July 1 2026, the transitional regime under the Markets in Crypto-Assets Regulation (MiCA) expires in the member states that adopted the maximum runway, and any crypto-asset service provider (CASP) that has not secured full authorisation must cease regulated activity in the bloc or face enforcement from national competent authorities.
MiCA entered application for crypto-asset service providers at the end of December 2024, but the regulation permitted each member state to grant existing firms a transitional period of up to 18 months to continue operating under prior national regimes while their applications were processed. That maximum transitional period now runs out, and the firms that treated the runway as optional rather than urgent are out of road.
The scale of the authorisation bottleneck has become clear over the first half of 2026. More than 40 CASPs have now been fully authorised under MiCA, spanning exchanges, custodians and crypto-brokers, with national regulators in Germany, the Netherlands, Malta and France leading the early grants. But hundreds of firms that operated under national registrations are still waiting, and a meaningful share never submitted a complete application at all.
The prize for clearing the bar is substantial. A single MiCA CASP licence confers passporting rights across all 27 member states, allowing an authorised firm headquartered in one country to serve clients throughout the EU without seeking separate national approvals. That passport transforms the economics of European expansion and is precisely why well-capitalised exchanges and custodians moved early to lock in authorisation.
For non-compliant firms, the consequences are immediate rather than theoretical. National regulators have signalled they will move from supervisory engagement to enforcement, including orders to cease activity, public warnings, and referral of unauthorised solicitation to criminal authorities in some jurisdictions. Exchanges face the prospect of being forced to offboard EU clients, custodians risk losing the ability to hold client assets, and crypto-brokers may have their marketing channels shut down.
ESMA has been explicit about the supervisory posture. In its guidance to national competent authorities, the European Securities and Markets Authority stated that 'entities providing crypto-asset services without the required authorisation after the expiry of transitional measures are operating in breach of the regulation, and competent authorities are expected to take appropriate enforcement action.' The language leaves little room for firms hoping for further forbearance.
What firms must do now depends on where they sit in the process. Those with applications under review should be finalising substance requirements, governance documentation and prudential safeguards with their national regulator. Those without a viable path to authorisation must either wind down EU-facing activity in an orderly way, pursue acquisition by an authorised entity, or relocate to a non-EU jurisdiction and geo-block European clients. The one option that no longer exists is continuing as before.
Subscribe to our newsletter
Get regulatory and fintech intelligence delivered to your inbox. No spam, just signal.