ESMA Draws the Final Line on MiCAR Transition

Authorisation is no longer a trajectory, it is a condition of being in the market

There comes a stage in every regulatory rollout where transition stops being a matter of interpretation and becomes a matter of law.

For MiCA, that stage is approaching quickly.

The framework is still, in a technical sense, mid-implementation for certain firms, specifically those that were already operating before MiCA and have been using the transitional window to move into the new regime. New entrants, by contrast, have never had that flexibility. For them, MiCA compliance has been a day-one requirement.

That distinction is now starting to disappear.

With its April 2026 statement, ESMA is effectively closing that window. It is not revisiting the framework or adding new obligations, but clarifying how the end of the transitional period should be understood in practice, in terms of what firms can actually continue to do from 1 July 2026 onwards.

And once read in that light, the message is difficult to soften. After that date, providing crypto-asset services in the EU without MiCA authorisation is not a matter of being “in transition” or “pending approval”. It is a breach of EU law, and the expectation is that such activity stops.

The transitional period was a conversion mechanism, not a grace period

The MiCA transitional period was never intended as an open-ended buffer for firms to get ready at their own pace.

It was designed for a specific category of firms: those that were already legally operating under national regimes before MiCA entered into force. For them, the transitional framework created a pathway: either to obtain a MiCA authorisation, or, where relevant, to rely on existing financial permissions through notification mechanisms where national regimes allowed that.

But that pathway always had a defined endpoint.

The underlying assumption was not that firms could continue operating indefinitely while moving toward compliance. It was that existing activity would be converted into a MiCA-compliant setup within a limited window.

That distinction becomes critical now. Because what ESMA is making clear is that this is not a question of having applied for a licence, or being somewhere in the process by 1 July 2026. The relevant question is whether the authorisation is in place.

Pending status does not extend the transitional period. And this is also where some of the confusion in the market comes from.

Many firms have operated under AML registrations, Travel Rule obligations, or more recently DORA-related requirements, and have treated those as indicators of being “regulated”. But those frameworks were never designed to determine who is allowed to operate in the market.

MiCA does that. And from July 2026, access to the EU crypto market is conditional on MiCA authorisation being granted: not on partial compliance, not on parallel regimes, and not on being mid-process.

A fragmented rollout, but a single legal endpoint

The way the transitional period has been implemented across the EU has been anything but uniform.

Member States were given discretion in how they applied transitional measures, and the result has been a landscape where timelines diverged. In some jurisdictions, transitional regimes have already expired. In others, firms continue to operate under nationally defined transition frameworks.

But there are also cases where the situation is more structurally problematic.

In jurisdictions such as Poland, the issue is not simply timing. It is the absence of a fully operational national framework around MiCA. There is no complete local implementation layer, and more importantly, no fully designated and operational competent authority to receive and process MiCA authorisation applications.

This creates a fundamentally different kind of risk.

It is not a question of firms operating under temporary permissions or extended timelines. It is a situation where firms may not have a functioning supervisory entry point into the MiCA regime at all; meaning that, despite being expected to comply with MiCA from July 2026, they may not have had a clear procedural pathway to obtain authorisation in the first place.

ESMA’s statement does not accommodate this distinction.

The transitional period ends across the Union on 1 July 2026, irrespective of whether MiCA has been implemented at the national level.

The implication is direct and difficult to avoid. A lack of national infrastructure does not extend the transitional period, does not delay the application of MiCA, and does not create a safe harbour for continued activity. For firms caught in this position, the regulatory expectation and the institutional reality may not fully align but the legal endpoint remains unchanged.

Two states only: authorised or not, and pending is not a category

What sits at the centre of the statement is not a deadline, but a classification.

From 1 July 2026, firms fall into one of two categories. They are either authorised under MiCA, or they are not. There is no intermediate status for firms that have submitted applications, are in advanced discussions with regulators, or expect approval shortly thereafter. The statement does not recognise “pending authorisation” as a basis for continued activity beyond the transitional period.

Instead, it treats lack of authorisation as a trigger for exit. And that exit is expected to be structured.

ESMA requires unauthorised CASPs to have wind-down plans that are not only documented, but operational, credible, and immediately executable. These plans must ensure that clients are offboarded in an orderly way, that assets are transferred either to authorised providers or to self-hosted wallets, and that the process does not result in undue economic harm.

Crucially, by the time the deadline is reached, these plans are expected to have been implemented, not merely prepared.

The market does not disappear, it is reassigned

One of the more interesting aspects of the statement is that it does not treat the end of the transitional period as a contraction of the market. It treats it as a redistribution.

ESMA places explicit expectations on authorised CASPs to actively manage the migration of clients currently serviced by unauthorised providers, and to take the necessary steps to onboard those clients ahead of the deadline, applying full AML/CFT controls in the process.

This has two implications.

First, the transition is not limited to firms that are exiting. It also creates operational pressure on firms that remain, particularly in terms of onboarding capacity, compliance infrastructure, and client due diligence.

Second, it recognises that the risk at the end of the transitional period is not only non-compliance, but disruption (stranded clients, inaccessible assets, or rushed migrations that introduce financial crime or operational risks).

In that sense, ESMA is not only closing the door on unauthorised activity. It is also managing how the market reconstitutes itself inside the authorised perimeter.

Third-country models and group structures: where the statement becomes precise

The most technically significant part of the statement is not the deadline itself, but how ESMA approaches cross-border activity and intra-group arrangements.

The starting point is familiar: entities established outside the EU cannot provide MiCA services to EU clients, except under the narrow reverse solicitation exception.

But the statement does not stop there. It goes further, and this is where the practical impact becomes much sharper.

ESMA makes clear that this restriction also applies in a business-to-business context, because MiCA prohibits CASPs from outsourcing or delegating certain services, notably custody, to entities that are not themselves authorised.

This closes a line of reasoning that has been present in the market. A number of firms have assumed that it might be possible to operate an EU-authorised entity at the front end, while relying on non-EU affiliates for core functions on an intra-group basis.

What ESMA is effectively saying is that this distinction will not hold if, in substance, services are still being provided to EU clients through unauthorised entities.

The question is no longer where the legal entity sits in the contractual chain, it is where the service is actually performed, and by whom. And this is where the statement becomes less about formal compliance and more about functional analysis.

If custody is effectively controlled by a non-authorised entity, if execution is routed through a non-EU affiliate, or if the client relationship is, in practice, serviced outside the authorised perimeter, then the presence of an authorised EU entity at the surface level does not resolve the issue.

Reverse solicitation, in this context, is not presented as an alternative model. It is described as a narrow exception, and the framing suggests that any attempt to scale it into a systematic approach to EU market access will face scrutiny.

A warning to consumers that doubles as a warning to firms

The consumer section of the statement is framed in straightforward terms: verify your provider, check the ESMA register, understand which entity you are dealing with.

ESMA emphasises that MiCA protections apply only to the specific authorised legal entity in the EU, not to other entities within the same group, and not to non-EU affiliates operating under the same brand.

This matters because much of the crypto market has historically operated through unified branding across multiple legal entities.

What the statement is doing is separating brand from legal reality. If a client signs up through a platform that presents itself as a single service, but is in fact contracting with a non-authorised entity, the regulatory consequences follow that legal relationship, not the brand.

For firms, this places pressure on how they design onboarding flows, disclosures, contractual structures, and even user interfaces.

NCAs are being pointed to specific pressure points

The final section of the statement, addressed to national competent authorities, is relatively concise, but it is unusually targeted.

NCAs are not simply asked to supervise the transition, they are given a clear indication of where to look.

They are expected to verify the existence and adequacy of wind-down plans, to ensure those plans are implemented in a timely manner, and to take action against unauthorised service provision after the transitional period ends.

But more importantly, they are instructed to scrutinise client migration strategies and to ensure that authorised CASPs are taking timely steps to onboard EU clients currently serviced by unauthorised providers, including where those providers are part of the same group.

This last point is particularly important. It signals that supervision will not be limited to standalone firms operating outside the perimeter. It will extend to group-level structures, where unauthorised entities may continue to play a role in servicing EU clients indirectly.

In practice, this means NCAs are likely to focus on questions such as:

• Which entity is actually contracting with the client?

• Where are assets held and who controls them?

• Which entity performs execution, routing, or order handling?

• Are outsourcing arrangements masking continued reliance on non-authorised entities?

This is not a formal checklist, but it reflects the direction of travel. The emphasis is on substance over structure, and on identifying where business-as-usual models persist behind formally compliant setups.

Conclusion: the perimeter is no longer negotiable

What ESMA has done with this statement is not to introduce new rules, but to close interpretive space. The transitional period was always meant to end. What this document does is clarify what that ending looks like in practice.

From July 2026, the EU crypto market is no longer defined by a mix of national regimes, temporary permissions, and partial compliance frameworks.

It is defined by MiCA. And within that framework, participation is conditional:

• Authorisation must be obtained

• Operations must sit within the authorised entity,

• Client relationships must be properly migrated

• Cross-border or intra-group structures must not reintroduce unauthorised activity through the back door

There is no longer a spectrum of being “closer” or “further” from compliance. There is only the question of whether a firm is inside the system, or outside it.