Regulatory authorities call for reform of the MiCAR regulation

The European Regulation on Crypto-Assets (MiCAR) has been fully applicable for just over nine months. Transitional periods still vary depending on the EU Member State. However, discrepancies in the application of the regulation among Member States have already emerged. This development could have far-reaching consequences for market participants.

1. Regulator Shopping as a Systemic Risk

The dispute arose from differing supervisory practices among EU Member States, particularly regarding the licensing of crypto-asset service providers. Under MiCAR, providers that obtain authorization in one Member State are permitted to offer their services throughout the EU. Market participants wishing to provide crypto-related services in Europe must obtain authorization from the competent national supervisory authority—such as BaFin in Germany. Once granted, this authorization can be used across the entire European Economic Area through the so-called 'passporting' mechanism.

Regulatory authorities in several EU Member States are now asserting that there are significant differences in the application of MiCAR. Individual Member States impose varying levels of requirements that must be met to obtain such authorization. This facilitates 'regulator shopping'—the practice of selecting the jurisdiction or supervisory authority with the lowest regulatory thresholds for licensing. It has already been suggested that some Member States are considering no longer recognizing authorizations issued by other EU countries.

Due to the reported lack of uniformity and the potentially resulting risks, supervisory authorities from three EU Member States are now calling for initial reforms to crypto supervision. The three authorities are Austria’s FMA, Italy’s Consob, and France’s AMF.

2. The proposed reform

The three supervisory authorities have put forward four reform proposals for MiCAR, all of which aim at stricter regulation of crypto-asset service providers and a centralization of supervisory responsibilities.

The core demand is that ESMA should exercise direct supervision over significant crypto-asset service providers to ensure uniform application of MiCAR. Without such centralized oversight, it would not be possible to adequately prevent companies from circumventing the high licensing standards of certain Member States by establishing themselves in jurisdictions with lower regulatory requirements.

Furthermore, all intermediaries executing orders related to crypto-assets on behalf of clients should be required to do so exclusively through platforms that are subject to MiCAR or equivalent regulatory frameworks. This measure aims to improve oversight of platforms based in third countries that reach EU clients via intermediaries. The European Commission could be tasked with determining the equivalence of third-country regulations, with support from ESMA.

The supervisory authorities are calling for applicants to undergo an independent IT security audit before being granted authorization as a crypto-asset service provider. Such audits should also be conducted at regular intervals thereafter. The review should specifically assess resilience against cyberattacks, the protection of assets, and the management of security incidents. This measure is intended to enhance the security of crypto markets.

Lastly, a centralized European body within ESMA should be established to analyse crypto-asset white papers submitted by issuers, given that the majority of offerings are directed at citizens across multiple EU Member States.

These demands mark a turning point in European crypto policy—yet their implementation carries both opportunities and risks.

3. Opportunities and risks

The reform proposals put forward by the three supervisory authorities represent a shift in Europe’s position within the global crypto landscape. In the short term, they promise much-needed legal certainty and could help prevent chaotic 'regulator shopping.' Centralized standards would provide market participants with clear and uniformly applicable rules, thereby strengthening the confidence of institutional investors. Moreover, such reforms could prevent unilateral actions by individual supervisory authorities, such as refusing to recognize authorizations issued by other EU Member States.

However, the cost could be high. Excessive centralization risks stifling Europe’s regulatory flexibility, while increased isolation from third-country providers may provoke countermeasures from abroad. Start-ups and smaller providers could be pushed out of the market due to high compliance costs. Moreover, the necessity of an additional IT audit is questionable, particularly in light of the existing requirements under the DORA framework.

In the medium term, the question will be whether Europe can position itself as a secure yet attractive crypto jurisdiction, or whether overregulation will drive innovation and businesses toward more agile markets.

The current disagreements among regulators present both risks and opportunities. It is crucial for market participants not only to remain compliant, but also to be strategically well-positioned as Europe’s crypto landscape undergoes transformation.

With the kind support of Florian Liedtke – Research Assistant