In a previous alert, Crypto-Asset Services and Grandfathering Under MiCA: Clarity From ESMA, we noted that the provisions of the Markets in Crypto Assets Regulation (MiCA) governing crypto-asset service providers (CASPs) is due to come into effect on 30 December 2024.
As part of its ongoing efforts to put in place implementing measures for MiCA, the European Securities and Markets Authority (ESMA)1 on 16 October 2024 published an opinion urging the European Commission to give effect to ESMA’s original proposal for the MiCA Regulatory Technical Standards on CASP notifications and CASP authorisations (Draft RTS) by amending the text of MiCA itself.
The Draft RTS had contained requirements for CASP applicants to provide the results of an external cybersecurity audit, an assessment of the good repute of the members of the management body, and checks on the absence of penalties in areas other than commercial law, insolvency law, financial services law, anti-money laundering and counter-terrorist financing, fraud, or professional liability (additional requirements).
In putting forward its version of the Draft RTS, the commission scaled back these requirements to match the list in MiCA, which limits the information requirement to “the absence of penalties imposed under the applicable commercial law, insolvency law and financial services law, or in relation to anti-money laundering, and counter-terrorist financing, to fraud or to professional liability.”2
The commission noted that the additional requirements would create “a new obligation to conduct an external audit which is not foreseen under the [Digital Operational Resilience Act (DORA)]3 and which is not covered by the mandate under MiCA. In addition, this obligation links this cybersecurity audit with the threat-led penetration testing tests which are more specific and regulated under separate provisions under DORA.”
As we have discussed before, in ELTIF 2.0 RTS: Commission Orders ESMA to Think Again, this is not the first time in 2024 that the commission has pushed back on an ESMA proposal. It is clear that the commission is nervous about ESMA imposing burdens on the crypto industry that MiCA itself does not clearly mandate.
ESMA’s response is interesting in that it has said, in effect: “If that is what the law says, it needs to change.” Even if the MiCA text remains unchanged, there is a chance that the Draft RTS may still be adopted as ESMA had originally proposed because European Parliament and the Council will have three months to object to the commission’s version of the Draft RTS.
Background
MICA requires ESMA to submit RTS to further specify:
- The information to be included in a notification by certain financial entities of their intention to provide crypto-asset services
- The information to be included in an application for authorisation as CASPs
On 25 March 2024, ESMA published its first final report on draft technical standards
specifying certain requirements of MiCA and submitted it to the commission.
On 3 September 2024, the commission sent two letters informing ESMA that it intends to adopt the two RTS with amendments, which were included in an annex to the letters. The commission invited ESMA to submit new drafts of the Draft RTS that reflect the proposed amendments.
The opinion was published in response to the two letters.
The Opinion
While acknowledging the commission’s interpretation, ESMA reiterated the importance of the policy objectives outlined in its initial proposal, specifically the requirement for a cybersecurity audit conducted by a third-party cybersecurity auditor. To ensure that crypto-asset service providers undergo a thorough screening process before entering the crypto-assets market, particularly with respect to their ICT systems, ESMA recommended that the commission amend MiCA to include the requirement for a third-party cybersecurity audit at the time of authorization.
As to the assessment of good repute, ESMA’s view was that the further information requirements it suggested are “essential” and would enhance clarity for applicants on the specifics of what is required under Article 62(2)(g). ESMA also noted that this amendment does not prevent national competent authorities from requesting further clarifications on the information provided by CASP applicants.
ESMA noted the commission’s limitation of the information to request to the absence of a criminal record in respect to convictions and the absence of penalties imposed under applicable commercial, insolvency, and financial services law; or in relation to anti-money-laundering, counter-terrorist financing, fraud, or professional liability. It noted, however, that a broader review of penalties beyond commercial, insolvency, and financial services law was necessary for a more comprehensive assessment.
As to the need for information about third-party cybersecurity audits, ESMA stressed that technology, particularly distributed ledger technology, is central to the operations of crypto-asset service providers, posing significant risks during the authorization phase. These risks could be mitigated by requiring an external audit as part of the authorization process. The absence of such audits may lead to regulatory fragmentation across the EU due to variations in national frameworks. Therefore, ESMA urged the commission to amend Articles 60(7) and 62(2) of MiCA to ideally include a mandatory third-party cybersecurity audit as part of the notification or application process. ESMA noted that, alternatively, the commission could amend MiCA to allow NCAs to require such audits where justified under the proportionality principle.
How Goodwin Can Help With MiCA
At Goodwin, we are dedicated to helping companies navigate the complexities of new EU regulations, including MiCA. Our team of legal experts specializes in EU law and works closely with regulators across member states to ensure that businesses are fully compliant with the evolving regulatory landscape.
In any case, now is the time to start your compliance journey with MiCA, which is introducing a comprehensive and harmonized framework for the regulation of crypto-assets across the EU and the broader cryptocurrency industry.
The regulation will come fully into force by December 30, 2024, giving entities providing crypto-asset services a strict timeline for aligning their operations.
Waiting until the last minute could result in unnecessary risks because MiCA introduces new obligations and oversight mechanisms, particularly for stablecoins and service providers.
Early action ensures a smoother transition under the framework, minimizing disruption and ensuring full compliance by the deadline.
Understanding the challenges posed by this regulation, Goodwin provides tailored support to help businesses anticipate and meet their obligations under MiCA.
We are here to guide you through every step, ensuring your company is prepared for the regulation’s entry into force and compliant with its stringent requirements.
With our expertise, we ensure that your operations align with EU standards, safeguarding both consumers and businesses. Let us help you navigate this complex framework and turn regulatory challenges into opportunities for growth and innovation.
[1] ESMA is an independent authority accountable to European Union institutions and is responsible for securities and capital markets supervision. It aims to do so across financial sectors by working in collaboration with other European Supervisory Authorities competent in the field of banking and insurance and occupational pensions. ESMA takes into consideration the fundamental changes in the financial markets that are driven by the growing importance of sustainability and by accelerating technological innovation.
[2] See Articles 62(3)(a) and (c).
[3] See our most recent alert on DORA and our microsite that addresses DORA and the similar regime in the UK.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
Contacts
- /en/people/h/henderson-andrew
Andrew Henderson
Partner
