The MiCA regulation entered into force in 2023 and became fully applicable to crypto-asset service providers on 30 December 2024, yet for most of the following eighteen months it remained possible to serve clients in the European Union without actually holding a MiCA licence. National grandfathering rules, permitted under Article 143(3), allowed firms already registered under domestic regimes to keep operating while their applications moved through the queue. That cover expired on 1 July 2026. Any entity providing crypto-asset services to clients in the Union without an authorisation is now in breach of EU law, and the European Securities and Markets Authority (ESMA) has been unusually direct about what it expects to happen next. This article covers what changed at the deadline, why firms established outside the Union are the most exposed, and which parts of the framework the European Commission has already reopened.

What the MiCA Transitional Period Actually Was

Article 143(3) of the MiCA regulation is the provision that made the past eighteen months possible. It allowed any firm that was providing crypto-asset services in accordance with applicable national law before 30 December 2024 to continue doing so until 1 July 2026, or until its MiCA authorisation was granted or refused, whichever came first. The clause was a bridge rather than a concession: it existed so that functioning national markets would not have to switch off on the day a new pan-European regime switched on.

Two details of that bridge are often missed. First, member states were free to shorten the window or to decline to apply it at all, and several did, publishing deadlines that closed well before the Union-wide date. ESMA maintains the list of national grandfathering periods precisely because they diverged. Second, the transitional cover was never available to everyone. Firms that had not been providing crypto-asset services under national law before 30 December 2024 could never rely on it, and neither could firms operating in member states whose own window had already shut. ESMA has also confirmed that the deadline applies irrespective of whether a given member state has finished adapting its national law to MiCA. There is no jurisdiction inside the Union where the clock stopped.

What ESMA Now Expects of Unauthorised Firms

In two public statements, one issued on 17 April 2026 and a second on 23 June 2026, ESMA set out what an unauthorised crypto-asset service provider is required to do rather than what it might reasonably consider doing. The expectation is that a wind-down plan was not merely drafted but implemented by 1 July. The obligations break down as follows.

  1. Stop onboarding, and stop marketing: Unauthorised firms must immediately cease opening new client relationships or accounts, and cease all marketing and solicitation directed at the Union.

  2. Narrow services to an exit path: Service provision must be limited to the actions necessary for clients to sell or transfer crypto-assets, reallocate assets, or close positions. Custody of client crypto-assets may continue only for the period strictly necessary to complete an orderly exit.

  3. Communicate clearly and repeatedly: Clients, both retail and institutional, must be told what is being done to safeguard their assets and by when they need to act. ESMA expects those communications to state a deadline after which any residual positions would be closed automatically.

  4. Keep the financial-crime controls running: Customer due diligence, transaction monitoring, sanctions screening, suspicious activity reporting, and transfer traceability obligations all continue throughout the wind-down. A firm exiting the market does not get to exit its anti-money-laundering obligations on the way out.

  5. Hand clients over cleanly: Where clients migrate to an authorised provider, the receiving CASP performs full onboarding and due diligence itself. The receiving firm inherits the client, not the departing firm's compliance record.

National competent authorities have a matching list. They are expected to verify that wind-down plans exist and are adequate, to take action against the unauthorised provision of crypto-asset services, and to scrutinise client-migration strategies so that an unauthorised group entity does not quietly continue business as usual through an authorised sibling. ESMA has said it will coordinate with the national authorities, the European Banking Authority, and AMLA, the Union's new anti-money-laundering authority.

Authorisation is also not the end of the compliance calendar. Since 1 January 2026, the eighth amendment to the Directive on Administrative Cooperation, which brings the OECD Crypto-Asset Reporting Framework into EU law, has required reporting crypto-asset service providers to collect and report user identity and transaction data to their national tax authority. The first reports are due in 2027, with automatic exchange between authorities following.

Why the MiCA Regulation Reaches Beyond the Union

For a Swiss firm, or any firm established outside the EU, the most consequential sentence in ESMA's June statement has nothing to do with wind-downs. ESMA reminded providers established outside the Union that they cannot provide MiCA services to EU clients or solicit EU clients at all, and that this applies in a business-to-business context as much as a retail one.

There is no third-country equivalence regime for crypto-asset service providers under the MiCA regulation. This is a structural difference from the way the Union treats third-country investment firms or benchmark administrators. A CASP must have a registered office in a member state and must be authorised there. The only opening is Article 61, the reverse solicitation exemption, which disapplies the authorisation requirement where a client established in the Union initiates the service at the client's own exclusive initiative. ESMA's guidelines construe that phrase very narrowly, treat the assessment as a factual one, and state plainly that contractual disclaimers cannot override contrary facts. Reverse solicitation is an exception for isolated cases. It is not an operating model.

Two consequences follow that are easy to overlook. The first is that custody cannot be outsourced around the problem: MiCA prohibits an authorised CASP from delegating certain services, custody among them, to entities that are not themselves authorised as CASPs. A European licence held by a subsidiary does not resolve the status of a group's non-EU custody stack. The second is that MiCA protections attach to the specific authorised legal entity, not to the brand above it. ESMA has warned clients directly that a familiar name operating across several companies and countries offers no guarantee that the entity on the other side of the contract is the authorised one.

The practical answer most Swiss providers have reached is the same: incorporate inside the EU or the EEA, and authorise there.

Where the MiCA Framework Still Breaks

The framework is now binding, which is not the same as finished.

The stablecoin picture is the clearest example. A modest number of e-money token issuers have been authorised, but not a single asset-referenced token issuer has been authorised anywhere in the Union. An entire title of the MiCA regulation has so far produced no market. The institutions also disagree openly about whether a stablecoin may be issued jointly by an EU entity and a third-country entity as a single fungible token. The Commission's own consultation states that MiCA does not currently prohibit such multi-issuance arrangements. The European Systemic Risk Board recommended in September 2025 that they be treated as not permitted, and the European Central Bank argued in an April 2026 paper against allowing them absent a restrictive equivalence regime. That disagreement remains unresolved.

Supervision is fragmented in a way the Commission has proposed to fix. Authorisations are granted nationally and then passported, and the distribution is lopsided: of roughly 280 crypto-asset service providers listed on ESMA's register in early July 2026, Germany accounts for the largest single share, while several member states have authorised none at all. On 4 December 2025 the Commission proposed transferring direct supervision of all CASPs from the national authorities to ESMA. The proposal is still in negotiation between the Parliament and the Council, and several member states have signalled reluctance to surrender supervisory powers. Nothing about it is settled.

The enforcement machinery, meanwhile, is younger than the deadline it is meant to police. MiCA's statutory maximum penalties are severe, reaching up to 12.5% of annual turnover for significant asset-referenced token issuers, but as of July 2026 the European Banking Authority was still consulting on the methodology for calculating fines. Firms may reasonably assume that enforcement will arrive. They should be equally sceptical of any published tally of what has supposedly been levied already.

Finally, the regulation itself is under review. The Commission opened a targeted consultation on 20 May 2026, now running to 30 September 2026, under the review mandate in Articles 140 and 142. It asks about the boundary between crypto-assets and financial instruments, stablecoin rules, CASP requirements, decentralised finance, staking, non-fungible tokens, and the legal treatment of tokens. The regulatory clarity that privacy-preserving blockchain design has been waiting for - a gap noted in the year on-chain got quieter - is being written inside that consultation rather than settled by it.

Institutions Worth Watching

The clearest signal of how the MiCA regulation is reshaping the Swiss market is the route Swiss providers have taken into it. In each case the licence sits with an EU or EEA entity, not with the Swiss parent.

  • SwissBorg: Authorised in France through its subsidiary BlockNodes SAS, licensed by the Autorité des marchés financiers in March 2026.

  • Bitcoin Suisse: Authorised in June 2026 through Bitcoin Suisse (Europe) AG in Vaduz, supervised by the Liechtenstein Financial Market Authority, using the EEA rather than the EU proper as the point of entry.

  • Sygnum: Authorised days later through Sygnum Europe AG, also in Vaduz and also under the Liechtenstein FMA, giving the bank a passportable European base alongside its Swiss banking licence.

  • AMINA Bank: Authorised in Austria through AMINA (Austria) AG in October 2025, described at the time as the first digital-asset bank to hold a MiCA authorisation for crypto-asset services.

Conclusion

The MiCA regulation has moved from a framework firms were preparing for into one they are either inside or outside of, with very little space between the two. The transitional period is gone, the reverse solicitation exemption is narrower than most offshore operators would like it to be, and ESMA has made clear that an unauthorised provider's remaining job is an orderly exit rather than a quieter version of the same business. At the same time, the framework being enforced has visible gaps: no authorised asset-referenced token issuers, an unsettled argument about multi-issuance stablecoins, supervision that may yet move to Paris, and a fines methodology still out for consultation. For teams building in Zug and selling into Europe, the sensible posture is to treat the licence as the beginning of the work rather than the end of it, and to follow the review closely. The rules are settled enough to build on, and unsettled enough to be worth influencing.