PROVIDERS 139 0 NEW CATEGORIES 28 28 ACTIVE SERVICES 304 0 NEW ODD 2 1.4% USERS 564 1 NEW AVG:RATING 3.7 0 RECENT VIEWS:TODAY 9 0 LAST HR INTROS 4 0 7D TOP:CATEGORY OTC DESK 66 ACTIVE:NOW 0 USERS
COUNTERPARTY CATALOGUE
Compliance

Overview and summary of EU MiCA custody compliance requirements

By DigOpp Updated June 20, 2025
Overview and summary of EU MiCA custody compliance requirements

EU MiCA is the EU’s 2023/1114 regulation that standardises crypto-asset markets. It sets clear rules for authorisation, custody, asset segregation, disclosure, AML/KYC, and prudential reserves to protect investors and ensure stable, transparent digital-asset operations.

EU MiCA establishes a comprehensive framework for crypto-asset activities in the EU. It mandates authorisation, operational requirements, asset segregation, and prudential safeguards for providers and token issuers.

  • Implement internal controls and risk assessment for AML/KYC.
  • Obtain authorisation as a legal entity.
  • Legally and operationally segregate client and reserve assets.
  • Maintain prudential safeguards (own funds, insurance, or guarantee).
  • Ensure third-party custody for asset-referenced token reserves.
  • Report periodically on asset-referenced token metrics and reserves.
  • Conduct independent audits of asset-referenced token reserve assets.
  • Establish systems to prevent and report market abuse.

Who does the EU MiCA regulation apply to, and what is its scope?

EU MiCA applies broadly to entities issuing, offering, trading, or servicing crypto-assets in the EU. It covers issuers, offerors, trading-platform operators, and crypto-asset service providers (CASPs), with specific exclusions. The rules also apply to any person involved in market abuse concerning covered crypto-assets.

  • Applies to entities issuing, offering, trading, or servicing crypto-assets in the EU.
  • Excludes central banks, insolvency administrators, and internal group services.
  • Persons offering or seeking trading admission must be legal persons.
  • Crypto-asset service providers must be authorised legal entities.
  • Issuers of asset-referenced tokens must be authorised entities or credit institutions.
  • Issuers of e-money tokens must be authorised credit or electronic-money institutions.
  • Market-abuse rules apply to any person concerning traded crypto-assets.

What are the Operational and Audit Requirements for EU MiCA Compliance?

Under EU MiCA, crypto-asset service providers and token issuers must meet specific operational and audit requirements. These include regular reporting on token metrics and reserves, conducting independent audits of reserve assets, and implementing market-abuse controls.

  • Report quarterly on large ART metrics (holders, value, reserves, volume).
  • Apply quarterly-reporting rules for ARTs to non-EUR e-money tokens.
  • Publicly disclose ART circulation, value, and reserve composition monthly.
  • Publish full and summary audit reports on ART reserve assets promptly.
  • Conduct independent audits of ART reserve assets every six months.
  • Notify authorities and publish results of six-monthly ART reserve audits promptly.
  • Establish systems to prevent, detect, and report market abuse for transaction services.

AML/KYC Requirements

Under EU MiCA, firms providing crypto-asset services must implement robust internal controls and risk-assessment frameworks to combat money laundering and terrorist financing. Competent authorities rigorously evaluate applications and ongoing compliance based on these measures, management suitability, and cooperation with AML authorities.

  • Submit internal-controls and risk-assessment frameworks with applications.
  • Ensure management and owners have no AML/CFT criminal records.
  • Cooperate with AML authorities during application and supervision.
  • Notify authorities of material changes to risk assessment.
  • Implement enhanced due diligence for high-risk third countries.
  • Prevent admission of crypto-assets with inbuilt anonymisation without identification.
  • Refuse or withdraw authorisation if serious ML/TF risks exist.

What are the rules for Control of Key Material and safe-keeping under EU MiCA?

Under EU MiCA, custody services explicitly include controlling private cryptographic keys. Reserve assets for asset-referenced tokens (ARTs) and significant e-money tokens (EMTs) must be held by separate, authorised third-party custodians, which are required to hold the keys for crypto-asset reserves.

  • Define custody services to include private cryptographic keys.
  • Require third-party custody for asset-referenced token reserve assets.
  • Mandate the custodian to be a separate legal entity from the issuer.
  • Require custodians of crypto-asset reserves to hold the keys.
  • Apply similar requirements to significant e-money-token reserve assets.
  • Allow authorised CASPs to use other authorised CASPs as sub-custodians.

What are the EU MiCA requirements for cryptographic key locality?

The reviewed MiCA documentation does not specify requirements for the locality of cryptographic keys used in signing operations.

What are some notes on idiosyncratic details under EU MiCA?

EU MiCA contains several specific provisions and exclusions, covering non-fungible tokens, certain decentralised services, withdrawal rights for retail holders, rules for white papers, and transition periods for existing entities.

  • Exclude unique and non-fungible crypto-assets (NFTs) from scope.
  • Allow white papers and trading rules in a customary international-finance language.
  • Grant retail holders a 14-day right of withdrawal under specific conditions.
  • Prohibit granting interest on asset-referenced and e-money tokens.
  • Safeguard EMT funds by depositing 30 % and investing the rest securely.
  • Prohibit trading platforms from admitting crypto-assets with inbuilt anonymisation unless holders can be identified.
  • Apply transition periods for existing national crypto-asset service providers and issuers.

Does EU MiCA specify requirements for Backup Keys?

Requirements regarding the backup of private keys for crypto-asset services under EU MiCA are not detailed in the reviewed documentation.

  • No specific requirements for backup keys are provided.

What are the prudential safeguards and insurance requirements for crypto service providers under EU MiCA?

Crypto-asset service providers, including custodians, must maintain prudential safeguards that can be satisfied through own funds, insurance, or a comparable guarantee. If using insurance, the policy must meet public-disclosure and coverage requirements for risks such as liability for loss of custodied assets.

What Bankruptcy-Remote and insolvency protections does EU MiCA require for crypto assets?

EU MiCA requires measures to protect client and reserve assets from provider or issuer insolvency, including segregation, safeguarding ownership rights, and ensuring assets are not used for the provider’s own account. An orderly-redemption plan is also mandated for asset-referenced tokens.

  • Legally and operationally segregate client crypto-assets from the provider’s estate.
  • Legally and operationally segregate asset reserve from the issuer’s estate.
  • Safeguard clients’ ownership rights to held crypto-assets.
  • Ensure client crypto-assets are not used for the provider’s own account.
  • Ensure reserve assets are not encumbered or pledged.
  • Protect reserve assets from claims by the custodian’s creditors.
  • Maintain a redemption plan for asset-referenced tokens in insolvency.

What are the requirements for Asset Segregation and client-asset protection under EU MiCA?

Firms handling crypto-assets or issuing tokens must segregate client and reserve assets from their own. This protects client ownership rights and ensures assets remain accessible, particularly in insolvency scenarios.

  • Segregate client crypto-assets and funds from own assets.
  • Protect client ownership rights, particularly in insolvency.
  • Prohibit using client assets or funds for the provider’s own account.
  • Maintain a custody policy ensuring reserve assets are segregated and accessible.
  • Legally and operationally segregate reserve assets for each token.
  • Use segregated accounts or registers identifying specific reserves.
  • Deposit a minimum percentage of e-money-token funds in separate accounts.

SOURCE LINKS

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32023R1114

← Back to Articles