Cross-border crypto services in EU under MiCA: What you need to know in 2026

Before MiCA, if you ran a crypto exchange in Germany and wanted to serve customers in Spain, you had to apply for a separate license in Spain. Same for France. Same for Italy. It was slow, expensive, and messy. That changed on December 30, 2024, when the second phase of the Markets in Crypto-Assets (MiCA) regulation fully kicked in. Now, a single authorization from one EU country lets you offer crypto services across all 27 member states. It’s called the EU passport-and it’s rewriting the rules for how crypto businesses operate across borders.

How the EU crypto passport works

The passport isn’t a physical document. It’s a legal right. Once a crypto service provider (called a CASP-Crypto-Asset Service Provider) gets approved by its home country’s regulator-say, Germany’s BaFin-it can start offering services in any other EU country without reapplying. All it needs to do is notify its home regulator and the target country’s authority. That’s it. No extra fees. No extra paperwork. No waiting six months for approval in each new market.

This isn’t just convenient. It’s transformative. Before MiCA, startups had to choose: focus on one country and grow slowly, or try to juggle 27 different rulebooks. Now, a small team in Estonia can serve clients in Portugal, Poland, and Romania under one license. That’s the power of harmonization.

But here’s the catch: you can’t just apply anywhere. The passport only works if you’re based in an EU member state. And you can’t skip the rules. Every CASP must meet strict requirements: keep client funds safe, disclose all risks clearly, prevent market manipulation, and maintain enough capital to cover losses. If you’re serving more than 15 million active users in the EU, you’re labeled a “significant” CASP-and you answer directly to ESMA, the European Securities and Markets Authority.

What services need a license?

MiCA doesn’t just cover big exchanges like Binance or Coinbase. It applies to anyone offering crypto-related services to EU users-even if it’s not their main business. That means:

• Crypto exchanges (buying, selling, trading)
• Custodial wallet providers (holding your private keys)
• Token issuers (launching new coins or tokens)
• Stablecoin operators (like USDT or EURC)
• Platforms that let you earn interest on crypto
• Even fintech apps that embed crypto trading into their service

If you’re holding keys for users, you’re treated the same as a centralized exchange. No shortcuts. No “we’re just a tech company” excuse. If you’re handling crypto assets for EU customers, you need a CASP license.

What about non-EU companies?

This is where things get tough. If you’re based outside the EU-say, in the U.S., Singapore, or Dubai-you can’t just offer services to EU customers anymore. MiCA says: if you want to actively market or solicit EU clients, you must set up a legal entity inside the EU and get a full CASP license.

There’s one narrow exception: reverse solicitation. That means an EU customer finds you on their own-no ads, no emails, no website targeting EU users-and reaches out to you. Even then, ESMA’s guidelines make this nearly impossible to rely on. Most regulators treat it as a loophole, not a strategy.

Major international exchanges like Kraken and Bybit have already opened EU subsidiaries. Coinbase set up its EU headquarters in Ireland. Even smaller firms are opening offices in Malta, Lithuania, or Spain just to get the passport. If you’re not in the EU legally, you’re not in the EU market.

Stablecoins face extra scrutiny

Not all crypto-assets are treated the same. Stablecoins-tokens pegged to euros, dollars, or other assets-are under the microscope. MiCA requires them to:

• Hold reserves in liquid, low-risk assets
• Allow users to redeem their tokens for the underlying asset at any time
• Prove their reserves are fully backed, with regular audits
• Have contingency plans if the peg breaks

Tether (USDT) and Circle (USDC) had to adjust their reserve structures. New stablecoins like EURC (by Circle) were designed from the start to comply. If you’re launching a stablecoin today and want it to work in the EU, you need to build MiCA compliance into your code, not bolt it on later.

Anti-money laundering rules are tighter

MiCA doesn’t replace the EU’s Anti-Money Laundering Directive (AMLD)-it layers on top of it. That means CASPs must:

• Verify the identity of every customer (KYC)
• Monitor transactions for suspicious patterns
• Report anything unusual to national financial intelligence units
• Keep records for at least five years

This isn’t optional. Regulators now share data across borders. If a user is flagged in France, that alert follows them to Spain. If your system doesn’t catch it, you’re at risk of fines-or worse, losing your license.

What’s changed since December 2024?

The full rollout of MiCA’s second phase on December 30, 2024, marked the end of the transition period. As of January 2026:

• 15 EU countries have already closed their transitional periods ahead of schedule
• ESMA has issued detailed rules on capital requirements, stress testing, and executive pay for token issuers
• National regulators are setting up joint oversight teams for cross-border CASPs
• Over 80 firms have received full CASP authorization across the EU

The market is shifting. Smaller, non-compliant platforms have shut down or left the EU. Larger players are investing in compliance teams and legal infrastructure. The cost of entry is higher-but so is the reward. The EU is now the most predictable, transparent crypto market in the world.

Who wins? Who loses?

Big firms with deep pockets win. They can afford the legal teams, compliance software, and EU offices. They get the passport and scale fast.

Startups lose-if they don’t plan ahead. The cost of a CASP license can run into hundreds of thousands of euros. The paperwork is complex. The deadlines are strict. Many small players are stuck. Some are pivoting to non-EU markets. Others are partnering with licensed providers to use their passport as a backdoor.

The EU didn’t design MiCA to help startups. It was built to protect consumers, prevent financial crime, and bring crypto into the same regulatory box as banks. Whether that’s good or bad depends on your perspective. But one thing’s clear: if you’re doing crypto business in Europe, you’re now playing by EU rules.

What’s next?

MiCA isn’t the end. It’s the beginning. ESMA is already working on rules for decentralized finance (DeFi), non-fungible tokens (NFTs), and algorithmic stablecoins. The EU is watching how other regions-like the U.S., UK, or Japan-handle crypto. If those places move toward similar rules, MiCA could become the global standard.

For now, if you’re offering crypto services to EU customers, there’s only one path: get licensed. No shortcuts. No workarounds. No hoping the rules will change. The EU has spoken. And it’s not backing down.