MiCA Is Not Coming. It Is Here. And the Clock Has Nearly Run Out.

What most firms still misunderstand — and why it will cost them

The Markets in Crypto-Assets Regulation did not layer new rules on top of existing ones. It dismantled the entire national patchwork of VASP registrations and replaced it with a single, harmonized authorization regime across all 27 EU member states. The firms that treated this as an incremental compliance update are the firms now scrambling.

The most dangerous misconception we encounter is that an existing VASP registration carries over. MiCA does not provide a simple paperwork renewal. Firms must undergo a comprehensive authorization process. The new requirements are substantially broader than the AML-focused rules that underpinned national VASP regimes. The firms that discovered this late are now submitting applications under time pressure, which is precisely the condition under which regulators increase scrutiny.

The second misconception is that Germany’s transitional period provides breathing room. It does not. Germany chose a 12-month transitional period, meaning the window concluded by the end of 2025. If you are operating a crypto-asset service in Germany today without a MiCA license, you are already outside the transitional protection. The 1 July 2026 EU-wide deadline is not a new starting point. For German firms, it was never available in the first place.

MiCA is beginning to separate institutional-grade firms from firms that still operate like startups

Germany leads the EU in CASP licenses issued at 18, followed by the Netherlands at 14. The first wave of approvals landed on 30 December 2024. Peak months for new license issuances were May through July 2025.

That pipeline is not a coincidence. The firms licensed today started their applications 12 to 18 months ago. They understood something that late movers still resist: a MiCA license is not a document you submit. It is an operating structure you build and then demonstrate to a regulator who has every incentive to reject an application that looks assembled under pressure.

Those firms are now passporting across the EU. They are in conversations with institutional partners and corporate treasury teams that will not engage with unlicensed counterparties. They are capturing the stablecoin treasury opportunity that MiCA has unlocked. Every month you remain unlicensed is a month they extend that lead.

What regulators are actually looking for — and where firms fall apart

Most MiCA commentary focuses on checklists. That is the wrong frame entirely.

When BaFin reviews your application, there is one question underneath every other question: is there a real institution here, or is there a product with a governance structure built around it at the last minute? Regulators are experienced at distinguishing between the two. The answer is almost always visible within the first fifty pages of the application.

The firms that fail or stall are not failing on technical grounds. They are failing on structural ones, and the failure patterns are consistent.

Governance that looks correct on the organogram but does not hold up under questioning. Management teams that are technically qualified but where the independence of control functions from commercial operations is asserted rather than demonstrated. A compliance officer who reports to the CFO. An MLRO whose job description was written the week before submission. BaFin will find it.

AML and KYC frameworks that were designed for the business as it was, not as it is. A firm that has scaled from 1,000 to 100,000 customers on a framework written in an earlier phase is presenting a regulator with evidence that compliance has not kept pace with growth. The monitoring logic, the customer risk categorization, the escalation procedures, all of it needs to reflect actual transaction flows and actual customer profiles. Generic templates survive internal sign-off. They do not survive regulatory scrutiny. And regulators know the difference immediately.

Outsourcing and cloud arrangements that are operationally real but regulatorily invisible. Most crypto firms are deeply dependent on third-party infrastructure: cloud providers, custody solutions, screening tools, and data vendors. Under MiCA and DORA, every material dependency must be documented, risk-assessed, contractually governed, and actively monitored. Firms that treated infrastructure as an IT procurement decision rather than a regulatory obligation are now rebuilding that framework under deadline pressure. And rebuilding governance under regulatory pressure is always more expensive than building it early.

A business plan that reads like a pitch deck. Regulators are not your investors. They are not persuaded by market opportunity slides and user growth projections. They want a structured, detailed description of your operating model, your actual cost base including compliance costs, your capital maintenance logic, and a phased expansion plan that is internally consistent. A business plan that cannot answer the question “how does this firm stay solvent and compliant at twice its current scale” will generate questions your team cannot answer quickly.

The transition period trap — a closing door, not a safety net

There is a specific consequence of remaining in the transitional period that firms consistently underestimate.

Relying on the transition period is a high-risk strategy. It delays your ability to scale across the EU and forces you to compete against fully-licensed MiCA firms that can passport their services immediately. A firm operating under transitional protection in Germany is effectively a domestic firm. Even if your firm is grandfathered in its home state, you cannot use the EU passport to offer services in other member states until you receive your full MiCA license. Every month spent in the transitional window rather than in the licensed regime is a month of foregone EU market access, while your licensed competitors are already there.

And the window is narrowing in another direction too. ESMA has warned explicitly that last-minute authorization applications will be subject to heightened regulatory scrutiny, and that national regulators are expected to enforce against firms continuing to provide services without approval. This is not a bureaucratic warning. It means that an application submitted in June 2026 will be reviewed differently than one submitted in January 2026. The content may be identical. The regulator’s posture will not be.

The stablecoin opportunity — only for firms that are ready

Beyond the deadline, MiCA has created something that has not existed in European finance before: regulatory certainty for stablecoins at scale. The first meaningful integration of stablecoins into German corporate treasury operations is arriving in 2026, driven precisely by the clarity MiCA provides.

Corporate treasury teams do not experiment with unregulated infrastructure. They will not take a meeting with a counterparty that cannot demonstrate MiCA authorization. The opportunity is real, it is large, and it is structurally closed to unlicensed firms.

The firms that will capture corporate treasury relationships in the digital asset space are the firms that are already licensed. Not the firms that are planning to be.

The question is not whether you have time. It is whether your structure can support the application.

At msg for banking, we have supported CASP license applications with multiple European regulators in live regulatory processes, with real clients, over the past 24 months. We know what each authority expects at submission, how they engage during the review period, and where applications encounter difficulty.

What we consistently find is that the timeline pressure is real. The firms that prepared early still have room to execute, if the operating structure is right. What is not manageable is submitting an application built on governance that was assembled rather than grown, AML frameworks that were written rather than operated, and outsourcing arrangements documented for the first time shortly before submission. Regulators have reviewed enough applications to recognize the difference immediately.

The firms we work with arrive at submission with an operating model that regulators can interrogate, test, and ultimately find credible. That is what determines whether an application succeeds, whether it stalls for six months of back-and-forth, or whether it fails.

1 July 2026 is eight weeks away. A MiCA application takes months. The governance and control framework it requires takes longer to build than most firms expect, which is why the firms that waited are now the firms under the most pressure.