CASP Outsourcing 2026 — MiCA Article 73 Compliance Framework

What Article 73 covers

MiCA Article 73 sets the outsourcing framework for crypto-asset service providers. The article operates alongside DORA Articles 28-30 (ICT third-party risk management) and EBA Guidelines on outsourcing arrangements to create the EU-wide CASP outsourcing compliance landscape.

The framework has four core operational dimensions:

1. Scope of permissible outsourcing — what functions can vs cannot be outsourced
2. Contractual requirements — defined provisions in outsourcing contracts
3. Ongoing oversight obligations — operator’s continuing responsibility for outsourced function performance
4. Supervisor relationship — notification, reporting, supervisor access to outsourced operations

Each dimension produces operational compliance requirements. The framework is materially more demanding than pre-MiCA operators typically experienced.

What can and cannot be outsourced

Permissible outsourcing categories include most operational and ICT functions:

• ICT infrastructure (cloud computing, data centres, network services)
• Customer identity verification technology (Sumsub, Onfido, Jumio, IDnow)
• Sanctions screening services
• Blockchain analytics (Chainalysis, Elliptic, TRM Labs)
• Transaction monitoring technology
• Customer support and contact centre operations
• Accounting and bookkeeping
• Internal audit (with independence requirements)
• Marketing and customer acquisition activity
• Legal and tax advisory

Non-outsourceable functions include senior management responsibility:

• CEO and other senior management roles
• Head of Compliance and MLRO functions
• Board of directors decisions and oversight
• Risk management oversight (executive level)
• Customer asset segregation and protection responsibility
• Regulatory relationship management (executive)

The principle: outsourcing transfers operational performance to a third party, but regulatory responsibility remains with the operator. Senior management cannot delegate the responsibility itself.

Core functions

The Article 73 framework distinguishes core functions from other outsourcing. The distinction matters because core outsourcing triggers additional obligations.

Defining ‘critical or important.’ Functions where defective performance would materially impair CASP regulatory compliance, financial soundness, service continuity, or supervisor ability to oversee operations.

Examples of core outsourcing:

• Custody operations and wallet management
• Transaction execution infrastructure
• AML transaction monitoring system
• ICT infrastructure for core operations
• Customer asset segregation system
• Core banking integration

Additional obligations for core outsourcing:

• Pre-arrangement supervisor notification with detailed information
• Enhanced contractual requirements
• Documented risk assessment and concentration analysis
• Exit framework with realistic transition planning
• Audit rights for operator and supervisor
• Material change notification throughout arrangement

The operator must classify each outsourcing arrangement against the core-function test. Misclassification produces compliance exposure if supervisor later determines arrangement should have been treated as critical.

Contractual requirements

Article 73 and supporting EBA Guidelines require specific contractual provisions:

Data location and processing. Where customer data and CASP-operational data are processed. Restrictions on data movement. Compliance with EU data protection requirements.

Sub-contracting transparency. Provider’s sub-contracting must be disclosed. CASP must approve material sub-contracting. Sub-contractors face flow-down contractual obligations.

Audit and inspection rights. CASP retains audit rights over outsourced function. Supervisor has access rights to inspect outsourced operations. Audit framework specified contractually.

Service level provisions. Defined performance standards, monitoring framework, escalation procedures, service credits or remedies for shortfalls.

Security requirements. ICT security standards aligned with CASP’s broader security framework. Incident notification obligations. Information-security audit requirements.

Confidentiality and data protection. Provider obligations on customer data, CASP confidential information, regulatory information. GDPR controller-processor framework where applicable.

Termination and exit assistance. Termination rights including for breach, regulatory required termination, business reason. Exit assistance obligations including data return, transition support, knowledge transfer.

Cooperation with regulator. Provider cooperation with CASP supervisor including data access, audit support, information requests.

These provisions must be documented contractually rather than implied. Operators that work from informal arrangements with providers face supervisor concerns and operational exposure.

DORA overlay — ICT third-party risk

DORA Articles 28-30 add ICT third-party risk management framework on top of Article 73 outsourcing requirements. The combined framework applies to ICT outsourcing.

Article 28 — register of ICT third-party providers. CASPs maintain comprehensive register of all ICT third-party providers. The register includes provider information, services provided, criticality classification, contractual terms summary. Supervisor has access on request.

Article 29 — ICT third-party risk management framework. Documented framework for managing ICT third-party risks including:

• Provider selection criteria and due diligence
• Contract negotiation framework
• Ongoing monitoring of provider performance
• Concentration risk management
• Geographic distribution risk
• Exit planning for each material ICT provider

Article 30 — core ICT third-party providers (CTPPs). EU framework for designating CTPPs — ICT providers serving multiple regulated financial-services firms whose failure could create systemic risk. CTPPs face EU-level supervisor oversight by Lead Overseer (typically ESAs through joint framework). Once designated, CTPPs face direct supervisory obligations and EU-wide oversight.

Major cloud providers (AWS, Microsoft Azure, Google Cloud) are expected to be designated CTPPs. This creates additional supervisor visibility into CASP cloud arrangements even where the CASP itself is not directly affected by CTPP designation.

Supervisor notification framework

Article 73 supervisor relationship operates through notification rather than approval:

Core outsourcing pre-notification. Before entering core outsourcing arrangement, operator notifies supervisor with detailed information — provider identity, services, contract summary, risk assessment, exit planning. Supervisor has period to respond, can object or impose conditions.

Ongoing material change notification. Material changes to existing outsourcing arrangements require supervisor notification — provider change, scope change, contract modification, material performance issues.

Material incident notification. Material incidents in outsourced operations require supervisor notification, often through broader incident reporting framework. DORA incident reporting may apply for ICT incidents.

Periodic reporting. Some supervisors require periodic reporting on outsourcing arrangements as part of broader supervisory engagement. Format and frequency varies by member state.

The notification framework is less burdensome than approval would be but produces ongoing supervisor visibility. Operators that engage supervisors well on outsourcing avoid information request loops at authorisation and ongoing supervision.

Exit framework requirements

Article 73 expects realistic exit framework for outsourced functions. Operator must maintain ability to transition out of outsourcing arrangement with reasonable transition runway.

Exit triggers include:

• Provider performance failure
• Provider insolvency or business cessation
• Regulatory required termination
• Material change in provider circumstances (acquisition by third party, geographic change, etc.)
• Operator business decision

Exit planning documentation covers:

• Alternative provider options or in-housing scenarios
• Transition timeline and milestones
• Data return and migration framework
• Customer impact mitigation
• Service continuity during transition
• Cost estimates for exit

Exit testing at appropriate intervals (typically annually or biennially) to verify exit framework remains realistic. Test scenarios cover provider failure, contractual termination, regulatory required exit.

Exit framework is not theoretical compliance documentation. Supervisor expects realistic, tested arrangement. The framework intersects with broader CASP wind-down and business continuity planning under Article 84.

Practical takeaways

CASP outsourcing under MiCA Article 73 + DORA framework is operationally demanding and supervisor-tested. Three principles:

Classify outsourcing against core-function test from the start. Core outsourcing triggers additional obligations. Misclassification produces compliance exposure if supervisor later identifies arrangement as critical.

Build comprehensive ICT third-party register and risk management framework. DORA Article 28-30 framework requires documented register and risk management. Operators that build ICT outsourcing without DORA framework face material compliance gaps.

Plan exit framework realistically and test periodically. Exit framework is a contractual and operational requirement. Theoretical exit planning without realistic alternative providers or migration capability fails supervisor scrutiny.

For corrections, updates, or counsel referrals on CASP outsourcing under MiCA Article 73, email [email protected].