CASP Outsourcing Rules Under MiCA: What You Can and Can't Outsource
MiCA permits CASP outsourcing but bans the offshoring of senior-management substance. Where the line falls in practice is the most-asked operational question of 2026 — and supervisors give different answers.
CASP outsourcing under MiCA's outsourcing rule is the regime governing when and how a Crypto-Asset Service Provider may delegate operational functions to a third party — permitted for ICT, custody-tech, AML-tooling, and back-office functions, prohibited for the senior-management responsibilities of the CASP itself, and subject to the DORA Title V register requirement when the third party is an ICT services provider.
Quick facts
| Parameter | Value |
|---|---|
| Legal basis | MiCA's outsourcing rule (CASP outsourcing) + DORA Title V (ICT third-party risk) + EBA-level outsourcing guidance applied as supervisory reference |
| Permitted to outsource | ICT, custody-tech, AML transaction monitoring, chain analytics, KYC verification, back-office reconciliation |
| Prohibited to outsource | Senior management responsibility, MLRO function (with narrow exception), risk management oversight, compliance oversight |
| Notification requirement | Material outsourcing arrangements notified to home competent authority within 30 days |
| DORA register | All ICT outsourcing recorded in the DORA register of information; critical providers flagged |
| Strictest jurisdictions | Estonia, Malta — narrow reading of permitted outsourcing |
| Most flexible | Cyprus — accepts MLRO outsourcing for small firms; broader reading of permitted scope |
What the outsourcing rule actually says
MiCA’s outsourcing rule permits a CASP to use third parties for the performance of operational functions, provided the arrangement does not impair the quality of the CASP’s internal control or the supervisor’s ability to monitor the CASP’s compliance. The Article enumerates four conditions:
- The arrangement must be set out in writing.
- The CASP must retain the necessary expertise and resources to evaluate and supervise the outsourced functions.
- The arrangement must not be of a nature that delegates senior-management responsibilities.
- The CASP must take steps to avoid undue additional operational risk.
The text is short. The interpretive surface is large. The four conditions interact differently with different business models, and national supervisors have diverged on the operational reading.
What can be outsourced — the practical list
In 2026 supervisory practice across the major EU jurisdictions, the following are routinely accepted as outsourceable:
- ICT and cloud infrastructure. Standard. Subject to DORA Title V documentation.
- Custody-tech provider. A custody operating model often relies on Fireblocks, Copper, Anchorage, or similar. Supervisors accept this if the CASP retains key-management oversight.
- Exchange-tech provider. Order-matching and trading systems sourced from third parties — accepted with DORA documentation.
- KYC verification. Sumsub, Onfido, Veriff, similar. Outsourcing the verification step is permitted; the CASP retains the customer-acceptance decision.
- AML transaction monitoring. Chainalysis Reactor, Elliptic, TRM Labs — all routinely outsourced.
- Chain analytics. Chainalysis KYT, Elliptic Lens — same.
- Sanctions screening. Refinitiv World-Check, ComplyAdvantage — outsourcing the data feed is standard.
- Back-office reconciliation. External accounting and reconciliation services — accepted.
The common pattern is that the execution layer is outsourced while the decision and oversight layer remains in-house. The CASP buys tools and data; the CASP makes decisions and bears responsibility.
What cannot be outsourced
The outsourcing rule explicitly bars outsourcing of senior-management responsibilities. The supervisor expectation extends this beyond the literal management of the firm:
- Senior management decision-making. The CEO, CFO, COO, CTO functions must be in-house with documented authority.
- Risk management oversight. A risk committee or risk function with seniority sufficient to escalate within the firm.
- Compliance oversight. Compliance Officer function — except in narrow Cyprus small-firm circumstances.
- MLRO function — with narrow exceptions, see jurisdictional variation below.
- Internal audit oversight. Internal audit can be outsourced operationally (an external firm performs the audit) but the oversight responsibility — engaging, reviewing, escalating findings — must be in-house.
The boundary case: when does a function shift from “outsourceable execution” to “non-outsourceable oversight”? In every case, the answer is whether the CASP retains the authority to direct the function and the capability to evaluate its output. A KYC provider that the CASP cannot meaningfully evaluate is over-outsourced even if the contract is technically Article-73-compliant.
How does jurisdictional variation work for MLRO outsourcing?
The MLRO function is the most-debated outsourcing edge case. In 2026 supervisory practice:
- Cyprus — accepts MLRO outsourcing for small firms (typically below €5M revenue and €25M custody) with documented escalation paths to a CySEC-registered AML services firm. Outsourcing to non-registered providers is rejected.
- Lithuania — accepts narrow outsourcing of MLRO support functions (transaction-monitoring review, STR preparation) but the MLRO role itself must be a Lithuania-resident in-house person.
- Estonia, Malta, Ireland — practitioner-reported expectation is in-house MLRO function with no outsourcing. Combined or outsourced arrangements in above-threshold files are routinely flagged in supervisory correspondence.
- Czech Republic — formally permits outsourcing in regulation but ČNB supervisory practice has narrowed the acceptability since 2024 in practitioner reports. Treat as effectively in-house.
For multi-jurisdiction firms passporting from a permissive home to a strict host, the realistic answer is to plan to the strictest jurisdiction — i.e., in-house MLRO from day one, even if Cyprus would accept outsourcing.
DORA Title V — the documentation overlay
For any ICT outsourcing, DORA Title V layers additional requirements on top of the outsourcing rule:
- The DORA register of information — every ICT third party recorded with categorisation, materiality assessment, contract references, exit-trigger conditions.
- The DORA critical-provider identification — for providers whose failure would materially impair the CASP’s operations, additional risk-treatment, contingency, and supervisor-notification requirements apply.
- The ART operating-conditions rule contract requirements — specific contractual provisions required (audit access, exit rights, incident-notification, data-handling).
The most common 2026 supervisory deficiency in ICT-outsourcing reviews is an incomplete DORA register of information. Many CASPs maintain only a partial register covering cloud and custody-tech, omitting KYC vendors, AML tooling, and chain analytics. Supervisors expect a comprehensive register.
What does a clean outsourcing file look like?
A 2026 supervisory file that passes review consistently includes:
- Outsourcing policy. A board-approved document defining what may and may not be outsourced, materiality thresholds, approval workflow, oversight cadence.
- Outsourcing register. A live spreadsheet (or system) listing every outsourced function, the provider, the contract reference, the materiality classification, the DORA register entry (if ICT), and the responsible internal owner.
- Per-provider risk assessment. For each material outsourcing, a documented risk assessment covering operational, legal, regulatory, and concentration risks.
- Per-provider exit plan. For each material outsourcing, a documented exit plan with triggers and timelines.
- Quarterly oversight cadence. The Compliance Officer or risk function reviews each material outsourcing at least quarterly, with documented minutes.
The pattern is that decision and oversight live in-house; the work itself can sit anywhere that DORA and the outsourcing rule permit.
Working with counsel on outsourcing structure
The diagnostic for counsel: ask how the firm’s typical CASP file structures the outsourcing register and the DORA register. Counsel that gives an abstract answer (“we comply with applicable requirements”) has not handled enough recent files. Counsel that can describe specific supervisor pushback on specific outsourcing arrangements has the operational knowledge that matters at the edge cases. The firms in our index with relevant recent outsourcing files are listed below.
Pitfalls and nuances
1. Treating outsourcing as a cost-savings strategy without supervisory engagement
Practitioner experience indicates that applications proposing extensive outsourcing of operational functions are read by some supervisors as 'shell CASP' structures with insufficient internal substance. Outsourcing is permitted under the outsourcing rule but the firm must retain meaningful internal capability to oversee and direct what it outsources.
2. Importing UK / Singapore / UAE outsourcing patterns directly
Outsourcing arrangements that work under FCA, MAS, or VARA frameworks routinely fail MiCA's outsourcing rule review because the EU framework is heavier on senior-management substance retention. Counsel-led re-engineering of cross-border patterns is non-optional.
3. Underestimating DORA Title V documentation
Every ICT third party — cloud, custody-tech, exchange-tech, KYC vendor, chain-analytics tool — needs to be in the DORA register of information with a documented risk treatment. Many CASPs maintain only a partial register and discover the gap during the first supervisory review.
4. Outsourcing AML functions without retaining oversight
Outsourced KYC, transaction monitoring, and chain analytics are common and permitted. What's not permitted is outsourcing the responsibility for AML compliance — the MLRO must oversee and direct the outsourced functions, not delegate the responsibility itself.
5. Treating exit triggers as boilerplate
The outsourcing rule requires explicit exit-trigger conditions. Generic 'in case of material breach' language is insufficient. Supervisors expect specific triggers — service-level breaches, key-personnel loss at the provider, regulatory action against the provider — and a defined exit timeline.
Frequently asked questions
Can a CASP outsource its MLRO function?
In Cyprus, yes for small firms with documented escalation paths to a CySEC-registered AML services firm. In Estonia, Malta, Ireland — no. Default to in-house if multi-jurisdiction operation is planned.
What counts as 'material' outsourcing for notification?
Outsourcing affecting client funds, AML reporting, ICT continuity, or senior-management decision support is material. Routine vendor procurement is not. The materiality test is operational impact, not contract value.
Does outsourcing need a written contract?
Yes. The outsourcing rule requires the arrangement be set out in writing with explicit allocation of rights, obligations, audit access, exit triggers, and supervisor access to the outsourced function.
How does DORA Title V interact with MiCA outsourcing?
DORA Title V applies on top of the outsourcing rule for any ICT outsourcing. The CASP must maintain a register of ICT third-party providers, run a risk assessment per provider, and identify critical providers.
Sources cited
- Regulation (EU) 2023/1114 (MiCA), Article 73 — regulation
- Regulation (EU) 2022/2554 (DORA), Articles 28-30 (ICT third-party risk) — regulation
- EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) — supervisory reference — regulator
- ESMA — Markets in Crypto-Assets Regulation (MiCA) — official document