MiCA enforcement · First-year case tracker

First MiCA Enforcement Actions 2026 — Case Tracker

MiCA's first operational year has produced a working enforcement case base: authorisation refusals across multiple NCAs, the first withdrawal proceedings, several administrative fines, multiple public warnings against unauthorised operators, and a handful of criminal referrals. The case base is small, but the patterns are visible and the operational lessons for compliant operators are real.

MiCA enforcement covers the supervisory and administrative-sanction framework operated by National Competent Authorities under Articles 64, 109 and following of Regulation (EU) 2023/1114, plus criminal-investigation referrals to national prosecutors where regulatory non-compliance discloses criminal conduct. The framework operates across authorisation refusals, conditional grants, withdrawal proceedings, administrative fines, public warnings, and criminal referrals.

Quick facts

Parameter | Value
Enforcement framework | Articles 64 (withdrawal), 109 (sanctions), and national implementing legislation
Authorisation refusals (first 12 months) | Estimated 60-100 across all NCAs — actual numbers not centrally published
Withdrawal proceedings | Single-digit across all NCAs; principal grounds AML or governance
Administrative fines | Modest in volume; range EUR 50k-2m typical
Public warnings | Numerous across NCAs against unauthorised operators serving EU customers
Criminal referrals | Limited but present where regulatory non-compliance discloses fraud or market manipulation
Most common enforcement grounds | AML deficiency, governance gaps, ICT/DORA gaps, unauthorised operation, marketing compliance violations
ESMA register | Updated regularly with enforcement actions across the EU

The first operational year of MiCA enforcement

MiCA went operational on 30 December 2024 for CASP authorisation provisions, with transitional arrangements running through July 2026. The first twelve months of operational supervision have produced a working enforcement case base across all 27 EU member states.

The case base is not yet large in absolute terms. Most enforcement activity has involved authorisation refusal during the application review process rather than withdrawal of granted authorisations. Withdrawal proceedings are slow and substantively demanding. Administrative fines are modest in volume and quantum. Public warnings against unauthorised operators are the most common public enforcement signal.

The patterns are visible. The supervisor focus is consistent across NCAs. The compliance lessons are operational.

Authorisation refusals — the most common enforcement

Authorisation refusal is the most common MiCA enforcement output in the first year. Practitioner estimates put EU-wide refusal volume at 60-100 across all NCAs in the first twelve months. Actual aggregate numbers are not centrally published — ESMA does not publish refusal data — but the practitioner case base across major jurisdictions supports the estimate.

The principal refusal grounds:

AML deficiency. Inadequate AML framework, weak customer due-diligence procedures, MLRO substance insufficient, FIU reporting framework not operational, sanctions screening inadequate. The most common refusal ground across all NCAs.

Governance gaps. Inadequate board composition, key-person fit-and-proper concerns, weak internal control framework, inadequate risk management governance. The second most common refusal ground.

ICT and DORA gaps. DORA framework not operational at filing, ICT third-party risk management inadequate, incident reporting infrastructure not in place, resilience testing framework absent. Increasingly common as supervisor expectations on DORA mature.

Substance inadequacy. Shell-company arrangements without genuine operational presence, key personnel non-resident or part-time, lack of host-state operational headcount, corporate-services-provider-driven jurisdictional choice. Particularly common ground for refusal in Estonia, Lithuania, and other CEE jurisdictions with substance discipline.

Beneficial ownership concerns. Opaque beneficial ownership, prior regulatory enforcement history against beneficial owners, group-structure concerns that prevent effective supervision. Recurring refusal ground.

The refusal patterns are consistent across NCAs. The supervisor focus is consistent. The operational lesson for new applicants: address the common refusal grounds in filing-preparation, not after the first information request.

Withdrawal proceedings — slow but real

Authorisation withdrawal under Article 64 is procedurally slow. The process requires:

Supervisor decision to commence proceedings. Based on identified non-compliance, ongoing supervisor concerns, or specific triggering events.

Notification to the CASP. Written notification of proceedings with reasons. The CASP has the opportunity to make representations.

Remediation opportunity. Where the supervisor identifies specific non-compliance, the CASP typically has an opportunity to remediate. The remediation period varies by issue but typically runs months.

Formal withdrawal decision. Where remediation fails or is inadequate, the supervisor issues formal withdrawal with reasons. The decision is enforceable subject to appeal rights.

Appeal procedures. National administrative law procedures govern appeal rights and timing.

The first twelve months of operation have produced single-digit formal withdrawal proceedings across the EU. Several proceedings are in progress. The principal grounds are AML deficiency, governance failures, and unaddressed ICT gaps.

The slow procedural framework means withdrawal proceedings are an extreme outcome. Most CASPs facing supervisor concerns address them through remediation engagement before formal withdrawal proceedings commence. The operational lesson: treat supervisor concerns as early signals, not as late-stage enforcement risk.

Administrative fines — modest but increasing

Administrative fines under Article 109 and national implementing legislation are modest in the first year. The typical range is EUR 50k-2m per case. Larger fines are expected as enforcement matures.

Common fine grounds:

Unauthorised CASP operation. Operating CASP services without authorisation, typically during the transition period or by non-EU operators serving EU customers.

Marketing compliance violations. Breach of Article 74 marketing rules including misleading marketing, inadequate risk disclosure, or unauthorised promotional activity by non-licensed operators.

AML deficiency at registered or authorised operators. Where AML supervisory inspection identifies specific failings, administrative fines under AML implementing legislation are typical.

Reporting failures. Late or incomplete regulatory reporting to NCAs. Smaller individual fines but cumulative across multiple periods.

Conditions-of-authorisation breaches. Where authorisation was granted with specific conditions and the operator fails to meet the conditions, fines apply.

The fine framework is operational but the quantum is modest relative to other EU regulatory regimes. The framework is likely to mature toward higher quantum as enforcement coordination strengthens.

Public warnings — the operational enforcement layer

Public warnings against unauthorised operators are the most frequent MiCA enforcement signal. The warnings operate under Article 109 and national implementing legislation. The structure:

Warning publication. NCAs publish warnings on their websites listing operators offering CASP services in the member state without proper authorisation. The warnings include operator name, identified non-compliance, and reference to applicable regulation.

ESMA coordination. ESMA aggregates national warnings into an EU-wide framework. Warnings published by one NCA become visible across the EU.

Banking and counterparty impact. Banks routinely screen against warning lists during onboarding due diligence. Payment processors similarly. Warning-listed operators face account closure or refusal across multiple banking relationships.

Customer trust impact. Public warnings affect customer trust directly. Sophisticated customers screen against warning lists. Media coverage of warning lists amplifies the reputational impact.

The first year has produced numerous public warnings across most NCAs. Common targets: non-EU operators serving EU customers without authorisation, EU operators in transitional limbo continuing to serve customers without progressing toward authorisation, and clearly fraudulent operators.

Public warnings produce more operational damage than administrative fines in most cases. The reputational and banking impact is more lasting than fine quantum.

Criminal referrals

Where a MiCA supervisory investigation discloses conduct that may constitute a criminal offence, NCAs refer the matter to national prosecutors. The first year has produced limited but real criminal referrals.

Common referral grounds:

Fraud. Where supervisor investigation discloses misrepresentation to customers, misappropriation of client assets, or operational fraud.

Market manipulation. Where supervisor investigation discloses market manipulation under MiCA Title VI Articles 88-92.

Money laundering. Where AML deficiency or operational pattern discloses money laundering risk that warrants criminal investigation.

Unauthorised operation. Where ongoing unauthorised CASP operation continues despite supervisor warning and the conduct may constitute criminal regulatory non-compliance under national law.

Criminal proceedings operate under national criminal law procedures and timelines. The MiCA-supervisory framework feeds the referrals; the criminal proceedings operate separately and slowly.

The operational lesson: MiCA enforcement and criminal exposure can overlap. Operators that treat supervisor engagement as purely regulatory miss the criminal-exposure dimension where conduct warrants it.

Cross-NCA enforcement coordination

The Article 88 information-sharing framework and ESMA coordination produce EU-wide enforcement visibility. Enforcement actions in one member state become visible across the EU through:

ESMA register updates. Authorisation refusals, withdrawals, and public warnings flow into ESMA-coordinated register data.

Bilateral NCA channels. Material enforcement actions trigger cross-NCA notification under the Article 88 cooperation framework.

Cross-jurisdictional supervisor dialogue. Where an operator under enforcement in one member state has passport activity or affiliated entities elsewhere, host NCAs engage with the home supervisor on the matter.

The practical implication: enforcement in one jurisdiction has EU-wide consequences. Operators facing supervisor concerns in their home state face heightened scrutiny in passport jurisdictions. Operators with affiliated entities across multiple member states face cross-entity supervisor engagement.

The coordination framework is operational and produces an EU-wide enforcement landscape. A member-state-by-member-state isolation strategy does not work.

Patterns and lessons

The first-year case base produces visible patterns:

AML is the most-tested aspect. The most common refusal ground, the most frequent administrative fine ground, and one of the most common supervisor inspection focuses. AML framework strength is the single most important compliance investment.

Governance discipline matters. Board composition, key-person fit-and-proper, internal controls, and risk management governance produce supervisor scrutiny disproportionate to their visibility in compliance budgets.

DORA framework is increasingly tested. Early enforcement focused on the core CASP framework. The 2026 enforcement cycle is increasingly testing DORA implementation as supervisor expectations on DORA mature.

Substance discipline is non-negotiable. Shell-company arrangements, non-resident senior personnel, and corporate-services-provider-driven jurisdictional choice produce refusals across multiple NCAs. The substance bar is real.

Public warnings affect operations more than fines. The reputational and banking impact of public warnings is consequential. Operators facing a public warning find banking, customer trust, and counterparty relationships compromised faster than an administrative fine would compromise them.

Cross-NCA visibility is operational. Enforcement actions in one member state produce EU-wide consequences through the coordination framework.

Practical takeaways

MiCA enforcement is operational and consequential. Three principles for compliant operators:

Invest in AML framework strength. The most-tested aspect of CASP compliance. The most common refusal ground. The most frequent administrative fine ground. AML investment pays back across multiple supervisor angles.

Build governance discipline alongside operational compliance. Supervisor focus on governance is consistent across NCAs. Strong governance discipline reduces refusal risk and supports clean supervisor dialogue across the operational life of the authorisation.

Treat supervisor concerns as early signals. Enforcement proceedings are extreme outcomes. Most supervisor concerns surface through information requests, supervisory dialogue, and inspection findings. Addressing concerns early produces clean remediation; ignoring early signals produces escalation to formal enforcement.

The enforcement case base will grow through 2026-2028 as supervisors complete initial authorisation review and shift focus to ongoing supervision. The patterns visible in the first year will sharpen. Compliant operators that learn from the case base position themselves cleanly for the maturing enforcement framework.


Pitfalls and nuances

1. Treating enforcement as remote risk

MiCA enforcement is operational. Supervisor inspections, information requests, and follow-up engagement happen routinely. Operators that treat enforcement as remote risk underinvest in compliance infrastructure and find themselves in supervisor dialogue without the operational discipline to manage it cleanly.

2. Underestimating public warning impact

Public warnings are reputationally consequential. Banks deny accounts to warning-listed operators. Payment processors decline relationships. Counterparties refuse business. Customer trust collapses. A public warning can produce more operational damage than administrative fines.

3. Ignoring cross-NCA enforcement coordination

Enforcement actions in one member state surface across the EU through Article 88 information sharing and ESMA coordination. Operators experiencing enforcement in one jurisdiction face supervisor scrutiny across passport jurisdictions. The enforcement landscape is EU-wide, not member-state-isolated.

4. Filing for authorisation without learning from refusal patterns

The first-year refusal case base is informative. Common refusal grounds — AML deficiency, governance gaps, ICT/DORA gaps, inadequate substance — show where supervisor scrutiny concentrates. Operators that file without addressing the common refusal grounds face avoidable supervisor concerns.

Frequently asked questions

How many CASP authorisation refusals have NCAs issued?

Aggregate numbers are not centrally published. Practitioner estimates put EU-wide refusal volume at 60-100 in the first twelve months of MiCA operation. Refusals concentrate in AML deficiency, governance gaps, and inadequate substance.

Have any CASP authorisations been formally withdrawn?

Single-digit cases across the EU in the first twelve months. Withdrawal proceedings are slow and substantive — they require formal supervisor decision, applicant notification, opportunity to remedy, and appeal rights. Several proceedings are in progress.

What administrative fines have been issued?

Modest volume; range EUR 50k-2m typical. Most relate to unauthorised CASP operation, marketing compliance violations under Article 74, or AML deficiency at registered or authorised operators. Larger fines are likely as enforcement matures.

How many public warnings have been issued?

Numerous. Most NCAs maintain public warning lists for unauthorised operators serving member-state customers in violation of Article 59 authorisation requirements. ESMA aggregates warnings into a coordinated EU-wide framework.

Have any criminal cases emerged from MiCA enforcement?

Limited but present. Where MiCA-supervisory investigation discloses fraud, market manipulation, money laundering, or other criminal conduct, NCAs refer to national prosecutors. Several criminal investigations are in progress, mostly involving alleged fraud or market manipulation.


Sources cited

  1. Regulation (EU) 2023/1114 (MiCA), Articles 64 and 109 — regulation
  2. ESMA — CASP register and enforcement coordination — regulator
  3. Various national NCA enforcement publication pages — regulator