Europe’s market watchdog has asked unauthorized providers of cryptoassets to shut down EU operations without delay. The European Securities and Markets Authority issued the directive as the transition period for the regulation on markets in cryptoassets expires on July 1, 2026.
MiCA is the EU’s landmark crypto regulatory framework. It requires any company offering crypto services to EU customers to have a formal authorization. A transition period allowed existing providers to continue operating under national schemes while they sought approval. That window closes on July 1.
Some firms secured approval before the deadline. Others did not. ESMA’s opinion is aimed at the second group.
According to the ESMA announcement, unauthorized companies face a clear set of obligations. They must stop hiring new EU customers. Marketing and solicitation to EU citizens must cease. New accounts cannot be opened.
Existing services must be narrowed in scope. Firms may continue to operate only to the extent necessary to assist clients in selling assets, transferring holdings, closing positions or exiting the platform.
Retention of client assets is only permitted for as long as it takes to complete an exit in good standing. Companies also need to communicate with customers. ESMA expects communication to be clear, fast and repeated.
Clients need to know the settlement timeline, what protections are in place and what will happen to remaining positions if nothing is done. A deadline for automatic closing of positions must be stated.
AML encryption rules still apply
ESMA emphasized that compliance obligations do not stop during a resolution. Companies must maintain anti-money laundering and counter-terrorism financing controls throughout the exit process. This includes customer due diligence, transaction monitoring, sanctions screening, suspicious transaction reporting and registration.
Where a client transfers to a MiCA authorized provider, the receiving company must carry out full onboarding checks. Authorization is not transferred from an old provider.
ESMA extended the warning to companies based outside the European Union. Non-EU CASPs cannot provide MiCA-covered services to EU customers, including in business-to-business agreements.
The regulator also noted that MiCA prevents companies from outsourcing custody services to entities that lack CASP authorization under the regulation.
ESMA issued a direct warning to retail users. Clients of unauthorized providers do not benefit from MiCA’s investor protection rules. There is no guarantee of asset protection under the framework if the provider is not licensed.
EU customers were advised to check whether their provider is authorized by consulting the ESMA Register, a public database of licensed CASPs.
The July 1 deadline marks the end of a year-long transition to a unified EU crypto rulebook.