MiCA July 1, 2026 CASP Checklist

ESMA stated on April 17, 2026 that the MiCA transition period expires EU-wide on July 1, 2026. Unauthorised CASPs serving EU clients after that date are in breach.

Firms should have wind-down or client migration plans where authorization is not in place. This is not a branding change. It is an operating boundary.

Start with the real customer journey. Web sign-up, Telegram onboarding, API access, affiliate flows, support intake, fiat partners, wallet top-ups, refunds, and manual exceptions all matter.

If an EU resident can receive a crypto service through the business, the compliance file must explain the legal route or the block.

MiCA readiness is weak if controls live only in policy documents. The control must appear where risk occurs.

Screen wallet deposits before credit. Screen withdrawals before release. Keep watchlists for counterparties. Record the decision, the reason, the operator, and the timestamp. A reviewer should be able to reconstruct why funds moved.

A CASP file should include authorization status, jurisdictions served, customer restrictions, AML policy, sanctions policy, Travel Rule process, risk scoring method at a business level, incident handling, outsourcing register, and audit logs.

Do not publish sensitive methods in marketing pages. Keep enough detail for supervisory review, but do not turn the public website into an abuse manual.

By June, each client segment should have one of three statuses: authorized service, migrated service, or closed access.

The plan should define user notices, final trading dates, withdrawal handling, data retention, support scripts, and escalation owners. Silence is not a plan.

A good MiCA transition file is boring. It shows who can use the product, under what permission, what risk controls run, what happens when data is missing, and how the team proves it.

That is what protects revenue. Not a paragraph saying the business takes compliance seriously.