CASP Regulatory Updates Under MiCA: What Changes After Authorisation?
- May 5
- 10 min read
Updated: 3 days ago
MiCA authorisation is not the end of regulatory work. It is the beginning of a different, ongoing type of work.
Before authorisation, the focus is usually on getting through the process: policies, governance, systems, capital, safeguarding, outsourcing, conflicts, complaints, custody, reporting and management body requirements.
After authorisation, the focus changes. The firm has to stay aligned with MiCA, national supervisory expectations and its own permission profile as the regime develops.
Firms still in transition face a different set of deadline risks, but once authorised the focus shifts to ongoing supervision.
That shift matters. Authorisation does not freeze the rulebook. ESMA materials, EBA updates, technical standards, Q&A, national competent authority guidance, register changes, enforcement actions and supervisory communications can all affect what authorised CASPs may need to monitor, assess or escalate internally.
Post-authorisation regulatory monitoring is best treated as part of the operating model, not as a side task for the compliance team.
What changes from application mode to supervision mode?
In application mode, the pressure is on satisfying the entry test.
In supervision mode, the pressure is on consistency between what the firm told the regulator, what it actually does day to day, and how the regulatory framework develops over time.
This is where some firms get caught out. They treat authorisation as the finish line. It is not. It is a change in status.
An authorised CASP should have a monitoring process that can pick up official source changes and ask practical questions:
Does this update affect our permission profile?
Does it affect an existing MiCA obligation or supervisory expectation?
Does it touch a policy, control, disclosure, client communication or reporting process?
Does it create a new governance, risk or escalation point?
Who internally should review it?
Not every update will require action. But without a structured process, a firm may miss the difference between background commentary and a development that deserves internal attention.
The comparison below shows how the regulatory focus shifts once authorisation is granted.
This change in mindset is critical for newly authorised CASPs.
The main source categories authorised CASPs should monitor
Post-authorisation monitoring should be narrower than general crypto news monitoring, but deeper than casual regulatory scanning.
The highest-signal categories are usually:
ESMA MiCA materials and Q&A
EBA updates, especially for ARTs, EMTs, reporting and prudential matters
Regulatory technical standards, implementing technical standards, guidelines and delegated acts
National competent authority guidance and supervisory communications
CASP registers and authorisation records
Enforcement actions, warnings and supervisory statements
Custody, safeguarding, outsourcing, complaints and client communication updates
The value is not in collecting every mention of MiCA. The value is in identifying official source changes that may affect the authorised firm’s controls, permissions, disclosures, reporting or operating model.
ESMA and EBA updates
ESMA remains a central source for MiCA materials, supervisory convergence, technical standards and Q&A. For authorised CASPs, ESMA updates may matter where they touch service classification, custody, order execution, complaints, conflicts, governance, marketing, disclosures or cross-border activity.
EBA materials are especially relevant where the firm’s activities touch asset-referenced tokens, e-money tokens, prudential matters or reporting flows. Not every CASP will have the same exposure to EBA material, but firms with stablecoin, token, reporting or prudential touchpoints should not treat it as background noise.
The practical point is simple: authorised CASPs need to know which EU-level updates are relevant to their actual services, not just whether another MiCA document has been published.
National competent authorities still matter
MiCA creates a harmonised EU framework, but national competent authorities remain central to authorisation, supervision and local regulatory engagement.
That means an authorised CASP should not monitor only ESMA and EBA. It should also monitor the national regulator or regulators relevant to its entity structure, authorisation, client base, product scope and cross-border activity.
A national competent authority may publish guidance, forms, FAQs, reminders, register updates, supervisory priorities or enforcement material that has practical relevance even if it does not rewrite MiCA itself.
For a CASP, that can matter because supervision is not only theoretical. It is applied through real regulators, real authorisation records, real communications and real follow-up.
Registers are operational sources, not static background
CASP registers should not be treated as static reference pages.
A new authorisation, refusal, withdrawal, restriction or register correction may affect competitor monitoring, counterparty due diligence, partnership review, outsourcing arrangements, group structures, client disclosures or market access assumptions.
Most register changes will not require urgent escalation. But they should be capable of being captured, reviewed and classified.
This matters because authorised status is not just a legal label. It can affect who a firm works with, how it describes counterparties, how it assesses service providers and how it monitors the market.
Key post-authorisation risk areas
A good monitoring process should be organised by business impact, not only by regulator.
For authorised CASPs, the most important monitoring areas will usually include the following.
Governance and management body oversight
Updates affecting governance, board oversight, conflicts, delegation, internal controls, risk management or reporting lines may be relevant because they touch the operating model approved during authorisation.
The question is not just “has the regulation changed?” It is “does this affect how we evidence governance and control?”
Custody and safeguarding
Custody is a high-signal area for CASPs. Updates affecting client asset segregation, wallet controls, reconciliation, withdrawal rights, safeguarding disclosures, incident handling or outsourcing can have practical importance.
For firms providing custody or related services, this is likely to be a core monitoring category.
Outsourcing and operational resilience
Many crypto firms rely on third-party providers for technology, custody infrastructure, cloud hosting, compliance tooling, analytics, liquidity, payments or operational processes.
Official updates touching outsourcing, ICT risk, operational resilience or third-party dependency may therefore matter even where they are not labelled as crypto-only updates.
The filter should remain strict. Generic operational resilience commentary is not enough. The update needs a direct connection to the firm’s activities, dependencies or control environment.
Complaints and client communications
Authorised CASPs are likely to need a way to monitor developments affecting complaints handling, disclosures, risk warnings, onboarding journeys, marketing material and client understanding.
This is especially important where a platform offers both regulated and unregulated products or services. The firm may need to check whether clients are receiving a clear impression of what is authorised, what is not, and which protections apply.
That is not just a marketing issue. It can become a conduct, governance and supervision issue.
Prudential, capital and reporting matters
Prudential and reporting updates can be easy to miss because they are often technical.
But they may affect finance, compliance, regulatory operations, risk and senior management. A firm should know who owns each reporting or prudential topic internally and how relevant source changes are escalated.
Conflicts of interest
Conflicts are not a one-off authorisation topic. They can evolve as a firm launches new services, changes pricing, adds affiliates, creates market-making arrangements, changes custody structures or expands product scope.
Post-authorisation monitoring should therefore be able to identify updates that may affect the firm’s conflicts inventory, disclosures, governance arrangements or internal controls.
Product and service perimeter
Authorised status does not mean every activity is covered in every form.
CASPs should stay alert to updates that affect service classification, permission scope, regulated versus unregulated products, cross-border activity, token types or ancillary services.
This is where careful internal communication matters. A firm should avoid assuming that “authorised CASP” is a blanket description covering every product, activity or jurisdiction.
Marketing and use of authorised status
Authorisation can be commercially valuable. That makes it tempting to use regulatory status prominently in marketing.
This is also a risk area. Supervisory material relating to misleading impressions, regulated versus unregulated services and client protection should be treated as high signal.
A firm may need to review whether its website, pitch decks, onboarding journey, risk disclosures, social media, affiliate material and client notices accurately describe the scope of authorisation.
The practical question is simple: if a regulator reviewed the firm’s public materials, would the distinction between authorised and unauthorised activity be clear?
Practical triage: CASP post-authorisation update types
Update type | Main source | Why it matters | Likely internal owner |
ESMA Q&A or supervisory statement | ESMA MiCA materials | May clarify service classification, custody, disclosures, governance or conduct expectations | Compliance, legal |
EBA reporting or token update | EBA MiCA materials | May affect ART, EMT, reporting or prudential processes | Finance, risk, compliance |
RTS, ITS or guideline change | ESMA, EBA, European Commission | May affect evidence, governance, reporting, disclosures or internal processes | Legal, compliance, risk |
NCA supervisory communication | Relevant national competent authority | May affect local expectations, authorisation conditions or supervisory engagement | Compliance, legal, local management |
Register change | ESMA or NCA registers | May affect counterparty due diligence, partnerships, competitor tracking or group monitoring | Compliance, business development, risk |
Enforcement or warning item | NCA, ESMA or other official authority | May reveal supervisory priorities or conduct risks with read-across | Compliance, legal, financial crime |
Custody or safeguarding update | ESMA, NCA, technical standards or Q&A | May affect wallet controls, client asset treatment, reconciliation or disclosures | Operations, custody, compliance |
Outsourcing or resilience update | NCA, ESMA or relevant EU material | May affect third-party oversight, ICT controls or critical service providers | Operations, risk, compliance |
Marketing or client communication update | ESMA, NCA, enforcement or warnings | May affect website wording, app journeys, risk disclosures or use of authorised status | Marketing, compliance, legal |
Complaints or investor protection update | ESMA, NCA, MiCA guidance or Q&A | May affect complaints handling, client treatment or disclosure processes | Compliance, customer operations |
This table is a practical triage tool, not legal advice. The aim is to make sure the right internal owner sees the right type of update before it becomes stale or buried in a generic regulatory round-up.
Materiality still applies
Not every MiCA update needs to become an internal project.
That is the point of materiality filtering. A serious monitoring process should separate official developments that may affect the firm’s operating model from generic commentary, duplicated alerts, background explainers or updates aimed at different business models.
Not every update requires action. Teams must first decide what counts as a material regulatory update.
For authorised CASPs, a material update is more likely to include:
An ESMA or EBA Q&A relevant to the firm’s services.
A technical standard or guideline affecting reporting, governance, custody, conflicts, complaints or disclosures.
A national competent authority communication affecting authorisation, supervision, register status, local operating conditions or client communications.
An enforcement or warning item with clear read-across to the firm’s business model.
A register change affecting a counterparty, competitor, partner, service provider or group entity.
A supervisory statement affecting how authorised status, regulated services or client protections should be described.
By contrast, a general article saying “MiCA is important” is not a material regulatory update. It may be useful context, but it should not be treated the same as an official source change.
What a post-authorisation monitoring note should include
An authorised CASP does not need long summaries of every MiCA development. It needs short, classified, source-based notes that make clear whether an update deserves attention.
The best way to communicate these updates internally is through a well structured crypto compliance briefing.
For each material item, the note should answer:
What changed?
Which official source changed?
Which service, entity, jurisdiction or control area may be affected?
Is the update binding, final guidance, supervisory commentary, administrative, consultative or only a policy signal?
What is the likely internal owner?
What may need to be checked next?
Is there a deadline, implementation date or reporting impact?
That structure keeps the briefing focused. It also reduces the risk of confusing useful context with an actual regulatory development.
Common post-authorisation monitoring mistakes
The first mistake is treating authorisation as the finish line. The better view is that authorisation moves the firm into a standing supervision environment.
The second mistake is relying too heavily on secondary commentary. Law firm updates and industry analysis can be useful, but authorised CASPs should still be able to trace material points back to official sources.
The third mistake is monitoring only EU-level sources. ESMA and EBA matter, but national competent authorities remain central to authorisation, supervision and local expectations.
The fourth mistake is escalating too much. If every update is marked urgent, nothing is urgent. A credible process needs exclusion discipline.
The fifth mistake is failing to assign ownership. A custody update should not sit unread in a general compliance inbox if the operations or custody team needs to review it. A reporting update should not be buried in a legal summary if finance or regulatory operations owns the process.
The sixth mistake is blurring the line between regulated and unregulated activity. Once a firm is authorised, there may be a commercial temptation to present the whole platform as regulated. That can create risk where some services, products or jurisdictions sit outside the authorised perimeter.
The difference between monitoring and advice
A monitoring process should identify official source changes, classify them and help the firm decide what may need further review.
It should not pretend to give a final legal answer on whether a firm is compliant.
That distinction matters. A monitoring note may say that ESMA has published a new Q&A relevant to a particular MiCA service category and that the item appears relevant to transfer, custody or exchange services. It should not casually conclude that the firm is or is not authorised for a specific activity unless that conclusion has been properly assessed by the firm’s legal, compliance or external advisory team.
Good monitoring reduces the chance that relevant source changes are missed. It does not replace legal interpretation, regulatory engagement or firm-specific compliance analysis.
A practical alternative
Not every authorised CASP has the time or internal resource to track ESMA materials, EBA updates, national competent authority communications, technical standards, register changes, warning notices and enforcement signals while applying a consistent relevance filter.
Crypto Regulation Desk monitors selected official regulatory and public authority sources across the UK/EU, Middle East and Singapore, then filters developments for direct relevance to crypto firms.
For authorised CASPs, the aim is to identify what changed, why it matters and what compliance, legal or regulatory teams may need to watch next.
Crypto Regulation Desk is not a law firm and does not provide legal advice. It is a source-based regulatory monitoring and briefing service designed to reduce the manual burden of reviewing selected regulator and public authority websites and help teams focus on updates that may be more likely to matter.
How to get started
You can start with a 14-day trial, or if you have seen the sample and are ready to proceed, you can subscribe through the pricing section of the site.
Paid subscriptions are monthly rolling and can be cancelled at any time.
MiCA authorisation changes the problem. It does not remove it.
For newly authorised CASPs, the hard work is no longer only about getting through the application process. It is about staying alert to source changes, supervisory signals and technical updates that may affect how the authorised business operates.
The firms that manage this well will not be the ones collecting the most commentary. They will be the ones with a clear source list, a strong materiality filter, named internal owners and a disciplined process for turning regulatory updates into practical monitoring points.