MiCA Regulatory Monitoring: Q&As, RTS and ITS CASPs Should Track After Authorisation
- 3 days ago
- 8 min read
MiCA authorisation is not the end of regulatory work. For CASPs, it is the point at which MiCA regulatory monitoring becomes more detailed.
Once a crypto-asset service provider is authorised, the main risk shifts. The question is no longer only whether the firm can enter the regime. The question becomes whether the firm is keeping pace with the technical standards, guidance, Q&As, national updates and supervisory interpretations that shape how the regime works in practice.
For CASPs, MiCA cannot be monitored as a single legal text. The regulation is the foundation, but the operational detail sits within a wider body of technical and supervisory material.
A firm may need to track Level 1 requirements, regulatory technical standards, implementing technical standards, ESMA guidance, EBA guidance, Q&As, national competent authority updates, register changes and enforcement signals. Some of these materials create direct obligations. Others clarify expectations, show supervisory direction, or affect how a firm should interpret an existing requirement.
That distinction matters. Treating every document as binding law is wrong. Treating every non-legislative update as unimportant is also wrong.
Why MiCA monitoring continues after authorisation
Many firms focus heavily on authorisation. That is understandable. Getting through the application process is a major project.
But authorisation does not freeze the rules.
After authorisation, CASPs still need to monitor how MiCA is being interpreted, implemented and supervised. The detail can affect policies, product design, custody arrangements, complaints handling, outsourcing, governance, prudential monitoring, reporting, marketing controls and cross-border services.
For more on that wider supervisory shift, see our article on CASP regulatory updates after authorisation.
A useful monitoring process should ask two questions:
What type of update is this?
Does it change anything the firm needs to review internally?
Those questions are simple, but they are often where weak monitoring processes break down.
The MiCA regulatory stack
MiCA-related updates do not all arrive in the same format. A firm may see a final technical standard, a consultation, a Q&A, a national notice, a register update or a supervisory communication. Each needs to be read differently.
Level 1 text
The MiCA regulation itself is the starting point. It sets the main legal framework for crypto-asset issuers, CASPs and certain crypto-asset activities in the EU.
For CASPs, the Level 1 text contains the core structure of the regime: categories of crypto-asset services, authorisation requirements, conduct obligations, governance expectations and headline duties.
But the Level 1 text does not answer every operational question. The more detailed and practical answers often emerge later through technical standards, guidance, Q&As and supervisory practice.
The Level 1 text tells firms the core framework. The surrounding materials often explain how parts of that framework should be applied.
RTS and ITS
Regulatory technical standards and implementing technical standards are among the most important MiCA materials for authorised CASPs and applicants.
Regulatory technical standards usually provide more detailed regulatory requirements under the main legislation. Implementing technical standards usually provide standardised implementation detail, such as templates, formats or reporting mechanics.
The distinction is not just academic. A CASP that monitors only headline MiCA developments may miss technical detail that affects how an obligation is implemented in practice.
Technical standards can be relevant to authorisation applications, governance, reporting, complaints, conflicts of interest, custody, prudential matters, white papers, market abuse controls and supervisory notifications.
A final RTS or ITS will usually require closer review than a consultation. But consultations should not be ignored. They can signal where supervisory expectations are heading and give firms time to assess whether systems, policies or controls may need to change.
The right response is not always immediate implementation. Sometimes the right response is to assign ownership, monitor finalisation, prepare a gap analysis and decide whether to respond to the consultation.
Guidelines
Guidelines are another important category.
They may not operate in exactly the same way as legislation or technical standards, but they can still be highly relevant to how supervisors expect firms to behave.
For compliance teams, the practical question is not simply whether a document is called “guidance”. The question is whether it contains a supervisory expectation that should be reflected in internal controls, policies or governance.
Guidelines may affect how firms think about governance, suitability, market conduct, complaints, conflicts, outsourcing, custody or disclosures. They may also help explain how regulators expect firms to apply more general MiCA requirements in practice.
A good monitoring process should classify guidance carefully. It should not overstate it as new legislation, but it should not dismiss it as optional background material either.
Q&As
MiCA Q&As can be especially important because they address practical interpretative questions.
A Q&A may not look as significant as a new rule or a final technical standard. It may be short and focused on one narrow point. But that point can still matter if it affects how a firm classifies a service, interprets a requirement or applies a rule to a real operating model.
CASPs should monitor both EBA MiCA Q&As and ESMA MiCA Q&As carefully.
Examples of Q&A topics that may matter include:
whether a particular activity falls within a crypto-asset service
how a requirement applies to e-money tokens or asset-referenced tokens
whether a white paper obligation applies in a specific case
how passporting or notification routes should be understood
which entity or regime is relevant to a particular activity
how a provision should be read alongside another EU financial services framework
The point is not that every Q&A is high priority. Most are not. The point is that some Q&As answer exactly the sort of question firms and advisers are trying to resolve internally.
A Q&A that clarifies service classification, token treatment or passporting can be more operationally useful than a long consultation with limited relevance to the firm’s business model.
National competent authority updates
MiCA is an EU regime, but national competent authorities still matter.
Firms need to monitor relevant national regulators because authorisation, supervision, transitional arrangements, local communications and register updates may sit partly at national level.
This is particularly important during the MiCA transition period, where the position may differ by member state and firms may still be dealing with legacy national VASP arrangements. For more detail on that point, see our article on MiCA transition period monitoring.
National updates may include application guidance, supervisory expectations, deadline reminders, register changes, local Q&A material, authorisation announcements, enforcement notices or practical communications to firms.
These updates should not be treated as secondary just because they are not EU-level materials. For a firm supervised in a particular jurisdiction, the national regulator’s position can be directly relevant.
Registers and authorisation status
MiCA monitoring is not limited to written guidance and technical standards. Material register-related developments can also matter.
CASPs may need to track material official register changes where they affect authorisation status, market access, transition progress or counterparty due diligence. A register update may indicate that a firm has obtained CASP authorisation, moved out of a legacy national regime, changed status, or become subject to a restriction or other relevant development.
Register monitoring is particularly important where firms rely on exchanges, custodians, brokers, stablecoin issuers, infrastructure providers or other crypto counterparties.
The key question is not only whether a firm is listed. It is whether the correct legal entity is listed for the relevant activity, in the relevant jurisdiction, under the relevant regime.
A CASP that is authorised still needs to know who it is dealing with.
How to classify MiCA updates
A good monitoring process should classify updates before deciding what to do with them.
Update type | What it usually means | Typical internal response |
Level 1 text | Core legal framework | Legal and compliance interpretation |
Final RTS or ITS | Detailed regulatory or implementation requirement | Gap analysis, policy review, operational implementation |
RTS or ITS consultation | Proposed technical detail | Assign owner, assess likely impact, consider response |
Guidelines | Supervisory expectations or interpretative guidance | Review against policies, controls and governance |
Q&A | Clarification of a specific interpretative issue | Assess whether internal interpretation or procedures need updating |
National regulator update | Local implementation, supervision or authorisation information | Review jurisdiction-specific impact |
Register change | Authorisation, status or counterparty information | Update due diligence, market access or internal records |
Enforcement or supervisory action | Practical signal of regulatory focus | Assess lessons for controls and risk appetite |
This classification step prevents two common mistakes: treating everything as equally urgent, and ignoring anything that is not a formal rule change.
The first creates noise. The second can cause firms to miss important interpretation and supervisory signals.
What should trigger internal review?
Not every MiCA update needs a full internal project. Some updates should simply be logged and monitored.
A stronger trigger for internal review exists where an update affects one of the following:
the scope of a crypto-asset service
authorisation or passporting position
custody or safeguarding arrangements
complaints handling
conflicts of interest
outsourcing or third-party arrangements
prudential or own funds requirements
white paper obligations
ART or EMT treatment
client communications or disclosures
reporting or notification requirements
market abuse controls
governance or senior management oversight
counterparty due diligence
The more direct the connection to the firm’s activities, the more likely the update should be escalated.
A Q&A on a narrow issue may be low priority for most CASPs but high priority for a firm whose business model depends on that issue. A technical standard may be important in general, but not immediately actionable until finalised. A national register update may be irrelevant to one firm and important to another because of a specific counterparty relationship.
Materiality is contextual.
What a useful MiCA monitoring note should include
A useful monitoring note should not simply say “ESMA published an update” or “EBA issued a Q&A”.
It should explain what type of document it is, what issue it addresses, whether it is final or consultative, which firms are most likely to care, and what should be monitored next.
Weak note: “EBA published a MiCA Q&A.”
Better note: “EBA published a final MiCA Q&A addressing how a specific requirement should be interpreted for a defined category of firm or activity. CASPs whose operating model relies on that interpretation should review whether their internal classification, procedures or legal analysis remain consistent with the final answer.”
That is the difference between a source alert and a crypto compliance briefing.
The source alert tells the reader something exists. The briefing tells the reader why it might matter.
Common mistakes in MiCA technical monitoring
Several mistakes appear regularly.
The first is monitoring only the main MiCA regulation and missing technical standards or Q&As.
The second is reading consultations as if they were final rules. Consultations can be important, but firms should be clear about legal status.
The third is dismissing Q&As because they are short. Some of the most practical clarifications are narrow.
The fourth is treating national competent authority updates as irrelevant because MiCA is an EU regulation. National authorisation and supervision still matter.
The fifth is failing to connect updates to internal ownership. A custody update may need operations and legal input. A complaints update may sit with compliance and client services. A prudential update may need finance or risk.
The sixth is keeping no record of excluded items. If a MiCA update is reviewed and judged immaterial, that decision should be recorded briefly. This avoids re-reviewing the same item later and helps evidence the monitoring process.
Final point
MiCA monitoring after authorisation is not just about watching for new rules.
CASPs need to track the full layer of materials that shape the regime in practice: RTS, ITS, guidelines, Q&As, national competent authority updates, register changes and relevant supervisory signals.
The value is in classification and judgement. A final technical standard, a consultation, a Q&A and a register change should not be treated the same way. Each may require a different response.
The strongest compliance teams will not simply ask whether MiCA has changed. They will ask what type of update has been published, which part of the business it affects, whether it changes internal interpretation, and whether it requires action now or continued monitoring.
Crypto Regulation Desk monitors selected official regulatory sources across the UK/EU, Singapore and the Middle East, including MiCA Q&As, RTS, ITS, guidance, material register-related developments and relevant supervisory updates. The service filters those sources for material crypto regulatory relevance.
To test a source-based monitoring process without building it manually, request a 14-day trial of Crypto Regulation Desk.
