What is changing for VASPs?

MiCAR imposes a specific authorisation regime for the provision of services relating to crypto-assets, which will be subject to the requirement to obtain a license as a crypto-asset service provider (CASP) from the competent national authority (i.e., in Luxembourg, the CSSF). Obtaining the CASP license is subject to the satisfaction of an extensive list of requirements (demonstrating adequate capital, sufficient governance arrangements, the suitability of the applicant’s shareholders and management, compliance with the applicable framework on anti-money laundering / counter-terrorist financing, etc.) and an application process closely resembling the one provided for investment firms under Directive 2014/65/EU (MiFID II). In contrast to the local VASP regime, the CASP license will be “passportable” across the EU.

MiCAR also provides for a “lighter” notification regime for credit institutions, investment firms and central securities depositories wishing to engage in crypto-asset activities.

Additionally, the offering and/or admission to trading of crypto-assets (similarly to the already applicable provisions regarding ART/EMT offerings) is subject to a strict offering and marketing framework, requiring the publication and notification of a white paper (subject to certain exemptions) and the compliance of the offeror and/or the person seeking admission to trading with certain conduct of business obligations.

Who will be impacted?

Any entity wishing to provide or currently providing services in relation to crypto-assets (crypto-asset services) will be required, as from 30 December 2024, to comply with the CASP licensing requirement and the relevant regulatory obligations.

Crypto-asset services comprise:

  • custody and administration of crypto-assets on behalf of clients;
  • operation of a trading platform for crypto-assets;
  • exchange of crypto-assets for funds;
  • exchange of crypto-assets for other crypto-assets;
  • execution of orders for crypto-assets on behalf of clients;
  • placing of crypto-assets;
  • reception and transmission of orders for crypto-assets on behalf of clients;
  • advice on crypto-assets;
  • portfolio management on crypto-assets; and
  • transfer services for crypto-assets on behalf of clients.

Therefore, VASPs currently registered with the CSSF and providing any of the above services in relation to crypto-assets (currently referred to under the applicable AML Law as “virtual assets”) will be obliged to seek new authorisation as a CASP and will be subject to a full-fledged licensing application process.

Any entity wishing to offer and/or admit crypto-assets to trading (whether a VASP or not) will also have to adhere to the relevant process established under MiCAR.

Is there any transitional period for existing VASPs?

MiCAR offers Member States a “grandfathering option” for locally authorised entities already active in the crypto-asset sector under local laws. Such option is incorporated in the Luxembourg draft bill no. 8387 on the implementation of MiCAR, which is currently pending official adoption, in relation to CSSF-registered VASPs.

In particular, existing VASPs will be able to continue operating under their current status until 1 July 2026, or until they are authorised or refused authorisation as CASPs under MiCAR (the Transition Period), whichever comes sooner.

In a very recent Q&A (published on 2 October 2024), the European Securities and Markets Authority clarified that such entities will not qualify as CASPs (within the meaning of MiCAR) and will not be subject to the MiCAR regulatory obligations. In other words, VASPs may continue to provide services under the AML Law until the expiration of the Transition Period. MiCAR will only capture legally operating locally authorised VASPs upon their authorisation as CASPs.

What should VASPs do now?

In practical terms, VASPs wishing to continue their operations in Luxembourg upon the full application of MiCAR should start by considering whether:

  • they will apply for a CASP license in Luxembourg (i.e., request authorisation from the CSSF); or
  • they will opt to obtain the CASP license in a different Member State and then “passport” their services into Luxembourg (assuming they have an active presence in other Member States).

The procedure and timeline for obtaining a CASP license are, in any case, the same in all EU Member States where MiCAR directly applies.

As a second step, and given the extent of the information/documentation required to be submitted to the CSSF as part of the CASP authorisation application, VASPs should already start working on the application process and consider how they will adapt their current governance structure and modus operandi to ensure compliance with MiCAR.

What about DORA?

CASPs are in scope of the recently adopted EU Digital Operational Resilience Act (DORA), which is soon to become applicable in January 2025 and is a key priority for the CSSF.

DORA imposes a series of regulatory obligations on in-scope entities in terms of internal governance and organisation, ICT risk management and ICT-related incident reporting, digital operational resilience testing and ICT third-party risk management, for the purpose of establishing and maintaining a robust digital operational resilience framework. For more details on the extent of the requirements imposed under DORA for in-scope entities, please refer to our relevant previous publication: “The Digital Operational Resilience Act has been adopted – time to start preparing”.

In view of the above, any entity seeking authorisation as a CASP upon the application of MiCAR should already ensure that it is fully compliant with the new DORA requirements.