Share via:
- Updated on: June 18, 2026
Key Takeaways
- On July 1, 2026, MiCA’s license application period ends. A crypto firm authorized in one EU member state can then passport its services into all 27.
- Authorization is now EU-wide, but anti-money-laundering supervision stays national. Those two facts do not line up.
- We speculate that firms may gravitate to the lightest-touch authorizer, while financial intelligence units in the markets they serve see less of their activity directly.
- That raises one question for crypto compliance and oversight: who actually watches the flows once a firm operates everywhere but answers to a single home regulator?
Crypto compliance under MiCA is often described as a single European rulebook, and on market conduct and authorization that is broadly true. But the part that decides whether illicit flows get caught, anti-money-laundering supervision, was never folded into that single rulebook. It stayed with each member state. From July 1, 2026, that split stops being a technicality and starts shaping where risk concentrates. This piece lays out what changes, where the gap opens, and what is worth watching, drawing on the public record from the European Securities and Markets Authority (ESMA).
A central supervisor is on the way, but not yet. The new Anti-Money Laundering Authority (AMLA) will directly supervise around 40 of the highest-risk cross-border firms, crypto-asset service providers included. That direct supervision begins in 2028, after AMLA selects those firms in 2027 and collects data from national supervisors through 2026. Until then, supervision stays shared and largely national, which is what makes the period from July 1 worth watching.
What does MiCA change for crypto compliance on July 1?
According to ESMA’s statement on the end of the transitional periods, the transitional period for crypto-asset service providers, the window for firms to apply for a CASP license, expires across the European Union on July 1, 2026, with no extension. After that date, any firm offering crypto-asset services without a full MiCA authorization as a CASP is operating outside EU law and has to stop.
The headline number is how few firms have crossed that line. ESMA reported that only around 17 percent of entities registered before MiCA had obtained CASP authorization as of May 2026, leaving more than 80 percent of formerly registered firms unlicensed with weeks left on the clock.
Authorization carries a second feature that matters more than the deadline itself: the passport. A CASP licensed in one member state can offer its services across the whole bloc without seeking separate approval in each country. One authorization, 27 markets. For a single market, that is the point. It is also where the supervision question begins.
Where does the supervision gap open?
MiCA harmonized who can authorize a crypto firm and on what terms. It did not harmonize who supervises that firm for money laundering and terrorist financing. Those duties remain with national competent authorities under the existing anti-money-laundering framework, and they attach to where a firm is established, not to every market it serves.
Put the two together and the gap is plain. A firm can be authorized in a small member state, passport into the largest economies in the bloc, and carry its home-state anti-money-laundering supervision with it. The authority with the most exposure to that firm’s customers is often not the authority watching its controls. A national financial intelligence unit can find that a meaningful share of the crypto activity reaching its citizens sits with firms it does not directly supervise.
That structure creates a familiar incentive. When authorization is portable but oversight intensity varies, firms have reason to seek out the authorizer that moves fastest and asks least, then passport outward. The lighter the touch at the point of authorization, the more attractive that base becomes. Any individual regulator can do its job well and the problem still holds, because it is structural: the system points the hardest-to-see firms toward the thinnest supervision.
None of this is hidden. ESMA has been explicit about the deadline and the authorization gap, and the dynamic has been discussed openly in policy circles since well before the application deadline. What is new is that it becomes live activity on July 1.
What’s worth watching from here?
This is not a checklist, and it is not advice on how to run a compliance program. It is a short list of the signals that will show whether the gap stays a structural quirk or becomes a real detection problem.
First, watch where firms choose to authorize. If authorizations cluster in a handful of smaller jurisdictions while the bulk of users sit elsewhere, that is the arbitrage pattern showing up in the data rather than in commentary.
Second, watch how home and host coordination works in practice. The framework assumes home-state supervisors and host-state authorities share information well enough to cover the seam. Whether that holds under real caseloads, across languages and legal traditions, is an open question. It is also part of the wider challenge of detecting illicit flows across chains and borders.
Third, watch the timeline on the Anti-Money Laundering Authority (AMLA). The EU is building AMLA to directly supervise around 40 of the highest-risk cross-border firms, crypto-asset service providers included. Direct supervision begins in 2028, after AMLA selects those firms in 2027 and collects data from national supervisors through 2026. That leaves a window between when passporting goes live and when central anti-money-laundering oversight arrives. The size and the handling of that window is the part most worth tracking.
The single rulebook was meant to end fragmentation. On authorization, it largely does. On the question of who watches the flows once a firm operates everywhere, July 1 is where we find out how wide the seam really is.
FAQ
What is crypto compliance under MiCA?
Crypto compliance under MiCA refers to the obligations crypto-asset service providers must meet to be authorized and operate legally in the European Union, covering authorization, conduct, disclosure, and consumer protection. Anti-money-laundering supervision sits alongside MiCA in the separate EU anti-money-laundering framework and is administered nationally, which is the distinction this article examines.
What happens on July 1, 2026?
Per ESMA, the transitional period ends. Firms without full CASP authorization can no longer provide crypto-asset services in the EU.
Does a MiCA authorization cover anti-money-laundering supervision across the EU?
No. The authorization passport covers market access. Anti-money-laundering supervision remains with national competent authorities tied to the firm’s place of establishment.
For informational purposes only. Not legal or compliance advice.
Crystal Expert gives compliance teams real-time screening across 330+ blockchains, with entity attribution covering 110,000+ entities and automated monitoring that flags IRGC-linked wallet clusters as they evolve. If you want to see how your current coverage holds up against this designation, talk to our team.
