MiCA Decoded: ‘We Have an EU Office’ Is Not Enough: Here’s What Regulators Actually Want to See

You have the entity. You have the address. You even have the capital. So why is the regulator still not satisfied? Because under MiCA, substance is an empirical test of whether your business genuinely operates from within the EU, and most applicants underestimate what that actually demands.

This week’s entry has been written by Krystian Lapka, Lawyer at LegalBison. Krystian specializes in cross-border corporate and commercial transactions, alongside strategic risk management at the intersection of civil and common law.

Most founders approaching their first CASP application understand, at least abstractly, that MiCA requires a real EU presence. What they underestimate is how the regulator defines “real.”

The typical early-stage setup looks coherent on paper: a registered office in a favorable EU jurisdiction, a director named in the governance documents, ICT systems either cloud-hosted or managed from the group’s global infrastructure, and paid-in capital sitting in a newly opened bank account.

From the inside, this feels like an EU company. From a National Competent Authority’s perspective, it may look like a letterbox with a director attached.

This article maps what MiCA’s substance requirements actually demand across personnel, technology, and financial resilience, and explains why regulators treat each category as a functional test rather than a documentation exercise.

The regulatory logic here is older than MiCA. In the landmark Cadbury Schweppes ruling (Case C-196/04), the Court of Justice of the European Union established that the freedom of establishment cannot be used to create “wholly artificial arrangements” that lack genuine economic activity. MiCA codifies that principle directly into crypto-asset regulation.

ESMA’s Supervisory Briefing on Authorization of CASPs, while non-binding, signals clearly how NCAs are expected to interpret these requirements in practice.

The gap between the statutory text and the supervisory expectation is where many applications encounter friction.

The minimum threshold under MiCA is one EU-resident director. Supervisory guidance raises that bar.

ESMA’s briefing anticipates at least two senior executives jointly overseeing daily operations. The rationale is straightforward: a single executive creates concentration risk and removes the internal checks that a functioning governance structure requires. Two executives with defined, overlapping responsibilities is the expected baseline.

Residency is not sufficient on its own. The guidance indicates that where a management body member is not resident in the NCA’s jurisdiction, that person should be capable of attending in-person meetings at the authority’s request within two business days.

For jurisdictions where physical proximity to the supervisor matters operationally, this is a practical constraint on how far from the home jurisdiction a director can effectively be located.

Reporting lines matter as much as individual profiles. The management body must demonstrate that strategic and operational control sits within the EU entity, not with a parent company in a third country that makes the real decisions and issues instructions downward.

An EU subsidiary whose executives functionally serve as implementation agents for a non-EU headquarters is not, in the supervisory sense, an entity with genuine EU management.

A team drawn entirely from crypto-native backgrounds with no regulated financial services experience, or one with deep TradFi experience and no capacity to assess on-chain risk, carries structural gaps that the assessment process will surface.

DORA (Regulation (EU) 2022/2554) applies directly to CASPs and sets the framework for ICT resilience requirements. The question regulators ask about technology is not what infrastructure a firm uses. The question is who controls it.

Cloud infrastructure hosted by AWS, Azure, or similar providers is acceptable under current supervisory practice. The issue arises when the entity authorized in the EU lacks meaningful administrative control over the systems it depends on.

If encryption key management sits with a parent company’s global IT team, if access rights to client data are administered from outside the EU, or if the disaster recovery plan depends on approvals from a third-country headquarters, the EU entity cannot demonstrate genuine operational independence.

The practical test is pointed: if the parent company’s global IT team became unavailable overnight, could the EU entity continue to operate, access client funds, and return assets to clients? If the answer is no, or not without significant escalation to non-EU personnel, the substance question has not been resolved.

GDPR compliance and data governance requirements layer on top of the DORA framework. Data processing arrangements, controller-processor relationships, and data residency considerations all form part of the technical architecture that regulators will examine.

The minimum capital figure is the starting point, not the ceiling. Prudential safeguards must equal the higher of either the permanent minimum capital or one-quarter of the preceding year’s fixed overheads.

As a CASP grows and its fixed overheads increase, this second limb becomes the binding constraint. When overheads exceed four times the initial paid-in capital, the firm must transition to the overheads-based framework. That inflection point arrives faster than many operators anticipate, and regulators expect proactive monitoring rather than reactive adjustment.

A structural point worth noting: capital must be paid into an account held with a formal credit institution.

The requirement that financial statements used in the fixed overheads calculation be duly audited or validated by national regulatory authorities adds a further administrative dimension. Newly incorporated entities projecting their first twelve months of overheads must include those projections in their authorization application, with the methodology clearly documented.

The distinction the regulator draws is between CASPs that outsource specific functions while retaining control and CASPs that outsource everything substantive while retaining only the legal form. The latter is a shell, regardless of how the arrangement is described in the application.

MiCA is directly applicable across all EU member states. The substantive requirements are uniform. Supervisory practice is not.

Poland’s legislative situation, covered in earlier installments of this series, has produced a structural gap where the domestic MiCA implementation law has not yet been enacted, leaving the KNF without formal designation as the competent authority and VASP holders without a viable domestic CASP application pathway.

These variations are not loopholes or administrative quirks. They reflect the reality that a harmonized legal framework still operates through national supervisory cultures, staffing constraints, and institutional histories. Selecting a jurisdiction for CASP authorization means selecting a regulator, with all the practical implications that entails.

That means executive leadership is physically reachable and legally responsible under EU law. It means ICT systems controllable by the EU entity without dependency on non-EU authorization chains. It means capital that is genuinely available and sized against actual operational risk.

And it means governance where the EU entity makes real decisions rather than implementing instructions issued from elsewhere.

Firms that approach this as a documentation exercise tend to find the process harder than expected. Firms that build the substance first and document what they have built tend to find it more straightforward. The application does not create the organization. It describes one that should already largely exist.

Sources: