Legal Update: EU Markets in Crypto-Assets Regulation (MiCA) – Part 2: General Requirements for Crypto-Asset Service Provider

The legal update on the Crypto-Assets Market Regulation (MiCA) in the EU outlines the general requirements for Crypto-Asset Service Providers (CASPs). CASPs must meet licensing, security, risk management, and data protection requirements, with a clear licensing process in place. MiCA sets minimum capital requirements for CASPs based on the type of services provided. Non-EU organizations offering services to EU residents must also comply with similar requirements. MiCA aims to create a unified legal environment for the crypto-assets market in the EU and is being prepared for implementation in Vietnam.

Introductory

Introduced by the European Commission as part of the Digital Finance Package, which includes other legislative proposals like the DLT Pilot Regime and DORA, Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets (“MiCA” or “Markets in Crypto-Assets Regulation”) establishes a comprehensive and harmonized framework for regulating crypto-asset markets across the European Union (EU). By overseeing the issuance of crypto-assets and the provision of related services, MiCA sets the groundwork for a unified regulatory environment for crypto-assets in the EU. This regulation has been fully effective since 30 December 2024.
In Vietnam, the development of a legal framework to manage crypto-assets and digital currencies was emphasized by General Secretary Mr. To Lam at a meeting with the Central Policy and Strategy Committee on 24 February 2025. The General Secretary requested the National Assembly and Government agencies to institutionalize the management of this field, i.e. to research and apply a controlled “pilot” mechanism (sandbox) to establish a "trading floor" for crypto-assets and digital currencies related activities. On 05 March 2025, Deputy Minister of Finance Mr. Nguyen Duc Chi said that within March 2025, the Government will issue a resolution, allowing the pilot operation of a crypto-asset trading floor so that investors, organizations and individuals will soon have a safe-place to trade.
In this article, we introduce some key elements of the MiCA regime such as services related to Crypto Assets, licensing requirements for registering Crypto Asset Service Providers (CASPs) etc. so that Vietnamese investors can grasp relevant information and prepare to accompany with the construction of Vietnam’s legal framework on virtual assets, crypto assets which will be very soon to be introduced by the Vietnam Government.

General Requirements for Crypto-Asset Service Provider (“CASP”)

1.    Irrespective of the specific service provided, all Crypto-Asset Service Providers (CASPs) must adhere to certain overarching requirements:
(i)    To be authorized as a CASP, entities must meet specific legal and operational requirements. First, they must be registered as legal entities with a structure that ensures client protection and compliance with MiCAR regulations.
(ii)    CASPs must maintain a registered office in their licensed jurisdiction and demonstrate effective management within the EU. This includes having at least one EU resident director on the management team to adhere to local regulatory controls.
(iii)    MiCAR imposes stringent risk management and security requirements on CASPs. Companies must implement internal controls that include robust anti-money laundering (AML) and counter-terrorist financing (CFT) measures. This involves establishing procedures for customer identification, transaction monitoring, and risk assessment, as well as mechanisms to manage various operational, legal, and IT threats. 
(iv)    Furthermore, CASPs are obligated to protect customer data and assets through security measures like access controls, data encryption, and regular security audits. These measures ensure the confidentiality and integrity of sensitive information.
(v)    Applicants must demonstrate financial safeguards, such as insurance reserves or equity, to cover potential risks like privacy breaches and customer liabilities.
(vi)    They must also establish a business continuity policy with backup and recovery plans to ensure operational stability.
(vii)    Furthermore, CASPs need clear procedures for handling customer complaints promptly and transparently.
(viii)    To maintain trust and fairness, robust processes for identifying and disclosing conflicts of interest are essential.
(ix)    Finally, CASPs must apply for authorization with comprehensive information about their activities. Once licensed, they can offer crypto asset services across the EU without needing separate national authorizations.
(x)    Recordkeeping. The CASPs must keep records of crypto-asset services, activities, orders and transactions undertaken by the CASP to enable the competent authorities to fulfill their supervisory tasks and take enforcement measures. According to the European Securities and Markets Authority (ESMA), the CASPs will have the flexibility to maintain all the transaction data elements in the format they consider the most appropriate, provided that some of these elements can be converted into a specified format when competent authorities request information. The records shall be kept for a period of 5 years and, where requested by the competent authority before 5 years have elapse, for a period of up to 7 years.
According to MiCA, a CASP must be authorized by competent authorities in an EU member state to operate within the Union. MiCA specifies that only legal entities with a registered office in a member state can offer crypto asset services.
Notably, authorization as a CASP will be valid throughout the entire EU. An authorized CASP providing cross-border services will not need a physical presence in the host member state. This reflects MiCA’s aim to offer CASPs similar benefits to those available to traditional financial firms with EU passports.
Meanwhile, companies based outside the EU but providing crypto-asset services to EU residents will be subject to the same obligations as EU-based CASPs. These obligations include acting honestly and in the best interest of clients, meeting prudential requirements, providing information to competent authorities, safeguarding clients’ funds, and identifying, managing, preventing, and disclosing conflicts of interest. The obligations also include specific requirements based on the types of crypto-asset services provided.
Another provision of MiCA states that the European Securities and Markets Authority (ESMA) shall establish a register of all CASPs. This register will be publicly available on ESMA’s website.
2.    New capital requirements for Crypto-Asset Service Provider license
MiCA regulation introduces new capital requirements for crypto asset service providers (CASPs), qualifying them into three types depending on the services provided and the level of responsibility to clients:
•    CASP Class 1
A minimum capital of €50,000 is required for companies engaged in basic operations such as receiving and transmitting orders, advising and placing crypto-assets. These services involve lower risks, which determines the relatively low capital threshold.
•    CASP Class 2
Requires a capital requirement of €125,000 for companies that not only perform Class 1 functions but also engage in exchanging crypto assets for fiat money or other digital assets and operate trading platforms. These companies take a more active role in market transactions, so they require additional capital.
•    CASP Class 3
Companies that provide all Class 1 and Class 2 services and additionally handle the custody and management of crypto assets on behalf of clients have the highest capital requirement of €150,000. These companies have increased responsibility for client funds, which requires the highest level of financial stability.
3.    Crypto-Asset Service Provider licensing process
The authorization process for Crypto Asset Service Provider (CASP) under MiCA involves several steps and considerations, as follows:
•    Step 1: Preparation of documentation
A CASP must prepare a number of documents, including a business plan, program of operations, internal risk management, and AML/CFT policies and so on. A detailed description of IT systems and information security measures will be required, as well as details of key executives and shareholders.
•    Step 2: Selecting a jurisdiction for licensing
Although the MiCA sets out uniform requirements, some jurisdictions may have additional rules. CASPs should select the EU member state where the licensing requirements and procedures best fits its business model.
•    Step 3: Submitting an application
The application for licensing is submitted to the competent authority of the country selected for licensing. The application must include detailed information about the applicant CASP, such as: A business plan, including a description of intended services; Description of governance arrangements and internal control mechanisms; Technical documentation of ICT systems and security arrangements; Complaints-handling procedures etc. Applicants must provide proof that members of the management body and qualifying shareholders are of good repute.
•    Step 4: Audit and verification of documentation
Competent authorities audit the data and documents provided, assess compliance with MiCA requirements, and verify the applicant’s readiness to comply with regulations. It is noteworthy that competent authorities can refuse authorization if the management body poses a threat, there are impediments to effective supervision, or the applicant fails to meet requirements.
•    Step 5: Obtainment of CASP license and providing services
Once the application is approved, the CASP is licensed to operate in the EU and authorized to provide crypto assets services throughout the Europe. CASPs can provide cross-border services by submitting notifications to regulators in other EU countries where they plan to operate without the need for traditional authorization.
•    Step 6: Compliance with standing requirements
Licensed CASP must comply with ongoing MiCA requirements, including regular AML/CFT review, record keeping, timely updates to data protection, and other compliance.

ALTAS’ Services in Vietnam

(i)    Business Licensing Package: including Company Establishment, Investment Registration, and Post-Registration Compliance: We provide guidance on post-registration obligations, such as tax registration, social insurance registration, and Corporate Secretarial Services;
(ii)    Operational/ Specialized Licenses: We assist with obtaining operational licenses for specific business activities and regulated industries such as manufacturing, trading, services, e-commerce, Healthcare, Educational or Food & Beverage (restaurants) etc.;
(iii)    Tax & Accounting & Bookkeeping Services: We assist with all aspects of tax compliance, bookkeeping services, social insurance contributions, and compliance with labor regulations. We also assist with Tax Settlements and Tax Refund for businesses including negotiating with tax authorities and resolving any outstanding tax liabilities;
(iv)    Data Protection: We assist with compliance with data protection regulations including drafting, reviewing Data Protection Impact Assessments (DPIAs), Data Processing/Transfer Agreement, Privacy Policies and necessary documentation required by the Personal Data Protection Decree (PDPD);
(v)    Dispute Resolution including Litigation, Mediation, Arbitration; and
(vi)    Legal Retainer Services upon Client’s demand.

Conclusion

The MiCA aims to regulate and harmonize the crypto-asset market within the European Union. In Vietnam the Prime Minister has urged the National Assembly and the Government to promptly establish a legal framework for digital assets in May 2025. Thus, Vietnamese investors should get ready to support the development of Vietnam’s legal framework for crypto assets, which will soon be introduced by the Vietnamese Government.
ALTAS LAW is committed to supporting investors and businesses during this volatile period. Please contact Partner Chris Luong at chris.luong@altas.vn if you need further information or assistance.

Copyright © 2025 ALTAS LAW. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by ALTAS LAW (meaning ALTAS LAW, ALTAS CORP and its member firms). Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between ALTAS LAW and any person. Disclaimers: The Content provided is for informational purposes only and may not reflect the latest legal or regulatory developments. Summaries of laws, regulations, and practices are subject to change. This Content does not constitute legal or professional advice for any specific situation and should not be relied upon as a substitute for reviewing and complying with applicable laws, rules, regulations, or official forms. Always seek legal counsel before making any decisions or taking any action based on this Content. ALTAS LAW, along with its editors and contributing authors, make no guarantees regarding the accuracy of the Content and explicitly disclaim any liability for any consequences resulting from actions taken, allowed, or omitted, whether fully or partially based on any part of the Content. The Content may include links to external websites, and external sites may also link to it. ALTAS LAW is not responsible for the content or functionality of any such external websites and disclaims all liability for any issues arising from their content or operation. Please note: Past results do not guarantee similar outcomes.

Written: Luong Van Chuong - Partner Lawyer at  ALTAS Law & Tran Anh Hoang - Legal Senior Assistant

Date: 11/03/2025