MiCA Decoded is a 12-article weekly series for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies on MiCA licensing, CASP and VASP applications, and regulatory structuring across Europe and beyond.
There is a version of the MiCA authorization process that founders talk about as if it ends the moment the license arrives. Apply, wait, get authorized, operate in the EU. The license is the finish line.
That framing misreads what MiCA actually authorizes. A Crypto-Asset Service Provider (CASP) license grants permission to provide specific crypto-asset services, defined in detail in the regulation. It does not grant permission to operate a payment institution, issue electronic money, or run a derivatives trading venue. Those activities sit under entirely different regulatory frameworks. And for many platforms whose commercial model depends on at least one of them, the MiCA license alone leaves a gap that is operationally significant and, if ignored, legally serious.
This tenth installment of MiCA Decoded maps that gap precisely, service by service.
The Myth: MiCA Covers the Full Stack of What a Crypto Exchange Does
The assumption is understandable. MiCA is comprehensive. It covers ten categories of crypto-asset services. Its scope extends to custody, exchange, execution, routing, advice, and portfolio management. For most retail crypto platforms, that covers a substantial portion of their business.
But “substantial” and “complete” are different things. The platforms most likely to discover a significant difference are not marginal operators. They are the ones running derivative products, enabling crypto-funded card payments, offering leveraged perpetual positions, or hosting prediction markets. These prediction markets have become a major trend for centralized exchanges (CEXes), yet they sit at a regulatory boundary that MiCA does not cross. Instead, they often fall under local iGaming regulatory frameworks. These are commercially significant product lines at major exchanges, and each one operates outside MiCA’s scope.
The regulation is specific about what it governs. Article 2(4) of MiCA explicitly excludes from its scope crypto-assets that qualify as financial instruments under Directive 2014/65/EU (MiFID II), deposits, funds as defined under the Payment Services Directive 2 (PSD2), and securitisation positions. These exclusions are not technical footnotes. They define the perimeter of MiCA’s authority. Anything falling on the other side of that perimeter requires authorization under a different framework entirely.

Where the CASP License Stops
Payment Services
MiCA authorizes the transfer of crypto-assets on behalf of clients, defined in Article 3(1)(26) as “providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another.” This is a crypto-native transfer service. It is not a payment service in the PSD2 sense.
The distinction matters enormously for platforms that want to offer crypto-funded card programs, fiat on/off-ramp integrations, direct bank transfers, or merchant payment acceptance in euros or other official currencies. Article 2(4)(c) excludes “funds” as defined in PSD2 from MiCA’s scope, except where they qualify as e-money tokens.
A platform that receives fiat or e-money tokens (EMTs) from a user, holds them, and transmits them somewhere is operating a payment service. This requires either a payment institution license or an Electronic Money Institution (EMI) license under Directive (EU) 2015/2366 (PSD2), rather than just a Crypto-Asset Service Provider (CASP) authorization. Because EMTs are legally deemed to be electronic money, CASP transfer services do not cover EMTs unless the activity falls under the “intermediation” exclusion.
A non-EMI CASP can transmit orders for EMTs only if the transaction stays within the CASP’s internal ecosystem or within a custodial account managed by an authorized licensed partner. If a service involves transmitting an order that triggers the transfer of an EMT to a third-party wallet or a private ledger, it constitutes the execution of a payment transaction or a money remittance service under PSD2/PSD3. Any CASP facilitating these external transfers after March 2026 must have its own EMI/PI license or use a licensed agent.
MiCA itself acknowledges this boundary. Article 70(4) states that crypto-asset service providers may themselves or through a third party provide payment services related to their crypto-asset service, but only where the provider or the third party is authorized to provide those services under PSD2. The regulation does not grant payment services capability through the back door. It requires that the capability be independently authorized.
For an exchange that wants to let users top up via SEPA transfer, settle redemptions in euros, or issue a branded debit card, a CASP license is a necessary piece of the structure. It is not sufficient.
Perpetuals and Futures
This is where the exposure tends to be sharpest for derivative-first platforms.
MiCA’s scope is defined around “crypto-assets,” which are digital representations of value or rights that can be transferred using distributed ledger technology. The regulation covers the services built around those assets: custody, trading on spot markets, exchange, execution of orders as well as routing of orders as a pure intermediary. What it does not cover is financial derivatives where the crypto-asset is the underlying instrument rather than the thing being traded.
Article 2(4)(a) removes from MiCA’s scope any crypto-asset that qualifies as a financial instrument under MiFID II. A perpetual futures contract on BTC/USD is not a crypto-asset. It is a derivative. It may settle in cryptocurrency, but the instrument itself, the contractual claim representing a leveraged position on the price of Bitcoin, is a financial instrument in the MiFID II sense. Operating a venue that allows EU clients to trade such instruments requires an investment firm authorization under MiFID II, or at minimum a trading venue authorization depending on the structure, not a CASP license.
Recital 97 of MiCA addresses this directly, noting that derivatives qualifying as financial instruments under MiFID II and whose underlying asset is a crypto-asset are subject to Regulation 596/2014 (the Market Abuse Regulation), not to MiCA. The market abuse provisions still reach the underlying crypto-asset. But the authorization framework for the derivative product itself sits under MiFID II.
Some exchanges attempt to structure perpetuals as crypto-to-crypto swap arrangements that they characterize as exchange services rather than derivatives. Regulators are familiar with this framing, and the classification question is ultimately one of substance over form. An instrument with leverage, a funding rate, and no delivery of the underlying asset is likely to face scrutiny as a derivative regardless of how it is labeled. The legal risk of getting this wrong is the provision of financial services without authorization.
Futures Contracts
The same analysis applies to dated futures. A futures contract obliging a counterparty to buy or sell an asset at a predetermined price on a future date is a financial instrument under MiFID II, specifically within the definitions covering derivatives on commodities, currencies, and other underlyings. Cryptocurrency futures, even where physically settled in BTC or ETH, are treated as financial instruments when they are traded on a multilateral basis.
Operating a trading platform for such instruments requires authorization as a regulated market, multilateral trading facility (MTF), or organized trading facility (OTF) under MiFID II. CASP authorization covers the operation of a trading platform for crypto-assets under Article 76 of MiCA, which defines a trading platform as a multilateral system bringing together multiple third-party purchasing and selling interests in crypto-assets, not derivatives on crypto-assets.
In practical terms, this means the CASP provides a venue where clients meet and trade with each other under clear operating rules defined and maintained by the CASP itself. The platform operator pools and matches client orders to facilitate price discovery rather than setting prices. The CASP does not take market risk, book trades on its own sheet, or deal on its own account. The only exception is matched principal trading, which the operator may engage in strictly with explicit client consent and monitoring by the competent authority.
Both frameworks impose strict limits on permitted trading models. Under MiFID II, multilateral trading facilities (MTFs) are entirely banned from executing client orders against proprietary capital or engaging in matched principal trading. Organized trading facilities (OTFs) are permitted to act as matched principals for specific instruments, such as bonds, structured finance products, emission allowances, and certain derivatives, but only with explicit client consent.
MiCA establishes similar restrictions for crypto-assets. Crypto-asset service providers cannot deal on their own account on the trading platforms they operate. MiCA allows matched principal trading as an exception, but only where the client has consented to the process. The provider must supply the competent authority with information explaining its use of matched principal trading. The competent authority then monitors the engagement to verify it continues to fall within the strict definition of matched principal trading and does not give rise to conflicts of interest between the provider and its clients.
Bitstamp, which holds MiCA authorization in Luxembourg under the Commission de Surveillance du Secteur Financier (CSSF), also holds a MiFID license permitting it to operate an MTF. That dual licensing structure is not an accident. It reflects the actual scope of the activity.
Why Operators Miss This
Several factors produce the misunderstanding.
First, the practical effect of pre-MiCA national VASP regimes varied significantly by jurisdiction and over time. While early registrations in some countries might have initially operated as a permissive baseline, regulators became increasingly stringent.
In Estonia, for example, the Financial Intelligence Unit (RAB) actively scrutinized the specific services provided by VASPs and investigated the provision of unlicensed financial services. By 2022, ahead of MiCA’s enactment, Estonia implemented strict amendments that explicitly banned the offering of futures and perpetuals under a VASP license. Operators received a short 60 to 90-day grace period to comply, which ultimately led to the mass revocation of thousands of licenses.
Second, the CASP register entries themselves are not always informative to founders reading them from the outside. An exchange listed as authorized for “operation of a trading platform” and “execution of orders” looks comprehensively authorized. Whether it is running derivatives products under a separate MiFID authorization requires reading beyond the CASP register entirely.
Third, many platforms offer derivatives on crypto-assets to non-EU clients, and EU clients make up a minority of users. The assumption is that the EU exposure is manageable. But the reverse solicitation rules discussed in earlier installments of this series apply equally to unauthorized derivative services. A platform marketing leveraged BTC perpetuals to global clients while simultaneously applying for a CASP license for its EU spot trading product may find that the two activities interact in ways the compliance team did not anticipate.
The Regulatory Junctions
Three regulatory frameworks converge around most full-service crypto exchanges:
MiCA governs spot trading, custody, transfer services, exchange, execution of orders, reception and transmission of orders, advice, and portfolio management on crypto-assets. The CASP license is required and sufficient for these activities when provided to EU clients.
PSD2 and the EMI regime govern payment services involving fiat. Any activity involving the receipt, holding, or transmission of euro-denominated or other official currency funds requires either a payment institution license (for payment initiation and money transmission) or an EMI license (where the platform stores fiat value electronically as a claim redeemable at par). An exchange that allows users to fund accounts by bank transfer and withdraw in euros is, at minimum, touching a payment service. Whether that requires PSD2 authorization depends on the specific flow and structure, but the question must be assessed deliberately, not assumed away.
MiFID II governs derivatives. Futures, perpetuals, options, and CFDs on crypto-assets are financial instruments. Operating venues for their trading, or providing investment advice and portfolio management in relation to them, requires MiFID II authorization. The specific authorization type (investment firm, regulated market, or MTF) depends on the business model.
Platforms operating across all three categories need a structure that maps each product line to its authorizing framework. That is a multi-license, multi-entity architecture in some cases, not a single CASP application.

What the Compliance Gap Looks Like in Practice
Consider an exchange that:
- Offers spot BTC/EUR trading (CASP: exchange of crypto-assets for funds)
- Allows SEPA deposits and euro withdrawals (payment service, potentially PSD2)
- Runs BTC perpetual contracts with up to 20x leverage (derivative product, potentially MiFID II)
- Offers a crypto-backed Visa card that spends euro balances (payment institution capability, PSD2/EMI)
A CASP authorization, standing alone, covers the first item with reasonable confidence. The other three sit at the boundary. Whether they require independent authorizations, whether they can be structured as ancillary to the main crypto business, or whether they must be routed through licensed third parties are fact-specific questions. They are not questions the CASP license answers.
This is exactly the type of analysis regulators will apply when reviewing a business model during the authorization process. The application requires a programme of operations under Article 62(2)(d) of MiCA, which must set out the types of crypto-asset services the applicant intends to provide, including where and how those services are to be marketed. A business model that includes derivatives or payment services must address those elements in the application. Operators who treat the CASP application as covering the full scope of their business risk having the NCA identify the gap before they do, at the worst possible moment in the authorization process.
The Operational Consequence
For platforms already operating in the EU under grandfathering provisions that expire July 1, 2026, the regulatory gap has an immediate timeline consequence. A VASP registration does not solve the payment services problem any more than a CASP license will. These questions do not disappear with MiCA authorization; they persist and become more visible to regulators whose supervisory tools now match the formal authorization framework.
For platforms currently designing their EU market entry structure, the sequence matters. Mapping each product line to its authorizing framework comes before choosing the jurisdiction for the CASP application. The jurisdiction choice affects the CASP, but it also affects the feasibility of layering PSD2 and MiFID II authorizations on the same entity or within the same group.
Getting the architecture wrong is fixable. But it tends to be expensive to fix after authorization, and it tends to surface at the moment the platform is growing fast enough that the regulators start paying attention.
What This Article Decoded
- MiCA’s CASP license authorizes ten specific crypto-asset services. It does not authorize payment services under PSD2, derivative trading under MiFID II, or any activity that falls under the financial instruments exclusion in Article 2(4)(a) of the regulation.
- Perpetuals and futures on crypto-assets are financial instruments in the MiFID II sense when structured as derivative contracts. Operating trading venues for these products, or providing services related to them, requires MiFID II authorization independent of any CASP license.
- Fiat handling triggers PSD2. The receipt, storage, and transmission of euro-denominated or other official currency funds constitutes a payment service. A CASP license does not authorize payment services. This is a structural gap for any exchange offering direct bank funding, fiat withdrawal, or crypto-funded card products.
- Dual and triple licensing architectures are real. Major exchanges with MiCA authorization that also run derivatives and payment products typically hold MiFID II and PSD2/EMI authorizations alongside the CASP. The structure is not exotic; it reflects the actual scope of a full-service crypto exchange operating under EU law.
- The business model assessment happens before the application. NCAs reviewing CASP applications will examine the programme of operations. A business model that includes derivatives or payment services, unaddressed, creates exposure during the authorization review itself.
The CASP license is the necessary foundation for operating a crypto exchange in the EU. It is, in many cases, not sufficient.
This article is based on a study conducted by LegalBison in May 2026. The content is for informational purposes only and does not constitute legal advice.