Are You a MiCAR Entity? Why DORA Compliance is Not Optional.
Understanding your MiCAR classification is step one. Step two is realising that authorisation automatically brings you under DORA — with no exceptions and no grace period remaining.
Who is a Crypto-Asset Service Provider?
As the European crypto landscape matures under MiCAR, a critical question for many startups is: "Are we a Crypto-Asset Service Provider (CASP), or perhaps an issuer of tokens?" Understanding your classification is the first step. The second, equally crucial step is realising that a MiCAR authorisation automatically brings you under the scope of the Digital Operational Resilience Act (DORA).
The two regulations are to a large extent inseparable. MiCAR defines what you do; DORA defines how you must do it securely and resiliently. This article breaks down the key MiCAR entity types and why DORA compliance is a non-negotiable part of your licence to operate.
The 10 MiCAR-Defined Crypto-Asset Services
Under MiCAR, you are a CASP if you professionally provide any of the ten services listed below. It's not about the label you use, but the function you perform. As European regulators have clarified in recent Q&As, they will assess the "operational reality" of your activities — not just your marketing terms — to determine which licence you need.
-
1
Custody and Administration
Safekeeping or controlling clients' crypto-assets or their private keys.
Example: "SecureHold" offers a wallet service where they hold private keys for clients. ESMA confirmed (QA 2067) that staking-as-a-service platforms holding user assets are providing custody and require a CASP licence. -
2
Operation of a Trading Platform
Running a system that brings together multiple buyers and sellers of crypto-assets.
Example: "CryptoXchange" operates a platform where users place buy and sell orders and the engine matches them — a classic exchange model. -
3
Exchange of Crypto-Assets for Funds
Buying or selling crypto-assets directly with clients from your own capital.
Example: "InstaCoin" buys Bitcoin from clients at a quoted price using its own funds — making it the direct counterparty. ESMA (QA 2653) requires providers to execute orders at the displayed price. -
4
Exchange of Crypto-Assets for Other Crypto-Assets
Trading one crypto for another using your own capital.
Example: The same "InstaCoin" broker allows clients to swap Ethereum for Solana from its own inventory — also an exchange service. -
5
Execution of Orders on Behalf of Clients
Acting as an agent to conclude a purchase or sale of crypto-assets for a client.
Example: "CryptoPrime" connects to multiple venues to find the best price and executes trades on the client's behalf. ESMA (QA 2653) distinguishes this from exchange: they are an agent, not a principal. -
6
Placing of Crypto-Assets
Marketing newly-issued crypto-assets to purchasers on behalf of the issuer.
Example: "LaunchPad Pro" manages the initial token sale for a new blockchain project, marketing and selling the token to its user base. -
7
Reception and Transmission of Orders (RTO)
Receiving a client order and passing it to a third party for execution.
Example: "SimpleTrade" receives user buy orders via a mobile app but routes them to a larger licensed exchange rather than filling them itself. -
8
Providing Advice on Crypto-Assets
Giving personalised recommendations to a client about crypto transactions.
Example: "CryptoWealth Advisors" analyses a client's financial situation and suggests specific assets to buy or sell. ESMA (QA 2463) notes that copy-trading may qualify as advice if signals are presented as personalised recommendations. -
9
Providing Portfolio Management
Managing a client's crypto portfolio on a discretionary basis.
Example: "Digital Alpha" makes buy/sell decisions on clients' behalf. ESMA (QA 2463) also classifies copy-trading as portfolio management when trades execute automatically without client action per order. -
10
Providing Transfer Services
Transferring crypto-assets from one address to another on behalf of a client.
Example: "PayCrypto" enables merchants to accept crypto payments by moving funds from the customer's wallet to the merchant's wallet.
The company names used in the examples above (SecureHold, CryptoXchange, InstaCoin, etc.) are entirely fictitious and created for illustrative purposes only. Any resemblance to real entities is coincidental.
And What About Issuers of Asset-Referenced Tokens?
MiCAR doesn't just regulate service providers. It also creates a comprehensive framework for entities that issue asset-referenced tokens (ARTs) — crypto-assets that aim to maintain a stable value by referencing a basket of currencies, assets, or rights (but not pegged to a single official currency alone).
Example: "EuroStable" issues a token called EURS, backed by a reserve of 70% Euro-denominated bonds and 30% high-quality corporate debt. By issuing this token to the public, EuroStable is an ART issuer and requires MiCAR authorisation — and is therefore also in scope of DORA.
The Unbreakable Link: MiCAR Entities and DORA
Here is the critical connection, stated plainly:
Every CASP and every authorised issuer of asset-referenced tokens is also defined as a "financial entity" under DORA — Article 2(1)(f) of Regulation (EU) 2022/2554. There is no ambiguity. There are no exceptions.
Regulators view it this way: MiCAR grants you the licence to conduct your crypto business. DORA sets the mandatory technical and organisational standards you must meet to run that business safely. One without the other is not a complete authorisation.
Why Is This Link So Absolute?
- Systemic risk. A security failure at a major CASP or ART issuer — a custodian hack, or a de-pegging event caused by an operational failure — creates ripple effects across the entire digital asset market. DORA ensures every key player maintains resilience before that failure occurs.
- Harmonised standards. DORA creates a single high standard for digital resilience across all 27 Member States. It prevents a MiCAR-licensed entity from operating with weak cybersecurity, which would create a weak link in the chain for the whole ecosystem.
- Technology is your business. For any MiCAR-regulated entity, ICT isn't a back-office function — it is the core of the business. DORA ensures the management and security of that technology receive the seriousness they deserve.
The Time for Action Is Now
The DORA implementation deadline passed on 17 January 2025, with no grace period. If you are operating or planning to operate as a CASP or ART issuer under MiCAR, regulators expect your DORA framework — including your ICT risk management, incident reporting processes, and resilience testing programme — to be fully operational.
Understanding your MiCAR status is only half the battle. The other half is building and documenting your digital operational resilience before your regulator asks for it.
Our templates are designed specifically for micro-enterprise CASPs and ART issuers — mapped to the RTS/ITS, proportionate to your size, and used in live EU licensing processes.