Who is a Crypto-Asset Service Provider (CASP)?
As the European crypto landscape matures under the Markets in Crypto-Assets Regulation (MiCAR), a critical question for many startups is: “Are we a Crypto-Asset Service Provider (CASP), or perhaps an issuer of tokens?” Understanding your classification is the first step. The second, equally crucial step is realizing that a MiCAR authorization automatically brings you under the scope of the Digital Operational Resilience Act (DORA).
The two regulations are to large extent inseparable. In terms of crypto-asset services MiCAR defines what you do, and DORA defines how you must do it securely and resiliently. This article breaks down the key MiCAR entities and why DORA compliance is a non-negotiable part of your license to operate.
The 10 MiCAR-Defined Crypto-Asset Services:
Under MiCAR, you are a CASP if you professionally provide any of the ten services listed below. It’s not about the label you use, but the function you perform. As European regulators have clarified in recent Q&As, they will assess the “operational reality” of your activities, not just your marketing terms, to determine which license you need (if any).
1
Custody and Administration: Safekeeping or controlling clients’ crypto-assets or their private keys.
Case Study: “SecureHold” offers a wallet service where they hold private keys for clients. They are a CASP. In a Q&A (ESMA QA 2067), the European Commission confirmed that “Staking-as-a-Service” platforms that hold users’ assets to stake on their behalf are providing custody and require a CASP license.
2
Operation of a Trading Platform: Running a system that brings together multiple buyers and sellers of crypto-assets.
Case Study: “CryptoXchange” operates a platform where users can place buy and sell orders, and the platform’s engine matches them. This is a classic exchange model and a CASP.
3
Exchange of Crypto-Assets for Funds: Buying or selling crypto-assets directly with clients from your own capital.
Case Study: “InstaCoin,” a crypto broker, offers to buy Bitcoin from clients at a quoted price. Because InstaCoin is the direct counterparty using its own funds, it is providing an exchange service. According to ESMA guidance (ESMA QA 2653), providers of this service must have a clear commercial policy and execute orders at the displayed price.
4
Exchange of Crypto-Assets for Other Crypto-Assets: Similar to the above, but trading one crypto for another using your own capital.
Case Study: The same “InstaCoin” broker allows clients to instantly swap their Ethereum for Solana from its own inventory. This is also an exchange service.
5
Execution of Orders on Behalf of Clients: Acting as an agent to conclude a purchase or sale of crypto-assets for a client.
Case Study: A firm, “CryptoPrime,” connects to multiple venues to find the best price for a client’s large order. CryptoPrime then executes the trade on that venue on the client’s behalf. As clarified by ESMA (ESMA QA 2653), this makes them an agent providing execution services, not an exchange.
6
Placing of Crypto-Assets: Marketing newly-issued crypto-assets to purchasers on behalf of the issuer.
Case Study: A new blockchain project hires “LaunchPad Pro” to manage the initial sale of its token. LaunchPad Pro markets and sells the token to its user base. It is placing crypto-assets and is a CASP.
7
Reception and Transmission of Orders (RTO): Receiving an order from a client and passing it to a third party for execution.
Case Study: A mobile app, “SimpleTrade,” allows users to enter a buy order. The app doesn’t fill the order itself but routes it to a larger, licensed exchange. SimpleTrade is providing RTO services.
8
Providing Advice on Crypto-Assets: Giving personalized recommendations to a client about crypto transactions.
Case Study: “CryptoWealth Advisors” analyzes a client’s financial situation and suggests specific crypto-assets to buy or sell. This is advice, making them a CASP. ESMA has clarified (in ESMA QA 2463) that “copy trading” services are assessed case-by-case and may be considered advice if the signals are presented as personalized recommendations.
9
Providing Portfolio Management: Managing a client’s portfolio of crypto-assets on a discretionary basis.
Case Study: A firm called “Digital Alpha” manages investment portfolios for clients, making buy/sell decisions on their behalf. This is portfolio management. As per ESMA guidance (ESMA QA 2463), “copy trading” can also be classified as portfolio management if the service automatically executes trades without requiring client action for each one.
10
Providing Transfer Services: Transferring crypto-assets from one address to another on behalf of a client.
Case Study: “PayCrypto” is a service that allows merchants to accept crypto payments by transferring crypto from the customer’s wallet to the merchant’s wallet. This is a transfer service.
And What About Issuers of Asset-Referenced Tokens?
MiCAR doesn’t just regulate service providers. It also creates a comprehensive framework for entities that issue certain types of crypto-assets, specifically asset-referenced tokens (ARTs).
An issuer of an asset-referenced token is an entity that offers a crypto-asset to the public that aims to maintain a stable value by referencing several currencies, another value or right, or a basket of such assets/rights in combination (but not being referenced to the value of only one official currency).
- Case Study: “EuroStable” issues a token called EURS. The value of EURS is backed by a reserve of assets consisting of 70% Euro-denominated bonds and 30% high-quality corporate debt. By issuing this token to the public, “EuroStable” is an issuer of an ART and requires authorization under MiCAR.
Disclaimer: Please note that the company names used in the case studies in this article are fictitious (e.g., “SecureHold,” “CryptoXchange,” “InstaCoin”, etc.). They have been created for illustrative purposes only, and any resemblance to real entities is entirely coincidental.
The Unbreakable Link: MiCAR Entities and DORA Compliance
Now for the critical connection:
Every single CASP and every authorized issuer of asset-referenced tokens is also defined as a “financial entity” under the DORA regulation (Article 2(1.)(f) of Regulation (EU) 2022/2554 (DORA)).
There is no ambiguity. There are no exceptions.
DORA is the foundational layer of operational and cybersecurity rules for the entire EU financial system. Regulators view it this way: MiCAR grants you the license to conduct your crypto business, but DORA sets the mandatory technical and organizational standards you must meet to run that business safely.
Why is this link so absolute?
- Systemic Risk: A security failure at a major CASP or ART issuer—like a major hack of a custodian or a de-pegging event caused by an operational failure—can have a ripple effect, causing financial losses and eroding trust in the entire digital asset market. DORA aims to prevent this by ensuring every key player is resilient.
- Harmonized Standards: DORA creates a single, high standard for digital resilience across Europe. It prevents a situation where a MiCAR-licensed entity could operate with weak cybersecurity rules, creating a weak link in the chain.
- Technology is Your Business: For any MiCAR-regulated entity, information and communication technology (ICT) isn’t just a back-office function; it is the core of the business. DORA ensures that the management and security of this technology are treated with the seriousness they deserve.
The Time for Action is Now
The grace period for DORA implementation ended on January 17, 2025. If you are operating or are you planning to operate as a CASP or an ART issuer under MiCAR, regulators expect your DORA framework—including your ICT risk management, incident reporting processes, and resilience testing program—to be fully operational.
Understanding your status under MiCAR is only half the battle. The other half is taking immediate action to build and document your digital operational resilience.
Are you a (prospective) micro-enterprise CASP or ART issuer struggling with DORA?
Our store offers professionally designed templates of internal acts specifically tailored for the needs and scale of micro-enterprises. These tools can help you accelerate your compliance, build a defensible framework, and prove to regulators that you take the security and stability of your operations seriously.