MiCA Grandfathering Deadlines by Country
Most MiCA transitional periods for former VASPs expire by end of 2025. Once yours passes, MiCAR authorisation — and full DORA compliance — become mandatory. Here's exactly when your clock runs out.
What is MiCA grandfathering?
When the Markets in Crypto-Assets Regulation (MiCAR) became fully applicable on 30 December 2024, it didn't immediately force every existing crypto business to stop and apply for a new licence. Instead, Article 143(3) of MiCAR allowed Member States to grant existing crypto-asset service providers — those legally operating under national rules before MiCA — a transitional period to continue operating while they seek MiCAR authorisation.
This is the grandfathering regime. It is a time-limited bridge, not a permanent exemption. Once your country's transitional period ends, you must either hold a valid MiCAR CASP authorisation or cease operations. There is no extension mechanism.
The DORA connection: The moment your grandfathering period expires and you become a fully authorised CASP under MiCAR, you are simultaneously a "financial entity" under DORA (Article 2(1)(f)). Full DORA compliance — ICT risk framework, incident reporting, resilience testing, vendor register — becomes mandatory on that same day.
Deadlines by country
Member States chose their transitional period length — 6, 12, or 18 months from MiCA's applicability date of 30 December 2024. The table below reflects ESMA's official published list under Article 143(3) MiCA. Firms operating in multiple jurisdictions must comply with the earliest applicable deadline.
| Country | Transitional Period | Deadline | Status |
|---|---|---|---|
| Lithuania | ~5 months | ~May 2025 | Expired |
| Latvia · Netherlands · Poland · Hungary · Slovenia | 6 months | 30 June 2025 | Expired |
| Germany · Ireland · Greece · Spain · Italy · Austria · Slovakia | 12 months | 30 December 2025 | End of 2025 |
| France · Czechia · Denmark · Estonia · Cyprus · Malta · Luxembourg · Bulgaria · Croatia · Romania | 18 months | 30 June 2026 | June 2026 |
| Belgium · Portugal · Norway (EEA) | TBA | Not yet published | TBA |
Source: ESMA's official list of transitional arrangements under Article 143(3) MiCA. Dates are calculated from MiCA's applicability date of 30 December 2024. Confirm the current status with your national competent authority before relying on this table for compliance planning.
What happens when the period ends?
On the day your transitional period expires, three things happen simultaneously:
- MiCAR authorisation becomes mandatory. Operating without a valid CASP licence after this date is unlicensed activity — subject to regulatory action and potential criminal liability under national law.
- DORA becomes fully applicable. Your ICT risk framework, incident reporting process, resilience testing programme, and Register of Information must all be operational and documentable.
- Supervisory scrutiny begins. National competent authorities will be actively monitoring for newly-authorised CASPs, and early licence conditions often include ICT-related requirements tied directly to DORA.
For firms in the 12-month group (end of 2025)
If your deadline is 30 December 2025, you have months, not years. DORA compliance cannot be built in weeks — a credible ICT risk framework requires management-body approval, documented testing, and a functional Register of Information. Building that track record takes time. If you haven't started, starting today means you'll have something defensible by year end. Starting in November means you won't.
For firms in the 18-month group (June 2026)
The longer runway doesn't reduce the urgency — it provides the opportunity to build properly. Regulators will assess not just whether you have a framework in place, but how long it has been operating and how mature it is. A framework running since early 2025 with six months of incident reviews and testing records is far more defensible than one assembled in the weeks before your deadline.
Multi-jurisdiction note: If you hold licences or registrations in multiple Member States, your DORA obligation activates at the earliest applicable deadline — not the latest. Plan to the shortest clock.
What you need to have ready
By your grandfathering deadline, regulators expect:
- A documented ICT risk management framework approved by the management body
- An incident classification and reporting process meeting DORA RTS thresholds
- A complete Register of Information covering all ICT third-party providers
- Contracts with critical ICT providers reviewed for mandatory DORA clauses
- At minimum one resilience test cycle completed and documented
- A digital operational resilience strategy aligned to your business model
Our documentation set covers every DORA requirement listed above — pre-mapped to the RTS/ITS, scoped for micro-enterprise CASPs, and built to be defensible in live licence reviews.