MiCA Countdown: Unauthorized CASPs Face July 1, 2026 Deadline

A non-extendable deadline

The MiCA grandfathering period ends on July 1, 2026 across all 27 EU Member States and the three additional EEA states (Norway, Liechtenstein, Iceland). From that date, any crypto-asset service provider without a CASP authorization that continues to serve European clients is in breach of Union law. The Commission has repeatedly confirmed since February 2026 that no extension is being considered. The penalties provided for go up to 5 million euros or 5% of annual turnover, plus cease-and-desist orders, and effective bans on operating in the single market.

At D-22 from the deadline, the public tally of issued authorizations barely exceeds forty, concentrated in a handful of jurisdictions. The rest of the market must choose between obtaining a license in the remaining weeks, restructuring its geographic scope, or ceasing its EU activities.

Who obtained the license, and where

The most active national competent authorities to date are the German Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), the Dutch Autoriteit Financiële Markten, the Malta Financial Services Authority, and the Luxembourg Commission de Surveillance du Secteur Financier. The French Autorité des Marchés Financiers and the Spanish Comisión Nacional del Mercado de Valores have issued fewer authorizations, with a more demanding prudential approach to governance.

Among the beneficiaries, one finds mainly large-cap centralized exchanges (the usual European names, plus a few major international players that have segmented their European entity), institutional custodians, and a core of technical service providers (KYC vendors, trading infrastructure). Coverage of P2P platforms, DEXs and indie exchanges remains extremely low, by design (most of these services lack the legal structure and economic incentive to enter the MiCA perimeter).

Who will not make it

Three categories of services are in serious difficulty.

The first group comprises intermediate exchanges whose EU volume accounts for 15 to 40% of overall activity. For these structures, the cost of the license is too high relative to the margin generated, but a complete shutdown of the EU perimeter means losing a quarter to a third of their user base. The dominant solution has been the creation of a separate European entity, sometimes located in Malta or the Netherlands, with a reduced functional scope.

The second category covers niche services (cards, P2P, mixers, SMS services) that never had a compliance structure and could not obtain one within the allotted timeframe. These services have either already closed EU access (often via IP geo-blocking), or accepted to continue operating in a gray zone with residual legal risk.

The third category comprises non-EU operators that served EU users without a local license. These operators theoretically have two options: obtain a MiCA license through an EU entity, or cease serving EU users. In practice, many choose a third option, namely continuing as-is while accepting the enforcement risk.

The enforcement scenario after July 1

The ratio of actual enforcement is the critical unknown. ESMA does not have the operational capacity to pursue each unlicensed operator individually, and national NCAs will likely take a staggered approach. The probable pattern, based on post-PSD2 and post-AMLD5 enforcement, is an initial move against a few high-volume visible operators, followed by stabilization at a low but constant enforcement pace.

For the end user, this means an unlicensed service may continue to function technically after July 1, with no immediate risk signal. The risk becomes actual when enforcement occurs, which may take months. This delay is not a comfort, it is a zone of uncertainty that must be treated as such.

What this changes for the directory

Our catalogue is largely composed of services that were never intended to become MiCA-compliant. This lack of licence is not a flaw; it is a feature. The change in usage post-1 July will be marginal for non-EU users. For EU users, the situation is more nuanced. Several of the listed services have already announced access restrictions, sometimes via geo-blocking, sometimes via a simple notice on their homepage. Our team will verify each listing in July and adjust the entries accordingly.

• For an EU-based user. Prioritise services with a clear public stance (licensed or geo-blocked). Avoid grey-zone services, whose technical accessibility post-1 July says nothing about their sustainability.
• For a non-EU user. The MiCA deadline does not directly affect your scope. But it may indirectly affect, through a consolidation effect, the services you use.
• For a service operator. If you operate a service in our niche and still have room for manoeuvre, the pragmatic option is probably IP geo-blocking of EU users. It is an imperfect measure but it avoids the most visible enforcement scope.

Verdict

MiCA is not a catastrophe for the privacy niche. It is a regime change that clarifies the separation between compliant services that accept the European framework and services that remain outside the framework by design. This clarification has a cost in terms of accessibility from the EU, but it also has a benefit in terms of landscape readability. Our directory will continue to list out-of-framework services, explicitly flagging their status, as we already do for .onion and .i2p listings.