The authorisation math.
The headline number that no one has turned into a plain page: the overwhelming majority of firms that were active in the EU under national regimes did not convert into a MiCA authorisation. Estimates published through mid-2026 land in a consistent band.
Counts differ between trackers — authorisations are still being granted, and some sources count only trading-CASP permissions while others count every CASP service. We range it honestly: ~210–244 of 1,200+. Whichever end you take, the strategic fact is identical — being unauthorised on the deadline is the common case, not the exception, and regulators know it.
What ESMA now expects of the ~80%.
The most important shift in 2026 is that “we’ve applied” is no longer a holding position. ESMA has been explicit that firms which lost transitional cover must have already acted — a wind-down plan that exists only on paper is not enough.
Firms without the required authorisation must already have implemented an orderly wind-down; a plan that has not been put into effect “will not suffice.” They must cease onboarding new clients and stop marketing communications targeting the EU. National competent authorities may take coordinated action against the unauthorised provision of crypto-asset services.
Two of those three obligations are legal and operational — a job for counsel and your national competent authority. The third, stop EU-targeting marketing, sits squarely with the growth and comms function, and it is the one most firms leave running by accident: an EU-language landing page, a still-live geo-targeted ad set, an influencer contract that hasn’t been cancelled.
| Obligation | What it means in practice | Whose desk |
|---|---|---|
| 1. Implemented wind-down | An orderly wind-down actually in effect — clients notified, withdrawals and close-outs enabled, a timeline set. Not a document in a drawer. | Counsel + NCA |
| 2. Stop onboarding | No new EU clients accepted — signup and KYC flows for EU users closed, not merely de-emphasised. | Product + counsel |
| 3. Stop EU-targeting marketing | Every EU-facing acquisition surface switched off: EU-language pages, EU geo-targeted paid ads, EU influencer/KOL deals, EUR/SEPA promotion, EEA app-store pushes. | Growth & comms |
“We’ll just rely on reverse solicitation.”
The reflex answer for a non-EU platform is to keep serving EU users and lean on reverse solicitation. It is the most over-read exemption in MiCA, and the one most easily destroyed by your own marketing.
The exemption covers only a service provided at the client’s own exclusive initiative. It is to be understood narrowly, cannot be relied upon to circumvent the authorisation requirement, and does not extend to new crypto-assets or services marketed to that client.
Reverse solicitation is not a foundation to build EU revenue on. It is a narrow defence for demand a firm genuinely did nothing to create. The moment there is EU-targeting marketing, the “exclusive initiative” story collapses — the marketing is the evidence that the firm, not the client, initiated the relationship.
The two paths that actually remain.
If you are in the ~80%, the choice narrows to two honest positions. Everything else is a variant of one of them.
Complete the Article 63 authorisation, or transfer your EU book to / operate through a firm that already holds one. Until the licence is granted, do not claim “licensed,” “regulated,” or “MiCA-compliant” — including any status borrowed from a partner. “Application submitted” is a fact you may state; implied licensed status is a misleading-marketing finding under Article 88.
If you will remain unauthorised, the defensible position is a marketing surface that is demonstrably not aimed at the EEA — no EU-language localisation, no EU geo-targeting, no EU influencer activity, no EUR/SEPA promotion, no EEA app-store availability. This is exactly what a payment-rails, custody, or banking partner will want evidence of before they keep you onboarded. Evidence beats a signed declaration.
What the penalties actually range to.
MiCA’s penalty framework is worth stating precisely, because it is often quoted at only its ceiling. The regime carries a general administrative-penalty level and a higher ceiling for the most serious breaches.
- General level: up to €5 million or 3% of total annual turnover, whichever is higher, for many breaches (amounts and multiples vary by member state transposition).
- Higher ceiling (Art. 111): for the most serious infringements, up to €15 million or 12.5% of total annual turnover.
Alongside fines, NCAs can order a firm to cease the conduct, issue public warnings that name the firm, and coordinate action across member states against unauthorised provision. For most firms the reputational and rails-access consequences of a public warning bite harder than the headline number.
Related rules.
-
The decision tree: licence, cease, orderly wind-down, transfer clients, merge — and what each does to your marketing surface.
-
Enforcement posture by member state, what an unauthorised firm must already have done, and how to announce a wind-down compliantly.
-
The map of what remains permissible — and the EEA line reverse solicitation cannot cross.
-
The “clear, fair, and not misleading” bar every communication must clear — including any “licensed” claim.
-
MiCA, FCA, GDPR — the marketing rules, quoted and explained.
General information for marketing and communications teams, not legal advice and not a determination of any firm’s authorisation status. Authorisation counts are third-party estimates that differ between sources and change as licences are granted; we range them (~210–244 of 1,200+) rather than assert a single figure, and we never state that a specific firm is unauthorised without the ESMA/NCA register. For the binding text and your firm’s position, consult the Regulation, ESMA’s guidance, and qualified counsel in your client member states.