// EU · MICA ART. 143, 61, 88, 111 · THE AUTHORISATION GAP

Only ~1 in 5 crypto firms got a MiCA licence. What the other 80% must do now.

More than 1,200 crypto firms were registered or operating in the EU before MiCA. As of mid-2026, only roughly 210–244 (~17–20%) hold a full MiCA CASP authorisation. If you are in the ~80% that isn’t, a pending application is not cover — ESMA now expects your wind-down plan already implemented, onboarding stopped, and EU-targeting marketing switched off. Here is the math, the three obligations, the penalty range, and the two paths that actually remain.

Applies to: unauthorised CASPs Non-EU platforms serving EU users Rails, custody & banking partners Growth & comms teams

The authorisation math.

The headline number that no one has turned into a plain page: the overwhelming majority of firms that were active in the EU under national regimes did not convert into a MiCA authorisation. Estimates published through mid-2026 land in a consistent band.

1,200+
EU-registered / operating pre-MiCA
~210–244
Full MiCA CASP authorisations
~17–20%
Authorisation rate
~80%
Not fully authorised

Counts differ between trackers — authorisations are still being granted, and some sources count only trading-CASP permissions while others count every CASP service. We range it honestly: ~210–244 of 1,200+. Whichever end you take, the strategic fact is identical — being unauthorised on the deadline is the common case, not the exception, and regulators know it.

What ESMA now expects of the ~80%.

The most important shift in 2026 is that “we’ve applied” is no longer a holding position. ESMA has been explicit that firms which lost transitional cover must have already acted — a wind-down plan that exists only on paper is not enough.

// ESMA statements on unauthorised CASPs, 2026 · in substance

Firms without the required authorisation must already have implemented an orderly wind-down; a plan that has not been put into effect “will not suffice.” They must cease onboarding new clients and stop marketing communications targeting the EU. National competent authorities may take coordinated action against the unauthorised provision of crypto-asset services.

Two of those three obligations are legal and operational — a job for counsel and your national competent authority. The third, stop EU-targeting marketing, sits squarely with the growth and comms function, and it is the one most firms leave running by accident: an EU-language landing page, a still-live geo-targeted ad set, an influencer contract that hasn’t been cancelled.

ObligationWhat it means in practiceWhose desk
1. Implemented wind-down An orderly wind-down actually in effect — clients notified, withdrawals and close-outs enabled, a timeline set. Not a document in a drawer. Counsel + NCA
2. Stop onboarding No new EU clients accepted — signup and KYC flows for EU users closed, not merely de-emphasised. Product + counsel
3. Stop EU-targeting marketing Every EU-facing acquisition surface switched off: EU-language pages, EU geo-targeted paid ads, EU influencer/KOL deals, EUR/SEPA promotion, EEA app-store pushes. Growth & comms

“We’ll just rely on reverse solicitation.”

The reflex answer for a non-EU platform is to keep serving EU users and lean on reverse solicitation. It is the most over-read exemption in MiCA, and the one most easily destroyed by your own marketing.

// MiCA Art. 61 & ESMA reverse-solicitation guidance · in substance

The exemption covers only a service provided at the client’s own exclusive initiative. It is to be understood narrowly, cannot be relied upon to circumvent the authorisation requirement, and does not extend to new crypto-assets or services marketed to that client.

Reverse solicitation is not a foundation to build EU revenue on. It is a narrow defence for demand a firm genuinely did nothing to create. The moment there is EU-targeting marketing, the “exclusive initiative” story collapses — the marketing is the evidence that the firm, not the client, initiated the relationship.

The two paths that actually remain.

If you are in the ~80%, the choice narrows to two honest positions. Everything else is a variant of one of them.

// Path A · Get authorised (or operate under someone who is)

Complete the Article 63 authorisation, or transfer your EU book to / operate through a firm that already holds one. Until the licence is granted, do not claim “licensed,” “regulated,” or “MiCA-compliant” — including any status borrowed from a partner. “Application submitted” is a fact you may state; implied licensed status is a misleading-marketing finding under Article 88.

// Path B · Prove you are not marketing into the EEA

If you will remain unauthorised, the defensible position is a marketing surface that is demonstrably not aimed at the EEA — no EU-language localisation, no EU geo-targeting, no EU influencer activity, no EUR/SEPA promotion, no EEA app-store availability. This is exactly what a payment-rails, custody, or banking partner will want evidence of before they keep you onboarded. Evidence beats a signed declaration.

What the penalties actually range to.

MiCA’s penalty framework is worth stating precisely, because it is often quoted at only its ceiling. The regime carries a general administrative-penalty level and a higher ceiling for the most serious breaches.

  • General level: up to €5 million or 3% of total annual turnover, whichever is higher, for many breaches (amounts and multiples vary by member state transposition).
  • Higher ceiling (Art. 111): for the most serious infringements, up to €15 million or 12.5% of total annual turnover.

Alongside fines, NCAs can order a firm to cease the conduct, issue public warnings that name the firm, and coordinate action across member states against unauthorised provision. For most firms the reputational and rails-access consequences of a public warning bite harder than the headline number.

Related rules.

General information for marketing and communications teams, not legal advice and not a determination of any firm’s authorisation status. Authorisation counts are third-party estimates that differ between sources and change as licences are granted; we range them (~210–244 of 1,200+) rather than assert a single figure, and we never state that a specific firm is unauthorised without the ESMA/NCA register. For the binding text and your firm’s position, consult the Regulation, ESMA’s guidance, and qualified counsel in your client member states.