Fifteen Eighty Four

In our new book “The EU Law on Crypto-Assets” (Cambridge University Press, 2025, 560pp), we discuss the EU’s regulatory responses to the rapidly growing area of crypto-assets, framed against challenges during the so-called “Crypto Winter” of 2022-23 and the SEC decision of 10 January that prompted the institutionalisation of crypto in the US. During the Crypto Winter, millions of investors faced extensive losses due to technical failures, fraud, and misconduct within inadequately regulated crypto markets. The book aims to address these issues by examining the EU’s regulatory steps in the field of crypto and analysing whether the EU framework is fit for the institutionalisation of crypto recently observed.

Our book is structured into 16 chapters, discussing particularly the Markets in Crypto-Assets (MiCA) Regulation that came into force in large parts, on 1 January 2025, as well as the Pilot Regime for distributed ledger technology (DLT) infrastructures, Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) laws, and the Digital Operational Resilience Act (DORA), but also the private law dimension of crypto. 

The Markets in Crypto-Asset (MiCA) Regulation

Chapters 3 to 11 focus on MiCA.

A pertinent matter of MiCA is its scope, which we discuss at length in Chapters 3 and 4: MiCA fills regulatory gaps within the EU’s financial law system. This is achieved through a regulatory technique where MiCA at the outset applies to all crypto-assets but then explicitly excludes from all or some of its scope crypto-assets or institutions that are covered by various other parts of EU financial legislation, such as the regulation of MiFID financial instruments. This makes sense but creates difficult interface issues between the different sets of legislation. MiCA provides no solution to these issues but designs various tools to resolve them over time. We analyse the interface issues and propose some pragmatic ways to move forward (see below).

For in-scope crypto-assets, MiCA creates a bespoke regulatory regime by combining and tailoring concepts from existing EU law for financial instruments and banking assets, respectively:

Prospectus and transparency rules (Chapter 5): MiCA borrows from the EU Prospectus Regulation and applies a simplified framework that mandates the issuance of a “whitepaper” to provide transparency and protect investors when crypto-assets are offered to the public or admitted to trading.

Product Regulation of Stablecoins (Chapter 6): MiCA regulates stablecoins, categorising them into e-money tokens (EMTs) and asset-referenced tokens (ARTs). EMTs, backed by single fiat currencies, are subject to requirements similar to those in the E-money Directive. In contrast, ARTs, which are tied to multiple assets, face stricter requirements, such as stricter reserve management and own funds obligations, to safeguard against financial instability. EMTs and ARTs that qualify as “significant” face yet stricter rules. In essence, MiCA seeks to balance risk and innovation, yet for stablecoins that grow to pose significant risks to the broader financial system or challenge the central banks’ grip on monetary policy, MiCA is imposing substantial restrictions.

Regulation of Crypto-Asset Service Providers (CASPs) (Chapters 7 to 9): MiCA seeks to regulate crypto-asset services similarly to the existing rules for services in other financial markets. CASPs offering custody, exchange, and trading services, for example, must adhere to familiar licensing and operational standards, with additional focus on cybersecurity and anti-money laundering (AML) compliance. Custody rules under MiCA require that CASPs implement secure handling of client assets and keep them separate from company assets, addressing the specific risks of digital asset storage. MiCA also covers crypto investment funds, essentially establishing a new type of funds where the Alternative Investment Fund Managers Directive (AIFMD) applies in tandem with MiCA.

Market Abuse and Insider Dealing Rules (Chapter 10): MiCA adapts the EU’s Market Abuse Regulation (MAR) principles to prevent insider trading and market manipulation in the crypto sector. Given the pseudo-anonymous nature of blockchain transactions, enforcing these rules presents challenges, but combined with stricter Know Your Customer (KYC) requirements MiCA’s alignment with traditional market abuse frameworks aims to strengthen integrity in the crypto market.

Other EU Law on Crypto-assets

Our book further explores the EU’s pilot regime for distributed ledger technology market infrastructures as laid out in the DLT Pilot Regulation (PilotR), which provides a controlled “sandbox” environment for innovation with blockchain and DLT applications in the financial markets. We further cover Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) legislation, which is crucial for mitigating illicit financial activities in crypto markets. As the last part of the EU’s Digital Finance Package, we also cover the Digital Operational Resilience Act (DORA), which aims to improve cyber resilience in the financial sector, where we focus on the specific context of crypto and decentralised finance (DeFi). Finally, we also cover private law topics, such as ownership and transfer of crypto-assets, from a comparative perspective, as this field is governed by the laws of Member States rather than the EU as such.

Remaining Regulatory Challenges

Despite the advancements brought by MiCA and the other EU regulatory initiatives, the novelty, rapid evolvement, and unique aspects of crypto markets imply that several challenges remain:

Same Risks, Same Rules: This principle suggests that similar risks should be regulated in the same manner for crypto as in traditional financial systems. However, crypto’s partial decentralisation complicates enforcement and MiCA’s scope is thus aimed at centralised entities, posing difficulties in applying consistent rules to DeFi platforms.

New Risks, New Rules: New risks unique to crypto require specific rules that current frameworks may not adequately cover. For instance, the decentralisation of services often leads to the evasion of traditional regulatory definitions and enforcement methods. Furthermore, environmental concerns related to crypto mining—particularly with energy-intensive cryptocurrencies like Bitcoin—fall outside existing sustainability disclosure rules such as the Sustainable Finance Disclosure Regulation (SFDR).

Classification of Assets under MiCA: MiCA has ambiguous definitions concerning asset classes, which could lead to regulatory arbitrage. Expanding MiCA’s scope or introducing supplementary legislation to cover these areas could help close these regulatory gaps​. For instance, we suggest treating most crypto-assets by default as MiFID financial instruments, unless financial supervisors are convinced of another classification.

Reverse Solicitation and Cross-Border Issues: MiCA’s focus on EU-licensed entities restricts its enforceability on third-country service providers, which may offer services to EU residents. The rules allow third-country firms to provide services if the client initiates contact (reverse solicitation), yet this has led to indirect marketing tactics, making enforcement challenging. We need a more rigorous approach to cross-border regulation, particularly in monitoring “Finfluencers” and other ways to encourage clients to contact third-country firms.

Pilot Regime Limitations: The PilotR’s narrow scope restricts its potential as a learning tool for future regulatory adaptations. The regime applies to specific asset classes and authorised entities only (not start-ups). It also has limitations on cross-sectoral exemptions, which hinders innovative models that do not fit neatly into existing regulatory categories.

Challenges in DORA Compliance for DeFi: While DORA mandates the hierarchical implementation of cyber risk management, DeFi sets out to achieve the same result but via horizontal financial infrastructures, distribution of functions across many very small participants, and automated contracting. Carve-outs for de minimis entities and adaptions to the rules on third-party risk management are necessary for DORA to function in a DeFi context.

Conclusion

The above challenges and opportunities outlined in our book indicate that while MiCA and its related regulations represent a major advancement in the EU’s crypto regulatory framework, they are not all-encompassing solutions. The evolving landscape of crypto-assets and DeFi will continue to test the adaptability and robustness of these regulations. Addressing the challenges may require future regulatory revisions, the creation of complementary legislation, and increased international regulatory cooperation to effectively manage the risks inherent in digital finance while maintaining an openness to innovation so that the EU crypto innovators and service providers remain competitive while ensuring that EU clients and investors participate in the benefits provided by crypto.