How MiCA Affects Crypto Exchanges and On-Ramps in 2026

Key Takeaways

  • CASP authorisation starts a permanent compliance relationship with the regulator. Supervision runs indefinitely from the moment the licence is granted.
  • Fund segregation and fee transparency are legally enforced on every licensed exchange and on-ramp under MiCA.
  • AML monitoring runs in real time across all transactions, every day. It is a permanent operational function built into the licence conditions.
  • The Travel Rule requires sender and recipient data on every crypto transfer above €1,000 between CASPs.
  • DORA applies to all CASPs from January 2025. Major IT incidents must be reported to regulators within hours.
  • First-year MiCA compliance costs: €500K–€2M for exchange-scale operators, €250K–€500K for startups.
  • An unlicensed on-ramp creates counterparty risk for any business that integrates it. The Paybis on/off-ramp handles the compliance layer under full CASP authorisation.

Getting a MiCA licence was the hard part for most exchanges and on-ramps. What comes after is different: a permanent shift in how the business has to run. July 1, 2026 closed the window for operating on legacy registrations. What opened in its place is a framework that treats crypto exchanges the same way it treats banks, with active supervision running continuously rather than only appearing at licence renewal.

Whether you operate an exchange directly or integrate an on-ramp into your product, this article covers what changed and what it means for your operations.

What Does MiCA Require From Exchanges and On-Ramps at a Baseline Level?

Every CASP must meet six baseline obligations from the moment authorisation is granted. These apply to every licensed exchange and on-ramp in the EU, regardless of size or the services offered.

The six baseline requirements under MiCA for all CASPs:

  • Client fund segregation. Customer crypto and fiat assets must be held separately from the company’s own funds at all times. Using client funds for operations or treating them as company property in insolvency is a licence condition breach.
  • Fee transparency. The full cost of every transaction must be disclosed before confirmation. Hidden spreads and post-execution fee reveals are prohibited.
  • AML and KYC program. A documented, risk-based AML program must be in operation covering both onboarding verification and ongoing transaction monitoring. The crypto compliance guide covers each layer in detail.
  • Governance and management standards. A qualified compliance officer must be appointed with genuine authority. Governance structures must be documented and demonstrably operational.
  • Complaint handling. A formal, documented complaint process must be in place, with defined response timelines and escalation routes.
  • Ongoing regulatory reporting. Regular submissions on transaction volumes, business changes, and material incidents go to the national competent authority that issued the licence.

These baseline obligations apply to every CASP. Additional requirements layer on top depending on the specific services offered.

How Does MiCA Change Day-to-Day Exchange Operations?

MiCA redefined what running an exchange in the EU means at the operational level. The licence is the entry point. The ongoing requirements are the substance.

Before MiCA, exchanges operating under national AML registrations faced basic KYC and suspicious transaction reporting requirements. Governance, IT security, and capital adequacy were checked at the licensing stage, if at all. Day-to-day operations ran largely without ongoing regulatory scrutiny.

Under MiCA, the dynamic changes:

  • AML monitoring runs continuously. Transaction surveillance must cover all activity in real time. Reviewing alerts and filing suspicious transaction reports with the relevant financial intelligence unit are daily operational functions.
  • Token listing decisions carry compliance weight. MiCA requires white papers for crypto-assets offered to EU investors. An exchange listing a token whose issuer has not published a compliant white paper carries regulatory risk for that listing decision. Due diligence on new listings has tightened considerably as a result.
  • Stablecoin trading faces specific restrictions. Exchanges can only freely trade stablecoins whose issuers hold authorisation under MiCA’s e-money token or asset-referenced token frameworks. Several widely traded stablecoins face restrictions on licensed EU platforms in 2026 because their issuers have not obtained the relevant authorisation.
  • Market abuse rules now apply. MiCA prohibits insider trading, market manipulation, and unlawful disclosure of inside information on crypto exchanges. These are enforceable obligations with real consequences. Exchanges must have surveillance systems capable of detecting prohibited conduct.
  • Record-keeping standards are formalised. ESMA has published technical format requirements for order book records and transaction data. These standards govern how exchanges store and submit data to regulators, and compliance requires ongoing data quality management alongside the technical infrastructure.

How Does MiCA Specifically Affect On-Ramps?

On-ramps, meaning platforms that convert fiat currency into crypto, are CASPs under MiCA and face the same baseline obligations as exchanges. In one respect they face more scrutiny, because fiat entry points are where AML enforcement is concentrated.

Financial crime in crypto usually begins at the fiat entry or exit point. Money that enters the crypto ecosystem through an on-ramp that has weak KYC or limited transaction monitoring is considerably harder to trace once it has moved on-chain. Regulators know this. The AML and KYC expectations for on-ramps under MiCA and the accompanying TFR (Transfer of Funds Regulation) reflect it.

Specific operational impacts on on-ramps:

  • Enhanced due diligence at onboarding. On-ramps handling fiat conversions face higher baseline expectations on customer verification. Source of funds checks apply at lower thresholds than on peer-to-peer crypto transfers.
  • Fiat payment method oversight. The payment rails an on-ramp uses connect the crypto system to regulated banking infrastructure. Maintaining those connections requires the on-ramp to demonstrate compliant AML practices to the banking counterparties on the other side.
  • Continuous monitoring across conversion pairs. Every fiat-to-crypto and crypto-to-fiat conversion requires ongoing monitoring against the customer’s profile. A pattern inconsistent with a customer’s stated purpose triggers the same review and reporting obligations as any other suspicious transaction.
  • Travel Rule compliance on outbound transfers. When an on-ramp sends crypto to another CASP on behalf of a customer, it must transmit sender and recipient information alongside the transfer for amounts above €1,000. The receiving platform must be able to verify that information. Technical integration between platforms is required, beyond policy documentation alone.

What Does the Travel Rule Mean for On-Ramps in Practice?

The Travel Rule requires on-ramps to pass identifying information about the sender and recipient on every crypto transfer above €1,000 to another VASP or CASP. It reshaped how on-ramps handle outbound transfers at the technical level.

The rule gets its name from its FATF origins, where the same obligation applied to wire transfers between banks. For on-ramps, implementation requires:

  • A technical system for collecting and transmitting Travel Rule data alongside each qualifying transfer
  • A process for verifying the identity of the receiving VASP and confirming it is a legitimate, regulated entity
  • Screening of recipients against sanctions lists before transfer execution
  • Record retention of Travel Rule data for a minimum of five years

The practical challenge is that Travel Rule infrastructure is not standardised globally. Different protocols exist, and compliance depends on the receiving platform’s ability to accept and respond to Travel Rule data. Transfers to unhosted wallets face additional scrutiny and may require enhanced due diligence on the customer before the transfer is permitted.

On-ramps that handled Travel Rule compliance loosely before MiCA are rebuilding at a technical and operational level. Those that had already invested in compliant infrastructure are simply confirming that investment was correct.

How Do DORA Requirements Affect Crypto Exchange Operations?

DORA, the Digital Operational Resilience Act, has applied to all EU-licensed financial entities including CASPs since January 17, 2025. It adds a layer of IT risk management and incident reporting obligations that sit alongside MiCA’s licensing requirements.

DORA’s practical requirements for exchanges and on-ramps:

  • IT risk framework documentation. Every CASP must maintain a documented IT risk framework that identifies and assesses technology risks across their operations. It must be reviewed and updated on a regular cycle.
  • Third-party vendor oversight. Exchanges and on-ramps depend on external vendors for custody, hosting, payment processing, and monitoring. Under DORA, each critical vendor relationship must be formally assessed, with contracts that include audit rights, incident notification obligations, and exit procedures.
  • Incident reporting with strict timelines. Major outages, data breaches, or system failures affecting client assets must be documented and reported to the relevant regulator immediately, with timelines measured in hours. DORA’s technical standards define exactly which incidents cross the reporting threshold.
  • Penetration testing. DORA requires regular operational resilience testing, including scenario-based exercises for larger entities.

Exchanges that had already built robust IT security infrastructure before DORA find the regulation formalises what they were doing. Exchanges that had not face a structured rebuild of how technology risk is governed and reported.

What Does MiCA Compliance Actually Cost?

The compliance cost of operating as a CASP under MiCA is significant and front-loaded in the first year. After the licence is granted, costs shift from setup expenses to recurring operational overhead rather than reducing.

First-year costs:

| Cost category | Exchange-scale | Startup-scale |
|---|---|---|
| Licensing and legal | €100K–€400K | €80K–€200K |
| Annual audit and external review | €50K–€150K | €30K–€80K |
| Compliance officer salary | €80K–€150K | €80K–€120K |
| IT security investment | €50K–€200K | €30K–€100K |
| Minimum capital (locked) | €125K–€150K | €50K–€150K |
| Total year one | €500K–€2M | €250K–€500K |

These figures reflect the industry data from coinlaw.io and represent ranges rather than fixed figures. The binding cost constraint for most established businesses is the fixed overhead floor on minimum capital, which scales with the actual cost base of the business rather than the statutory minimum.

Cybersecurity investment specifically increased by approximately 40% across the industry in 2025 as firms upgraded infrastructure to meet both MiCA and DORA requirements simultaneously. This was a genuine one-time step-up cost on top of the ongoing annual burden.

The cost structure is why smaller platforms have exited the EU market rather than pursue authorisation. Fixed compliance costs are largely the same for a small business as for a large one, so the burden as a percentage of revenue is heaviest for firms in the early stages of growth.

What Does MiCA Mean for Businesses That Integrate On-Ramps?

If your business integrates an on-ramp to offer crypto buy, sell, or swap functionality to your users, the regulatory standing of that on-ramp is now a compliance question for your business as much as for the on-ramp provider.

Before MiCA, integrating a crypto on-ramp was largely a commercial and technical decision. Now it carries a regulatory dimension that affects due diligence, counterparty risk, and end-user protection.

Regulators and auditors reviewing a business that has integrated a crypto on-ramp will ask to see the on-ramp’s regulatory credentials. An on-ramp without CASP authorisation creates counterparty risk that reflects on your own compliance posture. This matters particularly for businesses in fintech, payments, or banking, where compliance counterparty standards are already established practice.

If the on-ramp your product integrates does not hold CASP authorisation, your users lose MiCA’s fund segregation, fee transparency, and complaint handling protections when they use your product. That creates reputational and potentially legal exposure for the business offering it.

A CASP-licensed on-ramp reverses this. Your users get the full protection framework. Your compliance program passes counterparty due diligence on the on-ramp relationship. The crypto compliance layer is handled by a licensed specialist operating under active regulatory supervision.

For more on what CASP authorisation actually requires from an on-ramp provider, the crypto exchange regulations guide covers the ongoing operational obligations in detail.

How Does Paybis Operate Within MiCA’s Framework?

Paybis holds the MiCA CASP licence and the PSD2 Payment Institution licence, both issued by the Bank of Latvia in May 2026. Every operational obligation described in this article applies to Paybis’s operations.

In practice, that means:

  • Client funds are held separately from Paybis’s own assets
  • All fees are disclosed before any transaction is confirmed
  • AML monitoring runs continuously across all transactions
  • Travel Rule compliance is implemented for qualifying transfers
  • DORA obligations are met, including IT risk framework documentation and incident reporting
  • An appointed compliance officer oversees the full program
  • Annual audits review AML effectiveness and capital maintenance

For B2B partners integrating the Paybis on/off-ramp, this means the crypto compliance layer of their product is handled by a CASP-licensed provider. The integrating business benefits from that regulatory standing without building the infrastructure independently.

The Paybis Corporate On/Off Ramp handles institutional-scale operations, including KYB for corporate clients and AML monitoring at higher volumes. For global payout operations, Paybis Send runs under the same licensed framework.

The official MiCA and PSD2 licence announcement covers what the authorisation process involved. For ongoing regulatory developments and what they mean for platform operators, the Paybis MiCA content hub covers the landscape as it evolves.

Bottom Line

MiCA changed what it means to operate a crypto exchange or on-ramp in the EU. Client verification, fund custody, transaction monitoring, incident reporting, and technology risk management are all now defined by regulation rather than platform policy. The July 1, 2026 transition deadline made that mandatory. For operators, the compliance infrastructure this requires is substantial and does not reduce after launch. For businesses integrating on-ramps, whether that partner holds CASP authorisation has moved from a commercial preference to a compliance question with direct consequences for user protection and regulatory standing.

FAQ

How does MiCA affect crypto exchanges differently from traditional financial firms?

MiCA brings crypto exchanges under a framework that closely parallels the obligations of regulated investment firms and payment institutions, with some differences. The capital requirements are lower than those for traditional banks, reflecting the earlier stage of the industry. But the governance, AML, market abuse, and operational resilience requirements largely mirror what applies to traditional finance. The primary difference is the addition of crypto-specific provisions, including white paper requirements for token listings and restrictions on trading stablecoins whose issuers lack the relevant MiCA authorisation.

What happens if a CASP fails to meet its ongoing MiCA obligations?

Non-compliance with ongoing MiCA obligations can lead to formal warnings, escalating fines of up to €15 million or 12.5% of annual turnover, and ultimately revocation of the CASP licence. Regulators treat ongoing non-compliance as a serious risk. National competent authorities are actively conducting supervisory reviews and spot checks in 2026 to confirm that licensed CASPs are maintaining the standards under which they were approved.

Are DeFi protocols affected by MiCA in the same way as exchanges?

MiCA primarily targets centralised entities with an identifiable legal operator. Fully decentralised DeFi protocols with no identifiable intermediary largely fall outside MiCA’s direct scope. However, the on-ramps and off-ramps connecting DeFi to fiat currency are CASPs and face the full MiCA framework. Exchange-operated DeFi products and platforms that are nominally decentralised but have an identifiable operating entity are increasingly treated as within scope. ESMA’s review process for MiCA’s coverage gaps, expected by December 2025, is expected to address how the regulation applies to the DeFi borderline.

What is the Travel Rule threshold in the EU?

The Travel Rule under the EU’s Transfer of Funds Regulation applies to crypto transfers above €1,000 between CASPs and VASPs. Below that threshold, certain simplified transfer processes apply. No de minimis exemption removes AML monitoring entirely. Monitoring applies to all transactions. The €1,000 threshold specifically triggers the requirement to transmit sender and recipient identity information alongside the transfer.

How does integrating a CASP-licensed on-ramp protect my business?

A CASP-licensed on-ramp carries demonstrable regulatory standing that passes counterparty due diligence reviews. Your regulators, auditors, and banking partners can verify the on-ramp’s authorisation directly on ESMA’s register. MiCA’s fund segregation and fee transparency obligations are legally enforced on the on-ramp’s side of the relationship. The crypto compliance layer that would otherwise require your business to build and maintain its own infrastructure is handled by the on-ramp provider under active regulatory supervision.
