All posts
SecurityJune 25, 2026

MiCA enforcement is here. Is your infrastructure ready?

RS
Raz SchenirerStation70

The EU’s Markets in Crypto Assets Regulation has been discussed and debated for years, but as of July 1, 2026, the conversation ends. The transitional period closes, and any entity providing crypto asset services in the EU without MiCA authorization is operating outside the law. This is not a soft deadline.

What MiCA actually requires

MiCA establishes a single licensing regime across all 27 EU member states. Crypto asset service providers, including exchanges, custodians, brokers, and wallet providers, must obtain authorization from a national competent authority to operate legally. That authorization grants passporting rights across the entire Union. Without it, there is no legal basis to serve EU clients.

DORA adds another layer

MiCA does not exist in isolation. The Digital Operational Resilience Act applies in parallel for financial entities and CASPs operating in the EU. Where MiCA sets the authorization conditions, DORA sets the operational standards that must be met and maintained.

Together they make one thing clear: operational resilience is no longer a best practice. It is a regulatory requirement. CASPs must be able to detect, respond to, and recover from ICT incidents, including outages at custodians and wallet providers, while maintaining continuous access to client assets. Documented and tested business continuity plans, defined recovery time objectives, and mitigation of concentration risk are all now in scope.

It is no longer enough to say that recovery is possible. Now firms have to prove it.

The gap nobody is talking about

Most of the industry’s attention has focused on licensing, getting authorized, and securing the passport. That is the right starting point, but MiCA compliance does not end at authorization. It only begins there.

The regulation requires CASPs to maintain operational resilience as a condition of continued authorization. Systems must remain available, incidents must be reported, and recovery processes must exist and work. National competent authorities are now conducting supervisory reviews, spot checks, and investigations. Regulators are not waiting for something to go wrong before they look.

Compliance as infrastructure, not documentation

Many CASPs have done the paperwork. They have written the policies, mapped the governance, and submitted the applications. What is less common is the underlying infrastructure to back those policies up: systems that can demonstrate continuity under pressure, authentication that does not create single points of failure, and recovery processes that have been tested and can be evidenced.

MiCA does not distinguish between institutions that had good intentions and institutions that had working controls. Regulators will assess what your systems actually did, not what your policies said they would do. This is the shift from policy level resilience to evidence based recoverability. Controls must be tested. Recovery paths must be independent. Audit evidence must be regulator ready.

Operational resilience is not a checkbox. It is the difference between a CASP that holds its authorization through its first regulatory review, and one that does not.

What institutions should do now

There is no grace period after the July 1 deadline. Institutions that are not authorized must cease operations. The immediate priorities are clear: verify authorization status, audit operational controls against ESMA’s published guidelines on system security and continuity, and stress test recovery processes before a regulator does it for you.

Where Station70 fits

Station70 is vetted by Lloyd’s of London insurers through the Native Risk Collective. That vetting reflects a level of operational scrutiny that aligns directly with what MiCA regulators are now applying. MiCA and DORA’s operational requirements map to three infrastructure problems most CASPs have not fully solved.

Authentication and approval controls
MiCA requires CASPs to demonstrate that transaction approvals and system access are governed by documented, enforceable controls, not dependent on any single individual.
Agentic controls
The moment a team connects an AI tool to a real system, it takes on a third party dependency the compliance program cannot see. Under DORA, every ICT third party must be governed, monitored, and entered in the register. Gatekeeper sits between any AI tool and sensitive credentials, enforcing policy on every action before it executes. The AI never holds the underlying key.
Recovery and continuity
MiCA and DORA ask whether a recovery plan has been tested, and whether the evidence is ready for an auditor. Most CASPs have written the policies. Few have the infrastructure to back them up.

Bunker, Station70’s disaster recovery platform built specifically for digital asset infrastructure, maps to four obligations directly.

Safekeeping of keys (MiCA Art. 75)
Keys are encrypted before they reach Station70. Zero trust architecture, 3 of 3 Shamir, YubiKey quorum. Station70 never holds the underlying key material.
Tested continuity (MiCA Art. 68.7)
Recovery drills run in minutes, on the client’s cadence. Every drill produces proof of completion. A continuity plan that has never run is not a continuity plan.
Recovery objectives (DORA Art. 11 and 12)
Recovery is measured in minutes, not vault hours. Timeframes are realistic, tested, and documented. Running on Nitro Enclave, audited annually.
Audit logs and evidence (MiCA Art. 68.9)
Every event produces cryptographic attestation, retained for the five year period regulators require. Ready for auditors without preparation.

Regulators are no longer asking for the plan. They are asking for proof it ran. The question is no longer whether MiCA applies. It is whether the infrastructure holds when it matters.

Security for what you can least afford to loseLearn how Station70 protects keys, identities, and access.
Learn more