Skip to content
DecrypteBot
GB English
FR Français GB English ES Espanol BR Portugues (BR)

Blog

MiCA explained 2026: complete guide for crypto trading bots in Europe

By Sam Okonkwo Published 2026-05-28 Updated 2026-05-28 2920 words

TL;DR: Regulation (EU) 2023/1114, known as MiCA, has applied to crypto-asset service providers since 30 December 2024 across all 27 EU member states. For crypto trading bots that touch European retail flow, the binding requirement is now CASP authorisation under Article 59, not voluntary adoption. This guide walks through the legal text, the ESMA technical standards published in 2024 and 2025, the transition arrangements that expire between July 2025 and July 2026 depending on the member state, and the operational changes that follow: custody segregation, conflicts of interest disclosure, complaints handling, prudential capital requirements, and ongoing supervision. No bot is named or recommended. The objective is to give an operator or a sophisticated user the precise references needed to verify any platform’s claims of MiCA compliance.

Why MiCA is the regulation that finally binds crypto bots in Europe

Before MiCA, crypto bot operators serving European customers operated under a patchwork of national registrations: PSAN in France, OAM in Italy, BaFin notification in Germany, registration with the Bank of Spain, and so on. Some operators avoided any registration by routing flow through Estonian, Maltese, or non-EU entities. The result was uneven consumer protection, inconsistent capital requirements, and no common rulebook for cross-border service.

Regulation (EU) 2023/1114, adopted on 31 May 2023 and applied in full from 30 December 2024 (Title V provisions on crypto-asset service providers), replaces that patchwork. The text was published in the Official Journal on 9 June 2023 and is directly applicable in every member state without national transposition. The European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Central Bank produced supporting technical standards and Q&As that progressively clarified the implementing detail.

For a deep dive into ESMA’s interpretive guidance, see our ESMA Q&A 2026 MiCA impact analysis. The text below is the operational synthesis, not a substitute for the legal references cited at the end.

Scope: which crypto trading bots fall under MiCA

MiCA defines a crypto-asset service provider (CASP) as a legal person that provides one or more crypto-asset services on a professional basis (Article 3(15)). Article 3(16) enumerates ten such services. The ones most relevant to trading bots are:

  • Reception and transmission of orders for clients (RTO): when the bot routes a client order to a third-party execution venue.
  • Execution of orders on behalf of clients: when the bot is the executing entity, including via aggregated venue access.
  • Portfolio management of crypto-assets: when the bot makes discretionary investment decisions on behalf of clients with allocated capital.
  • Providing advice on crypto-assets: rare for bots, but applicable if the bot publishes personal recommendations.
  • Custody and administration of crypto-assets on behalf of clients: when the bot platform holds client keys, deposits, or settled balances.

The first three apply to the bulk of bot platforms. The custody dimension is the most consequential because it triggers higher prudential capital and segregation requirements (Article 67 of the Regulation and Articles 70 to 75 on operational requirements).

When a “self-hosted” bot is out of scope

A purely client-side bot that does not handle client funds, does not route orders through the operator’s own infrastructure, and does not exercise discretion on behalf of a third party may fall outside the CASP definition. The relevant test is whether the operator provides a service to a third party on a professional basis. Open-source bots distributed without an associated service relationship, like the typical Hummingbot or Freqtrade setup that a user installs and runs locally with their own exchange API keys, are not CASPs.

The grey area is hosted SaaS platforms that describe themselves as “tools” but in practice route orders, manage subscriptions, store API keys server-side, and provide ongoing operational support. ESMA’s Q&A document published in early 2025 was explicit that a “tool” framing does not exempt a platform from the CASP definition when one of the regulated services is provided in substance.

For an in-depth review of how French regulators applied this test before MiCA, see our PSAN AMF 2026 list of registered providers (English summary in the regulation guide).

CASP authorisation: the process under Article 62

A bot operator that qualifies as a CASP must apply for authorisation in one member state, after which the authorisation passports across the entire EU under the single market principles (Article 65). The authorisation application is reviewed by the national competent authority (NCA) of the home member state: AMF in France, BaFin in Germany, CNMV in Spain, CONSOB in Italy, CSSF in Luxembourg, CBI in Ireland, and equivalents in the other 21 member states.

The application file required under Article 62 includes:

  1. Programme of operations: types of services, target customer segments, geographic markets, expected order volumes.
  2. Governance arrangements: management body composition, fit-and-proper assessments, organisational charts.
  3. Prudential information: own funds, capital adequacy projections, and the relevant Class as defined in Article 67.
  4. Internal control framework: complaints handling (Article 71), conflicts of interest (Article 72), outsourcing (Article 73), business continuity (Article 68).
  5. Custody arrangements: where applicable, segregation policies, key management, and the operational risk management framework.
  6. Market abuse and AML controls: aligned with Regulation (EU) 2023/1113 on transfers of funds and crypto-assets, and with the existing AMLD framework (now AMLR/AMLD6).

The NCA has up to 40 working days from a complete file to decide, extendable by another 20 days for additional information (Article 63). The decision is positive, negative, or subject to conditions.

Minimum capital under Article 67

The Regulation distinguishes three classes of CASP based on the services provided:

  • Class 1: providers offering only reception and transmission of orders, execution of orders, placement, advice, portfolio management without custody, transfer services. Minimum capital: EUR 50,000.
  • Class 2: providers offering custody and administration, plus any Class 1 services. Minimum capital: EUR 125,000.
  • Class 3: operators of a trading platform for crypto-assets. Minimum capital: EUR 150,000.

A bot platform that holds client funds (Class 2) faces 2.5x the capital requirement of a pure execution platform (Class 1). The capital is computed on the higher of the fixed minimum or one quarter of fixed overheads of the previous year (Article 67(2)).

Operational requirements that change how bots are built

The pre-MiCA practice of many bot platforms relied on light operational documentation: a terms of service, a privacy policy, and a security page. Title V of MiCA imposes substantive process requirements. The five with the highest impact on bot design and operations are:

1. Complaints handling (Article 71)

A CASP must establish and maintain procedures for the prompt, fair, and consistent handling of complaints from clients. The procedure must be publicly available, accessible without charge, and supported by a permanent record of each complaint and its resolution. The ESMA RTS on complaints handling, published in 2024, specifies acknowledgement deadlines (within 10 working days) and final response deadlines (within 35 working days from receipt, extendable in justified cases).

For a bot operator, this means a structured ticketing system with audit trail, response-time monitoring, and a designated complaints officer. Email-only support with no SLA does not meet the standard.

2. Conflicts of interest (Article 72)

A CASP must identify, prevent, manage, and disclose conflicts of interest. For bot platforms, the typical conflicts are:

  • The platform receives rebates from one of the connected exchanges and may route flow preferentially.
  • The platform sells access to “premium signals” generated by an in-house team while also offering execution services.
  • The platform offers a proprietary token whose price could be influenced by user activity.

Each conflict must be documented in a register, with the mitigation in place. Where the mitigation is insufficient, the conflict must be disclosed to the client before the service is provided.

3. Custody safeguarding (Article 75)

If the bot platform holds client crypto-assets, those assets must be segregated from the platform’s own funds at all times. The Regulation requires a custody policy, a register of holdings, and the capacity to identify each client’s holdings at all times. Hot-wallet exposure must be minimised; the policy must describe key management, including the cold-storage ratio and key recovery procedures.

EBA guidelines published in 2024 on operational resilience for crypto-asset service providers further specify ICT risk management, third-party dependency assessment, and incident reporting (DORA Regulation (EU) 2022/2554 also applies in parallel).

4. Outsourcing (Article 73)

When a CASP outsources critical operational functions, the contract must include audit rights, performance metrics, exit arrangements, and the obligation for the service provider to cooperate with the NCA. Cloud providers, custody sub-providers, and market data vendors are all in scope.

5. Marketing communications (Article 7)

Marketing communications must be clearly identifiable, fair, clear, and not misleading. They must be consistent with the information in the white paper for the relevant crypto-asset (where applicable) and must include risk warnings. Past performance claims must include the period covered, the methodology, and a warning that past performance is not indicative of future results. Cherry-picked time windows and survivorship-biased leaderboards are non-compliant.

Transition arrangements: who can still operate without full authorisation in 2026

Article 143 provides a transitional regime for entities that were already lawfully providing crypto-asset services in a member state before 30 December 2024. Those entities can continue to provide their services until 1 July 2026 or until the moment they are granted (or denied) a CASP authorisation, whichever comes first.

However, Article 143(3) gave member states discretion to shorten this period. Several have used it:

  • France: the AMF maintained an 18-month transition window from 30 December 2024, ending 30 June 2026.
  • Germany: BaFin set a 12-month transition window, ending 30 December 2025.
  • Italy: CONSOB published guidance aligned with the full 18-month window.
  • Spain: CNMV set a 12-month window in coordination with the Bank of Spain.
  • Netherlands: DNB took a stricter position, with a 6-month effective window.

As of May 2026, the transition is closed in Germany, Spain, and the Netherlands. France, Italy, Luxembourg, Ireland, and most other member states are within the final two months of their transition. A bot platform claiming MiCA “compliance” in mid-2026 must either hold a CASP authorisation or evidence of an ongoing application under the transitional regime in a specific member state. Anything else is marketing, not compliance.

For the French-specific picture, see our MiCA 2026 changes for crypto bots in France (English summary available on request).

Cross-border passporting and host-state notifications

Once authorised in a home member state, a CASP can provide services across the entire EU under the freedom to provide services (Article 65) or by establishing a branch (Article 66). The host-state NCA must be notified before the cross-border activity starts. The notification triggers a 10 working-day review window for the host NCA to raise objections.

For a bot platform with French authorisation marketing to Italian retail clients, the practical consequence is that CONSOB must be informed and may impose host-state marketing rules in addition to the AMF’s home-state supervision. The same applies in reverse for any CASP authorised in another member state and marketing to French clients.

The European single market in crypto-asset services is therefore not automatic. It requires an explicit notification per host member state, plus compliance with any host-state conduct rules that go beyond the harmonised MiCA baseline.

How retail bot users can verify MiCA compliance claims

A bot platform’s marketing page is not evidence of compliance. The verification sequence below produces a defensible answer.

Step 1: locate the authorisation reference

A CASP authorisation produces a public register entry. ESMA maintains a central register of CASPs at the ESMA registers page. Each NCA also publishes its own register: the AMF register, the BaFin register, the CNMV register, and so on. A platform that claims CASP authorisation must appear in at least one of these registers, with a name, address, services covered, and the home member state.

Step 2: cross-check the registered services

The register lists the specific services for which the CASP is authorised. A platform authorised for “reception and transmission of orders” is not automatically authorised to provide “custody and administration” or “portfolio management”. Marketing claims must match the authorisation scope.

Step 3: check for restrictions or warnings

NCAs publish enforcement actions, warnings, and restrictions on the same registers. A platform that has been the subject of a public warning or a restricted authorisation is not equivalent to one with clean unconditional authorisation.

Step 4: confirm host-state notification

If you reside in a member state different from the platform’s home state, look for the host-state notification on your NCA’s register or, failing that, request a copy from the platform. Cross-border provision without notification is a regulatory breach by the platform.

Step 5: review the platform’s MiCA disclosures

Compliant platforms publish a dedicated MiCA disclosure page covering scope of authorisation, complaints handling, conflicts of interest policy summary, custody arrangements, marketing communication framework, and contact details for regulatory enquiries. The absence of such a page is a strong signal of non-compliance.

What MiCA does not cover for crypto bots

MiCA is comprehensive but not exhaustive. Three areas remain outside its perimeter:

  • Fully decentralised protocols: Recital 22 explicitly excludes services provided in a fully decentralised manner without any intermediary. A bot interacting with a DEX through smart contract calls, with no human intermediary, is not in scope. The grey area is whether the front-end operator is the intermediary, and ESMA Q&A has signalled this remains under analysis.
  • NFTs that are not fungible: Article 2(3) excludes unique and non-fungible crypto-assets. Bots trading NFTs as collectibles fall outside MiCA, although AMLR/AMLD6 may still apply.
  • Tax treatment: MiCA harmonises conduct and prudential rules but does not touch national tax regimes. A bot user in France remains subject to French capital gains rules; a German user to the German Steuerrecht; and so on. Our crypto bot tax guide for France 2026 covers the French dimension.

ESMA, EBA, and ECB: the technical standards landscape

MiCA Title V references 38 mandates for level-2 measures (regulatory technical standards or RTS) and level-3 measures (guidelines and Q&As). The most operationally important for bots are:

  • ESMA RTS on the content of the application for authorisation (Article 62(5)): published 2024.
  • ESMA RTS on conflicts of interest (Article 72(5)): published 2024.
  • ESMA RTS on complaints handling (Article 71(5)): published 2024.
  • EBA RTS on prudential safeguards and own funds (Article 67(8)): published 2024.
  • EBA Guidelines on operational resilience: published 2024, in parallel with DORA.
  • ESMA Q&A on MiCA: updated continuously, including the early 2025 update on the scope of “tools” versus services.

These documents are the binding implementing detail. A bot operator’s compliance file should explicitly map its controls to each relevant RTS clause.

FAQ on MiCA for crypto trading bots in 2026

Does my self-hosted bot require CASP authorisation?

No, provided you use it only for your own account, manage your own keys, and do not provide a service to a third party. The CASP definition turns on the professional provision of a service to others. A solo trader running Freqtrade against their personal Binance account is outside scope.

Can a non-EU bot platform legally serve EU users?

Only via reverse solicitation strictly interpreted, or by obtaining CASP authorisation via a subsidiary or branch in a member state. Active marketing to EU residents without authorisation is a breach. Recital 73 and Article 61 set out the third-country regime, which is more restrictive than the pre-MiCA national patchwork.

Is “MiCA-ready” or “MiCA-compliant” marketing meaningful?

Only when accompanied by a specific NCA register entry. “Ready” without a register reference means an intention to apply, which has no legal status. Always look for the authorisation reference and the date.

What changes if my bot platform loses its CASP authorisation?

Article 64(3) sets out the process. The NCA can withdraw authorisation for serious or repeated breaches, after which the entity must cease the regulated activity. Wind-down obligations include orderly return of client assets and continuity arrangements for outstanding orders. As an operator, your priority is to identify the wind-down plan in the platform’s disclosures before this scenario arises.

Are stablecoin trading bots affected differently?

Yes. Stablecoins are covered by Titles III and IV of MiCA (asset-referenced tokens and e-money tokens), with separate issuer obligations. A bot trading stablecoins under Title V CASP rules must additionally verify that the stablecoin issuer holds the relevant Title III or IV authorisation, including the published white paper. Trading an unauthorised stablecoin against EU clients exposes the bot operator to compliance risk regardless of its CASP status.

Sources and references

  1. Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets (MiCA). Official Journal L 150, 9 June 2023. https://eur-lex.europa.eu
  2. European Securities and Markets Authority (ESMA): MiCA framework and technical standards. https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-in-crypto-assets-regulation-mica
  3. European Banking Authority (EBA): Operational resilience and prudential RTS. https://www.eba.europa.eu
  4. Regulation (EU) 2022/2554 (DORA): Digital Operational Resilience Act, applicable in parallel. https://eur-lex.europa.eu
  5. Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets. https://eur-lex.europa.eu
  6. NIST AI Risk Management Framework (AI RMF 1.0): relevant for any bot using AI signal generation. https://www.nist.gov/itl/ai-risk-management-framework
  7. OECD principles on artificial intelligence: cross-applicable to algorithmic trading systems. https://oecd.ai/en/ai-principles

Internal resources

Available in other languages:

Closing notes

MiCA is not a marketing label. It is a binding legal framework with specific operational requirements, supervised by named national authorities, with public registers and enforceable obligations. For a retail bot user, the practical takeaway is that the question “is this platform safe” is now partly answerable through public records. For a bot operator, the takeaway is that compliance is a continuous process built on documented controls, not a one-off certification.

The next 12 months will reveal which platforms have built their operations on a real compliance foundation and which were trading on marketing claims. The public registers will tell that story. Read them.

This article is for informational purposes only and does not constitute legal or investment advice. Crypto trading involves significant risk of loss. Past bot performance does not guarantee future results. Consult a qualified legal advisor for the specifics of your jurisdiction.