
A CASP license covers spot crypto services under MiCA. Payment services, perpetuals, and futures require separate PSD2 or MiFID II authorization. The gap is legally serious.
Most founders pursuing a MiCA license assume they are solving their EU regulatory problem. They are solving part of it. The rest depends on which services they actually offer.
There is a version of the MiCA authorization process that founders talk about as if it ends the moment the license arrives. Apply, wait, get authorized, operate in the EU. The license is the finish line.
That framing misreads what MiCA actually authorizes. A Crypto-Asset Service Provider (CASP) license grants permission to provide specific crypto-asset services, defined in detail in the regulation. It does not grant permission to operate a payment institution, issue electronic money, or run a derivatives trading venue. Those activities sit under entirely different regulatory frameworks. For many platforms whose commercial model depends on at least one of them, the MiCA license alone leaves a gap that is operationally significant and, if ignored, legally serious.
This tenth installment of MiCA Decoded maps that gap precisely, service by service.
The assumption is understandable. MiCA is comprehensive. It covers ten categories of crypto-asset services. Its scope extends to custody, exchange, execution, routing, advice, and portfolio management. For most retail crypto platforms, that covers a substantial portion of their business.
"Substantial" and "complete" are different things. The platforms most likely to discover a significant difference are not marginal operators. They are the ones running derivative products, enabling crypto-funded card payments, offering leveraged perpetual positions, or hosting prediction markets. These prediction markets have become a major trend for centralized exchanges (CEXes), yet they sit at a regulatory boundary that MiCA does not cross. Instead, they often fall under local iGaming regulatory frameworks. These are commercially significant product lines at major exchanges, and each one operates outside MiCA's scope.
The regulation is specific about what it governs. Article 2(4) of MiCA explicitly excludes from its scope crypto-assets that qualify as financial instruments under Directive 2014/65/EU (MiFID II), deposits, funds as defined under the Payment Services Directive 2 (PSD2), and securitisation positions. These exclusions are not technical footnotes. They define the perimeter of MiCA's authority. Anything falling on the other side of that perimeter requires authorization under a different framework entirely.
MiCA authorizes the transfer of crypto-assets on behalf of clients, defined in Article 3(1)(26) as "providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another." This is a crypto-native transfer service. It is not a payment service in the PSD2 sense.
The distinction matters enormously for platforms that want to offer crypto-funded card programs, fiat on/off-ramp integrations, direct bank transfers, or merchant payment acceptance in euros or other official currencies. Article 2(4)(c) excludes "funds" as defined in PSD2 from MiCA's scope, except where they qualify as e-money tokens.
A platform that receives fiat or e-money tokens (EMTs) from a user, holds them, and transmits them somewhere is operating a payment service. This requires either a payment institution license or an Electronic Money Institution (EMI) license under Directive (EU) 2015/2366 (PSD2), rather than just a CASP authorization. Because EMTs are legally deemed to be electronic money, CASP transfer services do not cover EMTs unless the activity falls under the "intermediation" exclusion.
A non-EMI CASP can transmit orders for EMTs only if the transaction stays within the CASP's internal ecosystem or within a custodial account managed by an authorized licensed partner. If a service involves transmitting an order that triggers the transfer of an EMT to a third-party wallet or a private ledger, it constitutes the execution of a payment transaction or a money remittance service under PSD2/PSD3. Any CASP facilitating these external transfers after March 2026 must have its own EMI/PI license or use a licensed agent.
MiCA itself acknowledges this boundary. Article 70(4) states that crypto-asset service providers may themselves or through a third party provide payment services related to their crypto-asset service, only where the provider or the third party is authorized to provide those services under PSD2. The regulation does not grant payment services capability through the back door. It requires that the capability be independently authorized.
For an exchange that wants to let users top up via SEPA transfer, settle redemptions in euros, or issue a branded debit card, a CASP license is a necessary piece of the structure. It is not sufficient.
This is where the exposure tends to be sharpest for derivative-first platforms.
MiCA's scope is defined around "crypto-assets," which are digital representations of value or rights that can be transferred using distributed ledger technology. The regulation covers the services built around those assets: custody, trading on spot markets, exchange, execution of orders as well as routing of orders as a pure intermediary. What it does not cover is financial derivatives where the crypto-asset is the underlying instrument rather than the thing being traded.
Article 2(4)(a) removes from MiCA's scope any crypto-asset that qualifies as a financial instrument under MiFID II. A perpetual futures contract on BTC/USD is not a crypto-asset. It is a derivative. It may settle in cryptocurrency, but the instrument itself, the contractual claim representing a leveraged position on the price of Bitcoin, is a financial instrument in the MiFID II sense. Operating a venue that allows EU clients to trade such instruments requires an investment firm authorization under MiFID II, or at minimum a trading venue authorization depending on the structure, not a CASP license.
Recital 97 of MiCA addresses this directly, noting that derivatives qualifying as financial instruments under MiFID II and whose underlying asset is a crypto-asset are subject to Regulation 596/2014 (the Market Abuse Regulation), not to MiCA. The market abuse provisions still reach the underlying crypto-asset. The authorization framework for the derivative product itself sits under MiFID II.
Some exchanges attempt to structure perpetuals as crypto-to-crypto swap arrangements that they characterize as exchange services rather than derivatives. Regulators are familiar with this framing, and the classification question is ultimately one of substance over form. An instrument with leverage, a funding rate, and no delivery of the underlying asset is likely to face scrutiny as a derivative regardless of how it is labeled. The legal risk of getting this wrong is the provision of financial services without authorization.
The same analysis applies to dated futures. A futures contract obliging a counterparty to buy or sell an asset at a predetermined price on a future date is a financial instrument under MiFID II, specifically within the definitions covering derivatives on commodities, currencies, and other underlyings. Cryptocurrency futures, even where physically settled in BTC or ETH, are treated as financial instruments when they are traded on a multilateral basis.
Operating a trading platform for such instruments requires authorization as a regulated market, multilateral trading facility (MTF), or organized trading facility (OTF) under MiFID II. CASP authorization covers the operation of a trading platform for crypto-assets under Article 76 of MiCA, which defines a trading platform as a multilateral system bringing together multiple third-party purchasing and selling interests in crypto-assets, not derivatives on crypto-assets.
In practical terms, this means the CASP provides a venue where clients meet and trade with each other under clear operating rules defined and maintained by the CASP itself. The platform operator pools and matches client orders to facilitate price discovery rather than setting prices. The CASP does not take market risk, book trades on its own sheet, or deal on its own account. The only exception is matched principal trading, which the operator may engage in strictly with explicit client consent and monitoring by the competent authority.
Both frameworks impose strict limits on permitted trading models. Under MiFID II, multilateral trading facilities (MTFs) are entirely banned from executing client orders against proprietary capital or engaging in matched principal trading. Organized trading facilities (OTFs) are permitted to act as matched principals for specific instruments, such as bonds, structured finance products, emission allowances, and certain derivatives, only with explicit client consent.
MiCA establishes similar restrictions for crypto-assets. Crypto-asset service providers cannot deal on their own account on the trading platforms they operate. MiCA allows matched principal trading as an exception, only where the client has consented to the process. The provider must supply the competent authority with information explaining its use of matched principal trading. The competent authority then monitors the engagement to verify it continues to fall within the strict definition of matched principal trading and does not give rise to conflicts of interest between the provider and its clients.
Bitstamp, which holds MiCA authorization in Luxembourg under the Commission de Surveillance du Secteur Financier (CSSF), also holds a MiFID license permitting it to operate an MTF. That dual licensing structure is not an accident. It reflects the actual scope of the activity.
Several factors produce the misunderstanding.
First, the practical effect of pre-MiCA national VASP regimes varied significantly by jurisdiction and over time. While early registrations in some countries might have initially operated as a permissive baseline, regulators became increasingly stringent.
In Estonia, for example, the Financial Intelligence Unit (RAB) actively scrutinized the specific services provided by VASPs and investigated the provision of unlicensed financial services. By 2022, ahead of MiCA's enactment, Estonia implemented strict amendments that explicitly banned the offering of futures and perpetuals under a VASP license. Operators received a short 60- to 90-day grace period to comply, which ultimately led to the mass revocation of thousands of licenses.
Second, the CASP register entries themselves are not always informative to founders reading them from the outside. An exchange listed as authorized for "operation of a trading platform" and "execution of orders" looks comprehensively authorized. Whether it is running derivatives products under a separate MiFID authorization requires reading beyond the CASP register entirely.
Third, many platforms offer derivatives on crypto-assets to non-EU clients, and EU clients make up a minority of users. The assumption is that the EU exposure is manageable. The reverse solicitation rules discussed in earlier installments of this series apply equally to unauthorized derivative services. A platform marketing leveraged BTC perpetuals to global clients while simultaneously applying for a CASP license for its EU spot trading product may find that the two activities interact in ways the compliance team did not anticipate.
Three regulatory frameworks converge around most full-service crypto exchanges:
Platforms operating across all three categories need a structure that maps each product line to its authorizing framework. That is a multi-license, multi-entity architecture in some cases, not a single CASP application.
A CASP authorization, standing alone, covers the first item with reasonable confidence. The other three sit at the boundary. Whether they require independent authorizations, whether they can be structured as ancillary to the main crypto business, or whether they must be routed through licensed third parties are fact-specific questions. They are not questions the CASP license answers.
This is exactly the type of analysis regulators will apply when reviewing a business model during the authorization process. The application requires a programme of operations under Article 62(2)(d) of MiCA, which must set out the types of crypto-asset services the applicant intends to provide, including where and how those services are to be marketed. A business model that includes derivatives or payment services must address those elements in the application. Operators who treat the CASP application as covering the full scope of their business risk having the NCA identify the gap before they do, at the worst possible moment in the authorization process.
For platforms already operating in the EU under grandfathering provisions that expire July 1, 2026, the regulatory gap has an immediate timeline consequence. A VASP registration does not solve the payment services problem any more than a CASP license will. These questions do not disappear with MiCA authorization; they persist and become more visible to regulators whose supervisory tools now match the formal authorization framework.
For platforms currently designing their EU market entry structure, the sequence matters. Mapping each product line to its authorizing framework comes before choosing the jurisdiction for the CASP application. The jurisdiction choice affects the CASP; it also affects the feasibility of layering PSD2 and MiFID II authorizations on the same entity or within the same group.
Getting the architecture wrong is fixable. It tends to be expensive to fix after authorization, and it tends to surface at the moment the platform is growing fast enough that the regulators start paying attention.
You have the entity. You have the address. You even have the capital. The CASP license is the necessary foundation for operating a crypto exchange in the EU. It is, in many cases, not sufficient.
This article is based on a study conducted by LegalBison in May 2026. The content is for informational purposes only and does not constitute legal advice.