MiCA's 2-Day Summons, Capital Traps: Why Your EU Office Isn't Enough

The simple market read is that MiCA requires a registered office and a director. The better market read is that regulators are running an empirical test on who actually runs the business, where decisions happen, and whether capital is genuinely available when something breaks.

Firms that filed for a Crypto-Asset Service Provider (CASP) authorization assuming a letterbox setup with a locally hired director will find the supervisory process far more demanding than the statute alone suggests. The risk event here is not a sudden price move or a protocol exploit. It is a slow-moving regulatory filter that can turn a funded, operational crypto platform into an unlicensed entity unable to market services in the EU, with customer assets and liquidity suddenly gated behind a jurisdictional wall.

This article maps the substance requirements that ESMA and national competent authorities are applying today, based on a study conducted by LegalBison in May 2026. For traders and investors, the watchlist question is straightforward: which platforms have built the organizational, technological, and financial core that survives the test, and which are still hoping that a registered address and a compliance consultant will suffice.

The Letterbox Trap: From Cadbury Schweppes to ESMA's Functional Test

The regulatory principle is older than MiCA. In Cadbury Schweppes (Case C-196/04), the Court of Justice of the EU ruled that freedom of establishment does not protect "wholly artificial arrangements" that lack genuine economic activity. MiCA codifies that directly into crypto regulation.

Article 59(2) of MiCA requires a CASP to have its registered office in a Member State where it carries out at least part of its crypto-asset services, to have its place of effective management within the Union, and to have at least one director resident in the Union. The statutory language is brief. The supervisory architecture built around it is not.

ESMA's Supervisory Briefing on Authorization of CASPs signals what national competent authorities are expected to probe: the functional reality behind the legal form. The gap between the minimum statutory requirement and what supervisors actually demand is where applications stall.

Personnel: Two Executives, 100% Dedication, and the 2-Day Summons

MiCA sets a floor of one EU-resident director. The supervisory guidance raises that floor to at least two senior executives jointly overseeing daily operations. The logic is governance resilience. A single executive creates concentration risk and removes internal checks. Two executives with defined, overlapping responsibilities is the expected baseline.

Residency alone does not satisfy. The guidance indicates that when a management body member is not resident in the NCA's jurisdiction, that person must be capable of attending in-person meetings at the authority's request within two business days. For jurisdictions where physical proximity matters operationally, this limits how far a director can be located from the home jurisdiction without creating a regulatory risk.

Time commitment is treated with equal seriousness. ESMA's position is that executive management board members should generally dedicate 100% of their professional time to the CASP role. Double-hatting, where the same individual serves in an executive capacity at multiple entities, is permitted only in narrow circumstances. An executive splitting attention between the CASP and another group company is likely to attract scrutiny during the fit-and-proper assessment.

Reporting lines reveal where control actually sits. The management body must demonstrate that strategic and operational control rests with the EU entity, not with a parent company in a third country that makes the real decisions and issues instructions downward. An EU subsidiary that functions primarily as an implementation arm for a non-EU headquarters is not, in the supervisory sense, an entity with genuine EU management. The MLRO (the individual responsible for filing suspicious activity reports) further reinforces this: the person must be physically present, hold genuine authority, and be able to interact directly with the local Financial Intelligence Unit.

Technology: Who Controls the Encryption Keys?

DORA (Regulation (EU) 2022/2554) applies directly to CASPs and sets the ICT resilience framework. The regulatory question is not what infrastructure a firm uses. The question is who controls it.

Cloud infrastructure hosted by AWS, Azure, or similar providers is acceptable. The problem arises when the EU entity lacks meaningful administrative control over the systems it relies on. If encryption key management sits with a parent company's global IT team, if access rights to client data are administered from outside the EU, or if the disaster recovery plan depends on approvals from a third-country headquarters, the entity cannot demonstrate genuine operational independence.

ESMA's position, as reflected in consultation materials, is that the EU management team must hold actual control over the ICT infrastructure relevant to the CASP's operations. The business continuity policy and disaster recovery plans required under Article 68(7) must be owned and executable by the EU entity, not dependent on a global function that may or may not respond in a crisis.

The practical test is harsh: if the parent company's global IT team became unavailable overnight, could the EU entity continue to operate, access client funds, and return assets to clients? If the answer requires escalation to non-EU personnel, the substance question has not been resolved. GDPR compliance and data governance arrangements add another layer. Data controller-processor relationships and data residency must all form part of the technical architecture that regulators examine.

Capital: The Bank Account Requirement and the Overheads Inflection

Article 67 sets minimum prudential safeguards tied to service class. The permanent minimum for a Class 2 CASP is EUR 125,000; for Class 3 it is EUR 150,000. Those figures are the starting point, not the ceiling. Prudential safeguards must equal the higher of either the permanent minimum capital or one-quarter of the preceding year's fixed overheads.

As a CASP grows and its fixed overheads increase, the overheads limb becomes the binding constraint. When overheads exceed four times the initial paid-in capital, the firm must transition to the overheads-based framework. That inflection point arrives faster than many operators anticipate, and regulators expect proactive monitoring, not a reactive capital top-up after the fact.

A structural detail that catches firms off guard: capital must be paid into an account held with a formal credit institution. An EMI or payment service provider account does not satisfy the requirement. Establishing a banking relationship as a crypto business takes time and is not guaranteed. Starting that process early, before the application is formally filed, is a sequencing constraint that affects the entire authorization timeline.

Newly incorporated entities projecting their first twelve months of overheads must include those projections in their authorization application, with the methodology clearly documented. The financial statements used in the fixed overheads calculation must be duly audited or validated by national regulatory authorities, adding administrative weight to what might otherwise seem a straightforward arithmetic exercise.

Jurisdictional Friction: Cyprus Demands Three Residents, Poland Has No Law

MiCA is directly applicable across all EU member states. The substantive requirements are uniform. Supervisory practice is not.

Cyprus, through CySEC, has explicitly required that the majority of a CASP's board of directors be physical residents of Cyprus. For a board of two executive and two non-executive directors, that means a minimum of three Cyprus-resident directors. This goes beyond what MiCA's text requires and reflects national AML directives layered on top of the harmonized framework.

Estonia's transition from the old VASP registration regime to MiCA brings a different dynamic. The domestic implementing law has not yet been enacted, leaving the KNF without formal designation as the competent authority and existing VASP holders without a viable domestic CASP application pathway. Poland's legislative gap means entities that hold a VASP registration today cannot simply convert it into a CASP authorization, creating a structural risk of operational disruption.

These variations are not administrative quirks. They reflect the reality that a harmonized legal framework still operates through national supervisory cultures, staffing constraints, and institutional histories. Selecting a jurisdiction for CASP authorization means selecting a regulator, with all the practical implications that entails for timelines, requirements, and ongoing oversight.

The watchlist implication is that regulatory risk in crypto is not monolithic. Platforms that looked fully compliant under a lower standard earlier this year may now face a slow-motion squeeze. For investors and traders, the second-order effects matter: a platform that loses its ability to operate in Estonia or Poland could freeze withdrawals, disrupt liquidity, or shift its user base abruptly. The stablecoin yield structures that proliferated during the last cycle have already demonstrated how quickly an entity that lacks regulatory substance can become a trapped capital event for customers. The same risk now applies to a much broader set of operators as MiCA's substance requirements are enforced.

The core takeaway is not that regulation is becoming harder. It is that the test has moved from documentation to function. An application that assumes the right organizational chart and a registered address will suffice is already behind the supervisors' expectations. The firms that build the operational core first and document what they have built will find the process more straightforward. The ones that treat this as a paperwork exercise will face the same question repeatedly: if something goes wrong, can the regulator reach the people who actually control the money?