The European Securities and Markets Authority issued a directive ordering unlicensed crypto-asset service providers to exit EU operations without delay. The order arrives as the Markets in Crypto-Assets Regulation enters its final enforcement phase on July 1, 2026.

MiCA requires any firm offering crypto services to EU residents to hold formal authorization. A transitional window allowed existing providers to operate under national rules while seeking approval. That window closes July 1. Firms that secured authorization can continue. Those that did not face mandatory wind-down.

What unauthorized firms must do

ESMA's directive sets strict operational limits. Unauthorized providers must stop taking on new EU clients, cease marketing to EU residents, and halt new account openings. They can only continue serving existing clients for the specific purpose of helping them sell assets, transfer holdings, close positions, or exit the platform entirely. Custody of client assets is permitted only as long as necessary to complete an orderly exit.

Firms must communicate clearly and repeatedly with clients about wind-down timelines, asset protections, and what happens to any residual positions if clients fail to act. A deadline for automatic position closure must be stated.

Compliance continues during exit

Anti-money laundering and counter-terrorism financing obligations do not pause during wind-down. Firms must maintain customer due diligence, transaction monitoring, sanctions screening, suspicious transaction reporting, and record-keeping throughout the exit process. When a client transfers to a MiCA-authorized provider, the receiving firm must conduct full onboarding checks. Authorization does not carry from one provider to another.

ESMA also warned non-EU crypto providers against offering MiCA-covered services to EU clients, including in business-to-business arrangements. The regulator flagged that MiCA prohibits firms from outsourcing custody services to entities lacking CASP authorization.

No protection for users of unauthorized providers

ESMA issued a direct warning to retail users. Clients of unauthorized providers do not benefit from MiCA's investor protection rules. There is no guarantee of asset safeguarding under the framework if the provider is unlicensed. EU clients can verify their provider's status using the ESMA Register, a public database of licensed crypto-asset service providers.

The July 1 deadline marks the end of a years-long transition to unified EU crypto rules. How many firms remain unauthorized and what volume of EU client assets they hold remains unclear from published ESMA statements. The directive sets the operational floor, but enforcement pressure on non-compliant operators is expected to intensify as the date approaches.