By NHI Mgmt Group Editorial Team
Published 2026-06-29
Domain: Breaches & Incidents
Source: SumSub

TL;DR: The European Banking Authority has outlined a draft method for calculating MiCA fines, with penalties for significant ART issuers capped at 12.5% of annual turnover and significant EMT issuers at 10%, according to SumSub. That enforcement posture turns regulatory passporting, disclosures, and organisational controls into immediate governance priorities rather than back-office compliance tasks.


At a glance

What this is: The EBA has drafted a MiCA fines methodology that ties penalties to seriousness, duration, intent, financial strength, and aggravating or mitigating factors.

Why it matters: For IAM and governance teams, this raises the cost of weak controls around issuer accountability, access oversight, and regulated operational discipline across crypto programmes.

By the numbers:

  • The proposal sets maximum administrative fines of up to 12.5% of annual turnover for significant asset-referenced token issuers.
  • The proposal sets maximum administrative fines of up to 10% of annual turnover for significant e-money token issuers.

👉 Read SumSub's coverage of the EBA MiCA fines framework


Context

MiCA enforcement is moving from principle to penalty calculation, and that changes how crypto firms should think about control design, evidence, and accountability. The primary issue is no longer whether obligations exist, but how regulators will score infringements when disclosures, organisational failures, or passporting gaps occur.

For identity and governance programmes, the relevant lesson is that regulated access and operating authority now carry a measurable financial consequence. When the management body, issuer controls, or disclosure practices fail, the enforcement model rewards strong documentation, traceability, and timely remediation rather than informal assurances.


Key questions

Q: What fails when a regulated crypto issuer cannot secure its MiCA passport on time?

A: The failure is not only administrative. It shows that the issuer has not aligned operating authority, approvals, and regulatory readiness well enough to keep supervised activity lawful. Under a fines framework, that kind of lapse can trigger both financial penalties and operational disruption, especially when organisational failures or unauthorised disclosures are involved.

Q: Why do annual-turnover fines change the governance model for crypto issuers?

A: Because the penalty scale links compliance failure to enterprise size, the cost of weak controls rises with the business, not just with the incident. That pushes teams to treat identity governance, approvals, and evidence retention as risk controls that directly affect financial exposure rather than as formalities.

Q: What do security and compliance teams get wrong about regulatory passporting?

A: They often treat passporting as a one-time filing exercise. In practice, it is a lifecycle problem that depends on continued control over disclosures, approvals, and organisational changes. If the control state decays after approval, the organisation can still end up exposed to fines or forced interruption.

Q: Who is accountable when MiCA enforcement cites negligence in a crypto issuer?

A: Accountability can extend beyond the legal entity to management body members when the draft framework finds intentional or negligent infringement. That means teams need evidence showing who reviewed, approved, or delegated each high-risk action, because liability may be tested at the individual level.


Technical breakdown

How the EBA is turning MiCA infringements into a scoring model

The draft framework uses a multi-step penalty method rather than a flat sanction. It weighs the seriousness of the infringement, how long it persisted, whether the conduct was intentional or negligent, the issuer's financial strength, and any aggravating or mitigating circumstances. That matters because regulatory penalties become more predictable and more defensible when the authority can map behaviour to a structured methodology. For practitioners, the technical issue is not only the fine rate. It is the evidentiary model behind it, which depends on records, ownership, and the ability to show that controls were operating as intended.

Practical implication: map regulatory obligations to control evidence so you can show intent, duration, and remediation context if challenged.

Why passporting and organisational failures now have direct financial exposure

The draft explicitly links enforcement to issuers that fail to secure regulatory passports by the deadline, alongside infractions such as unauthorised disclosures and organisational failures. That widens the operational scope beyond technical compliance checks and into the governance of who can act, approve, disclose, and attest on behalf of the issuer. In practice, this means identity lifecycle, delegation, and approval evidence can become part of the enforcement record. A weak operating model is now not just a process gap. It is a penalty input.

Practical implication: tighten approval chains and offboarding evidence for roles that can influence disclosures, filings, or passporting status.

Why management body accountability sits inside the enforcement model

MiCA enforcement under this draft is not limited to the issuer as an entity. It also covers management body members who commit infringements intentionally or through negligence, which places personal accountability inside the governance framework. That creates a stronger demand for auditable decision paths, segregation of duties, and documented review of high-risk actions. When accountability is personal as well as organisational, identity controls stop being a back-office convenience and become part of the legal defence posture.

Practical implication: retain decision and approval evidence for high-risk actions so individual accountability is traceable without ambiguity.


Threat narrative

Attacker objective: The objective is regulatory leverage, using MiCA enforcement to compel compliance or impose penalties when issuers fail to meet supervised obligations.

  1. Entry occurs when a significant ART or EMT issuer operates without securing its regulatory passport by the deadline, leaving the business exposed to enforcement action.
  2. Escalation follows when organisational failures, unauthorised disclosures, or negligent conduct accumulate and increase the severity score under the draft methodology.
  3. Impact is regulatory and financial, with the EBA able to propose fines tied to annual turnover and, in some cases, operational halts.


NHI Mgmt Group analysis

MiCA enforcement is becoming an identity governance problem, not just a legal one. The draft methodology turns issuer conduct, management-body accountability, and disclosure discipline into measurable enforcement inputs. That means access to act on behalf of a regulated issuer is now inseparable from proof of control, review, and traceability. Practitioners should treat governance evidence as a regulated asset, not an audit afterthought.

Regulatory passporting failure is a control-state failure. When firms miss the passporting requirement or cannot evidence organisational discipline, the issue is not simply delayed paperwork. It shows that authority, timing, and accountability were never cleanly governed across the operating model. The practical conclusion is that regulated permission to operate depends on lifecycle control, not just registration status.

Personal accountability inside the management body raises the stakes for delegation chains. The draft extends liability to intentional or negligent infringement by individuals, which means approval trails and decision ownership matter as much as the policy itself. In regulated crypto operations, a vague delegation chain is no longer defensible when enforcement tests who knew what, when, and under which authority. Practitioners should assume governance evidence will be examined at the individual level.

MiCA is validating a broader market shift toward provable governance over informal compliance. Penalty frameworks increasingly reward the organisations that can demonstrate control operation, not the ones that merely claim policy coverage. That pattern will pressure crypto firms to align identity, approval, and disclosure workflows with evidentiary standards that stand up under supervision. The field should expect more regulatory models that translate governance failure directly into financial exposure.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • NHI Lifecycle Management Guide shows why offboarding and revocation speed matter when access must be withdrawn under regulatory pressure.

What this signals

MiCA enforcement will expose weak lifecycle governance faster than policy decks can conceal it. When penalties can track seriousness, duration, and negligence, organisations need evidence that privileges, approvals, and disclosures were governed as living controls, not static policy text. The next maturity gap is likely to be in revocation speed, delegation clarity, and auditability, especially where regulated access crosses business and legal boundaries.

Regulated crypto firms should expect a convergence between compliance evidence and identity governance tooling. The programmes that can prove who approved what, when access changed, and how exceptions were handled will be better placed to absorb supervisory scrutiny without turning every review into a manual reconstruction exercise.


For practitioners

  • Document passporting-critical approval paths: Record who can approve filings, disclosures, and operating changes for each regulated token product, then review the chain against segregation-of-duties expectations.
  • Tie enforcement exposure to control evidence: Maintain dated evidence for disclosures, policy exceptions, and remediation actions so you can show duration, intent, and mitigation if the regulator questions the programme.
  • Review management body delegation limits: Define which decisions require named executives, which can be delegated, and how that delegation is revoked when roles change or oversight breaks down.
  • Prepare turnover-based sanction scenarios: Model the impact of fines expressed as a percentage of annual turnover and test whether current controls would reduce the severity classification of a breach.

Key takeaways

  • The EBA’s draft MiCA fines model turns governance failures into measurable financial exposure.
  • Passporting, disclosures, and management-body accountability now need evidence that survives regulatory scrutiny.
  • Crypto compliance teams should treat approval chains, delegation, and remediation records as enforcement-grade controls.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-4             | Access and authorization governance affects regulated issuer accountability.
NIST Zero Trust (SP 800-207)  |                     | Zero Trust reinforces continuous verification for regulated operational authority.
NIST CSF 2.0                  | GV.RM-01            | Regulatory risk management is central when fines depend on governance failure.

Apply continuous verification to roles that can approve disclosures or operating changes.


Key terms

  • Regulatory Passporting: Regulatory passporting is the permission a firm needs to operate across jurisdictions under a common rule set. In practice, it depends on accurate filings, ongoing supervision, and continued compliance with the obligations attached to the permission.
  • Management Body Accountability: Management body accountability is the principle that senior decision-makers can be held responsible for intentional or negligent governance failures. It matters because delegated authority does not remove the need for traceable oversight, documented approval, and evidence of review.
  • Enforcement Methodology: An enforcement methodology is the structured way a regulator turns a breach into a penalty. It typically weighs seriousness, duration, intent, mitigation, and the scale of the regulated entity so the sanction reflects both conduct and context.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SumSub: EU Watchdog EBA outlines fines under MiCA enforcement framework. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org