By NHI Mgmt Group Editorial Team | Published 2026-06-22 | Domain: Breaches & Incidents | Source: SumSub

TL;DR: Thousands of EU crypto firms face service disruption as MiCA’s final transition period ends, with only about 194 firms authorised by May versus more than 3,000 previously registered businesses, according to SumSub’s summary of legal and industry estimates. The regulatory squeeze is now a governance problem as much as a compliance one, because operating rights, customer access, and exit planning all depend on provable control.


At a glance

What this is: This is an analysis of MiCA’s final transition period and the operational pressure it creates for EU crypto firms.

Why it matters: It matters because practitioners must treat regulatory authorisation, customer offboarding, and access continuity as governed identity outcomes, not just legal paperwork.

By the numbers:

  • Only around 194 crypto firms had obtained MiCA authorisation by May, compared with more than 3,000 crypto businesses registered across the EU before the new regime was introduced.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.


Context

MiCA is the EU’s crypto-asset rulebook, and the immediate issue is not abstract regulation but whether firms can keep serving customers once transitional permissions end. For identity and access teams, that turns authorization into an operating control problem: who can continue to act, under what licence, and how the business winds down if approval is not in place.

The governance gap here is broader than compliance filing. Firms need to prove that customer access, asset transfer, service suspension, and operational offboarding are all controlled before the deadline. That is a lifecycle problem for non-human identities, privileged access, and customer-facing operational workflows, not just a legal deadline.


Key questions

Q: How should crypto firms prepare for MiCA-driven service restrictions?

A: They should treat MiCA as an operating-state change, not only a legal deadline. That means mapping every customer-facing service to authorisation status, defining suspension triggers, and rehearsing customer withdrawal and transfer flows before approval lapses. The goal is to ensure access, assets, and evidence can be governed in sequence rather than improvised under pressure.

Q: Why does MiCA create an identity governance issue for crypto firms?

A: MiCA changes who is allowed to operate, which makes access to customer services conditional on authorisation. Once that happens, lifecycle controls matter: which accounts can act, which services must stop, and how assets are transferred or withdrawn. Without those controls, compliance becomes a static filing exercise instead of an enforceable operating model.

Q: What do organisations get wrong about regulatory wind-downs?

A: They often assume a wind-down is mostly a legal or customer communications task. In practice, it is a governance exercise that requires revoking access, preserving records, separating roles, and protecting exit paths for users. If identities and service accounts are not managed as part of the shutdown, the business can remain exposed even after operations stop.

Q: Who is accountable when a crypto firm loses its right to operate?

A: Accountability sits with the organisation that controlled the customer assets, the operating identities, and the wind-down plan. Regulators may set the deadline, but the firm owns the execution. That means leadership, compliance, IAM, and operations need a shared closure model that proves services can be suspended or transferred without leaving access behind.


Technical breakdown

MiCA authorisation as an access control boundary

MiCA changes the operating boundary for a crypto firm from national registration to bloc-wide authorisation. That matters because the permission to serve customers becomes conditional, time-bound, and regulator-enforced. From an identity perspective, the firm must be able to distinguish approved operating activity from activity that should be frozen, transferred, or shut down. The practical challenge is not only proving compliance at a point in time, but aligning service access, transaction processing, and customer communications with the licence state of the business.

Practical implication: map business services to authorisation status so suspension or wind-down actions can be executed without delay.

Wind-down planning depends on lifecycle governance

When a firm loses the right to operate, it still has to manage identities, credentials, and access long enough to let customers withdraw or transfer assets. That requires lifecycle controls across people, systems, and service accounts, including offboarding, revocation, and access segregation. In identity terms, this is where governance becomes operational continuity. The risky pattern is assuming that closing the business is a legal event only, when it is also a controlled deprovisioning exercise across accounts, keys, and customer pathways.

Practical implication: treat wind-down plans as lifecycle runbooks that revoke access, preserve audit evidence, and protect customer exit paths.

Consolidation pressure follows from compliance cost

The article points to a likely consolidation effect because smaller firms may find authorisation costs and control expectations harder to absorb. That is a market structure issue with direct identity consequences: fewer licensed operators, more third-party dependence, and higher scrutiny on who controls customer assets and admin access. For security teams, consolidation increases the importance of vendor oversight, privileged access review, and third-party lifecycle controls because failure in one licensed provider can cascade into many customer relationships.

Practical implication: reassess third-party access, admin entitlements, and offboarding controls before relying on a licensed provider for customer operations.


NHI Mgmt Group analysis

MiCA turns regulatory authorisation into an identity governance problem. The article is not just about licensing pressure. It shows that firms need a provable operating state, not only a legal filing, before they can continue serving customers across the EU. That makes entitlement control, service continuity, and deprovisioning part of the compliance boundary. Practitioners should treat authorisation as a live governance state, not a paperwork checkpoint.

The real failure mode is ungoverned wind-down capability. If a firm cannot suspend services, revoke access, and hand off customer assets in a controlled sequence, it has not governed the end of the lifecycle. That is a non-human identity problem as much as a regulatory one, because service accounts, keys, and transfer processes often outlive the business decision to stop operating. The implication is that offboarding must be designed as an operational control, not an afterthought.

Consolidation increases identity concentration risk. The article suggests that costly compliance may push smaller operators out and concentrate customer relationships in fewer licensed firms. That changes the attack surface and the oversight burden at the same time. More assets, more delegated access, and more third-party dependencies end up inside fewer control planes. Practitioners should expect a sharper need for privileged access review and third-party lifecycle governance.

MiCA accelerates the shift from registration-based trust to evidence-based trust. Old registration regimes could mask weak operational control because market access was easier to obtain. Under MiCA, the market is moving toward proof that authorisation, offboarding, and customer protection are all enforceable in practice. That is a useful direction for governance maturity, but it also exposes firms that have not invested in lifecycle discipline. Teams should assume that evidence, not intent, will decide operating continuity.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • The lifecycle problem does not end at revocation, so teams should also use the NHI Lifecycle Management Guide to design offboarding that actually closes access.

What this signals

MiCA will expose whether your operating model can survive a forced access boundary. If a licence is withdrawn or delayed, the business needs immediate clarity on which systems pause, which identities are revoked, and which customer actions must remain available. That is why lifecycle runbooks and service-state mapping belong in the same control conversation as regulatory compliance.

Regulatory pressure is pushing crypto firms toward evidence-based governance. The market will increasingly reward firms that can prove they can stop, transfer, or continue services in a controlled sequence. For identity teams, that means tighter coordination between access reviews, service ownership, and offboarding evidence.

Consolidation raises the value of a concept we call the compliance exit window: the short period in which a firm can still act, revoke, transfer, and preserve records before authorisation expires. If that window is not operationally designed, the organisation loses control faster than it loses licence status.


For practitioners

  • Tie service continuity to licence status: Build an operational control matrix that maps each customer-facing service to its current authorisation state, then define what must pause, transfer, or remain active if approval is lost.
  • Run a wind-down offboarding exercise: Test whether customer withdrawals, asset transfers, admin revocation, and audit preservation can happen in sequence before operations cease, using the same owners who would execute a real exit.
  • Review third-party access before consolidation hits: Identify providers, custodians, and outsourced operators with standing access to customer assets or admin functions, then verify who can revoke them if the business relationship changes.
  • Separate compliance evidence from operational dependency: Document which controls prove authorisation and which controls keep the business functioning, so a failed filing cannot be confused with a still-valid access model.
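
The control matrix and wind-down runbook described in the practical implications above and in the practitioner list can be expressed as code so they are testable before a real exit. The example below is an added illustration, not code from SumSub or NHI Mgmt Group; the service names, licence states, API keys and owners are constructed sample data. It maps each service to continue, exit-only or pause given the licence state, revokes the standing keys of paused services first, keeps customer exit paths open, then revokes everything and seals the audit log with a digest for retention.

```python
"""Service-state control matrix and wind-down runbook for a licence boundary.

Added example (not from the SumSub article or NHI Mgmt Group). Service names,
licence states, API keys and owners are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum
import hashlib
import json


class LicenceState(Enum):
    AUTHORISED = "authorised"      # MiCA authorisation granted
    TRANSITIONAL = "transitional"  # still covered by the transition period
    LAPSED = "lapsed"              # transition ended, no authorisation in place


class Action(Enum):
    CONTINUE = "continue"
    EXIT_ONLY = "exit_only"  # only customer withdrawal/transfer paths stay open
    PAUSE = "pause"


@dataclass(frozen=True)
class Service:
    name: str
    needs_authorisation: bool  # does operating it require a valid licence?
    is_exit_path: bool         # lets customers withdraw or transfer assets?


# Constructed inventory of customer-facing and supporting services.
SERVICES = [
    Service("spot_trading", True, False),
    Service("new_customer_onboarding", True, False),
    Service("custody_withdrawal", True, True),
    Service("asset_transfer_out", True, True),
    Service("status_page", False, False),
]


def control_matrix(services, state):
    """Map each service to the action its current licence state requires."""
    matrix = {}
    for svc in services:
        if state is not LicenceState.LAPSED or not svc.needs_authorisation:
            matrix[svc.name] = Action.CONTINUE
        elif svc.is_exit_path:
            matrix[svc.name] = Action.EXIT_ONLY
        else:
            matrix[svc.name] = Action.PAUSE
    return matrix


@dataclass
class ApiKey:
    key_id: str
    service: str  # service the key grants access to
    owner: str    # internal service account or third-party provider
    valid: bool = True


@dataclass
class WindDownRunbook:
    services: list
    api_keys: list
    audit_log: list = field(default_factory=list)

    def _record(self, step, detail):
        self.audit_log.append({"step": step, "detail": detail})

    def _revoke(self, key):
        key.valid = False
        self._record("revoke_key", f"{key.key_id} ({key.owner}) on {key.service}")

    def enter_exit_window(self, state):
        """Apply the matrix: pause non-exit services and revoke their standing keys."""
        matrix = control_matrix(self.services, state)
        for name, action in matrix.items():
            self._record("service_state", f"{name}={action.value}")
        for key in self.api_keys:
            if key.valid and matrix.get(key.service) is Action.PAUSE:
                self._revoke(key)
        return matrix

    def close_exit_window(self):
        """After customers have exited: revoke every remaining key, seal evidence."""
        for key in self.api_keys:
            if key.valid:
                self._revoke(key)
        return self.seal_evidence()

    def seal_evidence(self):
        """Digest of the audit log so the retained record can be verified later."""
        blob = json.dumps(self.audit_log, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def standing_keys(self):
        """Keys still valid: the list that must be empty when operations stop."""
        return sorted(k.key_id for k in self.api_keys if k.valid)


def build_demo_runbook():
    """Constructed keys: one per service, held by internal and third-party owners."""
    keys = [
        ApiKey("key-trade-01", "spot_trading", "market-maker-vendor"),
        ApiKey("key-onb-01", "new_customer_onboarding", "kyc-provider"),
        ApiKey("key-wd-01", "custody_withdrawal", "custodian"),
        ApiKey("key-status-01", "status_page", "status-bot"),
    ]
    return WindDownRunbook(SERVICES, keys)


if __name__ == "__main__":
    rb = build_demo_runbook()
    print(rb.enter_exit_window(LicenceState.LAPSED))
    print("still valid during exit window:", rb.standing_keys())
    print("evidence digest:", rb.close_exit_window())
    print("still valid after close:", rb.standing_keys())
```

Running it with the lapsed state shows the sequence the practitioner list asks for: trading and onboarding keys are revoked immediately, the custodian's withdrawal key survives only for the exit window, and `standing_keys()` is the check that should return an empty list before the business declares operations stopped.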

Key takeaways

  • MiCA makes authorisation a live operating condition, so identity governance now sits inside the compliance boundary.
  • The main scale signal is the gap between roughly 194 authorised firms and more than 3,000 prior registrants, which points to broad market disruption.
  • The most important control is a tested wind-down process that can revoke access, preserve evidence, and protect customer exits before operations stop.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.IP-7             | Lifecycle and recovery planning are central to a compliant wind-down.
NIST Zero Trust (SP 800-207)  | PR.AC-1             | Operating rights must be continuously validated against authorisation status.
NIST SP 800-63                | (not specified)     | Federated identity and assurance matter where customers or partners transfer assets.

Build and test shutdown procedures that preserve evidence, revoke access, and keep customer exits controlled.


Key terms

  • Authorisation state: The current regulatory condition that determines whether a firm is allowed to operate, serve customers, or continue specific activities. In practice, it becomes a governance input to access, service continuity, and shutdown decisions, especially when a licence can expire or be withdrawn.
  • Wind-down plan: A controlled sequence for ending operations while preserving customer access, records, and accountability. It usually includes service suspension, asset transfer, access revocation, and evidence retention so the organisation can close without creating avoidable security or compliance exposure.
  • Identity lifecycle governance: The discipline of managing accounts, keys, credentials, and permissions from creation through use, review, rotation, and revocation. For regulated businesses, it also includes the ability to offboard identities and services when the business relationship or operating right ends.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by SumSub: EU crypto firms race to meet the MiCA deadline. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org