TL;DR: The European Banking Authority has outlined a draft method for calculating MiCA fines, with penalties for significant ART issuers capped at 12.5% of annual turnover and significant EMT issuers at 10%, according to SumSub. That enforcement posture turns regulatory passporting, disclosures, and organisational controls into immediate governance priorities rather than back-office compliance tasks.
NHIMG editorial — based on content published by SumSub: EU Watchdog EBA outlines fines under MiCA enforcement framework
By the numbers:
- The proposal sets maximum administrative fines of up to 12.5% of annual turnover for significant asset-referenced token issuers.
- The proposal sets maximum administrative fines of up to 10% of annual turnover for significant e-money token issuers.
Questions worth separating out
Q: What fails when a regulated crypto issuer cannot secure its MiCA passport on time?
A: The failure is not only administrative.
Q: Why do annual-turnover fines change the governance model for crypto issuers?
A: Because the penalty scale links compliance failure to enterprise size, the cost of weak controls rises with the business, not just with the incident.
Q: What do security and compliance teams get wrong about regulatory passporting?
A: They often treat passporting as a one-time filing exercise.
Practitioner guidance
- Document passporting-critical approval paths: Record who can approve filings, disclosures, and operating changes for each regulated token product, then review the chain against segregation-of-duties expectations.
- Tie enforcement exposure to control evidence: Maintain dated evidence for disclosures, policy exceptions, and remediation actions so you can show duration, intent, and mitigation if the regulator questions the programme.
- Review management body delegation limits: Define which decisions require named executives, which can be delegated, and how that delegation is revoked when roles change or oversight breaks down.
What's in the full analysis
SumSub's full news article covers the regulatory detail this post intentionally leaves for the source:
- The draft methodology for calculating fines under MiCA, including the weighting factors used by the EBA.
- The consultation process and timeline for feedback before the final technical standards go to the European Commission.
- The specific categories of issuers and management-body members covered by the enforcement framework.
- The maximum administrative fine percentages referenced in the draft proposal.
👉 Read SumSub's coverage of the EBA MiCA fines framework →
EBA MiCA fines framework: what crypto compliance teams need now?
Explore further
MiCA enforcement is becoming an identity governance problem, not just a legal one. The draft methodology turns issuer conduct, management-body accountability, and disclosure discipline into measurable enforcement inputs. That means access to act on behalf of a regulated issuer is now inseparable from proof of control, review, and traceability. Practitioners should treat governance evidence as a regulated asset, not an audit afterthought.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when MiCA enforcement cites negligence in a crypto issuer?
A: Accountability can extend beyond the legal entity to management body members when the draft framework finds intentional or negligent infringement. That means teams need evidence showing who reviewed, approved, or delegated each high-risk action, because liability may be tested at the individual level.
👉 Read our full editorial: EBA MiCA fines framework raises the stakes for crypto compliance