MiCA deadline pressure: what it means for identity and access teams

TL;DR: Thousands of EU crypto firms face service disruption as MiCA’s final transition period ends, with only about 194 firms authorised by May versus more than 3,000 previously registered businesses, according to SumSub’s summary of legal and industry estimates. The regulatory squeeze is now a governance problem as much as a compliance one, because operating rights, customer access, and exit planning all depend on provable control.

NHIMG editorial — based on content published by SumSub: EU crypto firms race to meet the MiCA deadline

By the numbers:

• Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

Questions worth separating out

Q: How should crypto firms prepare for MiCA-driven service restrictions?

A: They should treat MiCA as an operating-state change, not only a legal deadline.

Q: Why does MiCA create an identity governance issue for crypto firms?

A: MiCA changes who is allowed to operate, which makes access to customer services conditional on authorisation.

Q: What do organisations get wrong about regulatory wind-downs?

A: They often assume a wind-down is mostly a legal or customer communications task.

Practitioner guidance

• Tie service continuity to licence status Build an operational control matrix that maps each customer-facing service to its current authorisation state, then define what must pause, transfer, or remain active if approval is lost.
• Run a wind-down offboarding exercise Test whether customer withdrawals, asset transfers, admin revocation, and audit preservation can happen in sequence before operations cease, using the same owners who would execute a real exit.
• Review third-party access before consolidation hits Identify providers, custodians, and outsourced operators with standing access to customer assets or admin functions, then verify who can revoke them if the business relationship changes.

What's in the full analysis

SumSub's full article covers the regulatory and market detail this post intentionally leaves for the source:

• The legal basis for MiCA authorisation and how the transition period changes operating rights across the EU.
• The practical implications of the July 1 deadline for firms that may need to suspend services or transfer customers.
• The consolidation scenario described by the legal commentary, including why compliance cost may push smaller firms out of the market.

👉 Read SumSub’s analysis of the MiCA deadline and crypto firm authorisation →

MiCA deadline pressure: what it means for identity and access teams?

Explore further

View Full Forum →  |  NHI Foundation Course →