TL;DR: MiCA’s grandfathering period is still active in some jurisdictions, but full licensing will be required across the EU from July 1, 2026, and SumSub’s guide focuses on scope, licensing milestones, and AML/CFT obligations that sit alongside MiCA rather than inside it.
NHIMG editorial — based on content published by SumSub: MiCA licensing readiness and AML/CFT obligations under the regulation
By the numbers:
- The guide notes that full licensing will be required across the EU from July 1, 2026.
- MiCA’s timeline in the guide runs from AMLD5 adoption in 2018 to European Parliament approval in April 2023 and entry into force in June 2023.
Questions worth separating out
Q: How should CASPs prepare for MiCA licensing without missing AML/CFT obligations?
A: CASPs should separate the licensing work from the underlying control work.
Q: Why do MiCA readiness programmes fail in practice?
A: They usually fail when teams treat the application as paperwork instead of governance evidence.
Q: What should compliance teams do when MiCA and AML rules seem to overlap?
A: They should draw a clear boundary between the two and assign obligations accordingly.
Practitioner guidance
- Map MiCA obligations to control owners Break the programme into authorisation, identity verification, screening, recordkeeping, and oversight tasks.
- Separate MiCA from AML/CFT control design Document which requirements come from MiCA and which come from AMLD, TFR, and national laws.
- Build an evidence pack before submission starts Collect policy, approval, exception, and review artefacts in the same format regulators will expect.
What's in the full article
SumSub's full guide covers the operational detail this post intentionally leaves for the source:
- A clearer breakdown of MiCA scope across CASPs, issuers, ARTs, and EMTs.
- The licence-preparation checklist regulators use to assess governance and operational readiness.
- Practical guidance on AML/CFT, Enhanced Due Diligence, and Travel Rule obligations.
- The application pack materials needed to evidence compliance in practice.
👉 Read SumSub's guide to MiCA licensing readiness and AML/CFT obligations →
MiCA for CASPs: what identity and compliance teams need to do?
Explore further
MiCA compliance is an identity governance problem as much as a legal one. The guide is useful because it shows that CASP readiness depends on how reliably an organisation verifies identity, documents decisions, and preserves control evidence. Licensing is the visible checkpoint, but the underlying discipline is whether identity and compliance operations can produce defensible records at the pace regulators expect. Practitioners should treat MiCA readiness as control orchestration, not document collection.
A few things that frame the scale:
- 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to 2025 State of NHIs and Secrets in Cybersecurity.
- 91% of former employee tokens remain active after offboarding, which shows how quickly lifecycle gaps become access risk when governance is weak.
A question worth separating out:
Q: How do organisations know if their MiCA application pack is strong enough?
A: A strong pack shows that governance, control execution, and evidence retention all line up. If approvers, reviewers, and exception handlers can be traced through documented workflows and retained artefacts, the pack is far more likely to survive regulator scrutiny. Weak packs tend to lack consistency, ownership, or proof that the controls actually ran.
👉 Read our full editorial: MiCA licensing readiness for CASPs depends on identity controls