
Global Regulatory Developments in Digital Assets and Markets: H1 2025 Strategic Impact Analysis

Executive Summary


The first half of 2025 represents a pivotal inflexion point for the digital asset sector, characterised by a structural shift from regulatory ambiguity to comprehensive legislative oversight. The operationalisation of the European Union's Markets in Crypto-Assets (MiCA) regulation and the Digital Operational Resilience Act (DORA) has established a global precedent, compelling a fundamental re-architecture of digital asset business models. This report analyses the key regulatory developments and their strategic implications for firms.


The dominant theme is the mandatory maturation of the industry. The key impacts on firm strategy and operations are:


  • Formalisation of Market Entry and Conduct: The era of permissive market entry has concluded. MiCA establishes a rigorous, harmonised authorisation regime for Crypto-Asset Service Providers (CASPs) and token issuers, predicated on robust governance, prudential requirements, and detailed conduct of business obligations analogous to those under MiFID II.

  • Operational Resilience as a Condition of License: DORA elevates ICT and security risk management from a technical function to a board-level strategic imperative. Its stringent requirements for risk management, incident reporting, and third-party dependency oversight impose significant operational costs and liabilities, making resilience a non-negotiable aspect of business viability.

  • The Industrialisation of Tokenisation: While regulatory frameworks for Decentralised Finance (DeFi) remain nascent, a clear institutional and regulatory consensus is forming around the tokenisation of real-world assets (RWAs). Analyses from the IMF, BIS, and significant financial institutions signal a strategic shift towards integrating DLT-based assets with traditional financial market infrastructure, creating new opportunities in issuance, custody, and secondary market liquidity provision.

  • Global Regulatory Convergence Amidst Jurisdictional Fragmentation: While the EU's comprehensive approach leads, other major financial centres are advancing their frameworks. The United Kingdom is developing a bespoke regime focused on economic stability and consumer protection. At the same time, the United States continues to navigate a complex interplay between federal agency enforcement actions and legislative initiatives. Despite differences in implementation, a global convergence on core principles—such as reserve requirements for stablecoins, custody standards, and market abuse prevention—is evident.


For market participants, future success is contingent upon the proactive integration of compliance architecture into core business strategy, significant capital allocation towards technology and security infrastructure, and the strategic alignment of product development with the evolving, and increasingly stringent, global regulatory perimeter.


🇪🇺 Europe: The MiCA and DORA Implementation


The EU has cemented its position as the first major jurisdiction to implement a comprehensive regulatory framework for crypto-assets. The entry into force of detailed MiCA and DORA technical standards in H1 2025 is transforming the operational and legal landscape for all firms in the sector.


1. Markets in Crypto-Assets (MiCA): Establishing the Regulatory Framework


The publication of numerous Regulatory Technical Standards (RTS) has translated MiCA's high-level principles into granular, binding requirements.


  • Authorisation and Prudential Oversight: The final RTS on authorisation applications (Regulations 2025/305, 2025/306) and the assessment of qualifying holdings (Regulations 2025/413, 2025/414) mandate a rigorous licensing gateway.

    • Firm Implication: The application process requires extensive documentation covering governance arrangements, ICT systems, security protocols, business continuity plans, and the segregation of client funds. This necessitates a significant upfront capital and resource investment in non-revenue-generating functions. The strategic trade-off is securing a pan-EU passport, which permits licensed entities to operate across all member states, offering significant scalability.

  • Conduct of Business and Market Integrity: A suite of regulations imposes MiFID-like conduct obligations. This includes RTS on conflicts of interest (Regulations 2025/1141, 2025/1142), complaint handling (Regulations 2025/293, 2025/294), and a new market abuse regime.

    • Firm Implication: Business models must evolve to embed client protection and market integrity at their core. This requires implementing sophisticated market surveillance systems to detect insider dealing and market manipulation, establishing formal policies to manage conflicts of interest (e.g., functional separation of proprietary trading from brokerage activities), and creating effective customer redress mechanisms. These requirements directly increase operational expenditure and necessitate specialised legal and compliance expertise.

  • Stablecoins (ARTs and EMTs): Issuers of asset-referenced and e-money tokens are subject to stringent prudential and governance standards, including rules on the composition and custody of reserve assets, liquidity management policies, and remuneration policies (Regulations 2025/418, 2025/419).

    • Firm Implication: The stablecoin issuance business model is now highly regulated and capital-intensive, resembling that of an e-money institution or asset manager. Issuers must maintain a liquid reserve, conduct rigorous stress testing, and ensure orderly redemption plans. This will inevitably drive market consolidation, favouring large, well-capitalised financial entities.


2. Digital Operational Resilience Act (DORA): Mandating Cyber and Operational Fortitude


DORA's horizontal application imposes a demanding framework for technology and cyber risk management, with a profound impact on digital-native firms.


  • ICT Risk Management and Incident Reporting: DORA mandates a comprehensive and documented ICT risk management framework. The final RTS on major incident reporting (Regulation 2025/301) and the updated TIBER-EU framework for threat-led penetration testing (TLPT) create a stringent supervisory regime.

    • Firm Implication: Firms must make substantial investments in their cybersecurity infrastructure and governance. This includes conducting mandatory, regular TLPT for significant entities, establishing formal incident classification and response protocols, and implementing systems for reporting major incidents to regulators according to strict criteria and timelines. The cost of security and resilience has become a substantial and non-discretionary operational expense.

  • Third-Party Risk Management: The RTS governing ICT third-party providers (TPPs) imposes significant oversight obligations on firms.

    • Firm Implication: Business models reliant on outsourcing critical ICT functions (e.g., cloud infrastructure, security operations) face heightened due diligence and management burdens. Firms remain fully liable for the resilience of their supply chain and must maintain a detailed register of all ICT TPP arrangements. The direct oversight powers granted to European Supervisory Authorities over designated "Critical ICT TPPs" introduce a new layer of systemic risk management that firms must incorporate into their vendor strategies.


🇬🇧 United Kingdom: Constructing a Bespoke Financial Services Regime


The UK is pursuing a distinct regulatory path, aiming to integrate crypto-assets into its existing financial services framework (FSMA) to foster innovation while ensuring economic stability.


  • Future Regulatory Framework: HM Treasury's near-final legislative order for new crypto-asset regulated activities, alongside FCA consultations on a prudential regime, stablecoin issuance, and custody, indicates a comprehensive UK framework is imminent.

    • Firm Implication: Firms with UK operations must prepare for a new licensing regime that will leverage existing financial services principles (e.g., CASS for custody, IFPR for prudential requirements). The FCA's focus on a dedicated prudential sourcebook implies that capital adequacy, liquidity, and wind-down planning will become central to the business models of UK-based crypto firms.

  • Consumer Protection: The FCA's Consumer Duty and its stringent Financial Promotions regime are the cornerstones of its approach.

    • Firm Implication: Marketing and product governance must be fundamentally reoriented. Firms must be able to evidence that they are delivering good outcomes for retail clients across four key areas: products and services, price and value, consumer understanding, and consumer support. Business models predicated on the aggressive promotion of high-risk, unregulated products are untenable.


🇺🇸 United States: Navigating Regulatory Fragmentation and Enforcement


The US regulatory landscape remains a complex patchwork of federal agency oversight and ongoing legislative debate, creating significant legal uncertainty.


  • Regulation by Enforcement: The Securities and Exchange Commission (SEC) continues to utilise enforcement actions to assert its jurisdiction, applying the Howey Test to various crypto-assets and business models, including staking and lending.

    • Firm Implication: Legal and regulatory risk is a primary business constraint. The ambiguity over which assets constitute securities creates existential litigation risk. Business models, particularly those involving token issuance, yield-bearing products, or DeFi protocols, require intensive legal analysis and structuring to mitigate the risk of violating securities laws.

  • Legislative Initiatives: While multiple bills (e.g., GENIUS Act) are being debated, a comprehensive federal framework for digital assets has not yet been enacted. Key points of contention include the jurisdictional boundaries between the SEC and CFTC and the specific requirements for stablecoin issuers.

    • Firm Implication: Firms must engage in strategic scenario planning and proactive government relations. The future regulatory architecture will be heavily influenced by the outcome of these legislative and jurisdictional battles, impacting everything from product design to capital markets strategy.


🌍 Financial Crime Compliance: A Heightened Global Priority


The first half of 2025 witnessed a significant intensification of Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) efforts globally. The focus has decisively shifted from policy formulation to implementation and supervisory enforcement, making FinCrime compliance a critical pillar of any digital asset business model.


  • FATF and the "Travel Rule" Implementation: The Financial Action Task Force (FATF) has increased pressure on member jurisdictions to fully implement its standards for virtual assets. The June 2025 targeted update and the accompanying report on supervision underscore a global move towards assessing the effectiveness of national regimes. The "sunrise period" for implementing Recommendation 16 (the "Travel Rule") is effectively over, with supervisors now actively examining CASPs for compliance.

  • EU's AMLA Framework Takes Shape: In Europe, the EBA's consultation on RTS under the new AML Authority (AMLA) Regulation signals the operationalisation of the EU's new, centralised AML/CFT supervisory architecture. This body will have direct supervisory powers over certain obliged entities, including significant CASPs. This is complemented by the EBA's work to formally extend the scope of the 4th Money Laundering Directive (MLD4) to explicitly cover CASPs, ensuring a consistent application of AML rules.

  • Industry Guidance and Risk Assessment: The publication of guidance from bodies like the Wolfsberg Group on defining digital assets for AML/CTF purposes provides crucial clarity for traditional financial institutions and digital asset firms alike. This, combined with detailed analyses like the "2025 Crypto Crime Report," provides a more transparent framework for conducting enterprise-wide risk assessments, which are a foundational expectation of regulators.

  • Firm Implication: Compliance with AML/CFT obligations has become a significant operational and financial burden.

    • Technology & Integration: Firms must invest in sophisticated RegTech solutions for transaction monitoring, sanctions screening, and compliance with the Travel Rule's data-sharing requirements.

    • Increased Costs & Expertise: The operational expenditure on specialised legal and compliance personnel, along with the necessary technology stack, has risen substantially.

    • Intrusive Supervision: Firms must be prepared for detailed, intrusive inspections from regulators focused on the design and operational effectiveness of their AML/CFT control frameworks. The risk of significant fines, license restrictions, or revocation for non-compliance is now acute.


🌍 International and Thematic Imperatives


Beyond jurisdictional specifics, several global themes are shaping the strategic agenda for digital asset firms.

  • Tokenisation of Real-World Assets (RWAs): This represents a significant evolution, moving beyond native crypto-assets. Reports from the IMF and BIS highlight the potential for efficiency gains but also underscore the profound challenges related to legal finality, interoperability between DLT systems and traditional financial market infrastructures, and the creation of robust governance frameworks.

    • Firm Implication: This trend opens a substantial market for firms capable of providing institutional-grade tokenisation infrastructure. Success requires a multidisciplinary approach that bridges the legal, regulatory, and technical divide between off-chain asset ownership and on-chain representation.

  • Artificial Intelligence (AI) Governance: The increasing use of AI in financial services is attracting regulatory scrutiny. Frameworks proposed by BIS and ESMA emphasise the need for robust model risk management, validation, transparency, and explainability, particularly for AI used in algorithmic trading, risk management, and compliance functions.

    • Firm Implication: Firms deploying AI must move beyond a "black box" approach. They must invest in robust AI governance frameworks, validation processes, and audit trails to demonstrate control and mitigate risks of bias or model failure, mirroring the standards for model risk management in traditional finance.

  • Financial Crime (FinCrime) Compliance: The global focus on combating illicit finance remains intense. The FATF's continued push for the implementation of Recommendation 16 (the "Travel Rule") and enhanced guidance from bodies like the Wolfsberg Group are increasing compliance burdens.

    • Firm Implication: Compliance with AML/CFT obligations is a foundational requirement. Business models must integrate sophisticated transaction monitoring and identity verification systems capable of complying with the Travel Rule's data exchange requirements. This often necessitates partnering with specialised RegTech providers and significantly increases the cost of compliance.



 
 


The posts listed on the 'What we think' webpages are our interpretation of regulatory developments we have been reading about. They should not be considered legal, regulatory or other advice. Contact us if you want to understand the impact of public policy, regulation and governance changes for you.
