SwanFS 2026 Risk and Compliance Framework for EU Crypto-Asset Service Providers: Navigating the Supervisory Trinity of MiCA, DORA, and AMLA

Executive Summary


2026 is a pivotal year for EU Crypto-Asset Service Providers (CASPs), marking the culmination of a multi-year effort to establish comprehensive regulation for digital assets. The transitional “grandfathering” period under MiCA, as per Article 143(3), ends on July 1, 2026, removing legacy buffers and implementing a uniform licensing and conduct system across the Union. Meanwhile, the Digital Operational Resilience Act (DORA), which has been effective since January 17, 2025, enters its second year, with supervisory expectations shifting from policy to practical resilience. The new EU Anti-Money Laundering Authority (AMLA), which has been operational since mid-2025, will coordinate national supervisors and enforce AML/CFT standards in the cryptocurrency sector.


This convergence of regulatory development forms what can be called the “Supervisory Trinity”—MiCA, DORA, and AMLA—a set of interconnected frameworks that require a coordinated, rather than isolated, approach to compliance. The 2026 Work Programme of the Joint Committee of the European Supervisory Authorities (ESAs), published on October 16, 2025, provides the strategic perspective needed to understand this evolving landscape. While not explicitly naming crypto-assets as a standalone priority, the programme’s core pillars—ensuring the effective operation of the DORA Oversight Framework, conducting joint cross-sectoral risk analyses, and enhancing consumer protection—are all closely associated with supervising the crypto-asset market.


For CASPs, 2026 presents serious and complex risks. The end of the MiCA transition creates an “enforcement cliff-edge,” risking hefty penalties for non-compliant firms. Systemic risks from non-MiCA-compliant stablecoins pose a threat to business models that haven’t transitioned to regulated options. DORA’s oversight of CTPPs introduces “regulatory contagion,” with actions against large tech vendors cascading down and requiring operational and contractual changes. The “AMLA effect” will be seen through increased scrutiny from NCAs eager to impress the new EU regulator, despite supervisory delays.


This report presents a risk and compliance framework for 2026, enabling senior management, legal, and compliance leaders at EU CASPs to navigate the new era. It details each pillar of the Supervisory Trinity, reviews technical standards and guidelines, and integrates these into a cohesive strategy. The aim is to shift from checklist compliance to a proactive risk management culture that is resilient, sustainable, and aligned with European supervisory expectations.

Section 1: The 2026 EU Supervisory Landscape: Interpreting the Joint Committee’s Priorities


The 2026 Work Programme of the European Supervisory Authorities (EBA, EIOPA, and ESMA), published on 1 October 2025, serves as a strategic blueprint for a cross-sectoral supervisory focus within the EU. For CASPs, understanding it is crucial for anticipating supervisory priorities. The programme shows the EU’s digital finance strategy is maturing, shifting from creating rules to monitoring the ecosystem. Although “crypto-assets” is not a prominent term, the sector remains the implicit focus of the ESAs’ key 2026 initiatives.


Analysis of the 2026 Joint Committee Work Programme


The Work Programme outlines several key areas of collaboration, three of which have profound and direct implications for every CASP operating in the Union. These priorities are not abstract goals but represent concrete workstreams that will translate into specific information requests, thematic reviews, and potential enforcement actions.


Priority 1: DORA Oversight Framework

The programme aims to operate the Oversight Framework for critical third-party ICT providers under DORA effectively, making 2026 the year of active supervision of Europe’s financial technology backbone. The first CTPP cohort is expected to be designated in 2025, after data has been collected from all entities, including CASPs. By 2026, the ESAs’ Joint Examination Teams (JETs) will be fully operational, conducting in-depth reviews of major cloud providers, data analytics firms, and technology vendors.


For CASPs, this priority has significant downstream effects. The resilience and compliance of a CASP are closely connected to those of its critical vendors. The ESAs’ direct engagement with CTPPs means that supervisory findings—whether related to security vulnerabilities, inadequate business continuity planning, or concentration risk—will not stay confined to the CTPP. Instead, they will cascade down the supply chain through mandated remediation actions, new contractual requirements, and potentially, restrictions on certain services. CASPs must therefore see their technology dependencies not only as an operational issue but also as a key source of regulatory risk.


Priority 2: Joint Risk Analysis

The ESAs have committed to conducting “joint risk analyses amid ongoing geopolitical tensions and heightened uncertainties.” This priority indicates a proactive, macroprudential approach to supervision, focused on identifying and reducing systemic risks before they materialise. Although the scope is broad, the crypto-asset market is a natural and essential focus for this workstream. The European Systemic Risk Board (ESRB), an independent EU body responsible for the macroprudential oversight of the financial system, has already issued a warning, publishing a significant alert in late 2025 about the interconnected sources of systemic vulnerability from stablecoins, crypto-investment products, and complex “multi-function groups”.


The ESAs’ 2026 joint risk analysis will build on this foundation. Supervisors will map how crypto shocks could transmit to the traditional financial system. They will scrutinise stablecoin reserves, asset concentration by large custodians, and significant shifts of bank deposits into e-money tokens that affect real-economy lending. CASPs, especially larger platforms and ART issuers, should expect detailed information requests and reviews on risk management, liquidity, and cross-border exposures. This activity will be data-driven, using the reporting frameworks established under MiCA.


Priority 3: Consumer Protection

The Work Programme’s focus on advancing “financial education and consumer protection” remains a key theme for the ESAs. Nonetheless, in 2026, it gains renewed significance within the fully applicable MiCA framework. The ESAs have consistently issued warnings to consumers about the risks of crypto-assets, emphasising the limited protection available for certain products and providers. With MiCA’s comprehensive conduct-of-business rules entirely in force, 2026 will be the year when supervisors will rigorously assess their implementation.


This will lead to increased scrutiny of CASPs’ client-facing activities. Supervisors will focus on the clarity, fairness, and accuracy of marketing communications to prevent misleading consumers about risks and returns. They will also review suitability assessments for advisory and portfolio services to ensure CASPs collect sufficient client information on knowledge, finances, and risk tolerance. Additionally, handling complaints and conflict-of-interest policies will be closely examined, as these are vital for MiCA’s investor protection.


The Implicit Crypto-Asset Agenda

A superficial reading of the 2026 Work Programme might suggest that crypto-assets have been deprioritised in favour of broader themes such as operational resilience and systemic risk. However, this interpretation would be a serious strategic error. In reality, the programme does not indicate a move away from crypto but rather its full integration into the core of European financial supervision. The crypto-asset market is no longer a niche sector to be managed by a specialised framework; it has become a fundamental part of the economic ecosystem, with its risks and opportunities being addressed through the ESAs’ primary, cross-sectoral supervisory tools.


This integration is evident when examining the relationship between the stated priorities and the realities of the cryptocurrency market.


First, the DORA oversight framework, the programme’s top priority, is of paramount importance to CASPs, which are explicitly within DORA’s scope and are often heavily reliant on third-party ICT infrastructure. The stability of the entire crypto ecosystem depends on the operational resilience of its underlying technology providers.


Second, the joint risk analysis will inevitably focus on the unique and evolving risks posed by digital assets. The ESRB’s 2025 warning provides a clear roadmap for supervisors, highlighting stablecoin stability, cross-border contagion, and the opaque structures of large crypto conglomerates as key areas of concern. These are not peripheral issues; they are central to the mandate of ensuring financial stability in an increasingly digitalised economy.

Third, the consumer protection workstream is fundamentally linked to MiCA’s primary objective. The regulation was conceived to address the significant investor protection gaps that existed in the crypto market. The ESAs’ focus in 2026 will be on ensuring that the promises of MiCA—transparency, disclosure, and fair treatment of clients—are being delivered in practice.


Therefore, CASPs must interpret the 2026 Work Programme as a clear signal of deep and sustained supervisory engagement. The focus on DORA, systemic risk, and consumer protection is not a distraction from crypto; it is the very language through which crypto supervision will be conducted. In 2026, CASPs will not be on the periphery of the ESAs’ activities; they will be at the very centre of them, as supervisors work to embed the new regulatory frameworks and manage the risks of this innovative but volatile sector.


Section 2: Navigating the Post-Transition MiCA Framework


July 1, 2026, marks the definitive end of the transitional period for Crypto-Asset Service Providers under the Markets in Crypto-Assets Regulation. The “grandfathering” clause of MiCA Article 143(3), which allowed entities already providing services under national law on December 30, 2024 to continue operating, will expire. From this date forward, any entity providing crypto-asset services in or from the EU must hold a full MiCA authorisation. This transition from a fragmented, nationally supervised landscape to a harmonised, pan-European regime represents a seismic shift.


This deadline marks a shift in the supervisory approach of NCAs and ESAs, from processing applications and promoting convergence to verifying the ongoing compliance of newly authorised entities. The ESAs’ 2026 mandate for joint risk analysis provides a framework to identify firms with governance, operational, or market conduct weaknesses. By late 2026, the first significant wave of MiCA enforcement actions is expected, with firms that treat the deadline as an end rather than the start of ongoing supervision facing fines, restrictions, or licence suspension. Managing this enforcement cliff requires a clear understanding of the MiCA regime.


2.1 Prudential and Governance Imperatives: Beyond the Application Form


The foundation of a MiCA-compliant CASP is a robust prudential and governance framework. Supervisors in 2026 will look beyond the information provided in the authorisation file to assess whether these frameworks are effectively implemented and embedded in the firm’s culture and operations.


Capital Adequacy

MiCA imposes stringent and continuous prudential safeguards under Article 67. CASPs must maintain their own funds that are, at all times, equal to or greater than the higher of a fixed minimum capital requirement or a variable requirement based on operational expenses. The fixed minimum is tiered according to the services provided, creating a clear link between risk-taking and capital holdings.

Crypto-Asset Service | MiCA Service Classification | Minimum Fixed Capital (€) | Variable Capital Requirement
--- | --- | --- | ---
Reception and transmission of orders; Providing advice on crypto-assets; Execution of orders; Placing of crypto-assets | Class 1 | 50,000 | One-quarter of the preceding year’s fixed overheads
Custody and administration of crypto-assets; Exchange of crypto-assets for fiat or other crypto-assets | Class 2 | 125,000 | One-quarter of the preceding year’s fixed overheads
Operation of a trading platform for crypto-assets | Class 3 | 150,000 | One-quarter of the preceding year’s fixed overheads


In 2026, supervisors will not only verify the adequacy of capital on a static basis but also scrutinise the methodologies used to calculate fixed overheads for the variable requirement. CASPs must have robust financial forecasting and accounting procedures in place to ensure this calculation is accurate and auditable. Any significant operational changes, such as business expansion or outsourcing, will need to be assessed for their impact on fixed overheads and, consequently, on capital requirements.


Governance and Suitability

MiCA requires a transparent and responsible governance framework. A CASP must be a legal entity with its registered office and effective management located within an EU Member State, and at least one director must reside in the EU. These are not just formalities; they are intended to guarantee that the firm has a tangible presence and a “mind and management” within the Union’s supervisory jurisdiction.


Supervisory focus in 2026 will be significantly shaped by the Joint EBA/ESMA Guidelines on the suitability assessment of management body members and qualifying shareholders, which became applicable in February 2025. These guidelines set out standard criteria for evaluating the knowledge, skills, experience, reputation, honesty, and integrity of key individuals. CASPs must be ready to demonstrate not only that their board and senior management met these criteria at the time of authorisation but also that their suitability is regularly monitored. This involves having processes for reassessing suitability based on any new information, such as legal proceedings or poor conduct.


Conflicts of Interest

A core principle of MiCA’s rules is managing conflicts of interest. CASPs must create, maintain, and disclose policies to identify, prevent, manage, and disclose conflicts involving the firm, managers, employees, shareholders, clients, or between clients. ESMA’s standards specify content and disclosure requirements. In 2026, supervisors will review how CASPs handle conflicts, such as acting as both principal and agent, managing proprietary trading alongside client orders, and structuring remuneration to avoid incentivising poor behaviour. Policies alone are insufficient; firms must demonstrate evidence through training records, compliance reports, and audits that show effective conflict management.


Asset Safeguarding

The protection of client assets is arguably the most critical operational requirement under MiCA. The rules aim to ensure that client assets are safeguarded at all times, especially in the event of the CASP’s insolvency. Key requirements include the strict separation of client crypto-assets and funds from the firm’s own assets. This is not merely an accounting separation; MiCA mandates that clients’ crypto-assets be held on distributed-ledger addresses separate from the CASP’s own holdings. Additionally, client funds (in the form of fiat currency) must be deposited with a credit institution or central bank and kept separate from the CASP’s own funds.


In 2026, supervisors will carry out detailed reviews of custody arrangements. This will involve analysing on-chain data to verify address segregation, reviewing contracts with banking partners to confirm the segregation of client funds, and testing the resilience of internal controls related to private key management and access protocols. The adequacy of insurance policies covering theft or loss of assets will also be examined. Any failure in this area will be regarded as a serious breach, given its direct impact on consumer protection and market confidence.


2.2 Market Integrity and Abuse Prevention: The Era of Proactive Surveillance


MiCA’s Title VI introduces a market abuse regime for crypto-assets that mirrors the framework for traditional financial instruments, prohibiting insider dealing, unlawful disclosure of inside information, and market manipulation. The challenge for CASPs in 2026 will be to demonstrate that they have moved beyond policy-setting to implement sophisticated, technology-driven surveillance systems capable of detecting abuse in the unique context of crypto markets.


Obligations for Persons Professionally Arranging or Executing Transactions (PPAETs)


Article 92 of MiCA places a significant burden on PPAETs—including exchanges, brokers, and trading platforms—to establish systems and procedures for preventing and detecting market abuse. These systems must monitor all orders and transactions in real time to identify suspicious activity. The requirement extends beyond traditional off-chain order book data to include oversight of the functioning of distributed ledger technology, explicitly requiring monitoring for crypto-specific abuse patterns such as Maximal Extractable Value (MEV), where miners or validators can manipulate transaction ordering for profit. This necessitates sophisticated analysis of both on-chain and off-chain data.


Suspicious Transaction and Order Reports (STORs) and Supervisory Tools

When a PPAET has a reasonable suspicion of market abuse, it is obligated to file a Suspicious Transaction and Order Report (STOR) with its NCA without delay. The European Commission has adopted Regulatory Technical Standards (RTS), developed by ESMA, that specify the content and template for these reports, ensuring a harmonised approach across the EU.


By 2026, a CASP’s submission volume and quality of STORs will be key measures of surveillance effectiveness. Supervisors will expect firms to have efficient procedures for classifying, analysing, and escalating alerts from monitoring systems. NCAs will utilise advanced supervisory tools guided by ESMA, which encourages a data-driven approach. This approach combines public and private data, integrates on-chain and off-chain analysis, leverages AI for pattern recognition, and monitors social media and web platforms for evidence of market manipulation. CASPs must operate under the assumption that their activities and platforms are subject to highly sophisticated surveillance, exceeding pre-MiCA levels.


2.3 Consumer Protection and Conduct of Business: The End of “Caveat Emptor”


MiCA fundamentally shifts the paradigm for consumer protection in the crypto space from “let the buyer beware” to a regime of clear disclosures, fair conduct, and provider accountability. In 2026, demonstrating compliance with these rules will be a cornerstone of any supervisory examination.


Marketing Communications

All marketing materials issued by a CASP must be clearly identifiable as such and must be fair, transparent, and not misleading. Information about the CASP, the crypto-assets, and the associated risks must be presented in a balanced way, avoiding the downplaying of risks or the exaggeration of potential returns. Supervisors will actively monitor websites, social media channels, and advertising campaigns for compliance. This includes scrutinising the use of influencers and promotional content to ensure it adheres to MiCA’s standards.


Reverse Solicitation

The “reverse solicitation” exemption under MiCA, which allows a non-EU firm to provide services to an EU client at the client’s “own exclusive initiative,” has been a significant area of concern for regulators. ESMA has issued guidelines confirming that this exemption must be interpreted “very narrowly” and cannot be used as a means to circumvent MiCA’s authorisation requirements.


The guidelines specify activities that constitute solicitation, thereby voiding the exemption. These include using an EU country domain (.de, .fr), advertising in a Member State’s official language (unless it is a common international finance language), or promoting services at non-educational events. Even after legitimate reverse solicitation, a non-EU firm cannot market new crypto-assets or services to the client. Offering a different crypto-asset category (e.g., an ART instead of a utility token) is considered solicitation and violates MiCA. By 2026, NCAs will investigate suspected misuse, and EU CASPs must avoid operational or marketing ties to non-compliant entities outside the EU.


Suitability and Competence

For CASPs that provide crypto-asset advice or portfolio management, MiCA imposes suitability requirements similar to those in traditional finance. These firms must collect information about their clients’ knowledge, experience, financial situation, and investment objectives to ensure that any personal recommendations are suitable for them. ESMA’s guidelines on this topic provide detailed criteria for the suitability assessment process.


Furthermore, ESMA has issued guidelines on the knowledge and competence of staff who provide information or advice on behalf of a CASP. These guidelines aim to ensure a minimum level of professionalism and understanding of the products and their risks. In 2026, CASPs will need to have robust training programs, assessment procedures, and ongoing professional development plans for their client-facing staff. Supervisors will review these programs to ensure they are adequate and that the firm can demonstrate the competence of its employees.


2.4 The Stablecoin Nexus: Navigating ART, EMT, and PSD2/3 Complexities


Stablecoins, categorised under MiCA as Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs), are subject to a significantly more stringent regulatory regime due to their potential to achieve scale and pose risks to financial stability. The EBA is the lead authority for developing the technical standards in this area, reflecting the banking-like nature of its operations.


Heightened Requirements for ARTs and EMTs

Issuers of ARTs and EMTs face a range of specific, detailed obligations set out by the EBA and ESMA. These include RTS and Guidelines covering own funds requirements, the composition and management of reserve assets, liquidity management policies, liquidity stress testing, and the development of comprehensive recovery and redemption plans. These rules aim to ensure that stablecoins are truly stable, that issuers can meet redemption requests at any time, and that orderly wind-down plans are prepared in case of failure. For CASPs that handle or offer services related to ARTs and EMTs, understanding these underlying issuer requirements is essential for conducting due diligence and managing counterparty risk.


The PSD2 Interplay and the March 2026 Deadline

A critical point of regulatory friction exists at the intersection of MiCA and the Second Payment Services Directive (PSD2). Because EMTs are legally deemed to be “electronic money,” services involving them, such as custody and transfer, can also qualify as “payment services” under PSD2. This created the prospect of a burdensome dual-authorisation requirement for CASPs.


In response, the EBA issued a “no-action letter” in June 2025, providing a temporary and partial solution. The EBA advised NCAs not to prioritise the supervision and enforcement of most PSD2 requirements for MiCA-authorised CASPs dealing in EMTs. However, this forbearance is not indefinite. The EBA explicitly advised NCAs to begin enforcing the requirement for PSD2 authorisation (as a payment institution or e-money institution) on March 2, 2026.


This sets a firm deadline in Q1 2026. CASPs offering custody or transfer services for EMTs must either secure the relevant PSD2 licence or stop those activities. The EBA also advised that for firms seeking dual authorisation, capital requirements under MiCA and PSD2 should be applied cumulatively, which could significantly increase the prudential burden. The long-term solution proposed by the EBA is to incorporate the relevant consumer protection and prudential standards from the upcoming PSD3/PSR framework directly into MiCA. However, until such legislative changes are enacted, the March 2026 deadline remains a key milestone in risk management.


Systemic Risk and Non-Compliant Tokens

A major enforcement priority for 2026 will be the eradication of non-MiCA-compliant stablecoins from the EU market. The ESRB’s 2025 report explicitly warned of the systemic risks posed by the widespread circulation of tokens that do not meet MiCA’s stringent reserve, governance, and transparency standards, citing examples like Tether (USDT).


MiCA Article 94 mandates CASPs to have policies for ceasing services involving non-compliant crypto-assets. Supervisors will strictly enforce this regulation in 2026. CASPs that continue offering exchange, custody, or lending services for unauthorised ARTs or EMTs will face a high likelihood of enforcement action. This presents a significant business risk for platforms that generate substantial revenue from these tokens. CASPs must establish transparent and credible transition plans to phase out non-compliant assets and encourage the use of MiCA-authorised, euro-denominated stablecoins, in line with the strategic objectives of European regulators.


Section 3: Embedding Digital Operational Resilience: A DORA Compliance Blueprint


The Digital Operational Resilience Act (DORA), applicable as of January 2025, establishes a binding, harmonised framework for managing Information and Communication Technology (ICT) risk across the EU financial sector, including CASPs. By 2026, supervisors will expect firms to have advanced beyond the initial stage of drafting policies and procedures. The focus will shift to demonstrating that digital operational resilience is thoroughly embedded in the organisation’s risk culture, governance structures, and daily operations. Compliance will be assessed not by the presence of documents but by evidence of their practical and ongoing application.


3.1 The ICT Risk Management Framework: From Policy to Practice


Chapter II (Articles 5-16) of DORA lays out the core requirements for a comprehensive ICT risk management framework. In 2026, CASPs must be able to provide tangible proof of the maturity of this framework.


Core Elements

The foundation of the framework is the identification and protection of all ICT assets. This begins with the creation and maintenance of a comprehensive, up-to-date inventory of all ICT assets, including software, hardware, network systems, and the data they process. This inventory must map the interdependencies between systems and identify those that support critical business functions.


Building on this inventory, CASPs should conduct ongoing risk assessments to identify and evaluate threats and vulnerabilities, utilising frameworks such as ISO 27005 or NIST. The process must adapt to evolving threats, be reviewed annually, improved with lessons learned, and regularly audited.


Business Continuity and Recovery

A key element of the DORA framework is strong business continuity management (BCM) and disaster recovery planning. CASPs must maintain detailed Business Continuity Plans (BCPs) and ICT response and recovery strategies that aim to minimise disruptions and enable the quick restoration of critical services. These strategies should specify clear activation triggers, define roles and responsibilities, and outline communication plans for internal and external stakeholders. By 2026, supervisors will require evidence that these plans are not just theoretical but have been thoroughly tested and proven.


Incident Management and Reporting

DORA establishes a harmonised process for managing and reporting major ICT-related incidents. CASPs must have an incident management process in place to detect, manage, and resolve incidents promptly and effectively. This includes implementing early warning indicators and systems for continuous monitoring and evaluation.


When a major ICT-related incident occurs, CASPs must adhere to a strict reporting timeline. The ESAs have established RTS and ITS that define the criteria for classifying incidents, the materiality thresholds, and the specific contents, templates, and timelines for reporting. The reporting process includes several stages: an initial notification to the competent authority, interim reports on progress, and a final report analysing the root causes of the incident. By 2026, the efficiency and accuracy of a CASP’s incident reporting will serve as a direct indicator of its compliance maturity. Delays or incomplete reports will likely result in significant supervisory criticism.


3.2 Resilience Testing and Vulnerability Management: Proving Your Defences


A central tenet of DORA is that resilience cannot be assumed; it must be tested. Chapter IV of the regulation mandates a comprehensive and risk-based digital operational resilience testing programme.


Annual Testing Programme

All CASPs, in proportion to their size and risk profile, must establish a testing programme that includes various assessments, such as vulnerability scans, penetration tests, and scenario-based tests. All ICT systems and applications supporting critical functions must be tested at least annually to ensure their reliability and effectiveness. Crucially, these tests must be conducted by independent testers, whether internal or external, to ensure objectivity and impartiality. The results of all tests must be documented, and any vulnerabilities or deficiencies identified must be prioritised, remedied, and validated promptly.


Threat-Led Penetration Testing (TLPT)

For financial entities classified as significant due to their size, complexity, and systemic importance, DORA requires a more advanced form of testing: Threat-Led Penetration Testing (TLPT). This involves simulating the tactics, techniques, and procedures of real-world threat actors to evaluate a firm’s live production systems. These tests must be carried out at least every three years. The RTS on TLPT, which are expected to be fully adopted and enforced by 2026, provide detailed methodology and requirements for these exercises. Although not all CASPs will be mandated to conduct TLPT, the methods and results from these tests across the financial sector will shape supervisory expectations for all firms, enhancing security and resilience standards.

Test/Assessment Type | Scope | Minimum Frequency | Key Regulatory Reference
--- | --- | --- | ---
ICT Risk Assessment | All ICT assets and third-party dependencies | At least annually and upon significant changes | DORA Articles 6, 8
Vulnerability Assessments & Scans | All network and information systems | Periodically, based on risk | DORA Article 9
Business Continuity Plan (BCP) Testing | Critical functions, including services from ICT third-party providers | Periodically, based on risk | DORA Article 11
ICT Response and Recovery Plan Testing | Scenarios including recovery of backup systems | Periodically, based on risk | DORA Article 11
Digital Operational Resilience Testing Programme | All critical ICT systems and applications | At least annually | DORA Articles 24, 25
Threat-Led Penetration Testing (TLPT) | Essential functions and systems in live production | At least every three years (for designated significant entities) | DORA Article 26


3.3 Managing the Supply Chain: ICT Third-Party Risk


DORA recognises that a financial entity’s resilience is only as strong as that of its weakest technology supplier. It therefore introduces a stringent framework for managing ICT third-party risk.


Vendor Due Diligence and Contracting

Before engaging with an ICT third-party provider, CASPs must conduct thorough due diligence to assess the provider’s suitability, capabilities, and associated risks. The relationship should be governed by a detailed written contract with mandatory provisions from Article 30 of DORA, addressing data security, access and audit rights, incident reporting, and exit strategies. The RTS specifies the firm’s policy content for contractual arrangements supporting critical functions. Many CASPs will need to significantly enhance their procurement and vendor management processes, transitioning from simple service-level agreements to more complex, risk-focused negotiations.


The CTPP Oversight Framework and Regulatory Contagion

The most innovative aspect of DORA is the development of a direct, pan-EU oversight framework for ICT third-party providers designated as “critical” by the ESAs. This framework has a significant impact on the regulatory landscape. A CASP’s operational resilience and, by extension, its regulatory status, are no longer solely determined by its internal controls. They are now directly and inextricably linked to the compliance posture of its critical technology vendors.


The designation of CTPPs in 2025 lays the groundwork for the framework to become fully operational in 2026, a key priority in the ESAs’ work programme. The ESAs’ Joint Examination Teams (JETs) will have the authority to request information, conduct inspections, and make recommendations directly to designated CTPPs, such as major cloud service providers. If a JET detects a significant vulnerability or a failure to meet DORA’s standards at a CTPP, it can require remediation.


This establishes a channel for “regulatory contagion.” A supervisory action at the CTPP level will cascade to all of its financial-sector clients: a CASP may need to modify systems, processes, or vendors because of a supervisory finding at its cloud provider. A 2026 risk plan that ignores this supply chain risk is incomplete. CASPs must prepare for supervisory intervention at their vendors, including migrations or service changes forced by ESA findings. This demands a dynamic vendor management approach that treats key suppliers as extensions of the CASP’s regulated perimeter.


Section 4: The New AML/CFT Paradigm: Preparing for AMLA’s Ascendancy


The creation of the new EU Anti-Money Laundering Authority (AMLA) marks the most significant overhaul of the Union’s framework for fighting financial crime in a generation. For CASPs, which regulators widely regard as high-risk for money laundering and terrorist financing (ML/TF), the arrival of AMLA signals an era of increased scrutiny and higher supervisory expectations. While AMLA’s direct supervisory powers over a select group of 40 high-risk entities will not come into effect until 2028, its influence will be strongly felt throughout 2026 through its roles as a standard-setter and supervisor of supervisors.


4.1 Aligning with the EU Single AML Rulebook and FATF Standards

The new AML/CFT package establishes a more harmonised and directly applicable legal framework, thereby reducing the scope for divergent national interpretations that criminals have historically exploited.


The New AML Regulation (AMLR)

A core element of the reform is the new Anti-Money Laundering Regulation (AMLR), which creates a single rulebook with directly applicable requirements for all obliged entities, including CASPs. This replaces the previous directive-based system, which required transposition into national law and often led to inconsistencies. The AMLR will harmonise key obligations, such as conducting customer due diligence (CDD), identifying and verifying beneficial owners, and the requirements for ongoing transaction monitoring. For CASPs operating across multiple EU jurisdictions, this will simplify compliance by establishing a single set of rules. However, it will also raise standards, as the AMLR codifies best practices and closes loopholes that may have existed in some national regimes.


FATF Recommendation 15 and the “Travel Rule”

The EU’s new framework fully implements the global standards set by the Financial Action Task Force (FATF), particularly Recommendation 15, which applies AML/CFT obligations to virtual assets and virtual asset service providers (VASPs). A key component of this is the “Travel Rule,” which is enshrined in the EU’s updated Transfer of Funds Regulation (TFR) and became fully applicable alongside MiCA’s CASP rules in December 2024.


The Travel Rule mandates that CASPs must collect, retain, and transmit information about the originator and beneficiary of every crypto-asset transfer they handle, and make this information available to relevant authorities upon request. This aims to ensure that crypto transactions are not more anonymous than traditional electronic fund transfers and to assist law enforcement in tracing illicit flows. By 2026, full, seamless compliance with the TFR will be an essential supervisory requirement. CASPs are required to have the technical solutions and protocols in place to exchange this data accurately and securely for each transaction. Non-compliance will be regarded as a fundamental failure in AML/CFT controls.


4.2 Supervisory Expectations in the AMLA Era

AMLA’s establishment on June 26, 2024, and the commencement of its operational powers on July 1, 2025, set the stage for its transformative role. From its inception, AMLA has consistently emphasised that the crypto-asset sector is a strategic priority.


AMLA’s Strategic Focus on Crypto

In its very first work programme, AMLA identified the supervision of CASPs as a key objective, recognising that the sector is vulnerable to significant ML/TF risks because of its cross-border nature, technological features, and potential for anonymity. AMLA’s chair, Bruna Szego, has stated that it is “essential that... Europe is adequately protected from the risks of money laundering and terrorist financing stemming from this sector”. This high-level focus guarantees that CASPs will face a sustained and intense level of supervisory scrutiny as AMLA increases its activities in 2026.


The Impact of Indirect Supervision and the “AMLA Effect”

Although AMLA will not directly supervise any CASPs in 2026, its “indirect supervision” mandate will have a significant and immediate effect. This mandate authorises AMLA to coordinate and oversee the activities of NCAs, develop binding technical standards, and conduct peer reviews to ensure a consistent and practical application of the single rulebook across the EU.


This fosters a strong dynamic that can be called the “AMLA Effect.” NCAs will be very aware that their supervisory practices are themselves being overseen by a new, well-funded pan-EU authority. AMLA has already expressed concerns about the risk of “diverging application of AML/CFT requirements and inconsistent controls” at the national level, especially during the initial phase of MiCA licensing. No national supervisor will want to be recognised by AMLA as a “weak link” in Europe’s defences against financial crime.


This will motivate NCAs to increase their supervisory efforts in 2026, showcasing their strength and alignment with AMLA’s standards. CASPs should expect their local supervisors to become more stringent, carry out more frequent and thorough on-site inspections, demand more detailed data on risk assessments and transaction monitoring, and act more swiftly to impose penalties for any identified shortcomings. In this way, AMLA’s “indirect” influence will have a clear and tangible effect on the compliance obligations and regulatory risks faced by every CASP in the Union.


Enhanced FIU Coordination

Another key function of AMLA is to support and coordinate the EU’s Financial Intelligence Units (FIUs), acting as a central hub to facilitate the analysis of cross-border suspicious transactions. AMLA has announced that its financial intelligence pillar will prioritise joint analyses of crypto-related cases, targeting cross-border typologies and emerging risks.

For CASPs, this means that the suspicious activity reports (SARs) they submit are more likely to be linked with other intelligence and escalated into multi-jurisdictional investigations.


The enhanced information sharing and analytical capability at the EU level will make it more difficult for illicit actors to exploit jurisdictional boundaries. It also increases the chance that a CASP could become involved in a complex, cross-border investigation, requiring substantial resources to respond to information requests from multiple authorities, which are coordinated through AMLA. CASPs must ensure their record-keeping and SAR-filing processes are impeccable, as this data will feed into a much more powerful and interconnected analytical system.


Section 5: Integrated Risk and Compliance Strategy for 2026


The simultaneous development of the MiCA, DORA, and AMLA frameworks in 2026 calls for a fundamental shift in how CASPs manage risk and compliance. A fragmented, checklist-oriented approach, where different teams handle prudential, operational, and financial crime risks separately, is no longer feasible. The interconnectedness of the new regulations requires a unified governance and control structure that recognises and addresses risk comprehensively. The ultimate responsibility for this integrated approach lies with the firm’s management body, which is accountable for all three regulatory pillars.


5.1 A Unified Governance and Control Framework: Breaking Down Silos

The central compliance challenge for 2026 is the convergence of requirements from MiCA, DORA, and AMLA. Many operational events will trigger obligations across multiple regulatory regimes, and a fragmented response will lead to compliance gaps and inefficiencies.


The Convergence Challenge

A successful strategy must begin by mapping controls across the different regulations to identify overlaps, avoid duplication, and ensure comprehensive coverage. For instance, an effective “Incident Response Plan” should be a single, cohesive document that addresses multiple dimensions of a single event. Consider a security breach where a hacker gains access to client wallets:

  • DORA is triggered, requiring the incident to be classified, managed, and reported to the NCA as a major ICT-related incident according to specific templates and timelines. The BCP and recovery plans must be activated.

  • MiCA is triggered, as the incident constitutes a breach of the asset safeguarding and custody requirements under Article 67. This may require immediate notification to affected clients and the NCA, and could impact the firm’s prudential standing.

  • AMLA/TFR is triggered if the breach involves unauthorised transfers. The CASP must assess whether the activity is suspicious and requires the filing of a SAR with the FIU. The loss of transaction data could also constitute a breach of TFR record-keeping obligations.


An integrated framework ensures that the response to such an event is coordinated, with legal, compliance, IT security, and operations teams working from a shared playbook. This approach should be applied across all key control areas, including third-party risk management (where DORA’s ICT vendor rules overlap with MiCA’s outsourcing provisions and AMLA’s need to assess risk in payment chains), change management, and employee training.


Board-Level Responsibility

Ultimate accountability for the firm’s compliance and resilience rests with its management body. This is an explicit requirement in DORA, which states that the management body defines, approves, and is responsible for the ICT risk management framework. This principle of senior management accountability is reflected in MiCA’s governance and suitability requirements, as well as the AML/CFT framework’s emphasis on a strong “tone from the top.”


To effectively discharge this responsibility, the board requires integrated reporting that provides a comprehensive view of the firm’s risk landscape. By 2026, board-level dashboards should evolve to present operational, prudential, conduct, and financial crime risks in a unified way. The board should be able to see, for instance, how a concentration of risk with a single CTPP (a DORA issue) could impact the firm’s ability to meet its MiCA safeguarding obligations and its overall capital adequacy. This integrated perspective is vital for strategic decision-making and for demonstrating effective governance to a diverse supervisory community.


5.2 Strategic Risk Mitigation and Forward Planning


Based on the analysis in this report, CASPs face four top-tier strategic risks in 2026. Proactive mitigation is crucial for survival and success in the evolving regulatory landscape.


Key Risk Identification and Mitigation

  1. Enforcement Risk: The conclusion of the MiCA transitional period on July 1, 2026, creates an “enforcement cliff-edge.”

    • Mitigation: Conduct a comprehensive, independent audit or gap analysis against the complete MiCA framework in late 2025 or early 2026. This should be a “mock supervisory inspection” that stress-tests not just policies but their practical implementation and the evidence available to prove compliance. Remediate all identified gaps well before the deadline.

  2. Systemic Risk (Stablecoins): The regulatory crackdown on non-MiCA-compliant stablecoins, combined with the March 2, 2026, deadline for PSD2 compliance for EMT services, poses a significant business model risk.

    • Mitigation: Develop a clear and public transition plan to phase out services for non-compliant stablecoins by mid-2026. Proactively engage with issuers of MiCA-compliant, preferably euro-denominated, ARTs and EMTs. For firms involved in EMT transfers, immediately begin the application process for a PSD2 license or establish a partnership with a licensed payment service provider to meet the March deadline.

  3. Supply Chain Risk (DORA): The active oversight of CTPPs by the ESAs creates a risk of “regulatory contagion,” where supervisory mandates on a vendor disrupt the CASP’s operations.

    • Mitigation: Enhance vendor risk management beyond initial due diligence. Maintain an up-to-date register of all ICT providers and map their criticality to business functions. For CTPPs, establish clear communication channels to stay informed of any ESA oversight activities. Develop and test exit strategies and contingency plans for the potential failure or mandated alteration of a critical vendor’s services.

  4. Supervisory Risk (AMLA): The “AMLA Effect” will lead to more intensive and demanding supervision by local NCAs.

    • Mitigation: Treat the local NCA as a proxy for AMLA. Proactively engage with supervisors, provide high-quality and timely information, and be prepared for more rigorous on-site inspections. Invest in automated transaction monitoring and risk assessment systems that can produce the granular data and audit trails expected in this heightened supervisory environment.


5.3 A Practical Guide to Engaging with Supervisory Authorities


In the complex landscape of 2026, managing relationships with a web of supervisory bodies is a critical compliance function.


Navigating the Supervisory Web

CASPs will interact with multiple authorities, each with a distinct mandate:

  • The National Competent Authority (NCA): The primary, day-to-day supervisor for MiCA authorisation and ongoing supervision, as well as AML/CFT compliance.

  • The European Supervisory Authorities (ESMA & EBA): While not direct supervisors for most CASPs, the ESAs set the rules through technical standards and guidelines, coordinate NCAs, and drive supervisory convergence. Their publications and priorities are the leading indicators of future supervisory focus.

  • The Anti-Money Laundering Authority (AMLA): The emerging super-supervisor for financial crime. In 2026, engagement will be indirect, but CASPs must understand its strategic priorities as they will shape the behaviour of their NCA.


Effective engagement requires a “no surprises” approach. Firms should maintain open and transparent communication with their NCA, proactively notifying them of significant business changes, incidents, or emerging risks.


Inspection Readiness

Supervisory inspections in 2026 may be “integrated,” with teams from different supervisory disciplines (e.g., prudential, conduct, AML, ICT) conducting joint reviews. Preparation is key:

  • Documentation: Ensure all required policies, procedures, risk assessments, and reports are up-to-date, board-approved, and readily accessible in a central repository.

  • Personnel: Designate clear points of contact for different regulatory topics and ensure they are well-trained and prepared to speak confidently and accurately about the firm’s control environment.

  • Evidence: Be prepared to go beyond policies and demonstrate compliance. This means having system logs, transaction records, training completion reports, board minutes, and audit trails available to prove that controls are operating effectively.


The 2026 Compliance Plan

The following table provides a high-level strategic roadmap of key milestones and action items for CASPs throughout 2026, synthesising the critical deadlines and inflexion points identified in this report. It is designed to be a tool for the board and senior management to guide strategic planning and resource allocation.

Date/Period | Regulatory Area | Milestone/Action Item
Q1 2026 | DORA | Conduct an annual review and audit of the ICT Risk Management Framework. Finalise and test BCPs and recovery plans for the
Jan 17, 2026 | DORA | Second anniversary of DORA’s entry into application. Supervisory expectations for mature, embedded practices will be in
Mar 2, 2026 | MiCA / PSD2 | CRITICAL DEADLINE: End of EBA “no-action” period. CASPs providing EMT transfer/custody services must have a PSD2 license.
Q2 2026 | MiCA | Conduct final pre-enforcement audit against all MiCA requirements. Remediate any outstanding gaps before the end of the transition period.
Q2 2026 | AMLA / AMLR | Review and update all AML/CFT policies (including CDD, transaction monitoring, and risk assessment) to ensure complete alignment with the new Single Rulebook.
July 1, 2026 | MiCA | CRITICAL DEADLINE: End of the transitional “grandfathering” period. All CASPs must operate under a full MiCA license.
H2 2026 | All Frameworks | STRATEGIC INFLECTION POINT: Anticipate a significant increase in supervisory inspections and the first wave of enforcement actions under the new regimes.
Q3 2026 | DORA | Monitor ESA oversight activities of designated CTPPs. Assess any downstream impact on services and contracts. Review and update vendor risk assessments.
Q4 2026 | All Frameworks | Conduct an annual review of the integrated governance and control framework. Prepare board-level reporting on 2026 performance and key risks for 2027.
Ongoing | MiCA | Continuously monitor marketing materials, social media, and client communications for compliance with conduct rules.
Ongoing | AMLA / TFR | Ensure 100% compliance with the “Travel Rule” for all crypto-asset transfers. Monitor the effectiveness of transaction monitoring systems to ensure optimal performance and efficiency.


The posts listed on the 'What we think' webpages are our interpretation of regulatory developments we have been reading about. They should not be considered legal, regulatory or other advice. Contact us if you want to understand the impact of public policy, regulation and governance changes for you.
