Picture a crypto exchange registered in an EU Member State, operating normally in early April 2026. The registration is valid. The compliance team has July 1 circled in red. The founder believes the situation is under control: there are still 90 days to sort out the licensing. The business is legal today, and the deadline is ahead of them.
MiCA Decoded is a 12-article weekly series for Bitcoin.com News, co-authored by LegalBison’s Co-Founding and Managing Directors: Aaron Glauberman, Viktor Juskin and Sabir Alijev. LegalBison advises crypto and FinTech companies on MiCA licensing, CASP and VASP applications, and regulatory structuring across Europe and beyond.
That belief contains a flaw. And the flaw, depending on the jurisdiction, may already be irreversible.
Myth 1: The Deadline Most Service Providers Got Wrong
July 1, 2026, is the date by which a crypto-asset service provider must hold a granted authorization, or cease operations entirely. Everything that follows in this article depends on that distinction.
Article 143(3) of MiCA states that service providers operating lawfully before December 30, 2024, may continue to do so until July 1, 2026, or until they are granted or refused authorization, whichever comes first.
The word is “granted.” Not “applied for.” Not “in progress.”
Authorization processes take several months from submission to decision, varying by jurisdiction and application quality. A service provider standing in April 2026 without a filed application does not have 90 days left to act on their licensing situation.
For most EU jurisdictions, the grandfathering window has already closed. What remains is a different calculation entirely: whether any path to operational continuity still exists, and what it requires.
Myth 1: “I Was Registered Before December 2024, So I’m Covered Until July”
Grandfathering under MiCA is not automatic for every registered VASP. It was always conditional, and the condition that most service providers missed was jurisdiction-specific: each Member State set its own application deadline, before which a formal authorization request had to be submitted to benefit from the transitional protection.
Those deadlines, for the majority of EU Member States, are gone.
According to ESMA’s published list of grandfathering periods, the Czech Republic set its deadline at July 31, 2025. Bulgaria closed its window on October 8, 2025. Germany, Lithuania, Ireland, Austria, and Slovakia all had 12-month periods from December 30, 2024, placing their deadlines around the end of December 2025. The majority of EU Member States set application deadlines that are now several months in the past.
A VASP registered before December 30, 2024, but without an application filed before its Member State’s specific deadline cannot rely on grandfathering protection in that jurisdiction. The July 1 hard stop will apply without the buffer the transitional regime was designed to provide.
A related question surfaces immediately: could a VASP registration in one Member State be used to passport services into another during the transitional period?
The answer is no, and it was never possible. VASP registrations were national designations under pre-MiCA AML frameworks, not financial services licenses with cross-border effect. The grandfathering regime did not change this. A service provider registered in Poland under a 6-month transitional period had no legal basis to solicit users in Austria, where a 12-month period applied.
Each Member State’s transitional period applied only within that specific jurisdiction. Consequently, engaging in cross-border activities during this transitional phase required service providers to rely on one of three approaches:
- obtaining a full MiCA CASP authorization,
- ensuring the complete absence of any solicitation directed at users in the target Member State (relying on reverse solicitation),
- or holding multiple domestic VASP licenses across each of the target Member States.
It is important to note that under this third option, the service provider would have had to simultaneously navigate and comply with the varying transitional periods and deadlines of each individual jurisdiction.
This is why July 1 is not the most important end date in the context of the transitional period as in the majority of Member States, the end date has passed months ago.
Myth 2: “Applying Is Just a Matter of Submitting the Paperwork”
For some jurisdictions, the problem is not that service providers missed a deadline. The problem is that the paperwork has nowhere to go.
Poland is the clearest illustration. The country’s grandfathering period was set at six months from December 30, 2024, with an implied application deadline around June 2025. That window has passed. But the situation in Poland runs deeper than a missed filing date. In December 2025, the president vetoed the bill that would have enacted the regulation into Polish law, leaving the country without a designated National Competent Authority.
No Competent Authority means no state body/government body to receive, process, and issue decisions on CASP applications. A service provider that wanted to apply could not do so, because the regulatory infrastructure to receive the application did not exist, resulting in companies operating properly in the space being forced to set up new operations in a new jurisdiction because they would no longer be able to operate legally in Poland.
In Poland, the KNF’s position is unambiguous: registered Polish VASPs may continue operating until July 1, 2026, but if no Competent Authority is established before that date, those businesses must cease providing crypto-asset services on July 2. The KNF has stated explicitly that this deadline cannot be extended by national law or by a KNF decision.
It is a hard stop embedded in EU regulation, not a domestic policy choice.
The situation has also created a market asymmetry that illustrates the stakes precisely. Foreign service providers holding authorizations issued in other EU Member States can already passport their services into Poland by notifying the KNF of their intent. Polish-registered service providers cannot passport out. They cannot apply for authorization domestically. They are confined to the Polish market with no mechanism to expand and a hard stop on the horizon. Romania, as covered in previous installments of this series, reflects a comparable pattern of legislative delay and unresolved implementation status.
How to assess whether a crypto platform is in the gap zone
The following conditions, applied to any crypto platform currently operating in the EU, indicate whether it is relying on grandfathering protection that has already lapsed or is about to:
- Is the platform registered in a Member State that has not enacted its MiCA implementing legislation?
- Did the platform miss its Member State’s CASP application deadline?
- Is the platform currently operating without a pending authorization application filed with a Competent Authority?
If any of these conditions apply, the platform is operating on borrowed time. The grandfathering protection that kept it legal has lapsed or will lapse on July 1. This applies equally to exchanges, wallet providers, and other crypto-asset service providers that users, investors, or business partners may currently be relying on.
Myth 3: The Reverse Solicitation Escape
This is the plan being discussed in founder circles across Europe right now. De-register locally. Stop marketing to EU users. Let them come to you. Claim the reverse solicitation exemption and keep operating without a license.
The reverse solicitation exemption under Article 61 of the regulation is not a fallback strategy for service providers who have missed their authorization window. It is a narrow carve-out that applies when a client established or situated in the EU approaches a third-country firm entirely on their own exclusive initiative, with no prior solicitation of any kind from the firm or anyone acting on its behalf.
What makes this test difficult to satisfy in practice is that solicitation is not defined by formal presence. A firm can have no EU legal entity, no VASP registration, and no office anywhere in the EU and still be found to have solicited EU users. ESMA’s Final Report on the Guidelines on Reverse Solicitation, which were drafted under the mandate of Article 61(3), identifies a range of factors that regulators and ESMA consider when assessing whether genuine reverse solicitation exists.
Under ESMA’s Guidelines, unlawful solicitation can be carried out by anyone “having close links” with the third-country firm. In practice, this means regulators will scrutinize links to the EU through the firm’s shareholders, beneficial owners, or directors.
Furthermore, ESMA explicitly warns that maintaining a website in an EU official language that is not customary in international finance is a strong indicator of solicitation. Hungarian, Czech, Slovak, or Lithuanian are perfect examples of this: their local-language availability clearly signals deliberate targeting of a specific Member State’s population, rather than general global accessibility.
They include any commercial arrangement, direct or indirect, through which the firm’s services are promoted to EU-based audiences, whether through affiliates, referral partners, or third-party platforms. The presence or absence of an EU legal entity is one data point among many. It is neither necessary nor sufficient to determine whether solicitation has occurred.
For any service provider considering this route, the practical implication is this: the exemption is assessed on the totality of the firm’s conduct and connections, not on its registration status. A service provider whose shareholders are EU-based, whose platform is available in five EU languages, including regionally specific ones, and whose affiliate network generates EU signups is not insulated from MiCA’s scope by the absence of a registered office.
The activity is what the regulator sees. The internal label is irrelevant. It is whether those activities, from the perspective of a regulator in the user’s Member State, constitute directed commercial outreach.
A service provider that continues to rank in German or French-language search results through SEO, runs affiliate programs paying commissions on EU signups, maintains country-code domains, or participates in EU-facing conferences and venues, while claiming it has ceased EU marketing has not met the exemption’s baseline.
The MiCA compliance implications of getting this wrong extend beyond regulatory sanction. Providing crypto-asset services to EU clients without authorization after July 1 constitutes unauthorized provision of financial services. In EU member states such as Poland, provision of financial services without an authorization is subject to criminal liability. Several have criminalized it. Service providers relying on reverse solicitation as their primary post-July strategy should understand precisely what they are relying on.
Some NCAs are taking a pro-active enforcement approach by reaching out to entities they identify to target the respective country. The AFM in the Netherlands and BaFin in Germany seem to have a strict stance on this. They provide detailed analyses on why they believe a service provider is in breach of MiCA and f.e. solicited users. Next steps are invitations for in person interviews resulting often in a one sided dialogue.
The Arithmetic of “Pending”
For service providers who have applied but not yet received authorization, the picture is more nuanced but no less urgent.
A pending application does not grant the right to operate past July 1 2026. The regulation requires authorization to be granted before the transitional period expires, not merely filed.
- A service provider whose application is complete, submitted in a well-resourced jurisdiction, and moving through the review process may receive the necessary authorization before the deadline.
- A service provider whose application is incomplete, filed recently, or sitting in a jurisdiction with a congested pipeline may not.
There is no general right of continued operation while a review is underway past the hard deadline. Service providers in this position need direct, current communication with their National Competent Authority about their specific timeline. Assumptions are not a viable compliance strategy at this stage.
One dimension that extends beyond the EU: Iceland and Liechtenstein adopted 18-month grandfathering periods through EEA integration, placing their windows approximately in line with the EU’s July 2026 cliff. The structural deadline applies throughout the European Economic Area, not only within EU Member States.
Restructuring: What It Actually Involves
For service providers in jurisdictions where the authorization pipeline is blocked or the application window has closed, one path to business continuity remains: restructuring by securing a CASP license in a jurisdiction where the authorization infrastructure is functioning and applications are actively being processed.
Several EU Member States have established CASP processing pipelines and are issuing authorizations. Malta, Austria, Ireland, and Lithuania are among the jurisdictions where the regulatory frameworks are operational and applications have been moving through review. Each carries its own substance requirements, which matter as much as the timeline.
Cross-border restructuring to another EU jurisdiction involves more than the authorization application itself. The practical requirements include:
- Establishing the legal entity in the target jurisdiction with genuine governance and operational presence, not a shell registration.
- To satisfy the authorization requirements, the firm must have its share capital paid up in an account with a formal credit institution (notably, an account with an EMI or a Payment Service Provider/PI is not sufficient). While this bank account does not strictly need to be located in the target jurisdiction, establishing this relationship should begin as early as possible, as onboarding crypto businesses is a rigorous process that does not automatically follow from simply filing for a license.
- Ensuring the complete cessation of prior EU activities before relying on a non-EU licensing position. A service provider that relocates its primary licensing to a non-EU jurisdiction, yet maintains an active EU legal entity or continues to service EU users under a legacy VASP registration, has not effectively resolved its regulatory exposure. Under MiCA, providing crypto-asset services within the Union strictly requires an active EU authorization. Third-country firms are broadly prohibited from providing crypto-asset services in the EU and cannot bypass these requirements while maintaining an operational footprint in the bloc.
- Understanding the strict reverse solicitation restrictions that apply to the existing EU client base. According to ESMA’s Final Report on the guidelines on reverse solicitation under MiCA, EU-regulated entities are explicitly prohibited from soliciting or redirecting EU clients to crypto-asset services provided by a third-country firm, even if that firm is part of the exact same corporate group. A non-EU licensed service provider cannot solicit its former or prospective EU users into its new non-EU structure. This prohibition encompasses any person or entity acting on the third-country firm’s behalf, this means that commercial arrangements functioning as user acquisition channels, even if framed as B2B partnerships, affiliates displaying backlinks, or influencers, are considered unlawful solicitation. As a consequence, transitioning an existing user base across a jurisdictional restructuring requires meticulous handling, as simply redirecting users to the non-EU entity’s website or app constitutes a breach of the reverse solicitation rules.
For service providers who cannot secure authorization before July 1, operations must pause on that date. The license application process can continue during that pause. Authorization, once granted, restores the ability to operate.
As of today, banks are already reaching out to their VASP-only registered clients, informing them that they won’t continue providing banking services past July 1, unless the client provides proof of a CASP application or license.
Business interruption is a real consequence, but it is not permanent, and for service providers who have already filed a credible application with a functioning Competent Authority, the interruption window may be short.
The more significant risk is for service providers who have not yet filed at all and are attempting to compress a multi-month authorization process into the weeks remaining before the deadline.
What This Article Decoded
MiCA’s grandfathering regime has been widely misread. Here is what the regulation actually establishes, stated plainly:
On the timeline: July 1, 2026, is not the date by which service providers needed to act. It is the date by which authorization must be held. For most EU Member States, the application deadline that actually mattered passed between June and December 2025. Service providers who did not file by their jurisdiction’s specific deadline cannot use the grandfathering protection.
On passporting: A pre-MiCA VASP registration in one EU Member State never granted the right to solicit users in another. It was a national AML designation, not a passportable financial services license. The transitional periods confirmed and reinforced that restriction, not removed it.
On the legislative gap: In jurisdictions where implementing legislation was not enacted, no National Competent Authority exists to receive CASP applications. Service providers in those jurisdictions face a structural problem that goes beyond a missed deadline. They cannot apply domestically, cannot passport out, and will lose the right to operate on July 1 regardless of intent to comply. They are forced to pause their operations or seek authorization in a different jurisdiction.
On reverse solicitation: The exemption is not a post-authorization fallback strategy. It applies exclusively to third-country firms with no EU-directed commercial activity. Therefore, an EU-based service provider with a live VASP registration cannot invoke it. Even third-country firms that have fully ceased EU operations must ensure their residual activities do not constitute solicitation, which ESMA defines very broadly. Under ESMA’s framework, regional search visibility (SEO), affiliate and influencer arrangements, and indirect promotions at industry conferences all constitute potentially unlawful outreach toward EU users.
On what comes next: Authorization processes take months. A pending application does not extend operational rights past July 1. Service providers without a filed application today are not three months away from a solution. The realistic question is whether restructuring into a functioning jurisdiction, with the full operational requirements that entails, is viable within the available window. Next week, we will look into the actual duration of the CASP application process.
This article was produced in partnership with LegalBison. The content is for informational purposes only and does not constitute legal advice.