MiCA Level 2: ESMA's Technical Standards That Fill In the Framework

MiCA — the EU’s Markets in Crypto-Assets Regulation — entered full force on December 30, 2024. That date matters. But for anyone trying to operate a crypto asset service provider in the EU, the more important documents are not the MiCA regulation itself but the dozens of regulatory technical standards that ESMA has been producing since the regulation was adopted in 2023.

The distinction between Level 1 and Level 2 is fundamental to how EU financial regulation works. Level 1 is the framework regulation passed by the European Parliament and Council — in this case, MiCA. It sets out the goals, the principles, the broad requirements. Level 2 is the implementing detail: the technical standards that specify exactly what information a whitepaper must contain, precisely how a CASP must segregate customer assets, and specifically what capital ratios apply to different types of issuers.

The Level 2 measures are where regulatory intent becomes operational burden. They are also where industry lobbying is most effective, because the technical details are complex enough that non-specialist legislators defer to regulators and regulators are heavily informed by industry consultation. Understanding the Level 2 process is understanding where the practical cost of MiCA compliance is determined.

What Level 1 vs Level 2 Means in EU Law

The EU’s legislative architecture distinguishes between different levels of normative acts. A regulation like MiCA is Level 1: it has direct legal effect in all member states without transposition, but it operates at a relatively high level of abstraction. MiCA tells you that a CASP must have adequate capital. It does not specify the exact ratio.

Level 2 comprises regulatory technical standards (RTS) and implementing technical standards (ITS) produced by the European Supervisory Authorities — in MiCA’s case, primarily ESMA (for CASPs and crypto asset trading) and the EBA (European Banking Authority, for e-money tokens and asset-referenced tokens). These technical standards are developed through a formal consultation process: a draft is published, market participants have typically 60 to 90 days to comment, a final version is produced, and the European Commission endorses it. Once endorsed, an RTS has the force of law across the EU.

This architecture has advantages. Technical details can be updated by regulators without requiring a new legislative process. The standards can be adapted as technology evolves. And the formal consultation process creates a channel for industry expertise to inform the details.

But the architecture also has costs. The timeline from Level 1 adoption to complete Level 2 implementation can extend years. During that period, the law exists on paper but its practical requirements are uncertain. Companies cannot fully build compliance infrastructure until the technical standards are final.

ESMA’s MiCA Mandate

MiCA gives ESMA an extraordinarily broad Level 2 mandate. The regulation directs ESMA to develop technical standards on topics including: the content and format of crypto asset whitepapers; the procedure for authorization of crypto asset service providers; the ongoing reporting requirements for CASPs; the prudential requirements (capital, liquidity) for CASPs; the custody and safeguarding of customer assets; the management of conflicts of interest; the market abuse detection and prevention framework; the cross-border recognition of third-country CASPs; and the environmental sustainability disclosures for consensus mechanisms.

By ESMA’s own count, MiCA requires more than 30 separate technical standards or guidelines — one of the most extensive Level 2 mandates given to any European supervisory authority. ESMA Chair Verena Ross has described the MiCA implementation program as among the most demanding regulatory development exercises in ESMA’s history.

Key Technical Standards: Whitepaper Requirements

The whitepaper RTS is among the most commercially significant Level 2 measures. MiCA requires issuers of crypto assets to publish a whitepaper before offering tokens to the public in the EU. The whitepaper must be reviewed (though not pre-approved, in most cases) by national competent authorities and must contain specific information.

The ESMA RTS specifies exactly what that information must be: a description of the issuer, the project, the technology, the risks, the reserve assets (for asset-referenced tokens), the rights attached to the token, and the methodology for maintaining the peg (for asset-referenced and e-money tokens).

The whitepaper requirements are more prescriptive and more demanding than any previous disclosure regime for crypto assets in the EU. Companies that had produced short marketing-style documents for previous token offerings must now produce documents that meet a disclosure standard analogous to a simplified securities prospectus.

CASP Authorization: The Gating Process

The CASP authorization RTS specifies the process by which a crypto asset service provider obtains authorization from its home member state national competent authority — the authorization that then entitles it to operate across the EU under the MiCA passport.

The RTS specifies the documents an applicant must provide: ownership structure, governance arrangements, management body composition, compliance program, AML policies, IT and security policies, business continuity plan, outsourcing agreements, capital evidence, and a detailed description of each service to be provided.

The authorization timeline under MiCA is 25 working days for competent authorities to assess completeness of an application, and then 40 working days to assess the substance and issue a decision. In practice, many national competent authorities have found this timeline difficult to meet given the volume of applications following MiCA’s entry into force. By mid-2025, more than 40 CASP licenses had been issued across EU member states, but a backlog of pending applications existed in several jurisdictions.

Custody Segregation: The Operational Core

The custody RTS addresses what is, for many institutional clients, the central operational question: how exactly must a CASP hold client assets?

MiCA at Level 1 requires CASPs providing custody services to hold client assets separate from their own assets. The Level 2 RTS specifies how. Client crypto assets must be held in accounts — on-chain, in the CASP’s own custody infrastructure or with a sub-custodian — that are clearly identified as belonging to clients, not the CASP. The CASP must maintain records that allow the assets attributable to each client to be identified at any time. In insolvency, client assets must be identifiable and available for return to clients ahead of general creditors.

The custody RTS also addresses the use of sub-custodians — a practically important question given that many CASPs do not operate their own custody infrastructure but rely on specialist custodians. The CASP remains liable to clients for the performance of any sub-custodian it uses, creating a responsibility chain that encourages careful sub-custodian due diligence.

Reserve Assets for Stablecoin Issuers

The RTS on reserve assets for asset-referenced token (ART) and e-money token (EMT) issuers are commercially significant for the stablecoin sector. MiCA at Level 1 requires stablecoin issuers to hold reserves at least equal to the outstanding token value. The Level 2 RTS specifies what assets qualify as reserves.

EBA’s reserve composition standards require that reserves be held in highly liquid, low-risk assets: predominantly short-dated government debt and cash deposits at credit institutions. The restrictions on reserve composition are more conservative than what some stablecoin issuers had previously maintained — Tether, for example, had held a portion of reserves in commercial paper and other less liquid instruments.

Consultation, Delays, and Industry Pushback

The Level 2 process has not been smooth. Several technical standards were delayed beyond their originally targeted timelines, creating implementation uncertainty for companies trying to build compliant operations. The complexity of the MiCA mandate — more than 30 standards to be developed simultaneously by two authorities with significant interdependencies — strained ESMA and EBA’s capacity.

Industry pushback during consultations focused on several areas. The whitepaper requirements were widely criticized as disproportionately burdensome for small issuers and potentially chilling legitimate token development. The CASP authorization timelines were criticized as unrealistically short given competent authority capacity. The custody segregation requirements were criticized as operationally impractical for certain token types.

Some of these concerns were partially addressed in final versions of technical standards. Many were not. The Level 2 process is a consultation, not a negotiation — ESMA and EBA retain authority to adopt technical standards that the industry considers burdensome.

The Level 2 measures determine, more than any other element of MiCA, whether the regulation produces a genuinely workable EU crypto market or an excessively bureaucratic one. That determination is still being made as the final technical standards work their way through the endorsement process — and as the first wave of CASPs discover what authorized operation under MiCA actually requires.