The MiCA Regulation and Current Compliance Requirements in 2026
The year 2026 marks a major turning point for the crypto sector.
MiCA (Markets in Crypto-Assets) is no longer a new or future regulation; it is now a reality that determines who can legally operate in the crypto-asset market.
The key moment comes on 1 July 2026when the transitional period comes to an end. From that date onward, a historical Virtual Asset Service Provider (VASP) registration or the status of a pending licence applicant will no longer be sufficient to operate in the market. For Slovak entities, the decisive factor will be whether they have actually been granted authorisation by the regulator.
The Slovak Perspective: The Role of the National Bank of Slovakia (NBS) and Local Practice
In Slovakia, the National Bank of Slovakia (NBS) serves as the competent supervisory and regulatory authority. It is responsible for granting Crypto-Asset Service Provider (CASP) licences and overseeing compliance with the MiCA requirements.
From a practical perspective, this has several important implications for market participants:
The licence is not a simple registration, but a full regulatory procedure involving a detailed assessment of governance, cybersecurity, risk management and the business model.
The scope of services provided is a key consideration as custody, exchange, advisory, and trading platform services are subject to different regulatory requirements.
An NBS licence also enables cross-border business activities through the EU passporting regime, allowing services to be provided across the European Union. At the same time, it brings a higher level of regulatory oversight and increased expectations from the regulator.
Key Obligations in 2026
Authorisation or a Prepared Exit Plan – Companies that do not obtain a licence must have a documented wind-down plan in place, including procedures for informing clients and transferring or returning client assets.
Client Protection and Transparency – MiCA requires clear and transparent disclosures, strict segregation of client assets, and effective management of conflicts of interest.
Interaction with Other Regulations – MiCA should be assessed alongside the requirements of the Transfer of Funds Regulation (TFR), which governs the traceability of crypto-asset transfers, as well as the Digital Operational Resilience Act (DORA), which sets requirements for IT security and operational resilience.
People Competencies as a New Compliance Focus – Regulators are increasingly assessing whether individuals who interact with clients possess the necessary knowledge, expertise, and professional qualifications to perform their roles effectively.
What Should Applicants Prepare for Before Obtaining a Licence
Before a licence can be granted, applicants must demonstrate that they have a clear business plan, a well-defined business model, and a clear understanding of their target client base. Applicants must also have an experienced management team, an appropriate corporate governance framework, and sufficient capital resources to support their operations.
The preparation process also includes comprehensive financial documentation, a clear overview of the company’s financial performance, and high-quality financial reporting. It is essential to have effective AML and KYC procedures in place, secure IT systems to protect client data and assets, and a successfully completed cybersecurity audit.
The regulator also assesses client protection measures, internal processes and control mechanisms, as well as the professional competence and preparedness of the company’s personnel. An important requirement is a business continuity plan that ensures the company can continue operating effectively in the event of outages, incidents, or other crisis situations.
In 2026, MiCA is no longer just a topic for discussion—it is a regulatory reality that companies must address through timely and systematic preparation. For companies seeking to operate in the market on a long-term and credible basis, success will depend not only on obtaining a licence, but also on demonstrating strong governance, robust security measures, and effective client protection frameworks.
