MiCA’s Grandfathering Period Is Ending. What Does It Actually Mean for EU Crypto Users?

Regulatory News
June 25, 2026

On 1 July 2026, the final EU-wide MiCA grandfathering period for crypto-asset service providers ends. This is not the date MiCA “starts”, as MiCA has already been in force for some time. It is also not a ban on crypto, self-custody wallets, or EU users holding digital assets. Rather, it is the end of a transitional period of coexistence between pre-MiCA national crypto regulation and post-MiCA supranational crypto regulation.

In practice, this means that nationally licensed firms that failed to secure a MiCA licence by 1 July 2026 must wind down. After the relevant grandfathering period has expired (and some have expired prior to 1 July 2026), a provider serving EU clients must have a lawful MiCA basis to provide crypto-asset services. The lawful basis can be:

  • A MiCA CASP authorisation;
  • A valid Article 60 notification route for certain already-regulated financial entities;
  • A genuinely narrow reverse-solicitation fact pattern for a third-country firm.

A pending application is not enough.

For users, the question is therefore not “is crypto still legal?” The question is: is the exact legal entity holding my account and assets still allowed to serve me?

The MiCA timeline: this did not start on 1 July 2026

MiCA was adopted in 2023 and entered into force in June 2023. Under Article 149, the Regulation applies in stages: Titles III and IV, covering asset-referenced tokens and e-money tokens, applied from 30 June 2024; the broader MiCA regime, including the CASP regime, applied from 30 December 2024; and MiCA is binding and directly applicable in all Member States.

The grandfathering period is a temporary exception for firms that were already providing crypto-asset services lawfully before 30 December 2024. Article 143(3) allowed those firms to continue until 1 July 2026 or until they were granted or refused a MiCA authorisation, whichever came first. Member States could reduce or disapply that period where their pre-MiCA national regimes were less strict than MiCA.

This is why the market has not had one single transition date. Some Member States chose shorter periods. Latvia, Hungary, the Netherlands, Poland, Slovenia and Finland had six-month periods; Sweden had nine months; Germany, Ireland, Lithuania, Austria and Slovakia had twelve months; and many others retained the full eighteen-month period.

So 1 July 2026 is not the first MiCA deadline. It is the final EU-wide backstop.

The market is being compressed by authorisation

Before MiCA, the EU crypto market was fragmented across national VASP and crypto registration regimes. TRM Labs estimates that more than 3,000 CASP registrations or licences had been issued across the EU before MiCA, but that the real number of operational CASPs was probably closer to 1,100–1,300. In contrast, ESMA’s Interim MiCA Register shows around 230 licensed providers in late June 2026.

Therefore, by entity count, the MiCA transition is a major contraction. Roughly speaking, around 18–21% of the estimated active pre-MiCA provider population had become MiCA-authorised by late June 2026. Compared with the gross pre-MiCA registration count, the figure is below 8%. That is why shorthand claims such as “75–90% of entities are being filtered out” are directionally understandable.

Naturally, entity count is not the same as trading volume. A small number of large exchanges and custodians may account for a large share of users, assets and trading. The economic impact is therefore likely smaller than the entity-count compression, but the regulatory transition is still significant.

What happens after the grandfathering period ends?

The legal rule is simple. Under Article 59 MiCA, a person must not provide crypto-asset services within the Union unless that person is authorised as a CASP under Article 63, or is one of the financial entities allowed to provide the service under Article 60.

ESMA has stated that the MiCA transitional period expires across the EU on 1 July 2026 and that, after that date, any entity providing crypto-asset services to EU clients without a MiCA licence will be in breach of EU law and must cease offering those services. ESMA also states that this applies irrespective of whether national law has been adjusted to MiCA in a Member State.

The practical consequence is that a provider cannot say:

“Our MiCA application is pending, therefore we can continue as normal.”

A pending application is not authorisation. If authorisation has not been granted by the relevant deadline, the provider should not continue ordinary services to EU clients.

What should an unauthorised provider do?

The answer is not “freeze everyone and disappear”. ESMA’s expectation is an orderly wind-down that protects users.

In its June 2026 public statement, ESMA said unauthorised CASPs must immediately stop onboarding new EU clients, refrain from opening new client relationships or accounts, and cease marketing activities and solicitation. They must limit services to actions necessary to sell or transfer crypto-assets, reallocate assets, or close positions. Custody may continue only for the period strictly necessary to complete an orderly exit.

ESMA also expects clear, prompt and repeated client communications explaining asset-safeguarding measures, the wind-down plan, the timeline to dispose of, transfer, reallocate or close positions, and any deadline by which residual positions would be closed automatically.

In a properly handled case, users should receive:

  • clear notice;
  • a deadline;
  • information on which legal entity currently holds the account;
  • instructions for withdrawal or migration;
  • information on whether trading, custody, transfers or staking-like services will stop;
  • a route to transfer assets to an authorised provider or to a self-hosted wallet.

This should not start at the last minute. ESMA said in April 2026 that CASPs should have orderly wind-down plans ready for implementation ahead of the end of the transitional period in the relevant Member State, and that by 1 July 2026 any unauthorised CASP must have implemented its wind-down plan.

This point matters for the countries whose grandfathering periods already ended. Latvia, Hungary, the Netherlands, Poland, Slovenia, Finland, Sweden, Germany, Ireland, Lithuania, Austria and Slovakia did not get a second grace period on 1 July 2026. Their local deadlines came earlier. The 1 July date simply removes the last remaining pockets of EU grandfathering.

Are user assets at risk?

Assets are not automatically confiscated, cancelled or made illegal because a platform misses the MiCA deadline. A user who owns crypto does not lose ownership merely because a provider is not authorised.

In practice, however, assets can be at some risk, as this kind of transition can be almost traumatising for a jurisdiction.

The main risks are access disruption, withdrawal delays, forced migration, forced closure of positions, loss of normal trading functionality, and weaker legal protection where assets remain with an unauthorised provider. ESMA has specifically warned clients of unauthorised CASPs, whether EU or non-EU, that they do not benefit from MiCA safeguards, including protections for client assets. ESMA invites users to verify whether their provider is authorised in the ESMA Register and to act promptly where this is not the case, including by transferring assets to an authorised CASP or to a self-hosted wallet.

The user-facing answer is thus that assets are not automatically lost because a provider is unauthorised. But if a user's assets are held by a provider that cannot lawfully continue serving them, the user faces a higher risk of access disruption, withdrawal friction and reduced protection. There can also be disruption for licensed entities if partners in their value chain themselves failed to secure a licence.

Self-custody wallets are a different matter. MiCA does not ban EU users from holding crypto in a self-hosted wallet. The issue arises when a business provides crypto-asset services to clients: custody, exchange, trading platform operation, transfer services, order execution, advice, portfolio management or similar services.

MiFID notification is not a general workaround

Some commentary has pointed to MiFID-regulated firms as if they have a transitional route into MiCA. That needs precision.

Article 60 MiCA allows certain already-regulated financial entities to provide specified crypto-asset services after notifying their home NCA. For investment firms, the rule is limited: a MiFID investment firm may provide crypto-asset services in the Union only where those services are equivalent to the investment services and activities for which it is specifically authorised, and only after notifying its home NCA at least 40 working days before providing those services for the first time.

This is:

  • not grandfathering;
  • not a shortcut for a local VASP that has not become authorised;
  • not available to a crypto firm just because it has started preparing a MiCA application.

It is a notification route for certain already-authorised financial entities, within the scope of their existing permissions.

A MiFID firm authorised only for investment advice cannot use Article 60 to operate a crypto exchange. A MiFID firm authorised only for reception and transmission of orders cannot use that alone to provide crypto custody. The permission must map across.

Reverse solicitation is not a business model

Reverse solicitation is another narrow point that is often misunderstood. Article 61 MiCA allows a third-country firm to provide a crypto-asset service where the EU client initiates the service at the client’s own exclusive initiative. But ESMA’s guidelines say the client’s own exclusive initiative must be construed narrowly, the assessment is factual, and contractual disclaimers cannot override contrary facts.

If a non-EU exchange has solicited EU users, those users are not reverse-solicited for that service relationship. That is true whether the solicitation happened through paid advertising, EU-focused campaigns, referral codes, affiliates, KOLs, influencers, push notifications, migration emails, or group-entity redirection.

ESMA’s guidelines specifically mention influencers. A person acting on behalf of a third-country firm can include a so-called influencer, and indicators include directing the audience to the firm’s website, providing access to its services, offering promotional deals, displaying the firm’s logo, or receiving monetary or non-monetary benefit. ESMA’s examples include a third-country firm using an EU-based influencer or content creator and remunerating them to push crypto-assets, services or activities.

A KOL campaign aimed at EU users is therefore very likely solicitation. It is not compatible with claiming that users arrived exclusively on their own initiative.

What about non-EU and non-KYC exchanges?

A non-EU exchange does not automatically need to offboard every EU user simply because it is non-EU. In theory, it may be able to serve a specific EU user where the user genuinely approached it on the user’s own exclusive initiative and the exchange did not solicit that user.

But this is narrow and fragile. If the exchange cannot evidence reverse solicitation, or if the user came through EU marketing, KOL content, referral links, affiliate campaigns, app-store targeting, EU-language pages, or migration from an EU group entity, the exchange should not assume Article 61 is available.

For an unauthorised non-EU exchange, precautionary EU offboarding could therefore be a response in some cases. That may mean geo-blocking, blocking new EU accounts, stopping EU deposits, disabling trading, moving accounts into withdrawal-only mode, or setting account-closure deadlines.

The “non-KYC” point adds another layer. MiCA itself is not the detailed KYC rulebook. The detailed customer due diligence and transfer-information obligations sit mainly in AML/CFT law and the Transfer of Funds Regulation. But MiCA makes AML/CFT controls part of CASP authorisation and governance. Article 62 requires a CASP application to include internal control mechanisms, policies and procedures to identify, assess and manage risks, including money-laundering and terrorist-financing risks. Article 68 requires CASPs to have procedures and arrangements for risk assessment to comply with AMLD-transposing national law.

The EBA’s travel rule guidelines, applicable from 30 December 2024, specify the steps CASPs should take to detect missing or incomplete information accompanying transfers of funds or crypto-assets.

So a MiCA-authorised retail exchange cannot be “non-KYC” in the ordinary anonymous-exchange sense. And an EU user moving assets from a non-KYC offshore exchange back into an EU-regulated CASP may face enhanced checks, delays, rejection, source-of-funds questions or provenance issues.

What if a group has EU and non-EU entities?

MiCA protection attaches to the specific legal entity providing the service, not automatically to every company in a global exchange group. Therefore, users should not rely on brand recognition alone.

If an EU entity fails to obtain MiCA authorisation, it cannot simply migrate users to an offshore affiliate and continue business-as-usual. That would likely be viewed as continued provision or solicitation of MiCA services into the EU, not reverse solicitation.

A lawful migration is different. A provider may migrate users to a properly authorised EU CASP, including another authorised group entity, provided the onboarding, disclosures and AML/CFT checks are done properly. It may also help users withdraw to a self-hosted wallet. But “click here to move your EU account to our offshore exchange” is not a valid solution; exchanges inviting users to tick a box consenting that they are soliciting services from the offshore entity “of their own exclusive initiative” will quickly find that supervisors do not accept this as a valid workaround.

ESMA has also warned that CASPs should ensure outsourcing and delegation arrangements do not result in services being provided to EU clients through unauthorised third-country entities, and that custody cannot be outsourced or delegated to entities not authorised as CASPs.

What users should check now

Users should ask five practical questions.

  • First, which legal entity holds my account? The app, brand and logo are not enough. The contract entity matters.
  • Second, is that entity authorised under MiCA for the service I use? A firm may be authorised for some services but not others.
  • Third, is the provider merely saying “application pending”? Pending is not authorised.
  • Fourth, am I being asked to migrate offshore? Migration to an authorised EU CASP is different from migration to an unauthorised non-EU affiliate.
  • Fifth, what happens if I do nothing? The provider should explain whether assets will remain withdrawable, whether trading will stop, whether positions will be closed automatically, and what deadline applies.

The bottom line

MiCA’s 1 July 2026 deadline is not a ban on EU users holding crypto. It is the end of the last EU-wide permission for legacy providers to keep serving clients without full MiCA authorisation.

For users, the safest summary is:

If your provider is MiCA-authorised for the service you use, the transition should be manageable. If your provider is unauthorised, pending, offshore, non-KYC, or unclear about which legal entity serves you, your main risk is not automatic loss of assets; it is access disruption, weaker protection, withdrawal friction and forced migration.

For providers, the message is even clearer:

Apply, be authorised, use a valid Article 60 route, or stop normal EU service. Reverse solicitation is not a scalable workaround. A pending application is not a licence. And wind-down should be orderly, documented and communicated before users are harmed.
