The European Securities and Markets Authority (ESMA) issued two decisive reports in July 2025 to reinforce the implementation of the Markets in Crypto-Assets Regulation (MiCA). Both documents underline ESMA's intention to ensure regulatory convergence, strengthen investor protection, and set a high supervisory bar across Member States.
Guideline for the criteria on the assessment of knowledge and competence under MiCA
On 11 July 2025, ESMA published a final report that specifies the criteria for assessing the knowledge and competence of staff at crypto-asset service providers (CASPs), as mandated by Article 81(7) of MiCA (ESMA Guidelines). These guidelines aim to establish a harmonised minimum standard for professionals who provide information or advice on crypto-assets or crypto-asset services listed in Article 3(1)(16) of MiCA across the EU to ensure investor protection.
Personnel distinction
The ESMA Guidelines establish that the level and depth of knowledge and competence expected of staff giving advice on crypto-assets and crypto-asset services should be of a higher standard than those that only give information on crypto-assets and crypto-asset services. Hence, ESMA Guidelines distinguish between two categories of staff from CASPs:
Staff providing information
CASPs should ensure that this category of staff has the necessary knowledge and competence to understand:
- Key characteristics, risks, and features of the crypto-asset services offered, including the functioning of distributed ledger technology (DLT) and the protocols used.
- Types of costs and charges incurred by clients, including fees charged by service providers and network costs like gas fees.
- How crypto-asset markets function, including the impact of investor sentiments and social media on price volatility, and the influence of large holders on market liquidity and volatility.
- The impact of economic events on crypto-asset values, the difference between past and future performance scenarios, and the limits of predictive forecasting.
- Differences in investor protection under MiCA compared to the Markets in Financial Instruments Directive II (MiFID II), and issues related to market abuse and anti-money laundering.
- Data relevant to crypto-assets, specific market structures, and basic valuation mechanisms.
Moreover, this category of staff must meet one of the following:
- At least 80 hours of relevant professional qualification and six months of supervised experience, or
- At least one year of supervised experience.
Staff providing advice
CASPs should ensure that this category of staff has the necessary knowledge and competence to understand the same concepts as staff providing information and, additionally, the following points:
- Total costs and charges clients may incur, including CASP service fees and associated DLT network fees (e.g., gas fees).
- CASP obligations regarding suitability requirements under Article 81 MiCA, as outlined in relevant guidelines and reporting formats for portfolio management.
- Assessment of whether crypto-assets or specific offerings are suitable for the client, based on updated client information.
- Basics of portfolio management, particularly the impact of diversification on investment options.
- Understanding valuation methods for crypto-assets discussed in the advice.
This category of staff is subject to stricter requirements and must meet one of the following:
- A tertiary education degree and one year of supervised experience;
- A secondary education degree with three years of professional formation and one year of experience;
- 160 hours of professional training and one year of experience;
- Two years of relevant MiFID II or Insurance Distribution Directive (IDD) experience and six months of supervised experience under MiCA.
Continuous Professional Development (CPD)
CASPs must determine the appropriate number of CPD hours annually, considering the complexity and range of their services. CPD should address regulatory changes, market developments, and emerging technologies. Both internal and external training options are acceptable, provided they include an assessment of acquired knowledge.
Emphasis on crypto-specific risks
ESMA highlights that crypto markets pose unique risks compared to traditional finance. Staff must understand:
- Volatility and liquidity risks,
- cybersecurity threats,
- risks from improper storage of cryptographic keys,
- IT programming vulnerabilities,
- transfer risks across incompatible DLT networks.
Transitional measures and verification
Staff active before the guidelines take effect may be presumed competent if they have at least one year of relevant experience. However, CASPs must verify this through internal assessments (e.g., appraisals or exams) at least annually. ESMA rejected mandatory external certification due to feasibility concerns but encourages external CPD providers.
The guidelines will apply six months after their official translation is published on ESMA's website. National Competent Authorities (NCAs) must notify ESMA of their compliance or intent to comply within two months of publication.
SMSG recommendations
The Securities and Markets Stakeholder Group (SMSG) broadly supported the guidelines but pushed for stricter external verification, especially for advisory roles. It also recommended illustrative examples to clarify scope and product differentiation.
In sum, the guidelines represent a significant step in harmonising professional standards for CASPs, with a strong focus on investor protection and market integrity in an emerging sector.
Fast-track peer review on CASP authorisation and supervision in Malta
On 10 July 2025, ESMA published the Peer Review Committee's (PRC) findings on the Malta Financial Services Authority's (MFSA) authorisation of CASPs. The PRC had raised concerns about the thoroughness and timing of the authorisation process, questioning whether the MFSA exercised sufficient diligence in assessing the CASP's compliance with MiCA requirements.
Key findings: inadequate assessment and unresolved risks
The PRC found that the MFSA authorised CASPs despite several material issues remaining unresolved, including:
- Inadequate assessment of ICT infrastructure, Web3 usage, and custody arrangements;
- Unresolved AML/CFT enforcement cases;
- Governance arrangements;
- Incomplete evaluation of the business model, conflicts of interest, and client onboarding processes.
The report explicitly questions why the MFSA did not use the authorisation process to ensure these deficiencies were addressed beforehand and suggests that the process lacked the necessary rigour and time to properly assess compliance. Although the MFSA responded appropriately to incidents post-authorisation, the PRC noted that some supervisory actions should have occurred earlier, during the authorisation phase.
Assessment overview
ESMA summarises the assessment of the MFSA in three key areas:
Broader recommendations for EU NCAs
The report also includes recommendations for all National Competent Authorities (NCAs), urging them to:
- Evaluate business plans with a forward-looking approach;
- Scrutinise conflicts of interest and group arrangements;
- Assess ICT systems in line with DORA standards;
- Review customer interfaces to ensure clear risk disclosures;
- Monitor exposure to DeFi risks and unregulated services.
NCAs are encouraged to enhance cooperation and information-sharing through the Digital Finance Standing Committee (DFSC) to ensure consistent authorisation practices across the EU.
Malta's response
The MFSA welcomed the review and acknowledged the findings, committing to implement the PRC's recommendations. It highlighted its early leadership in crypto regulation and reaffirmed its intention to work with ESMA and other EU supervisors to strengthen supervisory convergence.