MiCAR allowed virtual asset service providers (VASPs) to continue operating under their existing status during a transitional period that expired on 1 July 2026. This transitional regime was designed to ensure business continuity for active players while providing them with sufficient time to obtain an authorisation as crypto-asset service providers (CASPs) under MiCAR.
This transitional period has now ended, which has significant consequences for both VASPs and their customers.
In a statement published yesterday, the Commission de Surveillance du Secteur Financier (CSSF) highlighted these implications and reminded customers of the risks associated with dealing with VASPs that have not obtained the authorisation required under MiCAR.
The CSSF also (i) reminds customers that third-country crypto-asset service providers actively offering their services to EU customers also require a CASP authorisation in the EU and (ii) highlights the limits of the “reverse solicitation” regime.
Consequences for VASPs
Going forward, any entity providing, on a professional basis, crypto-asset services to clients located in the European Union (the “Entity”) is required to hold an authorisation as a CASP.
Accordingly, VASPs are no longer permitted to operate without holding authorisation as CASPs.
In the absence of such authorisation, the Entity is no longer permitted to (i) accept new clients, (ii) open new accounts or wallets, or (iii) advertise or market its products and services. It is then required to wind down its activities in an orderly manner, including, as applicable, by either selling the crypto-assets in exchange for legal tender, transferring the crypto-assets to another platform operated by a service provider duly authorised as a CASP, or transferring them to a self-hosted wallet.
Consequences for customers
The CSSF calls upon customers holding crypto-assets (including bitcoin, ether, stablecoins or other digital assets) through an application or online platform to verify that their provider is still duly authorised to provide such services within the European Union.
Customers may in particular consult:
- the relevant provider’s website, which usually contains its regulated status in the legal notice or general terms and conditions,
- the register maintained by the European Securities and Markets Authority (ESMA) which lists EU CASPs,
- the register published by the CSSF for Luxembourg-supervised CASPs.
Consequences for crypto-asset service providers established in third countries
The CSSF reminds that crypto-asset service providers established in third countries and actively offering their services to clients established in the European Union are likewise required to obtain an authorisation as a CASP within the European Union.
An exception nevertheless remains available in the case of reverse solicitation, namely where the client contacts the service provider on its own exclusive initiative.
There is, however, a risk that certain third-country service providers may seek to rely on this exception in order to continue their activities, which may give rise to consumer protection concerns, in particular where the service provider is required to close client accounts at short notice.
In line with the CSSF regulatory practice, this reverse solicitation exemption must be interpreted strictly. To rely on this exemption, third-country crypto-asset service providers must refrain from soliciting customers within the EU, e.g. through online advertising, brochures, telephone calls, emails, advertising banners, pop-ups and/or similar means on websites on social media.
Authors: Aurélia Viémont, Mélanie Poirrier, Delia Nesbitt and Anne Picot-Guillot (CMS Luxembourg)