Impetora

MiCA and AI compliance for crypto-asset service providers

By Impetora

The Markets in Crypto-Assets Regulation, Regulation (EU) 2023/1114 (MiCA), entered into full application for crypto-asset service providers (CASPs) on 30 December 2024. MiCA is the first comprehensive EU regulatory regime for crypto issuers and service providers, and it imports the financial-services governance, conduct and market-abuse playbook into the crypto sector. AI systems used by CASPs - whether for AML/KYC, transaction monitoring, market surveillance, robo-advice or customer onboarding - operate inside this framework [1].

2024-12-30: MiCA full application for CASPs (EUR-Lex)
Article 68: ICT systems and security arrangements (EUR-Lex)
Article 73: outsourcing requirements for CASPs (EUR-Lex)
10: core CASP services authorised under MiCA (ESMA)

What does MiCA actually cover and which AI use cases are inside?

MiCA is divided into nine titles. Title II covers asset-referenced tokens (ARTs); Title III covers e-money tokens (EMTs); Title IV covers issuance of other crypto-assets; Title V covers crypto-asset service providers; Title VI covers prevention and prohibition of market abuse. CASPs are authorised to provide ten core services including custody and administration of crypto-assets, operation of trading platforms, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management, transfer services and crypto-asset offering services [1].

AI systems operating inside CASPs are typically deployed for: AML and KYC onboarding (Title V plus the AMLR / AMLD framework), transaction monitoring and travel-rule compliance, market-abuse surveillance under Title VI, customer support automation, suitability and appropriateness assessments under Article 81, automated portfolio management or robo-advice under the portfolio-management authorisation, and ICT operational support including fraud detection. Each of these is governed by the corresponding MiCA article plus, where the CASP is in scope, DORA's third-party ICT risk regime.

MiCA grandfathered existing national crypto regimes through a transitional period running until July 2026 in member states that elected the maximum window. CASPs operating during the transition continue to be supervised by national competent authorities under national rules until they obtain full MiCA authorisation.

What do the MiCA governance articles require for AI systems?

Article 68 sets the prudential and operational requirements for CASPs, including governance arrangements, internal control mechanisms, effective procedures for risk assessment, and ICT systems and security arrangements. Article 68(7) requires CASPs to have in place ICT and security risk-management arrangements that comply with DORA. The combined effect is that any AI system that supports a CASP's authorised services is subject to DORA's full third-party and resilience regime as well as MiCA's substantive conduct rules.

Article 73 governs outsourcing. CASPs may outsource operational functions, including AI-driven processes, but they remain fully responsible for compliance and must ensure that outsourcing does not impair the quality of internal controls, the ability of the competent authority to supervise, or services provided to clients. Pre-outsourcing notification to the competent authority is required for material arrangements, and the contract must include audit rights, data protection commitments and exit provisions.

Articles 68, 73, 81: core MiCA AI-relevant provisions (EUR-Lex)

Article 81 covers suitability and appropriateness assessments for advice and portfolio management services. Where AI is used to generate or support these assessments, CASPs must be able to demonstrate that the system produces outputs that meet the suitability standard, that conflicts of interest are managed, and that the firm retains the records necessary to evidence compliance to ESMA and national competent authorities [2].

What ESMA and EBA Level 2 measures apply to AI in CASPs?

MiCA is supplemented by an extensive Level 2 framework. ESMA and the EBA have published a series of regulatory and implementing technical standards covering authorisation requirements, complaints handling, conflicts of interest, suitability assessment, business continuity and white papers. Several of these directly affect AI systems: the RTS on suitability under Article 81 requires firms to document the inputs and outputs of automated assessment systems, and the guidelines on algorithmic trading and high-frequency execution apply where CASPs operate trading venues with AI-supported matching or surveillance.

ESMA's 2024 statement on the use of AI in retail investment services, while issued under MiFID II, signals supervisory expectations that read across to MiCA. Firms deploying AI for investment-style services must ensure transparency to clients on the use of AI, manage conflicts of interest specific to AI (such as model bias toward certain assets), and apply governance and oversight proportionate to the risks. ESMA's product-intervention powers are explicitly available where AI-driven services produce significant investor harm.

The EBA's guidelines on internal governance under MiCA (issued 2024) align closely with the EBA guidelines for credit institutions and investment firms. They require management-body responsibility for risk-management of AI systems, documented model governance, ongoing performance monitoring and human-in-the-loop oversight for material decisions [3].

How does MiCA market abuse surveillance interact with AI?

Title VI of MiCA applies the market-abuse regime to crypto-assets admitted to trading on a CASP-operated platform. CASPs are required to operate effective arrangements, systems and procedures to prevent and detect insider dealing, unlawful disclosure of inside information and market manipulation, and to file Suspicious Transaction and Order Reports (STORs) to the competent authority.

AI-based market surveillance is now standard in this space, but the regime imposes specific evidence-of-effectiveness obligations. The surveillance system must be calibrated to the products and venues in scope, the alert logic must be auditable, and false-positive rates must be tracked. ESMA's surveillance guidelines, originally written for the MAR equivalent in traditional markets, are the operative reference. Firms deploying AI for crypto market surveillance must be able to explain to a supervisor how the model identifies wash trading, spoofing, layering and pump-and-dump patterns specific to crypto-asset venues, and how the output is escalated for STOR review.

How does MiCA stack with the EU AI Act and AML regulations?

MiCA, the EU AI Act (Regulation 2024/1689), DORA and the AML Regulation form four overlapping but complementary regimes for AI-using CASPs. MiCA governs the substantive conduct of CASPs and the prudential framework. The AI Act governs the AI system itself - high-risk classification under Annex III for AI used in creditworthiness or for AML decisions, transparency obligations and human-oversight requirements. DORA governs ICT operational resilience including third-party risk for AI vendors. The AML Regulation governs customer due diligence, PEP screening and transaction monitoring obligations.

For an AI-driven AML/KYC stack inside a CASP, all four apply simultaneously. The mature compliance pattern is to maintain a unified governance register that captures the MiCA authorisation evidence, AI Act technical documentation, DORA register of information and AMLR procedures in one navigable structure, with cross-references rather than parallel duplicate documentation.

How does Impetora support MiCA-grade AI engagements?

Impetora's TRACE methodology was built around AI systems that have to survive financial-services supervisory review, and CASPs face the same shape of audit. Trust covers the contractual layer including outsourcing notification material, sub-processor disclosure and audit rights aligned with Article 73. Readiness covers the data and workflow audit that becomes the input to the CASP's risk register and authorisation file. Architecture covers production-grade design with the logging, recoverability and surveillance requirements that Article 68 and Title VI impose. Citations and Evidence covers the audit trail that ESMA, EBA and national competent authorities can request.

The practical path for a MiCA-bound engagement: scope the AI system against the specific CASP service it supports, document the third-party stack explicitly, structure the outsourcing notification before go-live, and align surveillance and incident-reporting runbooks with the combined MiCA / DORA / AMLR rhythm.

Frequently asked questions

When did MiCA become applicable?
MiCA entered into force on 29 June 2023. The provisions on asset-referenced tokens and e-money tokens applied from 30 June 2024. The provisions on crypto-asset service providers applied from 30 December 2024. Member states can run a transitional regime for existing CASPs of up to 18 months from full application, ending no later than 1 July 2026.

Does MiCA apply to non-EU CASPs?
MiCA applies to any CASP providing services to clients within the EU. A non-EU firm cannot solicit EU clients without a MiCA authorisation, though MiCA does include a reverse-solicitation carve-out for genuine client-initiated requests. Non-EU AI vendors providing services to MiCA-authorised CASPs are bound through the contractual flow-down of Article 73 outsourcing requirements and DORA Articles 28-30.

What is the relationship between MiCA and DORA for CASPs?
DORA is the lex specialis for ICT operational resilience for financial entities, and CASPs are explicitly within DORA's scope. MiCA Article 68(7) cross-references DORA. The practical effect is that AI vendors providing services to CASPs face the full DORA third-party regime: pre-contractual due diligence, register of information, mandatory contract clauses, audit rights, exit support and incident-cooperation timelines.

Are robo-advice and AI-driven portfolio management allowed under MiCA?
Yes, where the CASP holds the relevant authorisation for advice on crypto-assets or portfolio management of crypto-assets. The firm must comply with Article 81's suitability and appropriateness requirements, manage conflicts of interest, ensure transparency to clients including disclosure of the use of AI where material, and maintain the records that evidence compliance. ESMA's broader statements on AI in retail investment services are read-across guidance for the supervisory expectations.

What are the penalties for MiCA non-compliance?
Article 111 sets administrative penalties at up to EUR 5 million for individuals or 3% of total annual turnover for legal persons (5% for some offences), or up to twice the amount of the profits gained or losses avoided. Authorisation can be withdrawn for material breaches. National competent authorities may also impose temporary management bans and public reprimands.

Where can I find the official MiCA text and ESMA guidance?
The regulation is published as Regulation (EU) 2023/1114 on EUR-Lex. ESMA maintains the central guidance landing page including all RTS/ITS, Q&A documents, statements and guidelines. The EBA publishes its share of the Level 2 framework on internal governance, prudential requirements and ART/EMT supervision. National competent authority Q&As and supervisory statements are the operative source for jurisdiction-specific interpretation.

Sources cited
  1. Regulation (EU) 2023/1114 (Markets in Crypto-Assets Regulation, MiCA). European Union, Official Journal, 2023-05-31. https://eur-lex.europa.eu/eli/reg/2023/1114/oj
  2. MiCA - supervisory landing page and Level 2 framework. ESMA - European Securities and Markets Authority, 2024. https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica
  3. EBA guidelines on internal governance under MiCA. European Banking Authority, 2024. https://www.eba.europa.eu/regulation-and-policy/markets-crypto-assets
  4. Regulation (EU) 2022/2554 (DORA). European Union, Official Journal, 2022-12-14. https://eur-lex.europa.eu/eli/reg/2022/2554/oj
  5. Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal, 2024-07-12. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
  6. ESMA statement on the use of AI in retail investment services. ESMA, 2024. https://www.esma.europa.eu/press-news/esma-news
About Impetora
Impetora designs, builds, and deploys custom AI systems for enterprises in regulated industries. We operate from Vilnius and Amsterdam and work in five languages.