The EU regulatory picture has gotten clearer – what it means for the industry

Steve Aquino, Head of Legal at Mesh, shares more about what the EU’s Markets in Crypto-Assets Regulation is, how it compares with existing and proposed US regulations, and its implications for the payments industry.

You often hear regulations being referred to as a landscape. Ideally, it’s a clear picture. But in the crypto world, it’s been a blurry one until only recently. The major clarifying agent has been the EU’s Markets in Crypto-Assets Regulation (a/k/a MiCA), which came into full effect at the tail end of 2024 and joined existing financial regulations to provide perhaps the world’s most comprehensive set of crypto-specific rules.

These directives cover a market with 450 million people (some 85 percent of them older than 15 and thus potential crypto users), giving them massive implications for PSPs, banks, and merchants. And as other countries – the United States in particular – start to play catch-up with their own regulatory regimes, it creates a clear reference point for other major jurisdictions. Below, we explore the contours of the EU’s crypto regulatory picture, how they compare with existing and proposed US regulations, and the overall impact on industry participants.

EU regulations: MiCA and beyond

MiCA seeks to fill the gaps in existing EU financial regulations that otherwise don’t explicitly cover crypto. Broadly speaking, it requires all crypto-asset services providers (CASPs) to obtain licensure with a local authority (e.g., the AMF in the Netherlands) to provide certain crypto, after which they can passport their services across the EU. 

MiCA defines a CASP, simply, as one who offers crypto-asset services. Those services include custody of assets, operating a crypto trading platform, exchanging crypto for fiat or other crypto-assets, executing, receiving, or transmitting of orders for crypto-assets, and providing transfer services for crypto on behalf of clients. But, then, what crypto assets are covered? MiCA’s definition is comprehensive: any asset-referenced tokens (ARTs), tokens referenced to only one fiat currency (known as e-money tokens, or EMTs – as in, a dollar-pegged stablecoin like USDC), utility tokens, and any other crypto-assets. One potentially major exception: central bank digital currencies. 

So you’re a CASP – what does that mean for you? Well, for starters, you’ll have to determine which regulated services you want to offer. If they include custody or operation of an exchange, the logistical lift becomes heavier. In any case, all CASPs must adopt comprehensive anti-money-laundering, data-security, compliance, anti-market-abuse, governance-related, and other policies and procedures, appoint key personnel (including at least one EU-based managing director – and possibly more), and establish a local presence in your jurisdiction of choice. And if you want to issue a crypto-asset, you must publish a white paper, which must be pre-approved by the local supervisor if the crypto-asset is an ART or an EMT.

The Payment Services Directive 2 (PSD2) governs all payment services and payment service providers throughout the EU and European Economic Area. Its goal is to create a more integrated and level playing field for both banks and non-bank payment providers. It imposes a number of security, privacy, consumer-protection, and Open Banking-related requirements on them. There’s a wrinkle, though, for crypto-asset participants: while PSD2 does not apply directly to crypto-assets, any payment service provider or bank that touches crypto and fiat still likely falls under PSD2’s remit. That possibility becomes more of a reality if you’re a PSP handling EMTs: while the European Banking Authority (EBA) has said it wants to avoid dual-licensing under MiCA and PSP2, it has nevertheless said that three EMT-related activities still fall under PSD2: transferring EMTs on behalf of clients; providing custody and administration of EMTs; and holding a custodial wallet in the name of one or more clients if the wallet allows sending and receiving EMTs. In other words, the bread-and-butter of a PSP’s activities. The EBA has given institutions who fall under this dual-licensing structure until March 30, 2026, to seek a PSD2 licence and advised local authorities to subject CASPs to ‘streamlined procedures’ to avoid redundancy. 

But we can’t talk about PSD2 and MiCA without mentioning the upcoming Payment Services Directive 3 (PSD3) – the proposed update to PSD2 that is still in proposal form. In its current form, PSD3 looks to harmonise payment-service regulations with MiCA, the GDPR, DORA (mentioned below), and others, while recognising crypto as a key component of the modern payments ecosystem. As it applies to crypto-related activities, PSD3 will characterise e-money institutions as payment institutions, and deem ‘staged wallets’ – i.e., wallets where users store money for future online transactions – as payment instruments, require enhanced training that covers MiCA, PSD3, and other payments-related regulations, and strong consumer authentication (SCA) requirements, with liability attaching to institutions, including wallet providers, for SCA failures.

The regulations don’t end there, though: the Markets in Financial Instruments Directive II (MiFID II) applies to crypto-assets that qualify as ‘financial instruments’ – in particular, tokenized shares, bonds, or derivatives. That means investment firms, trading platforms, and service providers dealing with security tokens must comply with MiFID II authorisation requirements, including licensing, transparency, investor protection, and conduct of business rules. Then there are the two Anti Money Laundering Directives (AMLD), AMLD 5 and AMLD 6, which require certain crypto-asset institutions, such as fiat-to-crypto exchanges and custodial wallet developers, to register with EU authorities and follow strict anti-money-laundering requirements at the pain of criminal liability for violations. And the Digital Operational Resilience Act (DORA) requires CASPs to implement structured documentation, internal controls, incident reporting obligations for major IT incidents, and repeatable testing. It mandates prompt reporting to regulators of major IT incidents along with root cause analysis and remediation plans.

The US’s approach

That covers the most important crypto-specific EU regulations. What are we doing in the US? We’ll start with the GENIUS Act, the US’s landmark crypto legislation, which passed into law this summer.

The GENIUS Act is tailored to what it calls ‘payment stablecoins’ – i.e., means of payment or settlement with a fixed-value redemption right and that maintains stable value. The Act limits issuers to stablecoin-related activities, requires adherence to anti-money-laundering and sanctions standards, and mandates 1:1 reserves that can be composed of only highly liquid, stable assets, such as cash equivalents, Treasury bills, and repurchase agreements, and bans re-hypothecation of assets. 

One key distinction between the GENIUS Act and the EU’s EMT regulations deals with the entities that may qualify to become an issuer. The US bill limits issuers to subsidiaries of federally regulated and insured depository institutions; nonbank institutions supervised by the US Office of the Comptroller of the Currency; or state-chartered entities under federal or similar state-specific oversight. In the EU, issuers aren’t so limited – having an e-money license issued by an EU member state will do. Arguably, then, the EU’s scheme makes it easier for relatively small players to enter the field. 

Even though the GENIUS Act is the first piece of federal, crypto-specific legislation in the US, being a payment services provider or banking institution in the US means you’re also considering a number of other key regulations. Perhaps most important of which are the Bank Secrecy Act, which imposes anti-money-laundering and sanctions-related requirements, and state-level money transmitter license (MTL) regimes, which allow licensees to transmit and custody funds on behalf of others. In the US, MTLs are largely products of state law, with different standards among the 49 states that require them. So if you want to engage in MTL-type activity, you have to go about the process (which can last up to two years in some states) of obtaining licensure, or find a partner to handle the flows. That’s another key difference between the US’s and the EU’s regulatory schemes for custody, since the EU allows for passporting of products among member states.

How this affects PSPs, banks, and merchants

Talking about the implications for EU and US regulation (not to mention global standards), I think, must begin with a business case. Global stablecoin market cap eclipsed USD 285 billion this month – a nearly 40 percent increase since the beginning of the year – with stablecoin reportedly hitting a record high in August. With the US entering the mix through the GENIUS Act, the world’s largest economy is now in play. As crypto regulations become clearer and more tailored to these new assets, the business opportunity grows massively. The GENIUS Act may also push PSPs and banks even closer to dollar reserves, since it requires issuers to back coins with dollars and Treasuries. Call it the US’ way to cement a head start: the stablecoin market is clearly dominated by dollar-pegged coins – USDC and USDT alone represent roughly USD 240 billion of the world’s total stablecoin market cap.

From a regulatory perspective, the EU’s and the US’s schemes mean players looking to hold, process payments through, exchange fiat for, and settle in crypto must understand that each new product likely implicates several different regulations, with different cross-border standards. These rules aren’t just personal to each enterprise. Whether you’re a PSP, bank, or a merchant, the regulatory landscape and its interlocking requirements mean it’s near-mandatory to ensure any partner for crypto-related services has the right licenses and maintains enterprise-grade compliance protocols throughout the relationship.

So, in sum, if we’re sticking with the landscape metaphor, the picture of crypto regulations is becoming clearer, but it has a lot of differently coloured brush strokes. 

About author

Steve Aquino is the Head of Legal at Mesh, where he leads the company’s global policy, regulatory, and compliance strategies. Steve has counselled tech and Web3 startups, financial institutions of all sizes, small-cap securities issuers, and investment banks. Before starting his career as a lawyer, Steve was a reporter, covering national politics, social justice issues, and internet privacy in the Web2 era.

 

 

About Mesh

Founded in 2020, Mesh is the first global payment network for crypto, connecting hundreds of exchanges, wallets, and payment service providers to enable seamless digital asset payments and conversions. By unifying these platforms into a single network, Mesh is pioneering an open, connected, and secure ecosystem for digital finance.