Digital asset regulation in the EU is not one framework — it is four, operating simultaneously, with overlapping scope and no clean boundaries. MiCA governs crypto-assets that are not financial instruments. MiFID II governs those that are. PSD3 governs payment services. DORA governs operational resilience. Getting this mapping wrong does not produce a compliance gap — it produces a business model that cannot legally operate.
At VoltLegal, we advise digital asset businesses, DeFi protocols, and payment product teams on where they sit within the EU regulatory perimeter — and what that means for their operating model, licensing requirements, and product design.
EU digital asset regulation — the MiCA and MiFID II boundary
MiCA explicitly excludes crypto-assets that qualify as financial instruments under MiFID II from its scope. This means that for any digital asset business, the first regulatory question is not “how do we comply with MiCA?” — it is “does MiCA even apply to us?”
A crypto-asset qualifies as a financial instrument under MiFID II if it constitutes a transferable security, a money-market instrument, a derivative, or another instrument listed in MiFID II Annex I Section C. ESMA has published guidance clarifying that this classification is based on economic substance, not contractual form. A token that functions economically like a share, bond, or derivative will be classified as a financial instrument — regardless of what the whitepaper calls it.
The practical consequence: firms dealing in, managing, or advising on crypto-assets that are financial instruments need MiFID II investment firm authorisation, not a MiCA CASP licence. These are different regulatory regimes with different capital requirements, conduct rules, and supervisory relationships. Operating under MiCA when MiFID II applies — or vice versa — is not a technical compliance error. It is operating without authorisation.
We provide written classification opinions that map specific tokens and digital asset products to the applicable EU regulatory framework. These opinions are increasingly required by exchanges, institutional investors, and banking partners before they will engage with a digital asset business.
DeFi protocols — where EU regulation currently stands
MiCA Recital 22 states that fully decentralised crypto-asset services — those with no identifiable intermediary — fall outside MiCA’s scope. In practice, the word “fully” is doing significant work. EU policymakers have not defined decentralisation, and ESMA has indicated that starting around mid-2026, regulators will begin developing frameworks for interpreting decentralisation thresholds.
The current regulatory position for DeFi protocols operating in the EU:
Protocol developers — where a development team builds and maintains a protocol without controlling on-chain activity or holding custody of user assets, current EU regulatory frameworks do not clearly impose licensing obligations. US appellate guidance (Risley v. Universal Navigation, 2025) similarly limits primary liability for open-source protocol developers. However, this position is evolving and depends heavily on the specific governance and upgrade authority structure of the protocol.
DeFi interface operators — firms that build, maintain, or market a DeFi interface, facilitate user onboarding, or exercise governance control over the protocol are at significantly higher regulatory risk. If the underlying protocol provides services that would require CASP authorisation if provided by a centralised entity, the interface operator may be treated as the de facto service provider. This is the position regulators are actively developing enforcement frameworks around.
Liquid staking and yield products — where staking yields are structured or marketed as investment returns, or where liquid staking tokens are traded as financial instruments, the risk of MiFID II classification is material. ESMA has flagged this area as a supervisory priority. We advise DeFi protocols on the regulatory status of their staking and yield mechanics before product launch.
Governance tokens with economic rights — governance tokens that also provide fee-sharing, revenue distribution, or buyback mechanics have moved into financial instrument territory under MiFID II analysis in multiple EU jurisdictions. This applies regardless of whether the economic rights were designed intentionally or emerged through governance votes post-launch.
PSD3 and digital asset payment products
The Payment Services Regulation (PSR) and Payment Services Directive 3 (PSD3) reached political agreement in November 2025 and are expected to become law in mid-2026, with a 21-month transition period. Full application is expected in late 2027 to early 2028.
For digital asset businesses with payment product components, PSD3 creates overlapping obligations with MiCA in several areas:
EMT issuers and dual authorisation — under MiCA, only credit institutions or EMIs may issue e-money tokens. The EBA’s February 2026 Opinion clarified that certain EMT-related payment services require PSD2/PSD3 authorisation in addition to MiCA CASP authorisation. The EBA identified three supervisory outcomes for EMT-related services, depending on whether the CASP already holds PSD2 authorisation or operates via an authorised PSP. This dual authorisation requirement applies to specific business models — we map your operating structure to the applicable outcome before any application work begins.
Payment initiation and account information services — DeFi protocols and crypto wallets that connect to bank accounts, initiate payments, or aggregate account information may trigger PSD3 obligations regardless of their MiCA status. The perimeter between crypto-native services and regulated payment services is increasingly contested.
Fraud liability and verification of payee — PSD3 introduces new fraud liability rules and mandatory Verification of Payee (VoP) checks for all wire transfers. Crypto businesses providing fiat settlement, on/off ramps, or payment services will need to implement VoP infrastructure and updated fraud liability frameworks.
Reverse solicitation — what it actually covers
MiCA Article 61 provides a narrow exemption for third-country firms providing services exclusively at the client’s own initiative. ESMA’s guidelines on reverse solicitation, published in 2024, make clear that this exemption cannot be used systematically as a market access strategy. Specifically:
- Any general marketing or advertising directed at EU persons — including through social media, websites accessible in the EU, or intermediaries — negates the exemption
- The exemption applies only to the specific service the client requested on their own initiative, not to other services subsequently cross-sold
- Firms cannot structure their operations to rely on reverse solicitation while actively building EU client relationships
We advise non-EU firms on the actual scope of the reverse solicitation exemption and on what operating changes are necessary to maintain a defensible position — or whether EU authorisation is the more commercially viable path.
Our digital asset regulation EU services
Our digital asset regulation mandate covers:
- Regulatory perimeter mapping — MiCA, MiFID II, PSD3, or multiple frameworks
- Written classification opinions for tokens, digital asset products, and DeFi protocols
- DeFi regulatory analysis — decentralisation assessment, interface operator exposure, governance token classification
- PSD3 readiness assessment for digital asset businesses with payment product components
- Dual authorisation analysis for EMT issuers — mapping to applicable EBA supervisory outcomes
- Reverse solicitation position review for non-EU firms serving EU clients
- Ongoing regulatory monitoring — EU digital asset regulatory developments, ESMA and EBA guidance, enforcement trends
Talk to us about digital asset regulation in the EU
If you are building a digital asset product, DeFi protocol, or payment solution that touches EU users, the regulatory perimeter analysis should happen before the product is designed — not after it is live. We offer a structured scoping session to map your business model to the applicable EU frameworks.
Book a 30-minute consultation to discuss your digital asset regulatory exposure and what a compliant operating model looks like for your specific product.