National Competent Authorities for Crypto in EU: How MiCA Licensing Works in 2025

When the Markets in Crypto-Assets Regulation (MiCA) fully took effect on December 30, 2024, it didn’t just change how crypto companies operate in Europe-it rewrote the rules for who’s in charge. Instead of one EU-wide regulator, the system relies on 27 separate National Competent Authorities (NCAs). Each EU country picked its own financial watchdog to handle crypto licensing, supervision, and enforcement. That means if you’re running a crypto exchange, wallet provider, or stablecoin issuer in the EU, you don’t apply to Brussels-you apply to Berlin, Paris, Madrid, or Amsterdam.

Who Are the National Competent Authorities?

Every EU member state named a single body as its NCA. These aren’t new agencies created just for crypto-they’re the same regulators that have overseen banks, stock markets, and insurance firms for decades. Their existing expertise became the foundation for crypto supervision under MiCA.

In Germany, it’s BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht). In France, it’s the AMF (Autorité des Marchés Financiers). Spain uses CNMV (Comisión Nacional del Mercado de Valores), Italy uses CONSOB (Commissione Nazionale per le Società e la Borsa), and the Netherlands relies on De Nederlandsche Bank (DNB). These are not small players. BaFin supervises over 2,500 financial institutions. The AMF manages €3.5 trillion in assets. They’re used to heavy oversight-and now they’re doing it for crypto too.

The first licenses under MiCA started rolling out on day one: December 30, 2024. The Netherlands and Malta were among the first to issue them. By June 2025, more than 40 Cryptoasset Service Provider (CASP) licenses had been granted across the EU. Germany’s BaFin began issuing licenses in mid-January 2025, taking a careful, methodical approach. The Netherlands, with its tech-savvy financial sector, moved faster-issuing over 15 licenses in the first three months.

What Do NCAs Actually Do?

Getting a license is just the start. Once a crypto firm is approved, the NCA becomes its day-to-day regulator. That means ongoing checks on everything from how the company manages customer funds to whether it’s reporting suspicious transactions.

NCAs require firms to:

• Maintain minimum capital reserves-usually €50,000 to €150,000 depending on services offered
• Submit quarterly financial and operational reports
• Keep client assets separate from company funds (custody rules)
• Report any security breaches within 24 hours
• Follow strict rules for marketing crypto assets, including clear risk warnings

They also enforce anti-money laundering (AML) rules. While the new European Anti-Money Laundering Authority (AMLA) will take over supervision of the largest cross-border firms in 2026, NCAs still handle AML for smaller firms and domestic operations.

And they’re not just watching paperwork. NCAs can conduct on-site inspections, demand internal audit reports, freeze assets, or even shut down non-compliant services. In April 2025, the European Commission added new rules requiring all trading platforms to detect and report market manipulation-like spoofing or pump-and-dump schemes-directly to their NCA.

Why Does Jurisdiction Matter?

Not all NCAs are the same. Some are faster. Some are stricter. Some are more open to innovation. That makes choosing where to apply a strategic decision.

If you’re a startup with limited resources, you might avoid countries with high fees or slow processing. Germany’s BaFin is thorough-but its application review can take 6 to 9 months. The Netherlands, by contrast, has a dedicated MiCA team and aims to process applications in under 4 months. Spain and Portugal have been more flexible with smaller firms, offering guidance during the application process.

Some firms are choosing jurisdictions based on legal clarity. For example, France’s AMF has issued detailed guidelines on how to classify tokens-whether they’re utility tokens, asset-referenced tokens, or e-money tokens. That predictability helps companies design their products upfront instead of guessing.

But here’s the catch: if you want to operate in more than one EU country, you don’t just get one license and expand. You need to register with each NCA where you offer services. That means duplicated compliance work, multiple reporting systems, and different interpretations of the same rules.

The Big Shift: Why Centralization Is Coming

The current system works-but it’s messy. Twenty-seven different regulators mean 27 different ways of interpreting MiCA. ESMA, the EU’s securities watchdog, has been spending hundreds of staff hours just trying to align them.

In October 2024, ESMA chair Verena Ross told the Financial Times the EU is preparing to move supervision of major crypto firms from national authorities to ESMA directly. The goal? To avoid building the same regulatory infrastructure 27 times.

The European Commission confirmed in September 2024 that they’re considering transferring oversight of “significant” crypto companies-those operating across borders or handling large volumes-to ESMA. That includes exchanges, custodians, and stablecoin issuers with over €1 billion in assets.

This isn’t just theory. The EU already did this with credit rating agencies and some clearing houses. The model exists. The question is when-and which firms will be first.

The European Banking Authority (EBA) is already overseeing stablecoin reserves. The ECB watches for systemic risks. And in 2026, AMLA will supervise the biggest cross-border crypto firms for money laundering. That means crypto companies will soon face three layers of EU-level oversight, plus their local NCA.

What This Means for Crypto Businesses

Right now, you still apply to your NCA. But you need to plan for change.

If you’re a small or medium-sized firm, stick with your home country’s NCA. Use the next 12 to 18 months to build compliance systems, get licensed, and prove you can operate cleanly. Don’t rush to expand across borders until you’re stable.

If you’re a large firm with international operations, start preparing for ESMA oversight. Review your governance structure. Document your risk controls. Build relationships with regulators now, before they become your direct supervisors.

Compliance costs are rising. In Germany, annual supervisory fees can exceed €20,000 for mid-sized firms. In the Netherlands, they’re closer to €8,000. Some NCAs charge per transaction volume. Others charge based on asset size. You need to budget for this.

And don’t assume one license gives you EU-wide access. MiCA allows passporting-but only if your NCA approves it, and only if you meet their standards. Many firms are still learning how to navigate this.

The Future Is Mixed, Not Just Centralized

Don’t expect the NCAs to disappear. Even if ESMA takes over supervision of the biggest players, smaller firms will still report to their national authorities. The EU isn’t eliminating national oversight-it’s layering it.

Think of it like a pyramid:

• Top: ESMA supervises major cross-border firms
• Middle: AMLA handles AML/CFT for large firms
• Bottom: NCAs supervise domestic and small firms

This structure is designed to be efficient: centralized oversight where it matters most, local control where it’s practical.

The success of MiCA so far has been surprising. While the U.S. struggles with conflicting state and federal rules, the EU has built a unified, enforceable framework in under two years. That’s why crypto firms from Japan, Singapore, and even the U.S. are now applying for EU licenses-they want the credibility that comes with MiCA compliance.

But the system is still evolving. The next 18 months will be critical. Will ESMA’s centralization plan pass? Will fees get standardized? Will NCAs finally align their interpretations?

For now, the answer is simple: know your NCA. Understand its rules. Prepare for change. And don’t assume the rules you follow today will be the same tomorrow.