The Malta Financial Services Authority (MFSA) released a follow-up circular providing further guidance on the authorisation process for crypto-asset service providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCA), formally known as Regulation (EU) 2023/1114. This update builds on the Authority's earlier communication issued on 10 December 2024.
The latest circular introduces two new mandatory annexes that must accompany all MiCA authorisation applications:
- Annex AX05 – Digital Operational Resilience Assessment
- Annex AX50 – ICT Third-Party Provider Assessment
These additions reflect the MFSA's commitment to aligning the MiCA authorisation process with the broader EU regulatory framework, particularly Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which became fully applicable in January 2025.
Applicants are now expected to demonstrate robust ICT risk management and operational resilience capabilities at the point of application. Specifically:
- Annex AX05 requires a comprehensive evaluation of an applicant's digital resilience, including governance structures, incident response protocols, and business continuity planning.
- Annex AX50 focuses on the oversight and risk management of outsourced ICT services, requiring detailed disclosures on third-party dependencies.
These requirements apply to all CASP applicants—both Category A and Category B—without exception or transitional relief, regardless of whether the application process had already commenced prior to this update.
The MFSA's approach underscores the importance of embedding ICT and operational resilience considerations into the licensing process from the outset. Prospective applicants should ensure that their internal frameworks, outsourcing arrangements, and supporting documentation are fully aligned with both MiCA and DORA obligations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
