The architecture of EU crypto regulation
EU crypto regulation works through the interaction of several regulations and directives, each addressing a different dimension of risk. Understanding the architecture matters because your project will typically trigger multiple frameworks simultaneously — not just MiCA.
The main dimensions:
- Token classification and market conduct — MiCA and MiFID II
- AML/CFT for crypto transfers — TFR (Regulation 2023/1113) and the AML framework
- Payment services — PSD2 (and the forthcoming PSD3)
- Operational resilience and ICT risk — DORA
- Funds management — AIFMD and UCITS Directive (for tokenised funds)
- Consumer protection and data — GDPR, Consumer Rights Directive, and sectoral rules
For a typical EU-focused Web3 or fintech project, at least three of these will apply. For larger projects — custodial exchanges, stablecoin issuers, DeFi protocols with frontends — often five or more apply simultaneously.
The overlap is intentional: EU regulation is built on a "functional equivalence" principle. The same risks should be regulated the same way, regardless of whether the underlying technology is traditional finance or blockchain. That means crypto businesses often face the same obligations as banks and investment firms — just adapted to the crypto context.
MiCA — the headline framework
Regulation (EU) 2023/1114 (MiCA) is the cornerstone. It creates a unified EU-wide framework for crypto-assets that are not financial instruments and for the service providers that deal with them.
Key features:
- Three token categories — asset-referenced tokens (ARTs), electronic money tokens (EMTs), and "other" crypto-assets including utility tokens
- Regulation of service providers — the CASP regime with ten service categories from Article 3(1)(16) MiCA
- EU-wide passporting — once authorised in one Member State, a CASP can provide services across all 27
- Market abuse rules — Title VI (Articles 86-92) establishes a crypto-specific market abuse regime
Timeline
- 29 June 2023 — MiCA entered into force
- 30 June 2024 — Title III (ARTs) and Title IV (EMTs) began to apply
- 30 December 2024 — Full application of MiCA
- 1 July 2026 — Maximum grandfathering end date for existing CASPs under Article 143(3) (earlier in some Member States)
For detailed analyses, see our guides on when MiCA applies, CASP licence requirements, token classification, and Article 143(3) grandfathering.
MiFID II — for tokenised financial instruments
Where a crypto-asset qualifies as a financial instrument under Article 4(1)(15) of Directive 2014/65/EU (MiFID II), it falls outside MiCA (per Article 2(4)(a) MiCA) and under the full weight of EU securities law.
The most common pathway is qualification as a transferable security under Article 4(1)(44) MiFID II. Tokens with profit-sharing, redemption rights, voting rights with economic consequences, or claims on issuer assets typically fall here.
The MiFID II regime brings:
- Prospectus Regulation (Regulation (EU) 2017/1129) for public offerings
- Investment firm authorisation for intermediaries
- Market Abuse Regulation (Regulation (EU) No 596/2014)
- MiFIR transparency and transaction reporting obligations
- Client asset rules
Additionally, the DLT Pilot Regime (Regulation (EU) 2022/858) creates a temporary regulatory sandbox for DLT-based market infrastructures (trading venues, settlement systems) for tokenised financial instruments. This runs alongside MiFID II and MiCA.
See our detailed analysis: MiCA vs MiFID II: Which Applies to Your Token.
TFR (Travel Rule) — AML for crypto transfers
The Transfer of Funds Regulation (Regulation (EU) 2023/1113) extends the FATF "travel rule" to crypto-asset transfers. It applies from 30 December 2024, the same day as MiCA's full application.
Core obligations for CASPs:
- For every crypto transfer, collect and transmit information about the originator (sender) and beneficiary (recipient)
- Required information includes names, account numbers (wallet addresses), and for larger transfers, additional identification details
- Verify information received from counterparty CASPs
- Implement procedures for handling transfers with missing or incomplete information
- Enhanced requirements apply to transfers to/from self-hosted wallets (non-custodial wallets) above EUR 1,000
The EBA Travel Rule Guidelines (4 July 2024) provide detailed operational guidance on how CASPs should implement these requirements.
This is a hard technology problem: Implementing the Travel Rule requires wallet address verification infrastructure, counterparty CASP identification, messaging protocols, and robust data handling. Most CASPs use specialised Travel Rule compliance providers (like Notabene, Sumsub, Elliptic) to handle the technical implementation.
DORA — digital operational resilience
The Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA) establishes harmonised rules on ICT risk management for EU financial entities. It applies from 17 January 2025 and covers 20 types of financial entities — including CASPs.
DORA's five pillars:
- ICT risk management — governance, policies, and a comprehensive ICT risk management framework
- ICT incident reporting — classification and reporting of major ICT-related incidents and significant cyber threats to competent authorities
- Digital operational resilience testing — including threat-led penetration testing (TLPT) for larger entities
- ICT third-party risk management — due diligence, contractual requirements, and monitoring of ICT service providers
- Information sharing — arrangements for sharing cyber threat intelligence among financial entities
Critically, DORA also creates an EU-wide oversight framework for Critical ICT Third-Party Providers (CTPPs). Large cloud, data, or cybersecurity providers that support the EU financial sector may be designated as CTPPs and subject to direct supervision by the European Supervisory Authorities (EBA, EIOPA, ESMA).
For CASPs, DORA compliance typically requires significant investment in documentation, processes, incident reporting capabilities, and third-party contract review. Many existing crypto exchanges have found DORA implementation more demanding than MiCA itself.
PSD2 / PSD3 — payment services
The Payment Services Directive 2 (Directive (EU) 2015/2366, PSD2) regulates payment services in the EU. It matters for crypto projects in several ways:
- Fiat on/off ramps — most CASPs need to handle fiat payments (SEPA, card, open banking). Direct fiat handling typically requires PSD2 authorisation or partnering with a licensed payment institution
- EMI licence and EMTs — issuers of e-money tokens need electronic money institution (EMI) authorisation under Directive 2009/110/EC (the E-Money Directive), which operates in tandem with PSD2
- Payment initiation — some crypto services that facilitate payments may trigger PSD2 authorisation as payment initiation service providers (PISPs)
The EU has proposed PSD3 (the third Payment Services Directive) along with a new Payment Services Regulation (PSR). These are expected to apply from 2026-2027, introducing enhanced fraud protection, strong customer authentication rules, and updated rules on open banking.
For EMT issuers, the interplay between PSD2 and MiCA is particularly important. The EBA Opinion of 10 June 2025 clarified that CASPs operating on EMTs must comply simultaneously with the initial capital requirements under Article 67 MiCA and those of Article 7 PSD2 — the "no double use" rule means one euro of capital cannot be counted twice.
AIFMD — for tokenised funds
The Alternative Investment Fund Managers Directive (Directive 2011/61/EU, AIFMD) regulates managers of alternative investment funds. It's relevant to crypto projects in several ways:
- Tokenised funds — if your project involves pooling investor capital to invest collectively (whether in crypto-assets, real estate, or other assets), you may be operating an AIF and need AIFMD authorisation as an AIFM
- Crypto funds — funds that invest in crypto-assets are typically AIFs and subject to AIFMD
- DeFi pool structures — some DeFi protocols that pool user funds (lending pools, yield aggregators) may fall within AIFMD's definition of AIF, triggering authorisation requirements
AIFMD II (Directive (EU) 2024/927) was adopted in March 2024 and introduces new requirements for loan-originating funds, updated liquidity management rules, and enhanced transparency. Member States must transpose by April 2026.
Crypto-native funds — tokenised VCs, DeFi aggregators, yield protocols — increasingly face AIFMD scrutiny as regulators apply a "substance over form" analysis to pooled investment structures.
AMLR — the new AML package
The EU has replaced its directive-based AML framework with a directly applicable Anti-Money Laundering Regulation (AMLR, Regulation (EU) 2024/1624) alongside a new Sixth AML Directive (AMLD6) and the creation of the Anti-Money Laundering Authority (AMLA).
Key elements:
- Single EU rulebook — AMLR directly applies in all Member States, ending the fragmentation of national AML rules
- Direct crypto coverage — CASPs are explicitly within scope, with enhanced customer due diligence requirements for crypto transactions
- Cash payment limits — EUR 10,000 cap on cash payments across the EU
- Beneficial ownership — expanded and harmonised registers across Member States
- AMLA — the new EU AML authority, based in Frankfurt, with direct supervisory powers over certain "selected obliged entities" and indirect oversight of others
AMLR will gradually apply from 10 July 2027, with AMLA starting operations in 2025-2026. For CASPs, the key practical implication is that AML compliance will become more harmonised across the EU — but also more demanding, with direct regulation rather than national interpretation.
Other relevant frameworks
Depending on your business model, additional regimes may apply:
Prospectus Regulation
Regulation (EU) 2017/1129 governs public offerings of securities. Relevant when your token is classified as a financial instrument.
Market Abuse Regulation (MAR)
Regulation (EU) No 596/2014 governs insider dealing, market manipulation, and disclosure for financial instruments. MiCA's Title VI provides crypto-specific parallel rules.
UCITS Directive
Directive 2009/65/EC governs UCITS funds. Relevant for tokenised retail funds.
GDPR
Regulation (EU) 2016/679 applies to processing personal data — including wallet addresses in certain contexts, KYC/AML data, and user identification.
Consumer Rights Directive
Directive 2011/83/EU establishes rules on distance contracts with consumers. Relevant to retail-facing crypto services.
DLT Pilot Regime
Regulation (EU) 2022/858 creates a temporary sandbox for DLT-based market infrastructures handling tokenised financial instruments.
2026 timeline and what's next
Key dates and developments to track in 2026:
| Date | Event |
|---|---|
| 30 June 2025 | End of grandfathering in Netherlands, Poland |
| 30-31 December 2025 | End of grandfathering in Germany, Spain, Austria, Ireland, Italy |
| April 2026 | AIFMD II transposition deadline |
| 1 July 2026 | End of MiCA grandfathering in full-period Member States (CZ, EE, FR, LU, MT) |
| 2026-2027 | PSD3 and Payment Services Regulation expected to apply |
| 10 July 2027 | Main application date of AMLR (with earlier AMLA setup) |
Looking further ahead, the EU has signalled additional regulatory priorities:
- MiCA II — potential extension of MiCA to cover currently-excluded areas like fully decentralised DeFi protocols, NFTs that don't meet the uniqueness test, and crypto lending
- Tokenisation and CMU — deeper integration of DLT in the Capital Markets Union, with further MiFID II amendments
- Digital Euro — the ECB's proposed retail CBDC could reshape the EMT landscape once implemented
Practical steps for founders
If you're a Web3 or fintech founder navigating EU compliance in 2026, a practical approach:
- Start with classification. What category does your token fall into (utility, EMT, ART, financial instrument, NFT)? This drives which regulatory regime applies.
- Map your services. Which of the ten CASP service categories in Article 3(1)(16) MiCA do you provide? Or are you outside CASP scope entirely?
- Identify all applicable frameworks. Don't stop at MiCA. Check MiFID II, TFR, DORA, PSD2, AIFMD, AMLR. Each may add obligations.
- Assess cross-border scope. Do you genuinely target only one Member State, or the whole EU? Passporting requires full MiCA authorisation.
- Plan the timeline. Authorisation work typically takes 6-15 months end to end. Work backwards from your target go-live date.
- Budget realistically. A full MiCA authorisation typically costs EUR 200,000-500,000 including legal, technology, and capital requirements. Stablecoin projects and custodial exchanges can run significantly higher.
- Engage specialists early. EU regulatory work is specialist territory. Generic corporate or tech lawyers typically lack the depth for MiCA/MiFID II boundary analysis, TFR implementation, or DORA compliance.
The EU's approach to crypto is strict but predictable. Once you understand the architecture, compliance becomes a project you can plan, budget, and execute — not a moving target. Projects that invest in regulatory infrastructure early find it becomes a competitive advantage: banking relationships, enterprise customers, and institutional partnerships all require it.