MiCAR Transitional Period for Crypto-Asset Service Providers Expires: What Luxembourg Market Participants Need to Know Now
Introduction
In March 2026, we published a client alert1 examining the Commission de Surveillance du Secteur Financier’s (CSSF) updated FAQ on crypto assets in investment funds and the key changes since the initial 2022 guidance. That alert highlighted, among other things, the new obligation on investment fund managers (IFMs) to assess their crypto-asset-related activities against article 60(5) of the EU Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) (MiCAR), a provision that was set to increase in importance as the MiCAR transitional period drew to a close.
That moment has now arrived. The 18-month transitional period granted under article 143(3) of MiCAR to entities already providing crypto-asset services under applicable national law expired on 1 July 2026.2 As of today, any entity providing MiCAR-regulated crypto-asset services in Luxembourg without a valid authorisation is operating outside the law.
This alert sets out the key implications for Luxembourg market participants.
The Transitional Period: A Brief Recap
MiCAR became fully applicable across the European Union on 30 December 2024.3 Article 143(3) allowed entities already providing crypto-asset services in compliance with applicable national law to continue doing so for a period not exceeding 18 months (i.e. until 1 July 2026) without holding a MiCAR crypto-asset service provider (CASP) authorisation. In Luxembourg, the primary beneficiaries of this transitional regime were entities registered as virtual asset service providers (VASPs) under the law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the 2004 AML Law). In anticipation of the expiry of that period, the European Securities and Markets Authority (ESMA) issued a public statement on 23 June 2026 setting out its expectations for how unauthorised CASPs should manage the transition.4
What Has Now Changed?
Former VASPs
VASP registration under the 2004 AML Law is no longer a sufficient basis on which to provide crypto-asset services within the scope of MiCAR. Entities must either hold a full CASP authorisation under article 62 of MiCAR5 or, where they qualify as a regulated financial entity, have completed the notification procedure under article 60 of MiCAR.6
Wind-Down Obligations for Unauthorised CASPs
ESMA expects unauthorised CASPs to take immediate steps to wind down their EU activities in an orderly manner whilst safeguarding clients’ interests and mitigating risks to market integrity. In particular, unauthorised CASPs must: (i) immediately stop onboarding new EU clients and cease marketing activities; (ii) limit the provision of services to actions necessary to sell or transfer crypto assets, reallocate assets or close positions; and (iii) communicate clearly, promptly and repeatedly with clients about wind-down plans, including a deadline by which any residual positions would be closed automatically. Wind-down arrangements must be implemented in compliance with all relevant EU or national conduct laws and anti-money laundering/combating the financing of terrorism obligations throughout the process. ESMA further reminds CASPs established outside the European Union that they cannot provide MiCAR services to EU clients, and MiCAR prohibits CASPs from outsourcing or delegating certain services (notably custody) to entities that are not authorised as CASPs.
IFMs and Depositaries
As highlighted in our March 2026 alert, IFMs must analyse the services they perform in connection with crypto assets against the activities listed in article 60(5) of MiCAR,7 as this may trigger additional authorisation or notification obligations over and above existing fund management authorisations. In addition, where a fund or IFM has appointed a CASP as custodian under Model 1 of the depositary framework,8 it must now verify that the appointed service provider holds a valid MiCAR CASP authorisation. This is not a merely formal requirement: under Model 1, liability for crypto-asset restitution rests directly with the appointed CASP rather than with the depositary, meaning that the regulatory status of the appointed CASP translates immediately into a fund-level risk.
Credit Institutions
Those providing crypto-asset services should confirm whether they have completed the article 60 notification9 or hold a stand-alone CASP authorisation, as applicable.
What Should You Do Now?
The expiry of the transitional period warrants a careful review of existing arrangements. In particular, you should do the following:
- Verify that any appointed CASP holds a valid MiCAR authorisation. VASP registration alone is no longer sufficient.
- Verify whether your CASP is authorised under MiCAR using the ESMA Register,10 and act promptly where this is not the case, including by transferring crypto assets to an authorised CASP or to a self-hosted wallet.
- As an IFM, conduct or revisit your analysis under article 60(5) of MiCAR without delay.
- As a depositary, determine which custody model applies and ensure all required CSSF notifications have been submitted.
- Review service agreements with crypto-asset counterparties and fund documentation for MiCAR compliance.
Why This Matters for You
The expiry of the MiCAR transitional period marks a hard regulatory boundary for the Luxembourg crypto-asset market. Entities that were relying on VASP registration to provide services that fall within the scope of MiCAR are now operating without a valid legal basis, and the consequences—including supervisory action by the CSSF and potential civil liability to clients—are immediate. There is no grace period beyond 1 July 2026.
For investment funds, IFMs and depositaries, the implications are equally direct: the regulatory status of any appointed CASP is now a live fund governance and risk management issue, not a matter that can be deferred to the next periodic review cycle. Acting promptly to verify authorisation status, revisit service agreements and update fund documentation is essential to avoiding both regulatory exposure and reputational risk. It should be noted that although, in the case of indirect investments into crypto-funds (e.g. exchange-traded funds), IFMs are not required to apply for a “Other-Other Fund-Crypto-assets” licence; they have to undertake an assessment of the ability of such crypto funds’ managers to identify and manage the risks pertaining to investments in crypto assets.
Our Investment Funds practice group and Finance practice team advises fund managers, depositaries and institutional investors on Luxembourg fund law and the evolving crypto-asset regulatory framework.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.