MiCA (Markets in Crypto-Assets Regulation) is the EU’s comprehensive framework for regulating crypto-assets, including stablecoins and crypto-asset service providers (CASPs).
Published in the Official Journal of the EU on 9 June 2023, most of the provisions of this regulation entered into force between 30 June 2024 and 30 December 2024, depending on the section.
Turkey is not an EU member, but MiCA will have significant implications where there are cross-border transactions, customers or other links with the EU.
The Markets in Crypto-Assets Regulation (MiCA) introduces uniform EU market rules for crypto-assets. The regulation covers crypto-assets that are not regulated by existing financial services legislation. The basic provisions for issuers and traders of crypto-assets (including asset-referenced tokens and e-money tokens) cover the transparency, disclosure, authorisation and supervision of transactions. The new legal framework will support market integrity and financial stability by regulating the public offering of crypto-assets and ensuring consumers are better informed about the relevant risks.
MiCA Implementing Measures
During the MiCA implementation phase, ESMA (in close cooperation with EBA, EIOPA and ECB) is consulting the public on a series of technical standards to be published in three packages in sequence. The aim is to present draft Level 2 and 3 measures incorporating feedback from the public as soon as possible. The date on which the measures will enter into force depends on their adoption by the European Commission and approval by the European Parliament and the Council of the EU.
Although MiCA is not derived directly from ISO standards, it is built on international best practices. Companies falling under the scope of MiCA (e.g. crypto-asset service providers, exchanges, custodians, stablecoin issuers) that wish to comply will therefore find that adopting certain ISO standards both facilitates compliance and increases credibility with regulators. From an ISO perspective, such companies can easily work through the compliance process using the following standards. Some of these standards are merely guidelines, while others can be certified by UKAS or IAS. We have compiled the standards for you according to the area in which you wish to apply them:
Management and Corporate Governance
- ISO 37000: Guidance on Anti-Bribery Management Systems
- ISO 37301: Compliance Management Systems
- ISO 31000: Risk Management
Information Security and Cyber Security
- ISO/IEC 27001: Information Security Management System
- ISO/IEC 27002: Code of Practice for Security Controls
- ISO/IEC 27017: Cloud Security
- ISO/IEC 27018: Protection of Personal Information in the Cloud
- ISO/IEC 27701: Privacy (Critical for GDPR compliance)
MiCA requires the protection of customer assets, measures against cyber attacks, and the protection of personal data. ISO 27001 and 27701 are the most commonly used frameworks for meeting these requirements.
Business Continuity and Resilience
- ISO 22301: Business Continuity Management System
- ISO/IEC 27031: IT Security Management System
Financial Controls and Quality
- ISO 9001: Quality Management System
- ISO 20000-1: IT Service Management System
- ISO 22316: Business Resilience
Anti-Money Laundering (AML) and KYC
ISO has not published a standard specifically for AML/KYC; however, the following standards are beneficial in designing a holistic structure:
- ISO 37001: Anti-Bribery Management System
- ISO 37301: Compliance Management
- ISO/TC 307 Blockchain standards (particularly for identity verification and traceability in crypto asset transactions)
Market Abuse and Transparency
- ISO 37002: Whistleblowing Management System
- ISO 19600 (predecessor to ISO 37301)
Environmental and Sustainability Dimension
MiCA does not directly mandate ESG (Environmental, Social, Governance) standards, but the following standards are relevant in connection with the EU’s Green Deal:
- ISO 14001: Environmental Management System
- ISO 26000: Social Responsibility
- ISO 50001: Energy Management System
Roadmap for Management System Compliance Timeline
- 0–3 months → Gap analysis + compliance strategy
- 3–9 months → ISO 27001/27701 implementation + 22301 business continuity plans + 37301 compliance system
- 9–12 months → MiCA-compliant white paper/customer information documents + completion of AML/KYC processes
- After 12 months → Internal audit, regular reporting, continuous improvement and certification audit
This roadmap establishes a robust compliance framework by integrating MiCA’s requirements for licensing, transparency, risk management, and customer protection with the proven methodologies of ISO standards.