Joonas Ilmasti
← Back to blog

MiCA and the Bitcoin-only business

What Europe's crypto rulebook actually changes for operators who only care about one asset.

Joonas IlmastiRegulation3 min read

The Markets in Crypto-Assets regulation has been in force long enough that most of the early panic has settled. What's left is the work: the unglamorous, jurisdiction-by-jurisdiction work of fitting a Bitcoin-only product into a framework built mostly with everything else in mind.

If you run a Bitcoin-only exchange, custody product, payments rail, or merchant-services business in Europe, here is the short version of what to internalise.

What MiCA does (and doesn't) apply to

MiCA was designed around three categories of cryptoasset: asset-referenced tokens, e-money tokens, and "other" cryptoassets. Bitcoin sits in that last bucket, and the regulation does not impose token-issuer obligations on it. There is no Bitcoin "issuer" to comply, by design.

What MiCA does regulate, even for Bitcoin-only operators, is the service provision around it. If you offer custody, exchange, transfer, advice, portfolio management, or placement of cryptoassets in the EU, you are a Crypto-Asset Service Provider, and the CASP authorisation regime applies in full.

That is the lever. The asset is permissionless. The service provider is not.

What changes for builders

A few practical consequences I see most often in current engagements:

  • Authorisation is real work, not a paperwork exercise. Capital requirements, governance, custody segregation, conflict-of-interest policies, complaints handling, ICT risk: the regulator will read what you write and ask you about it.
  • Passporting is genuinely useful. Authorisation in one Member State extends to the whole EU. For small Bitcoin-only operators this is the single biggest structural advantage MiCA offers; it didn't exist this cleanly before.
  • Travel Rule (TFR) is the operational hot stone. Most enforcement attention I've seen since application has focused here, not on the more abstract MiCA provisions.
  • Sound money still gets you no extra credit. Regulators do not, generally, care about your monetary philosophy. They care about whether your customer-asset segregation is what your policy says it is.

How to think about the next twelve months

Treat MiCA the way you treated GDPR: a slow, structural shift that punishes lateness more than imperfection. The companies that did well with GDPR were the ones that started early, kept their documentation honest, and built a working relationship with their lead supervisor.

The same approach works here. Pick your lead jurisdiction with care, do the work in front of regulators rather than around them, and build the compliance function as a feature of the product, not a tax on it.