- Spain has extended its MiCA transition period to 1 July 2026 and is actively processing CASP applications through the CNMV.
- Malta remains in the final stage of transition but is facing increased scrutiny from ESMA over its supervisory approach.
- Cyprus has moved fully from AML registration to MiCA licensing, with all crypto firms required to secure authorisation by 1 July 2026.
- Italy has combined MiCA implementation with significant tax reforms, including a 33% crypto capital gains tax from 2026.
When MiCA entered into force across the European Union, it promised a harmonised regulatory framework for crypto businesses. The goal was straightforward: replace fragmented national regimes with a single rulebook, a common licensing framework, and the ability for authorised firms to passport their services across the EU and EEA.
While that legal framework now exists, implementation continues to vary across Member States. Regulators are applying MiCA at different speeds, transitional periods are ending on different timelines, and supervisory expectations continue to reflect local regulatory cultures.
Southern Europe provides one of the clearest examples of this divergence.
At the same time, DAC8 is introducing a new layer of reporting obligations across the region. For crypto-asset service providers (CASPs), compliance is no longer limited to obtaining a licence. Firms must also prepare for tax reporting, customer due diligence requirements, and increased regulatory oversight.
The result is a regulatory landscape that is becoming increasingly focused on execution. The rules may be harmonised, but the practical experience of obtaining and maintaining a licence remains highly jurisdiction-specific.
Spain:
Spain continues to position itself as one of Europe's most advanced MiCA jurisdictions.
The country's regulator, the National Securities Market Commission (CNMV), is now the sole competent authority for CASP authorisation and supervision. The Bank of Spain stopped accepting new crypto registrations at the end of 2024, leaving the CNMV as the central point of contact for applicants.
One of the most significant developments since late 2025 was Spain's decision to extend its transitional period from 12 months to the full 18 months permitted under MiCA. This moves the deadline to 1 July 2026 and makes Spain the only EU Member State to extend its transition period rather than shorten it.
The CNMV has also published a detailed MiCA Q&A and an extensive applicant handbook, signalling that the regime has moved beyond policy discussions and into practical supervision. Applicants should expect a substantial application process covering governance, risk management, cybersecurity, shareholder structures, and anti-money laundering controls.
Spain has also implemented DAC8 reporting requirements from 1 January 2026. Crypto firms must report customer transactions, balances, and asset movements to the Spanish tax authority, with the first reporting cycle covering activity from 2026 onward.
Malta:
Malta remains one of Europe's most established crypto jurisdictions, but the regulatory environment has become more demanding.
The country opted for the full 18-month MiCA transitional period, allowing eligible providers to continue operating under previous arrangements until 1 July 2026. As a result, Malta is currently focused on moving existing operators into the MiCA framework before the deadline expires.
The Malta Financial Services Authority (MFSA) has already built a comprehensive MiCA infrastructure, including rulebooks, authorisation procedures, reporting requirements, and supervisory frameworks. Compared with many Member States, Malta entered the MiCA era with considerable experience regulating digital asset businesses.
However, the regulatory narrative has shifted. ESMA recently conducted a peer review of a Maltese CASP authorisation and identified weaknesses in areas including governance, conflicts of interest, supervisory history, and technology risk assessments.
This does not diminish Malta's importance as a crypto hub, but it does mean that firms should not assume authorisation will be easier than elsewhere. The direction of travel is towards greater supervisory scrutiny and stronger compliance expectations.
Cyprus:
Cyprus has undergone one of the most significant regulatory transformations in the region.
For several years, crypto businesses operated under an AML registration framework supervised by the Cyprus Securities and Exchange Commission (CySEC). That system ended in October 2024 when CySEC stopped accepting new registrations and began transitioning the market toward MiCA authorisation.
Since November 2024, CySEC has accepted MiCA applications, and all CASPs operating in or from Cyprus must obtain authorisation under the new framework. Existing firms that failed to apply by 27 February 2026 must cease operations by 1 July 2026 and submit a wind-down plan.
The licensing requirements are extensive. Applicants must demonstrate robust governance arrangements, cybersecurity controls, risk management frameworks, and fit-and-proper assessments for shareholders and management. Businesses are also required to maintain a genuine presence in Cyprus through local incorporation, physical offices, and local staff.
Following authorisation, firms face ongoing obligations including annual fees, compliance reporting, anti-money laundering controls, customer due diligence procedures, and notification of material business changes.
At the time of writing, Cyprus has granted 11 MiCA licenses in total. These include Zero21 Ltd, Unlimit Crypto Ltd, Tria Bridge Ltd, Ronin Em Ltd, Noemon Tech Ltd, Naga X Ltd, Montes Auri Ltd, Krypto Knight Ltd, J2TX Ltd, ComplyCrypto Depository EU Ltd, and A.E. Talos Cyprus Ltd.
Italy:
Italy has taken a different path by combining MiCA implementation with substantial changes to crypto taxation.
The country's MiCA framework is supervised through CONSOB and the Financial Intelligence Unit, with crypto service providers required to comply with local registration and reporting requirements. One of the most significant operational requirements is that firms must maintain a local presence in Italy. Pure cross-border operations are no longer permitted, requiring EU firms to establish an Italian permanent establishment and non-EU firms to incorporate locally.
Alongside these regulatory changes, Italy has introduced major tax reforms affecting both investors and service providers.
The most notable change is the increase in the crypto capital gains tax rate from 26% to 33% beginning in 2026. The previous €2,000 exemption threshold has also been removed, meaning all gains are now taxable regardless of size.
Additional restrictions limit the use of crypto losses, which can no longer be offset against gains from traditional securities. Self-custody users must continue to report holdings through annual tax filings, while a 0.2% annual stamp duty applies to qualifying holdings.
For many businesses and investors, Italy's tax changes may prove just as significant as its MiCA implementation.
The DAC8 Challenge
Across Southern Europe, MiCA is only one part of the compliance equation.
DAC8 reporting requirements are now being implemented across the region, creating new obligations around customer identification, transaction reporting, tax residency collection, and cross-border information sharing.
For CASPs, this means compliance programmes must extend beyond licensing requirements. Firms need systems capable of managing both regulatory supervision under MiCA and tax reporting obligations under DAC8.
As regulators continue to strengthen oversight, the distinction between licensing compliance and tax compliance is rapidly disappearing.
Conclusion
Spain, Malta, Cyprus, and Italy demonstrate that MiCA may have created a common European rulebook, but implementation still reflects national priorities and regulatory cultures.
Spain is focused on orderly authorisation and active supervision. Malta is balancing its crypto-friendly reputation with growing regulatory scrutiny. Cyprus has completed its transition from registration to licensing, while Italy has paired MiCA implementation with sweeping tax reforms that reshape the economics of crypto investing and operations.
For CASPs, the key challenge is no longer preparing for MiCA. It is navigating a landscape where licensing, supervision, tax reporting, and operational compliance are increasingly interconnected. As the final transition deadlines approach, firms that treat MiCA as a one-time licensing exercise risk overlooking the broader regulatory obligations that now define crypto business operations across Southern Europe.
.svg){kind=icon}
.png)
.jpg)
.jpg)
.jpg)
.jpg)
.png){kind=logo}
.jpg)
.JPEG)
%20(1).jpg)
.png)
.jpg)
.jpg)
.jpg)
.png)
.png)
.png)
.jpeg)
.jpg)
