July 1, 2026 marks a pivotal moment for the crypto market in the European Union: the end of the transitional period provided for in Regulation (EU) 2023/1114 on crypto-asset markets, known as MiCA. After this date, crypto-asset service providers serving EU clients will no longer be able to operate under previous national regimes, but only if they hold a valid MiCA authorization.
In Romania, according to the latest estimates, the measure directly affects approximately 600,000 cryptocurrency investors.
Entities that were registered with the ONPCSB before December 30, 2024, under the old pre-MiCA notification regime, may continue to operate under national rules until July 2026, but must already comply with MiCA standards for governance, AML, and cybersecurity.
What will change as of July 1, 2026?
According to ESMA, the MiCA transitional period will expire on July 1, 2026. From that date, crypto service providers that have not obtained MiCA authorization will no longer be able to continue operating with EU clients. The mere existence of an authorization application still under review is not sufficient to continue providing services after the transitional period expires.
ESMA emphasizes that unauthorized providers must have orderly wind-down plans prepared and implemented. These plans must enable an orderly exit from the market without causing undue economic harm to clients—through prior notification of clients, the transfer of crypto-assets to a MiCA-authorized provider or to a self-hosted wallet, as well as the closure of positions or accounts under transparent conditions.
At the European level, on February 27, 2026 (public information released on May 28, 2026), ESMA provided stricter clarifications regarding how crypto platforms must manage and protect client assets, prohibiting certain practices that could diminish users’ control over digital assets.
Customer migration and the obligations of authorized providers
An important point highlighted by ESMA concerns the migration of clients to authorized entities. Providers that have obtained MiCA authorization must actively manage the process of taking over existing clients before July 1, 2026, by applying robust onboarding procedures, including conducting the necessary checks from an AML/CFT perspective.
This migration must not be used to allow unauthorized entities to indirectly continue their activities. National authorities will ensure that unauthorized providers, including entities within the same group, do not continue “business as usual” activities after the transitional period expires.
ESMA also draws attention to entities established outside the European Union. Apart from the limited exception for reverse solicitation, they may not provide crypto services falling under MiCA to EU investors and may not solicit EU clients for the provision of such services. This rule applies to business-to-business relationships as well.
Risks for Unauthorized Providers
Providing crypto services without the necessary authorization may result in administrative measures and significant penalties. Depending on the nature of the violation and applicable national legislation, these may include cease-and-desist orders, public statements regarding the violation, as well as hefty administrative fines.
Furthermore, the lack of authorization can have immediate commercial consequences: the inability to serve EU customers, damage to relationships with banking and institutional partners, as well as significant reputational risks.
Passporting of Services in the EU and Romania
The MiCA regime provides a significant advantage for authorized providers: the “passporting” mechanism. An authorized provider in one Member State may provide services in other EU Member States without having to apply for separate authorizations in each jurisdiction. In practice, large platforms already operating in Romania use this mechanism—a platform fully licensed under MiCA in a Member State such as Ireland or Luxembourg can automatically use it to serve customers in Romania.
At the same time, all platforms active with Romanian users, regardless of where they are licensed, are required to report transactions annually to ANAF.
At the same time, authorization entails substantial requirements: adequate internal governance, compliance procedures, prudential requirements, policies regarding conflicts of interest, protection of client assets, complaint resolution mechanisms, as well as business continuity and orderly winding-down plans.
What does this deadline mean for users?
For users of crypto services, July 1, 2026, may have direct consequences. If the service provider they use is not MiCA-authorized, it may be required to suspend services, restrict access for EU customers, transfer assets to an authorized entity, or terminate the contractual relationship.
ESMA recommends that investors verify whether the provider is listed in the relevant official registers and, above all, identify exactly which legal entity they are contracting with. The protection provided by MiCA applies to the authorized entity within the Union, not automatically to all companies within the same group or to entities outside the EU operating under the same brand.
If the provider is not authorized, users should act promptly, including by transferring crypto-assets to an authorized provider or to a self-hosted wallet, or by closing positions, as appropriate. Continuing the relationship with an unauthorized provider may entail a lower level of legal protection and a higher risk of losing access to assets.
Conclusion
Starting July 1, for crypto operating entities, MiCA authorization becomes an essential condition for conducting business legally and sustainably in Romania and the EU. For users, verifying the status of the provider and the contracting legal entity becomes a necessary practical measure to protect their assets and rights.
Authors:
Ioana Chiper Zah
Tatiana Țapu