Feb 9, 2026

Review of MiCA Regulation in the Czech Republic in 2026


By 2026, the EU Markets in Crypto-Assets Regulation (MiCA) isn’t a framework companies are “getting ready for.” It’s the baseline rule set for legally running a crypto-asset business across the European Union. The old playbook — operating in gray zones, relying on basic registrations, using “light-touch” setups, or postponing compliance until after launch — has largely stopped working in real-world supervision and banking.

MiCA became applicable in steps. Requirements for asset-referenced tokens (ARTs) and e-money tokens (EMTs) started applying on June 30, 2024. The broader operational regime — including authorisation requirements for Crypto-Asset Service Providers (CASPs) and most conduct and governance obligations — has applied since December 30, 2024.

In the Czech Republic, supervisory practice has settled into a clear pattern: regulators are less interested in how polished policies look and more focused on whether controls actually function in daily operations. Supervisors assess governance, AML/CFT measures, client-asset safeguarding, and ICT/operational resilience as living systems that must operate continuously — not as filing-date paperwork.

What you’ll take away from this guide

  • Why MiCA in Czechia in 2026 is an operating standard, not a one-off licensing milestone
  • How ČNB authorisation works in practice: scope-based permissions, the Czech transitional window, and the real timelines for legacy providers versus brand-new entrants
  • What falls inside MiCA and what does not: which service lines trigger CASP status, how ART/EMT regimes interact with the service-provider framework, and where the boundaries are
  • What supervisors pressure-test during reviews and inspections: governance and “fit & proper,” financial soundness, AML/CFT execution, safeguarding mechanics, plus ICT and outsourcing controls aligned with DORA-type expectations
  • What typically triggers enforcement in 2026: unauthorized activity, scope drift beyond approved permissions, material control failures — and how those issues quickly spill over into banking and partner relationships

2026 Reality: MiCA as the Operating Standard (Not a “Transition Phase”)

MiCA created a unified European Union framework that governs (i) the provision of regulated crypto-asset services and (ii) the issuance and ongoing maintenance of certain token types. By 2026, the practical implication is blunt:

If you provide regulated crypto-asset services, you need authorisation — and you need an operating model that can withstand supervision at a level broadly comparable to regulated financial services.

Supervisory attention has shifted toward “prove it works” themes, including:

  • Decision-making reality: whether true control persons and accountable managers run the business, rather than nominal directors;
  • AML/CFT execution: whether the firm embeds AML controls into real transaction flows and customer journeys (onboarding → monitoring → escalation), rather than siloing them in documents;
  • Safeguarding in practice: whether client asset protection exists as enforceable technical and operational mechanisms (segregation, access control, reconciliation), not a policy paragraph;
  • ICT and outsourcing control: whether the firm governs technology risk, vendor reliance, incident response, continuity, and testing, documents them, and maintains DORA-style evidence.

MiCA also enables EU passporting after authorisation. But operationally, passporting rarely makes life easier: it increases visibility, raises expectations around governance and reporting, and puts cross-border consistency under the microscope.

Czech Transitional Regime: Finite, Conditional, and Commercially Sensitive

A Czech-specific feature in 2026 is the transitional (“grandfathering”) window for providers that were operating under a trade licence before MiCA took full effect.

ČNB indicates that a firm which provided “services related to virtual assets” under a trade licence before December 30, 2024, and filed its MiCA CASP application by July 31, 2025, may continue operating until the authorisation decision becomes final — but in any case not beyond July 1, 2026.

What that means operationally in 2026

Legacy providers may remain active during the authorisation procedure, but only within the transitional boundaries and only if they filed on time and stay inside the permitted operating model.

New entrants do not get this runway. They are expected to be MiCA-ready from day one and cannot treat licensing as a “we’ll build compliance later” exercise.

This difference matters commercially. Banks, payment partners, and institutional counterparties usually treat “transitioning but pending” firms differently from firms with no licence at all. By 2026, they show little tolerance for activity outside the regulated perimeter — especially when the firm touches client assets or runs exchange flows.

MiCA Authorisation in 2026: Activity Drives the License

Under MiCA, what you actually do determines your authorisation — not your marketing, not your legal form, and not your future roadmap. Regulators structure the regime as a service menu: the competent authority approves specific activities, and the firm must operate strictly within that perimeter.

In the EU (including the Czech Republic), regulated entities typically fall into two buckets:

  1. CASPs — firms providing regulated crypto-asset services;
  2. Token issuers — entities issuing ARTs or EMTs, each with a dedicated prudential and supervisory regime.

Scope discipline is the key enforcement line

A CASP may perform only the activities that its authorisation explicitly states. If the firm expands into an additional service line without approval, regulators treat that expansion as unauthorised activity — even if it happens gradually, even if volumes stay small, and even if the firm calls it “incidental.”

From a supervisory standpoint, scope creep (doing more than what was approved) triggers intervention faster than almost anything else in 2026.

Typical regulated service lines under MiCA include (simplified, non-exhaustive)

  • Custody / administration of client crypto-assets (including control over keys or wallet access).
  • Exchange services (crypto-to-fiat and crypto-to-crypto), whether as principal, broker, or platform operator depending on structure.
  • Operating a trading platform or similar market infrastructure (matching, order books, venue rules).
  • Executing orders for crypto-assets (including routing and execution logic).
  • Receiving and transmitting orders (order handling without necessarily executing in-house).
  • Placing crypto-assets (distribution-related activity, depending on model).
  • Transfer services for crypto-assets (moving assets between addresses/wallets under a service model).
  • Advice and portfolio management, where the service is provided in an investment-like manner and captured by MiCA’s conduct expectations.

ARTs and EMTs: “Stable Value” Triggers a Different Supervisory Lens

MiCA treats stable-value token models separately from service providers because the risk profile is different: redemption expectations, reserve integrity, consumer exposure, and the potential for stress events require tighter controls.

Asset-Referenced Tokens (ARTs)

ARTs are designed to maintain value by referencing one or more assets or rights, excluding EMTs. In practical terms, ART structures often resemble stablecoin models backed by:

  • baskets of fiat currencies,
  • commodities,
  • other assets,
  • combinations of the above.

Supervisory focus typically lands on reserve governance, custody and segregation arrangements, valuation methodology, liquidity planning, and redemption mechanics — especially under adverse market conditions.

E-Money Tokens (EMTs)

EMTs aim to maintain a stable value by referencing a single official currency (e.g., the euro or the U.S. dollar). Regulators supervise EMT issuers under a framework broadly comparable to electronic money institutions, with enhanced requirements for:

  • capital and prudential buffers,
  • guaranteed redemption rights,
  • reserve management and safeguarding,
  • consumer and payment-user protection standards.

Scope Boundaries: Where MiCA Stops

MiCA applies to crypto-assets understood as digital representations of value or rights transferred and stored using distributed ledger technology or similar systems. But it also draws clear boundary lines.

  • NFTs are generally outside MiCA where they are genuinely unique and non-interchangeable (and not structured to mimic fungible or investment-like instruments).
  • Financial instruments remain governed by existing EU financial regulation (e.g., MiFID II), not by MiCA — meaning classification errors can place a business under the wrong regime.

These exclusions matter in real supervision. Regulators don’t view misclassification as a minor technicality when it pushes a firm into the wrong authorisation or the wrong control framework.

Choosing the Right Authorisation in 2026

For firms operating in Czechia (and potentially across the European Union), the authorisation strategy should start with the operating model, including:

  • the exact services delivered to clients and how they are delivered,
  • whether the business touches custody or exercises control over client assets,
  • where exchange activity sits (principal, broker, platform),
  • how custody, key management, and transaction execution are organized,
  • technology architecture and third-party reliance (outsourcing),
  • long-term business and scaling model.

Regulators treat operating without the correct authorisation — or outside the approved scope — as unauthorised financial activity, which may trigger enforcement measures, financial penalties, loss of banking support, and restrictions on market access.

Minimum Capital Requirements (CASPs): Linked to Risk Profile

MiCA ties minimum initial capital to the risk intensity of the authorised activity. In practice, supervisors look beyond the day-one threshold and evaluate whether capital and prudential safeguards remain adequate as operations scale, volumes increase, and AML/CFT exposure evolves.

€50,000 — Non-Custodial CASP models

Generally relevant where the firm does not hold or control client assets. Examples include models focused on advice, order reception/transmission, and certain placement functions (where applicable).

Operational and compliance risk typically drive the prudential risk profile more than custody risk, but supervisors still expect a credible control environment and strong governance.

Typically relevant where the firm holds or controls client assets (custody/administration) and/or provides crypto-to-fiat or crypto-to-crypto exchange services.

Higher capital expectations reflect the need to support:

  • effective safeguarding and segregation controls,
  • reconciliation discipline and operational reliability,
  • resilience against fraud, error, or process breakdowns,
  • higher AML/CFT exposure driven by transaction flows.

€150,000 — Trading platforms and market operators

Typically relevant for operators of trading platforms and market infrastructure functions.

This category faces the highest CASP capital requirement due to increased exposure to:

  • market integrity and fair/orderly trading requirements,
  • operational resilience expectations (continuity, incident response, availability),
  • market abuse prevention and surveillance obligations.

Capital is reviewed alongside governance, control design, and the firm’s ability to monitor and manage platform activity.

Token Issuers: Separate Prudential Regimes

ART issuers — €350,000 or 2% of reserve assets

ART issuers must maintain minimum own funds of €350,000 or 2% of reserve assets (whichever is higher). This is designed to address risks around reserve custody, valuation and liquidity volatility, operational stability, and redemption pressure.

EMT issuers — 2% of average outstanding e-money (with adjustment)

EMT issuers generally must hold capital equal to at least 2% of the average outstanding e-money in circulation. Where issuance is uncertain, projections may be permitted, and supervisors may adjust the requirement upward or downward by up to 20% depending on risk profile.

Ongoing Prudential Compliance: Not a One-Time Test

Under MiCA, capital adequacy is not “pass/fail at licensing.” Licensed entities are expected to maintain prudential compliance continuously.

Capital requirements may be met through one or a combination of:

  • own funds (including high-quality capital after deductions), and/or
  • an insurance policy or comparable guarantee covering the EU territories where services are provided.

If a firm fails to maintain adequate capital or prudential safeguards, supervisors may impose corrective measures, restrict activities, or withdraw authorisation. Firms typically address related financial planning obligations (budgeting, reporting discipline, forecasting) within the broader MiCA business and financial planning framework.

Requirements for MiCA Authorisation in the Czech Republic in 2026

MiCA authorisation in Czechia hinges on two things: (1) what you are (a CASP versus a token issuer) and (2) what you actually plan to do — i.e., the precise set of regulated activities you intend to perform. The competent authority grants permissions only within the approved scope, and the review functions as an operational readiness assessment — not a “paperwork check.”

Before filing, firms should translate their real operating model into MiCA language: map current and planned services to the regulated activity menu and lock the correct scope. Scope errors are a frequent cause of questions and delay — for example, describing the model as “non-custodial” while the technical design still implies control over client assets.

In practice, applications are usually assessed across five core pillars:

  1. Prudential safeguards (capital / insurance / financial sustainability)
  2. Governance and substance (fit & proper, accountability, independence of controls)
  3. AML/CFT effectiveness (risk-based framework that works in reality)
  4. Safeguarding (client assets and client funds protected in practice)
  5. ICT & operational resilience (including outsourcing administration aligned with DORA-type expectations)

Management and Fit & Proper: Directors and Shareholders

Competent authorities look closely at who owns the firm and who runs it — not only whether they are formally eligible, but whether the governance structure will hold up in day-to-day supervision in 2026.

Directors: typical expectations

Directors are generally expected to:

  • show good reputation and relevant competence for crypto/financial services operations
  • have no relevant criminal convictions, especially related to AML/TF, fraud, or integrity offenses
  • commit sufficient time to perform the role effectively
  • set up a management structure capable of real oversight and meaningful engagement with supervisors

Qualifying shareholders: typical expectations

Supervisors subject shareholders with qualifying holdings to enhanced scrutiny and require them to:

  • demonstrate good reputation and absence of relevant criminal convictions
  • provide a transparent, lawful, and verifiable source of funds / source of wealth, supported by documentation and a clear economic rationale
  • disclose the full ownership and control chain (including indirect holdings), history of control, and potential conflicts of interest
  • disclose political exposure (PEP-linked structures generally trigger enhanced due diligence)
  • confirm their influence will not undermine the sound and prudent management of the institution

Where supervisory concerns arise, authorities may request remediation, impose conditions, limit influence, or apply administrative measures.

Substance and Key Functions: Built to Work, Not to Look Good

Applicants must demonstrate an organisational setup that supports:

  • clear segregation of duties,
  • independent control functions,
  • consistent management oversight.

Supervisors do not rely on org charts alone. They evaluate whether the firm assigns adequate staff, funding, and decision authority to these functions so they can operate effectively.

Key functions (indicative; depends on scope and risk)

The structure should be proportional to the business model, authorised activities, and risk profile. Common functions include:

  • AML/CFT function (AML Officer / Responsible Person)
    Owns the AML/CFT framework, risk assessment, KYC/KYB, monitoring logic, control design, and effectiveness testing.
  • MLRO / suspicious reporting function (where applicable)
    Performs independent review, investigation, escalation, and SAR/STR reporting, with traceable documentation.
  • Risk management
    Identifies and monitors operational, prudential, compliance, and outsourcing risk; maintains a framework proportionate to the activity class.
  • Compliance function
    Tracks MiCA and related obligations, manages compliance risk, monitors breaches, and maintains policy governance.
  • Finance (CFO / finance function)
    Capital monitoring, prudential safeguards, budgeting, forecasting, and readiness for regulatory financial reporting.
  • ICT security / information security (CISO or equivalent)
    Cyber governance, ICT risk controls, incident response coordination, and resilience testing consistent with MiCA expectations and DORA principles.
  • Management / directors
    Strategy, governance, and executive oversight; supervisors expect documented routines and accountable decision-making.
  • Operations / service delivery
    Client lifecycle workflows, reconciliations, complaints handling, incident coordination, and day-to-day control execution.
  • Technology (CTO / head of IT)
    Architecture, secure development, infrastructure stability, system integrity, and third-party integrations.

Depending on complexity, supervisors may expect additional functions (e.g., internal audit, data protection, outsourcing oversight, customer support, and—where relevant—market surveillance for platforms). In 2026, supervisors pay particular attention to whether control functions have real authority and independence, especially in custody, exchange, and platform models.

Documentation Package: Consistency Beats Volume

A strong MiCA file is not the longest one — it is the most internally consistent and evidence-based. Documents should reflect actual operations and must not contradict each other across sections.

Typical document set (indicative)

Corporate, ownership, and governance

  • incorporation and group documents; ownership/control chain
  • governance framework: roles, reporting lines, committees, decision-making
  • conflicts of interest policy; outsourcing governance policy

Programme of operations / business model

  • description of regulated services and requested scope
  • target markets, client types, geographic footprint
  • delivery channels (web/mobile/API), workflows, key processes
  • outsourcing map and third-party dependencies

Prudential and financial

  • prudential safeguards model (own funds / insurance or comparable guarantee)
  • funding sources and source-of-funds evidence
  • projections, stress scenarios, budgeting and financial controls
  • financial reporting readiness

AML/CFT

  • AML/CFT risk assessment
  • KYC/KYB and monitoring workflows, escalation routes
  • appointment, resourcing, and independence of AML/MLRO functions
  • training plan and effectiveness testing methodology

Risk, safeguarding, and operational controls

  • safeguarding policy plus technical implementation (segregation, wallet design, key controls)
  • reconciliations, incident handling, complaints handling
  • operational risk and incident response procedures

ICT, cybersecurity, and resilience (MiCA & DORA-aligned)

  • ICT risk framework, cybersecurity controls, access management
  • incident response and reporting logic
  • BCP/DR plans and testing calendar
  • penetration testing / independent reviews (proportionate to risk)
  • third-party risk governance and contractual controls

Individuals and evidence pack

  • CVs, qualifications, integrity documentation, criminal record certificates (where required)
  • evidence of readiness: system descriptions, process maps, logs/monitoring outputs (where available)
  • banking/service-provider arrangements where relevant to safeguarding and continuity

Regulators typically place extra weight on the Business Plan, Financial Plan, and Accounting Strategy; the next sections cover each one.

Business Plan, Financial Plan, and Accounting Strategy (Three-Year Horizon)

Supervisors typically require CASP applicants to submit a coherent three-year package that lets them evaluate resilience, sustainability, and operational reliability.

Business Plan (Programme of Operations)

Should cover:

  • business strategy and organisational structure (including group relationships where relevant)
  • target markets, customer categories, and geographic coverage
  • delivery channels (platforms, apps, APIs) and process overview
  • staffing and resource model aligned to volumes and risks
  • outsourcing strategy and delegated activities
  • services and asset types in scope
  • projected transaction volumes and key performance assumptions

Financial Plan

Should include:

  • projected financial statements (balance sheet, P&L, cash flow)
  • revenue and cost forecasts by service line
  • activity assumptions (clients, turnover, transaction counts)
  • prudential safeguards compliance across the horizon
  • transparent funding sources (equity, loans, intra-group)
  • stress testing and adverse scenarios

Accounting Strategy

Should demonstrate:

  • clear accounting policies aligned with EU expectations (including Directive 2013/34/EU principles where applicable)
  • strict separation of client and company assets to prevent commingling
  • accounting/reporting systems capable of recording all relevant transactions with audit trails
  • external audit readiness and governance over financial reporting

Newly Established Companies: Practical 2026 Expectations

New entities often face tighter scrutiny because they lack operating history. In practice, supervisors put greater emphasis on:

  • credible three-year projections with stress cases and a defensible commercial rationale
  • proof that regulatory capital and prudential safeguards are genuinely available and sustainable
  • operational readiness at filing (people, systems, controls), not just a future roadmap

AML/CFT Under MiCA: “Implemented” Means Running

Before authorisation, supervisors require CASPs to demonstrate an active, operational AML/CFT framework — not a drafted policy set. Supervisors typically evaluate real-world effectiveness, governance, and evidence of control execution.

Risk-based approach

At minimum, the risk assessment should cover:

  • customer categories and risk profiles,
  • service and product risk,
  • transaction risk plus distribution/delivery channels,
  • geographic exposure and cross-border footprint.

Mitigation must be proportional and embedded into workflows (onboarding → monitoring → escalation → reporting).

Controls and governance

Applicants should evidence:

  • governance for AML oversight, decision-making, and escalation
  • procedures for CDD/EDD, ongoing monitoring, and suspicious activity handling
  • internal reporting lines and audit trails supporting accountability and traceability

Monitoring, record-keeping, and evidence

Monitoring capabilities must detect unusual or suspicious patterns and, where relevant, must additionally:

  • reflect known typologies;
  • incorporate on-chain and off-chain indicators; and
  • support investigation workflows to ensure auditable, defensible decision-making.

Record retention and data integrity must support inspection and timely reporting.

Training and effectiveness testing

Applicants should have:

  • AML training delivered as part of onboarding, followed by periodic refresher sessions
  • role-specific training for higher-risk and control roles, where relevant
  • regular effectiveness testing and, where gaps are identified, remediation routines with clear ownership

Conflicts of interest

CASPs must implement controls to prevent and manage conflicts that could compromise AML/CFT or compliance judgments.

AML Officer and MLRO functions: independence and authority

MiCA doesn’t require specific job titles, but it does require AML/CFT responsibilities to be clearly assigned, properly resourced, and operationally independent. In practice:

  • the AML Officer runs day-to-day framework execution
  • the MLRO (or equivalent) ensures independent review, investigation, and reporting

Safeguarding and Operational Resilience in 2026

By 2026, supervisors scrutinise safeguarding more than almost any other area. CASPs must show that they protect client assets against misuse, operational failure, and insolvency risk through technical and operational controls — not contract language alone.

Segregation of client assets and client funds

CASPs are expected to maintain strict separation between:

  • the firm’s own assets,
  • assets held for clients.

Core safeguards typically include:

  • client fiat is not used for the firm’s own account
  • client crypto-assets are not used, pledged, or transferred without explicit client consent
  • wallets and custody structures are operationally segregated
  • segregation is enforced technically (wallet architecture, access rights), not only through terms

Key management and access controls

Where the CASP holds or controls cryptographic keys, it should implement and evidence:

  • secure key storage (e.g., multi-sig / HSM)
  • access controls and approval workflows
  • separation of duties across tech, ops, and compliance
  • audit logs and incident handling procedures

Safeguarding client fiat funds (non-EMT)

Where client fiat is received (excluding EMTs), safeguarding typically requires placement with:

  • a central bank,
  • a licensed credit institution.

Firms should document the safeguarding account setup, timelines, reconciliation routines, counterparty risk review, and multi-bank administration (if used).

Client disclosures

CASPs must provide clear disclosures explaining:

  • how segregation is implemented,
  • custody risks and controls,
  • how safeguarding is applied under MiCA in practice.

ICT Systems, Cybersecurity, and Operational Resilience (MiCA & DORA)

MiCA expects crypto businesses to run secure, stable, and controllable operations. In parallel, DORA provides the structured playbook for ICT risk governance — and by 2026 it’s effectively the benchmark regulators and counterparties use when they judge whether resilience controls are “real.”

In practical terms, CASPs should be able to demonstrate that their ICT environment is documented, governed, and tested, including:

  • clear technical documentation for core systems and critical dependencies
  • cybersecurity policies plus an ICT risk management framework that is actually used
  • independent assurance proportionate to the risk profile (for example, audits and penetration testing)

Business Continuity and Disaster Recovery

Continuity is evaluated as an operating capability, not an appendix. CASPs are expected to maintain critical services through:

  • a documented business continuity plan (BCP)
  • workable disaster recovery arrangements
  • recurring tests, with retained evidence of outcomes and tracked remediation

Outsourcing and Third-Party Risk Management

When a firm outsources technology, custody, or other critical functions, supervisors expect vendor governance that goes beyond procurement paperwork. CASPs should typically:

  • maintain an up-to-date outsourcing register
  • identify, assess, and mitigate third-party risks (including concentration and single-point-of-failure risk)
  • embed contractual protections (security requirements, incident notification, audit/inspection rights)
  • run oversight routines for critical providers and maintain credible exit plans for key dependencies

Incident Handling and Reporting Readiness

CASPs should be equipped to detect and manage ICT incidents end-to-end. That includes procedures to identify, document, escalate, and — where applicable — notify significant incidents, supported by:

  • incident logs and classification criteria
  • root-cause analysis and post-incident reporting
  • corrective actions with owners, deadlines, and evidence of closure

Penalties and Enforcement Under MiCA (2026)

By 2026, MiCA enforcement is no longer treated as a “transition topic.” Across the EU, it is part of routine supervisory practice. Crypto firms operating in Czechia face active oversight, and regulators treat non-compliance as a regulatory breach, not as a learning phase. Authorities have a wide enforcement toolkit, ranging from financial penalties to operating constraints and, in severe cases, withdrawal of authorisation. Measures are applied proportionately, typically weighing the nature of the breach, how long it lasted, its impact, and the firm’s administration and compliance track record.

Administrative Fines and Authorisation Actions

MiCA enables competent authorities to impose meaningful administrative fines. Depending on the infringement, penalties can reach:

  • several million euros as a fixed amount,
  • a significant percentage of the firm’s annual turnover.

Where deficiencies persist, supervisors may also apply periodic penalty payments designed to force remediation rather than punish a single event.

For serious or systemic issues, regulators may:

  • suspend specific activities,
  • narrow the authorised scope,
  • revoke MiCA authorisation entirely.

In 2026, regulators treat operating without authorisation — or outside the approved scope — as unauthorised financial activity and may move quickly to enforce.

AML/CFT and Cybersecurity as Enforcement Triggers

Weaknesses in AML/CFT remain one of the most frequent reasons regulators step in. Failures in KYC, transaction monitoring, or suspicious activity handling commonly lead to:

  • intensified supervisory scrutiny,
  • formal remediation programs,
  • knock-on restrictions from banks and payment institutions.

In parallel, material ICT failures may escalate under DORA. Serious incidents, inadequate incident response, or weak ICT governance can result in corrective measures, financial penalties, and mandated remediation.

Even where formal sanctions are limited, regulatory findings often lead to partner de-risking, loss of banking access, and reputational damage.

Why Ongoing Reviews Matter

Regular internal reviews and independent assessments are often the difference between controlled remediation and enforcement. Supervisors increasingly emphasize:

  • evidence of operational effectiveness (not just documented intent),
  • visible management involvement in compliance oversight, and
  • timely closure of identified gaps.

Firms that delay corrective actions or rely on “checkbox compliance” typically face materially higher regulatory risk.

Practical Compliance Expectations in the Czech MiCA Process (ČNB Supervisory Approach)

By 2026, MiCA fully shapes how the Czech National Bank (ČNB) supervises the sector. ČNB uses MiCA as a stable operating standard, not as a staged alignment exercise. In practice, ČNB runs the authorisation process as a test: can the applicant already operate like a regulated financial market participant at the filing date? It does not run the process as a collaborative gap-fixing exercise where the applicant closes core deficiencies later.

Authorisation as a Readiness Test (Not a Consultative Process)

ČNB commonly proceeds on the assumption that:

  • the operating model is final and clearly defined,
  • key functions are staffed and working,
  • controls are implemented and can be evidenced,
  • prudential safeguards are available and sustainable.

Applications framed around “we will implement this after submission” generally carry higher supervisory risk in 2026. In practice, “later” is often interpreted as insufficient institutional maturity rather than a realistic implementation plan.

Continuous Compliance Is the Default Standard

ČNB does not treat MiCA compliance as a one-time milestone. In 2026, ČNB expects firms to embed continuous compliance into daily governance and control routines.

Firms are expected to remain aligned with:

  • authorised scope and permitted activities,
  • administration and independence of control functions,
  • AML/CFT execution and monitoring effectiveness,
  • prudential safeguards and capital adequacy,
  • safeguarding and operational resilience (including ICT and outsourcing governance).

Supervisors typically consider a framework inadequate when the firm keeps it only on paper, fails to maintain it actively, or cannot demonstrate it through operational outputs.

Risk and Prudential Safeguards Must Move With the Business

Risk assessment and prudential safeguards are evaluated as dynamic obligations. ČNB expects reassessments when there are material changes in:

  • transaction volumes and client behavior,
  • scope evolution (including incremental features that shift risk),
  • custody or exchange exposure / control over client assets,
  • customer mix and geographic footprint,
  • outsourcing structure and critical providers.

Static or outdated risk/capital assessments are often read as weak internal control and insufficient management oversight.

Documentation Must Match Reality (Mismatches Raise Red Flags)

Reviewers don’t assess documentation in isolation. It must accurately describe real workflows. Misalignment between written policies and actual operations is among the most common sources of supervisory findings — especially in areas such as:

  • administration and decision-making trails,
  • AML procedures, monitoring logic, escalation paths, and evidence packs,
  • safeguarding and wallet/key management architecture,
  • source of funds / source of wealth narratives,
  • ICT security, incident response, and BCP/DR testing,
  • outsourcing governance and oversight routines.

Generic, template-style policies that are not tied to the applicant’s operating model often fail the “substance” test.

Key Risk Areas: Governance, Control Independence, and Funding Transparency

ČNB places strong weight on governance and internal control reality: responsibilities must be clearly allocated, reporting lines must work, and oversight must be demonstrable. Weak governance, insufficient independence of AML/compliance functions, or opaque decision-making can be enough to trigger an adverse conclusion.

Funding transparency is similarly sensitive. Formal confirmations (bank balances, certificates) rarely stand on their own unless the legal and economic origin of funds is explained, documented, and consistent with the ownership chain. Gaps in governance, control design, or source-of-funds narratives can each justify escalation — including discontinuation of the procedure.

Practical Management Implication in 2026

In 2026, MiCA compliance should be managed as a continuous executive responsibility that directly affects:

  • stability of authorisation and scope integrity,
  • banking and payment access,
  • the ability to passport services across the EU,
  • long-term operational viability and supervisory credibility.

Where internal resources or regulatory experience are limited, independent gap assessments and professional support can reduce risk — not by replacing internal ownership, but by strengthening implementation quality, evidence readiness, and consistency across the authorisation file.

Use Professional Compliance Support Where Needed

MiCA compliance in 2026 is an ongoing management function, not a one-off legal task. Many crypto businesses use external specialists to stay aligned, especially where internal resources are constrained.

AMS supports MiCA-regulated crypto companies in areas including:

  • independent compliance gap assessments,
  • AML/CFT and governance reviews,
  • capital and prudential compliance checks,
  • ICT and operational resilience evaluations,
  • remediation planning and supervisory support.

External oversight can reduce enforcement risk and strengthen credibility with regulators, banks, and counterparties.

FAQ: MiCA Regulation in Czechia in 2026

What changed once MiCA became fully applicable in 2026?

By 2026, MiCA is treated as the day-to-day operating rulebook across the EU, not an “incoming” framework. The practical shift is that crypto regulation moved from patchwork national arrangements and temporary pathways to a single, enforceable model with consistent expectations on licensing, governance, safeguarding, AML/CFT, and ICT resilience. In other words, 2026 is the point where “registration-style” approaches and stop-gap compliance typically stop being viable, both commercially and from a supervisory standpoint.

Is MiCA authorisation mandatory for crypto businesses operating in the Czech Republic?

If you perform regulated crypto-asset services in the Czech Republic, authorisation is generally required. The key question is not what you call your business, but what you do in practice. Operating without the correct authorisation — or providing regulated services beyond the approved scope — is typically treated as unauthorised activity. Whether any exclusions apply depends on classification (for example, whether an asset falls outside MiCA or is regulated elsewhere), so scope and product analysis is critical before launch.

How is MiCA enforced in practice in the Czech Republic?

Enforcement is driven by supervisory practice, not theory. The Czech National Bank (ČNB) evaluates whether controls work in real operations: governance routines, AML monitoring, safeguarding mechanics, outsourcing oversight, and incident readiness. Firms are increasingly expected to evidence implementation (workflows, logs, testing outcomes, accountability trails), not simply present well-written policies.

What types of MiCA authorisations are available?

MiCA authorisation tracks depend on the firm’s role:

  • CASP authorisation for businesses providing regulated crypto-asset services;
  • separate authorisation and supervision regimes for ART issuers and EMT issuers.

Choosing the correct scope is a licensing-critical step. A firm can only perform the activities included in its approved authorisation. If the operating model includes custody, exchange, or platform functionality, the required scope and supervisory expectations typically increase.

Which crypto-asset services fall under MiCA regulation?

MiCA captures a broad set of client-facing services. Regulated activities commonly include custody and administration, exchange services (crypto-to-fiat and crypto-to-crypto), operating trading platforms, order execution and order routing, placement and transfer services, and — where applicable — advisory and portfolio-style services. The exact perimeter depends on the technical setup and how the service is delivered (including control over client assets and transaction execution).