MiCA didn't end on 1 July. For authorised CASPs, it started.

Production systems for order-book records in ESMA format, Travel Rule, DAC8/CARF, DORA resilience and EU AI Act governance — built for authorised crypto-asset service providers. Secure, audit-ready, delivered to production.

Production, not demos · FSQS-registered · DORA Art. 28 ready · EU AI Act-aligned

Frameworks in scope
Mapped to the regulations you actually report on.
MiCA ESMA RTS MAR · market abuse Travel Rule (TFR) DAC8 / CARF DORA EU AI Act AMLR GDPR

Authorisation was the exam. Operating is the job.

~280 CASPs are authorised across the EU — around 17 hold a full trading-venue licence. Every one of them now operates as a regulated financial institution, with the obligations that come with it.

Source: ESMA interim MiCA register · as of 6 Jul 2026 · updates weekly

01

The licence is where the work starts

The transitional period ended on 1 July 2026 — with no extensions, as ESMA confirmed on 17 April 2026. Passing authorisation was a project with an end date. Record-keeping, reporting and resilience are processes that run every day — and they need infrastructure, not another PDF.

02

Counterparties drop off the register weekly

ESMA's interim MiCA register updates weekly. Some of the counterparties you transact with may no longer be authorised, may be in wind-down, or may sit outside the EU without a licence. That exposure belongs on your risk register — with dates.

03

Records in ESMA's format, not yours

NCAs expect order and trade records in ESMA's standardised machine-readable format — a JSON schema published on 28 November 2025. Exports that almost match the schema do not pass validation.

04

The obligations stack

Travel Rule verification on every transfer. DAC8/CARF transaction-data collection, mandatory since January 2026. DORA ICT resilience. EU AI Act governance over any AI used in AML and monitoring. Market-abuse surveillance that stays effective and provable, as MIDAS extends this scrutiny to CASPs. Each is its own pipeline — and they all run at once.

The systems that make operational compliance run

We build and run the engineering side of MiCA operations. We don't give legal or regulatory advice — your counsel interprets the rules; we make the systems produce what the rules require.

[01]

MiCA Register Exposure Snapshot

A board-ready executive summary that quantifies your exposure in euros — built to put in front of your CCO or board, not to sit in an analyst's inbox. One week, fixed fee.

Each counterparty resolved against ESMA's weekly interim MiCA register — across group structures, subsidiaries, and legal vs trading names and their transliterations
Flags for unauthorised, in wind-down, and non-EU without a licence — with exposure quantified in €
Board-ready summary + risk register, addressed to the CCO/board — designed to escalate, not to file
The counterparty gaps it surfaces point to your own deeper system gaps (records, Travel Rule, DORA) — where Steps 2–4 pick up
See the engagement path →
[02]

Order-book & trade records in ESMA format

Pipelines that turn your matching-engine and custody data into records in ESMA's machine-readable format — built to pass NCA validation, not almost pass it.

Mapping from your trading and custody systems to the ESMA JSON schema
Schema validation before a regulator ever sees a record
Measured outcome: records accepted at NCA validation
[03]

Travel Rule pipeline

Originator and beneficiary data captured and verified before the transfer moves — not reconstructed after it has.

Originator/beneficiary capture on every transfer
Pre-transfer verification against counterparty data
Automated holds on mismatch that route to a named approver, with the decision logged
[04]

DAC8 / CARF data collection

Transaction-data capture for mandatory tax reporting, collected at transaction time — not reverse-engineered at reporting time.

Collection wired into your transaction flow, in force since January 2026
Reporting-ready datasets in the required structure
Completeness checks, so gaps surface monthly — not at the filing deadline
[05]

AML monitoring with explainability

Monitoring where every alert carries a reason an analyst can defend — and where the models behind it are governed under the EU AI Act.

Live from 2 Aug 2026 · EU AI Act Art. 50

Explainable alerts with a per-decision audit trail
Model documentation, risk classification and human oversight per the EU AI Act
Article 50 transparency obligations from 2 August 2026 — the forcing function that turns AI-governance policy into a working pipeline
Built on the AI control layer that passed regulatory review for an EU financial services firm
[06]

DORA ICT resilience

As an authorised CASP, DORA applies to you the same way it applies to a bank. This is our home ground — we run a dedicated DORA practice.

ICT risk management, incident reporting, and third-party register
Article 28 vendor readiness — ours and your other suppliers'
28 regulatory documents mapped in our DORA Library
Start with the DORA Assessment →
[07]

Market-abuse surveillance & STOR readiness

Monitoring that stays effective and provable — as MIDAS extends this scrutiny to CASPs. Firms get sanctioned not for lacking a system, but for one that isn't maintained.

On-chain and off-chain surveillance wired to your matching engine and custody data
STOR (Suspicious Transaction & Order Report) readiness — provable coverage, provable maintenance
Model tuning and threshold reviews as an ongoing engineering discipline — not a one-off deployment
Emerging module — available to build alongside the AML and AI-governance pipeline

Start with one week. Scale only when the numbers justify it.

Four steps. Each one produces a deliverable you keep, whether or not you take the next step. Fixed fees — no hourly billing.

Step 1 · 1 week

MiCA Register Exposure Snapshot

€4,900 · fixed

We resolve each of your counterparties against ESMA's weekly interim MiCA register — across group structures, subsidiaries, and legal vs trading names and their transliterations — and flag which are unauthorised, in wind-down, or non-EU without a licence.

You receiveA board-ready executive summary that quantifies the exposure in euros — addressed to your CCO or board, built to escalate, not to sit in an analyst's inbox — plus the risk register behind it.
Step 2 · 3–4 weeks

Operational Readiness Diagnostic

€15,000–€22,000 · fixed

Full audit of operational readiness: order-book records against the ESMA JSON schema, Travel Rule, DAC8/CARF, DORA ICT resilience, EU AI Act governance over your AML and monitoring models — and control ownership: who signs off, and who's accountable when a system fires.

You receiveA prioritised gap map with dates — the technical gaps and the control-ownership gaps behind them — and a build plan scoped module by module.
Step 3 · by scope

Build

€45,000–€140,000 · by scope

We build the specific pipelines and systems for the gaps found — with the sign-off and audit trail encoded in the flow, not a control that lives in a document beside it. Every module ships to production with a measurable outcome agreed up front — not a prototype that stops at the demo.

You receiveSystems in production with outcomes like "records accepted at NCA validation" or "Travel Rule holds that route to a named approver, with the decision logged".
Step 4 · ongoing

Embedded Run

€5,000–€9,000 / month

Compliance is a process, not a milestone: the register updates weekly, regulation shifts, and AI systems need continuous governance. We operate what we built.

You receive2–3 measurable KPIs in the SOW — e.g. 100% of records pass NCA validation; compliance-gap closure inside an agreed number of days.
Weeks, not Big-Four months. Snapshot in a week; production modules in weeks — not the multi-month procurement-and-slides cycle of a large consultancy. And one accountable owner, start to finish: a senior architect owns the technical decisions and the production guarantee across all four steps — the same person from Snapshot to Run.
The standard of done. Success here isn't a matter of opinion. Each engagement defines “done” against an external standard — the NCA's validation, ESMA's schema — set as a written acceptance test in the SOW. Engineering measured the way your regulator measures it.

A platform gives you a template. I own the outcome.

A RegTech platform is a generic template you bend to fit — live in two hours, then months of internal work to match your NCA's validation and your stack. We build the system to your exact validation and your actual stack — and we run it after. The engagement lives in the problem for years.

A platform

  • A generic template — live in two hours, then bent to fit
  • You integrate to it — it doesn't integrate to you
  • Support desk — you own the outcome
  • The tool is the deliverable; you find the engineers to run it
  • Priced per seat / per volume — costs grow with your scale

This engagement

  • Built to your NCA's validation and your actual matching-engine, custody, and CRM stack
  • Snapshot in a week; production modules in weeks — not months of procurement and slides
  • Embedded Run — we operate what we built, for years. Support is not the model; ownership is
  • Fixed-fee delivery — the outcome is the deliverable, not the tool
  • One accountable senior architect from Snapshot to Run
Embedded Run is the thing SaaS structurally doesn't do. A platform sells you the tool. We live in the problem — every week the register updates, every quarter regulation shifts, every model needs retuning. That is where the work actually is.

Built for banks under DORA. Now applied to authorised CASPs.

An honest note on proof. MiCA's transitional period ended on 1 July 2026, so no one has years of CASP case studies — and we won't invent any. What we bring is the production track record we've built for regulated finance: banks under DORA, FSQS-vetted delivery, systems that passed audit review. An authorised CASP is now the same kind of firm, under largely the same regulatory register.
Registered
FSQS Registered Supplier
UK & Ireland · Northern Europe
Aligned
DORA
Article 28 ready
Aligned
EU AI Act
Governance & risk classification
Compliant
GDPR
EU data protection

Your data stays yours, on your side, under your control.

Most RegTech vendors host your transactions on their infrastructure — and ask you to accept US Cloud Act exposure and vendor lock-in as the price of the tool. We architect the opposite: client PII, transaction detail and conversation data stay on your own infrastructure. We hold only metadata and audit logs — never the sensitive data itself.

We bring the systems. We don't bring a place your data has to live.

EU entity Gazolin Production SRL · Baia Mare, Romania Vetted FSQS Registered Supplier · UK & Ireland (10101341) & Northern Europe (20100065) No US Cloud Act exposure

The right fit — and when we're not

We're the right team if

  • You're an EU-authorised CASP — or in authorisation — with live transaction volume.
  • You want operational systems in production: records, pipelines, monitoring that run every day.
  • You value one accountable owner and outcomes you can measure over the cheapest quote.

We're probably not your team if

  • You're operating without authorisation, or winding down.
  • You're a pure-DeFi project with no legal entity in scope.
  • You're looking for a compliance box-tick — or for legal advice. We build systems; your counsel interprets the regulation.

Book a 30-minute Register Exposure review.

We'll show you which of your counterparties may no longer be authorised — and where that leaves your exposure. If the answer is "none", you'll know that too, in 30 minutes.

Book your review viktor@intellectumlab.com · Response within 24 hours