MiCA didn't end on 1 July. For authorised CASPs, it started.
Production systems for order-book records in ESMA format, Travel Rule, DAC8/CARF, DORA resilience and EU AI Act governance — built for authorised crypto-asset service providers. Secure, audit-ready, delivered to production.
Production, not demos · FSQS-registered · DORA Art. 28 ready · EU AI Act-aligned
Authorisation was the exam. Operating is the job.
~280 CASPs are authorised across the EU — around 17 hold a full trading-venue licence. Every one of them now operates as a regulated financial institution, with the obligations that come with it.
Source: ESMA interim MiCA register · as of 6 Jul 2026 · updates weekly
The licence is where the work starts
The transitional period ended on 1 July 2026 — with no extensions, as ESMA confirmed on 17 April 2026. Passing authorisation was a project with an end date. Record-keeping, reporting and resilience are processes that run every day — and they need infrastructure, not another PDF.
Counterparties drop off the register weekly
ESMA's interim MiCA register updates weekly. Some of the counterparties you transact with may no longer be authorised, may be in wind-down, or may sit outside the EU without a licence. That exposure belongs on your risk register — with dates.
Records in ESMA's format, not yours
NCAs expect order and trade records in ESMA's standardised machine-readable format — a JSON schema published on 28 November 2025. Exports that almost match the schema do not pass validation.
The obligations stack
Travel Rule verification on every transfer. DAC8/CARF transaction-data collection, mandatory since January 2026. DORA ICT resilience. EU AI Act governance over any AI used in AML and monitoring. Market-abuse surveillance that stays effective and provable, as MIDAS extends this scrutiny to CASPs. Each is its own pipeline — and they all run at once.
The systems that make operational compliance run
We build and run the engineering side of MiCA operations. We don't give legal or regulatory advice — your counsel interprets the rules; we make the systems produce what the rules require.
MiCA Register Exposure Snapshot
A board-ready executive summary that quantifies your exposure in euros — built to put in front of your CCO or board, not to sit in an analyst's inbox. One week, fixed fee.
Order-book & trade records in ESMA format
Pipelines that turn your matching-engine and custody data into records in ESMA's machine-readable format — built to pass NCA validation, not almost pass it.
Travel Rule pipeline
Originator and beneficiary data captured and verified before the transfer moves — not reconstructed after it has.
DAC8 / CARF data collection
Transaction-data capture for mandatory tax reporting, collected at transaction time — not reverse-engineered at reporting time.
AML monitoring with explainability
Monitoring where every alert carries a reason an analyst can defend — and where the models behind it are governed under the EU AI Act.
Live from 2 Aug 2026 · EU AI Act Art. 50
DORA ICT resilience
As an authorised CASP, DORA applies to you the same way it applies to a bank. This is our home ground — we run a dedicated DORA practice.
Market-abuse surveillance & STOR readiness
Monitoring that stays effective and provable — as MIDAS extends this scrutiny to CASPs. Firms get sanctioned not for lacking a system, but for one that isn't maintained.
Start with one week. Scale only when the numbers justify it.
Four steps. Each one produces a deliverable you keep, whether or not you take the next step. Fixed fees — no hourly billing.
MiCA Register Exposure Snapshot
We resolve each of your counterparties against ESMA's weekly interim MiCA register — across group structures, subsidiaries, and legal vs trading names and their transliterations — and flag which are unauthorised, in wind-down, or non-EU without a licence.
Operational Readiness Diagnostic
Full audit of operational readiness: order-book records against the ESMA JSON schema, Travel Rule, DAC8/CARF, DORA ICT resilience, EU AI Act governance over your AML and monitoring models — and control ownership: who signs off, and who's accountable when a system fires.
Build
We build the specific pipelines and systems for the gaps found — with the sign-off and audit trail encoded in the flow, not a control that lives in a document beside it. Every module ships to production with a measurable outcome agreed up front — not a prototype that stops at the demo.
Embedded Run
Compliance is a process, not a milestone: the register updates weekly, regulation shifts, and AI systems need continuous governance. We operate what we built.
A platform gives you a template. I own the outcome.
A RegTech platform is a generic template you bend to fit — live in two hours, then months of internal work to match your NCA's validation and your stack. We build the system to your exact validation and your actual stack — and we run it after. The engagement lives in the problem for years.
A platform
- A generic template — live in two hours, then bent to fit
- You integrate to it — it doesn't integrate to you
- Support desk — you own the outcome
- The tool is the deliverable; you find the engineers to run it
- Priced per seat / per volume — costs grow with your scale
This engagement
- Built to your NCA's validation and your actual matching-engine, custody, and CRM stack
- Snapshot in a week; production modules in weeks — not months of procurement and slides
- Embedded Run — we operate what we built, for years. Support is not the model; ownership is
- Fixed-fee delivery — the outcome is the deliverable, not the tool
- One accountable senior architect from Snapshot to Run
Built for banks under DORA. Now applied to authorised CASPs.
EU Financial Services Company
GenAI systems needed full control and audit trails to survive regulatory review under DORA. We built an AI control layer with per-request audit trails, guardrails, and exit readiness — the same discipline AML monitoring needs under the EU AI Act.
Investment Document Analysis — Canada
Analysts needed precise answers from fund documents and investment policies, with no room for guesswork. We built a document Q&A system that answers with exact page citations — the record-level accuracy NCAs scrutinise.
Your data stays yours, on your side, under your control.
Most RegTech vendors host your transactions on their infrastructure — and ask you to accept US Cloud Act exposure and vendor lock-in as the price of the tool. We architect the opposite: client PII, transaction detail and conversation data stay on your own infrastructure. We hold only metadata and audit logs — never the sensitive data itself.
We bring the systems. We don't bring a place your data has to live.
The right fit — and when we're not
We're the right team if
- You're an EU-authorised CASP — or in authorisation — with live transaction volume.
- You want operational systems in production: records, pipelines, monitoring that run every day.
- You value one accountable owner and outcomes you can measure over the cheapest quote.
We're probably not your team if
- You're operating without authorisation, or winding down.
- You're a pure-DeFi project with no legal entity in scope.
- You're looking for a compliance box-tick — or for legal advice. We build systems; your counsel interprets the regulation.
Book a 30-minute Register Exposure review.
We'll show you which of your counterparties may no longer be authorised — and where that leaves your exposure. If the answer is "none", you'll know that too, in 30 minutes.
Book your review viktor@intellectumlab.com · Response within 24 hours