National Competent Authorities for Crypto in EU: Who Regulates What and Where

When you run a crypto business in the European Union, you don’t just pick a country because it’s convenient. You pick it because of who’s watching. Since December 30, 2024, every crypto firm operating in the EU must be licensed by a National Competent Authority-a single government agency in each member state that acts as the gatekeeper, inspector, and enforcer of the Markets in Crypto-Assets Regulation (MiCA). This isn’t a suggestion. It’s the law. And if you skip this step, you’re not just risking fines-you’re risking being shut down across all 27 EU countries.

Who Are These Authorities?

Each EU country picked its own financial watchdog to handle crypto oversight. These aren’t new agencies created just for crypto. They’re the same bodies that have regulated banks, stock markets, and investment firms for decades. That’s intentional. The EU wanted experienced regulators, not amateurs.

In Germany, it’s BaFin-the Federal Financial Supervisory Authority. BaFin has been cracking down on shady crypto schemes since 2018. When MiCA went live, it didn’t waste time. By mid-January 2025, it had already issued its first licenses to crypto firms that met its strict capital and governance rules.

France’s AMF (Autorité des Marchés Financiers) took a similar approach. Known for its aggressive market surveillance, the AMF moved fast on MiCA compliance, requiring firms to prove they could protect client assets, prevent market manipulation, and report suspicious activity in real time. Spain’s CNMV and Italy’s CONSOB followed suit, applying their existing securities frameworks to crypto tokens.

The Netherlands stood out early. By December 30, 2024-the very day MiCA took effect-it had already granted licenses to multiple firms. Why? Because Dutch regulators had been preparing for years. They held workshops, published draft guidelines, and even ran pilot programs with crypto startups. That head start paid off.

Malta, once called the “Blockchain Island,” didn’t slow down either. Even though it’s a smaller country, its MFSA (Malta Financial Services Authority) issued some of the first licenses under MiCA. That’s because Malta had already built a crypto-friendly legal framework before MiCA existed. Now, it’s adapting that framework to meet EU-wide standards.

What Do These Authorities Actually Do?

Getting a license is just the start. Once a crypto firm is approved, the National Competent Authority doesn’t walk away. It watches. Every day.

NCAs require firms to:

• Keep enough capital on hand to cover losses (minimum €125,000, but often much higher depending on services offered)
• Separate client funds from company funds-no mixing allowed
• Report any security breaches, hacks, or system failures within 24 hours
• Submit quarterly reports on trading volumes, customer complaints, and risk exposures
• Pass annual audits by independent third parties

They also monitor for market abuse. On April 29, 2025, the EU added new rules requiring all trading platforms and brokers to use systems that detect suspicious activity-like pump-and-dump schemes or wash trading. If something looks off, the firm must report it to its NCA. No exceptions.

And it’s not just about trading. If your company issues stablecoins, asset-referenced tokens, or utility tokens, your NCA will check your whitepaper, reserve holdings, and redemption procedures. For example, if you’re running a euro-backed stablecoin, the European Banking Authority (EBA) steps in to make sure you hold enough cash or liquid assets to back every token. But your NCA still handles the day-to-day supervision.

Why Some Countries Are Getting More Licenses

As of July 2025, over 40 Cryptoasset Service Provider (CASP) licenses have been issued across the EU. Germany and the Netherlands together hold more than half of them.

Why? Three reasons:

1. Experience - BaFin and the Dutch authority have decades of experience regulating financial markets. They know how to review applications quickly and thoroughly.
2. Resources - These countries have bigger teams, better tech systems, and more funding to handle the workload.
3. Clarity - They published detailed guidance before MiCA went live. Companies knew exactly what to submit. In some countries, firms waited months just to get a response.

Smaller countries like Austria or Slovenia have issued fewer than five licenses so far. Not because they’re lax. But because they’re still building their teams and systems. Some crypto firms avoid them-not because they’re unsafe, but because they don’t want to wait.

The Big Shift Coming: Centralization

Here’s the twist: the EU doesn’t plan to keep this 27-agency system forever.

In October 2024, Verena Ross, head of ESMA (the European Securities and Markets Authority), told the Financial Times the EU is preparing to move oversight of major crypto firms from national regulators to ESMA itself. Why? Because having 27 different rules, 27 different inspectors, and 27 different interpretations of the same law is inefficient-and expensive.

Imagine a crypto company that wants to operate in Germany, France, and Italy. Right now, it needs three separate licenses, three sets of reports, three audit schedules, and three different compliance teams. That’s not scalable. It’s a nightmare for startups.

The EU’s plan? Let ESMA supervise the biggest cross-border firms directly. Smaller firms that only operate in one country will still go through their NCA. But if you’re handling billions in transactions across multiple countries, you’ll answer to ESMA.

This change is still in draft form. It won’t happen before 2027. But it’s coming. And firms that are already working with BaFin or AMF are being told to prepare for it.

What About Anti-Money Laundering?

You might think AML is handled by the same NCA. It’s not.

Starting in 2026, the new Anti-Money Laundering Authority (AMLA) will take direct control over the largest crypto firms-those with over €100 million in annual transactions. AMLA will monitor their customer due diligence, transaction monitoring, and reporting systems. Your NCA still handles licensing and market conduct. AMLA handles crime prevention.

This creates a new layer of complexity. A firm might be licensed by BaFin, supervised for trading by BaFin, but audited for money laundering by AMLA. Two agencies. Two sets of rules. One company.

What Should Crypto Firms Do Now?

If you’re thinking about launching or expanding in the EU, here’s what matters:

• Choose your NCA wisely - Don’t pick the country with the cheapest fees. Pick the one with the fastest processing, clearest rules, and most experience. Germany, Netherlands, and France are the safest bets right now.
• Prepare for audits - Your governance documents, risk controls, and client protection plans need to be flawless. No vague language. No shortcuts.
• Expect change - The rules won’t stay the same. The shift to ESMA supervision is real. Start building systems that can adapt.
• Don’t assume one license covers all - Even if you’re licensed in the Netherlands, you still need to comply with local rules in every country where you have customers.

What’s Next?

The EU’s crypto regulatory model is the most advanced in the world. It’s not perfect. It’s messy. But it’s working. More than 40 firms are now legally operating under MiCA. Investors are returning. Exchanges are opening. And the rest of the world is watching.

But the next chapter is coming. Centralization. AMLA. More rules. More pressure. The firms that survive won’t be the ones that just got a license. They’ll be the ones that built flexible, transparent, and proactive compliance systems from day one.

The clock is ticking. The authorities are watching. And they’re not going away.