Building on our recently published chapter in the Chambers and Partners Blockchain Guide 2025
This briefing launches our Blockchain Insight Series, which expands on the material we contributed to the newly released Chambers and Partners Blockchain Guide 2025. In this article we cover topics related to outsourcing under MiCA, such as the legal and operational considerations of outsourcing key functions within crypto-asset service providers (CASPs), as well as issues like governance, risk management and compliance. Model clauses for outsourcing agreements will also be presented to provide practical guidance.

As CASPs expand their operations, they often rely on third parties for important functions. However, under MiCA, Romanian national authorities expect CASPs to maintain supervision to avoid “letterbox” arrangements, that is, situations where excessive delegation in reality leads to a loss of decision-making power or operational substance.
Digital Operational Resilience Act (DORA) Compliance
Outsourcing IT and data services is common, but entities must assess these third‑party arrangements against DORA standards to manage cyber and operational risks. Also, before selecting a provider, whether within the same corporate group or external, companies must carry out due diligence procedures and document objective reasons for their choice. [Please refer to this link for a concise presentation of the principles and essentials of DORA for CASPs.]
Minimum Standards for Outsourcing
Alongside remaining compliant with DORA’s provisions, CASPs are required to follow the minimum standards imposed by the European Securities and Markets Authority (ESMA):
- Retention of control – CASPs are expected to manage the outsourcing mechanisms to avoid the delegation of core responsibilities to the extent that the firm becomes a “letterbox” entity. Retention of control means, for example, that CASPs have sufficient personnel to supervise the delegated work in its entirety.
- Jurisdictional awareness – Outsourcing to jurisdictions outside the EU requires a detailed assessment when delegating management level functions. Also, outsourcing to jurisdictions where national authorities would be unable to obtain information from the entity to which the function is outsourced is in violation of Article 73 (1) (d) of MiCA.
- Anti-Money Laundering functions – The outsourcing of these functions is prohibited, and the responsibility of AML compliance always remains with CASPs.
- Outsourcing documentation – CASPs are required to prepare documentation concerning the outsourced functions that contains comprehensive information to be shared with the national authorities.
- Outsourcing within corporate groups – When outsourcing functions to entities within the same group, the selection must be based on objective reasons and supported by proper due diligence. Additionally, such outsourcing should not impact the ability of a CASP to make independent decisions regarding its EU activities, with decisions prioritizing the best interests of the EU operations.
Delegation of Responsibilities
Certain functions such as risk management, compliance and internal audit are deemed highly important, as ESMA expressly stated in its Supervisory Briefing from 31 January 2025. Outsourcing these is only acceptable if CASPs can still maintain continuity and regulator access.
CASPs are required to be aware of any further sub-outsourcing by the entities they engage with, particularly for the abovementioned functions, as this is considered to increase the risk of their activities. CASPs should have a clear understanding of sub-outsourcing and ensure their Service Level Agreements provide sufficient visibility and control over the entire outsourcing chain. Additionally, CASPs must avoid assigning the responsibility of monitoring multiple outsourced functions to a single individual unless they can demonstrate that such a structure will not compromise the continuity or integrity of services.
Outsourcing the Custody of Clients’ Assets
Outsourcing the custody of client assets under MiCA is limited to entities authorized under Article 59 because these entities are subject to regulatory requirements designed to warrant the safety and protection of clients’ assets. Article 59 specifically mandates that only authorized custodians, such as regulated financial institutions, can hold crypto-assets on behalf of clients.
Article 75 (9) of MiCA allows entities to outsource custody functions to providers operating under a grandfathering period if they were offering these services before MiCA’s implementation. This provision lets them continue under the previous legal framework until they comply with MiCA’s new requirements. After the grandfathering period ends, the provider must fully adhere to MiCA regulations to continue offering custodial services.
Contractual Arrangements
To protect their position, CASPs should include clauses in contracts that require providers to maintain relevant logs, data, and documentation, and grant regulators direct access to these materials upon request. The following elements could be integrated in outsourcing contracts to meet MiCA, DORA, and ESMA requirements:
Regulator Access and Transparency – It is recommended that the contract include provisions requiring the third-party provider to retain relevant logs, data, and documentation related to the outsourced functions, and to make them available for inspection by both the CASP and relevant regulatory authorities upon request. The provider should keep detailed records of all outsourced activities, including operational tasks, transaction logs, and documentation related to compliance. Additionally, the contract should specify clear timeframes for providing access to this information (e.g., “within 24 hours of the request”) to conform with any inspection or inquiry.
Regulatory Notification Obligations – The contract must require the provider to notify the CASP immediately if a regulator requests information, inspection, or audit. It should specify a timeframe for notification (e.g., “within 48 hours”) and ensure coordination for CASP attendance during inspections, whether on-site or remote.
Audit Rights – CASPs should have the right to conduct regular audits of outsourced functions. The contract may specify audit frequency (e.g., quarterly) and types (e.g., financial or compliance) and include provisions for the provider to fully cooperate during these audits. It should grant access to relevant systems and data, with a notice period (e.g., “two weeks”) for audits and clarity on the areas to be reviewed.
Control Over Sub-outsourcing – The contract should require prior approval from CASPs for sub-outsourcing any part of the service. It should also mandate disclosure of sub-contracting arrangements, to guarantee that sub-contractors adhere to the same compliance obligations, including audit rights and transparency.
Exit and Service Continuity – Establishing procedures for transitioning services back to the CASP or a new provider upon termination helps facilitate the handover of data and operational responsibilities. For example, the parties may draft business continuity and disaster recovery plans, tested regularly, with timetables for transitions to prevent service disruption.
Security and Change Management – The contract should require the provider to adhere to specific cybersecurity standards and notify the CASP of any material changes to systems or infrastructure. It should include a process for evaluating and approving changes, so that the CASP can confirm that they do not affect its compliance or security status.
Conclusion
Outsourcing under MiCA requires CASPs to continuously supervise delegated functions, as the responsibility for compliance does not transfer to third-party providers. CASPs retain ultimate responsibility and must ensure that their outsourcing agreements include provisions that hold providers accountable for meeting regulatory standards. Final points:
- CASPs must maintain control over core functions like compliance and risk management, even when outsourcing these responsibilities.
- Outsourcing to non-EU jurisdictions and sub-outsourcing should be carefully assessed given jurisdictional and operational risks.
- Proper contractual provisions, including audit rights and transparency clauses, are helpful in meeting regulatory standards.
For more information on outsourcing under MiCA, please contact the Lexters team through the Contact Section.
Resources:
ESMA Supervisory Briefing, 31 January 2025: https://www.esma.europa.eu/sites/default/files/2025-01/ESMA75-453128700-1263_Supervisory_Briefing_on_Authorisation_of_CASPs.pdf
This note is for general information only and does not constitute legal advice.