Staking Under MiCA: What EU Institutions Need to Know in 2026

Quick Summary:

• MiCA (Regulation (EU) 2023/1114) applies to staking services offered by Crypto-Asset Service Providers (CASPs) operating in the EU as of December 30, 2024.
• By mid-2026, ESMA’s interim public CASP register and passporting rights will be fully operational, and the transitional grandfathering period for pre-existing providers will have expired.
• EU institutions engaging with staking services may need to assess licensing status, asset segregation models, AML/KYC requirements, DORA compliance, and data protection obligations before selecting a provider. 
• The Markets in Crypto-Assets Regulation, commonly known as MiCA, is the European Union‘s comprehensive regulatory framework for crypto-assets. It entered into force in June 2023, with provisions applying in stages.
• Titles III and IV, covering asset-referenced tokens (ARTs) and e-money tokens (EMTs), took effect in June 2024.
• The full regulation, including all CASP-related provisions, became applicable on December 30, 2024. MiCA creates a unified regulatory framework across all 27 EU member states, replacing fragmented national regimes.

Where Staking Meets MiCA

MiCA does not explicitly use the word “staking” in its text. Still, staking-as-a-service offered by CASPs is generally considered to fall within the scope of regulated services, particularly:

• custody,
• administration,
• transfer of crypto-assets.

Interpretation of exactly how staking activities map to MiCA‘s service categories relies on ESMA guidelines and positions taken by national competent authorities. Protocol-level staking and solo staking, in which individuals validate directly without a third-party intermediary, are not explicitly included in MiCA‘s scope.

Liquid staking tokens present a separate consideration. Depending on their design and economic function, such tokens may qualify as ARTs or EMTs under MiCA.

Each token generally requires individual assessment.

MiCA Key Facts for Staking Services

Element	Detail
Regulation	EU 2023/1114 (MiCA)
Full application date	December 30, 2024
Supervising bodies	ESMA + National Competent Authorities (NCAs)
Staking covered	Staking-as-a-service by licensed CASPs
Staking generally excluded	Protocol-level staking; solo staking
Transitional deadline	July 1, 2026
Key guidance	ESMA Guidelines on CASPs (2025)

CASP Licensing Requirements Under MiCA for Staking Providers

A Crypto-Asset Service Provider (CASP) is any entity that provides one or more crypto-asset services as defined in MiCA. Staking activities may trigger a licensing obligation when the provider holds, controls, or administers client crypto-assets during the staking process, or when the provider executes transfers such as bonding and unbonding transactions on behalf of clients.

The Authorization Process

To obtain a CASP license, a provider must apply to the NCA in its home member state. The application process generally involves meeting minimum capital requirements, demonstrating governance standards, providing a detailed business plan, and passing fitness and propriety assessments for management.

The licensing process typically takes three to six months, depending on the jurisdiction and the complexity of the business model.

Staking as a Custody-Adjacent Service

Providers that hold or control client assets during the staking process may be subject to stricter requirements under Article 70 of MiCA, which governs the safekeeping and administration of crypto-assets on behalf of clients.

If a staking provider issues tokens as part of its service (for example, liquid staking tokens representing the staked position), the MiCA white paper obligation may also apply, requiring the provider to publish a compliant crypto-asset white paper and notify the relevant NCA.

CASP License Categories Relevant to Staking

CASP Service Type	MiCA Article	Applies to Staking?
Custody and administration of crypto-assets	Art. 70	Yes, if assets are held during staking
Operation of a trading platform	Art. 76	Indirect (liquid staking tokens)
Advice on crypto-assets	Art. 81	Possible, if staking recommendations are made
Transfer services	Art. 78	Yes, if unbonding or transfer is executed

Asset Segregation Rules: What Staking Providers Must Do With Client Funds

Article 70(1) Requirements

As stated in Article 70(1) of MiCA, CASPs providing custody or administration services must segregate client crypto-assets from their own assets. This requirement is material for staking operations because, during bonding and unbonding periods, institutional clients need to understand who controls their assets and how those assets are held, both on-chain and off-chain.

Record-Keeping and Liability

CASPs are required to maintain accurate and up-to-date records of client holdings.

• These records must enable the institution to identify each client’s assets at any point in time.
• If client assets are lost, the CASP generally bears liability unless it can demonstrate that the loss resulted from an external event beyond its reasonable control.
• The EBA and ESMA have been developing additional technical standards on asset segregation as part of the 2025 and 2026 implementation guidance.

Non-Custodial Infrastructure Providers

Infrastructure providers that operate as non-custodial validators do not hold client assets. This distinction is material under MiCA’s segregation framework.

Non-custodial providers such as Everstake generally do not take possession of or control delegated assets, so the segregation obligations under Article 70 may not apply directly to them.

That said, this analysis may vary depending on the specific business model and the applicable NCA’s interpretation.

AML and KYC Obligations for Institutions Using Staking Services

MiCA does not operate in isolation on anti-money laundering matters. It works alongside the EU’s Transfer of Funds Regulation (TFR, EU 2023/1113), the forthcoming Anti-Money Laundering Regulation (AMLR), and the framework overseen by the newly operational EU Anti-Money Laundering Authority (AMLA).

CASPs offering staking services must implement customer due diligence (CDD), enhanced due diligence (EDD) for high-risk clients, and ongoing transaction monitoring. The travel rule, as applied under the TFR, may also be relevant for staking operations.

When unbonding or reward distribution transactions constitute a “transfer” under the regulation, originator and beneficiary data may be required.

Vendor Due Diligence for EU Institutions

EU institutions that engage external staking providers must generally conduct vendor due diligence. This includes:

• banks,
• asset managers,
• funds.

The staking provider’s AML program should meet EU standards, and the institution may consider securing contractual audit rights to verify ongoing compliance.

AMLA commenced operations in July 2025, and by early 2026, all AML/CFT mandates had been transferred from the European Banking Authority (EBA) to AMLA. Direct supervision of the largest entities is expected to begin in 2028.

AML/KYC Checklist for EU Institutions Evaluating Staking Providers

Requirement	Applicable Standard	Status to Verify
CDD on staking clients	AMLR / MiCA Art. 83	Documented policy in place?
Travel rule compliance	TFR (EU 2023/1113)	Applied to all transfers?
Transaction monitoring	FATF Guidance	Real-time system in place?
Sanctions screening	EU Consolidated List	Updated daily?
Vendor AML audit rights	Internal policy	Contractually secured?

What Changed in 2026: ESMA Registry, Passporting, and New Supervisory Expectations

The ESMA CASP Register

As of early 2026, ESMA maintains an interim public register of all authorized CASPs across the EU. The register is published as a collection of CSV files on the ESMA website and is updated weekly.

A full integration into ESMA‘s IT systems is expected by mid-2026. EU institutions may use this register to verify a provider’s authorization status in near-real time.

The register also lists non-compliant entities, offering an additional layer of due diligence.

Passporting Rights

A CASP licensed in one EU member state can now offer services, including staking, across all 27 member states without requiring additional national authorizations. This passporting mechanism represents a shift from the pre-MiCA patchwork of national regimes.

For EU institutions operating across multiple jurisdictions, this simplifies engagement with a single authorized provider.

The End of Grandfathering

The transitional regime under Article 143 of MiCA allowed entities that were already providing crypto-asset services under national law before December 30, 2024, to continue operating while seeking full MiCA authorization. This grandfathering period runs until July 1, 2026.

After this date, any CASP that has not obtained authorization must cease providing regulated services in the EU. ESMA has warned that last-minute applications will face heightened scrutiny.

Reverse Solicitation Narrowing

In 2025, the ESMA clarified that the “reverse solicitation” exemption for non-EU providers is narrow. It cannot be used systematically to circumvent the licensing requirement.

EU institutions should take note that relying on reverse solicitation as a basis for ongoing service relationships with unlicensed non-EU providers may carry regulatory risk.

DORA Intersection

Since January 2025, CASPs have fallen within the scope of the Digital Operational Resilience Act (DORA). This change infers that ICT risk management, incident reporting, and oversight of third-party ICT providers are mandatory.

For staking services, this has direct implications for the relationship between EU institutions and their validator infrastructure providers.

Key MiCA Milestones Timeline

Date	Event
June 2023	MiCA entered into force
June 2024	Titles III and IV applied (ARTs, EMTs)
December 30, 2024	Full MiCA application (all CASPs)
Q1 2025	ESMA CASP guidelines published
January 2025	DORA application date
July 2025	AMLA commenced operations
January 2026	AML/CFT mandates transferred from EBA to AMLA
July 1, 2026	Transitional grandfathering period ends
2028	AMLA direct supervision begins

How MiCA Affects Non-EU Staking Providers Serving EU Institutions

MiCA does not grant a passporting right to third-country (non-EU) providers.

• Under Articles 60 through 62 of MiCA, non–EU firms may only serve EU clients at the client’s own exclusive initiative, commonly known as reverse solicitation.
• ESMA has confirmed that this must be genuinely client-initiated and cannot serve as a systematic market access strategy.

The Non-Custodial Infrastructure Distinction

Non-EU infrastructure providers, such as validators and node operators (including Everstake), may fall outside MiCA‘s direct scope when they:

• do not hold client assets,
• do not issue tokens,
• do not provide advice.

None of these requirements is explicitly stated in the regulation and requires careful legal analysis specific to each business model.

EU institutions considering engagement with non-EU validators should assess whether the provider’s activities constitute a regulated crypto-asset service under MiCA.

Institutional Responsibility

Regardless of the provider’s domicile, EU institutions bear responsibility for their vendor ecosystem. They must generally conduct due diligence on all third-party providers, including non-EU validators, to confirm compliance with EU standards.

Everstake operates as a non-custodial staking infrastructure. EU institutions using Everstake’s validator services retain control of their assets at all times. Everstake maintains GDPR compliance and supports institutional audit requirements. The company holds SOC 2 Type II, ISO 27001:2022, and NIST CSF certifications, and may provide Data Processing Agreements upon request.

GDPR Considerations When Using Blockchain-Based Staking Infrastructure

Staking involves on-chain transactions that are immutable by design, which may create certain tension with GDPR’s right to erasure under Article 17 of Regulation (EU) 2016/679.

Controllers, typically the EU institutions themselves, must assess what personal data is processed in connection with staking operations, identify who the data processors are, and determine where data is stored.

Validator Infrastructure and Data Processing

If a validator operator processes personal data on behalf of an EU institution, a Data Processing Agreement (DPA) is generally required under GDPR. Pseudonymous on-chain addresses may still constitute personal data if re-identification is possible, a position supported by EU data protection authorities.

As a GDPR-compliant infrastructure partner, Everstake provides DPAs and supports EU institutions’ data protection obligations. Institutions may request a DPA as part of their vendor onboarding process for any staking infrastructure provider.

Compliance Checklist: How EU Institutions Should Assess a Staking Provider in 2026

Before engaging a staking provider, EU institutions may consider verifying the following across four compliance domains.

Domain	Question	Why It Matters
Licensing	Is the provider registered in the ESMA CASP register?	Confirms MiCA authorization
Custody model	Does the provider hold client assets at any point?	Triggers Art. 70 obligations
AML program	Does the provider have a documented AML/KYC policy?	Required under AMLR/TFR
DORA compliance	Does the provider meet ICT resilience standards?	Mandatory for regulated entities
GDPR	Is a DPA available? Where is the data processed?	Required if personal data is involved
Passporting	In which member states is the provider authorized?	Relevant for multi-jurisdiction use
Asset segregation	Are client assets segregated on-chain and in records?	Art. 70 MiCA obligation
Incident reporting	Does the provider have a breach and incident protocol?	DORA and MiCA requirement

For institutions evaluating non-custodial infrastructure partners, Everstake’s institutional staking solutions are designed to support compliance verification, including audit-grade reporting, certified security frameworks, and GDPR-aligned data handling.

FAQ: Staking and MiCA: Common Questions From EU Institutions

Does MiCA directly regulate staking?

MiCA does not use the word “staking” explicitly. That said, staking services offered by CASPs generally fall within the scope of custody, transfer, and related services regulated under MiCA. The precise classification depends on the nature of the service and the applicable NCA’s interpretation.

Can an EU institution use a non-EU staking validator under MiCA?

Yes, this may be possible if the non–EU provider is not acting as a CASP in relation to the institution. For example, a non-custodial validator that does not hold client assets and does not provide advice may fall outside MiCA’s direct scope. EU institutions retain compliance responsibility for their vendor chain and should conduct appropriate due diligence.

What is the ESMA CASP register, and how do I use it?

ESMA maintains an interim public register of all authorized CASPs across EU member states. It is published on ESMA’s website as CSV files, searchable by provider name and country. The register can be used to verify a provider’s authorization status. Full integration into ESMA’s IT systems is expected by mid-2026.

Does MiCA apply to liquid staking tokens?

Liquid staking tokens may qualify as asset-referenced tokens (ARTs) or e-money tokens (EMTs) under MiCA, depending on their design and economic function. Each token must be assessed individually, and issuers of qualifying tokens must comply with the relevant Title III or Title IV requirements.

How does DORA interact with MiCA for staking services?

CASPs within the scope of MiCA are also subject to DORA’s ICT risk management requirements, including obligations for third-party ICT provider oversight, which apply directly to validator infrastructure relationships. EU institutions must generally ensure that their staking providers meet DORA’s standards for operational resilience, incident reporting, and business continuity.

Disclaimer:
The information provided in this article is for general informational purposes only and does not constitute legal, regulatory, financial, or compliance advice. Nothing in this article should be relied upon as a substitute for professional legal counsel. The regulatory landscape described — including MiCA, GDPR, DORA, AML/CFT requirements, and related frameworks — is subject to ongoing development, and applicable rules may vary significantly depending on jurisdiction, business model, and individual circumstances. Readers should consult qualified legal, regulatory, and compliance professionals before making any decisions based on the information contained herein. Neither the author nor any affiliated party accepts liability for actions taken or not taken based on the contents of this article.