ESMA Flags Gaps in Malta’s Crypto Licensing Under MiCA

The European Securities and Markets Authority (ESMA) has identified several gaps in Malta’s cryptocurrency licensing practices under the Markets in Crypto-Assets Regulation (MiCA). The ESMA’s review, released on Thursday, scrutinized the authorization process of crypto asset service providers (CASPs) by Malta’s Financial Services Authority (MFSA). While the MFSA met certain expectations in supervisory setup and staffing, the EU regulator found that the Maltese authorities only “partially met expectations” in the authorization process for a specific CASP.

The review, conducted by the ESMA’s ad hoc Peer Review Committee (PRC), recommended that the MFSA assess material issues that were pending at the date of the authorization or that have not been adequately considered at the authorization stage. This recommendation comes over a year after the MiCA framework came into force on June 29, 2024, aiming to provide a unified and consistent legal framework for crypto assets across the EU. The ESMA highlighted that the MiCA’s authorization approach applies to all National Competent Authorities (NCAs), emphasizing the need for consistency across NCAs in authorization and setting supervisory expectations.

The PRC’s review focused on three main areas: supervisory settings and resources, the authorization process, and the supervisory review and use of adequate powers. While the MFSA fully met the supervisory settings requirements and largely met the supervisory review rules, it only “partially met expectations” relevant to the “authorization of the specific CASP.” The PRC noted that the MFSA has built a “good level of expertise in this sector and has sufficient supervisory resources for CASP authorizations and supervision.” However, the MFSA needs to monitor closely the growth in authorization applications and identify and adjust supervisory practices in a timely manner.

The ESMA did not disclose the name of the CASP in question, making it unclear whether the PRC’s recommendation to assess the issue would impact any issued licenses. Experts suggest that the review is largely positive and does not pose a material risk to existing licenses. The issue is likely related to a difference of opinion between ESMA and MFSA regarding the management of certain issues. The MFSA seems to think that some issues can be managed via ongoing monitoring, whereas ESMA believes that the MFSA should leverage the threat of license rejection to resolve issues before authorization.

Currently, there are four CASPs licensed by the MFSA under MiCA, including BP23, Foris Dax, Okcoin Europe, and Zillion Bits. In April, Malta’s Financial Intelligence Analysis Unit fined Okcoin Europe $1.2 million after detecting certain violations dating back to 2023. The penalty came soon after the MFSA granted a MiCA license to OKX in January 2025. The ESMA and MFSA have not yet commented on the review’s potential impact on the MiCA-licensed companies in Malta.

In a positive light, the report notes that Malta MFSA is adequately staffed and continues to monitor crypto companies. However, there were apparent issues in the review as well. In one illustration, it can lead to licensing issues because the MFSA often licenses without resolving certain major problems. Besides, the review states that there are important areas that were not given much emphasis. These are the speed at which the companies are intending to expand, how they manage the conflict of interest, how they carry out their day-to-day work, and the strength of their technology.

In spite of these gaps, ESMA observed that the technical skills of Malta team are good. They are also amenable to cooperating with other EU regulators. The cooperation is crucial since the crypto market transforms rapidly and impacts a vast number of countries simultaneously. After this, the report states the rationale of the review. It is not the case with Malta only. ESMA desires to have improved licensing in all the EU countries. The crypto is expanding quickly. It opens up new risks and new possibilities, such as Web3 and decentralized applications.

ESMA also requested everyone in the EU to pay attention to these new areas. Most of these new crypto services are cross-border, and their technology is complex and in need of regulation that conventional regulations might do a poor job of supporting. Looking ahead, ESMA wants each country’s national authority to use these suggestions. This will assist them in checking crypto firms better. ESMA will also assist regulators to speak more to each other. It is a standard practice that makes rules just and transparent to all.

Although this report discusses Malta, the idea is very clear to the entire EU. Europe would wish to be the best destination of digital assets. Crypto firms require good and solid regulations to create trust. This will soon be established with the help of MiCA. These rules should be well observed by each country. The future of crypto in Europe will depend on how each of the member states implements MiCA. In addition, according to the review conducted by ESMA, some positive work is being performed, yet, there is still a lot to be done. When the regulating bodies inspect crypto companies thoroughly, individuals and companies will be more confident in the system. Finally, powerful regulations and collaboration among EU members will contribute to the development of crypto services in a secure manner.

The crypto market is evolving rapidly. Therefore, there is a greater need than ever of clear rules and active checks. Europe intends to be the European leader in digital finance and secure all users. Europe is making it happen and with the help of MiCA and ESMA.