MiCAR and PSD2: single authorization or dual authorization for EMT services?

On June 10, 2025, the European Banking Authority (EBA) issued a long-awaited "No Action Letter" published which finally brings clarity to one of the most complex legal issues in the crypto sector. It concerns the interplay between Regulation 2023/1114 on crypto asset markets (Markets in Crypto-Assets Regulation (MiCAR).) and the Payment Services Directive 2015/2366 (Payment Services Directive 2 (PSD2)) for crypto asset service providers (crypto-asset service providers (CASPs)) offering services using electronic money tokens (EMTs).

The background: a legal quagmire

The issue arose because of the dual legal nature of EMTs. According to article 48(2) of MiCAR electronic money tokens are considered to be electronic money, making them subject to the definition of "funds" in Article 4(25) of PSD2 fall. This means that EMTs are simultaneously crypto assets under MiCAR as well as means of payment under PSD2 - a situation that has led to considerable legal uncertainty.

The European Commission recognized this problem in December 2024 when it asked the EBA and ESMA to issue a No Action Letter. In her letter the European Commission warned of the risk of regulatory arbitrage and reduced consumer protection due to differing interpretations of regulations in different member states.

The core problem: duplicate authorization requirements

The main problem the EBA addresses is the potential need for CASPs to obtain dual authorizations - both under MiCAR as under PSD2 - for activities involving EMTs. This situation would arise when:

• CASPs offer custodial wallets (custodial wallets) that allow customers to make EMT transfers
• CASPs maintain control of private cryptographic keys on behalf of their clients
• The custody portfolio qualifies as a "checking account" under PSD2

Such dual authorization would impose a disproportionate administrative burden on CASPs and could hamper innovation in the industry.

The EBA solution: a pragmatic approach

Which services are considered payment services

The EBA advises national regulators to consider the following activities as payment services under PSD2:

Well payment services:

• Transfer of crypto assets involving EMTs executed on behalf of clients to third parties
• Retention and administration of EMTs
• Custodial portfolios held in clients' names and allowing transfers to third parties

Explicitly excluded:

• Self-transfers (e.g., to self-hosted wallets from the same owner)
• "Exchange of crypto assets for cash" as defined in MiCAR
• "Exchanging crypto assets for other crypto assets" as defined in MiCAR
• Intermediation when purchasing crypto assets with EMTs

Transition period until March 2026

Importantly, the EBA has established a transition period. National regulators is advised that PSD2 authorization will not be required for relevant EMT services until March 1, 2026. This will give CASPs time to prepare for the new requirements.

During the authorization process, regulators should implement streamlined procedures that maximize the use of information already provided by entities during their CASP authorization under MiCAR.

Selective enforcement of PSD2 provisions

Once authorized as a payment service provider, the EBA recommends that certain PSD2 provisions not be enforced as a priority, including:

• Protective measures (safeguarding).
• Consumer information regarding rates
• Maximum execution time of payment transactions
• Unique identifiers (such as IBAN)
• Open banking

Maintain priority, however:

• Strong customer authentication (SCA) for accessing custody portfolios and initiating EMT transfers
• Fraud Report
• Cumulative calculation of own resources

Important distinction: CASPs limited to EMT custody and transfers can benefit from this simplified approach. Fully licensed EMIs and group structures, on the other hand, must be fully compliant with all relevant PSD2 provisions from inception.

Practical implications for businesses

For existing CASPs

CASPs currently offering EMT services must analyze their services to determine which activities are covered by PSD2 requirements. They have until March 2026 to obtain PSD2 authorization or enter into a partnership with an authorized payment service provider.

For new entrants

New entities wishing to offer both CASP and payment services are not recommended a specific order for authorizations. However, they should ensure that all information provided is accurate, complete and current.

One strategic option that is gaining traction is the use of group EMI structures. Here, an existing e-money institution within a group can provide PSD2 compliance for CASP operations, which can reduce regulatory complexity and costs.

For EMIs and payment institutions

Existing electronic money institutions (EMIs) and payment institutions that want to facilitate EMT transactions can take advantage of the notification regime under Article 60 of MiCAR, provided they meet the restrictions.

Long-term solutions

The EBA stresses that the No Action Letter is only a temporary solution. For the long term, it advises the European Parliament and Council to:

1. MiCAR to strengthen by relevant provisions from PSD3/PSR on transparency, consumer protection, authentication and fraud reporting, adapted to the technical specificities of EMTs
2. Alternative: amend PSD3/PSR To explicitly state which provisions apply to crypto asset services that qualify as payment services, without requiring a second authorization

The EBA rejects a third option - completely excluding EMTs from future payment regulation - as undesirable, as it would lead to competitive distortions and reduced consumer protection.

Impact on the Belgian market

For Belgian CASPs, this No Action Letter means welcome clarity after months of uncertainty. The FSMA, as the Belgian regulator for both MiCAR and PSD2, will have to implement the EBA directive in its supervisory practice.

Belgian companies offering EMT services would do well to:

• Thoroughly analyze their current services against the EBA criteria, with special attention to the distinction between self-transfers (not in scope) and transfers on behalf of clients to third parties (in scope)
• Planning their licensing strategy: choose between dual authorization (CASP/PSD2), group EMI structures, or partnerships with existing payment service providers
• Contacting FSMA early on their specific situation and expected national guidance
• Starting implementation work now although enforcement does not begin until March 2026 - preparation time is crucial
• Adapt their compliance procedures to the new guidance

Critical comments from legal practice

While this No Action Letter brings welcome clarity, there are also critical comments from legal practitioners. The regulatory situation is characterized by remarkable complexity with CASPs having to navigate a landscape full of legal obstacles created by the interplay between two ambitious but imperfectly aligned regulatory frameworks.

Fundamental questions about the approach taken:

There are legitimate doubts about whether a No Action Letter was the right legal instrument for this structural problem. The choice to issue temporary directives rather than direct legislative changes raises fundamental questions about the coherence of the European regulatory process. This instrument, originally designed for exceptional circumstances, is now being used to address systemic legislative deficiencies.

Risks of this pragmatic solution:

The EBA explicitly recognizes that CASP authorization under MiCAR is insufficient to address all risks associated with EMT transactions. This fundamental premise actually undermines the rationale behind MiCAR as a comprehensive crypto-regulatory framework. Moreover, the temporary nature of the solution creates structural uncertainty for long-term investments and strategic business decisions.

In addition, implementation remains dependent on interpretation by national regulators, which carries the risk of divergent implementations among member states - precisely the problem that MiCAR's harmonizing effect is supposed to solve.

Systematic deficiencies:

The fact that such extensive and complex directives were needed shortly after MiCAR came into force points to fundamental planning errors in the European legislative process. The question arises whether the ambitious timelines for crypto regulation were realistic, given the complexity of the technology and existing financial regulations.

Despite these critical comments, it must be acknowledged that the EBA addressed an extraordinarily complex legal issue with the resources that were available. The hope is that such exceptional corrective measures will not become the norm and that future regulations will be better coordinated from initial drafting.

Conclusion and recommendations

This EBA No Action Letter represents an important step toward regulatory clarity in the crypto sector, but it does not solve all the problems. For CASPs, it is essential to:

1. Act now: Analyze your current services and prepare for possible PSD2 requirements
2. Seeking early contact: Contact supervisors about your specific situation
3. Staying flexible: Keep in mind possible changes as PSD3/PSR take shape
4. Seeking legal advice: The complexity of the matter requires specialized legal support

For more information on MiCAR regulations and their practical implications, please visit our MiCAR page.

The coming months will be crucial for the further development of the European crypto-regulatory landscape. CASPs that act proactively now will be better positioned to take advantage of the opportunities presented by the new regulations.

---