MiCA in Malta in 2026:

For Malta’s fintech and crypto sector, the legal centre of gravity is no longer national experimentation; it is EU-harmonised authorisation, governance, and conduct requirements, supervised locally by the MFSA within a framework that is increasingly shaped by EU-level supervisory expectations. 
 

1) The legal timeline matters: MiCA’s staged application 

MiCA entered into force on 29 June 2023, but it applied in two key waves: 

• 30 June 2024: rules on asset-referenced tokens (ARTs) and e-money tokens (EMTs) (Titles III and IV).  

• 30 December 2024: the remainder of MiCA, including the core regime for crypto-asset service providers (CASPs) and other crypto-assets.  

This staged commencement continues to influence compliance planning in 2026 because firms’ governance, white paper, token classification, and licensing readiness were often built in phases, sometimes unevenly. 
 

2) Malta’s framework in 2026: MFSA supervision under Cap. 647 and the MFSA MiCA Rulebook 

While MiCA is directly applicable EU law, Malta has enacted a domestic framework through the Markets in Crypto-Assets Act (Cap. 647), which supports the local supervisory and procedural mechanics. The MFSA confirms it is responsible for supervising entities authorised under Cap. 647.  

In parallel, the MFSA has issued a MiCA Rulebook that sets out practical instructions on authorisation processes and related supervisory expectations in the Maltese context (including process detail around CASP authorisation and notifications).  


3) The 2026 transition issue: “grandfathering” for VFA licensees and the 1 July 2026 marker 

A key Malta-specific issue in 2026 is the transition from the pre-MiCA VFA framework to MiCA authorisation. 

Based on local MFSA-linked guidance circulated around the legislative change,  VFA service providers licensed before 30 December 2024  may continue to provide services under the previous regime until 1 July 2026, or until they are granted or refused MiCA authorisation, whichever comes first.  

This is important to state precisely:  MiCA allows Member States to apply transitional arrangements, and the length and mechanics can differ between jurisdictions. ESMA has repeatedly highlighted the market risk created by divergent transitional periods and urged orderly transition planning an issue that is very much “live” as of late 2025/2026.  


4) Supervision in 2026: MiCA is harmonised, but scrutiny of authorisation quality is rising 

By 2026, the strategic value of MiCA is clear: a CASP authorised in one Member State can passport services across the EU under MiCA’s framework. That commercial opportunity is paired with regulatory sensitivity: authorisations granted locally have cross-border consequences. 

This has contributed to stronger EU-level focus on how national competent authorities authorise CASPs. In 2025, reporting indicated ESMA criticism of aspects of Malta’s MiCA licensing process, emphasising thorough assessment of matters such as business model, governance, IT infrastructure, and conflicts of interest.  

For Malta in 2026, the practical takeaway is that licensing speed is not the point; defensible decision-making, governance substance, and a demonstrably controlled operating model are. 

BDO Malta supports firms through the MiCA transition by focusing on legal structure and regulatory defensibility, not documentation for its own sake. The objective is simple: ensure that the business model is legally sustainable under MiCA and can withstand scrutiny from the MFSA and EU regulators. 

This includes: 

• Perimeter and licensing analysis to determine whether MiCA authorisation is required and, if so, under which category. 

• Authorisation strategy and MFSA engagement, including preparation and management of MiCA applications. 

• Governance and outsourcing reviews to align operational reality with regulatory expectations. 

• Remediation planning where existing structures will not withstand MiCA scrutiny. 

• Board-level advice on regulatory risk, strategic options and implementation timelines. 

Written by Dr. Lara Borg Bugeja (Team Lead, Legal Services) and Kyle Buhagiar (Lawyer) 

Contact us