The Malta Financial Services Authority (MFSA) released a follow-up circular providing further guidance on the authorisation process for crypto-asset service providers (CASPs) under the Markets in Crypto-Assets Regulation (MiCA), formally known as Regulation (EU) 2023/1114. This update builds on the Authority’s earlier communication issued on 10 December 2024.
The latest circular introduces two new mandatory annexes that must accompany all MiCA authorisation applications:
- Annex AX05 – Digital Operational Resilience Assessment
- Annex AX50 – ICT Third-Party Provider Assessment
Applicants are now expected to demonstrate robust ICT risk management and operational resilience capabilities at the point of application. Specifically:
- Annex AX05 requires a comprehensive evaluation of an applicant’s digital resilience, including governance structures, incident response protocols, and business continuity planning.
- Annex AX50 focuses on the oversight and risk management of outsourced ICT services, requiring detailed disclosures on third-party dependencies.
The MFSA’s approach underscores the importance of embedding ICT and operational resilience considerations into the licensing process from the outset. Prospective applicants should ensure that their internal frameworks, outsourcing arrangements, and supporting documentation are fully aligned with both MiCA and DORA obligations.
How can BDO Malta assist?
For further information or assistance with preparing your MiCA application, BDO Malta can support you through every stage of the authorisation process.Contact Us
