The MiCA Review Opens While Luxembourg's Licensing Model Is Under Threat: What Compliance Teams Should Actually Watch
Analysis of the European Commission's MiCA review consultation launched on 20 May 2026, set against the parallel proposal to centralise CASP supervision under ESMA. For Luxembourg management companies, fund administrators, and TCSPs touching tokenised assets, the convergence of MiCA, AMLR, and the Transfer of Funds Regulation is becoming a single compliance surface that depends entirely on the data layer underneath.

On 20 May 2026, the European Commission launched a targeted consultation on the review of the MiCA Regulation, running until 31 August. A parallel public consultation opened the same day. Both feed into the Commission's mandated report under Articles 140 and 142, which may, if warranted, be accompanied by a new legislative proposal.
Forty-one days earlier, the European Central Bank had issued Opinion CON/2026/13, formally backing the Commission's proposal to move supervision of systemically important crypto-asset service providers from national competent authorities to ESMA in Paris. The two files are now travelling on parallel tracks, and they will collide.
The Headline Is the Review, the Story Is the Architecture
The surface reading of the MiCA review is procedural. MiCA's own Articles 140 and 142 require the Commission to report on the regulation's application and on developments in crypto-asset markets. The consultation is the evidence-gathering step. Most coverage has focused on the questions inside it: stablecoin interest rules, DeFi treatment, classification gaps, consumer protection.
The deeper reading is structural. The Commission is asking, in formal terms, whether MiCA has worked. It is asking the question at exactly the moment when one possible answer, the centralisation of supervision under ESMA, is being negotiated in parallel between the Council and Parliament. The consultation is not just feedback on what MiCA does. It is also, by implication, feedback on whether the national-supervisor model that MiCA chose can deliver consistent enforcement across 27 member states.
For Luxembourg, this is not abstract. The CSSF has been one of the most active MiCA licensing authorities in the EU. Coinbase chose Luxembourg as its European headquarters after receiving its CASP licence from the CSSF in June 2025. Standard Chartered set up its European digital-asset custody entity in Luxembourg the same year. The CSSF has approved 33 white papers for crypto-assets other than ARTs and EMTs, building a reputation as a diligent regulator.
That reputation is now what is being implicitly questioned. According to Reuters reporting, Ireland, Luxembourg, and Malta have expressed reservations about transferring oversight to Paris. France, Italy, and Austria have called for exactly that transfer. The political coalition that would benefit from centralisation has already formed.
What the Consultation Document Actually Asks
The consultation document itself is targeted at a specialised audience: CASPs, issuers, national and European supervisors, central banks, ministries of finance. The questions it asks are not the questions a retail consumer would write. They probe the seams of MiCA where the framework meets adjacent EU law.
Three of those seams matter directly for management companies and fund administrators, even firms that have no direct CASP licence.
The first seam is the boundary between MiCA and the AMLR. Article 68 of MiCA designates CASPs as obliged entities under the EU anti-money laundering framework. The substance of the KYC obligation flows from the AMLR (Regulation 2024/1624), which begins to apply from 10 July 2027. The Transfer of Funds Regulation, in force since 30 December 2024, removes any de minimis threshold for crypto-asset transfers between CASPs. A five-euro transfer between two EU-licensed exchanges requires the same originator and beneficiary data payload as a five-hundred-thousand-euro transfer. The MiCA review will produce findings on whether this combined surface is workable, or whether it requires alignment.
The second seam is the boundary between MiCA and MiFID. The consultation explicitly probes classification gaps. Where does a tokenised security stop being a MiCA crypto-asset and start being a MiFID financial instrument? The Commission is asking this question because national supervisors have answered it differently. For Luxembourg fund administrators custodying tokenised fund units, the answer determines which rulebook governs the file.
The third seam is supervisory architecture. The consultation does not directly ask whether ESMA should take over. It does not need to. The Commission's parallel proposal, backed by the ECB, has already put the question on the table. The MiCA review's findings will land in a negotiation that is already underway.
The Fund Administrator and Management Company Exposure
The instinct at most management companies and fund administrators is that MiCA is somebody else's problem. The firm does not run a crypto exchange. It does not issue stablecoins. Its compliance perimeter is AIFMD, UCITS, AMLR.
That instinct is increasingly wrong. The CSSF updated its FAQ on crypto-assets on 4 February 2026, specifically to address how funds and fund managers should treat direct and indirect crypto exposures. UCITS may invest indirectly in crypto-assets for a maximum of 10% of net asset value. AIFs marketing to well-informed investors may invest directly. Depositaries providing custody for funds investing directly in crypto-assets must either obtain a CASP authorisation or notify the CSSF. The crypto perimeter has already crossed into the traditional fund administration perimeter.
This is the practical exposure. A Luxembourg management company running an AIF with a 5% allocation to a tokenised real-estate vehicle is now operating across two rulebooks. The fund-level AIFMD obligations remain. The crypto-asset-level MiCA obligations attach to the depositary, the custodian, and the trading venue. The AMLR obligations sit underneath both. The Transfer of Funds Regulation governs any inter-CASP movement of the underlying tokens. Five frameworks, one file, one supervisor, one audit trail.
If the MiCA review concludes that the existing supervisory model produces inconsistent enforcement, and if the Commission's parallel centralisation proposal advances, the supervisor for parts of that file changes. The substantive obligations do not. The data and evidence that need to support them do not. What changes is who reviews them, against what benchmark, and how often.
Why This Reduces to a Data Infrastructure Question
The political question about who supervises CASPs is genuinely important, and the outcome is uncertain. The operational question for management companies and fund administrators is not uncertain at all. Whatever the outcome, the firm will need to produce, on demand, a structured and auditable record of how each crypto-touching decision was made, what evidence supported it, and which rulebook it was made under.
That record is not a deliverable a firm can manufacture after an inspection notice arrives. It is either being built continuously into the operational workflow, or it is not. If it is, supervisory change is a change of audience. If it is not, supervisory change is a crisis.
The firms most exposed are those that treated crypto-asset compliance as a vendor problem rather than a data architecture problem. They bought a transaction monitoring tool, or a wallet screening service, or a Travel Rule connector, and they treated the resulting outputs as the compliance evidence. They are now sitting on a stack of provider-specific outputs in provider-specific formats, with no unified case file that links a beneficial ownership decision to the underlying registry extract, the screening result, the risk rationale, and the policy in force at the time.
A CSSF examiner can work through that stack. An ESMA examiner, working to a different methodology and a less mature relationship with the firm, will work through it differently. The firms that built a single, structured, queryable case file from the start will survive both. The firms that did not will have to rebuild under inspection pressure.
The Position
The MiCA review is not a housekeeping exercise. It is the first formal opportunity to argue, on the record, what the next phase of EU crypto-asset regulation should look like. The Commission has framed it narrowly, around fitness for purpose. The political context will widen it. The outcome, whatever it is, will be implemented through the same data layer that already supports the AMLR, the TFR, DORA, and the AIFMD.
For compliance teams at Luxembourg management companies, Mauritius fund administrators, and TCSPs handling any tokenised exposure, the correct response to the consultation is not to wait. It is to assume that the perimeter will expand, the supervisory architecture may shift, and the evidence requirements will compound. The firms that treat compliance as a data infrastructure problem with a regulatory deadline on top, rather than a policy problem to be solved with another vendor purchase, are the firms whose case files will hold up when the next examiner walks in, regardless of which institution sent them.
If your firm's exposure to MiCA, the AMLR, and the Transfer of Funds Regulation is sitting across separate tools with separate case files, we should talk before the consultation closes.