On the 17th of June 2025, the Malta Financial Services Authority (“MFSA”) published a circular titled ‘Follow-Up Circular to the Industry on the Authorisation Process for MiCA Applicants’.
The circular concerns the authorisation process for crypto-asset service providers (CASPs) under Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA), as integrated in Maltese law through Chapter 647. This circular supplements the Authority’s communication of the 10th of December 2024, which was explained in a previous legal update.
The June 2025 circular introduces two additional annexes that are now required as part of a complete MiCA application file. These are Annex AX05 (Digital Operational Resilience Assessment) and Annex AX50 (ICT Third-Party Provider Assessment).
The additional documentation reflects the MFSA’s alignment with Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA), which has been fully applicable since January 2025. The MFSA’s position is that applications for authorisation under MiCA must be supported by evidence of ICT risk management and operational resilience arrangements that meet the standards set out under DORA.
Annex AX05 obliges applicants to provide an assessment of their digital operational resilience framework, including governance, incident response, and continuity arrangements. Annex AX50 requires disclosure and assessment of dependencies on third-party ICT providers, including the nature of services outsourced and the applicant’s oversight and risk mitigation measures.
The two annexes are to be submitted by all applicants, including both Category A and Category B entities, in addition to the documentation outlined in the December 2024 circular. The Authority has not indicated any transitional arrangements or exceptions for applicants who had commenced the process prior to the publication of this circular.
The introduction of these annexes confirms the MFSA’s intention to embed ICT-related considerations within the MiCA authorisation process at an early stage. This reflects a broader alignment between MiCA licensing procedures and EU financial legislation applicable to digital operational resilience and ICT risk. From a procedural perspective, applicants are now required to demonstrate compliance with DORA requirements at the point of application, rather than post-authorisation. Prospective applicants must ensure that ICT governance frameworks, outsourcing arrangements, and related internal documentation are sufficiently developed and aligned with the obligations arising under both MiCA and DORA.
Our FinTech team can assist with queries related to the application and the authorisation process under the MiCA Regulation and Malta’s MiCA Act.
This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr. Mario Mizzi from the FinTech Team or the DORA Team on: dora@mamotcv.com