Financial Services

EBA publishes Final Report on draft RTS and ITS on information for authorisation as issuers for ARTs under MiCAR

Written by

Dr. Michael Huertas

RegCORE Client Alert | EU Digital Single Market


On 7 May 2024, the European Banking Authority (EBA) published three sets of final draft regulatory technical standards (RTS) and one set of final draft implementing technical standards (ITS) relating to: (i) the authorisation as crypto-asset issuer (CAI) of asset-referenced tokens (ARTs), (ii) the information for the assessment of acquisition of qualifying holdings in issuers of ARTs and (iii) the procedure for the approval of white papers for ARTs issued by credit institutions under the EU’s Markets in Crypto-assets Regulation (MiCAR).Regulation (EU) 2023/1114.Show Footnote These technical standards are key to regulating access to the EU market by applicant crypto-asset issuers (CAIs) of ARTs and persons intending to exercise significant influence on these undertakings via the acquisition of qualifying holdings as well as in setting standards on the procedure for the approval of white papers for ARTs issued by credit institutions (i.e. banks). Each of the developments in points (i), (ii) and (iii) are assessed in dedicated Client Alerts, which should be read in conjunction with further analysis on MiCAR generally as well as specifically in context of further RTS/ITS as available from PwC Legal’s dedicated EU Regulatory Compliance Operations, Risk and Engagement (EU RegCORE) centre.

This specific Client Alert focuses on point (i) above and the supervisory expectation set in the EBA’s Final ReportAvailable here.Show Footnote on draft RTS on information for application for authorisation to offer to the public and to seek admission to trading of ARTs and the draft ITS on standard forms, templates and procedures for the information to be included in CAI applications pursuant to MiCAR. Both RTS and ITS detailed in the Final Report were developed in close cooperation with the European Securities and Markets Authority (ESMA) and are not only relevant for crypto-asset service providers (CASPs) but other financial services providers.

The Final Report marks an important milestone in delivering MiCAR’s full operationalisation by December 2024 in further clarifying how aspiring applicant CAIs for ARTs can become authorised. The Final Report particularly reinforces supervisory practices regarding access to the market for (a) those legal persons or other undertakings established in the EU which have been granted authorisation in accordance with Art. 21 MiCAR or (b) legal persons authorised as credit institutions (i.e., banks) subject to the MiCAR obligation to publishing an ART white paper.

Key takeaways from the Final Report

The Final Report explains the rationale and objectives of the RTS and ITS. These aim to specify the information requirements for applicant CAIs of ARTs, ensure a consistent and comprehensive assessment of such applications by the competent authorities and facilitate the adoption of opinions by the European Central Bank (ECB) or other central banks on the interaction of the proposed ARTs with monetary policy, monetary sovereignty, smooth functioning of the payment systems and financial stability. The Final Report also summarises the feedback received from the public consultation and the main changes made to the draft RTS and ITS as a result.

The RTS and ITS are annexed to the Final Report as a Commission Delegated Regulation and Commission Implementing Regulation respectively. The draft RTS and ITS will be submitted to the European Commission for its endorsement. Following that, they will be subject to the scrutiny of the European Parliament and Council and then move to publication in the EU’s Official Journal. Following publication in the Official Journal, the RTS (Commission Delegated Regulation) and ITS (Commission Implementing Regulation) will apply to applicant CAIs established in the EU (other than credit institutions )As credit institutions are only required to receive approval to publish a white paper, the RTS and ITS on authorisation do not apply to credit institutions.Show Footnote who intend to offer to the public or to seek admission to trading of a specific ART in the EU. The RTS and ITS will not apply to issuers of e-money tokens (EMTs) or significant asset-referenced tokens (s-ARTs), which are subject to different authorisation regimes under MiCAR.

Authorisation pre-requisites

Art. 16 MiCAR imposes pre-requisites on the public offering or trading of ARTs. A person wishing to apply to become a CAI in respect of an ART must be based in the EU and meet the following criteria:

  1. Be a legal person or undertaking that has been granted authorisation under MiCAR; or
  2. Be a credit institution which complies with requirements that are set out in MiCAR. 

A CAI’s authorisation for offering ARTs and/or to seek admission of the ART to a trading platform is valid across the EU.
Applicant CAIs must submit an application to the responsible competent authority specified in point (35), point (a), of Article 3(1) of MiCAR. The application should include all necessary and pertinent information, including the white paper. As discussed below, the RTS and ITS set out the content and form of such application. 
Undertakings which are not legal persons may apply for authorisation as a CAI of an ART provided that their legal status guarantees a degree of protection for the interests of third parties that is equal to that offered by legal persons i.e., by incorporated entities and that they are subject to comparable prudential (regulatory capital and liquidity) oversight.
Article 16(2) of MiCAR allows for exemptions from authorisation as a CAI of an ART in two cases, namely when:

  1. the issuance is small, with amounts never exceeding Euro 5,000,000 or its equivalent in another official currency, and the issuer is not connected to a network of other exempt issuers; or 
  2. the issuances are exclusively targeted at professional investors. Even in these instances, issuers must adhere to transparency regulations, including the obligation to notify the competent authorities of the white paper and marketing materials.

Requirements in the RTS

The RTS sets out the information to be contained in the application for authorisation, which includes the white paper (which must meet MiCAR’s requirements, as supplemented by further RTS/ITS), the programme of operations (i.e., the regulated business plan – RBP), the internal governance arrangements and structural organisation, the liquidity management and reserve of assets, the suitability of the members of the management body, and the sufficiently good repute of shareholders or members with qualifying holdings.

The Final Report and the RTS also specify the level of detail and comprehensiveness of the information required, taking into account the need to provide the competent authority and the ECB or other central bank with the relevant information to carry out their respective assessments. The RTS also aims to ensure consistency with the existing licensing practice in the financial sector and the EBA and ESMA guidelines on the suitability of the members of the management body. Whilst the Final Report and RTS cross-reference to a number of established (but also MiCAR-relevant) EU rulemaking and supervisory principles, care should be drawn that some concepts need to be translated into working for crypto-assets more generally and for ARTs more significantly.

The RTS follows the structure typically employed in the EU for the licensing of regulatory products and covers: 

  1. The applicant CAI’s identity details and background; 
  2. The RBP, including the mechanism of (i) issuance and redemption of ARTs, (ii) other outstanding issuances or activities carried out by the applicant CAI, (iii) the business model, strategy and risk assessment, (iv) the financial forecast showing the business plan and its viability, including the calculation of the own funds requirements and of the reserve of assets, (v) the applicant CAI’s past financial information. The RTS also states that as regards interaction between the business model and the serious risks to expose the issuer or the sector to anti-money laundering (AML) and countering terrorist financing (CTF) risks, the RBP requires that the risk assessment also includes AML/CTF considerations, and that the description of the mechanisms for issuance and redemption indicate the CASPs or other entities subject to AML/CFT obligations involved in such mechanisms; 
  3. The internal governance arrangements and structural organisation - including (i) information on third-party providers of critical and important functions and (ii) the internal control framework - including the Information and Communication Technology (ICT) risk management framework that has to be compliant with the requirements set out in the EU’s Regulation known as the Digital Operational Resilience Act (DORA) (please see separate coverage on DORA from our EU RegCORE); 
  4. The liquidity management, reserve of assets and redemptions rights, including a description of the stabilisation mechanism for the ARTs for which the authorisation is sought;
  5. The suitability of the members of the management body; and
  6. The sufficiently good repute of shareholders or members with direct or indirect qualifying holdings.

The RTS thankfully preserves the principle of proportionality in that if a CAI has already been authorised for one ART, they would not need to submit the same information again for another ART. In addition, the implementation of simplified prudential regulations, such as those for own funds, results in a reduced need for thorough reporting, in contrast to other entities - for the purpose of applying for authorisation. If the application seeks voluntary designation as an issuer of large ARTs, a greater level of information is required. This level of detail should be appropriate for the increased complexity and risk profile of the applicant CAI. 

As indicated above, while much of the above will be familiar to a number of regulated firms already authorised in the EU, it is important to note that the EU’s rulemaking requirements both in terms of granularity of detail to be provided as part of an application as well as supervisory scrutiny has increased steadily over the past years and specifically also for MiCAR relevant CAIs and CASPs. The RTS also permits competent authorities to request clarifications or additional information that may be required following a review of the information provided in accordance with the RTS. This accordingly means that certain national competent authorities may sharpen their expectations beyond the harmonised minimum set out in the RTS.

Details in the ITS

The ITS lays down the standard forms, templates and procedures for the information to be included in the application file submitted to competent authorities so as to ensure uniformity across the EU. The ITS requires the applicant CAIs to submit the application electronically, unless otherwise required by national law and to use the standard form and template set out in Annex I and II of the ITS. The ITS also provides for the possibility of the competent authority to request additional information or clarification from the applicant issuer, as well as the possibility of the applicant issuer to amend or withdraw the application.

Given the extent of what is required in a RBP and the application pack overall, it should be noted that the standard forms are a good starting ground but that most (successful) applications contain much more detail than the pro forma templates cater for.

Administrative process for assessing and granting authorisations for ARTs

Another area that is conceptually familiar but subject to MiCAR specifics is the administrative process from filing an application through to receiving the grant of an authorisation to act as a CAI for ARTs. The administrative process of competent authorities in granting authorisation to applicant CAIs involves several subsequent phases. Each of these are subject to time-bound deadlines but such deadlines may be paused and thus extended in the event of questions raised by the competent authority. Part of the skill in any (successful) application process is to shorten the pauses and thus streamline the period from application submission through to receipt of authorisation.

  • First, the competent authority evaluates the completeness of the application.
  • Once deemed complete, application is assessed in a second step. In the third step, the competent authority sends its preliminary decision on granting authorisation, along with the application file and white paper, to the ECB and other central banks (if the proposed token references currencies other than the Euro). These central banks are responsible for adopting an opinion on how the proposed token interacts with monetary policy, monetary sovereignty, the smooth functioning of payment systems, and financial stability.
  • After the ECB and other central banks provide their opinion, the competent authority makes a decision on whether to grant or refuse authorisation. It should be noted that a negative opinion from the ECB or other central bank results in a denial of the authorisation.

The grounds for refusal of authorisation are outlined in Art. 21(2) of MiCAR and include the following: 

  1. The risk that the management body of the applicant CAI may pose a threat to the effective, sound, and prudent management and business continuity, as well as the adequate consideration of the interests of its clients and the integrity of the market.
  2. The unsuitability of the members of the management body. 
  3. The lack of sufficient good repute by the shareholders and members, whether direct or indirect, who hold qualifying holdings. 
  4. The applicant CAI’s failure or likely failure to meet any of the requirements of Title III of MiCAR.
  5. The potential danger that the business model of the applicant CAI might significantly jeopardise market integrity, financial stability, the efficient functioning of payment systems, or expose the CAI or the industry to significant AML/CTF risks.


The Final Report and draft RTS and ITS on the authorisation of CAIs ARTs under MiCAR provide a comprehensive and detailed framework for the licensing and supervision of such entities in the EU. The RTS and ITS aim to ensure a consistent and comprehensive assessment of the applications by the competent authorities, and to facilitate the adoption of opinions by the central banks on the interaction of the proposed ARTs with monetary policy, monetary sovereignty, smooth functioning of the payment systems and financial stability.

While much in the process will be familiar to seasoned financial services and digital asset native firms (as well as their advisors), the required granularity of detail and a slightly MiCAR-modified administrative process, will warrant the need for dedicated legal and multidisciplinary advisory support for applications as well as post-authorisation set-up and transition to a steady-state readiness and running of the business.

It is also important to note that the requirements set out in MiCAR are supplemented by RTS/ITS beyond those analysed in this Client Alert. Consideration will need to be given to the breadth of other EU legislative and regulatory rulemaking instruments, as may apply directly or with MiCAR-modifications to CAIs and CASPs, which are subject to specific supervisory expectations of each of the respective competent authorities involved in supervising the EU’s Single Market for crypto-assets. This includes a need to understand the differences and commonalities and thus best options to navigate the expectations of competent authorities both at the EU and accordingly at the respective Member State level.

About us

PwC Legal is assisting a number of financial services firms, CAIs, CASPs along with other market participants in forward planning for changes stemming from relevant related developments. We maintain a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators for both their “build the business” and on-going “run the business” priorities. We couple our longstanding expertise in successful delivery of licensing applications, filing regulatory notifications and obtaining clearances as well as structuring, drafting and launching crypto-asset offerings, all with the help of a breadth of proprietary AI systems to streamline the preparation of applications and notifications as well as white papers to meet MiCAR and other EU as well as global standards. 

Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.

Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.

If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via or our website.