MiCAR – Final guidelines on systems maintenance and security access protocols for crypto-assets other than ARTs and EMTs
RegCORE – Client Alert | Digital Single Market
QuickTake
The EU’s Market in Crypto-Assets Regulation (MiCAR) became fully operational as of 30 December 2024. As explored in PwC Legal’s EU RegCORE series covering developments across the “EU’s Digital Single Market, financial services and crypto-assets”, MiCAR marks a momentous achievement in (i) creating a new chapter of the EU’s Single Rulebook for certain types of crypto-assets that are not classified as “financial instruments” and (ii) concurrently extending existing chapters of the Single Rulebook to those crypto-assets that do qualify as “financial instruments”.
To recap, MiCAR applies to all entities offering crypto-assets within the EU, regardless of their geographical location. This means that non-EU persons or entities can issue crypto-assets in the EU, but they must comply with the MiCAR framework and respective supervisory guidelines. Non-EU issuers must register with the relevant national competent authority (NCA) in the EU Member State where they intend to offer their crypto-assets. They may also need to appoint a legal representative within the EU to ensure compliance with MiCAR requirements.
The maintenance of systems and security access protocols in conformity with EU standards is a paramount regulatory and supervisory priority enshrined in MiCAR, notably for crypto-asset service providers (CASPs) and for (i) offerors and (ii) persons seeking admission to trading of crypto-assets (summarised together as crypto-asset issuers or CAIs) complying with such EU standards. These EU standards include the EU’s Regulation known as the Digital Operational Resilience Act (DORA) and the EU’s second Network and Information Security Directive (NIS2), details of which, from a legal analysis perspective, are available in coverage from PwC Legal’s EU RegCORE. Crucially, while DORA and NIS2 apply to (a) CASPs and (b) CAIs of (1) asset-referenced tokens (ARTs) and (2) electronic money tokens (EMTs), they do not apply to CAIs of crypto-assets that are neither ARTs nor EMTs, thus leaving a regulatory gap.
Article 14(1) of MiCAR empowers the European Securities and Markets Authority (ESMA), in cooperation with the European Banking Authority (EBA), to issue supervisory guidelines specifying the EU standards which CAIs of crypto-assets (excluding those that are ARTs and EMTs) must implement and maintain, so as to close the above-mentioned gap and to provide certainty for market participants on how to evidence to NCAs and other respective supervisory authorities that CAIs maintain “effective administrative arrangements to ensure that their systems and security protocols meet EU standards.”
ESMA confirms that it understands the term “administrative arrangements” to mean processes, which may involve the senior management of the CAI, to assign roles and access rights, as well as procedures for granting and revoking access. ESMA equally confirms that for purposes of its mandate in Article 14(1) MiCAR, it will maintain a narrow interpretation of the term “systems”. This narrow interpretation allows for a targeted focus on information and communication technology (ICT) risks and aligns with how the term is used in DORA and NIS2 and with the cybersecurity and (digital) operational resilience obligations set out therein.
On 17 December 2024, ESMA published its Final Report containing, in Annex III, the now final “Guidelines specifying Union standards on the maintenance of systems and security access for offerors and persons seeking admission to trading of crypto-assets other than asset referenced tokens and e-money tokens” (summarised herein as the General CAI Security Access Protocol Guidelines). (Footnote: Available here – see Annex III for the text of the General CAI Security Access Protocol Guidelines.) ESMA ran a consultation on a draft version of the General CAI Security Access Protocol Guidelines between March and June 2024 and received responses from industry as well as advice from ESMA’s Securities and Markets Stakeholder Group (the SMSG). These responses have been reflected in the 8 pages that make up the final General CAI Security Access Protocol Guidelines and in the 22 pages of the Final Report setting out the context and rationale for the changes plus industry and SMSG feedback. This provides useful context on ESMA’s and other supervisors’ expectations of CAIs (other than ART and EMT related CAIs) in maintaining their systems and security access protocols (in particular with respect to robust cryptographic key management) in conformity with appropriate EU standards, thereby enhancing the security and integrity of their operations.
This Client Alert assesses the key takeaways for CAIs resulting from ESMA’s commentary set out in the Final Report and in the principles communicated in the General CAI Security Access Protocol Guidelines. This Client Alert should be read in conjunction with further analysis on MiCAR and in particular a number of further supervisory clarifications provided by ESMA, the EBA and their sister European Supervisory Authority (ESA) the European Insurance and Occupational Pensions Authority (EIOPA), as well as from the European Central Bank (ECB).
Key takeaways from ESMA’s General CAI Security Access Protocol Guidelines
ESMA’s General CAI Security Access Protocol Guidelines focus on:
- General principle on proportionality: the guidelines emphasise a proportional approach, meaning that while in-scope entities should do everything to comply with the guidelines, they may nevertheless adopt measures in a manner commensurate with the size, risk profile and complexity of the entity’s activities. The guidelines explicitly state that smaller entities are not expected to implement the same level of comprehensive measures as larger, more complex organisations. This means that smaller entities can adopt a more streamlined approach to compliance, focusing on the most critical aspects of ICT and security risk management, so that they are not unduly burdened by extensive requirements. A key aspect for those in-scope entities looking to rely on such a proportional approach will be the ability to evidence and demonstrate that they, and the group (if applicable) they belong to, qualify as small, non-complex and low risk.
- Administrative arrangements: in-scope entities must have an adequate internal governance and control framework for maintaining their network and information systems and mitigating ICT risks. Key roles and responsibilities must be clearly defined, and staff must be adequately trained and resourced. The management body is accountable for overseeing the implementation of ICT risk management arrangements. Smaller in-scope entities are required to have an adequate internal governance and control framework, but the guidelines allow for flexibility in how these arrangements are implemented. For instance, smaller in-scope entities can assign roles and responsibilities for ICT risk management to existing staff rather than creating new positions or departments. This approach may help to minimise additional operational costs and administrative burdens.
- Physical security access protocols: in-scope entities must implement physical security measures to protect their premises, data centres and sensitive areas from unauthorised access and environmental hazards. Access should be restricted to authorised individuals based on the need-to-know and least privilege principles, and access rights should be periodically reviewed. While the guidelines require all entities to implement physical and logical security measures, smaller in-scope entities can adopt less complex solutions that are still effective in mitigating risks. For example, the guidelines suggest that physical access to network and information systems should be restricted based on the need-to-know and least privilege principles, but the implementation of these controls can be simpler and less costly for smaller entities.
- Security access protocols for network and information systems: logical access to network and information systems must be restricted to authorised individuals. Entities should implement strong controls over privileged system access, including role-based access, logging, and monitoring for anomalies. Remote administrative access to critical ICT assets should be granted only on a need-to-know basis and when strong authentication solutions are available. All access rights should be periodically reviewed and withdrawn when no longer required.
- Cryptographic key management: entities are responsible for managing cryptographic keys through their entire lifecycle, including generating, renewing, storing, backing up and destroying keys. Controls must be in place to protect keys from loss, unauthorised access and modification. A register of all certificates and certificate-storing devices must be maintained, and certificates should be promptly renewed before expiration. Smaller entities must manage cryptographic keys through their entire lifecycle, but the guidelines do not mandate the establishment of a specific policy on cryptographic key management. Instead, smaller entities can integrate cryptographic key management into their regular ICT management arrangements, which reduces the need for additional documentation and specialised staff.
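The two bullets on logical access and on the certificate register above describe controls that are easy to state and easy for an NCA to test. The following added example, which is not part of the guidelines or of any CAI’s tooling, shows what a minimal evidence-producing implementation of both looks like: an access-rights register that is reviewed periodically (flagging overdue reviews, unused rights to withdraw, and remote privileged access without strong authentication) and a certificate register that flags entries approaching or past expiry. All system names, users and dates are constructed sample data, and the 90-day review, 60-day inactivity and 30-day renewal thresholds are assumed illustrative values, not figures from the guidelines.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed "today" so the constructed sample data below gives stable results.
TODAY = date(2025, 1, 15)


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str
    role: str
    privileged: bool        # administrative / privileged system access
    remote: bool            # right is exercised through remote administration
    strong_auth: bool       # strong (multi-factor) authentication enforced
    last_reviewed: date     # date of the last periodic review of this right
    last_used: Optional[date]  # None if the right has never been exercised


@dataclass(frozen=True)
class CertRecord:
    name: str
    storage_device: str     # device holding the private key: HSM, smart card, keystore
    not_after: date         # certificate expiry
    owner: str              # accountable person or team


def review_access(grants, today, review_interval_days=90, inactivity_days=60):
    """Periodic review of logical access rights (need-to-know / least privilege).

    Returns (user, system, finding) tuples for rights whose review is overdue,
    rights that appear unused and should be withdrawn, and remote privileged
    access that is not protected by strong authentication.
    """
    findings = []
    for g in grants:
        if (today - g.last_reviewed).days > review_interval_days:
            findings.append((g.user, g.system, "review overdue"))
        if g.last_used is None or (today - g.last_used).days > inactivity_days:
            findings.append((g.user, g.system, "unused; withdraw"))
        if g.privileged and g.remote and not g.strong_auth:
            findings.append((g.user, g.system,
                             "remote privileged access without strong authentication"))
    return findings


def certs_needing_renewal(certs, today, lead_days=30):
    """Certificate register entries due for renewal.

    Returns (name, storage_device, days_left) sorted so that already expired
    certificates (negative days_left) are listed first.
    """
    due = []
    for c in certs:
        days_left = (c.not_after - today).days
        if days_left <= lead_days:
            due.append((c.name, c.storage_device, days_left))
    return sorted(due, key=lambda entry: entry[2])


# Constructed sample registers (hypothetical systems and certificate names).
SAMPLE_GRANTS = [
    AccessGrant("alice", "signing-hsm", "admin", True, True, True,
                date(2024, 12, 1), date(2025, 1, 10)),
    AccessGrant("bob", "treasury-console", "admin", True, True, False,
                date(2024, 12, 20), date(2025, 1, 14)),
    AccessGrant("carol", "wallet-backend", "reader", False, False, True,
                date(2024, 9, 1), date(2024, 10, 1)),
]

SAMPLE_CERTS = [
    CertRecord("api-tls", "software keystore", date(2025, 2, 1), "platform team"),
    CertRecord("token-signing", "HSM slot 1", date(2025, 6, 30), "security team"),
    CertRecord("legacy-tls", "software keystore", date(2025, 1, 1), "platform team"),
]

if __name__ == "__main__":
    for user, system, finding in review_access(SAMPLE_GRANTS, TODAY):
        print(f"ACCESS  {user:6} {system:18} {finding}")
    for name, device, days_left in certs_needing_renewal(SAMPLE_CERTS, TODAY):
        print(f"CERT    {name:14} {device:18} {days_left:+d} days")
```

Run as written, the review flags bob’s remote privileged console access for lacking strong authentication and carol’s dormant right for withdrawal and overdue review, while the certificate check lists the expired legacy-tls entry ahead of api-tls, which falls inside the renewal window. Keeping the two registers as structured data rather than prose is what lets an entity hand a supervisor dated evidence of periodic review and timely renewal.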
While the General CAI Security Access Protocol Guidelines exempt those in-scope entities from full compliance with DORA and NIS2 obligations and supervisory expectations, there are still a number of key implications for certain in-scope entities.
Key implications for in-scope entities
The implementation of ESMA’s General CAI Security Access Protocol Guidelines may have significant implications for certain in-scope entities as:
- Compliance and governance: in-scope entities must ensure that their governance structures are robust enough to meet the requirements of the guidelines. This includes assigning clear roles and responsibilities for ICT risk management and ensuring that the management body is actively involved in overseeing these arrangements.
- Resource allocation: in-scope entities will need to allocate sufficient resources, both in terms of budget and skilled personnel, to maintain their network and information systems and manage ICT risks effectively. This may involve hiring additional staff or providing specialised training to existing staff.
- Enhanced security measures: the guidelines necessitate the implementation of stringent physical and logical security measures. Firms will need to review and possibly upgrade their current security protocols to ensure compliance. This includes regular reviews of access rights and the implementation of strong authentication and monitoring controls.
- Cryptographic key management: effective cryptographic key management is critical. Firms must establish comprehensive procedures for managing cryptographic keys and ensure that these procedures are followed rigorously. This includes maintaining an up-to-date register of certificates and ensuring timely renewal of certificates. This is a particularly easy area for NCAs to focus their attention in assessing compliance during their periodic and ad hoc reviews.
- Reporting and documentation: in-scope entities must maintain detailed records of their security measures, access logs and cryptographic key management activities. These records will be essential for demonstrating compliance during regulator-driven audits and for investigating any security incidents. Again, this is a particularly attractive area for NCAs to focus their attention on assessing compliance during their periodic and ad hoc reviews as it also opens up supervisory dialogue overall on appropriateness of governance and risk management compliance by the in-scope entity.
In addition to the above-mentioned considerations, certain in-scope entities may need to consider the evolution and relevance of similar requirements and expectations that are being put in place across non-EU jurisdictions. Some of these may have overlapping but also possibly competing obligations, including on where certain roles, as well as overall mind and management, may need to be physically located.
In-scope entities will want to ensure that they are able to produce sufficiently detailed and well-maintained policies and procedures documents reflective of compliant processes, systems and controls.
For some in-scope entities it may also be advisable to ensure that periodic third-party administered legal and compliance audits are run to evidence satisfaction with the statutory and supervisory requirements, including where any in-scope entities also rely on contractually documented and/or other forms of intra-group and/or external outsourcing and delegation arrangements.
Timing considerations
In terms of immediate next steps, the General CAI Security Access Protocol Guidelines are set to be translated into each of the official languages of the EU and published on the ESMA website. The publication of these translations will trigger a two-month period in which NCAs must notify ESMA whether they intend to comply with the General CAI Security Access Protocol Guidelines. The General CAI Security Access Protocol Guidelines will apply from three months after the publication of the translations. However, all in-scope entities should consider getting to grips with the General CAI Security Access Protocol Guidelines’ implications earlier rather than later. This also applies to those that may look to make use of MiCAR’s overall grandfathering period(s) – again an area where national options and discretions have hardwired potential for divergence.
While MiCAR’s full operationalisation starts 30 December 2024, an 18-month transitional phase, i.e., a grandfathering period, applies until 1 July 2026, which may be relevant for those CAIs that also undertake CASP activity. These transitional measures (e.g. grandfathering and the simplified procedure) apply in those Member States that have opted in; ESMA has published this list here. Entities in participating Member States are permitted to make use of the simplified CASP authorisation procedure (in Art. 143(6) MiCAR) but must acquire an authorisation in accordance with Article 63 of MiCAR by then. This grandfathering period varies from Member State to Member State, with some having shorter periods than the full 18 months (either 6 or 12 months) and others yet to announce what they will offer. Notwithstanding this grandfathering period, the General CAI Security Access Protocol Guidelines will apply as per the timeline above, so in-scope entities making use of grandfathering will still need to assess compliance with the General CAI Security Access Protocol Guidelines.
Outlook
The implementation of ESMA’s General CAI Security Access Protocol Guidelines signifies a pivotal step towards enhancing the security and operational resilience of relevant in-scope entities. By mandating robust governance structures, stringent physical and logical security measures, and comprehensive cryptographic key management, these guidelines aim to close existing regulatory gaps and provide a clear framework for compliance. Relevant in-scope entities may wish to proactively allocate resources and adapt their internal processes to meet these new standards, ensuring that their operations remain secure and resilient in the face of evolving cyber threats. In doing so, they may also find that such compliance serves as a competitive advantage if it is appropriately disclosed as part of their whitepaper and other offering documentation.
As the EU’s regulatory landscape continues to evolve, it is crucial for in-scope entities to stay ahead of compliance obligations and leverage available transitional measures effectively. The upcoming translations and subsequent compliance notifications by NCAs will set the stage for the full application of these guidelines. Some entities may wish to use this period to thoroughly review and upgrade their security protocols, ensuring that they are well-prepared for the regulatory scrutiny that will follow.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients to navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators.
In order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 2,000 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.