Crypto.com

The European Securities and Markets Authority (ESMA) has criticised Malta’s crypto licensing process, stating that the country’s financial regulator failed to conduct a sufficiently rigorous assessment when granting a crypto asset service provider (CASP) licence under the EU’s Markets in Crypto-Assets (MiCA) regulation.

The peer review, published on 10 July, follows concerns raised in earlier closed-door discussions among EU regulators over what some described as accelerated authorisation practices by certain member states. The ESMA review focused specifically on one unnamed licensing decision by the Malta Financial Services Authority (MFSA), although Malta has issued five MiCA licences since January 2025. Companies currently operating under these licences include Bitpanda, Crypto.com, OKX, ZBX, and Okcoin Europe, the latter having received a €1.2 million fine earlier this year for compliance violations.

MiCA, which entered into force in 2025, requires firms offering crypto-related services to be licensed by a national competent authority. Once granted, these licences can be “passported” to operate across the European Union. However, ESMA has expressed concern that national variations in scrutiny could undermine the regulation’s core objective of harmonised financial supervision across the bloc.

In its report, ESMA stated that the MFSA’s authorisation process only “partially” met expected standards. It acknowledged that the MFSA has sufficient technical expertise and institutional capacity, but concluded that its pre-licensing procedures failed to properly evaluate several key risk areas. Specifically, the review noted that material concerns about the applicant firm remained unresolved at the time of authorisation. It also found that the firm’s supervisory history had not been adequately taken into account.

“The overall authorisation process should have been more thorough and conducted over a sufficient period to allow MFSA to properly assess compliance against the MiCA framework,” the review stated.

Among the ESMA recommendations were calls for increased scrutiny of business models, governance structures, IT systems, potential conflicts of interest, and any links to unregulated services. The regulator made clear that gaps in these areas pose risks not only to investors but also to the integrity of the wider EU financial system.

Although ESMA’s remit does not allow it to overrule national regulators, its findings are likely to influence regulatory practices across the Union. The review reflects broader EU concerns about regulatory arbitrage and uneven standards in the implementation of MiCA. The ability of firms to obtain a licence in one jurisdiction and operate across all 27 member states has heightened the importance of consistent pre-authorisation controls.

Malta has positioned itself as an early proponent of digital asset regulation and was among the first EU countries to establish a legal framework for crypto firms. In its response, the MFSA said it “welcomes” the review’s findings and reiterated its commitment to aligning with EU financial standards. The authority did not directly address the criticisms outlined by ESMA, but stressed its pioneering role in embracing crypto sector regulation.

Industry analysts suggest the review will prompt a reassessment of Malta’s supervisory approach. Juan Ignacio Ibañez of the MiCA Crypto Alliance noted that the tension lies in differing regulatory philosophies: “Malta has emphasised continuous post-licensing engagement, while ESMA is now pushing for more comprehensive front-loaded enforcement.”

Criticism of Malta’s regulatory posture extends beyond the crypto sector. The island’s controversial Bill 55, which prevents the enforcement of certain foreign judgments—particularly those related to the gaming industry—has raised additional concerns in Brussels about the country’s alignment with EU law. While the legislation does not affect the crypto framework directly, it has contributed to a broader climate of scepticism about Malta’s regulatory governance.

The EU’s efforts to ensure consistency in MiCA’s application are expected to intensify as more member states process licence applications. The bloc aims to avoid a fragmented approach that could compromise investor protection or financial stability, particularly in a sector known for rapid innovation and cross-border operations.

While ESMA has not called for any revocation of licences already issued in Malta, the peer review signals a clear expectation for reforms. As the MiCA framework continues to roll out, the spotlight will remain on national regulators to demonstrate that they can uphold the regulation’s intended standards.

Malta, which has marketed itself as a blockchain-friendly jurisdiction, now faces a choice: adjust its regulatory posture to meet EU expectations, or risk increased scrutiny from Brussels. The review’s implications extend beyond one member state, serving as a precedent for how MiCA compliance will be monitored and enforced throughout the Union.