The European Securities and Markets Authority (ESMA) has issued a public statement cautioning crypto-asset service providers (CASPs) about investor protection risks when offering both regulated and unregulated services. The warning comes just months after the Markets in Crypto-Assets Regulation (MiCA) entered into application across the EU.
In its July 11 statement, ESMA reminded CASPs of their duty to act fairly and professionally, in the best interest of their clients, as stipulated under Article 66 of MiCA. The agency emphasized that firms must not create confusion over which products fall under MiCA protections and which do not.
“Clients may mistakenly assume that all offerings benefit from the regulatory safeguards”
“When CASPs provide both MiCA-regulated and unregulated services, clients may mistakenly assume that all offerings benefit from the regulatory safeguards,” ESMA stated. “Such misunderstandings pose a significant risk to investor protection.”
Unregulated services do not offer MiCA safeguards such as conflict-of-interest management, complaint handling protocols, asset safeguarding, or oversight by national competent authorities. ESMA also raised concerns about a possible “halo effect” — where a firm’s MiCA authorization is misused to lend legitimacy to unrelated, unregulated products.
ESMA identified several poor practices, including the use of vague language in marketing materials, burying disclaimers in terms and conditions, and referencing regulatory status when promoting unregulated products. The agency warned that even having regulated and unregulated services listed side by side on the same platform without adequate disclosure could mislead clients.
To mitigate these risks, ESMA outlined specific do’s and don’ts for CASPs. These include:
- Do clearly state whether a product or service is regulated under MiCA in all marketing communications and at every point in the sales process.
- Do create distinct website sections and client documentation for regulated and unregulated offerings
- Do present pop-up warnings with checkbox acknowledgment before offering any unregulated product or service.
- Don’t suggest that unregulated products benefit from regulatory oversight.
- Don’t use MiCA authorization as a promotional tool in communications about unregulated offerings.
- Don’t rely solely on small print or terms and conditions to explain the lack of investor protection.
ESMA also underlined the need for transparency about which legal entity is offering each product, and for proper management of potential conflicts of interest.
The statement is part of ESMA’s broader efforts to support MiCA implementation and ensure a harmonized approach to investor protection across the EU’s fast-growing crypto markets.
ESMA Issues Final Guidelines on Staff Competence for Crypto Service Providers under MiCA
The European Securities and Markets Authority (ESMA) has published final guidelines detailing the criteria for assessing the knowledge and competence of individuals at crypto-asset service providers (CASPs) who provide information or advice under the Markets in Crypto-Assets Regulation (MiCA). These guidelines aim to enhance investor protection and establish consistent supervisory standards across the European Union.
The new framework applies to all natural persons acting on behalf of CASPs to deliver client-facing information or advice. It outlines minimum expectations for education, practical experience, and continuous professional development (CPD), and introduces differentiated standards based on whether staff give “information” or “advice.”
Under Guideline 2, staff providing information must demonstrate understanding of the crypto-assets offered by their firm, including key risks like volatility, cybersecurity, and market manipulation. ESMA suggests two minimum qualification pathways: either 80 hours of formal training plus six months of supervised experience, or one year of supervised experience alone. For ongoing competence, firms should ensure at least 10 hours of CPD per year, adjusted proportionally to the complexity of the products offered.
For staff providing advice, the standards are stricter. Guideline 3 sets out four acceptable qualification tracks, including:
A three-year tertiary degree and one year of supervised advice provision,
A three-year professional course and one year of supervised experience,
160 hours of training with one year of supervised experience,
Or two years of prior MiFID II/IDD advisory experience with six months of crypto-specific supervised activity.
CPD for advisory staff should include at least 20 hours annually, covering market developments, regulatory changes, and emerging risks.
Concern over limited investor understanding of associated risks
ESMA allows transitional flexibility for staff already active at the time of the guidelines’ application. Those with at least one year of prior full-time experience may be presumed competent, but firms are encouraged to verify this through internal appraisals or exams. However, ESMA rejected stakeholder proposals for mandatory external certification, citing the current lack of standardised exams and proportionality concerns.
Guidelines also apply to staff overseeing or designing automated or semi-automated advice tools. Those responsible for setting parameters or defining content must have sufficient knowledge to ensure that clients receive accurate and suitable information. This approach mirrors standards in other regulatory regimes like MiFID II but is tailored to the unique risks of crypto-assets.
Under Guideline 4, CASPs must clearly distinguish internal roles between staff giving advice and those giving information. Firms must regularly review and assess their internal training and supervisory processes, with management expected to evaluate effectiveness at least annually.
The guidelines respond to increasing retail access to crypto-asset services across the EU and concern over limited investor understanding of associated risks. ESMA emphasizes that crypto-assets differ significantly from traditional financial products in terms of volatility, technical complexity, and legal safeguards.
The regulator also notes that MiCA offers fewer investor protections than MiFID II — including no product governance or appropriateness testing — which heightens the need for competent staff at CASPs.
The guidelines will take effect six months after publication in all official EU languages. National competent authorities (NCAs) must notify ESMA within two months whether they intend to comply. While not legally binding, NCAs are expected to enforce the standards through supervision and regulatory integration.
ESMA acknowledges that firms may face new costs for training and compliance but argues that these are outweighed by benefits including reduced mis-selling risks, improved client outcomes, and enhanced investor trust. It estimates that compliance will involve one-off and ongoing expenses related to staff development, while contributing to supervisory convergence and fairer competition across the EU.
The final guidelines incorporate feedback from 23 respondents and the Securities and Markets Stakeholder Group (SMSG), which generally supported stricter verification and external certification. ESMA opted for flexibility instead, noting current market constraints and the importance of proportional application.
