Regulación MiCA y custodia de Bitcoin en Europa
|

MiCA and Bitcoin Custody in Europe: What Changes for High-Net-Worth Holders

Europe now has a unified regulatory framework for crypto assets. The Markets in Crypto-Assets Regulation (MiCA, Regulation EU 2023/1114) rolled out in phases: stablecoin provisions took effect in June 2024, and the core CASP (Crypto Asset Service Provider) rules went live on 30 December 2024. National transition periods vary — the Netherlands closes its window in July 2025, while some member states have until July 2026.

For anyone holding significant wealth in Bitcoin, the relevant question isn’t whether MiCA applies to them. It’s how it applies — and the answer hinges entirely on one thing: how they custody their assets.

What MiCA actually regulates

MiCA creates an authorization regime for CASPs — any entity providing crypto-related services within the European Union. Custody and administration of crypto assets on behalf of clients is one such service, classified as a Class II CASP activity.

Any firm custodying someone else’s Bitcoin in Europe now needs:

  • Authorization from its National Competent Authority (NCA) — the financial regulator in its home member state.
  • Minimum capital of €125,000 or an equivalent insurance policy (Art. 67 MiCA).
  • Client asset segregation: custodied crypto assets cannot be commingled with the firm’s own holdings or used for proprietary purposes (Art. 75).
  • Governance obligations: business continuity policies, conflict-of-interest management, and auditable IT security protocols.
  • Sub-custody rules: if the custodian delegates to a third party, it remains liable to the client.

Once authorized in one member state, a CASP can operate across the entire EU through passporting — a single registration that enables cross-border activity without separate authorizations in each country.

ESMA published supplementary guidelines in January 2026 on staff competence and training requirements for CASPs, raising the operational bar. And since March 2026, non-EU firms seeking to offer custody services to European clients must establish a subsidiary within the Union — remote operations from third-country jurisdictions no longer suffice.

Exchange custody: stronger protections, greater transparency

If a holder keeps Bitcoin on an exchange or centralized platform, MiCA brings concrete changes. Exchanges operating in Europe must obtain CASP authorization and comply with the obligations above. For the client, this translates to:

  • Mandatory segregation: your assets are ring-fenced from the exchange’s own holdings. In the event of platform insolvency, they don’t form part of the bankruptcy estate.
  • Regulated disclosure: the CASP must inform you about risks, fees, and applicable custody policies.
  • Active supervision: NCAs have the power to audit, sanction, and revoke licenses.

The trade-off is straightforward: more oversight means more reporting. Exchanges report to tax and financial authorities, and client transactions are subject to a level of traceability that previously didn’t exist uniformly across Europe.

For a HNWI or family office, this means exchange custody is now more secure in regulatory terms — but also more visible to fiscal authorities and regulators. No surprise there: MiCA aligns crypto with the supervisory regime that already governed traditional financial assets.

Self-custody: outside MiCA, but not outside the system

One of the most contested issues during MiCA’s legislative process was the treatment of unhosted wallets — wallets where the user controls their own private keys. The outcome: MiCA does not directly regulate self-custody. If you hold your own keys, you’re not a CASP, and the regulation imposes no authorization, capital, or reporting obligations on you.

Wallet software providers also fall outside the CASP definition. As the Capital Markets Law Journal (Oxford Academic) notes, the mere provision of custody software does not constitute a regulated custody service under MiCA, provided the software provider has no access to or control over user assets.

The regulatory environment around self-custody, however, has shifted. The critical friction point is the Travel Rule applied to transfers involving unhosted wallets:

  • Transfers exceeding €1,000 from an unhosted wallet to a CASP (or vice versa) require the CASP to verify the wallet holder’s identity and their relationship to the funds.
  • In practice, moving Bitcoin from a hardware wallet to a regulated European exchange triggers an additional verification process: the exchange must confirm wallet ownership.
  • Smaller amounts still fall under the Travel Rule, but verification requirements are less intensive.

The net result: self-custody remains legal and unregulated in itself, but its interaction with the regulated financial system now carries more friction. Every time your Bitcoin touches a regulated touchpoint — an exchange, a payment service, an authorized OTC desk — the Travel Rule kicks in.

For a holder with substantial wealth, this raises a practical question: how much friction are you willing to accept each time you need liquidity or want to move funds?

The Travel Rule unpacked

The Travel Rule doesn’t originate from MiCA. It comes from the Transfer of Funds Regulation (TFR, Regulation EU 2023/1113), adopted alongside MiCA and applicable since 30 December 2024. Its logic is simple: require crypto asset transfers to carry originator and beneficiary information, mirroring the regime for traditional bank transfers.

For transactions between two CASPs, information flows automatically between entities. For transactions involving unhosted wallets, the burden falls on the CASP:

  • Outgoing transfers to an unhosted wallet: the CASP must collect the beneficiary’s name (if a third party) and assess transaction risk.
  • Incoming transfers from an unhosted wallet exceeding €1,000: the CASP must verify that the originator actually controls the wallet. Accepted methods include cryptographic proof (a Satoshi test), sworn declarations, or additional documentation based on the risk profile.

There is no threshold below which the Travel Rule ceases to apply — it covers all transfers — but verification requirements intensify above €1,000.

Collaborative custody: the middle ground MiCA didn’t anticipate

MiCA was designed with two custody models in mind: centralized custody (exchanges and regulated custodians controlling client keys) and self-custody (where the user has full control). A third model doesn’t fit neatly into either category: collaborative multisig custody.

In a collaborative custody arrangement, the keys needed to move Bitcoin are distributed among multiple parties — typically the holder, a technology provider, and an independent third party (or a combination). No single party can move funds unilaterally. At least two of the three must cooperate to sign a transaction.

From a regulatory standpoint, this model has distinct characteristics:

It isn’t centralized custody. The multisig technology provider has no unilateral control over client assets. It cannot move, freeze, or seize Bitcoin on its own. This distinguishes it from an exchange or traditional custodian, where the firm controls the keys and the client depends entirely on it.

It isn’t pure self-custody. The holder doesn’t operate alone. They have a structured security framework with backups, recovery protocols, and auditability. Losing one key doesn’t mean losing funds — the multisig scheme is designed to tolerate the loss of a single key.

It’s auditable and eliminates single points of failure. As XReg Consulting notes in its analysis of custody models under MiCA, collaborative custody offers stronger IT security than pure self-custody (where a user error can be catastrophic) and centralized custody (where the firm is a concentrated attack target). Key distribution eliminates the single point of compromise.

The precise regulatory classification of collaborative custody under MiCA depends on the specific implementation and how each NCA interprets the Regulation. What’s clear is that this model addresses a real demand: wealth that wants sovereignty over its assets without assuming the full operational risk of self-custody, and without surrendering complete control to a third party.

What this means for a European holder with significant wealth

The post-MiCA regulatory map has three territories:

Model MiCA regulation Holder control Operational risk Regulatory friction
Exchange / regulated custodian Full (authorized CASP) Low — CASP controls keys Counterparty risk mitigated by regulation Low — CASP handles compliance
Self-custody None directly Total — holder controls keys High — user error = irreversible loss High when interacting with CASPs (Travel Rule)
Collaborative custody (multisig) Varies by implementation High — requires holder participation Low — redundancy and recovery Moderate — depends on operational framework

Varies by implementation | High — requires holder participation | Low — redundancy and recovery | Moderate — depends on operational framework |

For a HNWI or family office, this isn’t just a technical decision. It’s a wealth governance choice: how much control you want to retain, how much operational risk you can manage, and how much interaction with the regulated system you need.

MiCA hasn’t eliminated options. It has clarified the rules and raised the bar for intermediaries. The side effect is that models combining sovereignty with structure — like collaborative custody — become more relevant, not less.

Europe’s framework in global context

Europe is, as of today, the jurisdiction with the most comprehensive regulatory framework for crypto assets. MiCA is a directly applicable regulation across all 27 member states — it requires no national transposition, avoiding the fragmentation that has plagued other jurisdictions.

For holders with international ties, the practical implications are clear:

  • Non-EU firms wanting to offer custody to clients in the EU must establish an authorized subsidiary within the Union.
  • Passporting allows a CASP authorized in one country to operate EU-wide, simplifying provider selection.
  • Regulatory predictability under MiCA contrasts with ongoing uncertainty in the U.S. and fragmentation across Asia and Latin America, potentially making Europe a regulatory anchor for international wealth.

A wealth architecture decision

Bitcoin custody isn’t a technical problem you solve once and forget. It’s a wealth architecture decision that should be revisited as the regulatory framework evolves.

MiCA has established the baseline rules. NCAs and ESMA will continue issuing guidelines and refining implementation. Custody models that offer both sovereignty and structure — where the holder maintains control over their assets while benefiting from professional backups and auditable protocols — are positioned to meet the demands of this new environment.

At Citadel B, collaborative multisig custody enables holders and family offices to maintain control of their Bitcoin through a distributed key scheme, recovery backups, and security standards aligned with the demands of Europe’s regulatory environment. Because when it comes to Bitcoin wealth, the key is not being the only key.

Publicaciones Similares