Infrastructure considerations for MiCA compliance: what changes after July 1, 2026

July 1, 2026 is the end of the grandfathering period for crypto asset service providers operating in EU member states. The Netherlands closed their transition period in July 2025. Several member states have announced earlier deadlines.

Most MiCA content focuses on legal authorisation: entity structure, capital requirements, application timelines. Almost nothing covers where the infrastructure should sit, and why it matters to a compliance review.

Here is what infrastructure teams should have documented before July 1.

Jurisdiction: where is the hardware?

MiCA does not mandate a specific infrastructure jurisdiction. But authorising authorities will ask about operational resilience. "We run on AWS us-east-1" is a different answer to "we own the hardware in a named jurisdiction."

The question is not whether cloud infrastructure is legally compliant. It is whether the answers you give during a CASP review are auditable and defensible. Jurisdiction is auditable when the hardware is owned and physically located in a specific place.

UK-domiciled infrastructure sits outside the EU policy perimeter. The UK is not EU post-Brexit, but it operates under a separate, established regulatory framework. Hardware in Manchester, owned by the operator, is not in an unregulated grey zone.

Operational resilience

Article 74 of MiCA requires CASPs to have business continuity plans. Article 75 requires documented ICT risk management. Neither mandates bare-metal infrastructure. Both ask you to document what happens when things go wrong.

For bare-metal infrastructure across three availability zones in a single city: one datacenter goes offline and the cluster continues. Failover at the leaf switches is automatic. The etcd cluster is distributed across all three buildings. The Kubernetes control plane stays up even if one site loses power.

For cloud-hosted validators, the equivalent question is: what is your SLA if your cloud provider changes its acceptable-use policy for crypto workloads? That has happened. "We migrate" is a recoverable position. It is harder to document as a continuity plan than hardware you own.

Uptime: 99.99% SLA, justified by redundant power, networking, and compute across three locations.

Key management

Key management is where CASP reviews get specific. Regulators want to know who holds the keys, what the custody model is, and what happens if a keyholder is unavailable.

For validator operations, distributed validator technology adds a second layer: key shares distributed across independent operators, so no single operator can sign on behalf of the validator.

Fireblocks multi-sig key management means no single person holds an unencrypted key. This is auditable. It does not change based on which datacenter your validators run in.

Penetration testing by Bulletproof is on the record. Harris & Trotter LLP has independently verified financial disclosures. ISO 27001 and SOC 2 are completing in July 2026.

These are not marketing claims. They are the documentation that a compliance review will ask to see.

Physical auditability

One question that rarely comes up until it matters: if an authorising authority wants to inspect your infrastructure, what happens?

For cloud-hosted validators, the answer is that you do not own the datacenter and you cannot arrange a walkthrough. The cloud provider has its own compliance certifications, but those are the provider's certifications, not yours.

For owned bare-metal in a named facility: a physical walkthrough is available. You can show a compliance reviewer the rack. You can demonstrate which server hosts which workload.

What to ask your infrastructure provider before July 1

Whether you own your infrastructure or use a managed provider, these are the questions worth answering before July 1:

The answers matter more than the infrastructure model. But the infrastructure model determines which answers are available to you.

Working through a MiCA CASP authorisation? What has come up in your review so far?

Common questions

What does MiCA require for staking infrastructure?

MiCA Articles 74 and 75 require documented business continuity plans and ICT risk management. For staking CASPs this means: documented hardware jurisdiction, a tested failover plan if a datacenter goes offline, independent key management controls, and an auditable answer to physical inspection requests from authorising authorities.

When does the EU MiCA grandfathering period end?

The EU-wide MiCA grandfathering period ends July 1, 2026. Several member states set earlier deadlines — the Netherlands closed their transition period in July 2025. CASPs operating without authorisation after their member state's deadline face enforcement risk.

Can you run a MiCA-compliant staking operation on public cloud?

Technically yes, but cloud creates documentation gaps. Cloud-hosted validators cannot arrange a physical inspection if requested during a CASP review. Infrastructure jurisdiction follows the cloud provider's region and can change without notice. The cloud provider's compliance certifications belong to them, not the CASP.

What infrastructure documentation should a CASP prepare for MiCA?

Hardware jurisdiction documentation, a tested business continuity plan with specific failover evidence, key management architecture and custody controls, independent audit records (penetration testing, financial verification), and confirmation of physical inspection availability. ISO 27001 and SOC 2 are increasingly expected in CASP reviews.

Frequently asked questions

What does MiCA require for staking infrastructure?

MiCA Articles 74 and 75 require documented business continuity plans and ICT risk management. For staking CASPs this means: documented hardware jurisdiction, a tested failover plan if a datacenter goes offline, independent key management controls, and an auditable answer to physical inspection requests from authorising authorities.

When does the EU MiCA grandfathering period end?

The EU-wide MiCA grandfathering period ends July 1, 2026. Several member states set earlier deadlines — the Netherlands closed their transition period in July 2025. CASPs operating without authorisation after their member state's deadline face enforcement risk.

Can you run a MiCA-compliant staking operation on public cloud?

Technically yes, but cloud creates documentation gaps. Cloud-hosted validators cannot arrange a physical inspection if requested during a CASP review. Infrastructure jurisdiction follows the cloud provider's region and can change without notice. The cloud provider's compliance certifications belong to them, not the CASP.

What infrastructure documentation should a CASP prepare for MiCA?

Hardware jurisdiction documentation, a tested business continuity plan with specific failover evidence, key management architecture and custody controls, independent audit records (penetration testing, financial disclosure verification), and confirmation of physical inspection availability. ISO 27001 and SOC 2 are increasingly expected.