PRIM3 Brief #9: MiCAR Phase-2 Enforcement — What We're Seeing in Practice

The Markets in Crypto-Assets Regulation (MiCAR) Phase-2 enforcement window opened in October 2025. We're now six months in, with roughly 280 documented enforcement actions across the EU member state competent authorities, three significant fines that crossed €10M, and a meaningful number of crypto-asset service providers (CASPs) that have voluntarily exited certain EU markets rather than complete the full authorisation process.

The mainstream Web3 read on MiCAR is "Europe has crypto rules now." That framing is true and unhelpful. What matters is how the rules are being enforced in practice — which provisions are being enforced strictly, which are being interpreted permissively, and which CASP categories are facing the most pressure. PRIM3 has spent real partner time mapping this for portfolio companies operating EU-side and we want to share the operational read.

The Enforcement Pattern, Honestly

Phase-2 enforcement has been more targeted than the broad MiCAR language would suggest. The pattern across the ESMA-published actions and the national-competent-authority cases we're tracking:

Strict enforcement is concentrated in three areas. First, stablecoin issuer reserve disclosures. The reserve-attestation and audit requirements under MiCAR Titles III and IV are being enforced strictly, with multiple fines for inadequate or late attestations. Second, retail-facing marketing and customer-protection. CASP-side marketing that the competent authorities have judged misleading is being enforced quickly, with several notable actions against firms that had been operating in grey areas. Third, unauthorised CASP operations. Firms operating without the appropriate Phase-2 authorisation are being shut down or fined, particularly in jurisdictions like Germany and France where local regulators have institutional capacity.

Selectively permissive enforcement on: DEX and DeFi-protocol oversight, where the lack of a clear regulated entity has produced enforcement ambiguity that the regulators have, for now, generally left ambiguous. The "if there's no clear entity, we'll defer enforcement until the framework is clarified" approach has been the working pattern. This is a window, and a window that's likely to close in 2027, but it's the operational reality today.

Quietly intense on: cross-border passporting reviews. Firms taking advantage of MiCAR's passporting regime to operate across multiple EU member states from a single home-state authorisation are facing more rigorous home-state reviews than the headline language would imply. Several CASPs have had their passporting routes effectively delayed by 6–12 months while home-state regulators conduct extended reviews.

Where Web3 Founders Are Getting Hit

The pattern that's emerged: the firms facing the most enforcement pressure aren't the firms in the most ambitious or sophisticated categories. They're firms in operationally messy categories — retail-facing exchanges with inadequate KYC controls, stablecoin operations with reserve-attestation gaps, marketing that hasn't been updated to the MiCAR standard.

The firms operating cleanly in technically complex categories — credible tokenisation infrastructure, institutional-grade settlement, well-counselled cross-chain protocols, are largely operating without enforcement friction. The regulators have signalled, in private communications and in some public ESMA statements, that they're prioritising the operational basics before pursuing complex enforcement questions in the technical sectors.

For founders, the operational message is clear: the bar to operate in the EU under MiCAR is much more achievable than the regulation's complexity suggests, provided you do the operational basics correctly. KYC discipline, reserve attestations, marketing reviews, and CASP authorisation are the table stakes. Sophisticated technical architecture is mostly being given the benefit of the doubt for now.

What This Means For Cross-Border Strategy

The EU is becoming the cleanest place in the world to operate certain categories of Web3 infrastructure in 2026. That's a non-obvious statement and worth defending.

The combination of (a) a clear authorisation framework that, while expensive, is genuinely workable; (b) enforcement priorities focused on operational basics rather than technical sophistication; (c) the EU passporting regime that allows a single home-state authorisation to cover 27 member states; and (d) the wholesale digital euro work that we covered in PRIM3 Brief #3, is producing a meaningfully attractive operating environment for institutional-grade Web3.

What we're seeing in our portfolio: founders we'd have advised, two years ago, to be U.S.-centric or Singapore-centric are increasingly opening EU-side operations as a primary jurisdiction. The cost-benefit has shifted. The EU is no longer the "we'll get to it eventually" jurisdiction; it's becoming the "we'll get authorised here first" jurisdiction for several categories.

This is particularly true for tokenized RWA founders, institutional stablecoin issuers, and CASPs focused on regulated trading venues. It's less true for DeFi-protocol-focused founders, where the EU's wait-and-see stance on protocol-level regulation is creating its own kind of policy risk.

The Practical Operating Playbook

For portfolio founders considering EU operations, PRIM3's working playbook in 2026:

Pick your home state deliberately. The national competent authorities have meaningfully different operational styles. Ireland, Luxembourg, Lithuania, and France have established themselves as workable for institutional-grade crypto firms. Germany is rigorous and slow. Spain and Italy are mid-tier on speed. Choose the home state based on institutional fit, not just on perceived friendliness — a fast home-state authorisation that doesn't fit your business will produce passporting friction later.

Build compliance infrastructure as part of the product, not as overhead. The firms operating successfully under MiCAR are the ones where compliance is engineered into the product (KYC automation, transfer-restriction tooling, attestation systems) rather than retrofitted as a separate team. The operational cost is roughly 40–60% lower for the engineered-in approach over the multi-year horizon.

Engage with the national competent authority pre-application. The regulators are generally receptive to firms that engage them before the formal application is filed. The pre-application conversations help calibrate the application content and avoid common rejection patterns. This is standard regulatory practice in the EU and is underutilised by Web3 founders.

Plan for ~9–14 months from initial application to operational authorisation in 2026. This is meaningfully longer than the official timeline. The regulators are honest about the queue length in private; firms that plan around a 6-month timeline end up cash-stressed.

What We're Seeing In Portfolio

Two of our portfolio companies have completed Phase-2 authorisation; a third is in mid-application. The pattern from the completed ones: the application work was substantial (3–5 FTE-months of focused work) but the regulators were workable and constructive when engaged early. The total all-in cost (legal + operational + advisory) for a clean authorisation in a competent home state has been roughly €600K–€1.2M for institutionally serious applications. That's expensive but tractable.

The pattern from firms that have stayed out of MiCAR: most of them are protocol-level DeFi plays where the CASP designation doesn't cleanly apply, or US-centric firms making the strategic decision that EU exposure isn't worth the operational lift. Both are defensible positions; neither is universal.

Where We're Allocating

PRIM3 is overweight on institutional-grade EU-jurisdictional plays in 2026, particularly tokenized RWA infrastructure and credible stablecoin issuers. We're balanced-weight on EU-focused CASPs where the team has institutional regulatory experience. We're underweight on EU-focused plays without serious compliance investment — the regulation is workable but unforgiving for amateur execution.

If you're operating or considering EU operations and want to compare notes on the enforcement landscape, pitch us via prim3.vc.