MiCA regulation in Portugal: Licensing, implementation, and what crypto firms need to know

Share:

General Counsel

Sep 02, 2025

5 min. read

MiCA regulation in Portugal: Licensing, implementation, and what crypto firms need to know

Share:

MiCA regulation in Portugal: Licensing, implementation, and what crypto firms need to know

In this article

Europe’s crypto market surged past €250 billion in 2023, yet until recently, it operated under fragmented rules across Member States. Now, the Markets in Crypto-Assets Regulation (MiCA) aims to centralise the framework—but Portugal’s path remains uniquely unsettled.

In this article, I’ll guide you through MiCA’s direct applicability, Portugal’s implementation status, the fallback transitional regime, and the exact steps you need to prepare for licensing once Lisbon enacts its national law. Let’s break down what every crypto firm in Portugal must know to stay compliant and competitive.

National implementation status in Portugal

You’ll notice Portugal hasn’t yet adopted the national diploma needed to kick off MiCA licensing. As of January 3, 2025, the Banco de Portugal confirmed it currently lacks the power to receive or assess MiCA licence applications—so you’re in a holding pattern until implementing legislation arrives.

Transitional regime under MiCA’s default fallback

Let’s break down what happens if Portugal doesn’t shorten its grandfathering. Under Article 143(3), any Virtual Asset Service Provider (VASP) registered by December 30, 2024 enjoys an 18-month window—until July 1, 2026—to secure full MiCA authorisation, or else must cease operations.

Licensing requirements upon national law enactment

When Portugal finally enacts its MiCA Implementing Act and names a National Competent Authority (NCA), you’ll need full authorisation under Articles 59–62. Prepare to submit a comprehensive dossier covering everything from your business model to your disaster-recovery plans.

ComponentDescription
Program of ActivitiesBusiness model overview, service types, and target markets.
Governance & Fit & ProperOrganigram, board roles, compliance officer CVs, integrity declarations.
Risk Management & AML/CFTKnow Your Customer/Customer Due Diligence (KYC/CDD) policies, transaction monitoring, Travel-Rule compliance aligned with Portuguese AML law.
Technical & Operational ResilienceICT-system architecture diagrams, cybersecurity measures, business-continuity/disaster-recovery plans.
Prudential ResourcesTiered own funds (€50 000–€150 000), client-asset segregation, and cold-wallet insurance.
White Paper & Disclosure (for ARTs/EMTs)Standardised disclosures on asset-referenced tokens (ARTs) and e-money tokens (EMTs): rights, fees, governance, and risk factors.
Supporting DocumentsCorporate incorporation papers, audited financial statements, and professional-indemnity insurance.
Components of a MiCA authorisation dossier

Key dates and expected milestones

I know it feels like a lot, so here’s a quick timeline you can trust. These milestones will help you map your compliance journey and avoid last-minute scrambles.

DateMilestone
30 June 2024Asset-referenced tokens (ARTs) and e-money tokens (EMTs) provisions apply EU-wide.
30 December 2024Full Crypto-Asset Service Provider (CASP) regime applies—Portugal still awaits its Implementing Act.
3 January 2025Banco de Portugal confirms no authority yet to grant MiCA licences.
1 July 2026End of the 18-month fallback; any un-authorised VASPs must cease operations.
TBC 2025/2026Expected enactment of Portugal’s MiCA Implementing Act and designation of the national competent authority.
Key dates and expected milestones

What crypto firms in Portugal need to know

Here’s the bottom line: you don’t have to wait for the law to be hammered out before getting ready. Start now on these nine action items to stay ahead of the curve:

  1. Monitor National Legislation – Track the draft Implementing Act to understand licensing details and any potential shortened transition.
  2. Verify Registration Status – Confirm your VASP status under Law 83/2017 and Notice 3/2021 by December 30, 2024.
  3. Prepare Your Authorisation Dossier – Draft all sections (see Table 1) now to accelerate your application.
  4. Align AML/CFT & Travel-Rule Systems – Upgrade KYC/CDD, monitoring tools, and reporting workflows to meet both MiCA and Portuguese AML law.
  5. Strengthen Governance & Controls – Finalise your organigram, appoint your compliance lead, and document fit & proper attestations.
  6. Bolster Technical Resilience – Run penetration tests, implement ICT redundancy, and update your business-continuity plans.
  7. Plan Capital & Safeguards – Secure the required own funds, budget for supervisory fees, and arrange cold-wallet insurance plus professional indemnity.
  8. Leverage EU Passporting – Once authorised, use MiCA’s single-passport mechanism to expand into other EU markets without extra national licences.
  9. Prepare for Enforcement – Remember: MiCA breaches can incur fines up to 5 % of turnover or €5 million. Have a rapid incident-response protocol in place.

Streamline MiCA compliance with CyberUpgrade

Meeting MiCA’s rigorous requirements—from whitepaper filings to ongoing governance and transparency—often means endless manual tracking and audit prep. CyberUpgrade automates your MiCA workflows with prebuilt templates and real-time Slack or Teams prompts, keeping policies, risk assessments, and evidence audit-ready in one central hub.

Beyond MiCA, CyberUpgrade also supports DORA, ISO 27001, and NIS 2 frameworks, letting you “map once, prove many” across multiple regulations. Automated data extraction, vulnerability scans, and KPI dashboards feed each regulator’s portal seamlessly, reducing manual work by up to 80 %.

With fractional CISO services guiding your continuous monitoring and customizable compliance workflows, you’ll secure faster approvals, avoid fines, and adapt as MiCA and related frameworks evolve—turning compliance from a hurdle into a strategic advantage.

Ready for takeoff once Lisbon signs off?

By confirming your VASP registration, drafting your MiCA-ready dossier, and fortifying your AML/CFT, governance, and technical frameworks, you’ll nail this transition window. Think of this period as your runway: get everything prepped early, and you’ll be ready to launch the moment Lisbon signs off.

If you’ve got questions on your dossier or want to discuss how MiCA impacts your specific business model, reach out to CyberUpgrade—we’re here to help!

Share this article

Post on Linkedin
Post on Facebook
Post on X

How useful was this post?

0 / 5. 0

General Counsel

He is regulatory compliance strategist with over a decade of experience guiding fintech and financial services firms through complex EU legislation. He specializes in operational resilience, cybersecurity frameworks, and third-party risk management. Nojus writes about emerging compliance trends and helps companies turn regulatory challenges into strategic advantages.
  • DORA compliance
  • EU regulations
  • Cybersecurity risk management
  • Non-compliance penalties
  • Third-party risk oversight
  • Incident reporting requirements
  • Financial services compliance

Explore further