Europe’s crypto market surged past €250 billion in 2023, yet until recently, it operated under fragmented rules across Member States. Now, the Markets in Crypto-Assets Regulation (MiCA) aims to centralise the framework—but Portugal’s path remains uniquely unsettled.
In this article, I’ll guide you through MiCA’s direct applicability, Portugal’s implementation status, the fallback transitional regime, and the exact steps you need to prepare for licensing once Lisbon enacts its national law. Let’s break down what every crypto firm in Portugal must know to stay compliant and competitive.
National implementation status in Portugal
You’ll notice Portugal hasn’t yet adopted the national diploma needed to kick off MiCA licensing. As of January 3, 2025, the Banco de Portugal confirmed it currently lacks the power to receive or assess MiCA licence applications—so you’re in a holding pattern until implementing legislation arrives.
PRO TIP
Engage your legal counsel or crypto trade association early to review draft bills and public consultations. Your feedback can help shape the final regime.
Transitional regime under MiCA’s default fallback
Let’s break down what happens if Portugal doesn’t shorten its grandfathering. Under Article 143(3), any Virtual Asset Service Provider (VASP) registered by December 30, 2024 enjoys an 18-month window—until July 1, 2026—to secure full MiCA authorisation, or else must cease operations.
PRO TIP
Double-check your VASP registration under Law 83/2017 and Bank of Portugal Notice 3/2021 by December 30, 2024. Missing that cutoff means you can’t lawfully continue past mid-2026.
Licensing requirements upon national law enactment
When Portugal finally enacts its MiCA Implementing Act and names a National Competent Authority (NCA), you’ll need full authorisation under Articles 59–62. Prepare to submit a comprehensive dossier covering everything from your business model to your disaster-recovery plans.
Component | Description |
Program of Activities | Business model overview, service types, and target markets. |
Governance & Fit & Proper | Organigram, board roles, compliance officer CVs, integrity declarations. |
Risk Management & AML/CFT | Know Your Customer/Customer Due Diligence (KYC/CDD) policies, transaction monitoring, Travel-Rule compliance aligned with Portuguese AML law. |
Technical & Operational Resilience | ICT-system architecture diagrams, cybersecurity measures, business-continuity/disaster-recovery plans. |
Prudential Resources | Tiered own funds (€50 000–€150 000), client-asset segregation, and cold-wallet insurance. |
White Paper & Disclosure (for ARTs/EMTs) | Standardised disclosures on asset-referenced tokens (ARTs) and e-money tokens (EMTs): rights, fees, governance, and risk factors. |
Supporting Documents | Corporate incorporation papers, audited financial statements, and professional-indemnity insurance. |
PRO TIP
Draft your white papers and governance attestations now. Iterating early with advisors will smooth the eventual application process.
Key dates and expected milestones
I know it feels like a lot, so here’s a quick timeline you can trust. These milestones will help you map your compliance journey and avoid last-minute scrambles.
Date | Milestone |
30 June 2024 | Asset-referenced tokens (ARTs) and e-money tokens (EMTs) provisions apply EU-wide. |
30 December 2024 | Full Crypto-Asset Service Provider (CASP) regime applies—Portugal still awaits its Implementing Act. |
3 January 2025 | Banco de Portugal confirms no authority yet to grant MiCA licences. |
1 July 2026 | End of the 18-month fallback; any un-authorised VASPs must cease operations. |
TBC 2025/2026 | Expected enactment of Portugal’s MiCA Implementing Act and designation of the national competent authority. |
PRO TIP
Plug these dates into your team’s shared calendar and set automated alerts at the 3-month, 1-month, and 1-week marks.
What crypto firms in Portugal need to know
Here’s the bottom line: you don’t have to wait for the law to be hammered out before getting ready. Start now on these nine action items to stay ahead of the curve:
- Monitor National Legislation – Track the draft Implementing Act to understand licensing details and any potential shortened transition.
- Verify Registration Status – Confirm your VASP status under Law 83/2017 and Notice 3/2021 by December 30, 2024.
- Prepare Your Authorisation Dossier – Draft all sections (see Table 1) now to accelerate your application.
- Align AML/CFT & Travel-Rule Systems – Upgrade KYC/CDD, monitoring tools, and reporting workflows to meet both MiCA and Portuguese AML law.
- Strengthen Governance & Controls – Finalise your organigram, appoint your compliance lead, and document fit & proper attestations.
- Bolster Technical Resilience – Run penetration tests, implement ICT redundancy, and update your business-continuity plans.
- Plan Capital & Safeguards – Secure the required own funds, budget for supervisory fees, and arrange cold-wallet insurance plus professional indemnity.
- Leverage EU Passporting – Once authorised, use MiCA’s single-passport mechanism to expand into other EU markets without extra national licences.
- Prepare for Enforcement – Remember: MiCA breaches can incur fines up to 5 % of turnover or €5 million. Have a rapid incident-response protocol in place.
PRO TIP
Form a cross-functional MiCA task force now—bringing together legal, compliance, IT, and finance—to streamline decisions and avoid silos.
Streamline MiCA compliance with CyberUpgrade
Meeting MiCA’s rigorous requirements—from whitepaper filings to ongoing governance and transparency—often means endless manual tracking and audit prep. CyberUpgrade automates your MiCA workflows with prebuilt templates and real-time Slack or Teams prompts, keeping policies, risk assessments, and evidence audit-ready in one central hub.
Beyond MiCA, CyberUpgrade also supports DORA, ISO 27001, and NIS 2 frameworks, letting you “map once, prove many” across multiple regulations. Automated data extraction, vulnerability scans, and KPI dashboards feed each regulator’s portal seamlessly, reducing manual work by up to 80 %.
With fractional CISO services guiding your continuous monitoring and customizable compliance workflows, you’ll secure faster approvals, avoid fines, and adapt as MiCA and related frameworks evolve—turning compliance from a hurdle into a strategic advantage.
Ready for takeoff once Lisbon signs off?
By confirming your VASP registration, drafting your MiCA-ready dossier, and fortifying your AML/CFT, governance, and technical frameworks, you’ll nail this transition window. Think of this period as your runway: get everything prepped early, and you’ll be ready to launch the moment Lisbon signs off.
If you’ve got questions on your dossier or want to discuss how MiCA impacts your specific business model, reach out to CyberUpgrade—we’re here to help!