MiCA Regulation and AI in Crypto-Asset Services: What CASPs Must Document
The EU MiCA Regulation, Regulation (EU) 2023/1114, fully applicable from December 30, 2024, imposes conduct of business, governance, and record-keeping obligations on crypto-asset service providers (CASPs). AI systems used in algorithmic order execution (Article 72), market abuse surveillance (Articles 87-92), and customer suitability assessment (Articles 79-81) are subject to MiCA's 5-year record retention, best execution documentation, and market integrity requirements. For CASPs that are financial entities, MiCA interacts with DORA (ICT resilience) and the EU AI Act (high-risk AI documentation).
MiCA Record-Keeping for AI Decisions (Article 68)
MiCA Article 68 requires CASPs to maintain records of all services, activities, and transactions for 5 years in a form allowing competent authorities to reconstruct each decision. For AI-assisted decisions, this means per-decision records with: client or counterparty identifier, all inputs the AI processed, AI output (recommendation, score, routing decision), model version active at decision time, and timestamp. Re-running a current model on historical inputs does not satisfy Article 68 if the model has been updated — the record must capture the decision as it was made, with the model that made it. Five-year retention is the binding constraint for CASP AI documentation, stricter than EU AI Act Article 12 logging requirements.
Algorithmic Order Execution AI: Article 72 Best Execution
MiCA Article 72 requires CASPs executing orders to take sufficient steps to achieve the best possible result for clients, considering price, cost, speed, and likelihood of execution. For AI order routing systems, compliance requires: documenting the best execution policy including how the algorithm weights execution factors; capturing per-order execution records with routing decision, venue, fill quality, and latency; monitoring AI execution performance against the stated policy; and documenting any material changes to the execution algorithm with validation before deployment. ESMA RTS under MiCA will specify execution quality reporting requirements, drawing on MiFID II Article 27 precedent. Kill-switch and circuit-breaker controls are required for systematic algorithmic trading, with annual testing documentation.
Market Abuse Surveillance AI: Articles 87-92
MiCA prohibits insider dealing, market manipulation, and unlawful disclosure for crypto-assets admitted to trading. CASPs must implement arrangements to detect and report suspicious transactions and orders under Article 91. For AI surveillance systems, required documentation includes: detection methodology for each alert type (insider trading patterns, layering/spoofing, wash trading, pump-and-dump), threshold calibration rationale with false positive rate analysis, per-alert investigation records (alert triggered, investigation outcome, STR filed or not filed with documented basis), annual validation against known manipulation patterns, and model version change history. Regulators examine STR quality — systems with very high alert volumes and very low STR rates trigger questions about threshold calibration and surveillance AI fitness.
Customer Suitability and Appropriateness AI: Articles 79-81
MiCA Articles 79-81 require CASPs to assess client suitability (portfolio management) and appropriateness (execution services) before proceeding. For AI-assisted assessments, per-customer records must capture: all data collected for the assessment, AI output (recommendation or score), model version at assessment time, and any client override of an AI warning. Article 80 requires CASPs to warn clients when appropriateness thresholds are not met — capturing client acknowledgment of AI-generated warnings satisfies the audit trail requirement. Suitability assessments must be periodically refreshed — the re-assessment cadence and triggering conditions must be documented.
MiCA, DORA, and EU AI Act: Coordinated Compliance for CASPs
CASPs that are financial entities face three frameworks simultaneously. MiCA addresses conduct of business and market integrity: 5-year records, best execution documentation, market abuse surveillance, and suitability assessment. DORA addresses ICT operational resilience: AI model providers as ICT third parties requiring TPRM, behavioral drift as a potential ICT incident, and resilience testing. The EU AI Act addresses AI-specific accountability for high-risk AI: Annex IV technical documentation, the Article 9 risk management system, and Article 14 human oversight. A unified documentation approach (per-decision records with inputs/outputs/model version, behavioral baseline monitoring, change management, and human oversight logs) satisfies core requirements across all three. MiCA's 5-year retention obligation is the binding constraint on record duration.