The 5 new guidelines for implementing MiCA in Spain
The National Securities Market Commission (CNMV) has confirmed to the European Securities and Markets Authority (ESMA) its adherence to five new fundamental guidelines for the implementation of the MiCA (Markets in Crypto-Assets) Regulation in Spain. This step marks a decisive advance towards a more harmonized regulation of the crypto ecosystem in Europe, raising standards of investor protection, cybersecurity, and operational transparency.
Below is a summary of these five key guidelines that will lay the foundation for a safer and more reliable crypto-asset market in Spanish territory.
1. Suitability requirements and periodic account statements for portfolio management
Inspired by the MiFID II framework, this first guideline establishes that Crypto-Asset Service Providers (CASPs) must ensure that the products they offer are suitable for each client. To do this, data must be collected on their knowledge, experience, objectives, and financial situation, updated at least every two years.
In addition, CASPs will have to issue periodic reports detailing the evolution of the client’s portfolio, including transactions carried out, fees, and profitability. These reports must be available in a durable electronic format, thus guaranteeing their conservation and consultation.
The qualification of personnel is another central pillar: the teams involved must have specific training and technical skills in crypto-assets, given the high volatility of the sector.
2. Transparency in asset transfers
This guide focuses on the crypto-asset transfer service, reinforcing information requirements before and after each transaction. CASPs must provide the client with clear data on the blockchain used, execution times, fees, and cancellation conditions.
For each transfer, individualized information will be required, such as blockchain addresses, fees applied, and necessary confirmations, free of charge at least once a month. In addition, mechanisms must be established to manage errors, rejections, or returns, always informing the client of the reason and possible actions to take.
As a recommended practice, companies are encouraged to offer educational materials that help users understand the risks associated with crypto transfers.
3. Classification of crypto-assets
The third guideline introduces standardized tools such as flowcharts and templates to facilitate the classification of crypto-assets under MiCA. This will help determine whether it is a utility token, an asset-referenced token (ART), or an electronic money token (EMT).
In addition, specific formats are provided for the whitepapers required by MiCA and legal opinions that must be submitted before the application for admission to trading. The objective is to ensure a coherent and uniform interpretation throughout the EU from the product design stage, thus strengthening legal certainty.
4. Attracting Clients from Third Countries.
MiCA establishes a clear framework on how companies from outside the EU can (or cannot) attract European clients. According to the new guidelines, attracting clients will be understood as any activity of promotion, advertising, or offering of services—whether through traditional or digital means—aimed at users within the Community territory.
This includes everything from social media ads to affiliate campaigns or influencer posts. Even generic branded content may be considered attraction if it impacts the European market.
National authorities will evaluate each case and, if they detect attraction, the company must cease its activities or apply restrictions such as geographic blocking. Educational content will not be considered attraction, as long as it does not directly or indirectly promote the company’s services.
5. Security and access protocols
The last guideline revolves around technological protection. Here, ESMA highlights the importance of applying security measures proportional to the size and risk level of the company. Organizations must establish robust ICT risk management policies, with clearly defined responsibilities, trained personnel, and adequate resources.
Key requirements include:
- Physical security in sensitive facilities.
- Logical access control based on roles, strong authentication, and continuous monitoring.
- Secure management of cryptographic keys, from creation to destruction, including storage, backup, and renewal.
These rules seek to minimize vulnerabilities in critical infrastructures of the crypto ecosystem and protect both operators and users.
What do these new guidelines imply?
ESMA’s guidelines represent a significant regulatory challenge, especially for companies operating in multiple jurisdictions. To comply with MiCA and obtain the necessary authorization to provide services in Europe, it will be essential to adapt not only the technical and operational infrastructure but also the internal compliance and governance procedures.
This will require specialized advice, continuous training plans, and a thorough review of security and transparency systems. The good news is that, if implemented correctly, these guidelines will not only protect investors but will also contribute to consolidating a more robust, competitive, and secure European crypto market.
At Letslaw we are experts in blockchain and cryptocurrencies. If you need legal advice for Fintech companies, do not hesitate to contact us.
Letslaw es una firma de abogados internacionales especializada en el derecho de los negocios.
More from my site
MiCA Regulation: current obligations for entities that are not issuers of asset-referenced tokens
MiCA is now applicable for e-money tokens and asset referenced tokens, next steps?
New developments in cryptoasset advertising
Delegated Regulation (EU) 2024/1506 MICA: Classification of Asset-Referenced Tokens and Electronic Money Tokens
Requirements for Crypto-Asset service providers under the new MiCA Regulation
Regulation on Crypto Assets Markets: MiCA