Dual Licensing in Crypto: When MiCA Is Not Enough, Are We Asking the Right Questions?

Many CASPs are discovering, often too late, that their services qualify as payment services under PSD2. MiCA alone is not sufficient. The structural overlap between MiCA and the payment services framework is one of the most consequential edge cases in European crypto regulation, and the supervisory truce that masked it for nine months ended on March 2, 2026.

The Edge Case Hidden in Plain Sight

MiCA was designed to be the single rulebook for crypto-asset services in the EU. That was the political promise. The technical reality, eighteen months into enforcement, is that MiCA is the single rulebook for crypto-asset services that are exclusively crypto-asset services. The moment a CASP's activities cross into payment services territory, a second regulatory framework activates, and that framework is PSD2 today and PSD3 from late 2027 or 2028.

This is not a theoretical overlap. It is structural. The European Banking Authority acknowledged in its February 12, 2026 Opinion that any single financial activity should fall under one law. Yet both MiCA and PSD2 now govern stablecoin custody and transfer services where those services constitute payment services under PSD2's definition. The result is redundant supervision that doubles capital requirements and compliance costs without improving consumer protection. It also forces founders to confront a question many of them did not realize they needed to answer: is my crypto-asset service also a payment service?

For the population of companies operating in MiCA's grey zone, dual licensing is the question that arrives second, after the CASP authorization question itself. It arrives quietly, often during legal review of an existing MiCA application, and it arrives with significant operational and capital implications.

The real question is not whether PSD2 (and soon PSD3) becomes relevant for your business. For most CASPs handling EMTs in custody, transfer, or exchange capacities, it already is. The real question is at what stage payment services regulation will impact your operations, and how the structure you are building today will accommodate it.

The Legal Anchor: Why MiCA and PSD2 Inevitably Overlap

The structural overlap is not the result of regulatory accident. It is built into the text of MiCA itself. Three articles tie the framework together:

• MiCA Article 48(2): E-money tokens are explicitly classified as electronic money. This is the foundational equivalence. An EMT is not analogous to electronic money. It is electronic money.
• PSD2 Article 4(25): The definition of funds includes electronic money. Combined with MiCA Article 48(2), this means EMTs are funds for PSD2 purposes. Any service that involves moving funds on behalf of clients is potentially a payment service.
• MiCA Article 70(4): A CASP may provide payment services related to the crypto-asset services it offers, either directly or through a third party, provided that the entity actually performing those payment services is authorized under PSD2. This is the legal basis for both direct dual authorization and the partnership model.

The practical implication of this legal architecture is that holding EMTs in a custodial wallet that allows clients to send and receive is functionally equivalent to operating a payment account holding electronic money. Issuing a custodial wallet address that accepts EMTs is, in payment services terms, comparable to issuing an IBAN. The activities that have always required a payment institution license when performed with euros now require the same authorization when performed with EMTs. The framework is not new. The recognition of where it applies is.

The Trigger Points: When Crypto Services Become Payment Services

The EBA's June 2025 No Action Letter and February 2026 Opinion together identified the specific activities where the boundary between crypto-asset services and payment services dissolves. Three categories carry the most direct risk:

1. Custody and Administration of E-Money Tokens (EMTs)

When a CASP holds EMTs on behalf of clients, the activity walks straight into PSD2's safeguarding regime. EMTs are, by MiCA's own classification, electronic money. Custody of electronic money on behalf of clients is what payment institutions and electronic money institutions do. The MiCA authorization permits custody of crypto-assets generally. PSD2 requires safeguarding obligations under Article 10 specifically when those crypto-assets are EMTs and the custody relationship resembles e-money custody. Until March 2, 2026, the EBA explicitly told national competent authorities not to enforce Article 10 of PSD2 against CASPs in this position. After March 2, 2026, that supervisory tolerance ended.

2. Transfer Services Involving EMTs Between Users or Accounts

Moving EMTs between user accounts on a CASP platform looks operationally identical to executing a payment transaction. The user instructs the platform, the platform debits one account and credits another, the transaction settles. PSD2 calls this an execution of payment transactions service. MiCA calls this a transfer service for crypto-assets under Article 82. Both regimes claim jurisdiction. The EBA's confirmation that custody and transferring stablecoins on behalf of clients is a payment service under PSD2 closed the argument that this could be characterized as crypto-only activity.

One interpretive point in the EBA Opinion deserves specific attention: the language can be read to capture both third-party transfers and first-party transfers. A user moving EMTs from their CASP-held custodial wallet to their own self-custody wallet may, on this reading, qualify as a payment transaction. The decisive factor is not who the counterparty is. It is the act of transferring EMTs out of the custodial wallet, which resembles the execution of a payment transaction under PSD2. CASPs offering custodial wallet functionality supporting outbound EMT transfers should design on the assumption that PSD2 may apply, not on the assumption that first-party movement is exempt.

3. Business Models That Resemble Execution of Payment Transactions

This is the broadest and most uncertain trigger. A CASP providing on-and-off ramp services between fiat and EMTs, a CASP issuing a card product backed by stablecoin balances, a CASP enabling merchant settlement in stablecoins for euro-denominated goods and services, a CASP whose users primarily hold stablecoins to make payments rather than to invest — all of these business models look more like payment services than like crypto-asset services in their economic substance. The EBA's substance-over-form approach in the February 2026 Opinion makes clear that the label on your activity does not determine its regulatory treatment. The function does.

What Stays Outside PSD2: The Activities That Remain MiCA-Only

The mirror image of the trigger points is at least as useful for founders trying to self-locate. Several EMT-related service models remain firmly within MiCA's scope alone, with no PSD2 obligation attached:

• Exchange of EMTs for funds or other crypto-assets using the CASP's own proprietary capital, where no client funds are moved on behalf of users.
• Intermediation of crypto purchases involving EMTs for investment or trading purposes, where the EMTs serve as the buy-side currency rather than the payment medium.
• Custody of EMTs in wallets that do not support outbound transfers. If the wallet is structured to receive and hold but not to transfer, the resemblance to a payment account dissolves.
• Execution of orders on behalf of clients where the order is filled internally without movement of funds out to third parties or external addresses.
• Reception and transmission of orders for crypto-assets, advice on crypto-assets, and portfolio management on crypto-assets, all of which sit comfortably within MiCA's authorisation scope.
• Operation of a trading platform for crypto-assets, including EMT pairs, where the platform does not hold client funds in payment-account-like structures.

The Timeline: How We Got Here, Where We Are Now

The dual licensing question moved through three distinct phases since MiCA's full application:

• December 2024: The European Commission wrote to the EBA flagging the overlap between MiCA and PSD2 for CASPs handling EMTs. The Commission did not resolve the question. It asked the EBA to clarify how it should be supervised.
• June 10, 2025: The EBA published its No Action Letter (NAL), introducing a nine-month transition period during which national competent authorities were advised not to enforce PSD2 authorization requirements for EMT-related services. The NAL did not remove the underlying legal overlap. It deferred enforcement.
• February 12, 2026: The EBA published its follow-up Opinion, signaling the end of supervisory tolerance and setting out three clear outcomes for CASPs after the transition period.
• March 2, 2026: The NAL transition period expired. From this date, CASPs engaging in EMT-related activities that qualify as payment services must either be authorized under PSD2, operate through an authorized payment service provider, or cease the relevant activities.
• November 27, 2025: The European Parliament and Council reached provisional political agreement on PSD3 and the Payment Services Regulation (PSR). The agreed compromise texts were published April 23-24, 2026. PSD3 introduces a simpler authorization application process for providers already licensed under MiCA, but explicitly preserves two-license outcomes for certain business models.

The Three Outcomes Under the February 2026 Opinion

The EBA's February 2026 Opinion gave national competent authorities a clear framework for handling the post-March 2 enforcement landscape. The three supervisory outcomes are:

• Outcome 1: CASPs with existing PSD2 authorization. Where a CASP has already obtained PSD2 authorization as a payment institution or electronic money institution, or operates via an authorized PSP, it may continue EMT payment services within the scope of that authorization. France's five EMT issuers all sit here, having obtained both MiCA and payment services authorizations.
• Outcome 2: CASPs with pending PSD2 applications. CASPs that submitted a complete PSD2 authorization application before March 2, 2026, where the NCA has not yet decided on the application and the CASP actively cooperates with the NCA, may continue EMT-related payment services while the application is pending.
• Outcome 3: CASPs without PSD2 authorization or pending application. NCAs are advised to require these CASPs to cease EMT-related payment services immediately. Continued activity exposes the firm to enforcement, including business cessation measures and customer offboarding orders.

The Opinion's force is supervisory rather than legislative. It does not change MiCA or PSD2 directly. It tells NCAs how to interpret and enforce the existing legal overlap. The dual licensing trap contravenes EU principles of proportionality, legal clarity, and consistency. The Opinion does not resolve those tensions. It manages them while PSD3 negotiations proceed in parallel.

The Real Cost: What Dual Licensing Actually Requires

The capital and compliance burden of holding both authorizations is substantial:

• MiCA CASP minimum capital: €50,000 to €150,000 depending on service scope, with €125,000 applying to most CASPs handling EMTs.
• PSD2 payment institution minimum capital: €20,000 to €125,000 depending on payment service category, with €125,000 applying to electronic money issuance and execution of payment transactions.
• Combined minimum capital: approximately €250,000 for a CASP-plus-EMI structure handling EMT payment services. This figure represents the floor, not the realistic operational requirement.
• Operational compliance: Two parallel governance frameworks, two safeguarding regimes (MiCA's client asset segregation plus PSD2's Article 10 fund safeguarding), two reporting structures, two supervisory relationships, two audit cycles, and two sets of fit-and-proper management requirements.
• Total compliance overhauls for smaller CASPs averaged €2.1 million after enforcement actions in 2025. For a dual-licensed entity, the figure scales proportionally.

The structural questions are at least as important as the capital ones. Two regulators, one activity — conflicts of interpretation are common, particularly in the early implementation period. MiCA supervisors and payment services supervisors may sit in the same NCA but apply different standards. Dual licensing typically requires either a single legal entity with both authorizations under unified governance, or a group structure where the CASP and the EMI/PI sit as separate licensed entities with intercompany service agreements.

The Emerging Models: How CASPs Are Actually Structuring This

With March 2, 2026 now behind us, three structural patterns have become visible in the market:

Model 1: Direct Dual Authorization

The CASP obtains both MiCA and PSD2 authorizations under a single legal entity, typically in a jurisdiction where the same NCA handles both or where the two NCAs coordinate effectively. France has emerged as the dominant jurisdiction for this model. The ACPR (payment services) and AMF (CASP) ran industry working groups from 2023-2024, producing aligned guidance and predictable timelines. Circle obtained EMI authorization from the ACPR in 2024, allowing Circle France to issue both USDC and EURC under MiCA's electronic money token framework. France's five EMT issuers all sit here, all hold both authorizations, and all benefit from passporting across the EU from a single base.

Model 2: Group Structure with Separate Licensed Entities

A CASP and an EMI or PI sit as separate legal entities within the same group, each holding its own authorization. The CASP performs crypto-asset services. The EMI or PI handles payment services activities including EMT custody and transfers that qualify under PSD2. Intercompany agreements define how clients are onboarded, how assets flow, and how each entity bears its own regulatory liability. This model adds operational complexity but reduces single-entity supervisory load and allows different jurisdictions for the two licenses if that aligns with strategy.

Model 3: Partnership with an Authorized PSP

The CASP retains its MiCA authorization but partners with an already-licensed payment institution or electronic money institution to handle the regulated payment services component. This is the dominant pattern for smaller CASPs that cannot bear the capital and operational cost of dual licensing themselves. It is also the only realistic path for CASPs without an in-progress PSD2 application as of March 2, 2026, because direct authorization can no longer be obtained in time.

Concrete Examples Now Visible in the Market

• Fipto: In February 2026, Fipto became the first European stablecoin payment player to hold both a Payment Institution license from the ACPR and a full CASP license. Fipto positioned the unified structure as a regulated "Safe Harbour" for enterprises managing fiat and stablecoin payments ahead of the July 1, 2026 deadline.
• Banking Circle: On April 15, 2026, Banking Circle received a CASP license from the CSSF. Combined with its existing banking license, this provides a fully integrated stablecoin settlement service stack from a single regulated entity — a bank-plus-CASP variation of Model 1.
• Circle France: Circle France SAS holds EMI authorization from the ACPR (2024) and was authorized to issue EURC and USDC under MiCA's EMT framework. EURC reached approximately 41% of total euro stablecoin market capitalization by Q1 2026, up from 17% twelve months earlier. The structural advantage of having both authorizations in the same jurisdiction has been measurable.
• Revolut: Received a MiCA CASP license from CySEC (Cyprus) in 2025. As an established e-money institution with a Lithuanian banking license, Revolut already had the payment services authorization layer in place. The CASP license added the crypto-asset services authorization to an already PSD2-compliant stack.

The 19 authorized EMT issuers across 11 EU countries as of March 2026 represent firms that successfully navigated the dual-authorization challenge. France's concentration of five issuers, all dual-authorized, is the structural outcome of regulatory infrastructure choices made several years earlier.

PSD3: What's Coming, and What It Doesn't Fix

The political agreement on PSD3 and the Payment Services Regulation (PSR), reached November 27, 2025, was supposed to be the legislative resolution that the EBA's supervisory tolerance was bridging toward. The agreed compromise texts were published April 23-24, 2026, with publication in the Official Journal expected June or July 2026, and rules generally applying 21 months after publication.

What PSD3 does for CASPs:

• Streamlined authorization for MiCA-licensed providers: PSD3 introduces a simpler authorization application process for providers already licensed under MiCA, adding only payment-specific elements on top of the existing MiCA authorization.
• Reduced minimum capital alternative for AISPs: €50,000 initial capital as an alternative to professional indemnity insurance.
• Direct system participation: PSD3 amends the Settlement Finality Directive to enable direct participation by payment institutions and EMIs in designated payment systems, lowering the barrier to PSP status for crypto exchanges and stablecoin issuers wanting direct fiat on-and-off ramps.
• Issuer carve-out: Issuers of e-money tokens under MiCA will not be required to obtain separate PSD3 authorization if already authorized as crypto-asset service providers, unless they also provide payment services.

What PSD3 does not fix:

• Two-license outcomes remain necessary for certain business models. PSD3 streamlines the second authorization. It does not eliminate the requirement.
• Most CASPs will not benefit from the streamlined process until 2027 or 2028. The 21-month application period after entry into force places PSD3's practical impact in late 2027 at earliest.
• The structural overlap between crypto-asset and payment services regulation is preserved, not resolved. Industry voices argued for a clean carve-out exempting MiCA-licensed firms from separate payment service rules for EMT custody and transfers. That carve-out did not make it into the final PSD3 text.

The honest framing for founders is that PSD3 reduces friction at the second authorization step but does not eliminate the need for the second authorization. Plan accordingly.

The Forgotten Half of the Question: When Non-EMT Crypto Triggers PSD2

Almost all regulatory discussion since the EBA's June 2025 No Action Letter has focused on EMTs. But non-EMT crypto-assets — including Bitcoin, Ether, and asset-referenced tokens — can also trigger PSD2 obligations under specific business models. The principle is straightforward: PSD2 attaches to services that move funds on behalf of clients. Non-EMT crypto-assets are not funds within PSD2's definition. But the moment a service model introduces a fiat leg — where the CASP converts crypto into euros and disburses those funds to a third party on behalf of a client — the activity at the end of that chain becomes a payment service. The token type at the start of the transaction does not protect the fiat movement at the end.

Discussions among legal practitioners and regulators have surfaced a useful framing articulated by the Bank of Italy: EMTs are designed as payment instruments, and their transfer is presumptively tied to payment services — PSD2 attaches by default unless a specific exemption applies. Non-EMT assets are presumptively investment, trading, or transfer-of-value instruments, and PSD2 does not attach merely because they are moved between users. National competent authorities have not converged on a single interpretation of where this presumption flips, forcing multi-jurisdictional CASPs to seek local legal opinions for each member state of operation.

Six Service Models and Where the Line Falls

Salary Payments in Crypto

An employer paying employee salary in BTC directly to the employee's self-custody wallet, with the employee converting to fiat on their own initiative: this typically does not require PSD2 authorization. The same employer using a third-party payroll service that receives BTC, automatically converts to euros, and distributes those euros to employee bank accounts: the third-party service is performing a payment service and requires PSD2 authorization.

Crypto-Denominated Invoices

A B2B invoice denominated in ETH where a third-party platform handles invoice issuance and ETH collection without automatic fiat conversion: typically MiCA-only territory. The same platform converting ETH to euros automatically and depositing into the supplier's bank account: payment service requiring PSD2 authorization.

Peer-to-Peer Crypto Exchange

A platform allowing users to swap BTC and ETH directly with no fiat leg and no platform-controlled fund flows: MiCA-only. Adding fiat on-and-off ramps can trigger PSD2 because the fiat infrastructure on either side of the swap involves moving funds on behalf of clients.

Debit Cards Linked to Crypto Balances

A user holds BTC. A debit card provider converts BTC to euros in real time when the user pays at point of sale and transfers euros to the merchant. The crypto side is a MiCA-regulated service. The fiat leg — euros transferred to the merchant on behalf of the user — is a payment service requiring PSD2 authorization. This is one of the highest-risk and highest-frequency dual licensing scenarios in the consumer crypto market.

Crypto Payment Gateways and Merchant Services

A merchant receiving BTC directly into a wallet they control, with conversion arranged by the merchant separately: typically MiCA-only. A gateway intermediating between the customer's crypto and the merchant's fiat, holding or controlling the resulting fiat funds and transmitting them to the merchant's bank account: payment service requiring PSD2 authorization.

Placing of Crypto-Assets

A CASP licensed for placement of crypto-assets helping an issuer bring a new token to market, where investors send crypto and the CASP custodies the proceeds: typically within MiCA scope. The same CASP collecting fiat directly from investors, converting to crypto, and routing fiat to the issuer's bank account: introduces a fiat leg where PSD2 may apply.

The pattern across all six scenarios is the same. The determinative question is whether the service model involves the CASP holding or moving fiat on behalf of clients. Three diagnostic questions land the analysis quickly:

• Does my service handle fiat at any point on behalf of customers?


• Am I converting crypto to fiat for third parties under client direction?


• Is my role purely crypto exchange, or do I also deliver fiat to external recipients?

If the answer to any of these is yes, PSD2 attaches to that part of the activity, regardless of whether the underlying crypto-asset is an EMT, a non-EMT stablecoin, Bitcoin, Ether, or anything else. MiCA authorization alone is not sufficient. The fiat leg requires payment services authorization, either through direct PSD2 licensing or through a partnership with a licensed payment institution under MiCA Article 70(4).

The Right Questions for Founders

If your business model touches EMTs in custody, transfer, or exchange capacities, or if it involves any fiat leg under your control as part of a non-EMT crypto service, the questions you should be asking your legal counsel and strategic team include:

• Activity classification: Which of my specific services involve EMTs in a way that meets PSD2's definition of payment services? Custody of EMTs for clients, account-to-account transfers of EMTs, on-and-off ramp services, and merchant settlement in stablecoins are the highest-probability triggers.
• The fiat leg test: Does my service touch fiat on behalf of clients at any point in the transaction chain, even if the underlying asset is non-EMT crypto? Crypto debit cards, crypto payroll with automatic fiat conversion, crypto invoicing platforms that deposit euros into supplier bank accounts, and crypto payment gateways that intermediate between customer crypto and merchant fiat all introduce PSD2 obligations regardless of the originating token type.
• The first-party transfer question: Do my custodial wallets allow users to send EMTs to their own external addresses? Under the EBA's interpretation, this may constitute a payment transaction even where no third party is involved. Wallets structured to receive and hold but not to transfer outbound do not trigger this risk.
• Current authorization status: Where do I sit in the EBA's three-outcome framework as of May 2026? Authorized, application pending, or neither? If neither, what activities am I currently performing that I should have ceased on March 2?
• Structural model: Does direct dual authorization, group structure with separate licensed entities, or partnership with an authorized PSP fit my business strategy and capital position? The capital threshold for Model 1 (approximately €250,000 minimum, several million realistic) makes Model 3 the default for smaller operators.
• Jurisdictional choice: France has demonstrated structural advantages for dual licensing through ACPR-AMF coordination. Luxembourg, Ireland, and the Netherlands have growing populations of dual-authorized entities. Malta has CASPs but is currently under ESMA peer review for authorization quality concerns.
• PSD3 preparation: My PSD2 application or partnership structure today should anticipate PSD3's streamlined authorization process from late 2027 or 2028. Building a structure that can transition cleanly to PSD3 without re-architecting is meaningfully cheaper than a structure that requires migration.
• Operational resilience: DORA (the Digital Operational Resilience Act) has applied since January 2025 and creates parallel obligations on ICT risk management, third-party oversight, and incident reporting. A dual-licensed entity carries DORA obligations under both regimes.

The Pattern That's Emerging

Across the founders navigating this successfully in early 2026, three behaviors stand out:

• Early classification: Companies that mapped their activities against PSD2's definitions in 2024 or early 2025, before the EBA NAL even arrived, are now operating in the cleanest regulatory positions. Companies that waited for the NAL or the February 2026 Opinion to clarify their position are scrambling now.
• Jurisdictional anchoring: Companies that chose France or another coordinated dual-regime jurisdiction at incorporation have lower friction than companies that chose a CASP-friendly jurisdiction without considering the payment services dimension.
• Structural flexibility: Companies that built their authorization stack as modular — CASP today, EMI added later, group structure scalable — are easier to evolve than companies that obtained a CASP authorization tightly bound to a specific operational model that does not survive PSD2 scope expansion.

The market reality is now visible: companies that addressed dual licensing early have moved faster, attracted institutional partners more easily, and are positioned to absorb PSD3's transition without restructuring. Companies that delayed are stuck in regulatory positioning discussions, often with their EMT-related activities suspended or operating under partner stack arrangements they did not originally plan for. The structural choices made in 2023 and 2024 are now determining who can operate freely in 2026.

Where This Leaves the Right Questions Framework

MiCA was supposed to be the single rulebook. It is not, for any CASP whose activities touch EMTs in payment-services-adjacent ways. The dual licensing requirement is real, the supervisory tolerance has ended, and PSD3 will not eliminate the structural overlap. For founders, the implication is that asking "are we MiCA-compliant" is necessary but not sufficient. The follow-up question — "are we also covered for the payment services dimension of our activities" — is where the real strategic positioning happens.

The companies that have built structures anticipating dual licensing are moving faster than the companies still treating PSD2 as someone else's problem. This is the work that distinguishes regulatory compliance from regulatory strategy. The first reacts to legal frameworks as they are. The second anticipates how they will evolve and structures the company to remain capital-efficient and operationally agile across multiple successive regimes. For crypto businesses operating in the EU, the dual licensing question is not the last edge case MiCA will produce. It is, however, the one with the sharpest near-term consequences.