Cross-Border Compliance Under MiCA: Legal Interdependencies for Multi-Jurisdictional Crypto Operations
15 December 2025Corporate Client Insights, AML, Blockchain & Cryptocurrency
The EU’s Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114) establishes a harmonised licensing and conduct framework for crypto-asset markets. However, companies operating across multiple Member States are discovering that MiCA alone does not eliminate regulatory complexity. Cross-border operations expose companies to overlapping obligations under MiCA, the AML Regulation (AMLR) (Regulation (EU) 2024/1624), national AML laws, for example the Prevention of Money Laundering Act, PSD2 (Directive (EU) 2015/2366), EMD2 (Directive 2009/110/EC), and DORA (Regulation (EU) 2022/2554). Understanding these intersections is essential for managing regulatory risk effectively.
This article explains why these interdependencies persist, the areas in which they commonly arise, and their practical implications for cross-border crypto operations.
Functional Overlap: The Source of Multi-Regime Complexity
Modern crypto-asset business models integrate governance, payments, AML, and ICT functions. An EMT issuer, for example, may be licensed under MiCA while relying on payment channels governed by PSD2/EMD2, onboarding procedures subject to AMLR, and cloud services regulated by DORA. When these operations are distributed across Member States, such as centralised governance in one jurisdiction and onboarding or ICT in another, the overlap becomes operationally significant.
Supervisors are increasingly treating these interlinked risks as part of a unified regulatory ecosystem. ESMA and the EBA have emphasised coordinated enforcement, and national authorities are conducting joint inspections where ICT, AML, and prudential risk intersect.
Divergent AML Expectations
Although AMLR (with its application date set 10 July 2027) seeks EU-wide harmonisation, procedural divergence across Member States persists. Companies face varying onboarding expectations, monitoring thresholds, FIU reporting formats, and escalation procedures. A risk alert in one jurisdiction may trigger additional reporting, enhanced due diligence, or remedial actions that do not exist elsewhere. Reconciling these differences is crucial for ensuring compliance while operating across borders.
DORA as a Cross-Border Trigger
DORA applies EU-wide, but decentralised ICT footprints increase regulatory exposure. Cloud outages, system disruptions, or data-integrity issues can simultaneously trigger:
- DORA major-incident reporting;
- MiCA governance or custody incident obligations;
- PSD2/EMD2 operational-incident reporting;
- AMLR escalations where onboarding or monitoring processes are affected.
This highlights that operational events, such as a single ICT disruption, can generate obligations under multiple regulatory frameworks.
Practical Implications
MiCA authorisation is necessary but not sufficient for cross-border crypto operations. Companies must manage functional interdependencies that cut across MiCA, AMLR, PSD2/EMD2, and DORA. Compliance is no longer about adhering to a single rulebook; it requires coordinated policies, cross-jurisdictional governance, and structured escalation procedures.
Companies that understand these interdependencies and design compliance programs accordingly will be better positioned to manage regulatory risk and operate effectively in the EU market.
Conclusion
Cross-border crypto operations highlight the limits of harmonisation. MiCA provides an EU-wide licensing framework, but overlapping obligations under AMLR, PSD2/EMD2, and DORA persist. Companies that proactively map these intersections, establish integrated governance, and manage jurisdiction-specific requirements can reduce regulatory friction and strengthen operational resilience.
For more information, please contact us at crypto@newbalkanslawoffice.com