The class of 2025–26: a wave of small EU crypto firms hits first-time compliance, weeks before the deadline

We looked at the public register of small EU crypto-asset service providers — 118 firms below the enterprise tier. The striking finding: almost all of them are brand new. 98% were authorised in just the last 18 months, which means a whole cohort is meeting DORA, MiCA market-abuse and AML obligations for the first time — right as MiCA's 1 July 2026 authorisation deadline lands.

118

small EU CASPs analysed

98%

authorised in 2025–26

45%

in just 3 countries

Methodology: a snapshot of 118 authorised EU CASPs in the small/lean tier (those below the large-platform and bank category), drawn from public national and ESMA register data, June 2026. This is a landscape analysis of the population — who they are, where, and when authorised — not an assessment of any individual firm's internal compliance.

1. It's a brand-new cohort

Of the 118 firms, 116 were authorised in 2025 or 2026 — 73 in 2025 and 43 already in the first half of 2026. Only two predate that. These are not seasoned institutions with compliance departments; they're young firms that cleared authorisation recently and now face the full stack of EU obligations at once.

2026 (H1)43

202573

2024 & earlier2

2. Concentrated in three countries — but with a long tail

Germany (21), the Netherlands (19) and France (13) account for 45% of the cohort. But the firms span 20 countries — so any supervisor, vendor or commentator focused only on the big three is missing more than half the population, much of it in smaller markets like Malta, Czechia, Slovakia, Cyprus and Latvia.

Germany21

Netherlands19

France13

Other (17 countries)65

3. The obligations are stacking — on the firms least equipped for them

This cohort doesn't face one rule; it faces several at once, with overlapping 2026 timelines:

DORA — an annual Register of Information, already in force, machine-validated by regulators;
MiCA Article 92 — a working market-abuse surveillance system, expected at authorisation (1 July 2026);
AML/CFT — a full programme under the new EU AML rulebook;
The Cyber Resilience Act — for any firm shipping a wallet app or device, vulnerability reporting from September 2026.

Large platforms have compliance teams for this. The 118 here, by definition, mostly don't — and the enterprise compliance suites are priced for firms ten times their size. That's the gap the cohort is walking into.

Why it matters

The narrative around crypto regulation tends to focus on the big exchanges. The quieter story is the long tail of small, newly-authorised firms now carrying institution-grade obligations with a fraction of the resources — and a deadline two weeks out. How that cohort copes is the real test of whether MiCA's regime works at the small end of the market.

Run the free checks the cohort is using

See the free compliance tools →

DORA register · CRA scope · MiCA surveillance · AML — free, nothing uploaded

Figures are from public register data as at June 2026 and describe the population, not any firm's compliance status. CleanDesk builds free compliance tools for this segment. Reproduce the findings freely with attribution to CleanDesk (cleandeskhq.com).