EBA Issues No Action Letter Clarifying PSD2 & MiCA Overlap for Crypto Service Providers

Transitional Measures Introduced for CASPs Under PSD2 Until March 2026

The European Banking Authority (EBA) has issued a significant No Action letter urging European Union lawmakers to address the risk of dual authorisation for crypto-asset service providers (CASPs) transacting in electronic money tokens (EMTs). This development signals an important step towards harmonising the regulatory treatment of EMTs under the existing Payment Services Directive 2 (PSD2) and the newly implemented Markets in Crypto-Assets Regulation (MiCA).

Transition Period Offers Regulatory Breathing Space for Crypto Asset Providers

In its letter published today, the EBA advises the European Commission, Council and Parliament to avoid subjecting CASPs to overlapping authorisation requirements under PSD2 and MiCA in the long term. During an interim period running until 2 March 2026, national competent authorities (NCAs) are encouraged to apply PSD2 authorisation requirements to relevant CASPs only after the transition deadline and then to deprioritise enforcement of specific PSD2 provisions.

This approach is designed to prevent an unnecessary and burdensome duplication of regulatory oversight for CASPs offering EMT-related services, while maintaining core protections for consumers and market integrity.

Clarification on EMT Custody & Wallet Services

The EBA’s letter provides detailed guidance to NCAs on how to interpret EMT custody and administration under PSD2. It advises that:

• The transfer of crypto-assets involving EMTs by CASPs on behalf of clients constitutes a payment service under PSD2.

• Custody and administration of EMTs should also be treated as a payment service.

• A custodial wallet holding EMTs in the client’s name and enabling transfers to or from third parties should be regarded as a payment account.

From 2 March 2026, CASPs offering these services should be authorised under PSD2, but NCAs are instructed to streamline the authorisation process by leveraging information already submitted as part of their CASP authorisation under MiCA.

Targeted Enforcement of PSD2 Provisions

The EBA recommends that, even once authorisation is in place, NCAs should not prioritise the enforcement of specific PSD2 requirements for CASPs, including:

• Consumer disclosures on charges, execution timelines, or identifiers (such as IBAN).

• Safeguarding of funds.

• Open banking obligations.

However, strong customer authentication (SCA), payment fraud reporting, and own funds calculation must remain enforced to uphold consumer protection and market confidence.

This nuanced approach reflects the EBA’s commitment to ensuring that retail payments involving EMTs remain secure and reliable, without stifling innovation through excessive regulation.

Services Excluded from PSD2 Oversight

Importantly, the EBA makes clear that certain crypto-related activities do not fall within the scope of PSD2. These include:

• The exchange of crypto-assets for fiat or for other crypto-assets, as defined under MiCA.

• Intermediation of crypto-asset purchases using EMTs.

Such activities, the letter explains, should not require PSD2 authorisation, nor be subject to its rules.

Consumer Protection Remains Paramount

While the EBA acknowledges that requiring dual authorisation would place a disproportionate burden on CASPs, it emphasises that this is not an endorsement of MiCA authorisation as a substitute for PSD2. The success of PSD1, PSD2 and the Electronic Money Directive (EMD) in building a trusted payments market underscores the importance of maintaining robust consumer safeguards for both traditional and token-based payments.

Legal Basis for the Opinion

The EBA’s letter was issued in response to a European Commission request in December 2024, and developed in close cooperation with the European Securities and Markets Authority (ESMA). It is grounded in the EBA’s authority under Article 9c of Regulation (EU) No 1093/2010.

Read the EBA letter here.