Commission Delegated Regulation (EU) 2025/1125 on ART Authorisation
- James Ross
- Sep 16
- 10 min read
Executive Summary
Commission Delegated Regulation (EU) 2025/1125, which entered into force on October 5, 2025, constitutes a critical "Level 2" measure under the Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114 is not a primary legal instrument but an essential operational framework that delineates the granular information and documentation necessary for entities seeking authorisation to offer Asset-Referenced Tokens (ARTs) to the public or to seek their admission to trading. Its fundamental objective is to empower national competent authorities (NCAs) to conduct rigorous and harmonised assessments of whether applicants meet the stringent prerequisites of the broader MiCA framework.
This report states that the regulation imposes administrative, operational, and governance challenges on prospective ART issuers, urging the sector to meet standards similar to those of traditional financial institutions. Its detailed application process functions as a comprehensive pre-authorisation check, emphasising corporate integrity, robust controls, and economic prudence over the less-regulated crypto industry. In conjunction with the Digital Operational Resilience Act (DORA), the regulation creates a unified EU framework that addresses financial and technological risks, ensuring that ART issuers are both financially robust and technologically resilient.
This regulation highlights a fundamental global divide in stablecoin regulation. The EU's uniform early intervention approach contrasts with the US's modular system and the UK's phased strategy. This fragmentation will challenge international firms to develop complex compliance plans, possibly benefiting well-funded institutions. Ultimately, Regulation (EU) 2025/1125 positions the EU as a global leader, setting new standards for transparency, accountability, and consumer protection in the ART market.
1. The European Regulatory Architecture for Digital Assets
The Commission Delegated Regulation (EU) 2025/1125 is not a standalone legal instrument; it is a meticulously crafted component of a broader, highly structured legislative effort to regulate the digital finance sector within the European Union. Comprehending its position within this regulatory architecture is imperative for a full appreciation of its significance.
1.1. MiCA: The Foundational Framework for EU Crypto-Asset Regulation
The Markets in Crypto-Assets Regulation (MiCA), formally known as Regulation (EU) 2023/1114, serves as the cornerstone legal text for the regulation of crypto-assets across the EU. Its purpose is to institute a single set of uniform rules for both issuers of crypto-assets not previously encompassed by existing financial services legislation and for the service providers that handle them. MiCA’s primary objectives are to foster market integrity, support financial stability, and ensure robust protection for consumers and investors.
The EU’s phased timeline for Mica highlights its regulatory focus. Rules for Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs), commonly referred to as stablecoins, took effect on June 30, 2024, before the broader Crypto-Asset Service Providers (CASPs) regulations, which are scheduled to take effect on December 30, 2024. This six-month gap reflects the EU's policy to prioritise risks linked to stablecoins- especially financial stability and investor protection- as more systemic and urgent. The EU aims to establish a strong, stablecoin regulatory framework to ensure stability and credibility before the broader crypto sector is fully regulated.
1.2. The EU Legal Hierarchy: From Principles to Technical Standards
MiCA itself is a "Level 1" regulation, meaning it establishes the overarching legal principles and requirements. However, it mandates the development of a substantial number of "Level 2" and "Level 3" measures to provide the requisite detail and clarity for compliance. Commission Delegated Regulation (EU) 2025/1125 is a "Level 2" measure, more formally known as a Regulatory Technical Standard (RTS). These standards are instrumental in providing the granular, prescriptive information required to fulfil MiCA's broad mandates.
These standards aim to promote supervisory convergence and prevent regulatory arbitrage across the EU. By creating a unified set of requirements, the EU ensures National Competent Authorities (NCAs) apply consistent assessment standards, preventing applicants from "forum shopping" for leniency. The regulation addresses operational and stability risks from past market incidents, like stablecoin de-pegging and crypto failures. The EU focuses on building trust and accountability from the start, not just reacting to crises.
2. Deconstructing the ART Authorisation Application: Key Requirements
Commission Delegated Regulation (EU) 2025/1125 elevates the process of issuing ARTs to a comprehensive and rigorous due diligence exercise. The application is a far more extensive undertaking than a simple registration; it is a detailed submission requiring voluminous information across multiple domains.
2.1. Comprehensive Business and Applicant Information
The regulation mandates that entities provide a complete legal identity, including their name, legal entity identifier (LEI), legal form, and place of incorporation. This is to be followed by a detailed program of operations and a business plan covering a minimum period of three years. This plan must articulate a clear description of the ART, encompassing its issuance and redemption mechanisms, and the underlying Distributed Ledger Technology (DLT). The application must also provide a macroeconomic overview of the business environment, the firm's competitive positioning, and its target clientele, compelling firms to define their strategic vision and market position with a level of detail previously uncommon in the crypto sector.
2.2. The Strategic and Operational Risk Framework
A key component of the application is a comprehensive risk assessment that covers potential threats. Applicants must identify and analyse business, operational, financial, ICT risks, and risks related to AML/CTF. This shift towards a holistic, risk-based approach, common in finance, adds a new compliance burden for crypto firms. Firms must also submit detailed financial forecasts under baseline and stress scenarios to meet MiCA's own-funds requirements. This financial foresight requirement aligns with prudential standards for banks and financial institutions.
2.3. Robust Internal Governance and Suitability
The regulation underscores the importance of assessing the human and organisational aspects of the applicant firm. It mandates a thorough review of the management and the qualifying shareholders' reputation and suitability. This "fit and proper" standard is crucial for regulating financial services and integrating the crypto sector into the formal system. It requires applicants to disclose personal histories, backgrounds, and conflicts of interest, ensuring only individuals with a clean record and relevant expertise participate.
Firms must establish strong internal governance, including an organisational chart, reporting lines, and control functions like compliance, risk management, and internal audit. This shift from trustless, decentralised principles to institutional trust and accountability changes crypto firms' culture. The application favours entities capable of building a traditional compliance framework.
3. The Critical Nexus: MiCA and DORA
A pivotal component of the ART authorisation application is its explicit cross-referencing of another significant piece of EU legislation: the Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. This linkage is not merely a formality; it demonstrates a deep, convergent regulatory paradigm that views financial stability and technological resilience as interdependent pillars of a healthy economic ecosystem. DORA, which became applicable on January 17, 2025, applies directly to crypto-asset service providers.
The ART regulation mandates that firms' internal governance arrangements, particularly those concerning ICT and cybersecurity, must be fully compliant with DORA's principles. This creates a comprehensive, multilayered regulatory perimeter. While MiCA governs the financial aspects of ARTs, such as reserve assets and own-funds requirements, DORA governs the operational and technological aspects, including cybersecurity, third-party risk management, and incident reporting.
This dual-framework approach ensures that firms are not only financially prudent but also technologically robust. For an ART issuer, this means preparing for a comprehensive regulatory assessment that encompasses the following five pillars of DORA:
ICT Risk Management: The application requires a comprehensive framework for managing ICT risks, including robust cybersecurity governance and a detailed business continuity plan.
Third-Party ICT Risk Management: The regulation extends its oversight to a firm's supply chain, requiring due diligence and comprehensive contractual obligations with vendors, particularly for services that support critical functions.
Incident Reporting: Firms must have clear and detailed procedures for reporting major ICT-related incidents to competent authorities, with the content and format of these reports governed by specific technical standards.
Resilience Testing: Issuers are required to conduct regular digital operational resilience tests, including threat-led penetration testing.
Information Sharing: The regulation promotes the voluntary sharing of cyber threat information and intelligence.
The explicit integration of DORA into the ART application process is a pre-emptive measure to address the high probability of cyber-attacks and operational failures—a primary source of risk in the crypto sector. By mandating this comprehensive resilience framework at the point of market entry, the EU aims to prevent crises rather than simply reacting to them.
4. The Reserve of Assets: A Pillar of Stability
For Asset-Referenced Tokens, the reserve of assets is the most salient component, as it underpins the token's stability and the holders’ redemption rights. The application for authorisation requires a detailed framework for managing this reserve, covering its composition, custody, and overall management.
The principles governing this framework are rooted in traditional financial prudence, drawing direct parallels to banking and asset management.
Issuers must keep a 1:1 backing of all ARTs with high-quality liquid assets (HQLAs), usually secure instruments like cash, central bank reserves, and short-term government securities. They must hold these assets in segregated accounts and pass regular third-party audits to ensure transparency and adequacy. This regulatory focus responds to past issues like de-pegging and crises that challenged stablecoins.
The EU's regulation shifts stablecoin issuance from a trustless, decentralised model to one based on institutional trust and oversight. By mandating strict collateralization and audits, it aims to reduce risks such as a run on the bank and position stablecoins as a secure digital payment option. This policy learns from crypto market failures, aiming to build public trust in this emerging asset class.
5. The Global Picture: A Comparative Analysis
The EU’s approach to ART regulation, as operationalised by Commission Delegated Regulation (EU) 2025/1125, is a critical vector in the global competition to regulate crypto-assets. A comparative analysis with the emerging frameworks in the United States and the United Kingdom reveals fundamental regulatory divergences that will shape the future of the digital asset industry.
5.1. EU vs. US: MiCA vs. the GENIUS Act
The contrast between the EU’s MiCA framework and the United States’ Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act) is an exemplary case study of two fundamentally different regulatory philosophies. The EU has adopted a harmonised, "ex ante" (pre-emptive) approach, which seeks to set a single, clear set of rules before the market develops further, to ensure market stability and investor protection. The GENIUS Act, on the other hand, embraces a more modular, adaptive, and dual federal-state framework that aims to promote flexibility and market entry by "simplifying issuance".
A key difference is in issuer eligibility and scope. EU’s MiCA requires ART issuers to be established and authorised in the Union, creating a jurisdictional barrier for non-EU firms. The GENIUS Act offers more flexibility for "permitted issuers," including subsidiaries of insured depository institutions and state-regulated entities, with extraterritorial reach that subjects foreign issuers to U.S. regulation if they serve U.S. persons or are involved in transactions with them. This philosophical difference means an asset like a USD-pegged stablecoin is treated differently based on the issuer's jurisdiction. This divergence forces global firms to develop complex, cross-jurisdictional compliance strategies, which in turn increase operational costs.
5.2. EU vs. UK: A Juxtaposition of Regulatory Approaches
The UK has adopted a distinct, albeit non-prescriptive, approach, opting to expand its existing financial services and markets framework (FSMA) to include crypto-assets, rather than creating a new, standalone regime like the EU. The UK’s approach is phased, beginning with a focus on stablecoin issuance and custody, while plans for a broader regulation of other crypto-asset activities remain under development.
This approach could lead to a more fragmented, activity-based regulatory perimeter compared to the EU’s more holistic, asset-class-based approach under Mica. While the UK’s model may offer greater flexibility, the EU’s unified framework delivers more apparent legal certainty for firms operating across multiple Member States. The presence of three distinct regulatory models across these major global economic regions will make a single, global compliance strategy impossible. This fragmentation will effectively act as a barrier to entry, reinforcing the dominance of large, well-resourced financial institutions and slowing innovation for startups that lack the capital to handle this strategic complexity.
6. Strategic Implications and Recommendations for Industry
The detailed requirements outlined in Commission Delegated Regulation (EU) 2025/1125, combined with the broader MiCA and DORA frameworks, signal a new paradigm for the crypto-asset industry. Firms can no longer rely on a "move fast and break things" ethos; they must now cultivate a culture of institutional prudence and accountability that is commensurate with that of traditional financial services.
6.1. The Substantial Compliance Burden
The regulation introduces a significant administrative and operational burden that is a "far cry from the less regulated environment that some crypto-asset firms have operated in previously". Preparing a detailed application requires a substantial upfront investment of time, resources, and legal expertise. Firms must be ready to capitalise on sophisticated internal systems for risk management, ICT, and financial reporting, including economic forecasts under stress scenarios.
6.2. Recommendations for Proactive ART Issuers
To successfully navigate this new environment, prospective ART issuers must adopt a proactive and strategic approach. The following recommendations are essential for preparing for the regulatory demands:
Formulate a Comprehensive Compliance Roadmap: Firms should create a detailed plan that maps the application requirements of the delegated regulation to their internal organisational structure, identifying key milestones and resource needs.
Execute a Pre-Application "Fit and Proper" Assessment: Firms should perform an internal due diligence exercise on their management body and shareholders to identify and mitigate any potential issues regarding their suitability and repute before submitting the formal application.
Invest in DORA-Compliant Infrastructure: A firm’s ICT and cybersecurity infrastructure must be architected to meet DORA’s stringent requirements from the outset. This includes a robust framework for managing ICT risk, reporting incidents, and conducting regular resilience testing.
Implement Auditable Reserve and Custody Procedures: Issuers must institute clear, transparent, and auditable procedures for managing the reserve of assets, including the use of segregated accounts and independent, third-party custody solutions.
Devise a Multi-Jurisdictional Strategy: For firms with global ambitions, it is crucial to develop a tailored compliance strategy for each primary jurisdiction, taking into account the fundamental divergences between the EU, US, and UK frameworks.
7. Conclusion
Commission Delegated Regulation (EU) 2025/1125 is a significant market-shaping tool that operationalises the EU's vision for a secure and trustworthy crypto-asset ecosystem. It serves as a clear signal that the EU views ARTs as financial instruments that require strong oversight, not just technological innovations. The regulation bolsters the EU's proactive, harmonised approach to crypto-asset regulation, ensuring high standards of prudence, transparency, and consumer protection become the norm within the ART sector. Its detailed application process, emphasising strong governance, thorough risk management, and verifiable reserve assets, will fundamentally alter the competitive landscape.
The introduction of such a prescriptive and demanding framework will inevitably result in a significant market rationalisation. While it creates a substantial barrier to entry for smaller, less-capitalised firms, it simultaneously builds a foundation of institutional trust that could accelerate the mainstream adoption of ARTs by traditional financial institutions and retail users. The long-term impact of this regulation, particularly when viewed against the backdrop of diverging global frameworks, will be the institutionalisation of the stablecoin market, rendering regulatory clarity a competitive advantage and compliance a prerequisite for success.
Comments