Operating a crypto exchange under a MiCA Class 3 authorisation is the most demanding crypto regulatory programme in the EEA — and the most commercially valuable. Class 3 authorises the two highest-risk crypto-asset services in MiCA's perimeter: custody and administration of crypto-assets on behalf of clients, and operating a trading platform for crypto-assets. Combined, these are the operating heart of every retail-and-institutional crypto exchange. Coinbase Europe, Kraken, Bitstamp, and the major EU-native exchanges all run Class 3 authorisations as their structural foundation.
The capital floor under MiCA Article 67 is €150,000 for Class 3 — but capital is the smallest constraint. The substantive bar runs through MiCA Article 75 (custody segregation and liability for client-asset loss), MiCA Article 76 (trading-platform market integrity rules), the Travel Rule under the Transfer of Funds Regulation, the AML obligations under EBA Guidelines moving to AMLR from 10 July 2027, and the ICT framework under the Digital Operational Resilience Act applicable from 17 January 2025. A Class 3 operator must satisfy all of these simultaneously, with documented operational evidence, audited annually, and inspection-ready at all times. [1][2][3][4][5][6][7]
This guide is the operator playbook. It covers the Class 3 perimeter in detail, the prudential and ongoing capital model, the custody architecture (hot, warm, cold) and the qualified custodian decision, the matching-engine and order-handling design, the listing and delisting policy framework, market-integrity and surveillance obligations, the conflicts-of-interest framework, outsourcing under DORA, AML programme design at exchange-scale, the cost benchmarks for running a Class 3 exchange, and the operational discipline that turns a granted licence into a sustainable business at scale.
MiCA classifies crypto-asset services into eight categories. Class 3 is the highest tier under Annex IV's prudential capital classification — it covers custody and operating a trading platform, plus all services authorised at Class 2 (execution, exchange, transfer) and Class 1 (advisory, portfolio management, reception/transmission).
MiCA Annex IV class structure — Class 3 authorises everything at Class 1 and 2 plus custody and trading platform.
| Class | Services | Initial capital floor |
|---|---|---|
| Class 1 | Advice on crypto-assets; portfolio management; reception and transmission of orders; placement | €50,000 |
| Class 2 | Class 1 services + execution of orders + exchange of crypto-assets + transfer of crypto-assets | €125,000 |
| Class 3 | Class 2 services + custody and administration of crypto-assets + operating a trading platform | €150,000 |
| Fixed Overhead Requirement | All classes — higher of class floor or 25% of prior year fixed overheads | — |
Capital — The Annex IV Floor and the Practical Reality
MiCA Article 67 sets the initial capital floor at €150,000 for Class 3 — but the floor is rarely the operating reality. Three additional capital pressures push real-world Class 3 capital to €500,000–€1.5M for mid-sized operators, and to €5M+ for the largest exchanges.
Fixed Overhead Requirement (FOR). 25% of prior year's fixed overheads. For a Class 3 exchange running €2M+ annual operating costs, the FOR exceeds the €150,000 floor and becomes the binding constraint.
NCA-imposed risk-weighted add-ons. Bank of Lithuania, CySEC, and BaFin routinely require additional capital based on volume, custody assets under custody (AUC), and operational complexity.
Operational buffer. Most experienced Class 3 operators hold 25–50% above the regulatory floor as operational buffer, avoiding any chance of breaching the requirement during stress.
Insurance retention. Custody-loss insurance retentions are typically self-insured up to €1M+; capital must cover the retention layer.
Custody Architecture — Hot, Warm, Cold
MiCA Article 75 makes the Class 3 custodian liable for client-asset loss except in narrow force-majeure circumstances. The custody architecture is therefore the single highest-stakes engineering decision in running a Class 3 exchange. The standard pattern combines three layers, each with progressively stronger security and progressively slower access.
Hot, warm, cold custody architecture — the standard Class 3 pattern.
| Layer | Typical balance share | Use case | Security model |
|---|---|---|---|
| Hot wallet | 1–5% of total AUC | Withdrawals within minutes; small daily flows | Multi-sig with HSM, automated approval, online connectivity |
| Warm wallet | 5–15% of total AUC | Larger withdrawals (hours to days); rebalancing | Multi-sig with HSM, partial offline, manual co-approval |
| Cold wallet | 75–90% of total AUC | Long-term storage, large institutional withdrawals (1–3 days) | Air-gapped HSM, multi-sig with geographically distributed signers, key ceremonies |
| Deep cold storage | 0–10% of total AUC | Very long-term reserves; institutional cold custody | Multiple-jurisdiction physical key shards, no automated access |
Many Class 3 exchanges outsource cold and deep-cold custody to qualified custodians — Fireblocks, BitGo, Anchorage Digital, Komainu — while retaining the hot and warm tiers internally. The economic question is whether the third-party custodian's fees and SLA structure beat the cost of building equivalent in-house security. For most operators below €5B AUC, outsourcing the cold tier to a qualified custodian is the standard.
Matching Engine and Order Handling
Operating a trading platform under MiCA Article 76 imposes structural rules on how orders are received, matched, and executed. Class 3 operators must publish written rules covering order types, matching priority, market integrity, and conflicts of interest. The engine itself must be auditable — supervisors can request order-history data covering specific time windows under formal information requests.
Order types. Limit, market, stop-limit, stop-loss as standard; advanced order types (TWAP, VWAP, iceberg) per the platform's documented order-handling policy.
Matching priority. Price-time priority is standard; pro-rata or hybrid models permissible if disclosed.
Best execution. Class 3 platforms providing execution services owe best-execution duties under MiCA conduct rules — comparable to MiFID II but adapted for crypto.
Market integrity surveillance. Real-time and post-trade surveillance for market manipulation, wash trading, layering, and spoofing. A surveillance capability, whether from a vendor (Eventus, Trillium, Solidus Labs) or built in-house, is mandatory.
Conflicts of interest. The exchange must manage conflicts arising from operating a trading venue, providing custody, and any proprietary trading positions or related entities.
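An added illustration (not code from this guide or from any exchange) of the price-time priority and auditable order history described above: a minimal limit-order matcher in Python that writes every accept and fill to an append-only log and answers a time-window query of the kind a supervisory information request would ask for. The class and field names, integer prices and integer timestamps are assumptions made for the example.

```python
import heapq
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Book:
    """Single-instrument limit order book (illustrative names, not a real API)."""
    bids: list = field(default_factory=list)   # heap of (-price, seq, id, [qty])
    asks: list = field(default_factory=list)   # heap of (price, seq, id, [qty])
    audit: list = field(default_factory=list)  # append-only event log
    _seq: count = field(default_factory=count)  # arrival order = time priority

    def submit(self, ts, order_id, side, price, qty):
        """Match a limit order under price-time priority; return the fills."""
        seq = next(self._seq)
        self.audit.append({"ts": ts, "event": "accept", "order": order_id,
                           "side": side, "price": price, "qty": qty})
        buy = side == "buy"
        own, opp = (self.bids, self.asks) if buy else (self.asks, self.bids)
        fills = []
        while qty > 0 and opp:
            key, _, maker, left = opp[0]          # best price, earliest arrival
            maker_price = key if buy else -key
            if (price < maker_price) if buy else (price > maker_price):
                break                              # no longer crosses the book
            traded = min(qty, left[0])
            qty -= traded
            left[0] -= traded
            fills.append((maker, maker_price, traded))
            self.audit.append({"ts": ts, "event": "fill", "taker": order_id,
                               "maker": maker, "price": maker_price, "qty": traded})
            if left[0] == 0:
                heapq.heappop(opp)
        if qty > 0:                                # rest the remainder
            heapq.heappush(own, (-price if buy else price, seq, order_id, [qty]))
        return fills

    def window(self, start, end):
        """Audit events with start <= ts <= end, in recorded order."""
        return [e for e in self.audit if start <= e["ts"] <= end]


def demo():
    """Constructed sample: prices in cents, timestamps as integer seconds."""
    book = Book()
    book.submit(1, "A", "sell", 100, 5)
    book.submit(2, "B", "sell", 100, 5)   # same price as A, arrives later
    book.submit(3, "C", "sell", 99, 2)    # better price, arrives last
    fills = book.submit(4, "D", "buy", 100, 8)
    return book, fills
```

In the constructed sample the buy order is filled against C first (best price), then A before B (same price, earlier arrival), and `window(4, 4)` returns the accept and the three fills recorded for that second.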
Listing Policy and Token Admission
MiCA Article 76 requires the trading platform to publish operating rules including a written listing policy. Asset admission decisions must be principled, documented, and applied consistently. NCAs review the listing policy at authorisation and probe specific listing decisions during inspections.
Issuer due diligence. White paper review (mandatory for asset-referenced tokens and e-money tokens); legal opinion on token classification; financial-crime exposure of the issuer.
Liquidity assessment. Free float, trading volume on other venues, market depth analysis.
Technical assessment. Smart contract security audit (where applicable), historical incidents, network maturity.
Compliance assessment. Sanctions exposure on issuer or major holders; AML risk score from blockchain analytics on relevant addresses; alignment with the exchange's risk appetite.
Delisting policy. Documented criteria triggering delisting — sanctions designation, substantial security breach, persistent low liquidity, regulator request.
Most NCA-cited concerns in Class 3 supervisory letters relate to inconsistent listing decisions — assets admitted without documented diligence, or assets retained after a delisting trigger. Build a Listing Committee with documented decision papers, version-controlled diligence checklists, and a quarterly review cadence on the existing listed asset base.
DORA — ICT Risk Management for Class 3
The Digital Operational Resilience Act applies in full to every Class 3 operator from 17 January 2025 — bringing crypto exchanges into the same ICT regulatory framework as banks, asset managers, and insurers. Compliance with DORA is not optional and is examined in detail at every Class 3 supervisory inspection.
ICT risk management framework. Documented framework covering identification, protection, detection, response, recovery; signed off by the management body; reviewed annually.
ICT third-party register. Comprehensive register of every ICT provider (cloud, custody, analytics, KYC, Travel Rule), with criticality classification and exit strategies.
Major incident reporting. Major ICT incidents reportable within hours; classification framework prescribed; FIU and NCA channels.
Threat-led penetration testing (TLPT). 3-year cycle for significant operators; coordinated by the home NCA; €100,000–€400,000 per TLPT exercise.
Critical ICT third party oversight. Critical third parties (large cloud providers, dominant custody platforms) face direct ESA oversight — joint with the home NCA.
AML Programme Design at Exchange Scale
Class 3 AML programmes operate at scale and complexity that small CASPs do not face. Millions of customers, billions in monthly transaction volume, hundreds of listed assets, and material flow from self-hosted wallets all combine to make exchange-grade AML a continuous engineering and operations challenge.
Tiered KYC with risk-based EDD triggers. Standard CDD for retail; institutional KYC layer; PEP and high-risk-third-country EDD; dynamic re-tiering based on activity.
Real-time transaction monitoring. Rules engine running thousands of rules across customer cohorts; alerts triaged through a case-management system; SAR pipeline to FIU.
Travel Rule at scale. Multi-vendor Travel Rule architecture (typically Notabene + Sumsub or Sygna) covering all counterparty CASPs and self-hosted wallet flows.
Blockchain analytics layered. Two analytics providers (Chainalysis + TRM Labs is common) feeding inbound deposit screening, withdrawal screening, and investigations.
Sanctions screening at every layer. Onboarding identity, ongoing identity refresh, real-time wallet screening, transaction-level screening — 4-list coverage (OFAC + EU + UN + OFSI).
Annual independent AML audit. Required under EBA Guidelines; comprehensive review of programme effectiveness, false-positive rates, SAR quality, and remediation tracking.
The Cost of Running a Class 3 Exchange
Annual operating cost for a regulated Class 3 exchange (excluding pure technology and customer-acquisition costs) typically falls in three brackets by scale.
Annual regulatory and operations cost for a Class 3 exchange by scale tier (2026).
| Cost line | Small (€10–50M revenue) | Mid (€50–500M revenue) | Large (€500M+ revenue) |
|---|---|---|---|
| Capital tied up (regulatory + buffer) | €500,000–€1M | €1.5–€5M | €5M–€20M |
| Compliance + AML headcount (FTE) | 8–12 FTEs | 20–40 FTEs | 60–150+ FTEs |
| Travel Rule + blockchain analytics + KYC stack | €200,000–€400,000 | €400,000–€800,000 | €800,000–€2M |
| DORA / ICT compliance + TLPT | €100,000–€300,000 | €300,000–€700,000 | €700,000–€2M |
| External legal counsel | €150,000–€350,000 | €350,000–€800,000 | €800,000–€2M |
| Audit (financial + AML + ICT) | €100,000–€250,000 | €250,000–€600,000 | €600,000–€1.5M |
| NCA supervisory fees | €10,000–€50,000 | €50,000–€200,000 | €200,000–€500,000 |
| Total annual regulatory operations cost | €2M–€4M | €5M–€12M | €15M–€40M+ |
The Pitfalls That Sink Class 3 Operators
Capital co-mingled with operating cash. The single most-cited supervisory finding; trivially preventable; deceptively common.
Listing decisions without documented diligence. NCAs probe specific assets; absence of decision papers triggers programme-level findings.
Hot-wallet share too large. NCA expectation is 5% or less of AUC in the hot tier; exceeding it routinely creates operational-risk findings.
Travel Rule architecture not at scale. Single-provider architecture fails when counterparty network gaps cause Sunrise rejections that exceed customer tolerance.
DORA register incomplete. Missing critical third parties, no exit strategy documentation, no testing schedule.
Inadequate market surveillance. Wash trading, spoofing, and layering signals not detected or not investigated; supervisory letters follow.
Outsourcing without DORA-aligned contracts. Critical-function outsourcing requires audit rights, exit plans, and sub-outsourcing controls; pre-existing contracts often fail these tests.
Frequently Asked Questions
Can I run a Class 3 exchange without a qualified custodian relationship?
Possible but operationally heavy. Self-custody at Class 3 scale requires a documented key-ceremony architecture, geographically distributed signers, regular cryptographic audits, and a SOC 2 Type II report on the custody operations. Most exchanges below €5B AUC find that outsourcing cold custody to Fireblocks, BitGo, Anchorage Digital, or Komainu is operationally cheaper and supervisorily simpler than building equivalent in-house. Larger exchanges (Coinbase Europe, Kraken) operate hybrid architectures.
How does AMLR affect my Class 3 AML programme?
AMLR overlays the existing EBA Guidelines AML framework with a directly-applicable single rulebook from 10 July 2027. Practical effects for Class 3: harmonised CDD/EDD across all 27 member states (relevant for passporting exchanges), AMLA direct supervision likely for the largest exchanges, AMLR-aligned Travel Rule overlay onto the existing Transfer of Funds Regulation. Plan AML programme upgrades during 2026 for AMLR application.
What does insurance cost for a Class 3 exchange?
Crime insurance and cyber insurance for Class 3 operators typically runs €500,000–€2M annually for €25–100M of cover. Custody-specific 'crypto crime' policies (Lloyd's syndicates, specialist underwriters) cost €50,000–€500,000 per €10M of cover depending on cold-storage maturity, key-ceremony evidence, and audit history. Insurance coverage is increasingly required by institutional counterparties.
Can I list any token on a Class 3 exchange?
Subject to your listing policy, broadly yes — except where the token is itself a regulated MiCA crypto-asset that requires its own authorisation (asset-referenced tokens or e-money tokens — the issuer must be authorised). Also excluded: tokens that are securities under MiFID II (require a separate authorisation), tokens with sanctions exposure, tokens that have failed your listing diligence. The breadth varies by exchange — Kraken's listing list differs from Bitstamp's because their respective listing policies differ.
Is best execution under MiCA the same as under MiFID II?
Conceptually similar but adapted. MiCA conduct rules require 'all sufficient steps' to obtain the best result for clients across price, costs, speed, likelihood of execution and settlement, size, and nature of the order. Class 3 operators publish best-execution policies, monitor execution quality, and provide clients with execution reports. The framework is lighter than MiFID II's RTS 27/28 but moving in the same direction; AMLA and ESMA technical standards will continue to refine it.
BaFin Germany — by a meaningful margin. The most rigorous combined assessment of capital, governance, ICT, AML, custody architecture, and conflict-of-interest management. Central Bank of Ireland is close behind on rigour but slightly slower. Bank of Lithuania is the fastest with serious-but-pragmatic substance expectations. Most Class 3 operators choose Lithuania, Cyprus, or Malta for the speed-substance balance; the few that choose Germany do so for institutional credibility.
A Class 3 crypto exchange is a serious operational machine: capital, custody, matching engine, surveillance, AML, ICT, listing policy, and a board-level governance discipline that pulls them all together. Done well, it is the most powerful authorisation in European crypto — passportable across 30 EEA member states, defensible to the most demanding institutional counterparties, and the foundation on which the next decade of European crypto market structure will be built. Done badly, it is the most expensive way to discover regulatory gravity. Build to the standard the most-demanding NCA expects. Document everything. Audit every layer. Treat supervisors as informed counterparties, not adversaries. The exchanges that survive the next five years will be the ones that built it like an institution from day one.