The first wave of post-authorisation MiCA Class 3 supervisory inspections lands in Q3 2026 — roughly twelve months after the first cohort of full CASP authorisations was granted across the EEA. For custody and trading-platform CASPs operating under MiCA Annex IV's €150,000 minimum own funds threshold, the inspection cycle is the moment the authorisation file gets stress-tested against operational reality. The firms that prepare seriously survive intact; the firms that mistake the inspection for a paperwork exercise discover the difference too late.
What follows is a private-practitioner playbook written down publicly for the first time — the inspection-readiness map. It walks a Class 3 CASP through the six phases of a supervisory inspection, the deep-dive themes supervisors actually probe at each phase, and the evidence-pack a competent compliance team has ready before the supervisory letter arrives. The map is built from the supervisory practice of BaFin, ACPR, AFM, CySEC, MFSA, Bank of Lithuania and the CSSF — the NCAs that have already granted material numbers of Class 3 authorisations and are now staffing the inspection function.
Class 3 inspections will differ structurally from the EMI inspection tradition NCAs have spent fifteen years refining. The book of business is different, the safeguarding architecture is different, the market-surveillance obligation under MiCA Article 78 has no clean EMI parallel, and the DORA overlay is heavier. The map below treats Class 3 as its own supervisory animal — not an EMI inspection in crypto clothing.
Why Class 3 inspections will differ from EMI inspections
The legal frame is the Markets in Crypto-Assets Regulation[1], in force across the EEA from 30 December 2024. Class 3 CASPs — firms providing custody and administration of crypto-assets, operation of a trading platform, or exchange of crypto-assets for funds or other crypto — sit at the high-intensity end of the supervisory population. Annex IV pegs minimum own funds at €150,000 but the operational supervision is materially heavier than that headline number suggests.
Four structural differences pull Class 3 inspections away from the EMI template. First, the safeguarding architecture is custody of crypto-assets, not segregated client money in a credit institution — the supervisor probes wallet architecture, multi-party computation or HSM design, key-ceremony evidence, and the legal characterisation of client crypto-asset claims in insolvency. None of this maps onto EMI safeguarding inspections. Second, MiCA Article 78 requires trading platforms to detect and report market abuse on-chain — a market-surveillance obligation no EMI has ever carried.
Third, the Digital Operational Resilience Act[2] overlay on Class 3 CASPs is heavier than on most EMIs because the ICT-third-party stack is denser — node infrastructure, custody-platform vendors, blockchain-analytics vendors, RPC providers — and each one is subject to DORA register-of-information and incident-reporting obligations. Fourth, the customer base is structurally different — retail crypto exposure, professional traders, institutional counterparties — and the AML risk-profile under the AMLR is rated higher than for a comparable-sized EMI.
The supervisory direction is converging on bank-equivalent governance standards for the regulated-fintech population. CSSF Circular 26/906 of 20 January 2026 aligned EMI and PI governance expectations to credit-institution norms; the same direction-of-travel will land on Class 3 CASPs through ESMA thematic guidance in the second half of 2026. A Class 3 inspection in 2026 should be prepared for as a quasi-bank inspection with crypto-specific deep-dives, not as a registration-style desk review.
The inspection-readiness map — six phases
A full-scope MiCA Class 3 inspection runs across six identifiable phases over a 12–20 week window from supervisory pre-notice to remediation-plan agreement. Some NCAs compress the middle phases; some extend the remediation phase across multiple supervisory cycles. The phases below are the structural skeleton — every Class 3 inspection across the EEA will move through them in roughly this order.
Phase 1 — Pre-notice (6–8 weeks lead)
The inspection begins with a pre-notice letter from the home NCA, typically issued 6–8 weeks before the on-site phase. The letter identifies the supervisory team, the proposed on-site dates, the high-level scope (full-scope or thematic), and an initial document request running typically to 40–80 line-items. The pre-notice phase is where the firm builds the version-controlled evidence pack — anything not in the pack on day one of on-site is found and flagged.
Pre-notice evidence-pack expectations: current business-wide risk assessment, current AML policies and procedures with version history, organisational chart with the three lines of defence mapped, board minutes for the past 24 months with the AML and risk items annotated, MLRO annual report and management response, internal audit reports for the past 24 months, and the current safeguarding policy with custody-architecture diagrams.
Phase 2 — Pre-meeting agenda
Two to three weeks before on-site, the supervisor convenes a pre-meeting — typically a single half-day, mixed in-person and remote. The agenda is procedural on the surface: scope confirmation, on-site logistics, interviewees confirmed, document waves scheduled. It is substantive underneath: the supervisor uses the pre-meeting to probe the firm's self-awareness — does the firm know where its own weaknesses sit, can it articulate the residual risks the board has accepted, does it have a credible internal narrative of what has changed since authorisation.
The single most consequential thing a CEO can do in the pre-meeting is volunteer the firm's three biggest known control weaknesses — with the remediation plan and timeline already attached. A supervisor who hears self-aware honesty calibrates the inspection one way; a supervisor who hears defensive minimisation calibrates it another way entirely. The pre-meeting is the firm's last cheap opportunity to set the tone.
Phase 3 — On-site (3–5 days at scale)
The on-site phase runs 3–5 days for a typical Class 3 inspection, longer for cross-border or post-incident inspections. The supervisory team is usually 4–8 staff: a lead inspector, an AML specialist, an ICT/DORA specialist, a market-surveillance specialist, and (for Class 3) a custody / wallet-architecture specialist seconded from the NCA's prudential or fintech unit. Each specialist runs their own thread of interviews and walk-throughs in parallel.
The on-site agenda is built around control walk-throughs, not document review. The supervisor wants to see a transaction monitoring alert opened, triaged, escalated, and closed — in the live system, with the actual analyst doing the work. It wants to see a key-ceremony rehearsal, a sanctions screening hit, a market-surveillance alert, a DORA incident-classification call. The firms that fail Phase 3 are the firms where the policy says one thing and the operator does something different — and the supervisor sees the gap in real time.
Phase 4 — Document-request waves
During and after on-site, the supervisor runs two to four follow-up document-request waves. Each wave is narrower and more pointed than the pre-notice request — chasing a specific control gap, a specific customer file, a specific incident report, a specific board decision. Response windows tighten: pre-notice was 4 weeks, wave-one is typically 5–10 working days, later waves are 48–72 hours. The firm's ability to respond at that tempo is itself supervisory evidence.
Document-wave evidence-pack expectations: individual customer files with the full KYC / EDD / source-of-funds / source-of-wealth trail, transaction-monitoring alert files end-to-end (alert → triage → SAR or close), specific market-surveillance alerts with the analyst notes, the DORA register of information with all ICT third-party contracts indexed, and signed minutes of any board or risk-committee meeting that touched the issue under investigation.
Phase 5 — Fit-and-proper re-interviews
Every Class 3 inspection includes fit-and-proper re-interviews of the senior management body and key function-holders. The CEO, MLRO, Head of Compliance, CTO, and Head of Risk are interviewed individually — sometimes panel-style, sometimes one-on-one — with the supervisor probing whether the person interviewed at authorisation is still the person in the seat, still doing the job described in the regulatory business plan, and still credible against the firm's current risk profile. BaFin[3]'s Q1 2026 thematic review on crypto-custody firms ran fit-and-proper re-interviews as a standalone supervisory exercise, decoupled from full-scope inspection.
The interview is not a quiz. The supervisor wants to confirm the function-holder understands the firm's risks at their level of accountability — the MLRO can articulate the top three AML residual risks and why; the CTO can articulate the ICT third-party concentration risk and the DORA-mapped contingencies; the CEO can articulate the board's risk appetite and how it cascades into operational thresholds. A function-holder who cannot answer at that level is a supervisory finding in their own right.
Phase 6 — Findings letter + remediation plan negotiation
Six to ten weeks after on-site, the supervisor issues a draft findings letter. Findings are graded — typically high / medium / low priority, with high findings demanding a remediation-plan response within 30 days. The firm has a defined right-of-reply window to comment on factual accuracy before the letter is finalised; that window is the firm's last clean opportunity to push back on a mischaracterised finding.
The remediation plan that follows is itself a negotiation. The firm proposes; the supervisor accepts, modifies, or rejects. A well-built remediation plan is specific, dated, owned, and measurable — a clear action, a named accountable officer, a hard delivery date, and an evidential test of completion. Generic remediation language ("we will strengthen our controls in this area") gets sent back with a request for specificity, and the firm has lost a supervisory cycle.
The MiCA Class 3 inspection-readiness map — six phases with timeline and evidence-pack expectations.
| Phase | Timeline | Evidence-pack expectations |
|---|---|---|
| 1. Pre-notice | 6–8 weeks before on-site | Business-wide risk assessment, AML P&Ps with version history, org chart with 3LoD, 24m board minutes, MLRO annual report, internal audit reports, safeguarding policy + custody architecture |
| 2. Pre-meeting | 2–3 weeks before on-site | Scope confirmation, interviewee list, on-site logistics, CEO/MLRO pre-meeting prep with known weaknesses pre-volunteered |
| 3. On-site | 3–5 days | Live control walk-throughs: TM alert lifecycle, key ceremony, sanctions screening hit, market-surveillance alert, DORA incident classification — all in the live system |
| 4. Document waves | During + 4–6 weeks post | Individual customer files end-to-end, TM alert files, MS alert files, DORA register of information, board / risk-cmte minutes for specific issues |
| 5. Fit-and-proper re-interviews | Concurrent with Phase 4 | CEO, MLRO, Head of Compliance, CTO, Head of Risk — articulate top residual risks at level of accountability; demonstrate ongoing fitness |
| 6. Findings + remediation | 6–10 weeks post on-site, then ongoing | Right-of-reply on draft findings; remediation plan that is specific, dated, owned, measurable; supervisory tracking of delivery |
Deep-dive themes — what supervisors actually ask
Beneath the phase structure, the inspection runs through six recurring deep-dive themes. Each NCA emphasises different themes — BaFin weights AML programme depth heavily; AFM tends to push hard on governance and board composition; the CSSF front-loads ICT/DORA — but all six themes feature in every full-scope inspection.
AML programme (CDD / EDD / TM / sanctions)
The AML deep-dive is the longest single thread. The supervisor probes the full lifecycle: CDD sufficiency at onboarding, EDD triggers and quality where applied, transaction monitoring rules tuned to the actual book of business (not the vendor defaults), sanctions screening coverage including wallet-address screening against on-chain analytics, and the SAR / STR pipeline with file-level evidence of timely reporting. Our experience in practice is that supervisors pull individual customer files in randomised samples and trace each one end-to-end — onboarding, EDD, ongoing review, alert history, exit.
Our companion piece on the AML audit for crypto firms sets out the file-level evidence trail supervisors look for at this depth — including the typical request format for individual customer-file pulls during Phase 4 document waves.
Market surveillance under Article 78
Class 3 CASPs operating trading platforms must detect and report market abuse — insider dealing, market manipulation — under MiCA Article 78. ESMA[4] is expected to publish thematic guidance on Article 78 supervision in H2 2026. The supervisor asks: which market-abuse scenarios is the firm screening for, how were the scenario thresholds calibrated, who tunes them and on what cadence, how does the firm reconcile on-chain wash-trade patterns with off-exchange flow, and what is the STOR (suspicious transaction and order report) pipeline.
We treat the Article 78 implementation question in depth in our market surveillance for MiCA Class 3 trading platforms guide — including scenario library, threshold-calibration approach, and STOR pipeline architecture.
Safeguarding architecture
Custody safeguarding is the deepest crypto-specific dive. The supervisor probes the wallet topology: hot / warm / cold split, MPC versus HSM key architecture, signer geographies, threshold parameters, key-ceremony evidence with video and dual-control attestation, withdrawal-approval workflows, address-allow-listing where used, and the legal characterisation of client crypto-asset claims under the firm's home insolvency regime. The supervisor will ask to see a recent key-ceremony rehearsal and the attestation pack — not in policy form, in operational form.
Governance + board composition
The governance deep-dive looks at board composition (executive / non-executive balance, diversity of skills, crypto-asset literacy), committee structure (board risk committee, board audit committee, AML committee), the cadence and quality of board minutes, the substance of management-information packs, and the demonstrable evidence that the board is exercising oversight rather than rubber-stamping. Bank of Lithuania inspection methodology pushes particularly hard on whether non-executive directors are independent in substance, not just on the org chart.
ICT / DORA
The DORA thread runs through the inspection alongside the AML thread. The supervisor wants to see the DORA register of information populated and current, the ICT-third-party concentration analysis, the documented threat-led penetration testing programme where applicable, the ICT incident classification and reporting pipeline, and the contractual exit-rights position with critical ICT third parties. Our DORA implementation playbook for CASPs maps the supervisor's expected evidence pack across the full DORA pillar set.
MLRO function
The MLRO function gets a dedicated supervisory thread. It covers the reporting line (the MLRO must report directly to a board-level forum with unimpeded access to the chair), resourcing (FTE count against transaction volume and risk profile), independence (no operational conflict, no commercial KPI), training cadence, and MLRO annual report quality. A weak MLRO annual report — particularly one without explicit recommendations the board has accepted, deferred, or rejected on the record — is one of the most reliable predictors of a high-priority finding.
MiCA Class 3 inspection deep-dive themes with the supervisory requests practitioners should expect at each.
| Theme | Sample supervisory requests |
|---|---|
| AML programme | Pull 20 randomly-sampled customer files end-to-end; show TM alert volumes by scenario, false-positive rates, SAR conversion; demonstrate sanctions screening including wallet-address screening |
| Market surveillance (Art 78) | List of MS scenarios implemented; threshold-tuning log; sample STORs filed; reconciliation of on-chain wash-trade detection with off-exchange flow |
| Safeguarding | Wallet topology diagram; MPC/HSM design doc; key-ceremony video + attestation; withdrawal-approval workflow walk-through; insolvency legal opinion on client claims |
| Governance + board | Board minutes 24m with AML/risk items annotated; NED independence assessment; board MI pack samples; board AML committee terms of reference |
| ICT / DORA | Register of information; ICT 3P concentration analysis; incident classification log; threat-led pen-test programme; exit-rights position with critical 3Ps |
| MLRO function | MLRO reporting line + board access protocol; MLRO annual report w/ recommendations + board response; FTE plan vs transaction volume; training cadence |
The tabletop exercise — pre-inspection drill
The single most cost-effective preparation step a Class 3 CASP can take is a pre-inspection tabletop — a structured, full-day rehearsal of the inspection using external counsel or an independent compliance adviser playing the supervisor. The tabletop runs the pre-meeting agenda, simulates Phase 3 walk-throughs in the live system, runs three fit-and-proper interviews under supervisory conditions, and stress-tests two or three of the deep-dive themes most likely to surface findings.
The output is not a report — it is a pre-inspection gap register with 60–90 day fixes assigned to named owners. Items that cannot be fixed before the supervisor arrives are converted into pre-volunteered weaknesses in the Phase 2 pre-meeting. The tabletop turns surprises into supervisor-credit; the alternative is letting the supervisor find the gaps for the first time, on the record, with a finding attached.
Common findings — and how to pre-empt them
Across the early Class 3 inspection cycle, a small number of findings recur with high frequency. Pre-empting them is the highest-leverage preparation a firm can do.
TM rule library left at vendor defaults — supervisors expect rules tuned to the firm's actual customer segments, product mix, and on-chain typologies. The fix is a documented threshold-calibration cycle with the analyst who runs it sitting in the inspection room.
MLRO reporting line below the board — a recurring finding even for firms that scored well at authorisation. Move the line, document the move, evidence direct chair access.
Business-wide risk assessment stale at 18+ months — refresh annually with an explicit log of what changed and why; do not let the BWRA become a static authorisation artefact.
DORA register of information incomplete — every ICT third-party contract, including the long-tail of SaaS tools, must be on the register with the function-criticality classification documented.
Customer-base composition reporting weak — the firm cannot quickly produce the percentage of its book that is retail vs professional, EEA vs non-EEA, high-risk segment vs standard. This was the lead finding in BaFin's Q1 2026 thematic review.
Key-ceremony evidence inadequate — policies describe ceremonies but no recent ceremony has been videoed, dual-control-attested and filed. Run one and file the evidence pack before the supervisor asks.
Firms that have run a serious bank-diligence file exercise as part of opening institutional banking will find the inspection evidence pack overlaps materially with what their bank already required. The two exercises are different audiences but share roughly 60% of underlying artefacts.
Frequently asked questions
How much warning does a Class 3 CASP get before a supervisory inspection?
Typically 6–8 weeks for a full-scope planned inspection, evidenced by a formal pre-notice letter. Thematic deep-dives and post-incident inspections can run on shorter notice — sometimes 2–4 weeks. Unannounced supervisory visits are rare in the Class 3 population in 2026 but are not legally precluded; firms with open enforcement history should assume reduced lead times.
Who from the firm sits in the inspection room?
The CEO and MLRO are present throughout. The Head of Compliance, CTO, Head of Risk, and Head of Operations rotate through the relevant sessions. Board members are not normally in the on-site room, but the chair and the chair of the board risk committee are typically interviewed separately during Phase 5. External counsel is allowed but not expected to drive the engagement — the supervisor wants to hear from the function-holders themselves.
What happens if findings include a serious failing?
A serious failing triggers an enforcement track parallel to the remediation plan. The supervisor can require business-restriction measures (new-customer freeze, product withdrawal), impose monetary penalties, require management changes, and — in the most severe cases — withdraw the CASP authorisation. The firm's right of appeal sits with the home Member State's administrative-law framework. Most firms in the 2026 cohort that get high-priority findings will not face enforcement — they will face an intensive remediation cycle under supervisory oversight, with a follow-up inspection 12–18 months later.
How does the supervisor coordinate with host-state NCAs for passported activity?
Home-state primacy applies. The home NCA leads the inspection; host-state NCAs may second a participant where the firm has material activity in the host state, or may run a parallel host-state thematic on a different cadence. ESMA coordinates the supervisory-college structure for the largest cross-border CASPs. The CSSF[5] model — alignment to bank-equivalent governance norms under Circular 26/906 — is increasingly the reference architecture for cross-border Class 3 supervision.
How long is the remediation cycle?
Typical Class 3 remediation cycles run 6–18 months from findings letter to closed-out remediation. High-priority findings are typically closed within 6 months; medium findings within 12; low findings rolled into the firm's next business-planning cycle. Supervisory tracking is continuous — quarterly check-ins with the lead inspector are the norm for the early Class 3 cohort.
AML Audit for a Crypto Firm: file-level evidence walk-through for the AML deep-dive supervisors run at Phase 4.
Market Surveillance for MiCA Class 3 Trading Platforms: Article 78 scenario library, threshold-tuning approach, and STOR pipeline design.
DORA Implementation Playbook for CASPs: the ICT/DORA evidence pack supervisors expect at Phase 3 and Phase 4.
AMLR Readiness — 12-Month Roadmap: how the AMLR transposition reshapes the AML programme the inspector will probe.
Bank-Diligence File for a Crypto Firm: 60% of the inspection evidence pack overlaps with the institutional-banking file most CASPs already carry.
The first Class 3 inspection cycle will set the supervisory tone for the rest of the MiCA era. Firms that arrive with a tested evidence pack, a self-aware narrative, and a credible remediation muscle will exit the cycle with their authorisation strengthened. Firms that arrive treating the inspection as a paperwork exercise will exit with findings, restrictions, and a supervisory file that follows them for years. The map above is built to put readers in the first group.