If You Move Stablecoins, You Need to Move Fast: A PSD2 Compliance To‑Do List for MiCA Stablecoin Platforms

1. Why MiCA Firms Suddenly Have a PSD2 Problem

Electronic Money Tokens (EMTs) – including MiCA-regulated stablecoins – now sit at the crossroads of MiCA and PSD2 in the EU payments framework: they are both a regulated crypto‑asset under MiCA and “funds”/electronic money under PSD2.

When a CASP offers custody of EMTs or transfers EMTs on behalf of clients, those activities are treated as regulated payment services in addition to MiCA services.

For any MiCA CASP offering stablecoin transfers, PSD2 compliance is not optional: full adherence is mandatory.

For clarity, MiCA treats most single‑currency stablecoins as “electronic money tokens” (EMTs): crypto‑assets designed to hold a stable value against one official currency (such as EUR) and to be used mainly for payments. That is why many founders now discover that their MiCA stablecoin platform is, in practice, an EU payment service provider under PSD2.

The EBA’s 2025 Opinion and No‑Action Letter resolved the legal uncertainty by confirming that only a subset of EMT services are PSD2 payment services and introducing a transition period ending on 2 March 2026. After that date, unauthorised EMT payment services are no longer tolerated, and NCAs are expected to enforce PSD2 or its successor legislation in full.

PSD2 is the EU’s core Payment Services Directive, the rulebook that regulates payment institutions, electronic money institutions and other payment service providers across the single market (safeguarding of client funds, transparency of charges, strong customer authentication, fraud reporting, etc.). It is also in the process of being updated: PSD3 and a new directly applicable Payment Services Regulation (PSR) are on the way, so any MiCA stablecoin platform that now falls into the PSD2 perimeter is effectively designing for the next‑generation EU payments framework, not just today’s rules.

For MiCA‑authorised EMT players this creates a simple but brutal equation:

• Keep offering EMT custody and transfers without change → you need PSD2 permissions (own licence or agency model).

• Avoid PSD2 entirely → you must redesign your product to stay outside the EMT payment‑services perimeter.

2. What Exactly Is a “Payment Service” for a MiCA Stablecoin CASP?

The EBA and national regulators have now aligned around a clear perimeter for EMT‑related CASP activities.

In practice, if you:

• hold EMT balances for clients in on‑platform wallets; and

• allow clients to send and receive EMTs to/from third parties (on‑chain or off‑chain),

you are almost certainly providing payment services and will trigger PSD2 requirements in addition to MiCA.

3. The Regulatory Timetable: From No‑Action Comfort to Enforcement

The regulatory timeline matters for commercial decisions.

• 10 June 2025 – EBA No‑Action Letter (EBA/Op/2025/08)

  • Confirms which EMT‑related CASP activities are PSD2 payment services.Opinion-on-the-interplay-between-PSD2-and-MiCA.pdf+2

  • Advises NCAs to allow a transition period to 1–2 March 2026 before requiring PSD2 authorisation or partnership.

  • Recommends de‑prioritising some PSD2 requirements (e.g. safeguarding, charge disclosures, execution times) for dual‑licensed EMT businesses during the interim.

• 12 February 2026 – EBA Opinion on end of the transition period (EBA/Op/2026/01)

  • Sets out three scenarios for CASPs after 2 March 2026 and the supervisory expectations under each.

• National implementation – Cyprus as an early blueprint

  • CySEC Circular C722 and the Central Bank of Cyprus’s “Dual Licensing of CASPs under PSD2” notice transpose the EBA line into local guidance: CASPs must either obtain a PI/EMI licence or partner with an authorised PSP for EMT payment services.

  • Similar approaches are expected across the EU as NCAs align with EBA.Opinion-on-the-end-of-the-NAL-transition-period.pdf+2

The three EBA scenarios after 2 March 2026

1. CASP has PSD2 authorisation or a PSP partnership in place

   • EMT payment services can continue, within the scope of the PI/EMI licence or agency arrangement.

1. CASP has applied for a licence but not yet authorised

   • May continue EMT payment services only if all conditions are met (complete file, good supervisory track record, realistic approval timeline).

   • Must stop marketing EMT payment services and stop onboarding new EMT payment clients until authorised.

1. CASP has not applied, or does not meet conditions

   • Must cease EMT payment services and offboard clients from those EMT services.

For founders and product owners, this is not academic: if you miss the window, your EMT wallet/transfer functionality can be switched off by your NCA.

4. Strategic Options for MiCA Stablecoin CASPs: Licence, Partner, or Redesign”

From a practical standpoint, MiCA stablecoin CASPs offering EMT payment services have three strategic choices:

Option A – Become a payment institution / EMI

You obtain your own payment institution authorisation or EMI license under PSD2 (or, in future, PSR/PSD3 authorisation) on top of your MiCA CASP licence.

What this gives you

• Full control over the EMT payment offering and roadmap.

• Ability to passport EMT payment services across the EU under the standard PSD2 cross‑border regime.

• A unified group‑level risk and compliance architecture for MiCA + PSD2 activities.

What regulators will expect

The CBC application package and the EBA Guidelines on authorisation of payment institutions are a good proxy for EU‑wide expectations. You should be ready to deliver, among others:

• Programme of operations and detailed business plan for payment services (EMT wallet and transfers).

• Structural organisation, including clear governance, three lines of defence, outsourcing map, and key function holders.

• Evidence of initial capital and an own‑funds plan that combines MiCA and PSD2 requirements (cumulative capital).

• Robust safeguarding model for client funds (even if some EMT‑specific safeguarding requirements are de‑prioritised in the interim).

• Governance, internal control and ICT risk frameworks aligned with PSD2 and DORA.2025-

• Security policy, strong customer authentication (SCA) for access to EMT wallets and initiation of EMT transfers, and incident/fraud reporting capabilities.

• Full AML/CFT framework, shareholder and management fitness and propriety, and audit arrangements.

This route suits larger, well‑capitalised platforms that view payments as a core long‑term profit centre.

Option B – Operate as an agent of a licensed PI/EMI

Instead of becoming a PSD2‑licensed entity yourself, you act as an agent of an authorised payment institution or e‑money institution.

Key features of the agent model

• The PI/EMI is the principal and holds the PSD2 licence; your entity is registered as its agent in the home NCA’s public register.

• You provide EMT payment services (wallet and transfers) on behalf of the PI/EMI, under its regulatory responsibility and supervision.

• From a user perspective, the interface can remain your app – but legal documentation and disclosures must clearly state that certain services are provided “as agent of [PI/EMI]”.

Regulatory and operational implications

• The PI/EMI must notify its NCA with detailed information on you as agent (AML controls, governance, key persons, services in scope), and registration must be approved before go‑live.

• The PI/EMI remains responsible for PSD2 compliance (SCA, fraud reporting, own‑funds, etc.), but will impose strong oversight, audit rights and detailed contractual controls.

• You must align your KYC/AML and Travel Rule frameworks with the PI/EMI and implement data‑sharing mechanisms to support their reporting and monitoring.

This model can be faster and less capital‑intensive, but you trade regulatory autonomy and some margin for time‑to‑market.

Option C – Redesign your product to avoid PSD2 scope

A third, often overlooked, option is to reshape your EMT use‑cases so they do not qualify as payment services under PSD2.

That means, for example:

• Avoiding EMT wallets that can send or receive EMTs to/from third parties;

• Structuring EMT usage so that transfers remain on‑platform value changes linked to trading or investment, without offering a general‑purpose payment function; and

• Ensuring that EMT‑related flows you support fall under MiCA services that the EBA has explicitly excluded from PSD2 (e.g. exchange crypto‑for‑funds, crypto‑for‑crypto, intermediation in EMT‑funded purchases)

This approach can preserve a crypto‑native model but may significantly reduce the utility of your stablecoin product from a payments perspective.

5. Design Considerations: How to Build a Compliant EMT Payment Stack

Whatever path you choose, regulators will scrutinise the end‑to‑end design of your EMT product. A few concrete design themes emerge from the EBA Opinions, national law and real‑life projects.

a) Strong Customer Authentication and security

• Apply SCA when a user accesses a custodial EMT wallet or initiates an EMT transfer: two independent factors and dynamic linking of the amount and recipient.

• Align your in‑app authentication flows with PSD2 standards, not just MiCA’s general “security systems” language.

b) Fraud and incident reporting

• Build data models and reporting pipelines that allow you (or your principal PI/EMI) to produce statistical fraud data and major incident reports in the format NCAs expect.Opinion-on-the-end-of-the-NAL-transition-period.pdf+3

• Ensure classification of EMT fraud and unauthorised transactions is consistent with PSD2 definitions.

c) Capital and safeguarding economics

• Model the cumulative capital impact of MiCA + PSD2 on your group and, in agency models, on your partner PI/EMI (this will feed directly into commercial terms).

• Understand which safeguarding obligations your NCA will enforce immediately and which are de‑prioritised during the interim, but do not design to the minimum – the forbearance is temporary.

d) Governance, outsourcing and AML/CTF

• Align governance and internal control frameworks so that MiCA, PSD2 and DORA expectations are met in one coherent model rather than three parallel systems.

• In agent or outsourcing structures, document reliance on the CASP’s AML operations in line with the PI/EMI’s policies and regulatory obligations, including audit rights and data access.

6. Where Pnyx Hill Can Help

For many MiCA organisations, the challenge is not understanding that PSD2 now matters – it is operationalising a viable roadmap in nine to twelve months, across multiple EU jurisdictions, without breaking the business.

Typical mandates where we assist:

• Mapping your EMT use‑cases against MiCA and PSD2 to determine whether you need:

  • a full PI/EMI authorisation,

  • an agent/partnership model, or

  • a product redesign to remain outside the payment‑services perimeter.

• Designing and documenting the PSD2 application pack for MiCA CASPs, re‑using your MiCA materials and aligning with EBA‑GL‑2017‑09 and national law (programme of operations, business plan, governance, safeguarding, security, AML/CTF).

• Structuring and negotiating agent arrangements between MiCA CASPs and PIs/EMIs, including reliance agreements, operational playbooks and user‑facing disclosures.

• Building EMT‑specific SCA, fraud reporting and DORA‑aligned ICT controls that satisfy both your MiCA supervisor and your payment regulator.

We help EU MiCA CASPs design and execute their PSD2 compliance and dual‑licensing strategy, including agent models as well as Payment Institution and Electronic Money Institution applications.