Regulatory Forensics | European Crypto Policy | June 2026
The MiCA Pathway Map: A Forensic Guide to Every Legitimate Option EU Crypto Users Actually Have, Eight Days Before the Final Deadline
On July 1, 2026, the European Union's transitional grandfathering period for crypto-asset service providers under the Markets in Crypto-Assets Regulation (MiCA) ends with no extension, a deadline ESMA reconfirmed in an April 2026 supervisory statement. As of June 18, 2026, approximately 204 crypto-asset service providers (CASPs) hold full MiCA authorisation according to ESMA's interim register, including at least 14 large centralised exchanges covering roughly 70% of EU crypto transaction volume, while an estimated 18% of platforms previously serving EU users have already exited the market since enforcement tightened. The picture is genuinely mixed: OKX, Kraken, Coinbase, Crypto.com, Bitstamp, Bitpanda, Revolut, and Paybis all hold confirmed CASP authorisation, while Binance's application remains pending in Greece and does not yet appear in ESMA's official register, and KuCoin was formally banned from operating in Austria by the FMA in February 2026 for providing unauthorised services. ESMA's April 2026 statement also closed the "reverse solicitation" loophole that some non-EU platforms had relied on, confirming that systematically marketing to EU clients without authorisation remains prohibited regardless of who technically initiates contact. This article forensically maps three distinct, legitimate pathways available to EU crypto users after July 1, 2026: fully licensed MiCA CASPs with complete regulatory protection, non-EU exchanges operating under other jurisdictions' licensing regimes (which carry reduced EU legal protection but are not "KYC-free," given the EU's Transfer of Funds Regulation requires originator and beneficiary data on all CASP-to-CASP transfers with no minimum threshold and enhanced due diligence above EUR 1,000 for unhosted wallet transfers), and decentralised exchanges, which sit outside MiCA's regulatory perimeter entirely under Recital 22's exclusion for genuinely decentralised protocols.
Eight days from the publication of this article, on July 1, 2026, the European Union's grandfathering window for crypto exchanges closes permanently. ESMA confirmed in April 2026 that there is no extension, anywhere in the regulation's text, for any of the 27 member states. Any platform still serving EU customers without full Crypto-Asset Service Provider authorisation on that date is, in ESMA's own words, in breach of EU law and must cease operations immediately. This is not a soft deadline. It is written into the regulation itself, and the agencies enforcing it have spent the past several months making clear they intend to apply it uniformly.
This article exists to answer the question that actually matters to you as a reader in this position: not "what is MiCA" in the abstract, which has been written about extensively elsewhere, but specifically, forensically, which platforms have actually secured a license, which haven't, what happened to the ones that tried to skip the process, and what your genuinely available, legitimate options are if the platform you currently use isn't on the list. We will not pretend that "find a platform with no KYC" is a real or durable strategy. It largely isn't, for reasons this article documents in detail. What follows instead is a forensic map of three distinct, legitimate pathways, each with real tradeoffs you deserve to understand clearly before you choose one.
"Any entity that continues to provide crypto-asset services to European clients without MiCA authorisation will be in breach of EU law and must cease its activities." ESMA's April 2026 supervisory statement also explicitly closed the reverse-solicitation loophole, confirming that active marketing to EU clients by unlicensed entities remains prohibited regardless of who technically initiates contact.
— ESMA Supervisory Statement ESMA75-113276571-1679, April 2026.Who Actually Has a License, as of This Week
As of June 18, 2026, approximately 204 crypto-asset service providers hold full CASP authorisation according to ESMA's interim register, up from 183 as of an early-April snapshot and roughly 40 as recently as February 2026, growth that reflects both a genuine wave of authorisations and the approaching hard deadline concentrating applications. Germany leads by number of authorised entities, followed by the Netherlands and France, while Malta has become the preferred jurisdiction specifically for crypto-native exchanges, hosting 13 CASPs including OKX, Crypto.com, Gemini, Gate, Blockchain.com, and BVNK. Roughly 70% of EU-based crypto transaction volume already flows through fully licensed platforms, a figure that should reassure most ordinary users that the system is, broadly, working as intended.
But "broadly working" conceals genuinely important platform-specific facts that most casual coverage glosses over. Binance, the largest exchange in the world by trading volume, does not currently hold full MiCA authorisation. Its application was filed with the Greek regulator in January 2026 and remained under review as of the most recent ESMA register update, meaning Binance does not yet appear as a confirmed authorised entity and, under MiCA's passporting rules, cannot lawfully serve customers across all 27 member states from a single grandfathered status. KuCoin was formally banned from operating in Austria by the Austrian Financial Market Authority (FMA) in February 2026, after continuing to serve EU users under transitional arrangements that the FMA's scrutiny determined did not hold up, the clearest concrete enforcement case study available of what actually happens to a platform that gambles on regulatory tolerance rather than completing the authorisation process. Separately, an estimated 18% of platforms that previously served EU users have already exited the European market entirely since enforcement tightened, with at least 30 smaller platforms confirming EU exits, citing the compliance cost of governance upgrades, capital requirements, and ongoing reporting obligations.
The Licensing Scoreboard: Confirmed Status as of June 2026
| Platform | MiCA Status | Licensing Jurisdiction | What This Means for EU Users |
|---|---|---|---|
| OKX | Authorised | Malta | Full EU-27 passporting, complete MiCA consumer protection |
| Kraken | Authorised | Ireland | Full EU-27 passporting, complete MiCA consumer protection |
| Coinbase | Authorised | Luxembourg | Full EU-27 passporting, complete MiCA consumer protection |
| Crypto.com / Bitstamp / Bitpanda | Authorised | Malta / Luxembourg / Austria | Full EU-27 passporting, complete MiCA consumer protection |
| Revolut | Authorised | Cyprus (CySEC) | Full EU-27 passporting via existing 65M-user banking app |
| Binance | Pending | Greece (application under review) | Not yet in ESMA register; no confirmed EU-27 passporting |
| KuCoin | Banned (Austria) | None confirmed | Formally prohibited from operating in at least one member state |
| Bybit, MEXC, KCEX, Bitget, BloFin | No confirmed CASP | Various (UAE/VARA and others) | Operate under non-EU licensing; no MiCA passporting; see Tier 2 below |
The Three Pathways, Honestly Mapped
Rather than chasing the increasingly elusive idea of a platform with "no KYC at all," which this article will explain in detail is both rarer and riskier than it used to be, the more useful framing is to understand the three genuinely distinct categories of legitimate option available to you, and the specific, real tradeoff each one involves. None of these three pathways is inherently wrong. Each is appropriate for a different priority.
Why "No-KYC" Is a Less Reliable Strategy in 2026 Than It Used to Be
It is worth being precise and honest about a specific, common assumption: that some meaningful population of centralised, fiat-connected exchanges still operate with effectively no identity verification at any transaction size. This is decreasingly true, and the regulatory architecture explains exactly why. The EU's Transfer of Funds Regulation, the operative law implementing the Travel Rule for crypto within the bloc, sets no minimum threshold at all for transfers between two crypto-asset service providers: every CASP-to-CASP transfer requires originator and beneficiary data, regardless of size. For transfers involving an unhosted, self-custodied wallet, enhanced due diligence requirements apply above EUR 1,000. Globally, the Financial Action Task Force's Recommendation 16 has now been transposed into law or formal regulation by 85 of 163 surveyed jurisdictions, up from 65 the year before, and over 50 jurisdictions including the EU, UK, US, Singapore, and UAE now actively enforce it. South Korea is moving to eliminate its remaining transaction-size threshold entirely starting August 2026.
The practical consequence: a centralised exchange, anywhere in the world, that wants to maintain banking relationships, process fiat deposits and withdrawals, or transact with any other licensed exchange, faces escalating pressure to implement real identity verification regardless of where it is nominally headquartered, because its own counterparties increasingly will not deal with it otherwise. The "no-KYC" centralised exchanges that still exist in 2026 tend to fall into a narrowing set of categories: platforms operating with limited or no fiat rails at all (crypto-to-crypto only, which sidesteps banking-relationship pressure), platforms imposing low withdrawal thresholds before requiring verification, or platforms accepting meaningfully higher counterparty and regulatory risk by deliberately operating outside FATF-aligned jurisdictions. None of these is the same thing as a durable, risk-free way to avoid identity verification at any scale, and Chainalysis's 2026 Crypto Crime Report found illicit address activity rose 162% year-over-year in 2025 to at least $154 billion, a trend directly cited by regulators as justification for tightening, not loosening, this exact category of enforcement going forward.
The genuinely structural exception is decentralised exchanges, Tier 3 above, where there is no central corporate entity for any regulator to license or require KYC from in the first place, because the smart contract itself has no operator in the traditional sense. This is the honest, durable distinction: not "find a centralised exchange that happens to skip identity checks today," which is an increasingly unstable position for the exchange itself to maintain, but "use infrastructure that was never structured around a central, licensable counterparty to begin with."
What This Actually Means for Your Decision
If regulatory protection, deposit security, and a real complaint pathway matter most to you, Tier 1 is the only category that genuinely delivers them, and the 70% of EU volume already there reflects a rational, broad migration. If you specifically need an asset, a derivatives product, or a leverage structure that licensed CASPs do not yet offer, Tier 2 remains a real, widely used option, but go in with eyes open: you are accepting another jurisdiction's regulatory umbrella instead of the EU's, not escaping regulation altogether, and you should not assume EU legal protections apply to a dispute with a Tier 2 platform. If your priority is genuine self-custody and resistance to any single point of platform failure, Tier 3 is structurally the strongest answer, at the cost of having no one to call when you make a mistake.
What This Map Does Not Claim
"No confirmed CASP authorisation" is not the same claim as "illegal to use." Several Tier 2 platforms are licensed and supervised in other credible jurisdictions; the absence of an EU passport changes your legal protections, not necessarily the platform's legitimacy in its home jurisdiction.
Licensing status changes weekly. ESMA's register updates on a rolling basis, and a platform listed here as pending or unlicensed may have completed authorisation by the time you read this. Always verify current status directly against the official ESMA register before making a significant deposit.
The Bottom Line: Three Real Doors, Not One Trick
The honest answer to "what should EU crypto users do after July 1, 2026" is not a single platform recommendation or a clever workaround. It is a clear-eyed choice among three structurally different, all genuinely legitimate pathways, each trading a specific protection for a specific freedom. Kraken and OKX deliver full MiCA protection for readers who want it. Bybit, MEXC, and KCEX deliver broader asset access under a different jurisdiction's licensing umbrella for readers who need it. GMX, gTrade, and Drift deliver structural self-custody for readers who want no central counterparty at all. See the DN Custody Sovereignty Score to audit your own current setup against all three tiers.
Frequently Asked Questions
Not as of mid-2026. Binance filed a CASP application with the Greek regulator in January 2026, but the application remains under review and Binance does not appear as a confirmed authorised entity in ESMA's official register. Without confirmed authorisation, Binance cannot lawfully claim EU-27 passporting rights, meaning its legal status serving EU customers from a single grandfathered registration is unresolved heading into the July 1, 2026 deadline.
Austria's Financial Market Authority (FMA) formally banned KuCoin from operating in Austria in February 2026, after KuCoin continued serving EU users under transitional arrangements that did not satisfy the FMA's scrutiny. This is the clearest concrete enforcement case study of what happens when a platform does not complete the MiCA authorisation process before a national regulator loses patience with continued unauthorised operation.
Reverse solicitation refers to the argument that a non-EU platform can serve an EU client lawfully if the client, rather than the platform, initiated contact. ESMA's April 2026 supervisory statement (ESMA75-113276571-1679) explicitly closed this as a systematic workaround, confirming that active marketing to EU clients by unlicensed entities remains prohibited regardless of who technically initiated contact, and that reverse solicitation cannot be relied upon as a routine compliance strategy.
Genuinely no-KYC centralised exchanges with full fiat rails are increasingly rare and structurally unstable, because the EU's Transfer of Funds Regulation requires originator and beneficiary data on all CASP-to-CASP transfers with no minimum threshold, and 85 of 163 surveyed jurisdictions globally have now transposed the FATF Travel Rule into binding law. Centralised platforms maintaining banking relationships face mounting pressure to implement identity verification regardless of their nominal headquarters. The structural exception is decentralised exchanges, which have no central corporate entity for any regulator to require KYC from, since the trading logic runs on a smart contract with no traditional operator.
These platforms operate under licensing regimes outside the EU (for example, Bybit under Dubai's VARA framework) and do not hold confirmed MiCA CASP authorisation as of mid-2026. Using them does not provide the EU-27 passporting protections, mandatory client-asset segregation, or guaranteed EU regulatory recourse that a MiCA-licensed platform provides. They are not unregulated in an absolute sense, since they remain subject to their home jurisdiction's AML and Travel Rule obligations, but an EU user accepts a different, generally less protective legal framework by using them, and ESMA's closure of the reverse-solicitation loophole means active marketing of these services to EU clients carries its own compliance risk for the platforms involved.
MiCA's Recital 22 excludes "fully decentralised" services from the regulation's scope, on the basis that there is no central operator capable of holding a license in the traditional sense when the trading logic runs entirely on autonomous smart contracts. ESMA has not yet published a precise legal test for what qualifies as sufficiently decentralised, with Level 3 guidance expected during 2026, but established protocols with no identifiable controlling entity, such as the major perpetual futures DEXs, generally fall within this exclusion as a practical matter.
The Transfer of Funds Regulation is the EU's operative implementation of the FATF Travel Rule for crypto-asset transfers, effective since December 2024. It requires that all transfers between two crypto-asset service providers include originator and beneficiary identity data, with no minimum transaction threshold. For transfers involving an unhosted, self-custodied wallet, enhanced due diligence requirements apply specifically above EUR 1,000. This regulation is the primary reason genuinely no-KYC centralised exchange activity at any meaningful scale has become structurally difficult to sustain for any platform wanting EU banking and counterparty relationships.
An estimated 18% of crypto platforms that previously served EU users have exited the European market since MiCA enforcement tightened, according to coinlaw.io data from April 2026, with at least 30 smaller platforms confirming EU exits. The most commonly cited reasons are the compliance costs associated with governance upgrades, minimum capital requirements, and ongoing regulatory reporting obligations that smaller, less capitalised platforms found uneconomical to meet.
The DN MiCA Pathway Navigator maps three distinct, legitimate categories of option available to EU crypto users after the July 1, 2026 deadline: Tier 1, fully MiCA-licensed CASPs offering complete EU regulatory protection; Tier 2, non-EU licensed exchanges offering broader asset access under a different jurisdiction's regulatory umbrella; and Tier 3, decentralised exchanges and self-custody, which sit outside MiCA's scope entirely. Each tier is presented with an honest accounting of what it provides and what it costs the user, rather than ranking platforms by how little identity verification they require, since that framing both overstates how durable low-KYC centralised platforms actually are and understates the genuine legal and counterparty risk involved.
Embed grant: The DN MiCA Pathway Navigator may be reproduced with attribution to decentralised.news.
DN-INTERNAL links to resolve: DN MiCA Compliance Tracker, DN Custody Sovereignty Score, DN Boring Bitcoin Thesis.
Sources: ESMA interim CASP register and supervisory statement ESMA75-113276571-1679 (Apr 2026), Paybis "MiCA-Licensed Crypto Exchanges 2026" and "CASP Authorised Exchanges 2026" (Jun 2026), Entropikaizen MiCA exchange tracker, CASP Tracker (casptracker.eu), CCN "MiCA Compliance Watchlist" (Apr 2026), coinlaw.io EU platform exit data (Apr 2026) and "Crypto AML Compliance: FATF Travel Rule 2026," Sumsub FATF Travel Rule guide (Apr 2026), InnReg Crypto Travel Rule Guide, AMLWatcher "AML Compliance for Crypto Exchanges: 2026 Regulatory Map" (Mar 2026), Chainalysis 2026 Crypto Crime Report, Austria FMA KuCoin enforcement action (Feb 2026).
As of: June 19, 2026. Not legal or financial advice. Licensing status changes frequently; verify current status directly against the official ESMA register before relying on this article for compliance decisions.
About the Author
