New EU Regulations on Crypto-Asset Service Providers – Complaints Handling and Business Continuity

The European Commission has recently adopted several Delegated Regulations supplementing the Markets in Crypto-Assets Regulation (MiCAR). These regulatory updates introduce critical obligations for Crypto-Asset Service Providers (CASPs) operating within the European Union (EU). Among them, two key regulations require immediate attention: the Delegated Regulation on Complaints Handling by CASPs and the Delegated Regulation on Business Continuity and Regularity in Crypto-Asset Services.

1. Commission Delegated Regulation (EU) 2025/294 – RTS on Complaints Handling by CASPs

This regulation establishes clear and standardized procedures for handling client complaints to enhance transparency and fairness. CASPs are now required to implement a structured and transparent system that allows clients to submit complaints free of charge. To ensure accessibility, CASPs must provide a mandatory complaint form that follows a standardized template outlined in the regulation. Furthermore, complaints must be accepted in the languages used to market services, as well as in the official languages of both the CASP’s home and host EU Member States.

Timeliness is a critical aspect of this regulation. CASPs must acknowledge receipt of complaints promptly and provide a final resolution within two months. If an exceptional situation delays resolution, the CASP must inform the complainant of the reason and provide an estimated timeline for response. Additionally, firms must keep secure electronic records of all complaints and ensure that their management body actively monitors compliance with these new requirements. To maintain consistency in decision-making, complaints must be analysed systematically, and client communications must be clear, concise, and accessible both electronically and in print upon request.

Failure to comply with these obligations could lead to regulatory scrutiny, reputational damage, and possible penalties. Therefore, it is essential for CASPs to review their existing complaints-handling procedures and align them with these new regulatory requirements.

2. Commission Delegated Regulation (EU) 2025/299 – RTS on Continuity and Regularity in the Performance of Crypto-Asset Services

This regulation aims to enhance operational resilience by ensuring that CASPs have robust continuity measures in place. CASPs must establish a comprehensive business continuity policy that includes clear steps to address potential disruptions, including those related to permissionless distributed ledgers and other external factors that may affect service availability.

Governance and oversight play a key role in business continuity. The management body of each CASP is responsible for designing, endorsing, and annually reviewing the business continuity plan to ensure its effectiveness. In the event of a disruption, CASPs must provide timely updates to clients and stakeholders, including an assessment of the risks involved, details on expected service resumption, and any corrective actions being taken.

A well-defined continuity plan should outline response procedures that protect data integrity, ensure the availability of essential business functions, and establish reliable backup processes. CASPs must also have contingency measures in place to relocate critical business operations if necessary. To confirm the reliability of these plans, annual testing must be conducted using realistic disruption scenarios. Additionally, CASPs are required to conduct self-assessments to evaluate the nature, scale, and risk exposure of their services.

Compliance with these business continuity requirements is not only a regulatory necessity but also a crucial step in maintaining operational stability and client trust. Firms that fail to meet these expectations risk service disruptions that could impact their reputation and financial standing.

3. Other recent Delegated Legislation under MiCAR

In addition to the above regulations, the EU has also published other key Delegated Regulations supplementing MiCAR, including:

Commission Delegated Regulation (EU) 2025/292 – RTS establishing a template document for cooperation arrangements between competent authorities and supervisory authorities of third countries.

Commission Delegated Regulation (EU) 2025/293 – RTS specifying requirements for the handling of complaints related to asset-referenced tokens (ARTs).

Commission Delegated Regulation (EU) 2025/295 – RTS on harmonization of conditions enabling the conduct of oversight activities.

Commission Delegated Regulation (EU) 2025/296 – RTS specifying the procedure for the approval of a crypto-asset white paper.

Commission Delegated Regulation (EU) 2025/297 – RTS specifying conditions for the establishment and functioning of consultative supervisory colleges.

Commission Delegated Regulation (EU) 2025/298 – RTS specifying the methodology to estimate transaction volumes associated with ARTs and e-money tokens denominated in non-EU currencies.

4. Next steps for CASPs

To ensure compliance with these new regulatory requirements, CASPs should conduct a thorough review of their internal policies and procedures. Firms must update their complaints-handling processes to include the standardized template and multi-language accessibility requirements. Additionally, CASPs should establish clear response mechanisms that allow for timely complaint resolution.

On the business continuity side, CASPs must develop and document a detailed plan that addresses potential service disruptions. Regular testing and self-assessments are crucial to maintaining the plan’s effectiveness. It is also important to ensure that all employees are aware of their roles in upholding business continuity and regulatory compliance. Providing staff training on these new obligations will help ensure that compliance efforts are consistent across all operational areas.

Ensuring compliance with these new obligations is essential for maintaining regulatory approval, operational stability, and client trust. The regulatory landscape is evolving rapidly, and CASPs must be proactive in integrating these new requirements into their operations.