MiCA Compliance (2026) Checklist for Bulgarian VASPs

1LTT Team | December 09 / 2025 | Uncategorized

1 July 2026 may seem far away, but for Bulgarian VASPs, MiCA compliance is not something to leave for the last minute. Effective preparation requires time, structured planning, and dedicated resources.

That is why this article presents a practical MiCA compliance checklist for Bulgarian VASPs, focused on building strong internal operational readiness rather than last-minute regulatory remediation.

Scope and Focus of the MiCA Compliance Checklist for Bulgarian VASPs

This guide explores how VASPs can future-proof their internal operations under both the Bulgarian Crypto-Asset Markets Act (CAMA) and the EU Markets in Crypto-Assets Regulation (MiCA) without addressing formal licensing or authorization procedures.

Official MiCA text is available via EUR-Lex, and supervisory implementation is coordinated by the European Securities and Markets Authority (ESMA and the European Banking Authority (EBA).

The analysis focuses on:

Governance and management fitness

Internal control frameworks

AML/CFT alignment

ICT and cybersecurity safeguards

Data protection and consumer protection

Risk management and audit systems

Licensing and registration under Bulgarian CAMA and their interaction with MiCA authorisation will be addressed in a separate article.

By prioritising internal readiness over procedural approval, VASPs can reduce regulatory friction, improve transparency, and strengthen long-term trust with clients, investors, and supervisors. In Bulgaria, supervisory expectations will ultimately be shaped by the Bulgarian Financial Supervision Commission (FSC).

Practical MiCA Compliance Checklist for Bulgarian VASPs (Operational Readiness Guide)

1.Decide your MiCA service perimeter and legal structure

Map exactly which Annex I MiCA services you will perform (e.g., custody, exchange, advice). This drives capital requirements, policy scope, and IT architecture. Assess and adjust business models to align with MiCA provisions, especially regarding issuance and public offerings of crypto-assets.

2. Capital planning

Model both permanent minimum capital and fixed-overheads (FOH)-based capital. Minimum capital depends on services (EUR 50k / EUR 125k / EUR 150k depending on the class) or 25% of prior-year fixed overheads — the higher amount applies. Build a 20–40% buffer for potential FSC capital add-ons.

3. Governance and fit-and-proper framework

Document:

  • Management roles and responsibilities
  • Time-commitment policies
  • Board and senior management competence matrices

These must satisfy ESMA and EBA suitability standards for managers and qualifying shareholders. Prepare full ownership transparency and source-of-funds documentation.

4. Operational compliance readiness

Appoint a dedicated MiCA compliance officer. Build or expand a compliance function with operational knowledge of crypto-asset services, not just traditional financial regulation.

5. Information security and operational resilience

Build the IT risk and business continuity framework required under MiCA, including:

  • Incident handling
  • Access management
  • Change control
  • Wallet key management
  • Asset segregation and reconciliations

Align these controls with the Digital Operational Resilience Act (DORA) requirements.

6. Technology and systems

Implement or upgrade systems supporting:

  • Transaction monitoring
  • Regulatory reporting
  • Record-keeping and audit trails
  • Ensure GDPR-compliant data protection and security architecture.

7. Risk management framework

Perform regular enterprise-wide risk assessments covering:

  • Operational risk
  • ICT risk
  • Market abuse risk
  • Financial crime risk

Strengthen internal controls to prevent fraud, money laundering, and sanctions breaches.

8. Client asset safeguarding under MiCA custody rules

Finalise wallet segregation models, omnibus vs. individually segregated accounts, reconciliation frequency, and insolvency exit playbooks. Reflect these structures in client terms, custody disclosures, and risk statements. MiCA places strict emphasis on custody integrity.

9. AML/CFT uplift under MiCA and EU AML reform

Align your framework with the Bulgarian AML Act, upcoming EU AML Regulation (AMLR), and the travel-rule regime. Embed:

  • Sanctions screening
  • Blockchain analytics
  • Risk-based KYC and ongoing monitoring

Bulgarian supervisors are expected to apply heightened scrutiny in this area.

10. White paper readiness and product governance

If you (or your onboarded issuers) offer crypto-assets in the EU, ensure MiCA-compliant white papers are prepared and validated. Separate treatment applies for:

  • Asset-Referenced Tokens (ARTs)
  • E-Money Tokens (EMTs)
  • Other crypto-assets

Trading platforms must implement listing governance, due-diligence procedures, and disclosure checks.

11. Conduct of business and client disclosures

Implement MiCA-aligned retail disclosures on:

  • Fees and charges
  • Execution and order handling
  • Conflicts of interest
  • Risk warnings
  • Complaints handling

All communications must be fair, clear, and not misleading.

12. Regulatory reporting and audit

Implement systems for:

  • Transaction and supervisory reporting
  • Periodic disclosures
  • Full audit trail retention

Conduct regular internal audits and engage independent external auditors to evidence ongoing compliance.

13. Ongoing MiCA compliance programme

Deliver structured staff training on MiCA obligations. Monitor regulatory updates and guidance continuously. Maintain active dialogue with regulators and industry associations.

Ongoing MiCA Compliance Strategy for Bulgarian VASPs

Beyond initial alignment, VASPs should adopt permanent strategic compliance practices:

Enhanced customer due diligence

Strengthen KYC and AML monitoring frameworks. Implement risk-based EDD processes and ongoing transaction surveillance.

Product and service innovation

Embed compliance directly into product design and development life cycles.

Third-party risk management

Ensure outsourcing providers and critical vendors meet MiCA, DORA, and AML requirements.

Market surveillance

Deploy real-time monitoring to detect insider trading, market manipulation, and abusive trading patterns.

Stakeholder engagement

Maintain transparent communication with clients and investors regarding regulatory protections under MiCA.

Continuous regulatory monitoring

Establish a permanent regulatory-watch programme for EU and Bulgarian developments with adaptive compliance planning.

Final Strategic Positioning for MiCA Compliance in Bulgaria

By following this structured MiCA compliance checklist, Bulgarian VASPs can achieve early operational alignment well ahead of 2026. This proactive approach reduces regulatory friction, strengthens institutional credibility, and positions firms as trusted and resilient participants in the evolving EU crypto-asset market.

Jenny Gancheva

Web3 & Crypto Lawyer

ABOUT 1LTT

We are crypto Legal, Tokenomics & Tax experts
Crypto is our expertise and we just love it!
We can help you with your crypto project at whatever stage of the business journey you are on, from initial idea to growing and expansion.

Contact us at hello@1ltt.eu or simply Book a meeting.