Back to Assurance

Assurance: MiCA — CASP Readiness

MiCA readiness for CASPs—delivered as control mapping, an evidence pack, and an execution roadmap.

Built for teams who need a structured way to operationalise requirements, reduce supervisory friction, and present credible, complete evidence to stakeholders.

Netallion provides readiness and assurance support. We do not provide legal advice.

Who it's for

Designed for:

  • CASPs including exchanges, brokers, custodians, wallet providers, and other crypto service providers
  • Compliance and risk teams who need traceability from obligations → controls → evidence
  • Engineering/ops teams who want "what to build" clearly defined (not vague policy talk)

Not ideal if:

You want guaranteed authorisation outcomes (no credible provider should promise that)

What you get

You receive a versioned, export-ready pack including:

Readiness Roadmap

  • Current-state assessment (maturity + gaps)
  • Prioritised remediation plan (30/60/90 days)
  • Ownership + timelines + dependency notes

Control Mapping

  • Obligations → controls → evidence matrix
  • RACI mapping (who owns what: compliance, ops, engineering, leadership)
  • "Evidence index" so you can respond fast to due diligence queries

CASP Evidence Folder (Audit-Grade Structure)

  • Governance & accountability overview
  • Policies and operating procedures (structured, consistent, versioned)
  • Security posture summary (IAM, logging, monitoring, vulnerability management, incident handling)
  • Customer assets & safeguarding narrative (where applicable)
  • Change management and release governance summary
  • Vendor/outsourcing register and oversight approach
  • Complaints handling and customer support process overview
  • Operational resilience and continuity artefacts (aligned with DORA-style expectations where relevant)

Executive Summary

  • Readiness snapshot
  • Key risks + mitigation plan
  • Residual risk notes (clear, credible, non-marketing)

What we cover

Your scope depends on your CASP model, but typically includes:

Governance and decision accountability
Risk management and documentation discipline
Operational controls (monitoring, incident handling, change control)
Security controls and evidence quality
Third-party/vendor dependencies and oversight
Customer-facing processes that need clear evidence (e.g., complaints handling)

How it works

Week 1

Intake + scope + mapping skeleton

Confirm CASP services, entity boundaries, and build control framework baseline.

Week 2–3

Evidence build + control mapping

Assemble evidence, validate operational controls, and map to obligations.

Week 4

Pack finalisation + handover + maintenance plan

Export evidence pack, executive summary, and establish ongoing refresh cadence.

*Timeline varies with service complexity and documentation maturity.

Packaging (3 tiers)

Toolkit (Self-Serve)

Templates + checklists + evidence structure

Guided (Hybrid)

Workshops + reviews + we help assemble the evidence pack

Enterprise (Assured Delivery)

Deeper validation, executive reporting, optional ongoing refresh

Add-ons (optional)

  • +DORA Resilience Pack (recommended if you want resilience alignment and third-party discipline)
  • +Security evidence enrichment (turn technical reality into audit-friendly artefacts)
  • +Ongoing monthly refresh (versioned updates as you ship changes)

Frequently Asked Questions

Do you replace our legal/compliance counsel?

No. We produce readiness packs and evidence structure; we can collaborate with your counsel.

Can you support multi-entity / group operating models?

Yes—scope can be separated by entity and consolidated in a group summary.

Can this include technical validation?

Yes—where helpful, we can include security testing summaries and control evidence from your systems.

Build CASP readiness with audit-grade evidence—not scattered documents.

Netallion Assurance provides readiness and evidence support. We do not provide legal advice. Regulatory and listing outcomes are determined by regulators and venues and are not guaranteed.