The European Union is in the middle of a high-stakes debate: should the bloc’s top markets regulator, the European Securities and Markets Authority (ESMA), directly supervise the biggest crypto firms, or should national watchdogs keep the driver’s seat under MiCA (Markets in Crypto-Assets)? On September 16, 2025, Malta — through its Malta Financial Services Authority (MFSA) — made its stance crystal clear: Malta opposes the EU push to hand crypto oversight to ESMA. The MFSA supports consistent standards across the EU but warns that centralising supervision would add bureaucracy, slow decisions, and risk undermining competitiveness just as MiCA is bedding in.
This clash didn’t appear out of thin air. Recent months saw ESMA scrutinise how Malta authorises and supervises Crypto-Asset Service Providers (CASPs) under MiCA, offering both praise and pointed recommendations. Malta says it’s already implementing improvements and that its licenses remain sound — but some member states, led by France (joined by Italy and Austria), argue that passporting could export weak oversight across the single market unless ESMA takes the wheel.
In this in-depth analysis, we unpack why Malta opposes centralising crypto oversight, what ESMA actually found in Malta, how France’s stance on passporting escalated tensions, and what the outcome could mean for crypto firms, investors, and Europe’s broader digital-finance ambitions.
Core dispute: Centralise with ESMA or coordinate via national supervisors?
What ESMA centralisation would look like
The proposal championed by France — with support from Italy and Austria — is to transfer direct supervision of major CASPs to ESMA, rather than leaving it primarily with national competent authorities (NCAs) like the MFSA. Advocates argue that this would ensure supervisory convergence, eliminate “light-touch” discrepancies, and provide uniform protection for consumers across the EU.
Malta’s argument against centralisation
Malta counters that MiCA already provides the architecture needed for consistent oversight — with ESMA setting standards and coordinating, while NCAs perform day-to-day supervision close to the market. Shifting control to ESMA now, Malta argues, would create additional layers, slow authorisations, and duplicate processes at the very moment EU policymakers want to boost competitiveness and provide firms with regulatory certainty.
Key point: Malta isn’t rejecting ESMA’s role; it’s rejecting over-centralisation. The MFSA supports ESMA’s efforts to align practices but believes primary supervision should stay with experienced national teams applying MiCA locally — and being held to EU-wide standards.
The ESMA review of Malta: What was actually said?
ESMA’s peer review is mixed but manageable
In July 2025, ESMA published a peer review focused on a Malta authorisation case under MiCA. ESMA concluded Malta had adequate staffing and resources but criticised aspects of one license process as “only partially” compliant, including timing and depth of risk assessment, and urged improvements in areas like governance, IT systems, and unregulated services marketing.
Malta’s response: We’re essentially meeting expectations — and improving
The MFSA publicly welcomed ESMA’s review, highlighting findings that Malta is fully meeting expectations on supervisory settings and resources, and essentially meeting expectations overall — while acknowledging and addressing the recommendations. Crucially, Malta stated that no MiCA licenses are at risk as a result of the review.
Why this matters for the ESMA vs. NCA debate
For centralisation advocates, the review highlights why EU-level guardrails are crucial when passporting allows firms to operate across borders. For Malta, the review shows that MiCA is working: ESMA reviews and recommends, while NCAs improve and enforce. That’s supervisory convergence in action, without stripping national agencies of their core mandate.
France’s passporting alarm — and how it raised the stakes
AMF’s tough talk on “shopping for leniency”
France’s market watchdog, the AMF, has warned it could try to block some crypto companies licensed in other EU states from operating in France, citing fears of regulatory arbitrage under MiCA. That stance is part of a broader push to expand ESMA’s direct powers to prevent weak licenses from spreading via passporting.
Malta’s take: fix gaps, don’t upend the model
For Malta, the answer is not to upend MiCA’s structure, but to tighten coordination, clarify expectations, and accelerate shared enforcement tools where needed. The MFSA’s position dovetails with a “convergence-first” approach: ESMA can standardise checklists, issue guidance, and run targeted reviews — while NCAs supervise day to day.
What firms need to know right now
MiCA is live; scrutiny is intensifying
If you’re a CASP or a firm seeking MiCA authorisation, expect more questions, more demanding evidence standards, and more explicit labelling between regulated and unregulated services. ESMA has warned firms not to mislead customers about protections — a signal that marketing claims will be vetted closely across the EU.
Practical tips for compliance teams:
- Map regulated vs. unregulated offerings; ensure disclosures aren’t conflating the two.
- Demonstrate robust governance, conflict-of-interest policies, and ICT/operational resilience (including DORA-aligned controls).
- Prepare for passporting audits: be ready to show consistent standards across all EU customer touchpoints, not just in your home state.
Competitive angle: Will centralisation help or hinder Europe?
The case for centralisation
Proponents say putting ESMA in charge of the largest CASPs would:
- Level the playing field across member states
- Reduce regulatory arbitrage and “forum shopping”
- Speed up supervisory convergence for systemically essential firms
These points echo concerns voiced in France and other capitals after ESMA’s Malta review.
Malta’s countercase
Malta argues that ESMA can already achieve convergence without taking over day-to-day supervision — and that a full handover risks:
- Extra bureaucracy and slower authorisations
- Less market proximity, weakening problem-spotting at the local level
- Mixed signals to innovators during a crucial phase of MiCA implementation
This is the essence of Malta’s opposition: optimise the current model instead of rebuilding it.
What this means for consumers and investors
For consumers, the outcome of this governance debate affects how consistently MiCA protections are enforced. ESMA’s warnings about misleading claims aim to reduce confusion and ensure that being “MiCA-licensed” doesn’t become mere marketing. For investors, the stability and clarity of the regime — whether centralised or coordinated — will influence trust, market integrity, and ultimately adoption.
Scenario planning: Three plausible paths ahead
Convergence-first (status quo plus)
ESMA continues targeted peer reviews, issues guidance, and pushes best-practice templates while NCAs remain primary supervisors. Expect more spot checks in jurisdictions with fast authorisation cycles and continued debate over passporting safeguards. This is the path Malta favours.
Partial centralisation for systemic firms
A compromise where ESMA directly oversees a shortlist of “significant” CASPs (by EU footprint or risk profile), while others remain with NCAs. This aligns with banking supervision models and may alleviate concerns about cross-border spillovers.
Complete ESMA takeover for major crypto groups
The maximalist version of France’s vision: ESMA becomes the lead supervisor for top-tier CASPs EU-wide, with NCAs in a supporting role. This would likely require legislative tweaks and a build-out of ESMA’s staffing and technical capabilities.
Strategic guidance for CASPs operating (or applying) in Malta
- Align to ESMA expectations now. Treat the July peer-review feedback as a forward-looking blueprint, not just a Malta-specific critique. Build documented risk assessments, test ICT resilience, and ensure board-level ownership of MiCA compliance.
- Anticipate more challenging cross-border questions. If your growth relies on passporting, prepare evidence packs showing consistent controls in every EU touchpoint, not only in your home NCA.
- Calibrate your marketing. ESMA’s warnings on misleading claims make it essential to avoid implying that unregulated services carry MiCA protections.
- Engage early with the MFSA. Malta says it’s strengthening processes in line with ESMA’s recommendations while maintaining that national supervision works. Have pre-filing dialogues and address remediation items proactively.
Conclusion
The EU’s crypto regime is young, ambitious, and under global scrutiny. France’s hard line on passporting and its call to elevate ESMA as the central supervisor respond to legitimate risks of regulatory arbitrage. But Malta’s position — opposing an EU push to hand crypto oversight to ESMA — underscores another truth: the system we have is designed for shared responsibility. Let ESMA set firm expectations and test them; let NCAs implement and enforce with local proximity — and tighten the bolts where reviews find gaps.
As Brussels weighs reforms, firms should assume more evidence-heavy authorisations, stricter disclosure rules, and deeper IT/governance checks. Whether the future is coordinated or centralised, one thing is sure: MiCA’s promise of a safer, integrated crypto market will be judged by consistent supervision and explicit consumer protections — not by who sits at the top of the org chart.