We built SENTINEL because we watched this exact problem unfold across Spanish exchanges and crypto asset service providers. Over 200 Spain-based crypto companies are still unlicensed. The two Spanish-native firms who managed to get licensed (Bit2Me in July 2025, Criptan in March 2026) spent months navigating a regulatory framework that Spain itself is still calibrating. So here's what actually matters for MiCA compliance in Spain right now.
What MiCA Actually Means for Spanish CASPs
MiCA is the EU's Markets in Crypto Assets Regulation. It went fully live on December 30, 2024. For Spain, that means CNMV (the Spanish financial regulator) is now the licensing authority for every CASP — custodian wallets, crypto exchanges, staking services, even some blockchain infrastructure providers.
Spain chose the maximum transition period allowed under MiCA: 18 months from the regulation's effective date. That means a July 1, 2026 hard stop. Any firm that hasn't submitted and been approved for a CNMV license by then has two options: migrate to another EU member state or close.
What makes Spain's situation unique is that firms previously registered under the old Banco de España regime weren't automatically grandfathered in. They had to re-qualify under MiCA's stricter standards — resubmitting business plans, updating compliance frameworks, and proving they meet new organizational requirements that didn't exist before. The 85 licensed firms operating in Spain today are mostly large EU players using passporting rights. The Spanish-native cohort is tiny.
The 5 Compliance Obligations Every Licensed CASP Must Manage
Getting a CNMV license is the start, not the finish line.
- Market Abuse and Insider Trading Prevention — You must monitor for market manipulation and insider trading across all your trading venues and services. Documented systems, real-time flagging, audit trails, and CNMV reporting within set timeframes.
- Stablecoin and Asset-Referenced Token Reserves — If your CASP holds customer funds or issues any crypto asset token, reserve requirements apply now. Stablecoins must be backed 1:1 by liquid reserves. Proving this quarterly to CNMV requires robust treasury systems.
- Custody and Operational Resilience — Customer crypto assets must be segregated from operational holdings. Your systems must meet CNMV's resilience standards — uptime targets, incident response plans, cyber insurance, backup systems.
- Organizational and Governance Requirements — A compliance officer with direct board access. Written policies for AML, KYC, conflicts of interest, complaints handling. CNMV conducts annual supervisory reviews and can demand proof these aren't just documents in a shared folder.
- Data Reporting and Transparency — This is where DAC8 comes in, and it's the one obligation most Spanish CASPs underestimate.
Why DAC8 Reporting Matters (and Why Most Firms Get It Wrong)
DAC8 is the EU's Directive on Administrative Cooperation. Spanish CASPs must file quarterly reports on crypto asset transactions to CNMV, feeding into the broader EU AML intelligence apparatus.
The problem: DAC8 requirements are still being clarified. What triggers a reportable transaction? What's the threshold? How do you classify DeFi interactions? Firms that took shortcuts in their reporting systems now face compliance gaps. We've seen 15-20 licensing holders request extensions to initial filings because their DAC8 setup was incomplete.
The Practical Reality: 100 Days, Two Paths
If you're reading this unlicensed, two realistic paths exist:
- Fast-track CNMV approval: Takes 4-6 months if your application is clean on the first pass. Getting licensed by July 1 is possible but tight. Submit now.
- Planned migration or restructuring: If Spain isn't viable, you migrate operations to another EU member state (Germany, Portugal, and Malta have faster processes) or restructure as a non-CASP service.
Both paths require moving now. Waiting for June to decide isn't a strategy.
If you're already licensed, the risk isn't regulatory — it's operational. Staying compliant post-license means continuous monitoring of CNMV guidance updates, DAC8 filing deadlines, quarterly reserve certifications, and incident reporting obligations. Missing one quarterly deadline can trigger a formal investigation that costs months and legal fees.
This is exactly why we built SENTINEL. It monitors MiCA requirement changes across Spain, flags which CNMV guidance applies to your specific CASP type, tracks your DAC8 filing deadlines, and alerts you when regulatory interpretation shifts. You stop guessing and start acting.
Moving Forward
The Spanish crypto market will be smaller on August 1, 2026. Dozens of companies that couldn't get licensed will have exited. That's not speculation — that's MiCA's actual design.
The firms that survive are the ones that treated MiCA compliance as a core business problem. The ones that thrive are the ones treating it as a continuous operational obligation, not a one-time checkbox.
July 1 isn't coming. It's already here.