AI Act · MiCA sector

The EU AI Act for Crypto-Asset Service Providers

You are already carrying MiCA and DORA. The good news, for once: the AI Act barely touches a crypto-asset service provider.

Check your exposure — free

Almost nothing you run is high-risk

Blockchain analytics, transaction monitoring, market abuse surveillance, trading bots, KYC verification — none of it appears in Annex III, and the fraud-detection carve-out and the biometric-verification exclusion cover the two that come closest. Unless you lend to consumers, a CASP's AI Act programme is Article 50 and Article 4. That is a policy and a disclosure, not a conformity assessment.

Your AI systems, classified

Read this the way the Act reads it: Annex III is a list of named use cases, not a judgement about how important a system is to your business. The most consequential model you run may well be the one the Act says nothing about.

SystemUnder the AI ActWhy
Blockchain analytics and transaction monitoring Not high-risk Not high-risk Not in Annex III. And to the extent it functions as fraud detection, point 5(b) excludes it by name.
AML screening, sanctions, Travel Rule matching Not high-risk Not high-risk Not named in Annex III. Your obligations here come from the AML framework and the Transfer of Funds Regulation.
Market abuse surveillance (MiCA Title VI) Not high-risk Not high-risk Not in Annex III. MiCA already requires you to detect and report market abuse; the AI Act adds nothing on top.
KYC identity verification — selfie / document match Not high-risk Not high-risk Annex III point 1 expressly excludes biometric verification whose sole purpose is to confirm a person is who they claim to be. One-to-one onboarding match is verification, not remote identification.
Trading bots, market making, liquidity algorithms Not high-risk Not high-risk Absent from Annex III entirely.
Crypto lending or credit to consumers Applies High-risk — Annex III 5(b) If you assess the creditworthiness of natural persons — a collateralised consumer loan still counts — you are in 5(b), and the full high-risk chapter follows.
Customer chatbot, or anything that looks like advice Applies Transparency — Art. 50 Disclose that the customer is talking to an AI, from 2 August 2026. And note MiCA's own fair, clear and not-misleading standard applies to whatever the bot says.
CV screening and employee evaluation Applies High-risk — Annex III point 4 Catches you as an employer. For most CASPs this is the only high-risk AI system in the building.

How it sits on the regime you already carry

A CASP carries MiCA for authorisation and conduct, DORA for ICT risk and incident reporting — CASPs have been DORA entities since January 2025 — and the AML framework plus the Travel Rule for monitoring. That is a heavy stack, and the reflex when a fourth regulation arrives is to assume it is heavier still.

It is not. Read Annex III against what you actually run and the list comes back nearly empty. Your realistic AI Act workplan is: disclose the bot, mark generated content, write the AI literacy measures into your training programme, and check whether HR has bought a CV screener. If someone is quoting you for a high-risk conformity assessment on your blockchain analytics, ask them which point of Annex III it falls under.

Read the text

We describe the delta. The Act itself — all 113 articles, in 24 EU languages — lives on our sister site.

Frequently asked questions

Is blockchain analytics high-risk under the AI Act?
No. It is not listed in Annex III. To the extent it functions as fraud detection, Annex III point 5(b) excludes AI used for the purpose of detecting financial fraud by name. Your obligations for transaction monitoring come from the AML framework and MiCA, not from the AI Act high-risk chapter.
Does our KYC selfie verification make us a high-risk deployer?
No, provided it is one-to-one. Annex III point 1 covers remote biometric identification - matching a face against a database - and expressly excludes biometric verification whose sole purpose is to confirm that a specific person is who they claim to be. Onboarding selfie-match against the customer's own uploaded document is verification.
So what does the AI Act actually require of a CASP?
Realistically three things. Article 50: tell customers when they are interacting with an AI, and mark AI-generated content machine-readably. Article 4: take measures to support the AI literacy of staff using AI systems. And Annex III point 4 vigilance over anything HR buys for recruitment or worker evaluation. Unless you lend to consumers, that is the whole programme.
We are also subject to DORA. Does that cover the AI Act?
No. DORA governs the resilience of your ICT estate; the AI Act governs what your models do. They overlap on documentation and third-party control, and they diverge sharply on data governance, human oversight and incident reporting - AI Act Article 73 reports serious incidents to the market surveillance authority, which is not your DORA competent authority.
When is our first AI Act deadline?
If you run a customer-facing chatbot: 2 August 2026, for Article 50. Marking of AI-generated content follows on 2 December 2026. Both are far closer than the December 2027 high-risk date that most of the coverage focuses on.

Start free: run the AI Act exposure check to classify a specific system, or read the cross-obligation table showing what the AI Act adds to a DORA programme. Already working on DORA? See DORA for Crypto-Asset Service Providers. Analytical guidance for compliance teams, not legal advice.

How Compliant Is Your Institution?

Take our free 5-minute assessment and get an instant DORA compliance score with personalised recommendations.

Get Your Free DORA Score Join Free Monthly Webinar